
7x Releases 7x Primer v1.5.0.2 - The Symfony v1 Drop-In Framework Security Upgrade! Upgrade now!

Security Release: 7x Primer v1.5.0.2 — All Symfony 1.x Users Should Upgrade Immediately

7x has released 7x Primer v1.5.0.2, a security release for the Symfony One framework. If you are running any version of Symfony 1.4.x or earlier on a public server, your application is currently exposed to unpatched vulnerabilities — including a Critical-severity remote code execution vector that has existed in the codebase since Symfony 1.4.x went end-of-life in 2012.

Upgrade now. This release is a drop-in replacement for any Symfony 1.x installation.

What Was Fixed
  • Remote Code Execution (Critical) — The YAML parser allowed PHP objects to be injected and deserialized from untrusted input, enabling arbitrary code execution via gadget chains. Disabled unconditionally in v1.5.0.2.
  • CSRF Token Timing Attack (High) — Token comparison leaked timing information enabling byte-by-byte brute-force. Fixed with constant-time comparison.
  • Weak CSRF Token Generation (Medium) — Tokens were generated with broken MD5 concatenation. Upgraded to HMAC-SHA256.
  • eval() Code Injection via i18n (Medium) — Translation catalogue content was passed to eval() without validation. A strict character allowlist is now enforced.
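The two CSRF items above describe a generic pattern: a token derived from an unkeyed MD5 over concatenated values, checked with a plain string comparison. The following plain-PHP snippet is an added illustration written for this page; it is not 7x or Symfony project code and does not reproduce the framework's actual token routine. It places the weak generation and comparison beside their hardened counterparts (HMAC-SHA256 via `hash_hmac`, constant-time checking via `hash_equals`). The secret and session id are constructed sample values.

```php
<?php
// Added example, not part of the 7x / Symfony One release: weak vs. hardened
// CSRF token generation and verification in plain PHP.
declare(strict_types=1);

/**
 * Weak pattern (what the release note describes): an unkeyed MD5 over
 * concatenated values. Anyone who learns the inputs can recompute the token,
 * and MD5 output is short enough to be a poor anti-forgery value.
 */
function weakCsrfToken(string $secret, string $sessionId): string
{
    return md5($secret . $sessionId);
}

/**
 * Hardened: HMAC-SHA256 keyed with the application secret. The token is bound
 * to the session and cannot be recomputed without the key.
 */
function csrfToken(string $secret, string $sessionId): string
{
    return hash_hmac('sha256', $sessionId, $secret);
}

/**
 * Timing-leaking comparison: PHP's loose `==` stops at the first differing
 * byte, so response time varies with how many leading bytes match. It also
 * applies numeric comparison to strings that look like numbers (e.g. two
 * hex digests of the form "0e..." compare equal), which is a second defect.
 */
function verifyTokenTimingLeak(string $expected, string $submitted): bool
{
    return $expected == $submitted;
}

/**
 * Constant-time comparison: hash_equals() reads both strings in full, so the
 * time taken does not depend on where the first mismatch occurs. A length
 * mismatch is rejected up front; the length of a token is not a secret.
 */
function verifyToken(string $expected, string $submitted): bool
{
    if (strlen($expected) !== strlen($submitted)) {
        return false;
    }
    return hash_equals($expected, $submitted);
}

// Constructed sample values for a stand-alone run.
$secret    = 'constructed-application-secret-replace-me';
$sessionId = 'constructed-session-id-0001';

$token = csrfToken($secret, $sessionId);

// A matching token verifies; a token with its last byte changed does not.
var_dump(verifyToken($token, $token));
var_dump(verifyToken($token, substr($token, 0, -1) . 'x'));

// The weak token is a 32-hex-char MD5; the HMAC token is 64 hex chars.
var_dump(strlen(weakCsrfToken($secret, $sessionId)), strlen($token));
```

When reviewing an application for this class of bug, the things to look for are any token built from `md5()`/`sha1()` without a keyed function, and any `==` or `===` comparison between a submitted token and the stored one; both should be replaced as shown, and the HMAC key should be the application secret rather than a value the client can influence.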

None of these vulnerabilities were ever patched in the upstream Symfony 1.4.x project. They have been present in every Symfony 1.x release until now.

How to Upgrade
  • Download v1.5.0.2 from GitHub or update via Composer: se7enxweb/symfonyone
  • Point your web server DocumentRoot at the public/ directory — not the project root. Full Apache and Nginx examples are in the updated INSTALL.md.
  • No application code changes are required.

Read the full release notes for technical detail on each fix.
