Symfony 2.3.x before 2.3.35, 2.6.x before 2.6.12, and 2.7.x before 2.7.7 might allow remote attackers to have unspecified impact via a timing attack involving the (1) Symfony/Component/Security/Http/RememberMe/PersistentTokenBasedRememberMeServices or (2) Symfony/Component/Security/Http/Firewall/DigestAuthenticationListener class in the Symfony Security Component, or (3) legacy CSRF implementation from the Symfony/Component/Form/Extension/Csrf/CsrfProvider/DefaultCsrfProvider class in the Symfony Form component.
Affected Software
| Name | Vendor | Start Version | End Version |
|---|---|---|---|
| Symfony | Sensiolabs | 2.3.0 (including) | 2.3.0 (including) |
| Symfony | Sensiolabs | 2.3.1 (including) | 2.3.1 (including) |
| Symfony | Sensiolabs | 2.3.2 (including) | 2.3.2 (including) |
| Symfony | Sensiolabs | 2.3.3 (including) | 2.3.3 (including) |
| Symfony | Sensiolabs | 2.3.4 (including) | 2.3.4 (including) |
| Symfony | Sensiolabs | 2.3.5 (including) | 2.3.5 (including) |
| Symfony | Sensiolabs | 2.3.6 (including) | 2.3.6 (including) |
| Symfony | Sensiolabs | 2.3.7 (including) | 2.3.7 (including) |
| Symfony | Sensiolabs | 2.3.8 (including) | 2.3.8 (including) |
| Symfony | Sensiolabs | 2.3.9 (including) | 2.3.9 (including) |
| Symfony | Sensiolabs | 2.3.10 (including) | 2.3.10 (including) |
| Symfony | Sensiolabs | 2.3.11 (including) | 2.3.11 (including) |
| Symfony | Sensiolabs | 2.3.12 (including) | 2.3.12 (including) |
| Symfony | Sensiolabs | 2.3.13 (including) | 2.3.13 (including) |
| Symfony | Sensiolabs | 2.3.14 (including) | 2.3.14 (including) |
| Symfony | Sensiolabs | 2.3.15 (including) | 2.3.15 (including) |
| Symfony | Sensiolabs | 2.3.16 (including) | 2.3.16 (including) |
| Symfony | Sensiolabs | 2.3.17 (including) | 2.3.17 (including) |
| Symfony | Sensiolabs | 2.3.18 (including) | 2.3.18 (including) |
| Symfony | Sensiolabs | 2.3.19 (including) | 2.3.19 (including) |
| Symfony | Sensiolabs | 2.3.20 (including) | 2.3.20 (including) |
| Symfony | Sensiolabs | 2.3.21 (including) | 2.3.21 (including) |
| Symfony | Sensiolabs | 2.3.22 (including) | 2.3.22 (including) |
| Symfony | Sensiolabs | 2.3.23 (including) | 2.3.23 (including) |
| Symfony | Sensiolabs | 2.3.24 (including) | 2.3.24 (including) |
| Symfony | Sensiolabs | 2.3.25 (including) | 2.3.25 (including) |
| Symfony | Sensiolabs | 2.3.26 (including) | 2.3.26 (including) |
| Symfony | Sensiolabs | 2.3.27 (including) | 2.3.27 (including) |
| Symfony | Sensiolabs | 2.3.28 (including) | 2.3.28 (including) |
| Symfony | Sensiolabs | 2.3.29 (including) | 2.3.29 (including) |
| Symfony | Sensiolabs | 2.3.30 (including) | 2.3.30 (including) |
| Symfony | Sensiolabs | 2.3.31 (including) | 2.3.31 (including) |
| Symfony | Sensiolabs | 2.3.32 (including) | 2.3.32 (including) |
| Symfony | Sensiolabs | 2.3.33 (including) | 2.3.33 (including) |
| Symfony | Sensiolabs | 2.3.34 (including) | 2.3.34 (including) |
| Symfony | Sensiolabs | 2.6.0 (including) | 2.6.0 (including) |
| Symfony | Sensiolabs | 2.6.1 (including) | 2.6.1 (including) |
| Symfony | Sensiolabs | 2.6.2 (including) | 2.6.2 (including) |
| Symfony | Sensiolabs | 2.6.3 (including) | 2.6.3 (including) |
| Symfony | Sensiolabs | 2.6.4 (including) | 2.6.4 (including) |
| Symfony | Sensiolabs | 2.6.5 (including) | 2.6.5 (including) |
| Symfony | Sensiolabs | 2.6.6 (including) | 2.6.6 (including) |
| Symfony | Sensiolabs | 2.6.7 (including) | 2.6.7 (including) |
| Symfony | Sensiolabs | 2.6.8 (including) | 2.6.8 (including) |
| Symfony | Sensiolabs | 2.6.9 (including) | 2.6.9 (including) |
| Symfony | Sensiolabs | 2.6.10 (including) | 2.6.10 (including) |
| Symfony | Sensiolabs | 2.6.11 (including) | 2.6.11 (including) |
| Symfony | Sensiolabs | 2.7.0 (including) | 2.7.0 (including) |
| Symfony | Sensiolabs | 2.7.1 (including) | 2.7.1 (including) |
| Symfony | Sensiolabs | 2.7.2 (including) | 2.7.2 (including) |
| Symfony | Sensiolabs | 2.7.3 (including) | 2.7.3 (including) |
| Symfony | Sensiolabs | 2.7.4 (including) | 2.7.4 (including) |
| Symfony | Sensiolabs | 2.7.5 (including) | 2.7.5 (including) |
| Symfony | Sensiolabs | 2.7.6 (including) | 2.7.6 (including) |
| Symfony | Ubuntu | artful | * |
| Symfony | Ubuntu | upstream | * |
| Symfony | Ubuntu | vivid | * |
| Symfony | Ubuntu | wily | * |
| Symfony | Ubuntu | yakkety | * |
| Symfony | Ubuntu | zesty | * |
References
- http://lists.fedoraproject.org/pipermail/package-announce/2015-December/173271.html
- http://lists.fedoraproject.org/pipermail/package-announce/2015-December/173300.html
- http://www.debian.org/security/2015/dsa-3402
- http://www.securityfocus.com/bid/77692
- https://symfony.com/blog/cve-2015-8125-potential-remote-timing-attack-vulnerability-in-security-remember-me-service
- http://lists.fedoraproject.org/pipermail/package-announce/2015-December/173271.html
- http://lists.fedoraproject.org/pipermail/package-announce/2015-December/173300.html
- http://www.debian.org/security/2015/dsa-3402
- http://www.securityfocus.com/bid/77692
- https://symfony.com/blog/cve-2015-8125-potential-remote-timing-attack-vulnerability-in-security-remember-me-service