Follow-up to #2454393: Upgrade to Symfony 2.6.5 & #2414235: Upgrade to Symfony 2.6.4 & #2377281: Upgrade to Symfony 2.6 stable.
Symfony 2.6.8 was released on 27th of May 2015.
Have a skim of the issue summary on #2454393: Upgrade to Symfony 2.6.5 for a better overview of why upgrading point releases is a good idea :).
This fixes:
security #14759 CVE-2015-4050 [HttpKernel] Do not call the FragmentListener if _controller is already defined (jakzal)
Changelog changelog.
| Issue category | Task because it is an external library upgrade. |
|---|---|
| Issue priority | Major because this is a minor external library upgrade. |
| Disruption | Not disruptive. |
| Comment | File | Size | Author |
|---|---|---|---|
| #1 | 2495463-2.6.7.patch | 312.13 KB | joshtaylor |
Comments
Comment #1
joshtaylor commentedComment #2
joshtaylor commentedComment #4
joshtaylor commentedMore info http://symfony.com/blog/cve-2015-4050-esi-unauthorized-access
Comment #5
berdirWe already have a critical to update to 2.7.0 as soon as it's out, which will also include this: #2470693: Upgrade to Symfony 2.7.0
We're not using ESI so I don't think this affects us, so it doesn't seem urgent.
Closing as duplicate, feel free to re-open if you disagree.
Comment #6
joshtaylor commentedWasn't sure if Drupal used ESI or not (which is why I submitted the patch), but if it doesn't then it can wait until 2.7.0 (yay), yes.