This document explains how Symfony security issues are handled by the Symfony core team (Symfony being the code hosted on the main symfony/symfony Git repository).
If you think that you have found a security issue in Symfony, don't use the mailing list or the bug tracker and don't publish it publicly. Instead, all security issues must be sent to security [at] symfony.com. Emails sent to this address are forwarded to the Symfony core team's private mailing list.
For each report, we first try to confirm the vulnerability. Once it is confirmed, the core team works on a solution following these steps:
- Send an acknowledgement to the reporter;
- Work on a patch;
- Get a CVE identifier from mitre.org;
- Write a security announcement for the official Symfony blog about the vulnerability. This post should contain the following information:
- a title that always includes the "Security release" string;
- a description of the vulnerability;
- the affected versions;
- the possible exploits;
- how to patch/upgrade/workaround affected applications;
- the CVE identifier;
- credits.
- Send the patch and the announcement to the reporter for review;
- Apply the patch to all maintained versions of Symfony;
- Package new versions for all affected versions;
- Publish the post on the official Symfony blog (it must also be added to the "Security Advisories" category);
- Update the security advisory list (see below).
Note: Releases that include security fixes should not be made on a Saturday or Sunday, unless the vulnerability has already been publicly disclosed.
Note: While we are working on a patch, please do not reveal the issue publicly.
This section indexes the security vulnerabilities that were fixed in Symfony releases, starting from Symfony 1.0.0 (most recent first):
- January 17, 2013: Security release: Symfony 2.0.22 and 2.1.7 released (CVE-2013-1348 and CVE-2013-1397)
- December 20, 2012: Security release: Symfony 2.0.20 and 2.1.5 (CVE-2012-6431 and CVE-2012-6432)
- November 29, 2012: Security release: Symfony 2.0.19 and 2.1.4
- November 25, 2012: Security release: symfony 1.4.20 released (CVE-2012-5574)
- August 28, 2012: Security Release: Symfony 2.0.17 released
- May 30, 2012: Security Release: symfony 1.4.18 released (CVE-2012-2667)
- February 24, 2012: Security Release: Symfony 2.0.11 released
- November 16, 2011: Security Release: Symfony 2.0.6
- March 21, 2011: symfony 1.3.10 and 1.4.10: security releases
- June 29, 2010: Security Release: symfony 1.3.6 and 1.4.6
- May 31, 2010: symfony 1.3.5 and 1.4.5
- February 25, 2010: Security Release: 1.2.12, 1.3.3 and 1.4.3
- February 13, 2010: symfony 1.3.2 and 1.4.2
- April 27, 2009: symfony 1.2.6: Security fix
- October 03, 2008: symfony 1.1.4 released: Security fix
- May 14, 2008: symfony 1.0.16 is out
- April 01, 2008: symfony 1.0.13 is out
- March 21, 2008: symfony 1.0.12 is (finally) out !
- June 25, 2007: symfony 1.0.5 released (security fix)