CVE-2016-4423

Priority
Description
The attemptAuthentication function in
Component/Security/Http/Firewall/UsernamePasswordFormAuthenticationListener.php
in Symfony before 2.3.41, 2.7.x before 2.7.13, 2.8.x before 2.8.6, and
3.0.x before 3.0.6 does not limit the length of a username stored in a
session, which allows remote attackers to cause a denial of service
(session storage consumption) via a series of authentication attempts with
long, non-existent usernames.
Notes
Package
Upstream: released (2.8.6+dfsg-1)
Ubuntu 12.04 ESM (Precise Pangolin): DNE
Ubuntu 14.04 ESM (Trusty Tahr): DNE
Ubuntu 16.04 LTS (Xenial Xerus): needed
Ubuntu 18.04 LTS (Bionic Beaver): not-affected (3.4.6+dfsg-1)
Ubuntu 19.10 (Eoan Ermine): not-affected (3.4.15+dfsg-2ubuntu4)
Ubuntu 20.04 (Focal Fossa): not-affected (3.4.15+dfsg-2ubuntu4)
More Information

Updated: 2020-01-29 18:28:09 UTC (commit 40f18bf14da5fb50662e1f861ea594a462b207fe)