Symfony · CVE-2017-16654
**Name of the Vulnerable Software and Affected Versions**
Symfony versions prior to 2.7.38
Symfony versions prior to 2.8.31
Symfony versions prior to 3.2.14
Symfony versions prior to 3.3.13
Symfony versions prior to 3.4-BETA5
Symfony versions prior to 4.0-BETA5
**Description**
An issue in the Intl component of Symfony allows an attacker to navigate to arbitrary directories via a dot-dot-slash attack, also known as Directory Traversal. The `read()` methods of bundle reader classes use a path and a locale to determine the language bundle to retrieve, with the locale argument value commonly retrieved from untrusted user input. This can be exploited by sending specially crafted requests, potentially allowing a remote attacker to disclose protected information.
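As an added illustration (not Symfony's code or its patch), the PHP sketch below validates a locale in the application before it is used to build a bundle file path. The function name `resolveBundleFile`, the locale pattern and the temporary demo files are assumptions made for this example.

```php
<?php
declare(strict_types=1);

// Hypothetical helper (not part of Symfony): return "<path>/<locale>.php" only
// if the locale looks like a plain locale identifier and the resolved file
// sits directly inside the bundle directory.
function resolveBundleFile(string $path, string $locale): string
{
    // Allowlist (an assumption for this example): "en", "en_GB", "sr-Latn-RS".
    // Slashes, dots, NUL bytes and empty strings never match.
    if (!preg_match('/^[A-Za-z]{2,8}(?:[_-][A-Za-z0-9]{1,8})*$/D', $locale)) {
        throw new InvalidArgumentException('invalid locale identifier');
    }
    $base = realpath($path);
    if ($base === false || !is_dir($base)) {
        throw new RuntimeException('bundle directory not found');
    }
    // Defence in depth: after symlinks are resolved, the file's parent
    // directory must still be the bundle directory itself.
    $file = realpath($base . DIRECTORY_SEPARATOR . $locale . '.php');
    if ($file === false || dirname($file) !== $base) {
        throw new RuntimeException('bundle not found');
    }
    return $file;
}

// Constructed demo data: one bundle file, and one file outside the bundle dir.
$root = sys_get_temp_dir() . '/intl_demo_' . bin2hex(random_bytes(4));
mkdir($root . '/bundles', 0700, true);
file_put_contents($root . '/bundles/en.php', "<?php return ['Hello' => 'Hello'];");
file_put_contents($root . '/private.php', "<?php return ['key' => 'constructed'];");

// Constructed inputs standing in for a locale taken from a request.
foreach (['en', 'en_GB', '../private', "en\0", ''] as $locale) {
    try {
        $result = 'accepted: ' . basename(resolveBundleFile($root . '/bundles', $locale));
    } catch (InvalidArgumentException | RuntimeException $e) {
        $result = 'rejected: ' . $e->getMessage();
    }
    printf("%-14s %s\n", json_encode($locale), $result);
}

// Remove the demo files.
unlink($root . '/bundles/en.php');
unlink($root . '/private.php');
rmdir($root . '/bundles');
rmdir($root);
```

Validation of this kind complements the upgrade listed under Recommendations and does not replace it.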
**Recommendations**
For versions prior to 2.7.38, update to version 2.7.38 or later.
For versions prior to 2.8.31, update to version 2.8.31 or later.
For versions prior to 3.2.14, update to version 3.2.14 or later.
For versions prior to 3.3.13, update to version 3.3.13 or later.
For versions prior to 3.4-BETA5, update to version 3.4-BETA5 or later.
For versions prior to 4.0-BETA5, update to version 4.0-BETA5 or later.