Candidate: CVE-2016-1902
PublicDate: 2016-06-01 22:59:00 UTC
References:
 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1902
 http://symfony.com/blog/cve-2016-1902-securerandom-s-fallback-not-secure-when-openssl-fails
 https://github.com/symfony/symfony/pull/17359
Description:
 The nextBytes function in the SecureRandom class in Symfony before 2.3.37,
 2.6.x before 2.6.13, and 2.7.x before 2.7.9 does not properly generate random
 numbers when used with PHP 5.x without the paragonie/random_compat library and
 the openssl_random_pseudo_bytes function fails, which makes it easier for
 attackers to defeat cryptographic protection mechanisms via unspecified vectors.
Ubuntu-Description:
Notes:
Bugs:
Priority: medium
Discovered-by: Lander Brandt
Assigned-to:
CVSS:
 nvd: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N [7.5 HIGH]

Patches_symfony:
 upstream: https://github.com/symfony/symfony/pull/17359
upstream_symfony: released (2.7.9+dfsg-1, 2.3.37, 2.6.13, and 2.7.9)
precise_symfony: DNE
trusty_symfony: DNE
trusty/esm_symfony: DNE
vivid_symfony: ignored (reached end-of-life)
vivid/stable-phone-overlay_symfony: DNE
vivid/ubuntu-core_symfony: DNE
wily_symfony: ignored (reached end-of-life)
xenial_symfony: not-affected (2.7.9+dfsg-1)
devel_symfony: not-affected (2.7.9+dfsg-1)