etoa / etoa-gui

EtoA Game GUI
https://etoa.ch
GNU Affero General Public License v3.0

Update dependency symfony/security-bundle to v5.4.20 [SECURITY] #565

Open renovate[bot] opened 1 year ago

renovate[bot] commented 1 year ago

Mend Renovate

This PR contains the following updates:

| Package | Change | Age | Adoption | Passing | Confidence |
|---|---|---|---|---|---|
| symfony/security-bundle (source) | `5.4.9` -> `5.4.20` | | | | |

GitHub Vulnerability Alerts

CVE-2022-24895

Description

When authenticating users, Symfony by default regenerates the session ID upon login but preserves the rest of the session attributes. Because this does not clear CSRF tokens upon login, this might enable same-site attackers to bypass the CSRF protection mechanism by performing an attack similar to session fixation.

Resolution

Symfony removes all CSRF tokens from the session on successful login.

The patch for this issue is available here for branch 4.4.

Credits

We would like to thank Marco Squarcina for reporting the issue and Nicolas Grekas for fixing it.
Release Notes

symfony/security-bundle (symfony/security-bundle)

### [`v5.4.20`](https://togithub.com/symfony/security-bundle/releases/tag/v5.4.20)

[Compare Source](https://togithub.com/symfony/security-bundle/compare/v5.4.19...v5.4.20)

**Changelog** (https://github.com/symfony/security-bundle/compare/v5.4.19...v5.4.20)

- no significant changes

### [`v5.4.19`](https://togithub.com/symfony/security-bundle/releases/tag/v5.4.19)

[Compare Source](https://togithub.com/symfony/security-bundle/compare/v5.4.17...v5.4.19)

**Changelog** (https://github.com/symfony/security-bundle/compare/v5.4.18...v5.4.19)

- bug [#48937](https://togithub.com/symfony/security-bundle/issues/48937) Fix using same handler for multiple authenticators (RobertMe)

### [`v5.4.17`](https://togithub.com/symfony/security-bundle/releases/tag/v5.4.17)

[Compare Source](https://togithub.com/symfony/security-bundle/compare/v5.4.11...v5.4.17)

**Changelog** (https://github.com/symfony/security-bundle/compare/v5.4.16...v5.4.17)

- bug [#48718](https://togithub.com/symfony/security-bundle/issues/48718) Compatibility with doctrine/annotations 2 (derrabus)
- bug [#48615](https://togithub.com/symfony/security-bundle/issues/48615) Fix getting the name of closures on PHP 8.1.11+ (nicolas-grekas)

### [`v5.4.11`](https://togithub.com/symfony/security-bundle/releases/tag/v5.4.11)

[Compare Source](https://togithub.com/symfony/security-bundle/compare/v5.4.9...v5.4.11)

**Changelog** (https://github.com/symfony/security-bundle/compare/v5.4.10...v5.4.11)

- no significant changes

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR has been generated by Mend Renovate. View repository job log here.
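The following is a small Python model of the behaviour the CVE-2022-24895 advisory above describes, added here as an illustration; it is not code from Symfony or from this repository. Login regenerates the session id but carries the attributes over, so a CSRF token issued to the anonymous session still validates afterwards unless CSRF tokens are cleared at login, which is what the resolution describes. `SessionStore`, the `_csrf/` key prefix and the form names are constructed for the example.

```python
import secrets

CSRF_PREFIX = "_csrf/"  # constructed key prefix for CSRF tokens stored in the session

class SessionStore:
    """Minimal in-memory session store: session id -> attribute dict (constructed)."""

    def __init__(self):
        self._sessions = {}

    def create(self, attributes=None):
        sid = secrets.token_hex(16)
        self._sessions[sid] = dict(attributes or {})
        return sid

    def get(self, sid):
        return self._sessions[sid]

    def migrate(self, sid):
        # Regenerate the session id but carry every attribute over (the pre-fix default).
        return self.create(self._sessions.pop(sid))

def issue_csrf_token(store, sid, token_id):
    # Generate a per-form CSRF token and remember it in the session.
    token = secrets.token_hex(16)
    store.get(sid)[CSRF_PREFIX + token_id] = token
    return token

def csrf_token_is_valid(store, sid, token_id, token):
    return store.get(sid).get(CSRF_PREFIX + token_id) == token

def login(store, sid, username, clear_csrf_tokens):
    # Authenticate: regenerate the id; with clear_csrf_tokens=True also drop all CSRF
    # tokens, which is the behaviour the advisory's resolution describes.
    new_sid = store.migrate(sid)
    attributes = store.get(new_sid)
    if clear_csrf_tokens:
        for key in [k for k in attributes if k.startswith(CSRF_PREFIX)]:
            del attributes[key]
    attributes["user"] = username
    return new_sid

def pre_login_token_survives_login(clear_csrf_tokens):
    # True if a CSRF token issued to the anonymous session still validates after login.
    store = SessionStore()
    sid = store.create()
    token = issue_csrf_token(store, sid, "change_email")
    sid = login(store, sid, "alice", clear_csrf_tokens)
    return csrf_token_is_valid(store, sid, "change_email", token)
```

Running `pre_login_token_survives_login(False)` returns True (the vulnerable default) and `pre_login_token_survives_login(True)` returns False (tokens cleared at login).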