Problem/Motivation

There are security releases:

- https://github.com/symfony/symfony/releases/tag/v4.4.24
- https://github.com/symfony/symfony/releases/tag/v5.2.9

+------------------------------+---------+---------+
| Production Changes           | From    | To      |
+------------------------------+---------+---------+
| symfony/console              | v4.4.23 | v4.4.24 |
| symfony/dependency-injection | v4.4.23 | v4.4.24 |
| symfony/http-kernel          | v4.4.23 | v4.4.24 |
| symfony/mime                 | v5.2.7  | v5.2.9  |
| symfony/routing              | v4.4.22 | v4.4.24 |
| symfony/serializer           | v4.4.22 | v4.4.24 |
| symfony/translation          | v4.4.23 | v4.4.24 |
| symfony/validator            | v4.4.22 | v4.4.24 |
| symfony/yaml                 | v4.4.22 | v4.4.24 |
+------------------------------+---------+---------+

+------------------------+---------+---------+
| Dev Changes            | From    | To      |
+------------------------+---------+---------+
| symfony/browser-kit    | v4.4.22 | v4.4.24 |
| symfony/css-selector   | v4.4.22 | v4.4.24 |
| symfony/dom-crawler    | v4.4.20 | v4.4.24 |
| symfony/finder         | v4.4.23 | v4.4.24 |
| symfony/phpunit-bridge | v5.2.8  | v5.2.9  |
+------------------------+---------+---------+

Core should not be affected, but security scanners will flag it.

Proposed resolution

COMPOSER_ROOT_VERSION=9.3.x-dev composer2 update symfony/*

Remaining tasks

- review/commit
- decide about backport to 9.2

User interface changes

no

API changes

no

Data model changes

no

Release notes snippet

no

+---------+-----------------+----------+----------+
| Comment | File            | Size     | Author   |
+---------+-----------------+----------+----------+
| #2      | 3215039-2.patch | 26.44 KB | andypost |
+---------+-----------------+----------+----------+

Comments

andypost created an issue. See original summary.

andypost

Status: Active » Needs review
+--------+----------+
| Status | FileSize |
+--------+----------+
| new    | 26.44 KB |
+--------+----------+
spokje

Status: Needs review » Reviewed & tested by the community

- Getting the same changes as in the patch when I do composer update symfony/*.
- Unchanged symfony dependencies are not re-released under the v4.4.24 or v5.2.9 security release.
RTBC for me.

alexpott

Security scanners on projects I'm working on aren't being triggered - and that's because 4.4.24 is not a security release for any of the symfony components we use. It includes a security release of symfony/security but we don't use that. And reading the advisory https://github.com/advisories/GHSA-5pv8-ppvj-4h68 shows that this has been released 8 days ago.
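A check of the kind alexpott's comment describes, as an added example that is not part of this issue or of Drupal core: it reads a composer.lock and reports whether the advisory's package is actually installed at an affected version, which is what separates a real exposure from a scanner match on the release tag alone. The lock excerpt and the advisory record (its id, package and version ranges) are constructed placeholders, not the contents of the linked GHSA advisory.

```python
import json

# Constructed composer.lock excerpt modelled on the "From" column of the tables
# in this issue; it is not Drupal core's real lock file.
LOCK_JSON = """{
  "packages": [
    {"name": "symfony/console",     "version": "v4.4.23"},
    {"name": "symfony/http-kernel", "version": "v4.4.23"},
    {"name": "symfony/mime",        "version": "v5.2.7"},
    {"name": "symfony/yaml",        "version": "v4.4.22"}
  ],
  "packages-dev": [
    {"name": "symfony/phpunit-bridge", "version": "v5.2.8"}
  ]
}"""

# Hypothetical advisory record: the id, package and affected ranges are
# placeholders, not the contents of the GHSA advisory linked in the issue.
SECURITY_ADVISORY = {
    "id": "GHSA-PLACEHOLDER",
    "package": "symfony/security",
    "affected": [("4.4.0", "4.4.24"), ("5.2.0", "5.2.9")],
}

def parse_version(tag):
    """Turn a plain release tag such as 'v4.4.23' into a comparable tuple (4, 4, 23)."""
    return tuple(int(part) for part in tag.lstrip("v").split("."))

def installed_packages(lock_json):
    """Map package name -> installed version across the prod and dev sections."""
    lock = json.loads(lock_json)
    return {p["name"]: p["version"]
            for section in ("packages", "packages-dev")
            for p in lock.get(section, [])}

def affected_by(lock_json, advisory):
    """Return (package, version) when the lock file pins the advisory's package
    inside an affected range; None when the package is absent or already fixed.
    A scanner that keys on the release tag alone cannot make this distinction."""
    version = installed_packages(lock_json).get(advisory["package"])
    if version is None:
        return None
    installed = parse_version(version)
    for low, high in advisory["affected"]:
        if parse_version(low) <= installed < parse_version(high):
            return advisory["package"], version
    return None
```

Running `affected_by(LOCK_JSON, SECURITY_ADVISORY)` returns None because the advisory's package is not installed at all, while the same lock file is reported as affected by an advisory against symfony/http-kernel below 4.4.24.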

alexpott

Title: Update symfony dependencies to latest security release » Update symfony dependencies to latest release
alexpott

Version: 9.3.x-dev » 9.2.x-dev

Committed 0999af5 and pushed to 9.3.x. Thanks!

I've committed this to 9.3.x and will ask a release manager about backporting this to 9.2.x.

  • alexpott committed 0999af5 on 9.3.x
    Issue #3215039 by andypost: Update symfony dependencies to latest...
alexpott

Status: Reviewed & tested by the community » Fixed

Discussed with @catch and we agreed to put this in 9.2.x to stay up-to-date.

Committed 7b927eb and pushed to 9.2.x. Thanks!

  • alexpott committed 7b927eb on 9.2.x
    Issue #3215039 by andypost: Update symfony dependencies to latest...
alexpott

Issue tags: +9.2.0 release notes

Dependency updates are tagged for the release notes.

Status: Fixed » Closed (fixed)

Automatically closed - issue fixed for 2 weeks with no activity.