Symfony lock to v3.4.6 in latest bugfix release 4.4.18 prevents security fixes for Symfony

[christian-kolb]

When using the core bundle as a Symfony bundle I can only upgrade to v3.4.6 or 4.4.18.

Symfony v3.4.6 contains the following security issues:

• CVE-2018-11407: Unauthorized access on a misconfigured LDAP server when using an empty password
• CVE-2018-11386: Denial of service when using PDOSessionHandler
• CVE-2018-11406: CSRF Token Fixation
• CVE-2018-11408: Open redirect vulnerability on security handlers
• CVE-2018-11385: Session Fixation Issue for Guard Authentication

Contao 4.4.18 on the other hand includes a fix for:

• CVE-2018-10125

As soon as manually set the symfony/symfony to 3.4.11 composer downgrades Contao to 4.4.17.

For debugging purposes here the whole require part of the composer.json:

"require": {
    "php": ">=7.1.6",
    "contao/calendar-bundle": "^4.4",
    "contao/comments-bundle": "^4.4",
    "contao/core-bundle": "4.4.*",
    "contao/faq-bundle": "^4.4",
    "contao/installation-bundle": "^4.4",
    "contao/listing-bundle": "^4.4",
    "contao/news-bundle": "^4.4",
    "doctrine/doctrine-bundle": "^1.6",
    "doctrine/orm": "^2.5",
    "gargron/fileupload": "^1.4",
    "incenteev/composer-parameter-handler": "^2.0",
    "menatwork/contao-multicolumnwizard": "^3.3",
    "oneup/contao-security-checker-bundle": "^0.4",
    "php-http/guzzle6-adapter": "^1.1",
    "sensio/distribution-bundle": "^5.0.19",
    "sensio/framework-extra-bundle": "^3.0.2",
    "symfony/monolog-bundle": "^3.1.0",
    "symfony/polyfill-apcu": "^1.0",
    "symfony/swiftmailer-bundle": "^2.6.4",
    "symfony/symfony": "3.4.11",
    "twig/twig": "^1.0||^2.0"
},

Is there a important reason for that or just some kind of unnoticed conflict?

[christian-kolb]

I just updated symfony to 3.4.11 and I'm always directly logged out in the Contao backend after I login when I click on any link. Is this a known issue which will be fixed in the next bugfix release?

[christian-kolb]

Ok, looks like it's a duplicate for https://github.com/contao/core-bundle/issues/1534.

[fritzmg]

Yes, symfony/security in version >3.4.6 is incompatible with Contao 4.4.x.

See

• https://github.com/contao/core-bundle/issues/1534
• https://github.com/contao/core-bundle/issues/1466

for example.

[patrickjDE]

symfony/security 3.4.9 and 3.4.10 are working fine with contao, 3.4.11 just introduced a new issue.