7x Releases 7x SymfonyOne v1.5.0.2 - The Symfony v1 Drop In Framework Security Upgrade! Upgrade now!
Security Release: 7x SymfonyOne v1.5.0.2 — All Symfony 1.x Users Should Upgrade Immediately
7x has released 7x SymfonyOne v1.5.0.2, a security release for the Symfony One framework. If you are running any version of Symfony 1.4.x or earlier on a public server, your application is currently exposed to unpatched vulnerabilities — including a Critical-severity remote code execution vector that has existed in the codebase since Symfony 1.4.x went end-of-life in 2012.
Upgrade now. This release is a drop-in replacement for any Symfony 1.x installation.
What Was Fixed
- Remote Code Execution (Critical) — The YAML parser allowed PHP objects to be injected and deserialized from untrusted input, enabling arbitrary code execution via gadget chains. Disabled unconditionally in v1.5.0.2.
- CSRF Token Timing Attack (High) — Token comparison leaked timing information enabling byte-by-byte brute-force. Fixed with constant-time comparison.
- Weak CSRF Token Generation (Medium) — Tokens were generated with broken MD5 concatenation. Upgraded to HMAC-SHA256.
- eval() Code Injection via i18n (Medium) — Translation catalogue content was passed to eval() without validation. A strict character allowlist is now enforced.
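The two CSRF items above (HMAC-SHA256 generation and constant-time comparison) in working form, as an added example that is not code from 7x SymfonyOne or Symfony 1.x. The class and parameter names are assumptions; the vulnerable `==` comparison is kept beside the fixed one only to show what the timing leak looks like in code (PHP 7.4+ for typed properties).

```php
<?php
// Added example, not code from 7x SymfonyOne or Symfony 1.x: a minimal session-bound
// CSRF token helper showing HMAC-SHA256 generation and constant-time validation.
// The class and parameter names are assumptions.

final class CsrfTokenExample
{
    /** Per-installation secret; in a real deployment it lives in config outside the web root. */
    private string $secret;

    public function __construct(string $secret)
    {
        if (strlen($secret) < 32) {
            throw new InvalidArgumentException('CSRF secret must be at least 32 bytes');
        }
        $this->secret = $secret;
    }

    /**
     * Generation (the "Weak CSRF Token Generation" fix): an HMAC-SHA256 over the
     * session id and form name, keyed with the secret. Unlike an unkeyed MD5 of
     * predictable inputs, the token cannot be recomputed without the key.
     */
    public function generate(string $sessionId, string $formName): string
    {
        return hash_hmac('sha256', $sessionId . "\0" . $formName, $this->secret);
    }

    /**
     * The vulnerable pattern (the "CSRF Token Timing Attack"): == returns at the first
     * differing byte, so response time reveals how many leading bytes were right.
     * PHP's loose == also treats numeric-looking hex strings ("0e123...") as numbers.
     * Kept only for contrast with validate() below.
     */
    public function validateTimingUnsafe(string $sessionId, string $formName, string $submitted): bool
    {
        return $this->generate($sessionId, $formName) == $submitted;
    }

    /** The fix: hash_equals() compares every byte and takes the same time whatever differs. */
    public function validate(string $sessionId, string $formName, string $submitted): bool
    {
        return hash_equals($this->generate($sessionId, $formName), $submitted);
    }
}

// Constructed usage with a throwaway secret and session id.
$csrf = new CsrfTokenExample(bin2hex(random_bytes(32)));
$sessionId = 'sess_' . bin2hex(random_bytes(8));
$token = $csrf->generate($sessionId, 'login');

echo 'correct token accepted: ', var_export($csrf->validate($sessionId, 'login', $token), true), PHP_EOL;
echo 'tampered token rejected: ', var_export(!$csrf->validate($sessionId, 'login', strrev($token)), true), PHP_EOL;
echo 'token bound to session: ', var_export(!$csrf->validate('sess_other', 'login', $token), true), PHP_EOL;
```

Binding the HMAC input to the session id and form name means a token captured from one form or session is useless for another; the keyed hash is what stops an attacker who knows those inputs from computing the token themselves.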
None of these vulnerabilities were ever patched in the upstream Symfony 1.4.x project. They have been present in every Symfony 1.x release until now.
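For the eval() item in the list above, this is an added example (not 7x SymfonyOne's code) of a strict character allowlist placed in front of eval(). The rule grammar (plural-rule conditions over a count n, such as "n == 1") and every name in the block are assumptions about what such translation content looks like, not the framework's actual i18n code.

```php
<?php
// Added example, not code from 7x SymfonyOne: a strict character allowlist placed in
// front of eval(), the shape of guard the "eval() Code Injection via i18n" fix
// describes. The rule grammar (plural-rule conditions over a count n, such as
// "n == 1" or "(n % 10 == 1) && (n % 100 != 11)") and all names are assumptions.

final class PluralRuleGuardExample
{
    // Allowed: digits, the variable n, whitespace, parentheses and arithmetic,
    // comparison and boolean operators. Letters other than n, quotes, $, ;, backticks
    // and everything else are rejected, so no identifier or call can reach eval().
    private const ALLOWED = '/\A[0-9n\s()+\-*\/%<>=!&|]+\z/';

    public static function isAllowed(string $rule): bool
    {
        return preg_match(self::ALLOWED, $rule) === 1;
    }

    /**
     * Evaluate a plural rule for count $n. A rule outside the allowlist throws before
     * eval() runs; a rule that is allowed but malformed (e.g. "n = 1") raises a
     * ParseError or DivisionByZeroError, which is an error, not code execution.
     */
    public static function evaluate(string $rule, int $n): bool
    {
        if (!self::isAllowed($rule)) {
            throw new InvalidArgumentException('plural rule contains characters outside the allowlist: ' . $rule);
        }
        // Substitute the count, then evaluate a purely arithmetic/boolean expression.
        $expr = str_replace('n', (string) $n, $rule);
        return (bool) eval('return (' . $expr . ');');
    }
}

// Constructed rules: two legitimate plural conditions and two that would smuggle code.
$rules = [
    'n == 1',
    '(n % 10 == 1) && (n % 100 != 11)',
    'n > 1 ; $x = 1',
    'strlen(n) > 0',
];
foreach ($rules as $rule) {
    try {
        $result = PluralRuleGuardExample::evaluate($rule, 21);
        printf("%-36s -> allowed, result for n=21: %s\n", $rule, var_export($result, true));
    } catch (InvalidArgumentException $e) {
        printf("%-36s -> rejected (%s)\n", $rule, $e->getMessage());
    }
}
```

The point of an allowlist rather than a blocklist is that the set of harmless characters is small and enumerable, whereas the set of ways to smuggle an identifier, quote or statement separator into eval() is not; anything the regex does not name never reaches the interpreter.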
How to Upgrade
- Download v1.5.0.2 from GitHub or update via Composer: se7enxweb/symfonyone
- Point your web server DocumentRoot at the public/ directory — not the project root. Full Apache and Nginx examples are in the updated INSTALL.md.
- No application code changes are required.
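A minimal Apache virtual host that follows the DocumentRoot step above, added here as an illustration rather than the configuration shipped in the project's INSTALL.md. The install path /var/www/symfonyone and the index.php front controller are assumptions; the security point is that config/, lib/ and apps/ sit outside the served directory and cannot be fetched by URL.

```apache
# Added example, not the INSTALL.md configuration from 7x SymfonyOne.
# /var/www/symfonyone and the index.php front controller are assumed names.
<VirtualHost *:80>
    ServerName example.com

    # Only public/ is served. config/, lib/ and apps/ live one level up and are
    # never URL-addressable, so database credentials and source stay off the web.
    DocumentRoot /var/www/symfonyone/public

    <Directory /var/www/symfonyone/public>
        AllowOverride None
        Require all granted
        Options -Indexes
        # Front-controller routing: paths that are not real files go to index.php (assumed name).
        FallbackResource /index.php
    </Directory>

    # Defence in depth: deny the project root itself, so a later DocumentRoot mistake
    # still does not expose it. The more specific public/ section above overrides this.
    <Directory /var/www/symfonyone>
        Require all denied
    </Directory>
</VirtualHost>
```

Apache applies Directory sections from the shortest path to the longest, so the deny on the project root is overridden only for public/; everything else under it stays denied even if a misconfiguration later points DocumentRoot at the wrong level.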
Read the full release notes for technical detail on each fix.