edno / kleis

Simplified SquidGuard web frontend (users & filters management)
MIT License
4 stars 2 forks source link

[Security] Bump symfony/http-foundation from 4.3.3 to 4.4.1 #147

Closed dependabot-preview[bot] closed 4 years ago

dependabot-preview[bot] commented 4 years ago

Bumps symfony/http-foundation from 4.3.3 to 4.4.1. This update includes a security fix.

Vulnerabilities fixed *Sourced from [The PHP Security Advisories Database](https://github.com/FriendsOfPHP/security-advisories/blob/master/symfony/http-foundation/CVE-2019-18888.yaml).* > **CVE-2019-18888: Prevent argument injection in a MimeTypeGuesser** > > Affected versions: >=2.0.0, <2.1.0; >=2.1.0, <2.2.0; >=2.2.0, <2.3.0; >=2.3.0, <2.4.0; >=2.4.0, <2.5.0; >=2.5.0, <2.6.0; >=2.6.0, <2.7.0; >=2.7.0, <2.8.0; >=2.8.0, <2.8.52; >=3.0.0, <3.1.0; >=3.1.0, <3.2.0; >=3.2.0, <3.3.0; >=3.3.0, <3.4.0; >=3.4.0, <3.4.35; >=4.0.0, <4.1.0; >=4.1.0, <4.2.0; >=4.2.0, <4.2.12; >=4.3.0, <4.3.8
Changelog *Sourced from [symfony/http-foundation's changelog](https://github.com/symfony/http-foundation/blob/master/CHANGELOG.md).* > CHANGELOG > ========= > > 5.0.0 > ----- > > * made `Cookie` auto-secure and lax by default > * removed classes in the `MimeType` namespace, use the Symfony Mime component instead > * removed method `UploadedFile::getClientSize()` and the related constructor argument > * made `Request::getSession()` throw if the session has not been set before > * removed `Response::HTTP_RESERVED_FOR_WEBDAV_ADVANCED_COLLECTIONS_EXPIRED_PROPOSAL` > * passing a null url when instantiating a `RedirectResponse` is not allowed > > 4.4.0 > ----- > > * passing arguments to `Request::isMethodSafe()` is deprecated. > * `ApacheRequest` is deprecated, use the `Request` class instead. > * passing a third argument to `HeaderBag::get()` is deprecated, use method `all()` instead > * [BC BREAK] `PdoSessionHandler` with MySQL changed the type of the lifetime column, > make sure to run `ALTER TABLE sessions MODIFY sess_lifetime INTEGER UNSIGNED NOT NULL` to > update your database. > * `PdoSessionHandler` now precalculates the expiry timestamp in the lifetime column, > make sure to run `CREATE INDEX EXPIRY ON sessions (sess_lifetime)` to update your database > to speed up garbage collection of expired sessions. > * added `SessionHandlerFactory` to create session handlers with a DSN > * added `IpUtils::anonymize()` to help with GDPR compliance. > > 4.3.0 > ----- > > * added PHPUnit constraints: `RequestAttributeValueSame`, `ResponseCookieValueSame`, `ResponseHasCookie`, > `ResponseHasHeader`, `ResponseHeaderSame`, `ResponseIsRedirected`, `ResponseIsSuccessful`, and `ResponseStatusCodeSame` > * deprecated `MimeTypeGuesserInterface` and `ExtensionGuesserInterface` in favor of `Symfony\Component\Mime\MimeTypesInterface`. > * deprecated `MimeType` and `MimeTypeExtensionGuesser` in favor of `Symfony\Component\Mime\MimeTypes`. > * deprecated `FileBinaryMimeTypeGuesser` in favor of `Symfony\Component\Mime\FileBinaryMimeTypeGuesser`. > * deprecated `FileinfoMimeTypeGuesser` in favor of `Symfony\Component\Mime\FileinfoMimeTypeGuesser`. > * added `UrlHelper` that allows to get an absolute URL and a relative path for a given path > > 4.2.0 > ----- > > * the default value of the "$secure" and "$samesite" arguments of Cookie's constructor > will respectively change from "false" to "null" and from "null" to "lax" in Symfony > 5.0, you should define their values explicitly or use "Cookie::create()" instead. > * added `matchPort()` in RequestMatcher > > 4.1.3 > ----- > > ... (truncated)
Commits - [`8bccc59`](https://github.com/symfony/http-foundation/commit/8bccc59e61b41963d14c3dbdb23181e5c932a1d5) Merge branch '4.3' into 4.4 - [`fcafc7c`](https://github.com/symfony/http-foundation/commit/fcafc7c53784919e4bbcb6d5df73cabbb5c39e76) Merge branch '3.4' into 4.3 - [`d2d0cfe`](https://github.com/symfony/http-foundation/commit/d2d0cfe8e319d9df44c4cca570710fcf221d4593) [HttpFoundation] Fixed typo - [`cc09809`](https://github.com/symfony/http-foundation/commit/cc09809aa4182d5d062cde2c5836c5281f4e96eb) [HttpFoundation] Update CHANGELOG for PdoSessionHandler BC BREAK in 4.4 - [`c2480b7`](https://github.com/symfony/http-foundation/commit/c2480b72a0bbf21cb04cd2ea6ef21b9d6b533a45) Merge branch '3.4' into 4.3 - [`f7efd0b`](https://github.com/symfony/http-foundation/commit/f7efd0b387b7bdbfe0fd1e38fe6b7d4a812b4e39) Simpler example for Apache basic auth workaround - [`502040d`](https://github.com/symfony/http-foundation/commit/502040dd2b0cf0a292defeb6145f4d7a4753c99c) Merge branch '4.3' into 4.4 - [`0ac9ebf`](https://github.com/symfony/http-foundation/commit/0ac9ebffc17cbff398157c03f2d48b8b59e922da) Merge branch '3.4' into 4.3 - [`a558b18`](https://github.com/symfony/http-foundation/commit/a558b18bafae7c8fdd1d23c4bdc3690210f2f9a6) feature [#34405](https://github-redirect.dependabot.com/symfony/http-foundation/issues/34405) [HttpFoundation] Added possibility to configure expiration tim... - [`0c5217a`](https://github.com/symfony/http-foundation/commit/0c5217a9050712a1e66f851d04962abf8f2c6fc4) [HttpFoundation] Added possibility to configure expiration time in redis sess... - Additional commits viewable in [compare view](https://github.com/symfony/http-foundation/compare/v4.3.3...v4.4.1)


Dependabot compatibility score

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot merge` will merge this PR after your CI passes on it - `@dependabot squash and merge` will squash and merge this PR after your CI passes on it - `@dependabot cancel merge` will cancel a previously requested merge and block automerging - `@dependabot reopen` will reopen this PR if it is closed - `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually - `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself) - `@dependabot use these labels` will set the current labels as the default for future PRs for this repo and language - `@dependabot use these reviewers` will set the current reviewers as the default for future PRs for this repo and language - `@dependabot use these assignees` will set the current assignees as the default for future PRs for this repo and language - `@dependabot use this milestone` will set the current milestone as the default for future PRs for this repo and language - `@dependabot badge me` will comment on this PR with code to add a "Dependabot enabled" badge to your readme Additionally, you can set the following in your Dependabot [dashboard](https://app.dependabot.com): - Update frequency (including time of day and day of week) - Pull request limits (per update run and/or open at any time) - Automerge options (never/patch/minor, and dev/runtime dependencies) - Out-of-range updates (receive only lockfile updates, if desired) - Security updates (receive only security updates, if desired)
dependabot-preview[bot] commented 4 years ago

Superseded by #154.