Fedora 28: php-symfony3 Security Update
Summary
Symfony PHP framework (version 3).
NOTE: Does not require PHPUnit bridge.
## 3.4.14 (2018-08-01) * security #cve-2018-14774 [HttpKernel] fix trusted
headers management in HttpCache and InlineFragmentRenderer (nicolas-grekas) *
security #cve-2018-14773 [HttpFoundation] Remove support for legacy and risky
HTTP headers (nicolas-grekas) * bug #28003 [HttpKernel] Fixes invalid
REMOTE_ADDR in inline subrequest when configuring trusted proxy with subnet
(netiul) * bug #28007 [FrameworkBundle] fixed guard event names for transitions
(destillat) * bug #28045 [HttpFoundation] Fix Cookie::isCleared (ro0NL) * bug
#28080 [HttpFoundation] fixed using _method parameter with invalid type
(Phobetor) * bug #28052 [HttpKernel] Fix merging bindings for controllers'
locators (nicolas-grekas) ## 3.4.13 (2018-07-23) * bug #28005 [HttpKernel]
Fixed templateExists on parse error of the template name (yceruto) * bug #27997
Serbo-Croatian has Serbian plural rule (kylekatarnls) * bug #26193 Fix false-positive deprecation notices for TranslationLoader and WriteCheckSessionHandler
(iquito) * bug #27941 [WebProfilerBundle] Fixed icon alignment issue using
Bootstrap 4.1.2 (jmsche) * bug #27937 [HttpFoundation] reset callback on
StreamedResponse when setNotModified() is called (rubencm) * bug #27927
[HttpFoundation] Suppress side effects in 'get' and 'has' methods of
NamespacedAttributeBag (webnet-fr) * bug #27923 [Form/Profiler] Massively
reducing memory footprint of form profiling pages... (VincentChalnot) * bug
#27918 [Console] correctly return parameter's default value on "--" (seschwar)
* bug #27904 [Filesystem] fix lock file permissions (fritzmg) * bug #27903
[Lock] fix lock file permissions (fritzmg) * bug #27889 [Form] Replace
.initialism with .text-uppercase. (vudaltsov) * bug #27902 Fix the detection of
the Process new argument (stof) * bug #27885 [HttpFoundation] don't encode
cookie name for BC (nicolas-grekas) * bug #27782 [DI] Fix dumping ignore-on-uninitialized references to synthetic services (nicolas-grekas) * bug #27435
[OptionResolver] resolve arrays (Doctrs) * bug #27728 [TwigBridge] Fix missing
path and separators in loader paths list on debug:twig output (yceruto) * bug
#27837 [PropertyInfo] Fix dock block lookup fallback loop (DerManoMann) * bug
#27758 [WebProfilerBundle] Prevent toolbar links color override by css (alcalyn)
* bug #27834 [DI] Don't show internal service id on binding errors (nicolas-grekas) * bug #27831 Check for Hyper terminal on all operating systems.
(azjezz) * bug #27794 Add color support for Hyper terminal . (azjezz) * bug
#27809 [HttpFoundation] Fix tests: new message for status 425 (dunglas) * bug
#27618 [PropertyInfo] added handling of nullable types in PhpDoc (oxan) * bug
#27659 [HttpKernel] Make AbstractTestSessionListener compatible with
CookieClearingLogoutHandler (thewilkybarkid) * bug #27752 [Cache] provider does
not respect option maxIdLength with versioning enabled (Constantine Shtompel) *
bug #27776 [ProxyManagerBridge] Fix support of private services (bis) (nicolas-grekas) * bug #27714 [HttpFoundation] fix session tracking counter (nicolas-grekas, dmaicher) * bug #27747 [HttpFoundation] fix registration of session
proxies (nicolas-grekas) * bug #27722 Redesign the Debug error page in prod
(javiereguiluz) * bug #27716 [DI] fix dumping deprecated service in yaml
(nicolas-grekas)
* Wed Aug 1 2018 Shawn Iwinski
- Update to 3.4.14 (CVE-2018-14773 / CVE-2018-14774)
- Add conflict php-composer(phpdocumentor/type-resolver) < 0.3.0
* Fri Jul 13 2018 Fedora Release Engineering
- Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild
* Mon Jun 25 2018 Shawn Iwinski
- Update 3.4.12
* Mon May 28 2018 Remi Collet
- update to 3.4.11
* Thu May 24 2018 Remi Collet
- update to 3.4.10
- ignore new dependency on symfony/polyfill-ctype
* Fri May 4 2018 Remi Collet
- update to 3.4.9
[ 1 ] Bug #1611906 - CVE-2018-14773 php-symfony: Legacy HTTP headers allow users to modify URLs and bypass restrictions
https://bugzilla.redhat.com/show_bug.cgi?id=1611906
su -c 'dnf upgrade --advisory FEDORA-2018-9c38d1dc1d' at the command
line. For more information, refer to the dnf documentation available at
https://dnf.readthedocs.io/en/latest/command_ref.html
All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
package-announce mailing list -- package-announce@lists.fedoraproject.org
To unsubscribe send an email to package-announce-leave@lists.fedoraproject.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UEXOLS5O7DVCCNWZY5TXF4UW5O2KP2HK/
FEDORA-2018-9c38d1dc1d 2018-08-14 21:06:35.949541 Product : Fedora 28 Version : 3.4.14 Release : 1.fc28 URL : https://symfony.com/ Summary : Symfony PHP framework (version 3) Description : Symfony PHP framework (version 3). NOTE: Does not require PHPUnit bridge. ## 3.4.14 (2018-08-01) * security #cve-2018-14774 [HttpKernel] fix trusted headers management in HttpCache and InlineFragmentRenderer (nicolas-grekas) * security #cve-2018-14773 [HttpFoundation] Remove support for legacy and risky HTTP headers (nicolas-grekas) * bug #28003 [HttpKernel] Fixes invalid REMOTE_ADDR in inline subrequest when configuring trusted proxy with subnet (netiul) * bug #28007 [FrameworkBundle] fixed guard event names for transitions (destillat) * bug #28045 [HttpFoundation] Fix Cookie::isCleared (ro0NL) * bug #28080 [HttpFoundation] fixed using _method parameter with invalid type (Phobetor) * bug #28052 [HttpKernel] Fix merging bindings for controllers' locators (nicolas-grekas) ## 3.4.13 (2018-07-23) * bug #28005 [HttpKernel] Fixed templateExists on parse error of the template name (yceruto) * bug #27997 Serbo-Croatian has Serbian plural rule (kylekatarnls) * bug #26193 Fix false-positive deprecation notices for TranslationLoader and WriteCheckSessionHandler (iquito) * bug #27941 [WebProfilerBundle] Fixed icon alignment issue using Bootstrap 4.1.2 (jmsche) * bug #27937 [HttpFoundation] reset callback on StreamedResponse when setNotModified() is called (rubencm) * bug #27927 [HttpFoundation] Suppress side effects in 'get' and 'has' methods of NamespacedAttributeBag (webnet-fr) * bug #27923 [Form/Profiler] Massively reducing memory footprint of form profiling pages... (VincentChalnot) * bug #27918 [Console] correctly return parameter's default value on "--" (seschwar) * bug #27904 [Filesystem] fix lock file permissions (fritzmg) * bug #27903 [Lock] fix lock file permissions (fritzmg) * bug #27889 [Form] Replace .initialism with .text-uppercase. (vudaltsov) * bug #27902 Fix the detection of the Process new argument (stof) * bug #27885 [HttpFoundation] don't encode cookie name for BC (nicolas-grekas) * bug #27782 [DI] Fix dumping ignore-on-uninitialized references to synthetic services (nicolas-grekas) * bug #27435 [OptionResolver] resolve arrays (Doctrs) * bug #27728 [TwigBridge] Fix missing path and separators in loader paths list on debug:twig output (yceruto) * bug #27837 [PropertyInfo] Fix dock block lookup fallback loop (DerManoMann) * bug #27758 [WebProfilerBundle] Prevent toolbar links color override by css (alcalyn) * bug #27834 [DI] Don't show internal service id on binding errors (nicolas-grekas) * bug #27831 Check for Hyper terminal on all operating systems. (azjezz) * bug #27794 Add color support for Hyper terminal . (azjezz) * bug #27809 [HttpFoundation] Fix tests: new message for status 425 (dunglas) * bug #27618 [PropertyInfo] added handling of nullable types in PhpDoc (oxan) * bug #27659 [HttpKernel] Make AbstractTestSessionListener compatible with CookieClearingLogoutHandler (thewilkybarkid) * bug #27752 [Cache] provider does not respect option maxIdLength with versioning enabled (Constantine Shtompel) * bug #27776 [ProxyManagerBridge] Fix support of private services (bis) (nicolas-grekas) * bug #27714 [HttpFoundation] fix session tracking counter (nicolas-grekas, dmaicher) * bug #27747 [HttpFoundation] fix registration of session proxies (nicolas-grekas) * bug #27722 Redesign the Debug error page in prod (javiereguiluz) * bug #27716 [DI] fix dumping deprecated service in yaml (nicolas-grekas) * Wed Aug 1 2018 Shawn Iwinski - 3.4.14-1 - Update to 3.4.14 (CVE-2018-14773 / CVE-2018-14774) - Add conflict php-composer(phpdocumentor/type-resolver) < 0.3.0 * Fri Jul 13 2018 Fedora Release Engineering - 3.4.12-2 - Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild * Mon Jun 25 2018 Shawn Iwinski - 3.4.12-1 - Update 3.4.12 * Mon May 28 2018 Remi Collet - 3.4.11-1 - update to 3.4.11 * Thu May 24 2018 Remi Collet - 3.4.10-1 - update to 3.4.10 - ignore new dependency on symfony/polyfill-ctype * Fri May 4 2018 Remi Collet - 3.4.9-1 - update to 3.4.9 [ 1 ] Bug #1611906 - CVE-2018-14773 php-symfony: Legacy HTTP headers allow users to modify URLs and bypass restrictions https://bugzilla.redhat.com/show_bug.cgi?id=1611906 su -c 'dnf upgrade --advisory FEDORA-2018-9c38d1dc1d' at the command line. For more information, refer to the dnf documentation available at https://dnf.readthedocs.io/en/latest/command_ref.html All packages are signed with the Fedora Project GPG key. More details on the GPG keys used by the Fedora Project can be found at package-announce mailing list -- package-announce@lists.fedoraproject.org To unsubscribe send an email to package-announce-leave@lists.fedoraproject.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UEXOLS5O7DVCCNWZY5TXF4UW5O2KP2HK/
Change Log
References
Update Instructions
