ELA-1471-1 symfony security update

validation bypass vulnerabilities

2025-06-24
Package: symfony
Version: 3.4.22+dfsg-2+deb10u4 (buster)
Related CVEs: CVE-2024-50343 CVE-2024-50345


CVE-2024-50343

It was discovered that input ending with \n could bypass Validators.
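
The trailing-newline behaviour can be checked with plain PCRE: in PHP, `$` also matches just before a final newline unless the `D` modifier is set. The script below is an added example, not code from Symfony or from this advisory; the helper names and sample patterns are constructed, and it assumes the validators in question rely on `$`-anchored regular expressions.

```php
<?php
// Added illustration: helper names and sample patterns are constructed.

/** True when $pattern still matches $validSample with "\n" appended. */
function acceptsTrailingNewline(string $pattern, string $validSample): bool
{
    if (preg_match($pattern, $validSample) !== 1) {
        throw new InvalidArgumentException("sample does not match $pattern");
    }
    return preg_match($pattern, $validSample . "\n") === 1;
}

/** Appends the PCRE D modifier (PCRE_DOLLAR_ENDONLY) when it is missing. */
function withDollarEndOnly(string $pattern): string
{
    $open = $pattern[0];
    $pairs = ['(' => ')', '[' => ']', '{' => '}', '<' => '>'];
    $close = $pairs[$open] ?? $open;
    $modifiers = substr($pattern, strrpos($pattern, $close) + 1);
    return strpos($modifiers, 'D') !== false ? $pattern : $pattern . 'D';
}

// Constructed constraint patterns, each with a value it is meant to accept.
$constraints = [
    ['/^[a-z0-9_]+$/',        'alice_01'],   // plain $ anchor
    ['#^[a-f0-9]{8}$#i',      'deadbeef'],   // $ anchor plus a modifier
    ['/^[A-Z]{2}\d{4}\z/',    'AB1234'],     // \z: absolute end of subject
    ['/^[a-z]+$/m',           'abc'],        // multiline: D has no effect
];

foreach ($constraints as [$pattern, $sample]) {
    $weak = acceptsTrailingNewline($pattern, $sample);
    $hardened = withDollarEndOnly($pattern);
    $stillWeak = acceptsTrailingNewline($hardened, $sample);

    if (!$weak) {
        $verdict = 'ok';
    } elseif (!$stillWeak) {
        $verdict = "accepts trailing \\n, use $hardened";
    } else {
        $verdict = 'accepts trailing \\n even with D, anchor with \\z instead';
    }
    printf("%-22s %s\n", $pattern, $verdict);
}
```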

CVE-2024-50345

Sam Mush discovered that, due to a URI parsing mismatch between common browsers and the Request class, an attacker could supply a specially crafted URI to bypass validation and redirect users to another domain.



For Debian 10 buster, these problems have been fixed in version 3.4.22+dfsg-2+deb10u4.

We recommend that you upgrade your symfony packages.

Further information about Extended LTS security advisories can be found in the dedicated section of our website.