Package: symfony / 2.8.7+dfsg-1.3+deb9u3
Metadata
Package | Version | Patches format |
---|---|---|
symfony | 2.8.7+dfsg-1.3+deb9u3 | 3.0 (quilt) |
Patch series
Patch | File delta | Description |
---|---|---|
group online for test failing without network.patch | src/Symfony/Component/Filesystem/Tests/FilesystemTest.php 3 3 + 0 - 0 ! | '@group online' for test failing without network |
Add more tests to group tty.patch | src/Symfony/Component/Process/Tests/ProcessTest.php 7 7 + 0 - 0 ! | add more tests to '@group tty' Not all tests using a tty are in @group tty. This should be reported (and fixed) upstream but needs further investigation: - There might be more tests needing a tty. - It could be that some tests in group tty may not need a tty. |
Increasing timeout in test AbstractProcessTest testS.patch | src/Symfony/Component/Process/Tests/ProcessTest.php 4 2 + 2 - 0 ! | increasing timeout in test AbstractProcessTest::testStartAfterATimeout() This hopefully will allow ci.debian.net to run DEP-8 as installed tests and might prevent FTBFS #775625 from hitting us again. |
FrameworkBundle SecurityBundle Don t try to include .patch | src/Symfony/Bundle/FrameworkBundle/Tests/Functional/app/AppKernel.php 10 0 + 10 - 0 ! | frameworkbundle+securitybundle: don't try to include legacy autoload files The AppKernel.php used for some functional tests still tries to load ./autoload.php(.dist), which is no longer shipped with Symfony in favour of using vendor/autoload.php. This is harmless for the normal testsuite, but becomes problematic for the Debian packaging of Symfony: In Debian the autoloading for Symfony currently does not make use of composer's autoloading mechanism. Instead an own autoloading is implemented, that uses phpab to generate autoload.php files for each single component, bridge and bundle. Since AppKernel.php, which is provided for functional tests in FrameworkBundle and SecurityBundle would load those generated autoload.php files instead of /vendor/autoload.php, the testsuite fails for the Debian packaging. Additionally for DEP-8 (as-installed) tests not including vendor/autoload.php means, that instead of installed classes, classes from the source code are loaded, which is wrong. Example for tests in the Symfony SecurityBundle: Instead of loading [SYMFONY]/vendor.autoload.php, the file [SYMFONY]/src/Symfony/Bundle/SecurityBundle/Tests/Functional/app/AppKernel.php would load [SYMFONY]/src/Symfony/Bundle/SecurityBundle/autoload.php without this patch, making the tests fail. |
HttpFoundation Fix incompatibility with php memcache.patch | src/Symfony/Component/HttpFoundation/Session/Storage/Handler/MemcacheSessionHandler.php 5 4 + 1 - 0 ! | httpfoundation fix incompatibility with php-memcache from debian The version of php-memcache (3.0.9~20151130.fdbd46b-1) in Debian makes the test MemcacheSessionHandlerTest::testReadSession fail, complaining about missing arguments. This commit solves this issue. |
fix php 7.1 related failures | .travis.yml 10 5 + 5 - 0 ! | fix php 7.1 related failures |
do not depend on a fixed date in layout | src/Symfony/Component/Form/Tests/AbstractBootstrap3LayoutTest.php 16 8 + 8 - 0 ! | do not depend on a fixed date in layout tests By default, the `DateType` as well as the `DateTimeType` set the choices being available for the year to a range starting five years in the past. After some time, this will make tests fail when the year of the fixed date being used as the initial data is before the first year being part of the choices. |
update ipvalidatortest data set with a v | src/Symfony/Component/Validator/Tests/Constraints/IpValidatorTest.php 2 1 + 1 - 0 ! | update ipvalidatortest data set with a valid reserved ip The validator uses PHP filter which was recently fixed (see https://bugs.php.net/bug.php?id=72972). |
relax 1 test failing with latest php ver | src/Symfony/Component/VarDumper/Tests/Caster/SplCasterTest.php 4 2 + 2 - 0 ! | relax 1 test failing with latest php versions Related to php bug #52646 which is fixed in 5.6.25RC1, 7.0.10RC1, 7.1.0beta2 |
vardumper relax tests to adapt for php 7 | src/Symfony/Component/VarDumper/Tests/CliDumperTest.php 4 1 + 3 - 0 ! | [vardumper] relax tests to adapt for php 7.1rc4 |
vardumper relax line number for clidumpe | src/Symfony/Component/VarDumper/Tests/CliDumperTest.php 3 1 + 2 - 0 ! | [vardumper] relax line number for clidumpertest |
Security Validate redirect targets using the session cook.patch | src/Symfony/Bundle/SecurityBundle/DependencyInjection/Compiler/AddSessionDomainConstraintPass.php 40 40 + 0 - 0 ! | [security] validate redirect targets using the session cookie domain [CVE-2017-16652] https://symfony.com/blog/cve-2017-16652-open-redirect-vulnerability-on-security-handlers |
Security Namespace generated CSRF tokens depending of the.patch | src/Symfony/Bundle/FrameworkBundle/Resources/config/security_csrf.xml 1 1 + 0 - 0 ! | [security] namespace generated csrf tokens depending of the current scheme |
prevent bundle readers from breaking out of paths.patch | src/Symfony/Component/Intl/Data/Bundle/Reader/JsonBundleReader.php 5 5 + 0 - 0 ! | prevent bundle readers from breaking out of paths [CVE-2017-16654] https://symfony.com/blog/cve-2017-16654-intl-bundle-readers-breaking-out-of-paths |
Form DX FileType multiple fixes.patch | src/Symfony/Component/Form/Extension/Core/Type/FileType.php 41 36 + 5 - 0 ! | [form][dx] filetype "multiple" fixes |
ensure that submitted data are uploaded files.patch | UPGRADE-2.7.md 2 2 + 0 - 0 ! | ensure that submitted data are uploaded files [CVE-2017-16790] https://symfony.com/blog/cve-2017-16790-ensure-that-submitted-data-are-uploaded-files |
Adding session strategy to ALL listeners to avoid any pos.patch | src/Symfony/Component/Security/Http/Firewall/AbstractPreAuthenticatedListener.php 15 15 + 0 - 0 ! | adding session strategy to all listeners to avoid *any* possible fixation [CVE-2018-11385] https://symfony.com/blog/cve-2018-11385-session-fixation-issue-for-guard-authentication |
Adding session authentication strategy to Guard to avoid .patch | src/Symfony/Component/Security/Guard/GuardAuthenticatorHandler.php 13 13 + 0 - 0 ! | adding session authentication strategy to guard to avoid session fixation [CVE-2018-11385] https://symfony.com/blog/cve-2018-11385-session-fixation-issue-for-guard-authentication |
HttpFoundation Break infinite loop in PdoSessionHandler w.patch | src/Symfony/Component/HttpFoundation/Session/Storage/Handler/PdoSessionHandler.php 6 6 + 0 - 0 ! | [httpfoundation] break infinite loop in pdosessionhandler when mysql is in loose mode [CVE-2018-11386] https://symfony.com/blog/cve-2018-11386-denial-of-service-when-using-pdosessionhandler |
Security Fix logout.patch | src/Symfony/Bundle/SecurityBundle/DependencyInjection/SecurityExtension.php 25 13 + 12 - 0 ! | [security] fix logout |
do not mock the session in token storage tests.patch | src/Symfony/Component/Security/Csrf/Tests/TokenStorage/SessionTokenStorageTest.php 177 25 + 152 - 0 ! | do not mock the session in token storage tests |
clear CSRF tokens when the user is logged out.patch | src/Symfony/Bundle/SecurityBundle/DependencyInjection/Compiler/RegisterCsrfTokenClearingLogoutHandlerPass.php 42 42 + 0 - 0 ! | clear csrf tokens when the user is logged out [CVE-2018-11406] https://symfony.com/blog/cve-2018-11406-csrf-token-fixation |
Ldap cast to string when checking empty passwords.patch | src/Symfony/Component/Security/Core/Authentication/Provider/LdapBindAuthenticationProvider.php 2 1 + 1 - 0 ! | [ldap] cast to string when checking empty passwords [CVE-2016-2403] https://symfony.com/blog/cve-2016-2403-unauthorized-access-on-a-misconfigured-ldap-server-when-using-an-empty-password |
SecurityBundle Fail if security.http_utils cannot be conf.patch | src/Symfony/Bundle/SecurityBundle/DependencyInjection/Compiler/AddSessionDomainConstraintPass.php 3 2 + 1 - 0 ! | [securitybundle] fail if security.http_utils cannot be configured [CVE-2018-11408] https://symfony.com/blog/cve-2018-11408-open-redirect-vulnerability-on-security-handlers |
HttpFoundation Remove support for legacy and risky HTTP h.patch | src/Symfony/Component/HttpFoundation/CHANGELOG.md 6 6 + 0 - 0 ! | [httpfoundation] remove support for legacy and risky http headers [CVE-2018-14773] https://symfony.com/blog/cve-2018-14773-remove-support-for-legacy-and-risky-http-headers |
Form Filter file uploads out of regular form types.patch | src/Symfony/Component/Form/Extension/Core/Type/FileType.php 1 1 + 0 - 0 ! | [form] filter file uploads out of regular form types [CVE-2018-19789] https://symfony.com/blog/cve-2018-19789-disclosure-of-uploaded-files-full-path |
Security Http detect bad redirect targets using backslash.patch | src/Symfony/Component/Security/Http/HttpUtils.php 2 1 + 1 - 0 ! | [security\http] detect bad redirect targets using backslashes [CVE-2018-19790] https://symfony.com/blog/cve-2018-19790-open-redirect-vulnerability-when-using-security-http |
security cve 2019 10909 FrameworkBundle Form Fix XSS issu.patch | src/Symfony/Bundle/FrameworkBundle/Resources/views/Form/choice_widget_collapsed.html.php 2 1 + 1 - 0 ! | security #cve-2019-10909 [frameworkbundle][form] fix xss issues in the form theme of the PHP templating engine (stof) This PR was merged into the 2.8 branch. Discussion |
security cve 2019 10910 DI Check service IDs are valid ni.patch | src/Symfony/Bridge/ProxyManager/LazyProxy/PhpDumper/ProxyDumper.php 8 5 + 3 - 0 ! | security #cve-2019-10910 [di] check service ids are valid (nicolas-grekas) This PR was merged into the 2.8 branch. Discussion |
security cve 2019 10911 Security Add a separator in the r.patch | src/Symfony/Component/Security/Http/RememberMe/TokenBasedRememberMeServices.php 2 1 + 1 - 0 ! | security #cve-2019-10911 [security] add a separator in the remember me cookie hash (pborreli) This PR was merged into the 2.8 branch. Discussion |
security cve 2019 10912 PHPUnit Bridge Prevent destructor.patch | src/Symfony/Bridge/PhpUnit/SymfonyTestsListener.php 10 10 + 0 - 0 ! | security #cve-2019-10912 [phpunit bridge] prevent destructors with side-effects from being unserialized (nicolas-grekas) This PR was merged into the 2.8 branch. Discussion |
HttpFoundation fixed using _method parameter with invalid.patch | src/Symfony/Component/HttpFoundation/Request.php 5 4 + 1 - 0 ! | [httpfoundation] fixed using _method parameter with invalid type |
security cve 2019 10913 HttpFoundation reject invalid met.patch | src/Symfony/Component/HttpFoundation/Request.php 43 29 + 14 - 0 ! | security #cve-2019-10913 [httpfoundation] reject invalid method override (nicolas-grekas) This PR was merged into the 2.8 branch. Discussion |
HttpKernel Use constant time comparison in UriSigner.patch | src/Symfony/Component/HttpKernel/UriSigner.php 2 1 + 1 - 0 ! | [httpkernel] use constant time comparison in urisigner |
HttpFoundation fix guessing mime types of files with lead.patch | src/Symfony/Component/HttpFoundation/File/MimeType/FileBinaryMimeTypeGuesser.php 4 2 + 2 - 0 ! | [httpfoundation] fix guessing mime-types of files with leading dash https://github.com/symfony/symfony/commit/d41bd42ad5d51e0f4d24259ec2814ccb294c3ba2 |