
Bug#1000645: bullseye-pu: package symfony/4.4.19+dfsg-2+deb11u1


David Prévot

Nov 26, 2021, 6:50:03 AM
Package: release.debian.org
Severity: normal
Tags: bullseye
User: release.d...@packages.debian.org
Usertags: pu

Hi,

Thanks in advance for accepting this short update.

* Prevent CSV injection via formulas [CVE-2021-41270]

[ Reason ]
The security issue was introduced in 4.1 (buster shipped with
3.4). The security team decided it doesn’t warrant a DSA.

[ Impact ]
It makes applications depending on php-symfony-serializer vulnerable to
CSV injection.

[ Tests ]
The testsuite was fixed and extended in the applied patch. The testsuite
is run at build time and via autopkgtest.

[ Risks ]
The code changed is trivial, the upstream patch was applied directly, and the
php-symfony-serializer binary package actually shipping the code does not
have many reverse dependencies.

[ Checklist ]
[x] *all* changes are documented in the d/changelog
[x] I reviewed all changes and I approve them
[x] attach debdiff against the package in (old)stable
[x] the issue is verified as fixed in unstable

[ Changes ]
The escape character (\t) chosen in Symfony 4.1 for CSV formula has
recently been added as a character starting a formula. The fix adds \t
and \r among the characters starting a formula, and uses a single quote
(') to escape them, following OWASP recommendations.

[ Other info ]
Version 4.4.19+dfsg-3 (similar to the one I’m proposing here) was
uploaded to unstable, but didn’t last long: version 5 (also fixing the
issue) was uploaded soon after.

Regards

David

https://symfony.com/blog/cve-2021-41270-prevent-csv-injection-via-formulas
symfony.diff
signature.asc
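The two escaping strategies the report contrasts, as an added worked example that is not part of the bug report, the Debian upload or Symfony's own CsvEncoder code. The pre-fix strategy prefixes a tab to any cell that starts with a formula character; the fixed strategy also treats tab and carriage return as formula starters and prefixes a single quote instead, as OWASP recommends. The set of "classic" formula starters (=, +, -, @) used here is an assumption, since the report does not list them; the payloads and rows are constructed sample data.

```python
import csv
import io

# Characters a spreadsheet application treats as the start of a formula.
# The "classic" set below is an assumption (the OWASP list), not copied from
# Symfony; the bug report only says that "\t" and "\r" were added to it.
FORMULA_STARTERS_OLD = ("=", "+", "-", "@")
FORMULA_STARTERS_FIXED = FORMULA_STARTERS_OLD + ("\t", "\r")


def escape_old(value: str) -> str:
    """Pre-fix strategy described in the report: neutralise a formula by
    prefixing a tab. Broken once spreadsheets started treating a leading
    tab as a formula starter itself."""
    if value.startswith(FORMULA_STARTERS_OLD):
        return "\t" + value
    return value


def escape_fixed(value: str) -> str:
    """Post-fix strategy: tab and CR also start a formula, and the escape
    character is a single quote, which spreadsheets render as text."""
    if value.startswith(FORMULA_STARTERS_FIXED):
        return "'" + value
    return value


def encode_rows(rows, escape=escape_fixed) -> str:
    """Encode rows to CSV text (Excel dialect: comma separated, CRLF line
    ends), applying the chosen escape function to every string cell."""
    buf = io.StringIO()
    writer = csv.writer(buf)
    for row in rows:
        writer.writerow([escape(c) if isinstance(c, str) else c for c in row])
    return buf.getvalue()


def formula_cells(csv_text: str, starters=FORMULA_STARTERS_FIXED):
    """Audit helper: parse CSV text back and return (row, col) of every cell
    a current spreadsheet would still interpret as a formula."""
    found = []
    for r, row in enumerate(csv.reader(io.StringIO(csv_text))):
        for c, cell in enumerate(row):
            if cell.startswith(starters):
                found.append((r, c))
    return found


# Constructed sample export: one classic formula cell and one whose payload
# already begins with a tab (the case the old escape never covered).
SAMPLE_ROWS = [
    ["name", "amount"],
    ["=SUM(A1:A3)", "10"],
    ["\t=1+1", "20"],
]

if __name__ == "__main__":
    old = encode_rows(SAMPLE_ROWS, escape_old)
    fixed = encode_rows(SAMPLE_ROWS, escape_fixed)
    print("old escape leaves formula cells at:", formula_cells(old))
    print("fixed escape leaves formula cells at:", formula_cells(fixed))
```

Two caveats worth keeping in mind when applying this in an application: the leading apostrophe is real data, so anything that re-parses the CSV (rather than opening it in a spreadsheet) will see it and may need to strip it, and any string starting with "-" is escaped too, which includes negative numbers serialised as strings.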

Adam D. Barratt

Dec 4, 2021, 12:20:02 PM
Control: tags -1 + confirmed

On Fri, 2021-11-26 at 07:40 -0400, David Prévot wrote:
> * Prevent CSV injection via formulas [CVE-2021-41270]
>
> [ Reason ]
> The security issue was introduced in 4.1 (buster shipped with
> 3.4). The security team decided it doesn’t warrant a DSA.
>
> [ Impact ]
> It makes applications depending on php-symfony-serializer vulnerable
> to
> CSV injection.
>

+symfony (4.4.19+dfsg-2+deb11u1) stable; urgency=medium

We generally prefer using codenames (so "bullseye") as the
distribution, as it's more self-documenting over time (and doesn't have
unexpected side-effects if an update is uploaded and accepted on
opposite sides of a release occurring).

Please go ahead.

Regards,

Adam

Debian Bug Tracking System

Dec 4, 2021, 12:20:03 PM
Processing control commands:

> tags -1 + confirmed
Bug #1000645 [release.debian.org] bullseye-pu: package symfony/4.4.19+dfsg-2+deb11u1
Added tag(s) confirmed.

--
1000645: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1000645
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems

David Prévot

Dec 4, 2021, 4:00:02 PM
Hi Adam,

Le 04/12/2021 à 13:13, Adam D. Barratt a écrit :
> On Fri, 2021-11-26 at 07:40 -0400, David Prévot wrote:
[…]
> +symfony (4.4.19+dfsg-2+deb11u1) stable; urgency=medium
>
> We generally prefer using codenames (so "bullseye")

Sorry, I used to know that…

> Please go ahead.

Thanks, uploaded (with changelog updated).

Regards

David

David Prévot

Dec 20, 2021, 7:00:03 AM
Le Sat, Dec 04, 2021 at 04:12:01PM -0400, David Prévot a écrit :
[…]
> Thanks, uploaded (with changelog updated).

Really uploaded now, seems like I failed to actually upload two weeks
ago, sorry about that.

Regards

David
signature.asc

Adam D Barratt

Dec 24, 2021, 11:10:02 AM
package release.debian.org
tags 1000645 = bullseye pending
thanks

Hi,

The upload referenced by this bug report has been flagged for acceptance into the proposed-updates queue for Debian bullseye.

Thanks for your contribution!

Upload details
==============

Package: symfony
Version: 4.4.19+dfsg-2+deb11u1

Explanation: fix CSV injection issue [CVE-2021-41270]

Debian Bug Tracking System

Dec 24, 2021, 11:10:03 AM
Processing commands for con...@bugs.debian.org:

> package release.debian.org
Limiting to bugs with field 'package' containing at least one of 'release.debian.org'
Limit currently set to 'package':'release.debian.org'

> tags 1000645 = bullseye pending
Bug #1000645 [release.debian.org] bullseye-pu: package symfony/4.4.19+dfsg-2+deb11u1
Added tag(s) pending; removed tag(s) confirmed.
> thanks
Stopping processing here.

Please contact me if you need assistance.

Debian Bug Tracking System

Mar 26, 2022, 8:10:04 AM
Your message dated Sat, 26 Mar 2022 11:59:13 +0000
with message-id <c4d20274f6d76a43fb574d2...@adam-barratt.org.uk>
and subject line Closing p-u requests for updates in 11.3
has caused the Debian Bug report #1000645,
regarding bullseye-pu: package symfony/4.4.19+dfsg-2+deb11u1
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
symfony.diff
signature.asc