|
| 1 | +Security Issues |
| 2 | +=============== |
| 3 | + |
| 4 | +This document explains how Symfony security issues are handled by the Symfony |
| 5 | +core team (Symfony being the code hosted on the main ``symfony/symfony`` `Git |
| 6 | +repository`_). |
| 7 | + |
1 | 8 | Reporting a Security Issue |
2 | | -========================== |
| 9 | +-------------------------- |
| 10 | + |
| 11 | +If you think that you have found a security issue in Symfony, don't use the |
| 12 | +mailing-list or the bug tracker and don't publish it publicly. Instead, all |
| 13 | +security issues must be sent to **security [at] symfony.com**. Emails sent to |
| 14 | +this address are forwarded to the Symfony core-team private mailing-list. |
3 | 15 |
|
4 | | -Found a security issue in Symfony2? Don't use the mailing-list or the bug |
5 | | -tracker. All security issues must be sent to **security [at] |
6 | | -symfony-project.com** instead. Emails sent to this address are forwarded to |
7 | | -the Symfony core-team private mailing-list. |
| 16 | +Resolving Process |
| 17 | +----------------- |
8 | 18 |
|
9 | 19 | For each report, we first try to confirm the vulnerability. When it is |
10 | 20 | confirmed, the core-team works on a solution following these steps: |
11 | 21 |
|
12 | 22 | 1. Send an acknowledgement to the reporter; |
13 | 23 | 2. Work on a patch; |
14 | | -3. Write a post describing the vulnerability, the possible exploits, and how |
15 | | - to patch/upgrade affected applications; |
16 | | -4. Apply the patch to all maintained versions of Symfony; |
17 | | -5. Publish the post on the official Symfony blog. |
| 24 | +3. Write a security announcement for the official Symfony `blog`_ about the |
| 25 | + vulnerability. This post should contain the following information: |
| 26 | + |
| 27 | + * a title that always include the "Security release" string; |
| 28 | + * a description of the vulnerability; |
| 29 | + * the affected versions; |
| 30 | + * the possible exploits; |
| 31 | + * how to patch/upgrade/workaround affected applications; |
| 32 | + * credits. |
| 33 | +4. Send the patch and the announcement to the reporter for review; |
| 34 | +5. Apply the patch to all maintained versions of Symfony; |
| 35 | +6. Package new versions for all affected versions; |
| 36 | +7. Publish the post on the official Symfony `blog`_ (it must also be added to |
| 37 | + the "`Security Advisories`_" category); |
| 38 | +8. Update the security advisory list (see below). |
| 39 | + |
| 40 | +..note:: |
| 41 | + |
| 42 | + Releases that include security issues should not be done on Saturday or |
| 43 | + Sunday, except if the vulnerability has been publicly posted. |
18 | 44 |
|
19 | 45 | ..note:: |
20 | 46 |
|
21 | 47 | While we are working on a patch, please do not reveal the issue publicly. |
| 48 | + |
| 49 | +Security Advisories |
| 50 | +------------------- |
| 51 | + |
| 52 | +This section indexes security vulnerabilities that were fixed in Symfony |
| 53 | +releases, starting from Symfony 1.0.0: |
| 54 | + |
| 55 | +* November 29, 2012: `Security release: Symfony 2.0.19 and 2.1.4<http://symfony.com/blog/security-release-symfony-2-0-19-and-2-1-4>`_ |
| 56 | +* November 25, 2012: `Security release: symfony 1.4.20 released<http://symfony.com/blog/security-release-symfony-1-4-20-released>`_ |
| 57 | +* August 28, 2012: `Security Release: Symfony 2.0.17 released<http://symfony.com/blog/security-release-symfony-2-0-17-released>`_ |
| 58 | +* May 30, 2012: `Security Release: symfony 1.4.18 released<http://symfony.com/blog/security-release-symfony-1-4-18-released>`_ |
| 59 | +* February 24, 2012: `Security Release: Symfony 2.0.11 released<http://symfony.com/blog/security-release-symfony-2-0-11-released>`_ |
| 60 | +* November 16, 2011: `Security Release: Symfony 2.0.6<http://symfony.com/blog/security-release-symfony-2-0-6>`_ |
| 61 | +* March 21, 2011: `symfony 1.3.10 and 1.4.10: security releases<http://symfony.com/blog/symfony-1-3-10-and-1-4-10-security-releases>`_ |
| 62 | +* June 29, 2010: `Security Release: symfony 1.3.6 and 1.4.6<http://symfony.com/blog/security-release-symfony-1-3-6-and-1-4-6>`_ |
| 63 | +* May 31, 2010: `symfony 1.3.5 and 1.4.5<http://symfony.com/blog/symfony-1-3-5-and-1-4-5>`_ |
| 64 | +* February 25, 2010: `Security Release: 1.2.12, 1.3.3 and 1.4.3<http://symfony.com/blog/security-release-1-2-12-1-3-3-and-1-4-3>`_ |
| 65 | +* February 13, 2010: `symfony 1.3.2 and 1.4.2<http://symfony.com/blog/symfony-1-3-2-and-1-4-2>`_ |
| 66 | +* April 27, 2009: `symfony 1.2.6: Security fix<http://symfony.com/blog/symfony-1-2-6-security-fix>`_ |
| 67 | +* October 03, 2008: `symfony 1.1.4 released: Security fix<http://symfony.com/blog/symfony-1-1-4-released-security-fix>`_ |
| 68 | +* May 14, 2008: `symfony 1.0.16 is out<http://symfony.com/blog/symfony-1-0-16-is-out>`_ |
| 69 | +* April 01, 2008: `symfony 1.0.13 is out<http://symfony.com/blog/symfony-1-0-13-is-out>`_ |
| 70 | +* March 21, 2008: `symfony 1.0.12 is (finally) out !<http://symfony.com/blog/symfony-1-0-12-is-finally-out>`_ |
| 71 | +* June 25, 2007: `symfony 1.0.5 released (security fix)<http://symfony.com/blog/symfony-1-0-5-released-security-fix>`_ |
| 72 | + |
| 73 | +.. _Git repository:https://github.com/symfony/symfony |
| 74 | +.. _blog:https://symfony.com/blog/ |
| 75 | +.. _Security Advisories:http://symfony.com/blog/category/security-advisories |