Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

[Security] Bump symfony/symfony from 3.4.23 to 3.4.27 #2804

Merged
merged 1 commit into from May 21, 2019

Conversation

@dependabot-preview
Copy link
Contributor

commented May 2, 2019

Bumps symfony/symfony from 3.4.23 to 3.4.27. This update includes security fixes.

Vulnerabilities fixed

Sourced from The PHP Security Advisories Database.

CVE-2019-10909: Escape validation messages in the PHP templating engine

Affected versions: >=2.7.0, <2.7.51; >=2.8.0, <2.8.50; >=3.0.0, <3.1.0; >=3.1.0, <3.2.0; >=3.2.0, <3.3.0; >=3.3.0, <3.4.0; >=3.4.0, <3.4.26; >=4.0.0, <4.1.0; >=4.1.0, <4.1.12; >=4.2.0, <4.2.7

Sourced from The PHP Security Advisories Database.

CVE-2019-10911: Add a separator in the remember me cookie hash

Affected versions: >=2.7.0, <2.7.51; >=2.8.0, <2.8.50; >=3.0.0, <3.1.0; >=3.1.0, <3.2.0; >=3.2.0, <3.3.0; >=3.3.0, <3.4.0; >=3.4.0, <3.4.26; >=4.0.0, <4.1.0; >=4.1.0, <4.1.12; >=4.2.0, <4.2.7

Sourced from The PHP Security Advisories Database.

CVE-2019-10913: Reject invalid HTTP method overrides

Affected versions: >=2.7.0, <2.7.51; >=2.8.0, <2.8.50; >=3.0.0, <3.1.0; >=3.1.0, <3.2.0; >=3.2.0, <3.3.0; >=3.3.0, <3.4.0; >=3.4.0, <3.4.26; >=4.0.0, <4.1.0; >=4.1.0, <4.1.12; >=4.2.0, <4.2.7

Sourced from The PHP Security Advisories Database.

CVE-2019-10912: Prevent destructors with side-effects from being unserialized

Affected versions: >=2.8.0, <2.8.50; >=3.0.0, <3.1.0; >=3.1.0, <3.2.0; >=3.2.0, <3.3.0; >=3.3.0, <3.4.0; >=3.4.0, <3.4.26; >=4.0.0, <4.1.0; >=4.1.0, <4.1.12; >=4.2.0, <4.2.7

Sourced from The PHP Security Advisories Database.

CVE-2019-10910: Check service IDs are valid

Affected versions: >=2.7.0, <2.7.51; >=2.8.0, <2.8.50; >=3.0.0, <3.1.0; >=3.1.0, <3.2.0; >=3.2.0, <3.3.0; >=3.3.0, <3.4.0; >=3.4.0, <3.4.26; >=4.0.0, <4.1.0; >=4.1.0, <4.1.12; >=4.2.0, <4.2.7

Release notes

Sourced from symfony/symfony's releases.

v3.4.27

Changelog (since symfony/symfony@v3.4.26...v3.4.27)

  • bug #31338 Revert "bug #30620 [FrameworkBundle][HttpFoundation] make session service resettable (dmaicher)" (@​nicolas-grekas)
  • bug #31326 fix ConsoleFormatter - call to a member function format() on string (@​keksa)
  • bug #31331 [Workflow] Fixed dumping when many transition with same name exist (@​lyrixx)
  • bug #31302 [FramworkBundle] mark any env vars found in the ide setting as used (@​nicolas-grekas)
  • bug #31290 [TwigBundle] Use the apply tag instead of the filter tag (@​greg0ire)
  • bug #31275 [Translator] Preserve default domain when extracting strings from php files (@​Stadly)
  • bug #31213 [WebProfilerBundle] Intercept redirections only for HTML format (@​javiereguiluz)

[PR] #31345

v3.4.26

Changelog (since symfony/symfony@v3.4.25...v3.4.26)

  • bug #31084 [HttpFoundation] Make MimeTypeExtensionGuesser case insensitive (@​vermeirentony)
  • bug #31142 Revert "bug #30423 [Security] Rework firewall's access denied rule (dimabory)" (@​chalasr)
  • security #cve-2019-10910 [DI] Check service IDs are valid (@​nicolas-grekas)
  • security #cve-2019-10909 [FrameworkBundle][Form] Fix XSS issues in the form theme of the PHP templating engine (@​stof)
  • security #cve-2019-10912 [Cache][PHPUnit Bridge] Prevent destructors with side-effects from being unserialized (@​nicolas-grekas)
  • security #cve-2019-10911 [Security] Add a separator in the remember me cookie hash (@​pborreli)
  • security #cve-2019-10913 [HttpFoundation] reject invalid method override (@​nicolas-grekas)

[PR] #31146
[SECURITY] Security release

v3.4.25

Changelog (since symfony/symfony@v3.4.24...v3.4.25)

  • bug #29944 [DI] Overriding services autowired by name under _defaults bind not working (@​przemyslaw-bogusz, @​renanbr)
  • bug #31076 [HttpKernel] Fixed LoggerDataCollector crashing on empty file (@​althaus)
  • bug #31071 property normalizer should also pass format and context to isAllowedAttribute (@​dbu)
  • bug #31059 Show more accurate message in profiler when missing stopwatch (@​linaori)
  • bug #30423 [Security] Rework firewall's access denied rule (@​dimabory)
  • bug #31012 [Process] Fix missing $extraDirs when open_basedir returns (@​arsonik)
  • bug #30907 [Serializer] Respect ignored attributes in cache key of normalizer (@​dbu)
  • bug #30085 Fix TestRunner compatibility to PhpUnit 8 (@​alexander-schranz)
  • bug #30977 [serializer] prevent mixup in normalizer of the object to populate (@​dbu)
  • bug #30976 [Debug] Fixed error handling when an error is already handled when another error is already handled (5) (@​lyrixx)
  • bug #30979 Fix the configurability of CoreExtension deps in standalone usage (@​stof)
  • bug #30918 [Cache] fix using ProxyAdapter inside TagAwareAdapter (@​dmaicher)
  • bug #30961 [Form] fix translating file validation error message (@​xabbuh)
  • bug #30951 Handle case where no translations were found (@​greg0ire)
  • bug #29800 [Validator] Only traverse arrays that are cascaded into (@​corphi)
  • bug #30921 [Translator] Warm up the translations cache in dev (@​tgalopin)
  • bug #30922 [TwigBridge] fix horizontal spacing of inlined Bootstrap forms (@​xabbuh)
  • bug #30895 [Form] turn failed file uploads into form errors (@​xabbuh)
  • bug #30919 [Translator] Fix wrong dump for PO files (@​deguif)
  • bug #30889 [DependencyInjection] Fix a wrong error when using a factory (@​Simperfit)
... (truncated)
Changelog

Sourced from symfony/symfony's changelog.

  • 3.4.27 (2019-05-01)

  • bug #31338 Revert "bug #30620 [FrameworkBundle][HttpFoundation] make session service resettable (dmaicher)" (nicolas-grekas)

  • bug #31326 fix ConsoleFormatter - call to a member function format() on string (keksa)

  • bug #31331 [Workflow] Fixed dumping when many transition with same name exist (lyrixx)

  • bug #31302 [FramworkBundle] mark any env vars found in the ide setting as used (nicolas-grekas)

  • bug #31290 [TwigBundle] Use the apply tag instead of the filter tag (greg0ire)

  • bug #31275 [Translator] Preserve default domain when extracting strings from php files (Stadly)

  • bug #31213 [WebProfilerBundle] Intercept redirections only for HTML format (javiereguiluz)

  • 3.4.26 (2019-04-17)

  • bug #31084 [HttpFoundation] Make MimeTypeExtensionGuesser case insensitive (vermeirentony)

  • bug #31142 Revert "bug #30423 [Security] Rework firewall's access denied rule (dimabory)" (chalasr)

  • security #cve-2019-10910 [DI] Check service IDs are valid (nicolas-grekas)

  • security #cve-2019-10909 [FrameworkBundle][Form] Fix XSS issues in the form theme of the PHP templating engine (stof)

  • security #cve-2019-10912 [Cache][PHPUnit Bridge] Prevent destructors with side-effects from being unserialized (nicolas-grekas)

  • security #cve-2019-10911 [Security] Add a separator in the remember me cookie hash (pborreli)

  • security #cve-2019-10913 [HttpFoundation] reject invalid method override (nicolas-grekas)

  • 3.4.25 (2019-04-16)

  • bug #29944 [DI] Overriding services autowired by name under _defaults bind not working (przemyslaw-bogusz, renanbr)

  • bug #31076 [HttpKernel] Fixed LoggerDataCollector crashing on empty file (althaus)

  • bug #31071 property normalizer should also pass format and context to isAllowedAttribute (dbu)

  • bug #31059 Show more accurate message in profiler when missing stopwatch (linaori)

  • bug #30423 [Security] Rework firewall's access denied rule (dimabory)

  • bug #31012 [Process] Fix missing $extraDirs when open_basedir returns (arsonik)

  • bug #30907 [Serializer] Respect ignored attributes in cache key of normalizer (dbu)

  • bug #30085 Fix TestRunner compatibility to PhpUnit 8 (alexander-schranz)

  • bug #30977 [serializer] prevent mixup in normalizer of the object to populate (dbu)

  • bug #30976 [Debug] Fixed error handling when an error is already handled when another error is already handled (5) (lyrixx)

  • bug #30979 Fix the configurability of CoreExtension deps in standalone usage (stof)

  • bug #30918 [Cache] fix using ProxyAdapter inside TagAwareAdapter (dmaicher)

  • bug #30961 [Form] fix translating file validation error message (xabbuh)

  • bug #30951 Handle case where no translations were found (greg0ire)

  • bug #29800 [Validator] Only traverse arrays that are cascaded into (corphi)

  • bug #30921 [Translator] Warm up the translations cache in dev (tgalopin)

  • bug #30922 [TwigBridge] fix horizontal spacing of inlined Bootstrap forms (xabbuh)

  • bug #30895 [Form] turn failed file uploads into form errors (xabbuh)

  • bug #30919 [Translator] Fix wrong dump for PO files (deguif)

  • bug #30889 [DependencyInjection] Fix a wrong error when using a factory (Simperfit)

  • bug #30879 [Form] Php doc fixes and cs + optimizations (Jules Pietri)

  • bug #30883 [Console] Fix stty not reset when aborting in QuestionHelper::autocomplete() (Simperfit)

  • bug #30878 [Console] Fix inconsistent result for choice questions in non-interactive mode (chalasr)

  • 3.4.24 (2019-04-02)

  • bug #30660 [Bridge][Twig] DebugCommand - fix escaping and filter (SpacePossum)

  • bug #30720 Fix getSetMethodNormalizer to correctly ignore the attributes specified in "ignored_attributes" (Emmanuel BORGES)

... (truncated)
Commits
  • a9bb118 Merge pull request #31345 from fabpot/release-3.4.27
  • 3d7ca2e updated VERSION for 3.4.27
  • 1611faf update CONTRIBUTORS for 3.4.27
  • e6c269e updated CHANGELOG for 3.4.27
  • e2881d1 minor #31339 Reword VarDumper description (greg0ire)
  • cc480e4 minor #31343 [Translation] Fixes typo in comment (jschaedl)
  • e11985f [Translation] Fixes typo in comment
  • 6024e16 Reword VarDumper description
  • 9041637 bug #31338 Revert "bug #30620 [FrameworkBundle][HttpFoundation] make session ...
  • 4177331 Revert "bug #30620 [FrameworkBundle][HttpFoundation] make session service res...
  • Additional commits viewable in compare view

Dependabot compatibility score

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot merge will merge this PR after your CI passes on it
  • @dependabot squash and merge will squash and merge this PR after your CI passes on it
  • @dependabot cancel merge will cancel a previously requested merge and block automerging
  • @dependabot reopen will reopen this PR if it is closed
  • @dependabot ignore this [patch|minor|major] version will close this PR and stop Dependabot creating any more for this minor/major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
  • @dependabot use these labels will set the current labels as the default for future PRs for this repo and language
  • @dependabot use these reviewers will set the current reviewers as the default for future PRs for this repo and language
  • @dependabot use these assignees will set the current assignees as the default for future PRs for this repo and language
  • @dependabot use this milestone will set the current milestone as the default for future PRs for this repo and language
  • @dependabot badge me will comment on this PR with code to add a "Dependabot enabled" badge to your readme

Additionally, you can set the following in your Dependabot dashboard:

  • Update frequency (including time of day and day of week)
  • Automerge options (never/patch/minor, and dev/runtime dependencies)
  • Pull request limits (per update run and/or open at any time)
  • Out-of-range updates (receive only lockfile updates, if desired)
  • Security updates (receive only security updates, if desired)

Finally, you can contact us by mentioning @dependabot.

@dependabot-preview dependabot-preview bot force-pushed the dependabot/composer/symfony/symfony-3.4.27 branch 2 times, most recently from 75f5dbf to efc3ad7 May 20, 2019

@carakas carakas added this to the 5.5.3 milestone May 20, 2019

@carakas

This comment has been minimized.

Copy link
Member

commented May 20, 2019

@dependabot rebase

[Security] Bump symfony/symfony from 3.4.23 to 3.4.27
Bumps [symfony/symfony](https://github.com/symfony/symfony) from 3.4.23 to 3.4.27. **This update includes security fixes.**
- [Release notes](https://github.com/symfony/symfony/releases)
- [Changelog](https://github.com/symfony/symfony/blob/v3.4.27/CHANGELOG-3.4.md)
- [Commits](symfony/symfony@v3.4.23...v3.4.27)

Signed-off-by: dependabot[bot] <support@dependabot.com>

@dependabot-preview dependabot-preview bot force-pushed the dependabot/composer/symfony/symfony-3.4.27 branch from efc3ad7 to 5a159bb May 20, 2019

@carakas carakas merged commit be84efe into master May 21, 2019

4 of 5 checks passed

Scrutinizer Canceled
Details
continuous-integration/styleci/pr The analysis has passed
Details
continuous-integration/styleci/push The analysis has passed
Details
continuous-integration/travis-ci/pr The Travis CI build passed
Details
continuous-integration/travis-ci/push The Travis CI build passed
Details

@carakas carakas deleted the dependabot/composer/symfony/symfony-3.4.27 branch May 21, 2019

@carakas carakas modified the milestones: 5.5.3, 6.0.0, 5.6.0 May 21, 2019

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
You can’t perform that action at this time.