CVE-2019-18889 - Code Injection vulnerability in multiple products

CVSS 9.8 - CRITICAL

  • Attack vector: NETWORK
  • Attack complexity: LOW
  • Privileges required: NONE
  • Confidentiality impact: HIGH
  • Integrity impact: HIGH
  • Availability impact: HIGH

Tags: network, low complexity, sensiolabs, fedoraproject, CWE-94, critical, nessus

Summary

An issue was discovered in Symfony 3.4.0 through 3.4.34, 4.2.0 through 4.2.11, and 4.3.0 through 4.3.7. Serializing certain cache adapter interfaces could result in remote code injection. This is related to symfony/cache.

Vulnerable Configurations

Part         Description    Count
Application  Sensiolabs     67
OS           Fedoraproject  1

Common Attack Pattern Enumeration and Classification (CAPEC)

  • Leverage Executable Code in Non-Executable Files
    An attack of this type exploits a system's trust in configuration and resource files. When the executable loads the resource (such as an image file or configuration file), the attacker has modified the file to either execute malicious code directly or manipulate the target process (e.g. application server) to execute based on the malicious configuration parameters. Since systems are increasingly interrelated, mashing up resources from local and remote sources, the possibility of this attack occurring is high. The attack can be directed at a client system, such as causing a buffer overrun through loading seemingly benign image files, as in Microsoft Security Bulletin MS04-028, where specially crafted JPEG files could cause a buffer overrun once loaded into the browser. Another example targets clients reading PDF files. In this case the attacker simply appends JavaScript to the end of a legitimate URL for a PDF (http://www.gnucitizen.org/blog/danger-danger-danger/): http://path/to/pdf/file.pdf#whatever_name_you_want=javascript:your_code_here The client assumes that they are reading a PDF, but the attacker has modified the resource and loaded executable JavaScript into the client's browser process. The attack can also target server processes. The attacker edits the resource or configuration file, for example a web.xml file used to configure security permissions for a J2EE app server; adding the role name "public" grants all users with the public role the ability to use the administration functionality. The server trusts its configuration file to be correct, but when it is manipulated, the attacker gains full control.
  • Manipulating User-Controlled Variables
    This attack targets user-controlled variables (DEBUG=1, PHP globals, and so forth). An attacker can override environment variables by leveraging user-supplied, untrusted query variables that are used directly on the application server without any data sanitization. In extreme cases, the attacker can change variables controlling the business logic of the application. For instance, in languages like PHP, a number of poorly set default configurations may allow the user to override variables.

Nessus

  • NASL family: Fedora Local Security Checks
    NASL id: FEDORA_2019-8B0BA02338.NASL
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 131202
    published: 2019-11-22
    reporter: This script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/131202
    title: Fedora 31 : php-symfony3 (2019-8b0ba02338)
    code:
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were  
    # extracted from Fedora Security Advisory FEDORA-2019-8b0ba02338.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(131202);
      script_version("1.4");
      script_cvs_date("Date: 2019/12/09");
    
      script_cve_id("CVE-2019-18887", "CVE-2019-18888", "CVE-2019-18889");
      script_xref(name:"FEDORA", value:"2019-8b0ba02338");
    
      script_name(english:"Fedora 31 : php-symfony3 (2019-8b0ba02338)");
      script_summary(english:"Checks rpm output for the updated package.");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote Fedora host is missing a security update."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "**Version 3.4.35** (2019-11-13)
    
      - bug #34344 [Console] Constant STDOUT might be undefined
        (nicolas-grekas)
    
      - security #cve-2019-18889 [Cache] forbid serializing
        AbstractAdapter and TagAwareAdapter instances
        (nicolas-grekas)
    
      - security #cve-2019-18888 [HttpFoundation] fix guessing
        mime-types of files with leading dash (nicolas-grekas)
    
      - security #cve-2019-18887 [HttpKernel] Use constant time
        comparison in UriSigner (stof)
    
    ----
    
    **Version 3.4.34** (2019-11-11)
    
      - bug #34297 [DI] fix locators with numeric keys
        (nicolas-grekas)
    
      - bug #34282 [DI] Dont cache classes with missing parents
        (nicolas-grekas)
    
      - bug #34181 [Stopwatch] Fixed bug in getDuration when
        counting multiple ongoing periods (TimoBakx)
    
      - bug #34179 [Stopwatch] Fixed a bug in
        StopwatchEvent::getStartTime (TimoBakx)
    
      - bug #34203 [FrameworkBundle] [HttpKernel] fixed correct
        EOL and EOM month (erics86)
    
    ----
    
    **Version 3.4.33** (2019-11-01)
    
      - bug #33998 [Config] Disable default alphabet sorting in
        glob function due of unstable sort (hurricane-voronin)
    
      - bug #34144 [Serializer] Improve messages for unexpected
        resources values (fancyweb)
    
      - bug #34080 [SecurityBundle] correct types for default
        arguments for firewall configs (shieldo)
    
      - bug #33999 [Form] Make sure to collect child forms
        created on *_SET_DATA events (yceruto)
    
      - bug #34021 [TwigBridge] do not render errors for
        checkboxes twice (xabbuh)
    
      - bug #34041 [HttpKernel] fix wrong removal of the just
        generated container dir (nicolas-grekas)
    
      - bug #34023 [Dotenv] allow LF in single-quoted strings
        (nicolas-grekas)
    
      - bug #33818 [Yaml] Throw exception for tagged invalid
        inline elements (gharlan)
    
      - bug #33948 [PropertyInfo] Respect property name case
        when guessing from public method name (antograssiot)
    
      - bug #33962 [Cache] fixed TagAwareAdapter returning
        invalid cache (v-m-i)
    
      - bug #33965 [HttpFoundation] Add plus character `+` to
        legal mime subtype (ilzrv)
    
      - bug #32943 [Dotenv] search variable values in ENV first
        then env file (soufianZantar)
    
      - bug #33943 [VarDumper] fix resetting the 'bold' state in
        CliDumper (nicolas-grekas)
    
    ----
    
    **Version 3.4.32** (2019-10-07)
    
      - bug #33834 [Validator] Fix ValidValidator group
        cascading usage (fancyweb)
    
      - bug #33841 [VarDumper] fix dumping uninitialized
        SplFileInfo (nicolas-grekas)
    
      - bug #33799 [Security]: Don't let falsy usernames slip
        through impersonation (j4nr6n)
    
      - bug #33814 [HttpFoundation] Check if data passed to
        SessionBagProxy::initialize is an array (mynameisbogdan)
    
      - bug #33805 [FrameworkBundle] Fix wrong returned status
        code in ConfigDebugCommand (jschaedl)
    
      - bug #33781 [AnnotationCacheWarmer] add
        RedirectController to annotation cache (jenschude)
    
      - bug #33777 Fix the :only-of-type pseudo class selector
        (jakzal)
    
      - bug #32051 [Serializer] Add CsvEncoder tests for PHP 7.4
        (ro0NL)
    
      - feature #33776 Copy phpunit.xsd to a predictable path
        (julienfalque)
    
      - bug #33759 [Security/Http] fix parsing X509 emailAddress
        (nicolas-grekas)
    
      - bug #33733 [Serializer] fix denormalization of
        string-arrays with only one element (mkrauser)
    
      - bug #33754 [Cache] fix known tag versions ttl check
        (SwenVanZanten)
    
      - bug #33646 [HttpFoundation] allow additinal characters
        in not raw cookies (marie)
    
      - bug #33748 [Console] Do not include hidden commands in
        suggested alternatives (m-vo)
    
      - bug #33625 [DependencyInjection] Fix wrong exception
        when service is synthetic (k0d3r1s)
    
      - bug #32522 [Validator] Accept underscores in the URL
        validator, as the URL will load (battye)
    
      - bug #32437 Fix toolbar load when GET params are present
        in '_wdt' route (Molkobain)
    
      - bug #32925 [Translation] Collect original locale in case
        of fallback translation (digilist)
    
      - bug #31198 [FrameworkBundle] Fix framework bundle lock
        configuration not working as expected (HypeMC)
    
      - bug #33719 [Cache] dont override native Memcached
        options (nicolas-grekas)
    
      - bug #33675 [PhpUnit] Fix usleep mock return value
        (fabpot)
    
      - bug #33618 fix tests depending on other components'
        tests (xabbuh)
    
      - bug #33626 [PropertyInfo] ensure compatibility with type
        resolver 0.5 (xabbuh)
    
      - bug #33620 [Twig] Fix Twig config extra keys (fabpot)
    
      - bug #33571 [Inflector] add support 'see' to 'ee' for
        singularize 'fees' to 'fee' (maxhelias)
    
      - bug #32763 [Console] Get dimensions from stty on windows
        if possible (rtek)
    
      - bug #33518 [Yaml] don't dump a scalar tag value on its
        own line (xabbuh)
    
      - bug #32818 [HttpKernel] Fix getFileLinkFormat() to avoid
        returning the wrong URL in Profiler (Arman-Hosseini)
    
      - bug #33487 [HttpKernel] Fix Apache mod_expires Session
        Cache-Control issue (pbowyer)
    
      - bug #33439 [Validator] Sync string to date behavior and
        throw a better exception (fancyweb)
    
      - bug #32903 [PHPUnit Bridge] Avoid registering listener
        twice (alexpott)
    
      - bug #33402 [Finder] Prevent unintentional file locks in
        Windows (jspringe)
    
      - bug #33396 Fix #33395 PHP 5.3 compatibility
        (kylekatarnls)
    
      - bug #33385 [Console] allow Command::getName() to return
        null (nicolas-grekas)
    
      - bug #33353 Return null as Expire header if it was set to
        null (danrot)
    
      - bug #33382 [ProxyManager] remove
        ProxiedMethodReturnExpression polyfill (nicolas-grekas)
    
      - bug #33377 [Yaml] fix dumping not inlined scalar tag
        values (xabbuh)
    
    ----
    
    **Version 3.4.31** (2019-08-26)
    
      - bug #33335 [DependencyInjection] Fixed the
        `getServiceIds` implementation to always return aliases
        (pdommelen)
    
      - bug #33244 [Router] Fix TraceableUrlMatcher behaviour
        with trailing slash (Xavier Leune)
    
      - bug #33172 [Console] fixed a PHP notice when there is no
        function in the stack trace of an Exception (fabpot)
    
      - bug #33157 Fix getMaxFilesize() returning zero (ausi)
    
      - bug #33139 [Intl] Cleanup unused language aliases entry
        (ro0NL)
    
      - bug #33066 [Serializer] Fix negative DateInterval
        (jderusse)
    
      - bug #33033 [Lock] consistently throw NotSupportException
        (xabbuh)
    
      - bug #32516 [FrameworkBundle][Config] Ignore exceptions
        thrown during reflection classes autoload (fancyweb)
    
      - bug #32981 Fix tests/code for php 7.4 (jderusse)
    
      - bug #32992 [ProxyManagerBridge] Polyfill for
        unmaintained version (jderusse)
    
      - bug #32933 [PhpUnitBridge] fixed PHPUnit 8.3
        compatibility: method handleError was renamed to
        __invoke (karser)
    
      - bug #32947 [Intl] Support DateTimeInterface in
        IntlDateFormatter::format (pierredup)
    
      - bug #32838 [FrameworkBundle] Detect indirect env vars in
        routing (ro0NL)
    
      - bug #32918 [Intl] Order alpha2 to alpha3 mapping (ro0NL)
    
      - bug #32902 [PhpUnitBridge] Allow sutFqcnResolver to
        return array (VincentLanglet)
    
      - bug #32682 [HttpFoundation] Revert getClientIp @return
        docblock (ossinkine)
    
      - bug #32910 [Yaml] PHP-8: Uncaught TypeError: abs()
        expects parameter 1 to be int or float, string given
        (Aleksandr Dankovtsev)
    
      - bug #32870 #32853 Check if $this->parameters is array.
        (ABGEO07)
    
      - bug #32868 [PhpUnitBridge] Allow symfony/phpunit-bridge
        > 4.2 to be installed with phpunit 4.8 (jderusse)
    
      - bug #32767 [Yaml] fix comment in multi line value
        (soufianZantar)
    
      - bug #32790 [HttpFoundation] Fix `getMaxFilesize`
        (bennyborn)
    
      - bug #32796 [Cache] fix warning on PHP 7.4 (jpauli)
    
      - bug #32806 [Console] fix warning on PHP 7.4 (rez1dent3)
    
      - bug #32809 Don't add object-value of static properties
        in the signature of container metadata-cache (arjenm)
    
      - bug #30096 [DI] Fix dumping Doctrine-like service graphs
        (bis) (weaverryan, nicolas-grekas)
    
      - bug #32799 [HttpKernel] do not stopwatch sections when
        profiler is disabled (Tobion)
    
    ----
    
    **Packaging changes**
    
      - One distinct autoloader for each component.
    
    Note that Tenable Network Security has extracted the preceding
    description block directly from the Fedora update system website.
    Tenable has attempted to automatically clean and format it as much as
    possible without introducing additional issues."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bodhi.fedoraproject.org/updates/FEDORA-2019-8b0ba02338"
      );
      script_set_attribute(
        attribute:"solution", 
        value:"Update the affected php-symfony3 package."
      );
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
      script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");
      script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fedoraproject:fedora:php-symfony3");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:fedoraproject:fedora:31");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2019/11/21");
      script_set_attribute(attribute:"patch_publication_date", value:"2019/11/22");
      script_set_attribute(attribute:"plugin_publication_date", value:"2019/11/22");
      script_set_attribute(attribute:"generated_plugin", value:"current");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"Fedora Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/RedHat/release", "Host/RedHat/rpm-list");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("rpm.inc");
    
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    release = get_kb_item("Host/RedHat/release");
    if (isnull(release) || "Fedora" >!< release) audit(AUDIT_OS_NOT, "Fedora");
    os_ver = pregmatch(pattern: "Fedora.*release ([0-9]+)", string:release);
    if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Fedora");
    os_ver = os_ver[1];
    if (! preg(pattern:"^31([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "Fedora 31", "Fedora " + os_ver);
    
    if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Fedora", cpu);
    
    
    flag = 0;
    if (rpm_check(release:"FC31", reference:"php-symfony3-3.4.35-2.fc31")) flag++;
    
    
    if (flag)
    {
      security_report_v4(
        port       : 0,
        severity   : SECURITY_HOLE,
        extra      : rpm_report_get()
      );
      exit(0);
    }
    else
    {
      tested = pkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "php-symfony3");
    }
    
  • NASL family: Debian Local Security Checks
    NASL id: DEBIAN_DSA-4573.NASL
    description: Multiple vulnerabilities have been found in the Symfony PHP framework which could lead to a timing attack/information leak, argument injection and code execution via unserialization.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 131141
    published: 2019-11-20
    reporter: This script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/131141
    title: Debian DSA-4573-1 : symfony - security update
    code:
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were  
    # extracted from Debian Security Advisory DSA-4573. The text 
    # itself is copyright (C) Software in the Public Interest, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(131141);
      script_version("1.3");
      script_cvs_date("Date: 2019/12/09");
    
      script_cve_id("CVE-2019-18887", "CVE-2019-18888", "CVE-2019-18889");
      script_xref(name:"DSA", value:"4573");
    
      script_name(english:"Debian DSA-4573-1 : symfony - security update");
      script_summary(english:"Checks dpkg output for the updated package");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote Debian host is missing a security-related update."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "Multiple vulnerabilities have been found in the Symfony PHP framework
    which could lead to a timing attack/information leak, argument
    injection and code execution via unserialization."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://security-tracker.debian.org/tracker/source-package/symfony"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://packages.debian.org/source/stretch/symfony"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://packages.debian.org/source/buster/symfony"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://www.debian.org/security/2019/dsa-4573"
      );
      script_set_attribute(
        attribute:"solution", 
        value:
    "Upgrade the symfony packages.
    
    For the oldstable distribution (stretch), these problems have been
    fixed in version 2.8.7+dfsg-1.3+deb9u3.
    
    For the stable distribution (buster), these problems have been fixed
    in version 3.4.22+dfsg-2+deb10u1."
      );
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
      script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");
      script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:symfony");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:debian:debian_linux:10.0");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:debian:debian_linux:9.0");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2019/11/21");
      script_set_attribute(attribute:"patch_publication_date", value:"2019/11/18");
      script_set_attribute(attribute:"plugin_publication_date", value:"2019/11/20");
      script_set_attribute(attribute:"generated_plugin", value:"current");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"Debian Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/Debian/release", "Host/Debian/dpkg-l");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("debian_package.inc");
    
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    if (!get_kb_item("Host/Debian/release")) audit(AUDIT_OS_NOT, "Debian");
    if (!get_kb_item("Host/Debian/dpkg-l")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    
    flag = 0;
    if (deb_check(release:"10.0", prefix:"php-symfony", reference:"3.4.22+dfsg-2+deb10u1")) flag++;
    if (deb_check(release:"10.0", prefix:"php-symfony-asset", reference:"3.4.22+dfsg-2+deb10u1")) flag++;
    if (deb_check(release:"10.0", prefix:"php-symfony-browser-kit", reference:"3.4.22+dfsg-2+deb10u1")) flag++;
    if (deb_check(release:"10.0", prefix:"php-symfony-cache", reference:"3.4.22+dfsg-2+deb10u1")) flag++;
    if (deb_check(release:"10.0", prefix:"php-symfony-class-loader", reference:"3.4.22+dfsg-2+deb10u1")) flag++;
    if (deb_check(release:"10.0", prefix:"php-symfony-config", reference:"3.4.22+dfsg-2+deb10u1")) flag++;
    if (deb_check(release:"10.0", prefix:"php-symfony-console", reference:"3.4.22+dfsg-2+deb10u1")) flag++;
    if (deb_check(release:"10.0", prefix:"php-symfony-css-selector", reference:"3.4.22+dfsg-2+deb10u1")) flag++;
    if (deb_check(release:"10.0", prefix:"php-symfony-debug", reference:"3.4.22+dfsg-2+deb10u1")) flag++;
    if (deb_check(release:"10.0", prefix:"php-symfony-debug-bundle", reference:"3.4.22+dfsg-2+deb10u1")) flag++;
    if (deb_check(release:"10.0", prefix:"php-symfony-dependency-injection", reference:"3.4.22+dfsg-2+deb10u1")) flag++;
    if (deb_check(release:"10.0", prefix:"php-symfony-doctrine-bridge", reference:"3.4.22+dfsg-2+deb10u1")) flag++;
    if (deb_check(release:"10.0", prefix:"php-symfony-dom-crawler", reference:"3.4.22+dfsg-2+deb10u1")) flag++;
    if (deb_check(release:"10.0", prefix:"php-symfony-dotenv", reference:"3.4.22+dfsg-2+deb10u1")) flag++;
    if (deb_check(release:"10.0", prefix:"php-symfony-event-dispatcher", reference:"3.4.22+dfsg-2+deb10u1")) flag++;
    if (deb_check(release:"10.0", prefix:"php-symfony-expression-language", reference:"3.4.22+dfsg-2+deb10u1")) flag++;
    if (deb_check(release:"10.0", prefix:"php-symfony-filesystem", reference:"3.4.22+dfsg-2+deb10u1")) flag++;
    if (deb_check(release:"10.0", prefix:"php-symfony-finder", reference:"3.4.22+dfsg-2+deb10u1")) flag++;
    if (deb_check(release:"10.0", prefix:"php-symfony-form", reference:"3.4.22+dfsg-2+deb10u1")) flag++;
    if (deb_check(release:"10.0", prefix:"php-symfony-framework-bundle", reference:"3.4.22+dfsg-2+deb10u1")) flag++;
    if (deb_check(release:"10.0", prefix:"php-symfony-http-foundation", reference:"3.4.22+dfsg-2+deb10u1")) flag++;
    if (deb_check(release:"10.0", prefix:"php-symfony-http-kernel", reference:"3.4.22+dfsg-2+deb10u1")) flag++;
    if (deb_check(release:"10.0", prefix:"php-symfony-inflector", reference:"3.4.22+dfsg-2+deb10u1")) flag++;
    if (deb_check(release:"10.0", prefix:"php-symfony-intl", reference:"3.4.22+dfsg-2+deb10u1")) flag++;
    if (deb_check(release:"10.0", prefix:"php-symfony-ldap", reference:"3.4.22+dfsg-2+deb10u1")) flag++;
    if (deb_check(release:"10.0", prefix:"php-symfony-lock", reference:"3.4.22+dfsg-2+deb10u1")) flag++;
    if (deb_check(release:"10.0", prefix:"php-symfony-monolog-bridge", reference:"3.4.22+dfsg-2+deb10u1")) flag++;
    if (deb_check(release:"10.0", prefix:"php-symfony-options-resolver", reference:"3.4.22+dfsg-2+deb10u1")) flag++;
    if (deb_check(release:"10.0", prefix:"php-symfony-phpunit-bridge", reference:"3.4.22+dfsg-2+deb10u1")) flag++;
    if (deb_check(release:"10.0", prefix:"php-symfony-process", reference:"3.4.22+dfsg-2+deb10u1")) flag++;
    if (deb_check(release:"10.0", prefix:"php-symfony-property-access", reference:"3.4.22+dfsg-2+deb10u1")) flag++;
    if (deb_check(release:"10.0", prefix:"php-symfony-property-info", reference:"3.4.22+dfsg-2+deb10u1")) flag++;
    if (deb_check(release:"10.0", prefix:"php-symfony-proxy-manager-bridge", reference:"3.4.22+dfsg-2+deb10u1")) flag++;
    if (deb_check(release:"10.0", prefix:"php-symfony-routing", reference:"3.4.22+dfsg-2+deb10u1")) flag++;
    if (deb_check(release:"10.0", prefix:"php-symfony-security", reference:"3.4.22+dfsg-2+deb10u1")) flag++;
    if (deb_check(release:"10.0", prefix:"php-symfony-security-bundle", reference:"3.4.22+dfsg-2+deb10u1")) flag++;
    if (deb_check(release:"10.0", prefix:"php-symfony-security-core", reference:"3.4.22+dfsg-2+deb10u1")) flag++;
    if (deb_check(release:"10.0", prefix:"php-symfony-security-csrf", reference:"3.4.22+dfsg-2+deb10u1")) flag++;
    if (deb_check(release:"10.0", prefix:"php-symfony-security-guard", reference:"3.4.22+dfsg-2+deb10u1")) flag++;
    if (deb_check(release:"10.0", prefix:"php-symfony-security-http", reference:"3.4.22+dfsg-2+deb10u1")) flag++;
    if (deb_check(release:"10.0", prefix:"php-symfony-serializer", reference:"3.4.22+dfsg-2+deb10u1")) flag++;
    if (deb_check(release:"10.0", prefix:"php-symfony-stopwatch", reference:"3.4.22+dfsg-2+deb10u1")) flag++;
    if (deb_check(release:"10.0", prefix:"php-symfony-templating", reference:"3.4.22+dfsg-2+deb10u1")) flag++;
    if (deb_check(release:"10.0", prefix:"php-symfony-translation", reference:"3.4.22+dfsg-2+deb10u1")) flag++;
    if (deb_check(release:"10.0", prefix:"php-symfony-twig-bridge", reference:"3.4.22+dfsg-2+deb10u1")) flag++;
    if (deb_check(release:"10.0", prefix:"php-symfony-twig-bundle", reference:"3.4.22+dfsg-2+deb10u1")) flag++;
    if (deb_check(release:"10.0", prefix:"php-symfony-validator", reference:"3.4.22+dfsg-2+deb10u1")) flag++;
    if (deb_check(release:"10.0", prefix:"php-symfony-var-dumper", reference:"3.4.22+dfsg-2+deb10u1")) flag++;
    if (deb_check(release:"10.0", prefix:"php-symfony-web-link", reference:"3.4.22+dfsg-2+deb10u1")) flag++;
    if (deb_check(release:"10.0", prefix:"php-symfony-web-profiler-bundle", reference:"3.4.22+dfsg-2+deb10u1")) flag++;
    if (deb_check(release:"10.0", prefix:"php-symfony-web-server-bundle", reference:"3.4.22+dfsg-2+deb10u1")) flag++;
    if (deb_check(release:"10.0", prefix:"php-symfony-workflow", reference:"3.4.22+dfsg-2+deb10u1")) flag++;
    if (deb_check(release:"10.0", prefix:"php-symfony-yaml", reference:"3.4.22+dfsg-2+deb10u1")) flag++;
    if (deb_check(release:"9.0", prefix:"php-symfony", reference:"2.8.7+dfsg-1.3+deb9u3")) flag++;
    if (deb_check(release:"9.0", prefix:"php-symfony-asset", reference:"2.8.7+dfsg-1.3+deb9u3")) flag++;
    if (deb_check(release:"9.0", prefix:"php-symfony-browser-kit", reference:"2.8.7+dfsg-1.3+deb9u3")) flag++;
    if (deb_check(release:"9.0", prefix:"php-symfony-class-loader", reference:"2.8.7+dfsg-1.3+deb9u3")) flag++;
    if (deb_check(release:"9.0", prefix:"php-symfony-config", reference:"2.8.7+dfsg-1.3+deb9u3")) flag++;
    if (deb_check(release:"9.0", prefix:"php-symfony-console", reference:"2.8.7+dfsg-1.3+deb9u3")) flag++;
    if (deb_check(release:"9.0", prefix:"php-symfony-css-selector", reference:"2.8.7+dfsg-1.3+deb9u3")) flag++;
    if (deb_check(release:"9.0", prefix:"php-symfony-debug", reference:"2.8.7+dfsg-1.3+deb9u3")) flag++;
    if (deb_check(release:"9.0", prefix:"php-symfony-debug-bundle", reference:"2.8.7+dfsg-1.3+deb9u3")) flag++;
    if (deb_check(release:"9.0", prefix:"php-symfony-dependency-injection", reference:"2.8.7+dfsg-1.3+deb9u3")) flag++;
    if (deb_check(release:"9.0", prefix:"php-symfony-doctrine-bridge", reference:"2.8.7+dfsg-1.3+deb9u3")) flag++;
    if (deb_check(release:"9.0", prefix:"php-symfony-dom-crawler", reference:"2.8.7+dfsg-1.3+deb9u3")) flag++;
    if (deb_check(release:"9.0", prefix:"php-symfony-event-dispatcher", reference:"2.8.7+dfsg-1.3+deb9u3")) flag++;
    if (deb_check(release:"9.0", prefix:"php-symfony-expression-language", reference:"2.8.7+dfsg-1.3+deb9u3")) flag++;
    if (deb_check(release:"9.0", prefix:"php-symfony-filesystem", reference:"2.8.7+dfsg-1.3+deb9u3")) flag++;
    if (deb_check(release:"9.0", prefix:"php-symfony-finder", reference:"2.8.7+dfsg-1.3+deb9u3")) flag++;
    if (deb_check(release:"9.0", prefix:"php-symfony-form", reference:"2.8.7+dfsg-1.3+deb9u3")) flag++;
    if (deb_check(release:"9.0", prefix:"php-symfony-framework-bundle", reference:"2.8.7+dfsg-1.3+deb9u3")) flag++;
    if (deb_check(release:"9.0", prefix:"php-symfony-http-foundation", reference:"2.8.7+dfsg-1.3+deb9u3")) flag++;
    if (deb_check(release:"9.0", prefix:"php-symfony-http-kernel", reference:"2.8.7+dfsg-1.3+deb9u3")) flag++;
    if (deb_check(release:"9.0", prefix:"php-symfony-intl", reference:"2.8.7+dfsg-1.3+deb9u3")) flag++;
    if (deb_check(release:"9.0", prefix:"php-symfony-ldap", reference:"2.8.7+dfsg-1.3+deb9u3")) flag++;
    if (deb_check(release:"9.0", prefix:"php-symfony-locale", reference:"2.8.7+dfsg-1.3+deb9u3")) flag++;
    if (deb_check(release:"9.0", prefix:"php-symfony-monolog-bridge", reference:"2.8.7+dfsg-1.3+deb9u3")) flag++;
    if (deb_check(release:"9.0", prefix:"php-symfony-options-resolver", reference:"2.8.7+dfsg-1.3+deb9u3")) flag++;
    if (deb_check(release:"9.0", prefix:"php-symfony-phpunit-bridge", reference:"2.8.7+dfsg-1.3+deb9u3")) flag++;
    if (deb_check(release:"9.0", prefix:"php-symfony-process", reference:"2.8.7+dfsg-1.3+deb9u3")) flag++;
    if (deb_check(release:"9.0", prefix:"php-symfony-property-access", reference:"2.8.7+dfsg-1.3+deb9u3")) flag++;
    if (deb_check(release:"9.0", prefix:"php-symfony-property-info", reference:"2.8.7+dfsg-1.3+deb9u3")) flag++;
    if (deb_check(release:"9.0", prefix:"php-symfony-proxy-manager-bridge", reference:"2.8.7+dfsg-1.3+deb9u3")) flag++;
    if (deb_check(release:"9.0", prefix:"php-symfony-routing", reference:"2.8.7+dfsg-1.3+deb9u3")) flag++;
    if (deb_check(release:"9.0", prefix:"php-symfony-security", reference:"2.8.7+dfsg-1.3+deb9u3")) flag++;
    if (deb_check(release:"9.0", prefix:"php-symfony-security-bundle", reference:"2.8.7+dfsg-1.3+deb9u3")) flag++;
    if (deb_check(release:"9.0", prefix:"php-symfony-security-core", reference:"2.8.7+dfsg-1.3+deb9u3")) flag++;
    if (deb_check(release:"9.0", prefix:"php-symfony-security-csrf", reference:"2.8.7+dfsg-1.3+deb9u3")) flag++;
    if (deb_check(release:"9.0", prefix:"php-symfony-security-guard", reference:"2.8.7+dfsg-1.3+deb9u3")) flag++;
    if (deb_check(release:"9.0", prefix:"php-symfony-security-http", reference:"2.8.7+dfsg-1.3+deb9u3")) flag++;
    if (deb_check(release:"9.0", prefix:"php-symfony-serializer", reference:"2.8.7+dfsg-1.3+deb9u3")) flag++;
    if (deb_check(release:"9.0", prefix:"php-symfony-stopwatch", reference:"2.8.7+dfsg-1.3+deb9u3")) flag++;
    if (deb_check(release:"9.0", prefix:"php-symfony-swiftmailer-bridge", reference:"2.8.7+dfsg-1.3+deb9u3")) flag++;
    if (deb_check(release:"9.0", prefix:"php-symfony-templating", reference:"2.8.7+dfsg-1.3+deb9u3")) flag++;
    if (deb_check(release:"9.0", prefix:"php-symfony-translation", reference:"2.8.7+dfsg-1.3+deb9u3")) flag++;
    if (deb_check(release:"9.0", prefix:"php-symfony-twig-bridge", reference:"2.8.7+dfsg-1.3+deb9u3")) flag++;
    if (deb_check(release:"9.0", prefix:"php-symfony-twig-bundle", reference:"2.8.7+dfsg-1.3+deb9u3")) flag++;
    if (deb_check(release:"9.0", prefix:"php-symfony-validator", reference:"2.8.7+dfsg-1.3+deb9u3")) flag++;
    if (deb_check(release:"9.0", prefix:"php-symfony-var-dumper", reference:"2.8.7+dfsg-1.3+deb9u3")) flag++;
    if (deb_check(release:"9.0", prefix:"php-symfony-web-profiler-bundle", reference:"2.8.7+dfsg-1.3+deb9u3")) flag++;
    if (deb_check(release:"9.0", prefix:"php-symfony-yaml", reference:"2.8.7+dfsg-1.3+deb9u3")) flag++;
    
    if (flag)
    {
      if (report_verbosity > 0) security_hole(port:0, extra:deb_report_get());
      else security_hole(0);
      exit(0);
    }
    else audit(AUDIT_HOST_NOT, "affected");