7x Releases 7x Prime v2.9.0.0 - The Symfony v2 Drop-In Framework Security Upgrade! Upgrade now!

Security Release: 7x Prime v2.9.0.0 — All Symfony 2.8.x Users Should Upgrade Immediately

7x has released 7x Prime v2.9.0.0, a security and PHP 8.x compatibility release for the Symfony 2.8 framework. If you are running any version of Symfony 2.8.x on a public server, your application is currently exposed to unpatched vulnerabilities — including a Critical-severity remote code execution vector that has gone unpatched in the codebase since Symfony 2.8.52 went end-of-life in November 2019.

Upgrade now. This release is a drop-in replacement for any Symfony 2.8.x installation.

What Was Fixed
  • YAML PHP Object Injection — Critical (RCE, CWE-502) — The Yaml component honoured !php/object: and !php/const: tags, passing attacker-controlled data to unserialize() and constant(). Exploitable via phpggc using gadget chains in Doctrine 2.x, Swiftmailer, and Doctrine DBAL. Both tags now throw ParseException unconditionally.
  • CRLF Injection in HTTP Headers — High (CWE-113) — Response::setHeader() did not strip \r\n sequences, allowing an attacker controlling any header value to inject arbitrary headers or split responses. All header values are now sanitised at write time.
  • Session Cookie Hardening — Medium — Default session configuration did not set SameSite=Lax, cookie_httponly, or cookie_secure, leaving session cookies exposed to CSRF via top-level navigation and readable by injected JavaScript. New defaults match current PHP recommendations.
  • Host Header Spoofing — Low (CWE-346) — The routing and security layers did not fully validate the Host header and proxy equivalents before use in URL generation and access-control decisions. Incoming host and forwarded headers are now validated against a configurable trusted-host list.

None of these vulnerabilities were ever patched in the upstream Symfony 2.8.x project. They have been present in every Symfony 2.8.x release until now.
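As an added illustration (not code from 7x Prime or Symfony), here is the shape of two of the checks described above in PHP: a header value guard that rejects CR/LF before a value is written, and a Host check against a list of trusted-host regexes modelled on the pattern form Symfony's trusted_hosts option accepts. The HeaderGuard class, its method names and the sample values are constructed for this example.

```php
<?php
// Added example, not 7x Prime or Symfony code. HeaderGuard is a constructed
// illustration of the two checks described above: reject CR/LF in header
// values before they are written, and accept only trusted Host values.
declare(strict_types=1);

final class HeaderGuard
{
    // Return $value unchanged when it is safe to write, otherwise throw.
    // Rejecting (not silently stripping) CR/LF keeps attempts visible in logs.
    public static function assertSafeValue(string $name, string $value): string
    {
        if (preg_match('/[\r\n]/', $name . $value) === 1) {
            throw new InvalidArgumentException(sprintf(
                'Header "%s" contains CR/LF; possible response-splitting attempt', $name
            ));
        }
        return $value;
    }

    // Host check against an allow-list of hostname regexes. A trailing :port is
    // ignored and the hostname must be plain DNS characters before any pattern runs.
    public static function isTrustedHost(string $host, array $trustedPatterns): bool
    {
        $hostname = strtolower((string) preg_replace('/:\d+$/', '', trim($host)));
        if ($hostname === '' || preg_match('/^[a-z0-9.-]+$/', $hostname) !== 1) {
            return false;
        }
        foreach ($trustedPatterns as $pattern) {
            if (preg_match('{' . $pattern . '}i', $hostname) === 1) {
                return true;
            }
        }
        return false;
    }
}

// Constructed sample input: a redirect target copied from a query parameter
// into a Location header, carrying an embedded CRLF.
$userSupplied = "/account\r\nX-Injected: 1";
try {
    HeaderGuard::assertSafeValue('Location', $userSupplied);
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), PHP_EOL;
}
echo 'accepted: ', HeaderGuard::assertSafeValue('Location', '/account'), PHP_EOL;
$trusted = ['^example\.com$', '^.+\.example\.com$'];
var_dump(HeaderGuard::isTrustedHost('www.example.com:8443', $trusted));
var_dump(HeaderGuard::isTrustedHost('attacker.invalid', $trusted));
```

Run with `php` on the command line; the first call is rejected with a logged reason, the plain path is accepted, and only the host matching a trusted pattern passes.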

How to Upgrade
  • Download v2.9.0.0 from GitHub or update via Composer: se7enxweb/prime ^2.9
  • Run composer install then php bin/console cache:clear for each environment.
  • No application code changes are required. Review the updated INSTALL.md for full upgrade steps and web server configuration.

Read the full release notes for technical detail on each fix.
