fix(deps): update dependency symfony/http-kernel to v6.1.12 [security] - autoclosed #22

renovate · 2023-03-30T18:52:15Z

This PR contains the following updates:

Package	Type	Update	Change
symfony/http-kernel (source)	require	patch	`6.1.0` -> `6.1.12`

GitHub Vulnerability Alerts

CVE-2022-24894

Description

The Symfony HTTP cache system acts as a reverse proxy: it caches HTTP responses (including headers) and returns them to clients.

In a recent AbstractSessionListener change, the response might now contain a Set-Cookie header. If the Symfony HTTP cache system is enabled, this header might be stored and returned to some other clients. An attacker can use this vulnerability to retrieve the victim's session.

Resolution

The HttpStore constructor now takes a parameter containing a list of private headers that are removed from the HTTP response headers.
The default value for this parameter is Set-Cookie, but it can be overridden or extended by the application.

The patch for this issue is available here for branch 4.4.

Credits

We would like to thank Soner Sayakci for reporting the issue and Nicolas Grekas for fixing it.

Release Notes

symfony/http-kernel (symfony/http-kernel)

`v6.1.12`

Compare Source

Changelog (symfony/http-kernel@v6.1.11...v6.1.12)

no significant changes

`v6.1.11`

Compare Source

`v6.1.10`

Compare Source

Changelog (symfony/http-kernel@v6.1.9...v6.1.10)

no significant changes

`v6.1.9`

Compare Source

Changelog (symfony/http-kernel@v6.1.8...v6.1.9)

bug #48651 AbstractSessionListener should not override the cache lifetime for private responses (rodmen)
bug #48624 Fix reading the SYMFONY_IDE env var (nicolas-grekas)
bug #48615 Fix getting the name of closures on PHP 8.1.11+ (nicolas-grekas)
bug #48346 In DateTimeValueResolver, convert previously defined date attribute to the expected class (GromNaN)

`v6.1.8`

Compare Source

Changelog (symfony/http-kernel@v6.1.7...v6.1.8)

bug #48273 Fix message for unresovable arguments of invokable controllers (fancyweb)
bug #48172 Don’t try to wire Response argument with controller.service_arguments (MatTheCat)
bug #48110 Fix deprecation for DateTimeValueResolver with null on non-nullable argument (GromNaN)

`v6.1.7`

Compare Source

Changelog (symfony/http-kernel@v6.1.6...v6.1.7)

bug #47857 Fix empty request stack when terminating with exception (krzyc)
bug #47878 Remove EOL when using error_log() in HttpKernel Logger (cyve)

`v6.1.6`

Compare Source

Changelog (symfony/http-kernel@v6.1.5...v6.1.6)

bug #46956 Allow to specify null for exception mapping configuration values (andrew-demb)

`v6.1.5`

Compare Source

Changelog (symfony/http-kernel@v6.1.4...v6.1.5)

bug #47675 Use Accept-Language header even if there are no enabled locales (MatTheCat)
bug #47491 Prevent exception in RequestDataCollector if request stack is empty (aschempp)
bug #47435 lock when writting profiles (nicolas-grekas)

`v6.1.4`

Compare Source

Changelog (symfony/http-kernel@v6.1.3...v6.1.4)

bug #47358 Fix broken request stack state if throwable is thrown. (Warxcell)
bug #47273 Do not send Set-Cookie header twice for deleted session cookie (X-Coder264)
bug #47238 Fix passing null to \trim() method in LoggerDataCollector (SVillette)

`v6.1.3`

Compare Source

Changelog (symfony/http-kernel@v6.1.2...v6.1.3)

bug #47073 Fix non-scalar check in surrogate fragment renderer (aschempp)
bug #47086 Workaround disabled "var_dump" (nicolas-grekas)
bug #43998 Don't throw on 304 Not Modified (aleho)

`v6.1.2`

Compare Source

Changelog (symfony/http-kernel@v6.1.1...v6.1.2)

bug #46769 Fix a PHP 8.1 deprecation notice in HttpCache (mpdude)
bug #46676 Extend type guessing on enum fields (Gigino Chianese)
bug #46697 Disable session tracking while collecting profiler data (nicolas-grekas)

`v6.1.1`

Compare Source

Changelog (symfony/http-kernel@v6.1.0...v6.1.1)

bug #46586 Fix BackedEnumValueResolver already resolved enum value (janatjak)

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

If you want to rebase/retry this PR, check this box

This PR has been generated by Mend Renovate. View repository job log here.

renovate bot force-pushed the renovate/packagist-symfony/http-kernel-vulnerability branch from 01c2caf to 1859ad0 Compare April 18, 2023 08:01

renovate bot force-pushed the renovate/packagist-symfony/http-kernel-vulnerability branch from 1859ad0 to 6f7f2d8 Compare May 3, 2023 06:22

renovate bot force-pushed the renovate/packagist-symfony/http-kernel-vulnerability branch from 6f7f2d8 to 593ec64 Compare May 28, 2023 07:15

fix(deps): update dependency symfony/http-kernel to v6.1.12 [security]

f3feca9

renovate bot force-pushed the renovate/packagist-symfony/http-kernel-vulnerability branch from 593ec64 to f3feca9 Compare July 9, 2023 09:20

renovate bot changed the title ~~fix(deps): update dependency symfony/http-kernel to v6.1.12 [security]~~ fix(deps): update dependency symfony/http-kernel to v6.1.12 [security] - autoclosed Aug 7, 2023

renovate bot closed this Aug 7, 2023

renovate bot deleted the renovate/packagist-symfony/http-kernel-vulnerability branch August 7, 2023 08:34

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

fix(deps): update dependency symfony/http-kernel to v6.1.12 [security] - autoclosed #22

fix(deps): update dependency symfony/http-kernel to v6.1.12 [security] - autoclosed #22

renovate bot commented Mar 30, 2023 •

edited

Loading

fix(deps): update dependency symfony/http-kernel to v6.1.12 [security] - autoclosed #22

fix(deps): update dependency symfony/http-kernel to v6.1.12 [security] - autoclosed #22

Conversation

renovate bot commented Mar 30, 2023 • edited Loading

GitHub Vulnerability Alerts

Description

Resolution

Credits

Release Notes

Configuration

renovate bot commented Mar 30, 2023 •

edited

Loading