Candidate: CVE-2015-4050
PublicDate: 2015-06-02 14:59:00 UTC
References:
 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4050 
 http://symfony.com/blog/cve-2015-4050-esi-unauthorized-access
Description:
 FragmentListener in the HttpKernel component in Symfony 2.3.19 through
 2.3.28, 2.4.9 through 2.4.10, 2.5.4 through 2.5.11, and 2.6.0 through
 2.6.7, when ESI or SSI support enabled, does not check if the _controller
 attribute is set, which allows remote attackers to bypass URL signing and
 security rules by including (1) no hash or (2) an invalid hash in a request
 to /_fragment.
Ubuntu-Description:
Notes:
Bugs:
Priority: medium
Discovered-by: Jakub Zalas
Assigned-to:
CVSS: 

Patches_symfony:
 upstream: https://github.com/fabpot/symfony/commit/d320d27699abcea12479cf608908fa91bcc133d4
upstream_symfony: released (2.7.0~beta2+dfsg-2)
precise_symfony: DNE
precise/esm_symfony: DNE
trusty_symfony: DNE
trusty/esm_symfony: DNE
utopic_symfony: DNE
vivid_symfony: ignored (reached end-of-life)
vivid/stable-phone-overlay_symfony: DNE
vivid/ubuntu-core_symfony: DNE
wily_symfony: ignored (reached end-of-life)
xenial_symfony: not-affected (2.7.10-0ubuntu2)
yakkety_symfony: ignored (reached end-of-life)
zesty_symfony: ignored (reached end-of-life)
artful_symfony: ignored (reached end-of-life)
bionic_symfony: not-affected (3.4.6+dfsg-1)
devel_symfony: not-affected (3.4.15+dfsg-2ubuntu4)