symfony 1.4.18 has just been released. Read the post carefully as this version fixes a security vulnerability.

Dmitri Groutso contacted us a couple of days ago about a possible security issue in the session code:

"The regenerate() method as implemented by database backed session classes do not persist the current session data from request memory before regenerating session ID, leaving shadow copy in the database as it was at the beginning of the request (still authenticated in the "logout" case). Passing to $destroy=true to regenerate mitigates the attack, by explicitly removing shadow copy."

His patch has been applied in the 1.4.18 release.

Here are all the changes from the CHANGELOG:

  • [33466] fixed a possible DB session fixation attack (patch from Dmitri Groutso)
  • [33373] fixed test browser click function does not handle css selector without [ or ] (closes #9982, patch from mouette)

If you've checked out a copy of the tag from Subversion you can switch to the latest version:

$ svn switch

If you are using the PEAR package you can update using the pear command:

$ pear upgrade symfony/symfony-1.4.18

And as always, don't forget to clear your cache after upgrading.