CVE-2016-1902

Name of the Vulnerable Software and Affected Versions Symfony versions prior to 2.3.37 Symfony versions 2.6.x prior to 2.6.13 Symfony versions 2.7.x prior to 2.7.9

Description The issue concerns the generation of random numbers by the nextBytes function in the SecureRandom class. When used with PHP 5.x and without the paragonie/random compat library, the function does not work correctly if the openssl random pseudo bytes function fails. This makes it easier for attackers to bypass cryptographic protection mechanisms.

Recommendations For Symfony versions prior to 2.3.37, update to version 2.3.37 or later. For Symfony versions 2.6.x prior to 2.6.13, update to version 2.6.13 or later. For Symfony versions 2.7.x prior to 2.7.9, update to version 2.7.9 or later.