benjaminjonard / koillection

Koillection is a self-hosted service allowing users to manage any kind of collections.
https://github.com/koillection/koillection/wiki
MIT License
680 stars, 30 forks

Update dependency symfony/runtime to v7.1.7 [SECURITY] #1232

Closed benjaminjonard closed 2 weeks ago

benjaminjonard commented 2 weeks ago

This PR contains the following updates:

| Package | Type | Update | Change |
|---|---|---|---|
| symfony/runtime (source) | require | patch | 7.1.6 -> 7.1.7 |

GitHub Vulnerability Alerts

CVE-2024-50340

Description

When the register_argc_argv php directive is set to on, and users call any URL with a specially crafted query string, they are able to change the environment or debug mode used by the kernel when handling the request.

Resolution

The SymfonyRuntime now ignores the argv values for non-CLI SAPI PHP runtimes.

The patch for this issue is available here for branch 5.4.

Credits

We would like to thank Vladimir Dusheyko for reporting the issue and Wouter de Jong for providing the fix.


Release Notes

symfony/runtime (symfony/runtime)

v7.1.7 (https://redirect.github.com/symfony/runtime/releases/tag/v7.1.7)
Compare Source (https://redirect.github.com/symfony/runtime/compare/v7.1.6...v7.1.7)

Changelog (https://github.com/symfony/runtime/compare/v7.1.6...v7.1.7)

- security symfony/symfony#cve-2024-50340 [Runtime] Do not read from argv on non-CLI SAPIs (@wouterj)

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.



This PR has been generated by Renovate Bot.
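The advisory above says the kernel environment could be switched from a query string when register_argc_argv is on, and that the fix is to ignore argv outside the CLI. The following is an added illustrative example, not symfony/runtime's or Koillection's own code: it models the mechanism (PHP populating argv from the query string on a web SAPI, an ArgvInput-style option scan picking up --env / --no-debug) and puts the SAPI gate beside the unguarded version. The function names, the constructed $_SERVER arrays and the exact option syntax are assumptions; the real runtime uses Symfony's ArgvInput class.

```php
<?php
// Added illustrative example (not symfony/runtime code). Function names are hypothetical.
declare(strict_types=1);

/**
 * Minimal ArgvInput-style scanner: drop argv[0] (the script name on the CLI),
 * then look for --env=X / --env X / -eX and --no-debug. Stops at "--".
 */
function parseEnvOptions(array $argv): array
{
    $env = null;
    $noDebug = false;
    array_shift($argv);                       // argv[0] is conventionally the script name
    $n = count($argv);
    for ($i = 0; $i < $n; $i++) {
        $arg = $argv[$i];
        if ($arg === '--') {
            break;
        }
        if (str_starts_with($arg, '--env=')) {
            $env = substr($arg, 6);
        } elseif (($arg === '--env' || $arg === '-e') && $i + 1 < $n) {
            $env = $argv[++$i];
        } elseif (strlen($arg) > 2 && str_starts_with($arg, '-e') && $arg[1] !== '-') {
            $env = substr($arg, 2);
        } elseif ($arg === '--no-debug') {
            $noDebug = true;
        }
    }
    return ['env' => $env, 'no_debug' => $noDebug];
}

/**
 * Vulnerable shape: honours $_SERVER['argv'] no matter which SAPI is running.
 * Returns [env, debug] as the kernel would be booted with.
 */
function resolveKernelOptionsVulnerable(array $server, string $sapi): array
{
    $env   = $server['APP_ENV']   ?? 'prod';
    $debug = (bool) ($server['APP_DEBUG'] ?? false);
    if (isset($server['argv'])) {
        $opts = parseEnvOptions($server['argv']);
        if ($opts['env'] !== null) {
            $env = $opts['env'];
        }
        if ($opts['no_debug']) {
            $debug = false;
        }
    }
    return [$env, $debug];
}

/**
 * Fixed shape: only trust argv for CLI-like SAPIs (the fix referenced in the
 * advisory is of this kind; the exact SAPI list here is an assumption).
 */
function resolveKernelOptionsFixed(array $server, string $sapi): array
{
    $env   = $server['APP_ENV']   ?? 'prod';
    $debug = (bool) ($server['APP_DEBUG'] ?? false);
    if (in_array($sapi, ['cli', 'phpdbg', 'embed'], true) && isset($server['argv'])) {
        $opts = parseEnvOptions($server['argv']);
        if ($opts['env'] !== null) {
            $env = $opts['env'];
        }
        if ($opts['no_debug']) {
            $debug = false;
        }
    }
    return [$env, $debug];
}

// Constructed web request. With register_argc_argv=On, a CGI/FPM/mod_php SAPI
// builds $_SERVER['argv'] by splitting the query string on '+', so
// GET /?x+--env=dev+--no-debug arrives as the array below (the leading "x"
// only exists to survive the array_shift of argv[0]).
$webServer = [
    'APP_ENV'      => 'prod',
    'APP_DEBUG'    => '0',
    'QUERY_STRING' => 'x+--env=dev+--no-debug',
    'argv'         => ['x', '--env=dev', '--no-debug'],
];

[$env, $debug] = resolveKernelOptionsVulnerable($webServer, 'fpm-fcgi');
echo "vulnerable: env=$env\n";          // env=dev  (attacker-chosen)

[$env, $debug] = resolveKernelOptionsFixed($webServer, 'fpm-fcgi');
echo "fixed:      env=$env\n";          // env=prod (argv ignored on a web SAPI)

// The same options still work where they are meant to: a real CLI invocation.
[$env, $debug] = resolveKernelOptionsFixed(
    ['argv' => ['bin/console', '--env=test'], 'APP_ENV' => 'prod'], 'cli'
);
echo "cli:        env=$env\n";          // env=test
```

Two checks worth running on a deployment regardless of the package version: confirm the directive on the web SAPI rather than the CLI, since php-fpm and the CLI often load different ini files (`php-fpm -i | grep register_argc_argv` versus `php -i | grep register_argc_argv`; the built-in default is On, and php.ini-production turns it Off), and after upgrading, request a URL of the form above and confirm the response still carries production behaviour (no debug toolbar, no verbose exception page).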

benjaminjonard commented 2 weeks ago

⚠️ Artifact update problem

Renovate failed to update an artifact related to this branch. You probably do not want to merge this PR as-is.

♻ Renovate will retry this branch, including artifacts, only when one of the following happens:

The artifact failure details are included below:

File name: composer.lock
Command failed: composer update symfony/runtime:7.1.7 --with-dependencies --ignore-platform-req='ext-*' --ignore-platform-req='lib-*' --no-ansi --no-interaction --no-scripts --no-autoloader --no-plugins
Loading composer repositories with package information
A connection timeout was encountered. If you intend to run Composer without connecting to the internet, run the command again prefixed with COMPOSER_DISABLE_NETWORK=1 to make Composer run in offline mode.
The following exception probably indicates you have misconfigured DNS resolver(s)

In CurlDownloader.php line 371:

  curl error 28 while downloading https://repo.packagist.org/packages.json: Resolving timed out after 10002 milliseconds

update [--with WITH] [--prefer-source] [--prefer-dist] [--prefer-install PREFER-INSTALL] [--dry-run] [--dev] [--no-dev] [--lock] [--no-install] [--no-audit] [--audit-format AUDIT-FORMAT] [--no-autoloader] [--no-suggest] [--no-progress] [-w|--with-dependencies] [-W|--with-all-dependencies] [-v|vv|vvv|--verbose] [-o|--optimize-autoloader] [-a|--classmap-authoritative] [--apcu-autoloader] [--apcu-autoloader-prefix APCU-AUTOLOADER-PREFIX] [--ignore-platform-req IGNORE-PLATFORM-REQ] [--ignore-platform-reqs] [--prefer-stable] [--prefer-lowest] [-m|--minimal-changes] [--patch-only] [-i|--interactive] [--root-reqs] [--bump-after-update [BUMP-AFTER-UPDATE]] [--] [<packages>...]