On Wednesday, Debian released information about two security vulnerabilities in Symfony.
One involves the “Remember Me” feature. Debian said that testers discovered a session fixation vulnerability in the “Remember Me” login feature that allows an attacker to impersonate another user if the session ID value was previously known to the attacker.
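To make the fixation scenario concrete, here is an added example (my own code, not Symfony's, Debian's, or the advisory's) that models a session store in memory so it runs in the CLI without a web server. It assumes PHP 7.4+, treats session IDs as opaque strings, and uses a constructed ID (`fixed-by-attacker`) that the attacker is assumed to know before the victim logs in, which is the precondition the advisory describes. The `SessionStore`, `loginFixable`, `loginHardened` and `whoIs` names are mine; `migrate()` here does what `session_regenerate_id(true)` does for native PHP sessions and what Symfony's HttpFoundation `Session::migrate()` exposes.

```php
<?php
// Added example (not Symfony's or Debian's code). In-memory session store so
// the scenario runs offline; session IDs are opaque strings (assumption).

final class SessionStore
{
    /** @var array<string, array<string, mixed>> */
    private array $sessions = [];

    public function start(string $id): void
    {
        $this->sessions[$id] ??= [];
    }

    public function exists(string $id): bool
    {
        return isset($this->sessions[$id]);
    }

    public function set(string $id, string $key, $value): void
    {
        $this->sessions[$id][$key] = $value;
    }

    public function get(string $id, string $key)
    {
        return $this->sessions[$id][$key] ?? null;
    }

    // Mitigation: copy the session data to a fresh, unpredictable ID and
    // invalidate the old one. Native PHP does this with
    // session_regenerate_id(true); Symfony exposes it as Session::migrate().
    public function migrate(string $oldId): string
    {
        $newId = bin2hex(random_bytes(16));
        $this->sessions[$newId] = $this->sessions[$oldId] ?? [];
        unset($this->sessions[$oldId]);
        return $newId;
    }
}

// Fixation-prone handler: authenticates into whatever session ID the browser
// presented, so an ID the attacker already knows becomes an authenticated one.
function loginFixable(SessionStore $store, string $sessionId, string $user): string
{
    $store->start($sessionId);
    $store->set($sessionId, 'user', $user);
    return $sessionId;
}

// Hardened handler: same authentication, but the ID is rotated at the
// privilege change, so any ID known before login is worthless afterwards.
function loginHardened(SessionStore $store, string $sessionId, string $user): string
{
    $store->start($sessionId);
    $freshId = $store->migrate($sessionId);
    $store->set($freshId, 'user', $user);
    return $freshId;
}

// Who does the server believe holds $sessionId? null if nobody is logged in.
function whoIs(SessionStore $store, string $sessionId): ?string
{
    return $store->exists($sessionId) ? $store->get($sessionId, 'user') : null;
}

// Constructed scenario: the attacker knows this ID before the victim logs in.
$knownId = 'fixed-by-attacker';

$store = new SessionStore();
loginFixable($store, $knownId, 'alice');
printf("flawed:   presenting %s is treated as %s\n",
    $knownId, whoIs($store, $knownId) ?? 'nobody');

$store = new SessionStore();
$victimId = loginHardened($store, $knownId, 'alice');
printf("hardened: presenting %s is treated as %s; alice's ID was %s\n",
    $knownId, whoIs($store, $knownId) ?? 'nobody',
    $victimId !== $knownId ? 'rotated' : 'not rotated');
```

In the flawed path the attacker's pre-known ID is now an authenticated session for `alice`; in the hardened path that ID no longer exists on the server and only the freshly generated ID, which the attacker never saw, carries the login. The rotation has to happen at the moment of authentication, including the "Remember Me" path, not only on the ordinary login form.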
The other security hole involves several potential remote timing attack vulnerabilities discovered in classes from the Symfony Security component and in the legacy CSRF implementation from the Symfony Form component.
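The usual root cause of a remote timing attack on a CSRF token or credential check is an equality test that stops at the first differing byte, so the time to reject a guess grows with the length of its correct prefix. The following added example (my own code, not Symfony's or Debian's; it assumes PHP 7.1+) puts such a leaky comparison beside a constant-time one and counts the work each does, so the leak is visible without a timer. The function names `leakyEquals` and `constantTimeEquals` and the token `a6f9c2d1` are constructed for illustration; the constant-time version is the same idea as PHP's `hash_equals()` (5.6+) and Symfony's `StringUtils::equals()`, written out here rather than taken from either.

```php
<?php
// Added example (not Symfony's code). Compares a leaky and a constant-time
// string equality; `steps` counts loop iterations so the difference is
// observable deterministically. Assumes PHP 7.1+ (array destructuring).

// Models a byte-by-byte equality that returns at the first mismatch, which is
// how a naive string comparison behaves. Returns [equal, steps].
function leakyEquals(string $known, string $user): array
{
    $steps = 0;
    if (strlen($known) !== strlen($user)) {
        return [false, $steps];
    }
    for ($i = 0, $n = strlen($known); $i < $n; $i++) {
        $steps++;
        if ($known[$i] !== $user[$i]) {
            return [false, $steps]; // early exit: mismatch position leaks
        }
    }
    return [true, $steps];
}

// Constant-time equality: always walks the full length of $known and folds
// every byte difference into $result with bitwise OR, so the work done does
// not depend on where, or whether, the inputs differ. A length mismatch is
// recorded up front and the loop still runs over $known in full.
function constantTimeEquals(string $known, string $user): array
{
    $result = 0;
    if (strlen($known) !== strlen($user)) {
        $result = 1;      // forces "not equal" without changing the loop shape
        $user   = $known; // keeps every index in range
    }
    $steps = 0;
    for ($i = 0, $n = strlen($known); $i < $n; $i++) {
        $steps++;
        $result |= ord($known[$i]) ^ ord($user[$i]);
    }
    return [$result === 0, $steps];
}

// Constructed sample token and guesses with growing correct prefixes.
$secret = 'a6f9c2d1';
foreach (['zzzzzzzz', 'a6zzzzzz', 'a6f9c2zz', 'a6f9c2d1', 'short'] as $guess) {
    [$ok, $leakySteps]   = leakyEquals($secret, $guess);
    [, $constantSteps]   = constantTimeEquals($secret, $guess);
    printf("%-9s equal=%-3s leaky steps=%d constant-time steps=%d\n",
        $guess, $ok ? 'yes' : 'no', $leakySteps, $constantSteps);
}
```

Run it and the leaky step count rises from one to eight as the guess shares more of the secret's prefix, while the constant-time count stays at the secret's length for every guess, including the length-mismatched one. An attacker who can measure response times over the network can turn that first pattern into a byte-at-a-time recovery of the token; the second gives them nothing to measure. In application code the practical rule is to never compare secrets with `==`/`===` and to reach for `hash_equals()` or the framework's equivalent instead.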
If you’re running Debian and managing your Symfony installation with the Debian package, you should upgrade to the fixed package.