3.4.14 (2018-08-01)

• security #cve-2018-14774 [HttpKernel] fix trusted headers management in HttpCache and InlineFragmentRenderer (nicolas-grekas)
• security #cve-2018-14773 [HttpFoundation] Remove support for legacy and risky HTTP headers (nicolas-grekas)
• bug #28003 [HttpKernel] Fixes invalid REMOTE_ADDR in inline subrequest when configuring trusted proxy with subnet (netiul)
• bug #28007 [FrameworkBundle] fixed guard event names for transitions (destillat)
• bug #28045 [HttpFoundation] Fix Cookie::isCleared (ro0NL)
• bug #28080 [HttpFoundation] fixed using _method parameter with invalid type (Phobetor)
• bug #28052 [HttpKernel] Fix merging bindings for controllers' locators (nicolas-grekas)

3.4.13 (2018-07-23)

• bug #28005 [HttpKernel] Fixed templateExists on parse error of the template name (yceruto)
• bug #27997 Serbo-Croatian has Serbian plural rule (kylekatarnls)
• bug #26193 Fix false-positive deprecation notices for TranslationLoader and WriteCheckSessionHandler (iquito)
• bug #27941 [WebProfilerBundle] Fixed icon alignment issue using Bootstrap 4.1.2 (jmsche)
• bug #27937 [HttpFoundation] reset callback on StreamedResponse when setNotModified() is called (rubencm)
• bug #27927 [HttpFoundation] Suppress side effects in 'get' and 'has' methods of NamespacedAttributeBag (webnet-fr)
• bug #27923 [Form/Profiler] Massively reducing memory footprint of form profiling pages... (VincentChalnot)
• bug #27918 [Console] correctly return parameter's default value on "--" (seschwar)
• bug #27904 [Filesystem] fix lock file permissions (fritzmg)
• bug #27903 [Lock] fix lock file permissions (fritzmg)
• bug #27889 [Form] Replace .initialism with .text-uppercase. (vudaltsov)
• bug #27902 Fix the detection of the Process new argument (stof)
• bug #27885 [HttpFoundation] don't encode cookie name for BC (nicolas-grekas)
• bug #27782 [DI] Fix dumping ignore-on-uninitialized references to synthetic services (nicolas-grekas)
• bug #27435 [OptionResolver] resolve arrays (Doctrs)
• bug #27728 [TwigBridge] Fix missing path and separators in loader paths list on debug:twig output (yceruto)
• bug #27837 [PropertyInfo] Fix dock block lookup fallback loop (DerManoMann)
• bug #27758 [WebProfilerBundle] Prevent toolbar links color override by css (alcalyn)
• bug #27834 [DI] Don't show internal service id on binding errors (nicolas-grekas)
• bug #27831 Check for Hyper terminal on all operating systems. (azjezz)
• bug #27794 Add color support for Hyper terminal . (azjezz)
• bug #27809 [HttpFoundation] Fix tests: new message for status 425 (dunglas)
• bug #27618 [PropertyInfo] added handling of nullable types in PhpDoc (oxan)
• bug #27659 [HttpKernel] Make AbstractTestSessionListener compatible with CookieClearingLogoutHandler (thewilkybarkid)
• bug #27752 [Cache] provider does not respect option maxIdLength with versioning enabled (Constantine Shtompel)
• bug #27776 [ProxyManagerBridge] Fix support of private services (bis) (nicolas-grekas)
• bug #27714 [HttpFoundation] fix session tracking counter (nicolas-grekas, dmaicher)
• bug #27747 [HttpFoundation] fix registration of session proxies (nicolas-grekas)
• bug #27722 Redesign the Debug error page in prod (javiereguiluz)
• bug #27716 [DI] fix dumping deprecated service in yaml (nicolas-grekas)