When checking the signature of a URI (an ESI fragment URL, for instance), the URISigner did not use a constant-time string comparison function, resulting in a potential remote timing attack vulnerability.
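The comparison pattern described above, next to its constant-time form, as an added example that is not Symfony's own code. The class `ExampleUriSigner`, the `_hash` parameter name, the use of `===` as the non-constant-time comparison, and the secret and URI are assumptions made for illustration.

```php
<?php
// Added illustration, not Symfony's code. Class name, "_hash" parameter and
// secret are assumptions made for this example. Requires PHP 8.
final class ExampleUriSigner
{
    public function __construct(private string $secret) {}

    // Append a base64 HMAC-SHA256 of the URI as the "_hash" query parameter.
    public function sign(string $uri): string
    {
        $sep = strpos($uri, '?') === false ? '?' : '&';
        return $uri . $sep . '_hash=' . rawurlencode($this->mac($uri));
    }

    // Weak form: === can return at the first differing byte, so response
    // time depends on how much of the supplied signature is correct.
    public function checkTimingUnsafe(string $signedUri): bool
    {
        [$uri, $given] = $this->split($signedUri);
        return $given !== null && $this->mac($uri) === $given;
    }

    // Hardened form: hash_equals() compares equal-length strings in time that
    // does not depend on where they differ (known value first, user value second).
    public function check(string $signedUri): bool
    {
        [$uri, $given] = $this->split($signedUri);
        return $given !== null && hash_equals($this->mac($uri), $given);
    }

    private function mac(string $uri): string
    {
        return base64_encode(hash_hmac('sha256', $uri, $this->secret, true));
    }

    // Split a trailing "_hash" parameter off the URI: [uri, hash|null].
    private function split(string $signedUri): array
    {
        if (!preg_match('/^(.*)[?&]_hash=([^&#]*)$/', $signedUri, $m)) {
            return [$signedUri, null];
        }
        return [$m[1], rawurldecode($m[2])];
    }
}

$signer = new ExampleUriSigner('constructed-example-secret');
$signed = $signer->sign('https://example.test/_fragment?_path=demo'); // constructed URI
var_dump($signer->check($signed), $signer->check($signed . 'x'));
```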
github.com/FriendsOfPHP/security-advisories/blob/master/symfony/http-kernel/CVE-2019-18887.yaml
github.com/FriendsOfPHP/security-advisories/blob/master/symfony/symfony/CVE-2019-18887.yaml
github.com/symfony/symfony/releases/tag/v4.3.8
lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/DZNXRVHDQBNZQUCNRVZICPPBFRAUWUJX
lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UED22BOXTL2SSFMGYKA64ZFHGLLJG3EA
lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VXEAOEANNIVYANTMOJ42NKSU6BGNBULZ
nvd.nist.gov/vuln/detail/CVE-2019-18887
symfony.com/blog/cve-2019-18887-use-constant-time-comparison-in-urisigner
symfony.com/blog/symfony-4-3-8-released
symfony.com/cve-2019-18887