Security Release: Symfony 2.0.11 released

Warning: Symfony 2.0 is no longer supported. Consider upgrading your applications to the most recent Symfony version.
Symfony 2.0.11 has just been released and it contains a security vulnerability fix for the Serializer Component. If you are using the Serializer component, you should upgrade as soon as possible.
The security vulnerability was reported this morning by Sense of Security:
"The XMLEncoder component of Symfony 2.0.x fails to disable external entities when parsing XML. In the Symfony2 framework the XML class may be used to deserialize objects or as part of a client/server API. By using external entities it is possible to include arbitrary files from the file system."
They have also provided a possible exploit example:
<?php
use Symfony\Component\Serializer\Serializer;

$serializer = new Serializer(array(), array(
    'xml' => new \Symfony\Component\Serializer\Encoder\XmlEncoder(),
));

// The DOCTYPE declares an external entity; the unpatched encoder resolves it while decoding.
$x = $serializer->decode('<?xml version="1.0"?><!DOCTYPE scan [<!ENTITY test SYSTEM "php://filter/read=convert.base64-encode/resource=/etc/passwd">]><scan>&test;</scan>', 'xml');
var_dump($x);
In this case, $x will now contain a copy of /etc/passwd in base64-encoded form.
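The defensive counterpart, as an added example that is not Symfony's own patch (it follows the same idea, though): keep libxml from resolving external entities and refuse any document that carries a DOCTYPE, since that is where entities are declared. The function name decodeXmlWithoutEntities() and the two sample documents are constructed for this demonstration.

```php
<?php
// Added example, not Symfony's code: parse XML without ever resolving
// external entities, and reject documents that declare a DOCTYPE at all.
function decodeXmlWithoutEntities(string $content): DOMDocument
{
    // Suppress libxml warnings and, on PHP < 8.0, switch off the external
    // entity loader (PHP 8 ships with it disabled; the call is deprecated there).
    $internalErrors = libxml_use_internal_errors(true);
    if (\PHP_VERSION_ID < 80000) {
        $disableEntities = libxml_disable_entity_loader(true);
    }
    libxml_clear_errors();

    $dom = new DOMDocument();
    // LIBXML_NONET forbids network access while parsing. LIBXML_NOENT is
    // deliberately NOT passed, so entity references are never substituted.
    $loaded = $dom->loadXML($content, LIBXML_NONET);

    libxml_use_internal_errors($internalErrors);
    if (\PHP_VERSION_ID < 80000) {
        libxml_disable_entity_loader($disableEntities);
    }

    if (!$loaded) {
        throw new UnexpectedValueException('Malformed XML input.');
    }

    // A DOCTYPE node is the only place entities can be declared: refuse it.
    foreach ($dom->childNodes as $child) {
        if ($child->nodeType === XML_DOCUMENT_TYPE_NODE) {
            throw new UnexpectedValueException('Document types are not allowed.');
        }
    }

    return $dom;
}

// Constructed inputs: one ordinary document, one carrying a DOCTYPE with a
// SYSTEM entity (placeholder path, not a real target).
$benign = '<?xml version="1.0"?><scan><host>10.0.0.1</host></scan>';
$withDoctype = '<?xml version="1.0"?><!DOCTYPE scan [<!ENTITY test SYSTEM "file:///placeholder/path">]><scan>&test;</scan>';

echo decodeXmlWithoutEntities($benign)->documentElement->textContent, "\n";

try {
    decodeXmlWithoutEntities($withDoctype);
} catch (UnexpectedValueException $e) {
    echo 'Rejected: ', $e->getMessage(), "\n";
}
```

The DOCTYPE check is what makes the function robust even where the entity loader setting cannot be relied upon; the first document decodes normally, the second is rejected before its entity is ever referenced.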
The vulnerability has been fixed today by Jordi Boggiano and we are releasing Symfony 2.0.11 tonight to ensure an easy upgrade path for everybody. If you cannot upgrade to 2.0.11, please at least apply the appropriate patch as soon as possible.
The 2.0.11 release also contains some other minor bug fixes. As always, the CHANGELOG has all the details about the changes done in this release and you can also have a look at the full diff.
If you are starting a new project, you can get the Symfony Standard Edition distribution on the download page.
If you already have a project based on the Symfony Standard Edition 2.0.x, you can easily upgrade to 2.0.11 by getting the new deps and deps.lock files.
Then, run the vendors script (it also clears your cache):
$ ./bin/vendors install
Remember that the Symfony2 Components are also available as standalone libraries. You can get them via their dedicated read-only repositories on Github (https://github.com/symfony/Finder for instance), install them via PEAR (pear install symfony2/Finder), or even install them via Composer.
Have you found a security issue in Symfony? Send the details to security [at] symfony.com and don't disclose it publicly until we can provide a fix for it.
Help the Symfony project!
As with any Open-Source project, contributing code or documentation is the most common way to help, but we also have a wide range of sponsoring opportunities.
Comments
https://github.com/symfony/symfony/commit/3e64d36cbdc34acaa82e0e6318112cd2eacb6fec.patch
If a google search is an indication, many folks get a "Your project seems to be based on a Standard Edition that includes vendors. Try to run ./bin/vendors install --reinstall." error message.
That's the message I get as well.
How do you actually patch Symfony2? What about using a Windows OS? Does that affect the patch?
Symfony\vendor\symfony\src\Symfony\Bundle\MonologBundle
Symfony\vendor\bundles\Symfony\Bundle\MonologBundle
Symfony\vendor\symfony\src\Symfony\Bundle\SwiftmailerBundle
Symfony\vendor\bundles\Symfony\Bundle\SwiftmailerBundle