FEDORA-2017-8a9862f4b7 created by siwinski 2 years ago for Fedora 27
stable

4.0.1 (2017-12-05)

  • bug #25304 [Bridge/PhpUnit] Prefer $_SERVER['argv'] over $argv (ricknox)
  • bug #25272 [SecurityBundle] fix setLogoutOnUserChange calls for context listeners (dmaicher)
  • bug #25282 [DI] Register singly-implemented interfaces when doing PSR-4 discovery (nicolas-grekas)
  • bug #25274 [Security] Adding a GuardAuthenticatorHandler alias (weaverryan)
  • bug #25308 [FrameworkBundle] Fix a bug where a color tag will be shown when passing an antislash (Simperfit)
  • bug #25278 Fix for missing whitespace control modifier in form layout (kubawerlos)
  • bug #25306 [Form][TwigBridge] Fix collision between view properties and form fields (yceruto)
  • bug #25305 [Form][TwigBridge] Fix collision between view properties and form fields (yceruto)
  • bug #25236 [Form][TwigBridge] Fix collision between view properties and form fields (yceruto)
  • bug #25312 [DI] Fix deep-inlining of non-shared refs (nicolas-grekas)
  • bug #25309 [Yaml] parse newlines in quoted multiline strings (xabbuh)
  • bug #25313 [DI] Fix missing unset leading to false-positive circular ref (nicolas-grekas)
  • bug #25268 [DI] turn $private to protected in dumped container, to make cache:clear BC (nicolas-grekas)
  • bug #25285 [DI] Throw an exception if Expression Language is not installed (sroze)
  • bug #25241 [Yaml] do not eagerly filter comment lines (xabbuh)
  • bug #25284 [DI] Cast ids to string, as done on 3.4 (nicolas-grekas, sroze)
  • bug #25297 [Validator] Fixed the @Valid(groups={"group"}) against null exception case (vudaltsov)
  • bug #25255 [Console][DI] Fail gracefully (nicolas-grekas)
  • bug #25264 [DI] Trigger deprecation when setting a to-be-private synthetic service (nicolas-grekas)
  • bug #25258 [link] Prevent warnings when running link with 2.7 (dunglas)
  • bug #25244 [DI] Add missing deprecation when fetching private services from ContainerBuilder (nicolas-grekas)
  • bug #24750 [Validator] ExpressionValidator should use OBJECT_TO_STRING (Simperfit)
  • bug #25247 [DI] Fix false-positive circular exception (nicolas-grekas)
  • bug #25226 [HttpKernel] Fix issue when resetting DumpDataCollector (Pierstoval)
  • bug #25230 Use a more specific file for detecting the bridge (greg0ire)
  • bug #25232 [WebProfilerBundle] [TwigBundle] Fix Profiler breaking XHTML pages (tistre)

4.0.0 (2017-11-30)

  • bug #25220 [HttpFoundation] Add Session::isEmpty(), fix MockFileSessionStorage to behave like the native one (nicolas-grekas)
  • bug #25209 [VarDumper] Dont use empty(), it chokes on eg GMP objects (nicolas-grekas)
  • bug #25200 [HttpKernel] Arrays with scalar values passed to ESI fragment renderer throw deprecation notice (Simperfit)
  • bug #25201 [HttpKernel] Add a better error messages when passing a private or non-tagged controller (Simperfit)
  • bug #25155 [DependencyInjection] Detect case mismatch in autowiring (Simperfit, sroze)
  • bug #25217 [Dotenv] Changed preg_match flags from null to 0 (deekthesqueak)
  • bug #25180 [DI] Fix circular reference when using setters (nicolas-grekas)
  • bug #25204 [DI] Clear service reference graph (nicolas-grekas)
  • bug #25203 [DI] Fix infinite loop in InlineServiceDefinitionsPass (nicolas-grekas)
  • bug #25185 [Serializer] Do not cache attributes if attributes in context (sroze)
  • bug #25190 [HttpKernel] Keep legacy container files for concurrent requests (nicolas-grekas)
  • bug #25182 [HttpFoundation] AutExpireFlashBag should not clear new flashes (Simperfit, sroze)
  • bug #25174 [Translation] modify definitions only if the do exist (xabbuh)
  • bug #25179 [FrameworkBundle][Serializer] Remove YamlEncoder definition if Yaml component isn't installed (ogizanagi)
  • bug #25160 [DI] Prevent a ReflectionException during cache:clear when the parent class doesn't exist (dunglas)
  • bug #25163 [DI] Fix tracking of env vars in exceptions (nicolas-grekas)
  • bug #25162 [HttpKernel] Read $_ENV when checking SHELL_VERBOSITY (nicolas-grekas)
  • bug #25158 [DI] Remove unreachable code (GawainLynch)
  • bug #25152 [Form] Don't rely on Symfony\Component\HttpFoundation\File\File if http-foundation isn't in FileType (issei-m)
  • bug #24987 [Console] Fix global console flag when used in chain (Simperfit)
  • bug #25137 Adding checks for the expression language (weaverryan)
  • bug #25151 [FrameworkBundle] Automatically enable the CSRF protection if CSRF manager exists (sroze)
  • bug #25043 [Yaml] added ability for substitute aliases when mapping is on single line (MichaƂ Strzelecki, xabbuh)

4.0.0-RC2 (2017-11-24)

  • bug #25146 [DI] Dont resolve envs in service ids (nicolas-grekas)
  • bug #25113 [Routing] Fix "config-file-relative" annotation loader resources (nicolas-grekas, sroze)
  • bug #25065 [FrameworkBundle] Update translation commands to work with default paths (yceruto)
  • bug #25109 Make debug:container search command case-insensitive (jzawadzki)
  • bug #25121 [FrameworkBundle] Fix AssetsInstallCommand (nicolas-grekas)
  • bug #25102 [Form] Fixed ContextErrorException in FileType (chihiro-adachi)
  • bug #25130 [DI] Fix handling of inlined definitions by ContainerBuilder (nicolas-grekas)
  • bug #25119 [DI] Fix infinite loop when analyzing references (nicolas-grekas)
  • bug #25094 [FrameworkBundle][DX] Display a nice error message if an enabled component is missing (derrabus)
  • bug #25100 [SecurityBundle] providerIds is undefined error when firewall provider is not specified (karser)
  • bug #25100 [SecurityBundle] providerIds is undefined error when firewall provider is not specified (karser)
  • bug #25100 [SecurityBundle] providerIds is undefined error when firewall provider is not specified (karser)
  • bug #25097 [Bridge\PhpUnit] Turn "preserveGlobalState" to false by default, revert "Blacklist" removal (nicolas-grekas)

4.0.0-RC1 (2017-11-21)

  • bug #25077 [Bridge/Twig] Let getFlashes starts the session (MatTheCat)
  • bug #25082 [HttpKernel] Disable container inlining when legacy inlining has been used (nicolas-grekas)
  • bug #25022 [Filesystem] Updated Filesystem::makePathRelative (inso)
  • bug #25072 [Bridge/PhpUnit] Remove trailing "\n" from ClockMock::microtime(false) (joky)
  • bug #25069 [Debug] Fix undefined variable $lightTrace (nicolas-grekas)
  • bug #25053 [Serializer] Fixing PropertyNormalizer supports parent properties (Christopher Hertel)
  • bug #25055 [DI] Analyze setter-circular deps more precisely (nicolas-grekas)
  • feature #25056 [Bridge/PhpUnit] Sync the bridge version installed in vendor/ and in phpunit clone (nicolas-grekas)
  • bug #25048 Allow EnumNode name to be null (MatTheCat)
  • bug #25045 [SecurityBundle] Don't trigger auto-picking notice if provider is set per listener (chalasr)
  • bug #25033 [FrameworkBundle] Dont create empty bundles directory by default (ro0NL)
  • bug #25037 [DI] Skip hot_path tag for deprecated services as their class might also be (nicolas-grekas)
  • bug #25038 [Cache] Memcached options should ignore "lazy" (nicolas-grekas)
  • bug #25014 Move deprecation under use statements (greg0ire)
  • bug #25030 [Console] Fix ability to disable lazy commands (chalasr)
  • bug #25032 [Bridge\PhpUnit] Disable broken auto-require mechanism of phpunit (nicolas-grekas)
  • bug #25016 [HttpKernel] add type-hint for the requestType (Simperfit)
  • bug #25027 [FrameworkBundle] Hide server:log command based on deps (sroze)
  • bug #24991 [DependencyInjection] Single typed argument can be applied on multiple parameters (nicolas-grekas, sroze)
  • bug #24983 [Validator] enter the context in which to validate (xabbuh)
  • bug #24956 Fix ambiguous pattern (weltling)
  • bug #24732 [DependencyInjection] Prevent service:method factory notation in PHP config (vudaltsov)
  • bug #24979 [HttpKernel] remove services resetter even when it's an alias (xabbuh)
  • bug #24972 [HttpKernel] Fix service arg resolver for controllers as array callables (sroze, nicolas-grekas)
  • bug #24971 [FrameworkBundle] Empty event dispatcher earlier in CacheClearCommand (nicolas-grekas)
  • security #24995 Validate redirect targets using the session cookie domain (nicolas-grekas)
  • security #24994 Prevent bundle readers from breaking out of paths (xabbuh)
  • security #24993 Ensure that submitted data are uploaded files (xabbuh)
  • security #24992 Namespace generated CSRF tokens depending of the current scheme (dunglas)
  • bug #24975 [DomCrawler] Type fix Crawler:: discoverNamespace() (VolCh)
  • bug #24954 [DI] Fix dumping with custom base class (nicolas-grekas)
  • bug #24952 [HttpFoundation] Fix session-related BC break (nicolas-grekas, sroze)
  • bug #24943 [FrameworkBundle] Wire the translation.reader service instead of deprecated translation.loader in commands (ogizanagi)

How to install

sudo dnf upgrade --advisory=FEDORA-2017-8a9862f4b7

This update has been submitted for testing by siwinski.

2 years ago

siwinski edited this update.

2 years ago
User Icon anonymous commented & provided feedback 2 years ago

Thanks for the update. Can You shed some light on why this is marked a security udpate? Is there some fixed vulnerability? Nothing so far in http://symfony.com/blog/category/security-advisories

This update has been pushed to testing.

2 years ago
User Icon siwinski commented & provided feedback 2 years ago

Thanks for the update. Can You shed some light on why this is marked a security udpate? Is there some fixed vulnerability? Nothing so far in http://symfony.com/blog/category/security-advisories

I marked it as a security update after a quick review of the changes and the following in 4.0.0-RC1:

  • security #24995 Validate redirect targets using the session cookie domain (@nicolas-grekas)
  • security #24994 Prevent bundle readers from breaking out of paths (@xabbuh)
  • security #24993 Ensure that submitted data are uploaded files (@xabbuh)
  • security #24992 Namespace generated CSRF tokens depending of the current scheme (@dunglas)
User Icon anonymous commented & provided feedback 2 years ago

thanks, this info helped us evaluating the update fyi:

24992 > CVE-2017-16653

24993 > CVE-2017-16790

24994 > CVE-2017-16654

24995 > CVE-2017-16652

This update has reached 7 days in testing and can be pushed to stable now if the maintainer wishes

2 years ago

This update has been submitted for batched by siwinski.

2 years ago

This update has been submitted for stable by siwinski.

2 years ago

This update has been pushed to stable.

2 years ago

Please login to add feedback.

Metadata
Type
security
Karma
0
Signed
Content Type
RPM
Test Gating
Settings
Unstable by Karma
-3
Stable by Karma
3
Dates
submitted
2 years ago
in testing
2 years ago
in stable
2 years ago
modified
2 years ago
BZ#1509765 php-symfony4-4.0.1 is available
0
0

Automated Test Results