Comments

54 Comments

The drupal8 package has conflicted with Twig v2 since 8.4.6-2 (Sat Mar 31 2018) -- see https://src.fedoraproject.org/rpms/drupal8/c/2b082882a1b0c5fdce466bd32b7b41bf84235bbc

THANKS @tis! I have fixed the issue and the new release should be available soon.

THANKS @tis! I have fixed the issue and the new release should be available soon.

php-paragonie-random-compat version constraint has now been removed from php-symfony-security

This update has been unpushed.

This update has been unpushed.

This update has been unpushed.

Hello muench --

I based the "security" type on the following in the changelog:

2016-07-19 Uwe Tews

{math} shell injection vulnerability patch provided by Tim Weber

2013-09-30

Fixed old vulnerability bug https://bugs.gentoo.org/show_bug.cgi?id=356615

I am curious... what is the use case for this very old version of Smarty?

FYI: I could not find any dependents of this package and have retired it in Fedora 30.

$ rpm -qp --requires /home/siwinski/rpmbuild/RPMS/noarch/drupal8-8.4.6-3.fc27.noarch.rpm | grep -i symfony | sort
(php-composer(symfony/class-loader) >= 3.2.8 with php-composer(symfony/class-loader) < 4.0.0)
(php-composer(symfony-cmf/routing) >= 1.4 with php-composer(symfony-cmf/routing) < 2.0)
(php-composer(symfony/console) >= 3.2.8 with php-composer(symfony/console) < 4.0.0)
(php-composer(symfony/dependency-injection) >= 3.2.8 with php-composer(symfony/dependency-injection) < 4.0.0)
(php-composer(symfony/event-dispatcher) >= 3.2.8 with php-composer(symfony/event-dispatcher) < 4.0.0)
(php-composer(symfony/http-foundation) >= 3.2.8 with php-composer(symfony/http-foundation) < 4.0.0)
(php-composer(symfony/http-kernel) >= 3.2.8 with php-composer(symfony/http-kernel) < 4.0.0)
(php-composer(symfony/process) >= 3.2.8 with php-composer(symfony/process) < 4.0.0)
(php-composer(symfony/psr-http-message-bridge) >= 1.0 with php-composer(symfony/psr-http-message-bridge) < 2.0)
(php-composer(symfony/routing) >= 3.2.8 with php-composer(symfony/routing) < 4.0.0)
(php-composer(symfony/serializer) >= 3.2.8 with php-composer(symfony/serializer) < 4.0.0)
(php-composer(symfony/translation) >= 3.2.8 with php-composer(symfony/translation) < 4.0.0)
(php-composer(symfony/validator) >= 3.2.8 with php-composer(symfony/validator) < 4.0.0)
(php-composer(symfony/yaml) >= 3.2.8 with php-composer(symfony/yaml) < 4.0.0)

drupal8-8.4.6-3 now uses range dependencies when possible. Also, I finally found that a Symfony Config dependency was missing so that has been added as well.

See https://src.fedoraproject.org/rpms/drupal8/c/dc10ba3d8b6a4839ca7efaaa511d80465dca9a44 for changes

I'm a little lost as to how Symfony 3 is not getting installed as it is listed as a dependency:

$ rpm -qp --requires /home/siwinski/rpmbuild/RPMS/noarch/drupal8-8.4.6-2.fc27.noarch.rpm | grep -i symfony | sort
php-composer(symfony/class-loader) >= 3.2.8
php-composer(symfony/class-loader) < 4.0.0
php-composer(symfony-cmf/routing) >= 1.4
php-composer(symfony-cmf/routing) < 2.0
php-composer(symfony/console) >= 3.2.8
php-composer(symfony/console) < 4.0.0
php-composer(symfony/dependency-injection) >= 3.2.8
php-composer(symfony/dependency-injection) < 4.0.0
php-composer(symfony/event-dispatcher) >= 3.2.8
php-composer(symfony/event-dispatcher) < 4.0.0
php-composer(symfony/http-foundation) >= 3.2.8
php-composer(symfony/http-foundation) < 4.0.0
php-composer(symfony/http-kernel) >= 3.2.8
php-composer(symfony/http-kernel) < 4.0.0
php-composer(symfony/process) >= 3.2.8
php-composer(symfony/process) < 4.0.0
php-composer(symfony/psr-http-message-bridge) >= 1.0
php-composer(symfony/psr-http-message-bridge) < 2.0
php-composer(symfony/routing) >= 3.2.8
php-composer(symfony/routing) < 4.0.0
php-composer(symfony/serializer) >= 3.2.8
php-composer(symfony/serializer) < 4.0.0
php-composer(symfony/translation) >= 3.2.8
php-composer(symfony/translation) < 4.0.0
php-composer(symfony/validator) >= 3.2.8
php-composer(symfony/validator) < 4.0.0
php-composer(symfony/yaml) >= 3.2.8
php-composer(symfony/yaml) < 4.0.0

I'll try modifying the requires to use range dependencies in case it is DNF not installing the correct versions (i.e. just satisfying the "< 4.0.0")

Thanks for the update. Can You shed some light on why this is marked a security udpate? Is there some fixed vulnerability? Nothing so far in http://symfony.com/blog/category/security-advisories

I marked it as a security update after a quick review of the changes and the following in 4.0.0-RC1:

  • security #24995 Validate redirect targets using the session cookie domain (@nicolas-grekas)
  • security #24994 Prevent bundle readers from breaking out of paths (@xabbuh)
  • security #24993 Ensure that submitted data are uploaded files (@xabbuh)
  • security #24992 Namespace generated CSRF tokens depending of the current scheme (@dunglas)