[Security] Bump symfony/symfony from 3.4.27 to 3.4.49

[dependabot-preview[bot]]

Bumps symfony/symfony from 3.4.27 to 3.4.49. This update includes security fixes.

Vulnerabilities fixed

Sourced from The PHP Security Advisories Database.

CVE-2019-18889: Forbid serializing AbstractAdapter and TagAwareAdapter instances

Affected versions: >=3.1.0, =4.3.0, <4.3.8

Sourced from The PHP Security Advisories Database.

CVE-2019-18887: Use constant time comparison in UriSigner

Affected versions: >=2.2.0, =4.3.0, <4.3.8

Sourced from The PHP Security Advisories Database.

CVE-2019-18888: Prevent argument injection in a MimeTypeGuesser

Affected versions: >=2.0.0, =4.3.0, <4.3.8

Sourced from The PHP Security Advisories Database.

CVE-2021-21424: Prevent user enumeration via response content in authentication mechanisms

Affected versions: >=2.8.0, =5.2.0, <5.2.8

Sourced from The PHP Security Advisories Database.

CVE-2021-21424: Prevent user enumeration via response content in authentication mechanisms

Affected versions: >=2.8.0, =5.2.0, <5.2.9

Release notes

Sourced from symfony/symfony's releases.

v3.4.49

Changelog (https://github.com/symfony/symfony/compare/v3.4.48...v3.4.49)

• security #cve-2021-21424 [Security\Core] Fix user enumeration via response body on invalid credentials (@​chalasr)

[PR] symfony/symfony#41276 [SECURITY] Security release

v3.4.48

Changelog (https://github.com/symfony/symfony/compare/v3.4.47...v3.4.48)

• security #cve-2021-21424 [Security][Guard] Prevent user enumeration (@​chalasr)

[PR] symfony/symfony#41193 [SECURITY] Security release

v3.4.47

Changelog (https://github.com/symfony/symfony/compare/v3.4.46...v3.4.47)

• bug #38628 [DoctrineBridge] indexBy could reference to association columns (@​juanmiguelbesada)

[PR] symfony/symfony#39193 [EOM] End of maintenance release for branch 3.4

v3.4.46

Changelog (https://github.com/symfony/symfony/compare/v3.4.45...v3.4.46)

• bug #38669 [Serializer] fix decoding float XML attributes starting with 0 (@​Marcin Kruk)
• bug #38595 [TwigBridge] do not translate null placeholders or titles (@​xabbuh)
• bug #38652 [Filesystem] Check if failed unlink was caused by permission denied (@​Nyholm)
• bug #38604 [DoctrineBridge] indexBy does not refer to attributes, but to column names (@​xabbuh)
• bug #38606 [WebProfilerBundle] Hide debug toolbar in print view (@​jt2k)
• bug #38582 [DI] Fix Reflection file name with eval()'d code (@​maxime-aknin)
• bug #38516 [HttpFoundation] Fix Range Requests (@​BattleRattle)
• bug #38510 [PropertyInfo] Support for the mixed type (@​derrabus)
• bug #38444 [PhpUnitBridge] fix running parallel tests with phpunit 9 (@​nicolas-grekas)
• bug #38442 [VarDumper] fix truncating big arrays (@​nicolas-grekas)
• bug #38380 [Form] propagate validation groups to subforms (@​johanderuijter, @​xabbuh)
• bug #38360 [BrowserKit] Cookie expiration at current timestamp (@​iquito)

[PR] symfony/symfony#38851

v3.4.45

Changelog (https://github.com/symfony/symfony/compare/v3.4.44...v3.4.45)

• bug #38228 [Yaml Parser] Fix edge cases when parsing multiple documents (@​digilist)
• bug #38229 [Yaml] fix parsing comments not prefixed by a space (@​xabbuh)
• bug #38131 [Validator] allow consumers to mock all methods (@​xabbuh)
• bug #37097 DateTime validator support for trailing data (@​stefankleff)
• bug #38116 [Console] Silence warnings on sapi_windows_cp_set() call (@​chalasr)

... (truncated)

Changelog

Sourced from symfony/symfony's changelog.

• 3.4.49 (2021-05-19)

• security #cve-2021-21424 [Security\Core] Fix user enumeration via response body on invalid credentials (chalasr)

• 3.4.48 (2021-05-12)

• security #cve-2021-21424 [Security][Guard] Prevent user enumeration (chalasr)

• 3.4.47 (2020-11-27)

• bug #38628 [DoctrineBridge] indexBy could reference to association columns (juanmiguelbesada)

• 3.4.46 (2020-10-28)

• bug #38669 [Serializer] fix decoding float XML attributes starting with 0 (Marcin Kruk)

• bug #38595 [TwigBridge] do not translate null placeholders or titles (xabbuh)

• bug #38652 [Filesystem] Check if failed unlink was caused by permission denied (Nyholm)

• bug #38604 [DoctrineBridge] indexBy does not refer to attributes, but to column names (xabbuh)

• bug #38606 [WebProfilerBundle] Hide debug toolbar in print view (jt2k)

• bug #38582 [DI] Fix Reflection file name with eval()'d code (maxime-aknin)

• bug #38516 [HttpFoundation] Fix Range Requests (BattleRattle)

• bug #38510 [PropertyInfo] Support for the mixed type (derrabus)

• bug #38444 [PhpUnitBridge] fix running parallel tests with phpunit 9 (nicolas-grekas)

• bug #38442 [VarDumper] fix truncating big arrays (nicolas-grekas)

• bug #38380 [Form] propagate validation groups to subforms (johanderuijter, xabbuh)

• bug #38360 [BrowserKit] Cookie expiration at current timestamp (iquito)

• 3.4.45 (2020-09-27)

• bug #38228 [Yaml Parser] Fix edge cases when parsing multiple documents (digilist)

• bug #38229 [Yaml] fix parsing comments not prefixed by a space (xabbuh)

• bug #38131 [Validator] allow consumers to mock all methods (xabbuh)

• bug #37097 DateTime validator support for trailing data (stefankleff)

• bug #38116 [Console] Silence warnings on sapi_windows_cp_set() call (chalasr)

• bug #38114 [Console] guard $argv + $token against null, preventing unnecessary exceptions (bilogic)

• bug #38099 Prevent parsing invalid octal digits as octal numbers (julienfalque)

• bug #38091 [DI] fix ContainerBuilder on PHP8 (nicolas-grekas)

• bug #38080 [Console] Make sure $maxAttempts is an int or null (derrabus)

• bug #38073 [VarDumper] Fix caster for invalid SplFileInfo objects on php 8 (derrabus)

• bug #38071 [PhpUnitBridge] Adjust output parsing of CoverageListenerTrait for PHPUnit 9.3 (sanmai, derrabus)

• bug #38049 [Debug] Parse "x not found" errors correctly on php 8 (derrabus)

• bug #38024 [Console] Fix undefined index for inconsistent command name definition (chalasr)

• 3.4.44 (2020-08-31)

• bug #37949 [Yaml] fix more numeric cases changing in PHP 8 (xabbuh)

• bug #37921 [Yaml] account for is_numeric() behavior changes in PHP 8 (xabbuh)

• bug #37912 [ExpressionLanguage] fix passing arguments to call_user_func_array() on PHP 8 (xabbuh)

• bug #37853 [Validator] ensure that the validator is a mock object for backwards-compatibility (xabbuh)

• bug #37845 [Serializer] Fix variadic support when using type hints (fabpot)

... (truncated)

Commits

• ba0e346 Merge pull request #41276 from fabpot/release-3.4.49
• 13af892 Update VERSION for 3.4.49
• 184bd68 Update CHANGELOG for 3.4.49
• 1ad13fe security #cve-2021-21424 [Security\Core] Fix user enumeration via response bo...
• e850700 [Security\Core] Fix user enumeration via response body on invalid credentials
• d0d17db Merge pull request #41193 from fabpot/release-3.4.48
• fd84b53 Update VERSION for 3.4.48
• 684ab1f Update CHANGELOG for 3.4.48
• 2a581d2 security #cve-2021-21424 [Security][Guard] Prevent user enumeration (chalasr)
• f012eee [Security][Guard] Prevent user enumeration via response content
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot merge` will merge this PR after your CI passes on it - `@dependabot squash and merge` will squash and merge this PR after your CI passes on it - `@dependabot cancel merge` will cancel a previously requested merge and block automerging - `@dependabot reopen` will reopen this PR if it is closed - `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually - `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself) - `@dependabot use these labels` will set the current labels as the default for future PRs for this repo and language - `@dependabot use these reviewers` will set the current reviewers as the default for future PRs for this repo and language - `@dependabot use these assignees` will set the current assignees as the default for future PRs for this repo and language - `@dependabot use this milestone` will set the current milestone as the default for future PRs for this repo and language - `@dependabot badge me` will comment on this PR with code to add a "Dependabot enabled" badge to your readme Additionally, you can set the following in your Dependabot [dashboard](https://app.dependabot.com): - Update frequency (including time of day and day of week) - Pull request limits (per update run and/or open at any time) - Out-of-range updates (receive only lockfile updates, if desired) - Security updates (receive only security updates, if desired)