Symfony 2.0.11 has just been released and it contains a security vulnerability fix for the Serializer Component. If you are using the Serializer component, you should upgrade as soon as possible.
The security vulnerability has been reported this morning by Sense of Security:
"The XMLEncoder component of Symfony 2.0.x fails to disable external entities when parsing XML. In the Symfony2 framework the XML class may be used to deserialize objects or as part of a client/server API. By using external entities it is possible to include arbitrary files from the file system."
They have also provided a possible exploit example:
$serializer = new Serializer(array(), array(
'xml' => new \Symfony\Component\Serializer\Encoder\XmlEncoder()
));
$x = $serializer->decode('<?xml version="1.0"?><!DOCTYPE scan
[<!ENTITY test SYSTEM
"php://filter/read=convert.base64-encode/resource=/etc/passwd">]><scan>&test;</scan>',
'xml');
var_dump($x);
In this case, $x will now contain a copy of /etc/passwd in base64 encoded
form.
The vulnerability has been fixed today by Jordi Boggiano and we are releasing Symfony 2.0.11 tonight to ensure an easy upgrade path for everybody. If you cannot upgrade to 2.0.11, please at least apply the appropriate patch as soon as possible.
The 2.0.11 release also contains some other minor bug fixes. As always, the CHANGELOG has all the details about the changes done in this release and you can also have a look at the full diff.
If you are starting a new project, you can get the Symfony Standard Edition distribution on the download page.
If you already have a project based on the Symfony Standard Edition 2.0.x, you can easily upgrade to 2.0.11 by getting the new deps and deps.lock files.
Then, run the vendors script (it also clears your cache):
$ ./bin/vendors install
Remember that the Symfony2 Components are also available as standalone
libraries. You can get them via their dedicated read-only repositories on
Github (https://github.com/symfony/Finder for instance), install them via
PEAR (pear install symfony2/Finder), or even
install them via Composer.
Great response time to get that fixed and released!
Great response guys! The following link contains the raw patch file:
https://github.com/symfony/symfony/commit/3e64d36cbdc34acaa82e0e6318112cd2eacb6fec.patch
Thank you so much for this bug fix.
Where do I report additional security issues? In case I find anything..
Whenever you think you have found a security issue, please follow the appropriate procedure: http://symfony.com/doc/current/contributing/code/security.html
Great reactivity as always. :)
Always on the edge!
was this bug introduced after the sec-audit from sektion eins or did they miss it?
Is it possible to get some meaningful directions on how to update/patch an existing Symfony2 project. The above directions-- seen in many places-- doesn't really work.
If a google search is an indication, many folks get a "Your project seems to be based on a Standard Edition that includes vendors. Try to run ./bin/vendors install --reinstall." error message.
That's the message I get as well.
How do you actually patch Symfony2? What about using a Windows OS? Does that effect the patch?
@Konrad Mohrfeldt: Looks like it affects all versions of Symfony2 so i'm guessing sektion eins missed it
Seems there are duplicate bundles in the release?
Symfony\vendor\symfony\src\Symfony\Bundle\MonologBundle Symfony\vendor\bundles\Symfony\Bundle\MonologBundle Symfony\vendor\symfony\src\Symfony\Bundle\SwiftmailerBundle Symfony\vendor\bundles\Symfony\Bundle\SwiftmailerBundle