Follow-up to #2578805: Upgrade to Symfony 2.7.5

Symfony 2.7.6 is now released.

Have a skim of the issue summary on #2454393: Upgrade to Symfony 2.6.5 for a better overview of why upgrading point releases is a good idea :).

There are a few security-related fixes.

Changelog.

https://www.drupal.org/core/d8-allowed-changes


Comments

andypost created an issue. See original summary.

andypost’s picture

Status: Active » Needs review
FileSize: 516.74 KB
hussainweb’s picture

Issue summary: View changes
FileSize: 515.76 KB

I ran this update and there is a difference in the autoload_classmap.php file. I think it got missed because of a different location. Here is the missing change.

diff --git a/vendor/composer/autoload_classmap.php b/vendor/composer/autoload_classmap.php
index fac9eab..6d782e0 100644
--- a/vendor/composer/autoload_classmap.php
+++ b/vendor/composer/autoload_classmap.php
@@ -437,6 +437,7 @@
     'SebastianBergmann\\Environment\\Runtime' => $vendorDir . '/sebastian/environment/src/Runtime.php',
     'SebastianBergmann\\Exporter\\Exporter' => $vendorDir . '/sebastian/exporter/src/Exporter.php',
     'SebastianBergmann\\GlobalState\\Blacklist' => $vendorDir . '/sebastian/global-state/src/Blacklist.php',
+    'SebastianBergmann\\GlobalState\\CodeExporter' => $vendorDir . '/sebastian/global-state/src/CodeExporter.php',
     'SebastianBergmann\\GlobalState\\Exception' => $vendorDir . '/sebastian/global-state/src/Exception.php',
     'SebastianBergmann\\GlobalState\\Restorer' => $vendorDir . '/sebastian/global-state/src/Restorer.php',
     'SebastianBergmann\\GlobalState\\RuntimeException' => $vendorDir . '/sebastian/global-state/src/RuntimeException.php',
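
Review bot: The added 'SebastianBergmann\\GlobalState\\CodeExporter' entry (new line 440) maps to sebastian/global-state, which is not a Symfony package, so this classmap change is not explained by the Symfony 2.7.6 bump itself and should be accounted for in the issue. Please confirm that vendor/sebastian/global-state/src/CodeExporter.php is actually present in the committed vendor tree, and that this file was regenerated by Composer (for example with composer dump-autoload) rather than edited by hand, since a classmap entry that points at a missing file only fails when the class is first autoloaded. A short note on which earlier dependency update introduced CodeExporter would make the vendor diff easier to audit.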

Also, I see there are security-related fixes in the changelog. I am guessing this issue counts as critical, but I will leave that for review.

dawehner’s picture

#2608426: Upgrade to Symfony 2.7.6 is the exact same issue with some discussion about security.

hussainweb’s picture

Quoting from #2608426-3: Upgrade to Symfony 2.7.6:

bug #16108 [Security] #15764. Use SessionAuthenticationStrategy on RememberMe login
bug #16146 [Security] sync translations and add a test for it
bug #14842 [Security][bugfix] "Remember me" cookie cleared on logout with custom "secure"/"httponly" config options
bug #13627 [Security] InMemoryUserProvider now concerns whether user's password is changed when refreshing
bug #15895 [Security] Allow user providers to be defined in many files

And from comment 4 on the same issue:

All of those are part of the security component, which we don't use. They aren't security fixes themselves.

Since there is already a patch here, should we mark that as duplicate, or post the patch to that issue?

dawehner’s picture

Since there is already a patch here, should we mark that as duplicate, or post the patch to that issue?

Yeah let's mark the other issue as duplicate. Just wanted to point out the security aspect ...

andypost’s picture

Closed as duplicate #2608426: Upgrade to Symfony 2.7.6

@hussainweb thanx, yep missed the change

tim.plunkett’s picture

Status: Needs review » Reviewed & tested by the community
Issue tags: -rc eligible +rc target triage

Looks good to me. Needs to be triaged though.

tim.plunkett’s picture

Issue tags: -rc target triage +rc eligible

I was going off the wrong tag description docs. Sorry.

catch’s picture

Status: Reviewed & tested by the community » Fixed

Committed/pushed to 8.0.x, thanks!

  • catch committed c313594 on 8.0.x
    Issue #2609268 by andypost, hussainweb: Upgrade to Symfony 2.7.6
    

  • catch committed c313594 on 8.1.x
    Issue #2609268 by andypost, hussainweb: Upgrade to Symfony 2.7.6
    

Status: Fixed » Closed (fixed)

Automatically closed - issue fixed for 2 weeks with no activity.