Security Release: symfony 1.4.18 released
symfony 1.4.18 has just been released. Read the post carefully as this version fixes a security vulnerability.
Dmitri Groutso contacted us a couple of days ago about a possible security issue in the session code:
regenerate() method as implemented by database backed session classes does not persist the current session data from request memory before regenerating the session ID, leaving a shadow copy in the database as it was at the beginning of the request (still authenticated in the "logout" case). Passing $destroy=true to regenerate mitigates the attack, by explicitly removing
His patch has been applied in the 1.4.18 release.
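To make the failure concrete, here is an added illustration (not symfony's own code, and not the applied patch): a toy database-backed store in which an array stands in for the sessions table, with a flawed regenerate() beside one that writes the current request data back to the old row, or deletes that row, before switching IDs. The class and method names are invented for the example.

```php
<?php
// Constructed illustration (not symfony's code): an array stands in for the
// sessions table, to show why regenerate() must flush or delete the old row.
class DbSessionStore
{
    private array $rows = [];   // session_id => serialized data ("the table")
    private array $data;        // this request's in-memory session data
    private string $id;
    public function __construct(string $id, array $initial)
    {
        $this->id = $id;
        $this->data = $initial;
        $this->rows[$id] = serialize($initial); // row as of the request start
    }
    public function logout(): void { $this->data = []; } // memory only
    // Flawed variant: with $destroy = false nothing is written back to the old
    // row, so it keeps whatever it held when the request began.
    public function regenerateUnsafe(bool $destroy = false): void
    {
        if ($destroy) { unset($this->rows[$this->id]); } // the mitigation noted above
        $this->id = bin2hex(random_bytes(8));
        $this->rows[$this->id] = serialize($this->data);
    }
    // Fixed variant: persist request memory to the old row (or delete it)
    // before taking a new ID, so no stale copy survives.
    public function regenerateSafe(bool $destroy = false): void
    {
        if ($destroy) {
            unset($this->rows[$this->id]);
        } else {
            $this->rows[$this->id] = serialize($this->data);
        }
        $this->id = bin2hex(random_bytes(8));
        $this->rows[$this->id] = serialize($this->data);
    }
    // Audit helper: IDs of stored rows that still carry an authenticated flag.
    public function authenticatedRows(): array
    {
        return array_keys(array_filter($this->rows,
            fn(string $r) => !empty(unserialize($r)['authenticated'])));
    }
}
foreach (['regenerateUnsafe', 'regenerateSafe'] as $method) {
    $s = new DbSessionStore('old-id', ['authenticated' => true]);
    $s->logout();       // user logs out ...
    $s->$method();      // ... then the session ID is regenerated ($destroy = false)
    echo $method, ': ', implode(',', $s->authenticatedRows()), PHP_EOL;
}
```

Running it lists the stale row for the flawed variant and nothing for the fixed one; the same check (a query for rows still marked authenticated for a user who has logged out) is a useful audit on a real sessions table after upgrading.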
Here are all the changes from the CHANGELOG:
-  fixed a possible DB session fixation attack (patch from Dmitri Groutso)
-  fixed test browser click function not handling a CSS selector without [ or ] (closes #9982, patch from mouette)
If you've checked out a copy of the tag from Subversion you can switch to the latest version:
$ svn switch http://svn.symfony-project.com/tags/RELEASE_1_4_18
If you are using the PEAR package you can update using the pear command:
$ pear upgrade symfony/symfony-1.4.18
And as always, don't forget to clear your cache after upgrading.
Have you found a security issue in Symfony? Send the details to security [at] symfony.com and don't disclose it publicly until we can provide a fix for it.