
Fedora 31 FEDORA-2019-8b0ba02338 Critical: Symfony Security Updates

November 21, 2019
Fedora security notice FEDORA-2020-9c0ef01234: Update for php-symfony4 introduces critical security enhancements and optimizations.

Summary

Symfony PHP framework (version 3).

NOTE: Does not require PHPUnit bridge.

**Version 3.4.35** (2019-11-13)

* bug #34344 [Console] Constant STDOUT might be undefined (nicolas-grekas)
* security #cve-2019-18889 [Cache] forbid serializing AbstractAdapter and TagAwareAdapter instances (nicolas-grekas)
* security #cve-2019-18888 [HttpFoundation] fix guessing mime-types of files with leading dash (nicolas-grekas)
* security #cve-2019-18887 [HttpKernel] Use constant time comparison in UriSigner (stof)

----

**Version 3.4.34** (2019-11-11)

* bug #34297 [DI] fix locators with numeric keys (nicolas-grekas)
* bug #34282 [DI] Don't cache classes with missing parents (nicolas-grekas)
* bug #34181 [Stopwatch] Fixed bug in getDuration when counting multiple ongoing periods (TimoBakx)
* bug #34179 [Stopwatch] Fixed a bug in StopwatchEvent::getStartTime (TimoBakx)
* bug #34203 [FrameworkBundle] [HttpKernel] fixed correct EOL and EOM month (erics86)

----

**Version 3.4.33** (2019-11-01)

* bug #33998 [Config] Disable default alphabet sorting in glob function due to unstable sort (hurricane-voronin)
* bug #34144 [Serializer] Improve messages for unexpected resources values (fancyweb)
* bug #34080 [SecurityBundle] correct types for default arguments for firewall configs (shieldo)
* bug #33999 [Form] Make sure to collect child forms created on *_SET_DATA events (yceruto)
* bug #34021 [TwigBridge] do not render errors for checkboxes twice (xabbuh)
* bug #34041 [HttpKernel] fix wrong removal of the just generated container dir (nicolas-grekas)
* bug #34023 [Dotenv] allow LF in single-quoted strings (nicolas-grekas)
* bug #33818 [Yaml] Throw exception for tagged invalid inline elements (gharlan)
* bug #33948 [PropertyInfo] Respect property name case when guessing from public method name (antograssiot)
* bug #33962 [Cache] fixed TagAwareAdapter returning invalid cache (v-m-i)
* bug #33965 [HttpFoundation] Add plus character `+` to legal mime subtype (ilzrv)
* bug #32943 [Dotenv] search variable values in ENV first then env file (soufianZantar)
* bug #33943 [VarDumper] fix resetting the "bold" state in CliDumper (nicolas-grekas)

----

**Version 3.4.32** (2019-10-07)

* bug #33834 [Validator] Fix ValidValidator group cascading usage (fancyweb)
* bug #33841 [VarDumper] fix dumping uninitialized SplFileInfo (nicolas-grekas)
* bug #33799 [Security]: Don't let falsy usernames slip through impersonation (j4nr6n)
* bug #33814 [HttpFoundation] Check if data passed to SessionBagProxy::initialize is an array (mynameisbogdan)
* bug #33805 [FrameworkBundle] Fix wrong returned status code in ConfigDebugCommand (jschaedl)
* bug #33781 [AnnotationCacheWarmer] add RedirectController to annotation cache (jenschude)
* bug #33777 Fix the :only-of-type pseudo class selector (jakzal)
* bug #32051 [Serializer] Add CsvEncoder tests for PHP 7.4 (ro0NL)
* feature #33776 Copy phpunit.xsd to a predictable path (julienfalque)
* bug #33759 [Security/Http] fix parsing X509 emailAddress (nicolas-grekas)
* bug #33733 [Serializer] fix denormalization of string-arrays with only one element (mkrauser)
* bug #33754 [Cache] fix known tag versions ttl check (SwenVanZanten)
* bug #33646 [HttpFoundation] allow additional characters in not raw cookies (marie)
* bug #33748 [Console] Do not include hidden commands in suggested alternatives (m-vo)
* bug #33625 [DependencyInjection] Fix wrong exception when service is synthetic (k0d3r1s)
* bug #32522 [Validator] Accept underscores in the URL validator, as the URL will load (battye)
* bug #32437 Fix toolbar load when GET params are present in "_wdt" route (Molkobain)
* bug #32925 [Translation] Collect original locale in case of fallback translation (digilist)
* bug #31198 [FrameworkBundle] Fix framework bundle lock configuration not working as expected (HypeMC)
* bug #33719 [Cache] don't override native Memcached options (nicolas-grekas)
* bug #33675 [PhpUnit] Fix usleep mock return value (fabpot)
* bug #33618 fix tests depending on other components' tests (xabbuh)
* bug #33626 [PropertyInfo] ensure compatibility with type resolver 0.5 (xabbuh)
* bug #33620 [Twig] Fix Twig config extra keys (fabpot)
* bug #33571 [Inflector] add support 'see' to 'ee' for singularize 'fees' to 'fee' (maxhelias)
* bug #32763 [Console] Get dimensions from stty on windows if possible (rtek)
* bug #33518 [Yaml] don't dump a scalar tag value on its own line (xabbuh)
* bug #32818 [HttpKernel] Fix getFileLinkFormat() to avoid returning the wrong URL in Profiler (Arman-Hosseini)
* bug #33487 [HttpKernel] Fix Apache mod_expires Session Cache-Control issue (pbowyer)
* bug #33439 [Validator] Sync string to date behavior and throw a better exception (fancyweb)
* bug #32903 [PHPUnit Bridge] Avoid registering listener twice (alexpott)
* bug #33402 [Finder] Prevent unintentional file locks in Windows (jspringe)
* bug #33396 Fix #33395 PHP 5.3 compatibility (kylekatarnls)
* bug #33385 [Console] allow Command::getName() to return null (nicolas-grekas)
* bug #33353 Return null as Expire header if it was set to null (danrot)
* bug #33382 [ProxyManager] remove ProxiedMethodReturnExpression polyfill (nicolas-grekas)
* bug #33377 [Yaml] fix dumping not inlined scalar tag values (xabbuh)

----

**Version 3.4.31** (2019-08-26)

* bug #33335 [DependencyInjection] Fixed the `getServiceIds` implementation to always return aliases (pdommelen)
* bug #33244 [Router] Fix TraceableUrlMatcher behaviour with trailing slash (Xavier Leune)
* bug #33172 [Console] fixed a PHP notice when there is no function in the stack trace of an Exception (fabpot)
* bug #33157 Fix getMaxFilesize() returning zero (ausi)
* bug #33139 [Intl] Cleanup unused language aliases entry (ro0NL)
* bug #33066 [Serializer] Fix negative DateInterval (jderusse)
* bug #33033 [Lock] consistently throw NotSupportException (xabbuh)
* bug #32516 [FrameworkBundle][Config] Ignore exceptions thrown during reflection classes autoload (fancyweb)
* bug #32981 Fix tests/code for php 7.4 (jderusse)
* bug #32992 [ProxyManagerBridge] Polyfill for unmaintained version (jderusse)
* bug #32933 [PhpUnitBridge] fixed PHPUnit 8.3 compatibility: method handleError was renamed to __invoke (karser)
* bug #32947 [Intl] Support DateTimeInterface in IntlDateFormatter::format (pierredup)
* bug #32838 [FrameworkBundle] Detect indirect env vars in routing (ro0NL)
* bug #32918 [Intl] Order alpha2 to alpha3 mapping (ro0NL)
* bug #32902 [PhpUnitBridge] Allow sutFqcnResolver to return array (VincentLanglet)
* bug #32682 [HttpFoundation] Revert getClientIp @return docblock (ossinkine)
* bug #32910 [Yaml] PHP-8: Uncaught TypeError: abs() expects parameter 1 to be int or float, string given (Aleksandr Dankovtsev)
* bug #32870 #32853 Check if $this->parameters is array. (ABGEO07)
* bug #32868 [PhpUnitBridge] Allow symfony/phpunit-bridge > 4.2 to be installed with phpunit 4.8 (jderusse)
* bug #32767 [Yaml] fix comment in multi line value (soufianZantar)
* bug #32790 [HttpFoundation] Fix `getMaxFilesize` (bennyborn)
* bug #32796 [Cache] fix warning on PHP 7.4 (jpauli)
* bug #32806 [Console] fix warning on PHP 7.4 (rez1dent3)
* bug #32809 Don't add object-value of static properties in the signature of container metadata-cache (arjenm)
* bug #30096 [DI] Fix dumping Doctrine-like service graphs (bis) (weaverryan, nicolas-grekas)
* bug #32799 [HttpKernel] do not stopwatch sections when profiler is disabled (Tobion)

----

**Packaging changes**

* One distinct autoloader for each component.

* Wed Nov 13 2019 Remi Collet - 3.4.35-2
- update to 3.4.35
- use range dependencies

* Tue Nov 12 2019 Remi Collet - 3.4.34-1
- update to 3.4.34

* Tue Nov 5 2019 Remi Collet - 3.4.33-1
- update to 3.4.33
- raise dependency on twig 1.41
- raise dependency on egulias/email-validator 2.1.10
- raise dependency on doctrine/annotations 1.7
- switch to phpunit7

* Sat Sep 14 2019 Shawn Iwinski - 3.4.30-2
- Update autoloader generator to include self PSR-0, PSR-4, files, and classmap

Run `su -c 'dnf upgrade --advisory FEDORA-2019-8b0ba02338'` at the command line. For more information, refer to the dnf documentation available at https://dnf.readthedocs.io/en/latest/command_ref.html

All packages are signed with the Fedora Project GPG key. More details on the GPG keys used by the Fedora Project can be found at https://fedoraproject.org/security/


Severity: critical

Product: Fedora 31
Version: 3.4.35
Release: 2.fc31
Summary: Symfony PHP framework (version 3)
