[pkg-php-pear] Symfony: Fixes for CVE-2016-4423 and CVE-2016-2403 for sid and experimental in git (WAS: Re: Symfony in stable: Fix for CVE-2016-4423 in git)

Daniel Beyer dabe at deb.ymc.ch
Wed May 11 08:04:56 UTC 2016

Hi David,

On Tue, 2016-05-10 at 23:48 +0200, Daniel Beyer wrote:
> Hi David,
> (...)
> I prepared 2.8.6 in branch 2.8, which should be ready for a sid upload.
> With 3.0.6 I have failing tests - I uploaded my work in branch
> wip/dabe/3.0.6 and will have a closer look at that tomorrow.

Regarding CVE-2016-4423 and CVE-2016-2403 which are closed by upstream
in 2.8.6 and 3.0.6:

As already mentioned, 2.8.6 in branch 2.8 should be ready for sid.

With 3.0.6 there was a dependency problem in symfony. I circumvented
this by reporting the issue upstream [1] and cherry-picking my proposed
fix back into our packaging [2].

The tests for 3.0.6 are still failing in experimental, which is caused
by a version of php-phpdocumentor-reflection that is too new. This issue
is not new and is already present in the current 3.0.5+dfsg-1.
Given that the testsuite is already failing and 3.0.6 closes two CVEs, I
suggest uploading wip/dabe/3.0.6 to experimental (note that d/changelog
is still open in wip/dabe/3.0.6 - use "gbp dch --auto --release" on it).

I'm not sure how to get the tests working again with the newer version
of php-phpdocumentor-reflection in experimental, but I'll try to work on
it - yet I'm not sure if I'll find time for it this week.


[1] https://github.com/symfony/symfony/pull/18745
[2] https://anonscm.debian.org/cgit/pkg-php/symfony.git/tree/debian/patches/MonologBridge-Uninstallable-together-with-symfony-ht.patch?h=wip/dabe/3.0.6
