I have prepared an update to symfony (version 2.3.21+dfsg-4+deb8u4) which is in need of testing. I intend to upload in one week's time if I do not receive any reports of problems. Read on for details if you are in a position to help with testing these packages.
I attempted to test the changes myself (I am familiar with PHP) but it turns out that Symfony is an entirely different sort of matter. In particular, the Debian package itself contains no documentation about how to set up even a basic Symfony app, and all of the online documentation is geared toward the upstream preferred installation method which, among other things, requires downloading an installer script and ends up creating a symfony executable binary. In any event, my attempts at testing have so far been unable to overcome these obstacles and I fear that continuing to try to figure this out for myself will only result in lots of wasted time and effort.

To that end, I am requesting that anyone out there using Symfony on jessie and familiar with it please consider installing this upload candidate and report any issues encountered. Note that upstream has a very robust unit test suite and I made sure to include any new or updated unit tests with each upstream commit that I backported.

The packages may be downloaded here: https://people.debian.org/~roberto/

symfony (2.3.21+dfsg-4+deb8u4) jessie-security; urgency=high

  * Non-maintainer upload by the LTS Team.
  * Cherry-pick upstream commit to fix unit test regression caused by
    PHP 5.6.27 (specifically, the fix for PHP bug 72972)
  * Fix additional unit test failures resulting from dates too far in the past
  * Cherry-pick upstream commits to fix security issues
    + Fix CVE-2017-16652: [Security] Validate redirect targets using the
      session cookie domain
    + Fix CVE-2017-16654: prevent bundle readers from breaking out of paths
    + Fix CVE-2018-11385: Adding session strategy to ALL listeners to avoid
      *any* possible fixation
    + Fix CVE-2018-11408: [SecurityBundle] Fail if security.http_utils cannot
      be configured
    + Fix CVE-2018-14773: [HttpFoundation] Remove support for legacy and risky
      HTTP headers
    + Fix CVE-2018-19789: [Form] Filter file uploads out of regular form types
    + Fix CVE-2018-19790: [Security\Http] detect bad redirect targets using
      backslashes

 -- Roberto C. Sanchez <[email protected]>  Fri, 01 Mar 2019 09:20:42 -0500

Regards,

-Roberto

-- 
Roberto C. Sánchez
