
Fedora 32: FEDORA-2020-fade6a8df7 Critical: Access Control Issue

April 9, 2020
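This Fedora 32 update brings the Symfony 4 PHP framework package to version 4.4.7, which fixes two security issues: the access_control behavior with the unanimous decision strategy (CVE-2020-5275) and the default Content-Type being set from the Accept header (CVE-2020-5255).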

Summary

Symfony PHP framework (version 4).

NOTE: Does not require PHPUnit bridge.

**Version 4.4.7** (2020-03-30)

* security #cve-2020-5255 [HttpFoundation] Do not set the default Content-Type based on the Accept header (yceruto)
* security #cve-2020-5275 [Security] Fix access_control behavior with unanimous decision strategy (chalasr)
* bug #36262 [DI] fix generating TypedReference from PriorityTaggedServiceTrait (nicolas-grekas)
* bug #36252 [Security/Http] Allow setting cookie security settings for delete_cookies (wouterj)
* bug #36261 [FrameworkBundle] revert to legacy wiring of the session when circular refs are detected (nicolas-grekas)
* bug #36259 [DomCrawler] Fix BC break in assertions breaking Panther (dunglas)
* bug #36181 [BrowserKit] fixed missing post request parameters in file uploads (codebay)
* bug #36216 [Validator] Assert Valid with many groups (phucwan91)
* bug #36222 [Console] Fix OutputStream for PHP 7.4 (guillbdx)

----

**Version 4.4.6** (2020-03-27)

* bug #36169 [HttpKernel] fix locking for PHP 7.4+ (nicolas-grekas)
* bug #36175 [Security/Http] Remember me: allow to set the samesite cookie flag (dunglas)
* bug #36173 [Http Foundation] Fix clear cookie samesite (guillbdx)
* bug #36176 [Security] Check if firewall is stateless before checking for session/previous session (koenreiniers)
* bug #36149 [Form] Support customized intl php.ini settings (jorrit)
* bug #36172 [Debug] fix for PHP 7.3.16+/7.4.4+ (nicolas-grekas)
* bug #36151 [Security] Fixed hardcoded value of SODIUM_CRYPTO_PWHASH_MEMLIMIT_INTERACTIVE (lyrixx)
* bug #36141 Prevent warning in proc_open() (BenMorel)
* bug #36143 [FrameworkBundle] Fix Router Cache (guillbdx)
* bug #36103 [DI] fix preloading script generation (nicolas-grekas)
* bug #36118 [Security/Http] don't require the session to be started when tracking its id (nicolas-grekas)
* bug #36108 [DI] Fix CheckTypeDeclarationPass (guillbdx)
* bug #36121 [VarDumper] fix side-effect by not using mt_rand() (nicolas-grekas)
* bug #36073 [PropertyAccess][DX] Improved errors when reading uninitialized properties (HeahDude)
* bug #36063 [FrameworkBundle] start session on flashbag injection (William Arslett)
* bug #36031 [Console] Fallback to default answers when unable to read input (ostrolucky)
* bug #36083 [DI][Form] Fixed test suite (TimeType changes & unresolved merge conflict) (wouterj)
* bug #36026 [Mime] Fix boundary header (guillbdx)
* bug #36020 [Form] ignore microseconds submitted by Edge (xabbuh)
* bug #36038 [HttpClient] disable debug log with curl 7.64.0 (nicolas-grekas)
* bug #36041 fix import from config file using type: glob (Tobion)
* bug #35987 [DoctrineBridge][DoctrineExtractor] Fix wrong guessed type for "json" type (fancyweb)
* bug #35949 [DI] Fix container lint command when a synthetic service is used in an expression (HypeMC)
* bug #36023 [HttpClient] fix requests to hosts that idn_to_ascii() cannot handle (nicolas-grekas)
* bug #35938 [Form] Handle false as empty value on expanded choices (fancyweb)
* bug #36030 [SecurityBundle] Minor fix in LDAP config tree builder (HeahDude)
* bug #35993 Remove int return type from FlattenException::getCode (wucdbm)
* bug #36004 [Yaml] fix dumping strings containing CRs (xabbuh)
* bug #35982 [DI] Fix XmlFileLoader bad error message (przemyslaw-bogusz)
* bug #35957 [DI] ignore extra tags added by autoconfiguration in PriorityTaggedServiceTrait (nicolas-grekas)
* bug #35937 Revert "bug symfony#28179 [DomCrawler] Skip disabled fields processing in Form" (dmaicher)
* bug #35928 [Routing] Prevent localized routes _locale default & requirement from being overridden (fancyweb)
* bug #35912 [FrameworkBundle] register only existing transport factories (xabbuh)
* bug #35899 [DomCrawler] prevent deprecation being triggered from assertion (xabbuh)
* bug #35910 [SecurityBundle] Minor fixes in configuration tree builder (HeahDude)

* Tue Mar 31 2020 Remi Collet - 4.4.7-1
- update to 4.4.7

* Fri Mar 27 2020 Remi Collet - 4.4.6-1
- update to 4.4.6

To install this update, run su -c 'dnf upgrade --advisory FEDORA-2020-fade6a8df7' at the command line. For more information, refer to the dnf documentation available at https://dnf.readthedocs.io/en/latest/command_ref.html

All packages are signed with the Fedora Project GPG key. More details on the GPG keys used by the Fedora Project can be found at https://fedoraproject.org/security/


Severity: Critical

Product: Fedora 32
Version: 4.4.7
Release: 1.fc32
Summary: Symfony PHP framework (version 4)
