Date: Mon, 26 Nov 2012 10:06:26 -0500 (EST)
From: Jan Lieskovsky <>
Cc: "Steven M. Christey" <>
Subject: CVE Request -- Symfony (php-symfony-symfony) < 1.4.20: Ability to
 read arbitrary files on the server, readable with the web server privileges

Hello Kurt, Steve, vendors,

  Symfony upstream has released 1.4.20 version:

correcting one security flaw:
"An information disclosure flaw was found in the way Symfony,
an open-source PHP web framework, sanitized certain HTTP POST
request values. A remote attacker could use this flaw to obtain
(unauthorized) read access to arbitrary system files, readable
with the privileges of the web server process."


Relevant upstream patch:

Could you allocate a CVE id for this?

Thank you && Regards, Jan.
Jan iankko Lieskovsky / Red Hat Security Response Team
