[pkg-php-pear] symfony_7.4.12+dfsg-1_source.changes ACCEPTED into unstable

Debian FTP Masters ftpmaster at ftp-master.debian.org
Wed May 20 21:34:22 BST 2026 

Thank you for your contribution to Debian.



Accepted:

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Wed, 20 May 2026 21:29:52 +0200
Source: symfony
Architecture: source
Version: 7.4.12+dfsg-1
Distribution: unstable
Urgency: medium
Maintainer: Debian PHP PEAR Maintainers <pkg-php-pear at lists.alioth.debian.org>
Changed-By: David Prévot <taffit at debian.org>
Changes:
 symfony (7.4.12+dfsg-1) unstable; urgency=medium
 .
   [ Alexandre Daubois ]
   * [Routing] Fix regex alternation anchoring in UrlGenerator requirement
     validation [CVE-2026-45065]
   * [DomCrawler] Fix XXE in addXmlContent() by not enabling `validateOnParse`
     [CVE-2026-45071]
   * [HtmlSanitizer] Fix allowLinkHosts/allowMediaHosts bypass via URL parser
     differentials and <area> misclassification [CVE-2026-45066]
   * [Security] Add missing claims in `OidcTokenHandler` [CVE-2026-45069]
   * [Security] Anchor emailAddress regex to RDN boundary in X509Authenticator
     [CVE-2026-45063]
   * [Mime] Reject email addresses containing line breaks in Address
     [CVE-2026-45067]
   * [Mailer] Add end-of-options separator before recipients in
     SendmailTransport; reject addresses starting with a dash [CVE-2026-45068]
   * [JsonPath] Cap regex backtracking in match()/search() to prevent ReDoS
     [CVE-2026-45756]
   * [Mailer][Mailjet] Reject webhooks with missing or invalid Basic credentials
     [CVE-2026-45754]
   * [Mailer][Mailtrap] Reject webhooks with missing or invalid HMAC signature
     [CVE-2026-45755]
 .
   [ Nicolas Grekas ]
   * [HtmlSanitizer] Reject BiDi override characters and percent-encode spaces
     in URLs [CVE-2026-45064]
   * [MonologBridge] Bind server:log to localhost by default [CVE-2026-45077]
   * [Security][HttpKernel] Fix HEAD requests bypassing methods filter in
     `IsGranted`, `IsCsrfTokenValid` and `IsSignatureValid` attributes
     [CVE-2026-45075]
   * [Yaml] Bound recursion depth in the parser [CVE-2026-45133]
   * [TwigBridge] Fix XSS issue in CodeExtension::fileExcerpt() [CVE-2026-45072]
   * [Cache] Validate the prefix given to AbstractAdapter::clear()
     [CVE-2026-45073]
   * [Yaml] Bound collection-alias resolution in the parser [CVE-2026-45304]
   * [Yaml] Harden the Parser::cleanup() regexes against catastrophic
     backtracking [CVE-2026-45305]
   * [Security] Require configuring trusted hosts when using CAS authentication
     [CVE-2026-45074]
   * [Notifier][Lox24] Reject webhooks with missing or invalid token
     [CVE-2026-45754]
   * [Notifier][Twilio] Reject webhooks with missing or invalid HMAC signature
     [CVE-2026-47212]
   * [HtmlSanitizer] Sanitize URLs in action, formaction, poster and cite
     attributes [CVE-2026-45753]
   * [Runtime] Fix CVE-2024-50340 patch bypass by gating argv on
     $_SERVER['QUERY_STRING'] [CVE-2026-46626]
 .
   [ Fabien Potencier ]
   * Update VERSION for 7.4.12
Checksums-Sha1:
 8c8bbffceb8cbdd48b7f0d1510bdd9c29260c6d6 19155 symfony_7.4.12+dfsg-1.dsc
 d3460cbba6435d135031a6124cb770d5125f2be0 9379696 symfony_7.4.12+dfsg.orig.tar.xz
 9415ee45b4d795045efedce3b43dd3b583c604d1 81268 symfony_7.4.12+dfsg-1.debian.tar.xz
 01dcb1743d41bcd749ad3b31965c01f53fb65c8d 74710 symfony_7.4.12+dfsg-1_amd64.buildinfo
Checksums-Sha256:
 053623a631c3f67b509830671af00396a8fbfefc654580681cacd1fdb99d3d1b 19155 symfony_7.4.12+dfsg-1.dsc
 59e2e5a3d8451fd719bffc4d4ecfa713856318e768dd64d428c2748f95da5899 9379696 symfony_7.4.12+dfsg.orig.tar.xz
 f3b6bb74223e9e155535bb2b4e70e75a3bd88d674cd2bb157794c497ce14e173 81268 symfony_7.4.12+dfsg-1.debian.tar.xz
 2f97ac8af306aaf111ad30558731415ac86fce31e0a5d2eba16f71beac509efd 74710 symfony_7.4.12+dfsg-1_amd64.buildinfo
Files:
 957f195ed2a683633f7ac4d2d1c5352a 19155 php optional symfony_7.4.12+dfsg-1.dsc
 56e8175f4716d2fae9969b1e69d8c21d 9379696 php optional symfony_7.4.12+dfsg.orig.tar.xz
 529c0d86518cf3421319add1b5b5c8b3 81268 php optional symfony_7.4.12+dfsg-1.debian.tar.xz
 7ef0106e0b3f4db3ffa916f7cca1c90e 74710 php optional symfony_7.4.12+dfsg-1_amd64.buildinfo

-----BEGIN PGP SIGNATURE-----

iQFGBAEBCgAwFiEEeHVNB7wJXHRI941mBYwc+UT2vTwFAmoOEWcSHHRhZmZpdEBk
ZWJpYW4ub3JnAAoJEAWMHPlE9r08TNoH/jBV6odVyPPKAMXtvJmGgI86VMsdiSsU
tI3n7qKvY46hc+L55qEQq8HegZYXJRiHIoLY1WXSCN1WS5VuKxdrFCN1GfRmFJX3
tPiAYUd9QT4mxO1D9pR9wnfGVMu0MBw0MuGPQhXo/IrTQwshvnI+Gb4evWoNFGW7
duMmCOj4YnGYrEj6t+jB+yn0NbKbTDP3RoXPO4QoG+FcnF+ncrlk33G/gl6s8jzT
ZS6OQo/kPYmBJdPHXzslJTwCCaZrDok/CJVav8KCnf+EN6sM5bBNvedG35g/us8v
TlEOL0jK40hk7khnqpx7exaATqqmg3UlTI9c2FU4jibEbGsQ4N2so2g=
=OMas
-----END PGP SIGNATURE-----

-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 228 bytes
Desc: not available
URL: <http://alioth-lists.debian.net/pipermail/pkg-php-pear/attachments/20260520/06fc0024/attachment.sig>

More information about the pkg-php-pear mailing list