Security Release: Symfony 2.0.11 released
by Fabien Potencier – February 24, 2012 – 11 comments

Symfony 2.0.11 has just been released and it contains a security vulnerability fix for the Serializer Component. If you are using the Serializer component, you should upgrade as soon as possible.

The security vulnerability has been reported this morning by Sense of Security:

"The XMLEncoder component of Symfony 2.0.x fails to disable external entities when parsing XML. In the Symfony2 framework the XML class may be used to deserialize objects or as part of a client/server API. By using external entities it is possible to include arbitrary files from the file system."

They have also provided a possible exploit example:

<?php
use Symfony\Component\Serializer\Serializer;

// The 2.0.x XML encoder parses the DOCTYPE and resolves the external entity
// declared in it, so the referenced resource ends up in the decoded data.
$serializer = new Serializer(array(), array(
    'xml' => new \Symfony\Component\Serializer\Encoder\XmlEncoder()
));

$x = $serializer->decode('<?xml version="1.0"?><!DOCTYPE scan
[<!ENTITY test SYSTEM
"php://filter/read=convert.base64-encode/resource=/etc/passwd">]><scan>&test;</scan>',
'xml');

var_dump($x);

In this case, $x will now contain a copy of /etc/passwd in base64-encoded form.

The vulnerability has been fixed today by Jordi Boggiano and we are releasing Symfony 2.0.11 tonight to ensure an easy upgrade path for everybody. If you cannot upgrade to 2.0.11, please at least apply the appropriate patch as soon as possible.
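A hardened decoding routine that closes this class of bug, added here as an illustration and not Symfony's own XmlEncoder or the 2.0.11 patch: it disables libxml's external entity loader, parses without LIBXML_NOENT so entity references are never substituted, and rejects any document that carries a DOCTYPE, since that is the only place an ENTITY can be declared. The SafeXmlDecoder class and the two sample documents are constructed for this example.

```php
<?php
// Added example (not Symfony code): decode XML while refusing entity expansion.
final class SafeXmlDecoder
{
    public static function load(string $data): \DOMDocument
    {
        $previousErrors = libxml_use_internal_errors(true);
        // Stop libxml from fetching external entities or DTDs from disk or network.
        // (Deprecated since PHP 8.0, where this is already the default.)
        $previousLoader = libxml_disable_entity_loader(true);
        libxml_clear_errors();

        $dom = new \DOMDocument();
        // LIBXML_NONET forbids network access; LIBXML_NOENT is deliberately
        // absent so entity references are never substituted.
        $loaded = $dom->loadXML($data, LIBXML_NONET);
        $errors = libxml_get_errors();

        libxml_clear_errors();
        libxml_use_internal_errors($previousErrors);
        libxml_disable_entity_loader($previousLoader);

        if (!$loaded) {
            $detail = $errors ? trim($errors[0]->message) : 'unknown error';
            throw new \UnexpectedValueException('Invalid XML: ' . $detail);
        }

        // A DOCTYPE is the only place an ENTITY can be declared, so reject it outright.
        foreach ($dom->childNodes as $child) {
            if ($child->nodeType === XML_DOCUMENT_TYPE_NODE) {
                throw new \UnexpectedValueException('Document types are not allowed.');
            }
        }

        return $dom;
    }
}

// Constructed inputs: a harmless document, and one with a DOCTYPE declaring an
// external entity (placeholder path; same shape as the report above).
$plain   = '<?xml version="1.0"?><scan>ok</scan>';
$withDtd = '<?xml version="1.0"?><!DOCTYPE scan [<!ENTITY test SYSTEM "file:///placeholder">]>'
         . '<scan>&test;</scan>';
echo SafeXmlDecoder::load($plain)->documentElement->textContent, "\n";
try {
    SafeXmlDecoder::load($withDtd);
} catch (\UnexpectedValueException $e) {
    echo 'Rejected: ', $e->getMessage(), "\n";
}
```

The first call yields the element text; the second is refused before any entity could be dereferenced, either by the DOCTYPE check or, if libxml already flagged the unloadable entity, by the parse-error branch.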

The 2.0.11 release also contains some other minor bug fixes. As always, the CHANGELOG has all the details about the changes done in this release and you can also have a look at the full diff.

If you are starting a new project, you can get the Symfony Standard Edition distribution on the download page.

If you already have a project based on the Symfony Standard Edition 2.0.x, you can easily upgrade to 2.0.11 by getting the new deps and deps.lock files.

Then, run the vendors script (it also clears your cache):

$ ./bin/vendors install

Remember that the Symfony2 Components are also available as standalone libraries. You can get them via their dedicated read-only repositories on GitHub (https://github.com/symfony/Finder for instance), install them via PEAR (pear install symfony2/Finder), or even install them via Composer.


  • Chris Sedlmayr
    #1 Chris Sedlmayr said on the 2012/02/24 at 23:44
    Great response time to get that fixed and released!
  • Marijn Huizendveld
    #2 Marijn Huizendveld said on the 2012/02/25 at 00:19
    Great response guys! The following link contains the raw patch file:

    https://github.com/symfony/symfony/commit/3e64d36cbdc34acaa82e0e6318112cd2eacb6fec.patch
  • Peter Kokot
    #3 Peter Kokot said on the 2012/02/25 at 03:49
    Thank you so much for this bug fix.
  • Tobias Nyholm
    #4 Tobias Nyholm said on the 2012/02/25 at 05:09
    Where do I report additional security issues? In case I find anything...
  • Fabien Potencier
    #5 Fabien Potencier said on the 2012/02/25 at 10:05
    Whenever you think you have found a security issue, please follow the appropriate procedure: http://symfony.com/doc/current/contributing/code/security.html
  • Loïc Vernet
    #6 Loïc Vernet said on the 2012/02/25 at 13:42
    Great reactivity as always. :)
  • Luca Saba
    #7 Luca Saba said on the 2012/02/25 at 17:51
    Always on the edge!
  • Konrad Mohrfeldt
    #8 Konrad Mohrfeldt said on the 2012/02/27 at 12:04
    Was this bug introduced after the sec-audit from sektion eins, or did they miss it?
  • Evil Thug
    #9 Evil Thug said on the 2012/02/28 at 11:04
    Is it possible to get some meaningful directions on how to update/patch an existing Symfony2 project? The above directions (seen in many places) don't really work.

    If a google search is an indication, many folks get a "Your project seems to be based on a Standard Edition that includes vendors. Try to run ./bin/vendors install --reinstall." error message.

    That's the message I get as well.

    How do you actually patch Symfony2? What about using a Windows OS? Does that affect the patch?
  • Phil Taylor
    #10 Phil Taylor said on the 2012/03/02 at 00:06
    @Konrad Mohrfeldt: Looks like it affects all versions of Symfony2, so I'm guessing sektion eins missed it.
  • Bo Nielsen
    #11 Bo Nielsen said on the 2012/03/02 at 18:48
    Seems there are duplicate bundles in the release?

    Symfony\vendor\symfony\src\Symfony\Bundle\MonologBundle
    Symfony\vendor\bundles\Symfony\Bundle\MonologBundle
    Symfony\vendor\symfony\src\Symfony\Bundle\SwiftmailerBundle
    Symfony\vendor\bundles\Symfony\Bundle\SwiftmailerBundle