
[Security] Bump symfony/symfony from 3.4.23 to 3.4.27 #2804

Merged: 1 commit into master from dependabot/composer/symfony/symfony-3.4.27, May 21, 2019

@dependabot-preview dependabot-preview bot commented May 2, 2019

Bumps symfony/symfony from 3.4.23 to 3.4.27. This update includes security fixes.

Vulnerabilities fixed

Sourced from The PHP Security Advisories Database.

CVE-2019-10909: Escape validation messages in the PHP templating engine

Affected versions: >=2.7.0, <2.7.51; >=2.8.0, <2.8.50; >=3.0.0, <3.1.0; >=3.1.0, <3.2.0; >=3.2.0, <3.3.0; >=3.3.0, <3.4.0; >=3.4.0, <3.4.26; >=4.0.0, <4.1.0; >=4.1.0, <4.1.12; >=4.2.0, <4.2.7

CVE-2019-10911: Add a separator in the remember me cookie hash

Affected versions: >=2.7.0, <2.7.51; >=2.8.0, <2.8.50; >=3.0.0, <3.1.0; >=3.1.0, <3.2.0; >=3.2.0, <3.3.0; >=3.3.0, <3.4.0; >=3.4.0, <3.4.26; >=4.0.0, <4.1.0; >=4.1.0, <4.1.12; >=4.2.0, <4.2.7

CVE-2019-10913: Reject invalid HTTP method overrides

Affected versions: >=2.7.0, <2.7.51; >=2.8.0, <2.8.50; >=3.0.0, <3.1.0; >=3.1.0, <3.2.0; >=3.2.0, <3.3.0; >=3.3.0, <3.4.0; >=3.4.0, <3.4.26; >=4.0.0, <4.1.0; >=4.1.0, <4.1.12; >=4.2.0, <4.2.7

CVE-2019-10912: Prevent destructors with side-effects from being unserialized

Affected versions: >=2.8.0, <2.8.50; >=3.0.0, <3.1.0; >=3.1.0, <3.2.0; >=3.2.0, <3.3.0; >=3.3.0, <3.4.0; >=3.4.0, <3.4.26; >=4.0.0, <4.1.0; >=4.1.0, <4.1.12; >=4.2.0, <4.2.7

CVE-2019-10910: Check service IDs are valid

Affected versions: >=2.7.0, <2.7.51; >=2.8.0, <2.8.50; >=3.0.0, <3.1.0; >=3.1.0, <3.2.0; >=3.2.0, <3.3.0; >=3.3.0, <3.4.0; >=3.4.0, <3.4.26; >=4.0.0, <4.1.0; >=4.1.0, <4.1.12; >=4.2.0, <4.2.7

Release notes

Sourced from symfony/symfony's releases.

v3.4.27

Changelog (since symfony/symfony@v3.4.26...v3.4.27)

  • bug #31338 Revert "bug #30620 [FrameworkBundle][HttpFoundation] make session service resettable (dmaicher)" (@nicolas-grekas)
  • bug #31326 fix ConsoleFormatter - call to a member function format() on string (@keksa)
  • bug #31331 [Workflow] Fixed dumping when many transition with same name exist (@lyrixx)
  • bug #31302 [FramworkBundle] mark any env vars found in the ide setting as used (@nicolas-grekas)
  • bug #31290 [TwigBundle] Use the apply tag instead of the filter tag (@greg0ire)
  • bug #31275 [Translator] Preserve default domain when extracting strings from php files (@Stadly)
  • bug #31213 [WebProfilerBundle] Intercept redirections only for HTML format (@javiereguiluz)

[PR] #31345

v3.4.26

Changelog (since symfony/symfony@v3.4.25...v3.4.26)

[PR] #31146
[SECURITY] Security release

v3.4.25

Changelog (since symfony/symfony@v3.4.24...v3.4.25)

  • bug #29944 [DI] Overriding services autowired by name under _defaults bind not working (@przemyslaw-bogusz, @renanbr)
  • bug #31076 [HttpKernel] Fixed LoggerDataCollector crashing on empty file (@althaus)
  • bug #31071 property normalizer should also pass format and context to isAllowedAttribute (@dbu)
  • bug #31059 Show more accurate message in profiler when missing stopwatch (@linaori)
  • bug #30423 [Security] Rework firewall's access denied rule (@dimabory)
  • bug #31012 [Process] Fix missing $extraDirs when open_basedir returns (@arsonik)
  • bug #30907 [Serializer] Respect ignored attributes in cache key of normalizer (@dbu)
  • bug #30085 Fix TestRunner compatibility to PhpUnit 8 (@alexander-schranz)
  • bug #30977 [serializer] prevent mixup in normalizer of the object to populate (@dbu)
  • bug #30976 [Debug] Fixed error handling when an error is already handled when another error is already handled (5) (@lyrixx)
  • bug #30979 Fix the configurability of CoreExtension deps in standalone usage (@stof)
  • bug #30918 [Cache] fix using ProxyAdapter inside TagAwareAdapter (@dmaicher)
  • bug #30961 [Form] fix translating file validation error message (@xabbuh)
  • bug #30951 Handle case where no translations were found (@greg0ire)
  • bug #29800 [Validator] Only traverse arrays that are cascaded into (@corphi)
  • bug #30921 [Translator] Warm up the translations cache in dev (@tgalopin)
  • bug #30922 [TwigBridge] fix horizontal spacing of inlined Bootstrap forms (@xabbuh)
  • bug #30895 [Form] turn failed file uploads into form errors (@xabbuh)
  • bug #30919 [Translator] Fix wrong dump for PO files (@deguif)
  • bug #30889 [DependencyInjection] Fix a wrong error when using a factory (@Simperfit)
... (truncated)
Changelog

Sourced from symfony/symfony's changelog.

  • 3.4.27 (2019-05-01)

  • bug #31338 Revert "bug #30620 [FrameworkBundle][HttpFoundation] make session service resettable (dmaicher)" (nicolas-grekas)

  • bug #31326 fix ConsoleFormatter - call to a member function format() on string (keksa)

  • bug #31331 [Workflow] Fixed dumping when many transition with same name exist (lyrixx)

  • bug #31302 [FramworkBundle] mark any env vars found in the ide setting as used (nicolas-grekas)

  • bug #31290 [TwigBundle] Use the apply tag instead of the filter tag (greg0ire)

  • bug #31275 [Translator] Preserve default domain when extracting strings from php files (Stadly)

  • bug #31213 [WebProfilerBundle] Intercept redirections only for HTML format (javiereguiluz)

  • 3.4.26 (2019-04-17)

  • bug #31084 [HttpFoundation] Make MimeTypeExtensionGuesser case insensitive (vermeirentony)

  • bug #31142 Revert "bug #30423 [Security] Rework firewall's access denied rule (dimabory)" (chalasr)

  • security #cve-2019-10910 [DI] Check service IDs are valid (nicolas-grekas)

  • security #cve-2019-10909 [FrameworkBundle][Form] Fix XSS issues in the form theme of the PHP templating engine (stof)

  • security #cve-2019-10912 [Cache][PHPUnit Bridge] Prevent destructors with side-effects from being unserialized (nicolas-grekas)

  • security #cve-2019-10911 [Security] Add a separator in the remember me cookie hash (pborreli)

  • security #cve-2019-10913 [HttpFoundation] reject invalid method override (nicolas-grekas)

  • 3.4.25 (2019-04-16)

  • bug #29944 [DI] Overriding services autowired by name under _defaults bind not working (przemyslaw-bogusz, renanbr)

  • bug #31076 [HttpKernel] Fixed LoggerDataCollector crashing on empty file (althaus)

  • bug #31071 property normalizer should also pass format and context to isAllowedAttribute (dbu)

  • bug #31059 Show more accurate message in profiler when missing stopwatch (linaori)

  • bug #30423 [Security] Rework firewall's access denied rule (dimabory)

  • bug #31012 [Process] Fix missing $extraDirs when open_basedir returns (arsonik)

  • bug #30907 [Serializer] Respect ignored attributes in cache key of normalizer (dbu)

  • bug #30085 Fix TestRunner compatibility to PhpUnit 8 (alexander-schranz)

  • bug #30977 [serializer] prevent mixup in normalizer of the object to populate (dbu)

  • bug #30976 [Debug] Fixed error handling when an error is already handled when another error is already handled (5) (lyrixx)

  • bug #30979 Fix the configurability of CoreExtension deps in standalone usage (stof)

  • bug #30918 [Cache] fix using ProxyAdapter inside TagAwareAdapter (dmaicher)

  • bug #30961 [Form] fix translating file validation error message (xabbuh)

  • bug #30951 Handle case where no translations were found (greg0ire)

  • bug #29800 [Validator] Only traverse arrays that are cascaded into (corphi)

  • bug #30921 [Translator] Warm up the translations cache in dev (tgalopin)

  • bug #30922 [TwigBridge] fix horizontal spacing of inlined Bootstrap forms (xabbuh)

  • bug #30895 [Form] turn failed file uploads into form errors (xabbuh)

  • bug #30919 [Translator] Fix wrong dump for PO files (deguif)

  • bug #30889 [DependencyInjection] Fix a wrong error when using a factory (Simperfit)

  • bug #30879 [Form] Php doc fixes and cs + optimizations (Jules Pietri)

  • bug #30883 [Console] Fix stty not reset when aborting in QuestionHelper::autocomplete() (Simperfit)

  • bug #30878 [Console] Fix inconsistent result for choice questions in non-interactive mode (chalasr)

  • 3.4.24 (2019-04-02)

  • bug #30660 [Bridge][Twig] DebugCommand - fix escaping and filter (SpacePossum)

  • bug #30720 Fix getSetMethodNormalizer to correctly ignore the attributes specified in "ignored_attributes" (Emmanuel BORGES)

... (truncated)
Commits
  • a9bb118 Merge pull request #31345 from fabpot/release-3.4.27
  • 3d7ca2e updated VERSION for 3.4.27
  • 1611faf update CONTRIBUTORS for 3.4.27
  • e6c269e updated CHANGELOG for 3.4.27
  • e2881d1 minor #31339 Reword VarDumper description (greg0ire)
  • cc480e4 minor #31343 [Translation] Fixes typo in comment (jschaedl)
  • e11985f [Translation] Fixes typo in comment
  • 6024e16 Reword VarDumper description
  • 9041637 bug #31338 Revert "bug #30620 [FrameworkBundle][HttpFoundation] make session ...
  • 4177331 Revert "bug #30620 [FrameworkBundle][HttpFoundation] make session service res...
  • Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot merge will merge this PR after your CI passes on it
  • @dependabot squash and merge will squash and merge this PR after your CI passes on it
  • @dependabot cancel merge will cancel a previously requested merge and block automerging
  • @dependabot reopen will reopen this PR if it is closed
  • @dependabot ignore this [patch|minor|major] version will close this PR and stop Dependabot creating any more for this minor/major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
  • @dependabot use these labels will set the current labels as the default for future PRs for this repo and language
  • @dependabot use these reviewers will set the current reviewers as the default for future PRs for this repo and language
  • @dependabot use these assignees will set the current assignees as the default for future PRs for this repo and language
  • @dependabot use this milestone will set the current milestone as the default for future PRs for this repo and language
  • @dependabot badge me will comment on this PR with code to add a "Dependabot enabled" badge to your readme

Additionally, you can set the following in your Dependabot dashboard:

  • Update frequency (including time of day and day of week)
  • Automerge options (never/patch/minor, and dev/runtime dependencies)
  • Pull request limits (per update run and/or open at any time)
  • Out-of-range updates (receive only lockfile updates, if desired)
  • Security updates (receive only security updates, if desired)

Finally, you can contact us by mentioning @dependabot.
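The "Affected versions" ranges quoted above are the data a reviewer of this PR actually needs: is the locked version inside one of them? The following is an added example (not Dependabot's code and not part of this repository) that parses those ranges exactly as the advisory lists them and checks a composer.lock against them. The composer.lock excerpt is constructed for the demonstration; the version parser assumes stable X.Y.Z tags with an optional leading "v".

```python
import json

# Ranges exactly as quoted above for CVE-2019-10909, -10910, -10911 and -10913.
ALL_BRANCHES = (
    ">=2.7.0, <2.7.51; >=2.8.0, <2.8.50; >=3.0.0, <3.1.0; >=3.1.0, <3.2.0; "
    ">=3.2.0, <3.3.0; >=3.3.0, <3.4.0; >=3.4.0, <3.4.26; >=4.0.0, <4.1.0; "
    ">=4.1.0, <4.1.12; >=4.2.0, <4.2.7"
)
# CVE-2019-10912 is quoted above without the 2.7 branch.
FROM_2_8 = ALL_BRANCHES.split("; ", 1)[1]

ADVISORIES = {
    "CVE-2019-10909": ALL_BRANCHES,
    "CVE-2019-10910": ALL_BRANCHES,
    "CVE-2019-10911": ALL_BRANCHES,
    "CVE-2019-10912": FROM_2_8,
    "CVE-2019-10913": ALL_BRANCHES,
}

# Constructed composer.lock excerpt; only the fields this check reads.
SAMPLE_LOCK = json.dumps({
    "packages": [
        {"name": "symfony/symfony", "version": "v3.4.23"},
        {"name": "twig/twig", "version": "v1.38.0"},
    ],
    "packages-dev": [
        {"name": "phpunit/phpunit", "version": "7.5.9"},
    ],
})


def parse_version(text):
    """'v3.4.23' -> (3, 4, 23). Accepts a leading 'v' and ignores a
    pre-release suffix after '-' (assumption: stable X.Y.Z tags)."""
    core = text.strip().lstrip("vV").split("-", 1)[0]
    parts = core.split(".")
    while len(parts) < 3:
        parts.append("0")
    return tuple(int(p) for p in parts[:3])


def parse_ranges(spec):
    """'>=a, <b; >=c, <d' -> [(a, b), (c, d)] as version tuples. A missing
    lower bound means 0.0.0; a missing upper bound means unbounded."""
    ranges = []
    for clause in spec.split(";"):
        lower, upper = (0, 0, 0), (2 ** 31,)
        for constraint in clause.split(","):
            constraint = constraint.strip()
            if constraint.startswith(">="):
                lower = parse_version(constraint[2:])
            elif constraint.startswith("<"):
                upper = parse_version(constraint[1:])
            else:
                raise ValueError("unsupported constraint: " + constraint)
        ranges.append((lower, upper))
    return ranges


def is_affected(version, spec):
    v = parse_version(version)
    return any(lo <= v < hi for lo, hi in parse_ranges(spec))


def affecting_cves(version):
    """Advisory IDs from the list above whose ranges contain `version`."""
    return sorted(cve for cve, spec in ADVISORIES.items()
                  if is_affected(version, spec))


def installed_version(lock_json, package):
    """Locked version of `package` from either section, or None if absent."""
    lock = json.loads(lock_json)
    for section in ("packages", "packages-dev"):
        for entry in lock.get(section, []):
            if entry["name"] == package:
                return entry["version"]
    return None


def check_lock(lock_json, package="symfony/symfony"):
    version = installed_version(lock_json, package)
    cves = affecting_cves(version) if version else []
    return {"package": package, "version": version, "cves": cves}


if __name__ == "__main__":
    print(check_lock(SAMPLE_LOCK))
```

Run it against a real composer.lock by reading the file instead of SAMPLE_LOCK; a locked 3.4.23 matches all five advisories, 3.4.26 and later match none, which is what this bump delivers.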

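The title of CVE-2019-10911 above, "Add a separator in the remember me cookie hash", describes a canonicalization defect: when several fields are concatenated before hashing with no delimiter, the boundary between them is lost and two different field sets can hash to the same value. The following added example (not Symfony's code; the field layout of username followed by expiry, the HMAC-SHA256 construction, and the secret are all assumptions made for the demonstration) shows the collision with a plain join, then two fixes: a separator that is enforced rather than assumed, and length-prefixing, which is unambiguous for any field content.

```python
import hashlib
import hmac

SECRET = b"constructed-app-secret"  # constructed for the demo, never a real key


def naive_tag(fields, secret=SECRET):
    """Fields joined with no separator: the boundary between them is lost,
    so different field sets can produce the same input and the same tag."""
    msg = "".join(fields).encode()
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()


def separated_tag(fields, secret=SECRET, sep=":"):
    """Fields joined with a separator. Unambiguous only if no field may
    contain `sep`, so that is enforced here rather than assumed."""
    for field in fields:
        if sep in field:
            raise ValueError("field may not contain %r: %r" % (sep, field))
    msg = sep.join(fields).encode()
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()


def length_prefixed_tag(fields, secret=SECRET):
    """Length-prefix each field (4-byte big-endian length, then the bytes).
    Unambiguous for any field content; no character has to be forbidden."""
    msg = b"".join(
        len(raw).to_bytes(4, "big") + raw
        for raw in (field.encode() for field in fields)
    )
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()


def collides(tag_fn, fields_a, fields_b):
    """True when two different field lists get the same tag under tag_fn."""
    return fields_a != fields_b and tag_fn(fields_a) == tag_fn(fields_b)


def verify_tag(fields, presented, tag_fn=length_prefixed_tag):
    """Constant-time comparison of the recomputed tag with the cookie's tag."""
    return hmac.compare_digest(tag_fn(fields), presented)


# Constructed inputs: two different (username, expiry) pairs whose plain
# concatenation is the same string, "alice1234567890".
PAIR_A = ["alice1", "234567890"]
PAIR_B = ["alice", "1234567890"]

if __name__ == "__main__":
    print("naive collides:", collides(naive_tag, PAIR_A, PAIR_B))
    print("separated collides:", collides(separated_tag, PAIR_A, PAIR_B))
    print("length-prefixed collides:", collides(length_prefixed_tag, PAIR_A, PAIR_B))
```

The separator fix is only as good as the guarantee that no field can contain the separator, which is why separated_tag rejects such fields instead of silently producing an ambiguous input; length-prefixing removes that obligation entirely. Whichever encoding a remember-me implementation uses, the tag should be checked with hmac.compare_digest, as verify_tag does, rather than with ==.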
@dependabot-preview dependabot-preview bot added Dependency bump A small bump in a dependency security Pull requests that address a security vulnerability labels May 2, 2019
@dependabot-preview dependabot-preview bot force-pushed the dependabot/composer/symfony/symfony-3.4.27 branch 2 times, most recently from 75f5dbf to efc3ad7 on May 20, 2019 14:41
@carakas carakas added this to the 5.5.3 milestone May 20, 2019

carakas commented May 20, 2019

@dependabot rebase

Bumps [symfony/symfony](https://github.com/symfony/symfony) from 3.4.23 to 3.4.27. **This update includes security fixes.**
- [Release notes](https://github.com/symfony/symfony/releases)
- [Changelog](https://github.com/symfony/symfony/blob/v3.4.27/CHANGELOG-3.4.md)
- [Commits](symfony/symfony@v3.4.23...v3.4.27)

Signed-off-by: dependabot[bot] <support@dependabot.com>
@dependabot-preview dependabot-preview bot force-pushed the dependabot/composer/symfony/symfony-3.4.27 branch from efc3ad7 to 5a159bb on May 20, 2019 14:47
@carakas carakas merged commit be84efe into master May 21, 2019
@carakas carakas deleted the dependabot/composer/symfony/symfony-3.4.27 branch May 21, 2019 09:02
@carakas carakas modified the milestones: 5.5.3, 6.0.0, 5.6.0 May 21, 2019