symfony/symfony is vulnerable to a timing attack. When checking the signature of a URI (an ESI fragment URL, for instance), the URISigner did not use a constant-time string comparison function, allowing a remote attacker to guess the URI by analyzing the server response time.
github.com/symfony/symfony/releases/tag/v4.3.8
lists.fedoraproject.org/archives/list/[email protected]/message/DZNXRVHDQBNZQUCNRVZICPPBFRAUWUJX/
lists.fedoraproject.org/archives/list/[email protected]/message/UED22BOXTL2SSFMGYKA64ZFHGLLJG3EA/
lists.fedoraproject.org/archives/list/[email protected]/message/VXEAOEANNIVYANTMOJ42NKSU6BGNBULZ/
symfony.com/blog/cve-2019-18887-use-constant-time-comparison-in-urisigner
symfony.com/blog/symfony-4-3-8-released
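
The comparison flaw described above, shown as an added example that is not Symfony's own code: a minimal HMAC-based URI signer in PHP with an early-exit comparison beside the constant-time one. The secret, the URL, the `_hash` parameter name and every function name here are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Constructed sample values, not taken from any real deployment.
const DEMO_SECRET = 'constructed-demo-secret';
const DEMO_URI    = 'https://app.example/_fragment?_path=controller%3Dnews';

// HMAC-SHA256 over the unsigned URI, base64-encoded for use in a query string.
function computeHash(string $uri, string $secret): string
{
    return base64_encode(hash_hmac('sha256', $uri, $secret, true));
}

// Append the signature as the last query parameter.
function signUri(string $uri, string $secret): string
{
    $sep = strpos($uri, '?') === false ? '?' : '&';
    return $uri . $sep . '_hash=' . rawurlencode(computeHash($uri, $secret));
}

// Split a signed URI into [unsigned URI, supplied signature], or null if unsigned.
function splitSigned(string $signedUri): ?array
{
    if (!preg_match('/^(.*)[?&]_hash=([^&]+)$/', $signedUri, $m)) {
        return null;
    }
    return [$m[1], rawurldecode($m[2])];
}

// Before: `===` compares with memcmp, which can stop at the first differing
// byte, so the time taken depends on how much of the supplied value matches.
function checkVulnerable(string $signedUri, string $secret): bool
{
    $parts = splitSigned($signedUri);
    return $parts !== null && computeHash($parts[0], $secret) === $parts[1];
}

// After: hash_equals() takes the same time wherever the strings differ
// (only a length mismatch is observable). Known value first, user value second.
function checkHardened(string $signedUri, string $secret): bool
{
    $parts = splitSigned($signedUri);
    return $parts !== null && hash_equals(computeHash($parts[0], $secret), $parts[1]);
}

// Both checks return the same verdicts; only their timing behaviour differs.
$signed   = signUri(DEMO_URI, DEMO_SECRET);
$tampered = str_replace('news', 'admin', $signed);
var_dump(checkVulnerable($signed, DEMO_SECRET), checkHardened($signed, DEMO_SECRET));
var_dump(checkVulnerable($tampered, DEMO_SECRET), checkHardened($tampered, DEMO_SECRET));
```

When auditing a code base for the same flaw, look for `==`, `===` or `strcmp` applied to MACs, tokens or signatures and replace them with `hash_equals()`.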