Candidate: CVE-2019-18887
PublicDate: 2019-11-21 23:15:00 UTC
References:
 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-18887
 https://symfony.com/blog/cve-2019-18887-use-constant-time-comparison-in-urisigner
 https://github.com/symfony/symfony/commit/cccefe6a7f12e776df0665aeb77fe9294c285fbb
Description:
 An issue was discovered in Symfony 2.8.0 through 2.8.50, 3.4.0 through 3.4.34,
 4.2.0 through 4.2.11, and 4.3.0 through 4.3.7. The UriSigner was subject to
 timing attacks. This is related to symfony/http-kernel.
Ubuntu-Description:
Notes:
Mitigation:
Bugs:
Priority: medium
Discovered-by:
Assigned-to:
CVSS:
 nvd: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H [8.1 HIGH]

Patches_symfony:
upstream_symfony: released (4.3.8+dfsg-1)
precise/esm_symfony: DNE
trusty_symfony: ignored (out of standard support)
trusty/esm_symfony: DNE
xenial_symfony: ignored (end of standard support, was needed)
bionic_symfony: needed
disco_symfony: ignored (reached end-of-life)
eoan_symfony: ignored (reached end-of-life)
focal_symfony: not-affected (4.3.8+dfsg-1ubuntu1)
groovy_symfony: not-affected (4.3.8+dfsg-1ubuntu1)
hirsute_symfony: not-affected (4.3.8+dfsg-1ubuntu1)
impish_symfony: not-affected (4.3.8+dfsg-1ubuntu1)
jammy_symfony: not-affected (4.3.8+dfsg-1ubuntu1)
devel_symfony: not-affected (4.3.8+dfsg-1ubuntu1)