Table of Contents

  • Reporting a Security Issue
  • Resolving Process
  • Collaborating with Downstream Open-Source Projects
  • Security Advisories

Security Issues

Warning: You are browsing the documentation for Symfony 3.2, which is no longer maintained.

Read the updated version of this page for Symfony 6.2 (the current stable version).

This document explains how Symfony security issues are handled by the Symfony core team (Symfony being the code hosted on the main symfony/symfony Git repository).

Reporting a Security Issue

If you think that you have found a security issue in Symfony, don't use the bug tracker and don't publish it publicly. Instead, all security issues must be sent to security [at] symfony.com. Emails sent to this address are forwarded to the Symfony core team's private mailing list.

Resolving Process

For each report, we first try to confirm the vulnerability. Once it is confirmed, the core team works on a solution following these steps:

  1. Send an acknowledgement to the reporter;
  2. Work on a patch;
  3. Get a CVE identifier from mitre.org;
  4. Write a security announcement for the official Symfony blog about the vulnerability. This post should contain the following information:

    • a title that always includes the "Security release" string;
    • a description of the vulnerability;
    • the affected versions;
    • the possible exploits;
    • how to patch/upgrade/workaround affected applications;
    • the CVE identifier;
    • credits.
  5. Send the patch and the announcement to the reporter for review;
  6. Apply the patch to all maintained versions of Symfony;
  7. Package new versions for all affected versions;
  8. Publish the post on the official Symfony blog (it must also be added to the "Security Advisories" category);
  9. Update the security advisory list (see below).
  10. Update the public security advisories database maintained by the FriendsOfPHP organization, which is the database used by the security:check command.

Note

Releases that include security issues should not be done on Saturday or Sunday, except if the vulnerability has been publicly posted.

Note

While we are working on a patch, please do not reveal the issue publicly.

Note

The resolution takes anywhere between a couple of days and a month, depending on its complexity and on the coordination with the downstream projects (see next section).

Collaborating with Downstream Open-Source Projects

As Symfony is used by many large Open-Source projects, we standardized the way the Symfony security team collaborates on security issues with downstream projects. The process works as follows:

  1. After the Symfony security team has acknowledged a security issue, it immediately sends an email to the downstream project security teams to inform them of the issue;
  2. The Symfony security team creates a private Git repository to ease the collaboration on the issue; access to this repository is given to the Symfony security team, to the Symfony contributors that are impacted by the issue, and to one representative of each downstream project;
  3. All people with access to the private repository work on a solution to solve the issue via pull requests, code reviews, and comments;
  4. Once the fix is found, all involved projects collaborate to find the best date for a joint release (there is no guarantee that all releases will be at the same time but we will try hard to make them at about the same time). When the issue is not known to be exploited in the wild, a period of two weeks seems like a reasonable amount of time.

The list of downstream projects participating in this process is kept as small as possible in order to better manage the flow of confidential information prior to disclosure. As such, projects are included at the sole discretion of the Symfony security team.

As of today, the following projects have validated this process and are included as downstream projects:

  • Drupal (releases typically happen on Wednesdays)
  • eZPublish

Security Advisories

Tip

You can check your Symfony application for known security vulnerabilities using the security:check command (see How to Check for Known Security Vulnerabilities in Your Dependencies).

This section indexes security vulnerabilities that were fixed in Symfony releases, starting from Symfony 1.0.0:

  • July 17, 2017: CVE-2017-11365: Empty passwords validation issue (2.7.30, 2.7.31, 2.8.23, 2.8.24, 3.2.10, 3.2.11, 3.3.3, and 3.3.4)
  • May 9, 2016: CVE-2016-2403: Unauthorized access on a misconfigured Ldap server when using an empty password (2.8.0-2.8.5, 3.0.0-3.0.5)
  • May 9, 2016: CVE-2016-4423: Large username storage in session (2.3.0-2.3.40, 2.7.0-2.7.12, 2.8.0-2.8.5, 3.0.0-3.0.5)
  • January 18, 2016: CVE-2016-1902: SecureRandom's fallback not secure when OpenSSL fails (2.3.0-2.3.36, 2.6.0-2.6.12, 2.7.0-2.7.8)
  • November 23, 2015: CVE-2015-8125: Potential Remote Timing Attack Vulnerability in Security Remember-Me Service (2.3.35, 2.6.12 and 2.7.7)
  • November 23, 2015: CVE-2015-8124: Session Fixation in the "Remember Me" Login Feature (2.3.35, 2.6.12 and 2.7.7)
  • May 26, 2015: CVE-2015-4050: ESI unauthorized access (Symfony 2.3.29, 2.5.12 and 2.6.8)
  • April 1, 2015: CVE-2015-2309: Unsafe methods in the Request class (Symfony 2.3.27, 2.5.11 and 2.6.6)
  • April 1, 2015: CVE-2015-2308: Esi Code Injection (Symfony 2.3.27, 2.5.11 and 2.6.6)
  • September 3, 2014: CVE-2014-6072: CSRF vulnerability in the Web Profiler (Symfony 2.3.19, 2.4.9 and 2.5.4)
  • September 3, 2014: CVE-2014-6061: Security issue when parsing the Authorization header (Symfony 2.3.19, 2.4.9 and 2.5.4)
  • September 3, 2014: CVE-2014-5245: Direct access of ESI URLs behind a trusted proxy (Symfony 2.3.19, 2.4.9 and 2.5.4)
  • September 3, 2014: CVE-2014-5244: Denial of service with a malicious HTTP Host header (Symfony 2.3.19, 2.4.9 and 2.5.4)
  • July 15, 2014: Security releases: Symfony 2.3.18, 2.4.8, and 2.5.2 released (CVE-2014-4931)
  • October 10, 2013: Security releases: Symfony 2.0.25, 2.1.13, 2.2.9, and 2.3.6 released (CVE-2013-5958)
  • August 7, 2013: Security releases: Symfony 2.0.24, 2.1.12, 2.2.5, and 2.3.3 released (CVE-2013-4751 and CVE-2013-4752)
  • January 17, 2013: Security release: Symfony 2.0.22 and 2.1.7 released (CVE-2013-1348 and CVE-2013-1397)
  • December 20, 2012: Security release: Symfony 2.0.20 and 2.1.5 (CVE-2012-6431 and CVE-2012-6432)
  • November 29, 2012: Security release: Symfony 2.0.19 and 2.1.4
  • November 25, 2012: Security release: symfony 1.4.20 released (CVE-2012-5574)
  • August 28, 2012: Security Release: Symfony 2.0.17 released
  • May 30, 2012: Security Release: symfony 1.4.18 released (CVE-2012-2667)
  • February 24, 2012: Security Release: Symfony 2.0.11 released
  • November 16, 2011: Security Release: Symfony 2.0.6
  • March 21, 2011: symfony 1.3.10 and 1.4.10: security releases
  • June 29, 2010: Security Release: symfony 1.3.6 and 1.4.6
  • May 31, 2010: symfony 1.3.5 and 1.4.5
  • February 25, 2010: Security Release: 1.2.12, 1.3.3 and 1.4.3
  • February 13, 2010: symfony 1.3.2 and 1.4.2
  • April 27, 2009: symfony 1.2.6: Security fix
  • October 03, 2008: symfony 1.1.4 released: Security fix
  • May 14, 2008: symfony 1.0.16 is out
  • April 01, 2008: symfony 1.0.13 is out
  • March 21, 2008: symfony 1.0.12 is (finally) out!
  • June 25, 2007: symfony 1.0.5 released (security fix)
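To make the Tip above concrete, here is an added example (not Symfony's own security:check code) that checks an installed symfony/symfony version against a few of the affected ranges listed above. The CVE ids and ranges are transcribed from this list as inclusive bounds; the FriendsOfPHP database is not fetched, and the version strings passed in are assumed to be plain semantic versions.

```python
"""Minimal version-range check in the spirit of security:check.

Added example, not Symfony's own code. ADVISORIES is constructed from the
advisory list on this page (affected versions, inclusive); a real check
queries the FriendsOfPHP security-advisories database instead.
"""
from typing import Dict, List, Tuple

Version = Tuple[int, ...]

# Constructed from the page's list: CVE -> [(first affected, last affected), ...]
ADVISORIES: Dict[str, List[Tuple[str, str]]] = {
    "CVE-2016-2403": [("2.8.0", "2.8.5"), ("3.0.0", "3.0.5")],
    "CVE-2016-4423": [("2.3.0", "2.3.40"), ("2.7.0", "2.7.12"),
                      ("2.8.0", "2.8.5"), ("3.0.0", "3.0.5")],
    "CVE-2016-1902": [("2.3.0", "2.3.36"), ("2.6.0", "2.6.12"),
                      ("2.7.0", "2.7.8")],
}


def parse_version(text: str) -> Version:
    """Turn '2.8.5' (or 'v2.8.5') into (2, 8, 5).

    A pre-release suffix such as '3.0.0-beta1' is dropped, so a beta is
    treated like its final release; that errs on the side of reporting.
    """
    core = text.split("-", 1)[0].lstrip("v")
    return tuple(int(part) for part in core.split("."))


def affected_by(installed: str) -> List[str]:
    """Return the sorted CVE ids whose affected ranges cover `installed`."""
    version = parse_version(installed)
    hits = []
    for cve, ranges in ADVISORIES.items():
        for low, high in ranges:
            # Tuple comparison orders (2, 3, 36) < (2, 3, 40) correctly,
            # unlike a plain string comparison of "2.3.36" and "2.3.4".
            if parse_version(low) <= version <= parse_version(high):
                hits.append(cve)
                break
    return sorted(hits)


if __name__ == "__main__":
    for ver in ("2.3.36", "2.8.6", "3.0.5"):
        print(ver, affected_by(ver) or "no known advisories in this list")
```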
This work, including the code samples, is licensed under a Creative Commons BY-SA 3.0 license.