fix(deps): update dependency symfony/http-kernel to v5.4.20 [security]

[renovate]

This PR contains the following updates:

Package	Change	Age	Adoption	Passing	Confidence
symfony/http-kernel (source)	5.4.10 -> 5.4.20

GitHub Vulnerability Alerts

CVE-2022-24894

Description

The Symfony HTTP cache system acts as a reverse proxy: it caches HTTP responses (including headers) and returns them to clients.

In a recent AbstractSessionListener change, the response might now contain a Set-Cookie header. If the Symfony HTTP cache system is enabled, this header might be stored and returned to some other clients. An attacker can use this vulnerability to retrieve the victim's session.

Resolution

The HttpStore constructor now takes a parameter containing a list of private headers that are removed from the HTTP response headers.
The default value for this parameter is Set-Cookie, but it can be overridden or extended by the application.

The patch for this issue is available here for branch 4.4.

Credits

We would like to thank Soner Sayakci for reporting the issue and Nicolas Grekas for fixing it.

---

Release Notes

symfony/http-kernel (symfony/http-kernel)

v5.4.20

Compare Source

Changelog (symfony/http-kernel@v5.4.19...v5.4.20)

• no significant changes

v5.4.19

Compare Source

Changelog (symfony/http-kernel@v5.4.18...v5.4.19)

• no significant changes

v5.4.18

Compare Source

Changelog (symfony/http-kernel@v5.4.17...v5.4.18)

• no significant changes

v5.4.17

Compare Source

Changelog (symfony/http-kernel@v5.4.16...v5.4.17)

• bug #​48651 AbstractSessionListener should not override the cache lifetime for private responses (rodmen)
• bug #​48615 Fix getting the name of closures on PHP 8.1.11+ (nicolas-grekas)

v5.4.16

Compare Source

Changelog (symfony/http-kernel@v5.4.15...v5.4.16)

• bug #​48273 Fix message for unresovable arguments of invokable controllers (fancyweb)
• bug #​48172 Don’t try to wire Response argument with controller.service_arguments (MatTheCat)

v5.4.15

Compare Source

Changelog (symfony/http-kernel@v5.4.14...v5.4.15)

• bug #​47857 Fix empty request stack when terminating with exception (krzyc)
• bug #​47878 Remove EOL when using error_log() in HttpKernel Logger (cyve)

v5.4.14

Compare Source

Changelog (symfony/http-kernel@v5.4.13...v5.4.14)

• bug #​46956 Allow to specify null for exception mapping configuration values (andrew-demb)

v5.4.13

Compare Source

Changelog (symfony/http-kernel@v5.4.12...v5.4.13)

• bug #​47491 Prevent exception in RequestDataCollector if request stack is empty (aschempp)
• bug #​47435 lock when writting profiles (nicolas-grekas)

v5.4.12

Compare Source

Changelog (symfony/http-kernel@v5.4.11...v5.4.12)

• bug #​47358 Fix broken request stack state if throwable is thrown. (Warxcell)
• bug #​47273 Do not send Set-Cookie header twice for deleted session cookie (X-Coder264)
• bug #​47238 Fix passing null to \trim() method in LoggerDataCollector (SVillette)

v5.4.11

Compare Source

Changelog (symfony/http-kernel@v5.4.10...v5.4.11)

• bug #​47073 Fix non-scalar check in surrogate fragment renderer (aschempp)
• bug #​47086 Workaround disabled "var_dump" (nicolas-grekas)
• bug #​43998 Don't throw on 304 Not Modified (aleho)

---

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR has been generated by Mend Renovate. View repository job log here.