From 9d86b5aed14055d6bb0c9766cfb95f13541d2cbf Mon Sep 17 00:00:00 2001 From: Javier Eguiluz Date: Wed, 4 Jan 2017 10:19:37 +0100 Subject: [PATCH] Added the references to security vulnerabilities discovered in 2016 --- contributing/code/security.rst | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/contributing/code/security.rst b/contributing/code/security.rst index ba8bba9cf01..907574fd749 100644 --- a/contributing/code/security.rst +++ b/contributing/code/security.rst @@ -103,8 +103,11 @@ Security Advisories This section indexes security vulnerabilities that were fixed in Symfony releases, starting from Symfony 1.0.0: -* November 23, 2015: `CVE-2015-8125: Potential Remote Timing Attack Vulnerability in Security Remember-Me Service `_ (2.3.35, 2.6.12 and 2.7.7) -* November 23, 2015: `CVE-2015-8124: Session Fixation in the "Remember Me" Login Feature `_ (2.3.35, 2.6.12 and 2.7.7) +* May 9, 2016: `CVE-2016-2403: Unauthorized access on a misconfigured Ldap server when using an empty password `_ (2.8.0-2.8.5, 3.0.0-3.0.5) +* May 9, 2016: `CVE-2016-4423: Large username storage in session `_ (2.3.0-2.3.40, 2.7.0-2.7.12, 2.8.0-2.8.5, 3.0.0-3.0.5) +* January 18, 2016: `CVE-2016-1902: SecureRandom's fallback not secure when OpenSSL fails `_ (2.3.0-2.3.36, 2.6.0-2.6.12, 2.7.0-2.7.8) +* November 23, 2015: `CVE-2015-8125: Potential Remote Timing Attack Vulnerability in Security Remember-Me Service `_ (2.3.35, 2.6.12 and 2.7.7) +* November 23, 2015: `CVE-2015-8124: Session Fixation in the "Remember Me" Login Feature `_ (2.3.35, 2.6.12 and 2.7.7) * May 26, 2015: `CVE-2015-4050: ESI unauthorized access `_ (Symfony 2.3.29, 2.5.12 and 2.6.8) * April 1, 2015: `CVE-2015-2309: Unsafe methods in the Request class `_ (Symfony 2.3.27, 2.5.11 and 2.6.6) * April 1, 2015: `CVE-2015-2308: Esi Code Injection `_ (Symfony 2.3.27, 2.5.11 and 2.6.6)
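Review bot: the parenthetical after each new entry changes meaning compared with the existing entries in this list, which should be made explicit. The added lines give affected version ranges, e.g. "(2.8.0-2.8.5, 3.0.0-3.0.5)" for CVE-2016-2403 and "(2.3.0-2.3.40, 2.7.0-2.7.12, 2.8.0-2.8.5, 3.0.0-3.0.5)" for CVE-2016-4423, whereas the retained 2015 entries list the releases that shipped the fix, e.g. "(2.3.35, 2.6.12 and 2.7.7)". A reader scanning the advisory index to decide whether an installed version is vulnerable will read the two forms differently; either convert the new entries to the fixed-release convention used by the rest of the list, or label the ranges ("affected: ...") so the distinction is visible. Two smaller points on the same lines: "Ldap" in the CVE-2016-2403 title is normally written "LDAP", and the two May 9, 2016 entries share a date, so ordering them by CVE number (CVE-2016-2403 before CVE-2016-4423, as done) is fine but worth keeping consistent for future same-day entries.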