[Security] Bump symfony/symfony from 3.1.10 to 3.4.35

[dependabot-preview]

Bumps symfony/symfony from 3.1.10 to 3.4.35. This update includes security fixes.

Vulnerabilities fixed

Sourced from The PHP Security Advisories Database.

CVE-2018-14773: Remove support for legacy and risky HTTP headers

Affected versions: >=2.0.0, <2.1.0; >=2.1.0, <2.2.0; >=2.2.0, <2.3.0; >=2.3.0, <2.4.0; >=2.4.0, <2.5.0; >=2.5.0, <2.6.0; >=2.6.0, <2.7.0; >=2.7.0, <2.7.49; >=2.8.0, <2.8.44; >=3.0.0, <3.1.0; >=3.1.0, <3.2.0; >=3.2.0, <3.3.0; >=3.3.0, <3.3.18; >=3.4.0, <3.4.14; >=4.0.0, <4.0.14; >=4.1.0, <4.1.3

Sourced from The PHP Security Advisories Database.

CVE-2017-16653: CSRF protection does not use different tokens for HTTP and HTTPS

Affected versions: >=2.7.0, <2.7.38; >=2.8.0, <2.8.31; >=3.0.0, <3.1.0; >=3.1.0, <3.2.0; >=3.2.0, <3.2.14; >=3.3.0, <3.3.13

Sourced from The PHP Security Advisories Database.

CVE-2017-16652: Open redirect vulnerability on security handlers

Affected versions: >=2.7.0, <2.7.38; >=2.8.0, <2.8.31; >=3.0.0, <3.1.0; >=3.1.0, <3.2.0; >=3.2.0, <3.2.14; >=3.3.0, <3.3.13

Sourced from The PHP Security Advisories Database.

CVE-2017-16654: Intl bundle readers breaking out of paths

Affected versions: >=2.7.0, <2.7.38; >=2.8.0, <2.8.31; >=3.0.0, <3.1.0; >=3.1.0, <3.2.0; >=3.2.0, <3.2.14; >=3.3.0, <3.3.13

Sourced from The PHP Security Advisories Database.

CVE-2017-16790: Ensure that submitted data are uploaded files

Affected versions: >=2.7.0, <2.7.38; >=2.8.0, <2.8.31; >=3.0.0, <3.1.0; >=3.1.0, <3.2.0; >=3.2.0, <3.2.14; >=3.3.0, <3.3.13

Sourced from The PHP Security Advisories Database.

CVE-2018-11385: Session Fixation Issue for Guard Authentication

Affected versions: >=2.0.0, <2.7.48; >=2.1.0, <2.7.48; >=2.2.0, <2.7.48; >=2.3.0, <2.7.48; >=2.4.0, <2.7.48; >=2.5.0, <2.7.48; >=2.6.0, <2.7.48; >=2.7.0, <2.7.48; >=2.8.0, <2.8.41; >=3.0.0, <3.1.0; >=3.1.0, <3.2.0; >=3.2.0, <3.3.0; >=3.3.0, <3.3.17; >=3.4.0, <3.4.11; >=4.0.0, <4.0.11

Sourced from The PHP Security Advisories Database.

CVE-2018-11406: CSRF Token Fixation

Affected versions: >=2.0.0, <2.7.48; >=2.1.0, <2.7.48; >=2.2.0, <2.7.48; >=2.3.0, <2.7.48; >=2.4.0, <2.7.48; >=2.5.0, <2.7.48; >=2.6.0, <2.7.48; >=2.7.0, <2.7.48; >=2.8.0, <2.8.41; >=3.0.0, <3.1.0; >=3.1.0, <3.2.0; >=3.2.0, <3.3.0; >=3.3.0, <3.3.17; >=3.4.0, <3.4.11; >=4.0.0, <4.0.11

Sourced from The PHP Security Advisories Database.

CVE-2018-11407: Unauthorized access on a misconfigured LDAP server when using an empty password

Affected versions: >=2.8.0, <2.8.41; >=3.0.0, <3.1.0; >=3.1.0, <3.2.0; >=3.2.0, <3.3.0; >=3.3.0, <3.3.17; >=3.4.0, <3.4.11; >=4.0.0, <4.0.11

Sourced from The PHP Security Advisories Database.

CVE-2018-11408: Open redirect vulnerability on security handlers

Affected versions: >=2.7.38, <2.7.48; >=2.8.0, <2.8.41; >=3.0.0, <3.1.0; >=3.1.0, <3.2.0; >=3.2.0, <3.3.0; >=3.3.0, <3.3.17; >=3.4.0, <3.4.11; >=4.0.0, <4.0.11

Sourced from The PHP Security Advisories Database.

CVE-2018-11386: Denial of service when using PDOSessionHandler

Affected versions: >=2.0.0, <2.7.48; >=2.1.0, <2.7.48; >=2.2.0, <2.7.48; >=2.3.0, <2.7.48; >=2.4.0, <2.7.48; >=2.5.0, <2.7.48; >=2.6.0, <2.7.48; >=2.7.0, <2.7.48; >=2.8.0, <2.8.41; >=3.0.0, <3.1.0; >=3.1.0, <3.2.0; >=3.2.0, <3.3.0; >=3.3.0, <3.3.17; >=3.4.0, <3.4.11; >=4.0.0, <4.0.11

Sourced from The PHP Security Advisories Database.

CVE-2018-11407: Unauthorized access on a misconfigured LDAP server when using an empty password

Affected versions: >=2.8.0, <2.8.37; >=3.0.0, <3.1.0; >=3.1.0, <3.2.0; >=3.2.0, <3.3.0; >=3.3.0, <3.3.17; >=3.4.0, <3.4.7; >=4.0.0, <4.0.7

Sourced from The PHP Security Advisories Database.

CVE-2019-18889: Forbid serializing AbstractAdapter and TagAwareAdapter instances

Affected versions: >=3.1.0, <3.2.0; >=3.2.0, <3.3.0; >=3.3.0, <3.4.0; >=3.4.0, <3.4.35; >=4.0.0, <4.1.0; >=4.1.0, <4.2.0; >=4.2.0, <4.2.12; >=4.3.0, <4.3.8

Sourced from The PHP Security Advisories Database.

CVE-2019-18887: Use constant time comparison in UriSigner

Affected versions: >=2.2.0, <2.3.0; >=2.3.0, <2.4.0; >=2.4.0, <2.5.0; >=2.5.0, <2.6.0; >=2.6.0, <2.7.0; >=2.7.0, <2.8.0; >=2.8.0, <2.8.52; >=3.0.0, <3.1.0; >=3.1.0, <3.2.0; >=3.2.0, <3.3.0; >=3.3.0, <3.4.0; >=3.4.0, <3.4.35; >=4.0.0, <4.1.0; >=4.1.0, <4.2.0; >=4.2.0, <4.2.12; >=4.3.0, <4.3.8

Sourced from The PHP Security Advisories Database.

CVE-2019-18888: Prevent argument injection in a MimeTypeGuesser

Affected versions: >=2.0.0, <2.1.0; >=2.1.0, <2.2.0; >=2.2.0, <2.3.0; >=2.3.0, <2.4.0; >=2.4.0, <2.5.0; >=2.5.0, <2.6.0; >=2.6.0, <2.7.0; >=2.7.0, <2.8.0; >=2.8.0, <2.8.52; >=3.0.0, <3.1.0; >=3.1.0, <3.2.0; >=3.2.0, <3.3.0; >=3.3.0, <3.4.0; >=3.4.0, <3.4.35; >=4.0.0, <4.1.0; >=4.1.0, <4.2.0; >=4.2.0, <4.2.12; >=4.3.0, <4.3.8

Sourced from The PHP Security Advisories Database.

CVE-2018-19789: Temporary uploaded file path disclosure

Affected versions: >=2.7.38, <2.7.50; >=2.8.0, <2.8.49; >=3.0.0, <3.1.0; >=3.1.0, <3.2.0; >=3.2.0, <3.3.0; >=3.3.0, <3.4.0; >=3.4.0, <3.4.19; >=4.0.0, <4.0.15; >=4.1.0, <4.1.9; >=4.2.0, <4.2.1

Sourced from The PHP Security Advisories Database.

CVE-2018-19790: Open Redirect Vulnerability on login

Affected versions: >=2.7.38, <2.7.50; >=2.8.0, <2.8.49; >=3.0.0, <3.1.0; >=3.1.0, <3.2.0; >=3.2.0, <3.3.0; >=3.3.0, <3.4.0; >=3.4.0, <3.4.19; >=4.0.0, <4.0.15; >=4.1.0, <4.1.9; >=4.2.0, <4.2.1

Sourced from The PHP Security Advisories Database.

CVE-2018-19789: Temporary uploaded file path disclosure

Affected versions: >=2.7.38, <2.7.50; >=2.8.0, <2.8.49; >=3.0.0, <3.1.0; >=3.1.0, <3.2.0; >=3.2.0, <3.3.0; >=3.3.0, <3.4.0; >=3.4.0, <3.4.20; >=4.0.0, <4.0.15; >=4.1.0, <4.1.9; >=4.2.0, <4.2.1

Sourced from The PHP Security Advisories Database.

CVE-2018-19790: Open Redirect Vulnerability on login

Affected versions: >=2.7.38, <2.7.50; >=2.8.0, <2.8.49; >=3.0.0, <3.1.0; >=3.1.0, <3.2.0; >=3.2.0, <3.3.0; >=3.3.0, <3.4.0; >=3.4.0, <3.4.20; >=4.0.0, <4.0.15; >=4.1.0, <4.1.9; >=4.2.0, <4.2.1

Sourced from The PHP Security Advisories Database.

CVE-2018-11385: Session Fixation Issue for Guard Authentication

Affected versions: >=2.0.0, <2.1.0; >=2.1.0, <2.2.0; >=2.2.0, <2.3.0; >=2.3.0, <2.4.0; >=2.4.0, <2.5.0; >=2.5.0, <2.6.0; >=2.6.0, <2.7.0; >=2.7.0, <2.7.48; >=2.8.0, <2.8.41; >=3.0.0, <3.1.0; >=3.1.0, <3.2.0; >=3.2.0, <3.3.0; >=3.3.0, <3.3.17; >=3.4.0, <3.4.11; >=4.0.0, <4.0.11

Sourced from The PHP Security Advisories Database.

CVE-2018-11406: CSRF Token Fixation

Affected versions: >=2.0.0, <2.1.0; >=2.1.0, <2.2.0; >=2.2.0, <2.3.0; >=2.3.0, <2.4.0; >=2.4.0, <2.5.0; >=2.5.0, <2.6.0; >=2.6.0, <2.7.0; >=2.7.0, <2.7.48; >=2.8.0, <2.8.41; >=3.0.0, <3.1.0; >=3.1.0, <3.2.0; >=3.2.0, <3.3.0; >=3.3.0, <3.3.17; >=3.4.0, <3.4.11; >=4.0.0, <4.0.11

Sourced from The PHP Security Advisories Database.

CVE-2018-11386: Denial of service when using PDOSessionHandler

Affected versions: >=2.0.0, <2.1.0; >=2.1.0, <2.2.0; >=2.2.0, <2.3.0; >=2.3.0, <2.4.0; >=2.4.0, <2.5.0; >=2.5.0, <2.6.0; >=2.6.0, <2.7.0; >=2.7.0, <2.7.48; >=2.8.0, <2.8.41; >=3.0.0, <3.1.0; >=3.1.0, <3.2.0; >=3.2.0, <3.3.0; >=3.3.0, <3.3.17; >=3.4.0, <3.4.11; >=4.0.0, <4.0.11

Sourced from The PHP Security Advisories Database.

CVE-2019-10909: Escape validation messages in the PHP templating engine

Affected versions: >=2.7.0, <2.7.51; >=2.8.0, <2.8.50; >=3.0.0, <3.1.0; >=3.1.0, <3.2.0; >=3.2.0, <3.3.0; >=3.3.0, <3.4.0; >=3.4.0, <3.4.26; >=4.0.0, <4.1.0; >=4.1.0, <4.1.12; >=4.2.0, <4.2.7

Sourced from The PHP Security Advisories Database.

CVE-2019-10911: Add a separator in the remember me cookie hash

Affected versions: >=2.7.0, <2.7.51; >=2.8.0, <2.8.50; >=3.0.0, <3.1.0; >=3.1.0, <3.2.0; >=3.2.0, <3.3.0; >=3.3.0, <3.4.0; >=3.4.0, <3.4.26; >=4.0.0, <4.1.0; >=4.1.0, <4.1.12; >=4.2.0, <4.2.7

Sourced from The PHP Security Advisories Database.

CVE-2019-10913: Reject invalid HTTP method overrides

Affected versions: >=2.7.0, <2.7.51; >=2.8.0, <2.8.50; >=3.0.0, <3.1.0; >=3.1.0, <3.2.0; >=3.2.0, <3.3.0; >=3.3.0, <3.4.0; >=3.4.0, <3.4.26; >=4.0.0, <4.1.0; >=4.1.0, <4.1.12; >=4.2.0, <4.2.7

Sourced from The PHP Security Advisories Database.

CVE-2019-10912: Prevent destructors with side-effects from being unserialized

Affected versions: >=2.8.0, <2.8.50; >=3.0.0, <3.1.0; >=3.1.0, <3.2.0; >=3.2.0, <3.3.0; >=3.3.0, <3.4.0; >=3.4.0, <3.4.26; >=4.0.0, <4.1.0; >=4.1.0, <4.1.12; >=4.2.0, <4.2.7

Sourced from The PHP Security Advisories Database.

CVE-2019-10910: Check service IDs are valid

Affected versions: >=2.7.0, <2.7.51; >=2.8.0, <2.8.50; >=3.0.0, <3.1.0; >=3.1.0, <3.2.0; >=3.2.0, <3.3.0; >=3.3.0, <3.4.0; >=3.4.0, <3.4.26; >=4.0.0, <4.1.0; >=4.1.0, <4.1.12; >=4.2.0, <4.2.7

Release notes

Sourced from symfony/symfony's releases.

v3.4.35

Changelog (since symfony/symfony@v3.4.34...v3.4.35)

• bug #34344 [Console] Constant STDOUT might be undefined (@​nicolas-grekas)
• security #cve-2019-18889 [Cache] forbid serializing AbstractAdapter and TagAwareAdapter instances (@​nicolas-grekas)
• security #cve-2019-18888 [HttpFoundation] fix guessing mime-types of files with leading dash (@​nicolas-grekas)
• security #cve-2019-18887 [HttpKernel] Use constant time comparison in UriSigner (@​stof)

[PR] symfony/symfony#34350
[SECURITY] Security release

v3.4.34

Changelog (since symfony/symfony@v3.4.33...v3.4.34)

• bug #34297 [DI] fix locators with numeric keys (@​nicolas-grekas)
• bug #34282 [DI] Dont cache classes with missing parents (@​nicolas-grekas)
• bug #34181 [Stopwatch] Fixed bug in getDuration when counting multiple ongoing periods (@​TimoBakx)
• bug #34179 [Stopwatch] Fixed a bug in StopwatchEvent::getStartTime (@​TimoBakx)
• bug #34203 [FrameworkBundle] [HttpKernel] fixed correct EOL and EOM month (@​erics86)

[PR] symfony/symfony#34322

v3.4.33

Changelog (since symfony/symfony@v3.4.32...v3.4.33)

• bug #33998 [Config] Disable default alphabet sorting in glob function due of unstable sort (@​hurricane-voronin)
• bug #34144 [Serializer] Improve messages for unexpected resources values (@​fancyweb)
• bug #34080 [SecurityBundle] correct types for default arguments for firewall configs (@​shieldo)
• bug #33999 [Form] Make sure to collect child forms created on *_SET_DATA events (@​yceruto)
• bug #34021 [TwigBridge] do not render errors for checkboxes twice (@​xabbuh)
• bug #34041 [HttpKernel] fix wrong removal of the just generated container dir (@​nicolas-grekas)
• bug #34023 [Dotenv] allow LF in single-quoted strings (@​nicolas-grekas)
• bug #33818 [Yaml] Throw exception for tagged invalid inline elements (@​gharlan)
• bug #33948 [PropertyInfo] Respect property name case when guessing from public method name (@​antograssiot)
• bug #33962 [Cache] fixed TagAwareAdapter returning invalid cache (@​v-m-i)
• bug #33965 [HttpFoundation] Add plus character + to legal mime subtype (@​ilzrv)
• bug #32943 [Dotenv] search variable values in ENV first then env file (@​soufianZantar)
• bug #33943 [VarDumper] fix resetting the "bold" state in CliDumper (@​nicolas-grekas)

[PR] symfony/symfony#34208

v3.4.32

Changelog (since symfony/symfony@v3.4.31...v3.4.32)

• bug #33834 [Validator] Fix ValidValidator group cascading usage (@​fancyweb)
• bug #33841 [VarDumper] fix dumping uninitialized SplFileInfo (@​nicolas-grekas)
• bug #33799 [Security]: Don't let falsy usernames slip through impersonation (@​j4nr6n)
• bug #33814 [HttpFoundation] Check if data passed to SessionBagProxy::initialize is an array (@​mynameisbogdan)
• bug #33805 [FrameworkBundle] Fix wrong returned status code in ConfigDebugCommand (@​jschaedl)
• bug #33781 [AnnotationCacheWarmer] add RedirectController to annotation cache (@​jenschude)

... (truncated)

Changelog

Sourced from symfony/symfony's changelog.

• 3.4.35 (2019-11-13)

• bug #34344 [Console] Constant STDOUT might be undefined (nicolas-grekas)

• security #cve-2019-18889 [Cache] forbid serializing AbstractAdapter and TagAwareAdapter instances (nicolas-grekas)

• security #cve-2019-18888 [HttpFoundation] fix guessing mime-types of files with leading dash (nicolas-grekas)

• security #cve-2019-18887 [HttpKernel] Use constant time comparison in UriSigner (stof)

• 3.4.34 (2019-11-11)

• bug #34297 [DI] fix locators with numeric keys (nicolas-grekas)

• bug #34282 [DI] Dont cache classes with missing parents (nicolas-grekas)

• bug #34181 [Stopwatch] Fixed bug in getDuration when counting multiple ongoing periods (TimoBakx)

• bug #34179 [Stopwatch] Fixed a bug in StopwatchEvent::getStartTime (TimoBakx)

• bug #34203 [FrameworkBundle] [HttpKernel] fixed correct EOL and EOM month (erics86)

• 3.4.33 (2019-11-01)

• bug #33998 [Config] Disable default alphabet sorting in glob function due of unstable sort (hurricane-voronin)

• bug #34144 [Serializer] Improve messages for unexpected resources values (fancyweb)

• bug #34080 [SecurityBundle] correct types for default arguments for firewall configs (shieldo)

• bug #33999 [Form] Make sure to collect child forms created on *_SET_DATA events (yceruto)

• bug #34021 [TwigBridge] do not render errors for checkboxes twice (xabbuh)

• bug #34041 [HttpKernel] fix wrong removal of the just generated container dir (nicolas-grekas)

• bug #34023 [Dotenv] allow LF in single-quoted strings (nicolas-grekas)

• bug #33818 [Yaml] Throw exception for tagged invalid inline elements (gharlan)

• bug #33948 [PropertyInfo] Respect property name case when guessing from public method name (antograssiot)

• bug #33962 [Cache] fixed TagAwareAdapter returning invalid cache (v-m-i)

• bug #33965 [HttpFoundation] Add plus character + to legal mime subtype (ilzrv)

• bug #32943 [Dotenv] search variable values in ENV first then env file (soufianZantar)

• bug #33943 [VarDumper] fix resetting the "bold" state in CliDumper (nicolas-grekas)

• 3.4.32 (2019-10-07)

• bug #33834 [Validator] Fix ValidValidator group cascading usage (fancyweb)

• bug #33841 [VarDumper] fix dumping uninitialized SplFileInfo (nicolas-grekas)

• bug #33799 [Security]: Don't let falsy usernames slip through impersonation (j4nr6n)

• bug #33814 [HttpFoundation] Check if data passed to SessionBagProxy::initialize is an array (mynameisbogdan)

• bug #33805 [FrameworkBundle] Fix wrong returned status code in ConfigDebugCommand (jschaedl)

• bug #33781 [AnnotationCacheWarmer] add RedirectController to annotation cache (jenschude)

• bug #33777 Fix the :only-of-type pseudo class selector (jakzal)

• bug #32051 [Serializer] Add CsvEncoder tests for PHP 7.4 (ro0NL)

• feature #33776 Copy phpunit.xsd to a predictable path (julienfalque)

• bug #33759 [Security/Http] fix parsing X509 emailAddress (nicolas-grekas)

• bug #33733 [Serializer] fix denormalization of string-arrays with only one element (mkrauser)

• bug #33754 [Cache] fix known tag versions ttl check (SwenVanZanten)

• bug #33646 [HttpFoundation] allow additinal characters in not raw cookies (marie)

• bug #33748 [Console] Do not include hidden commands in suggested alternatives (m-vo)

• bug #33625 [DependencyInjection] Fix wrong exception when service is synthetic (k0d3r1s)

• bug #32522 [Validator] Accept underscores in the URL validator, as the URL will load (battye)

• bug #32437 Fix toolbar load when GET params are present in "_wdt" route (Molkobain)

... (truncated)

Commits

• 2adc85d Merge pull request #34350 from fabpot/release-3.4.35
• 02257c8 updated VERSION for 3.4.35
• 3e25850 updated CHANGELOG for 3.4.35
• 32bde39 bug #34344 [Console] Constant STDOUT might be undefined (nicolas-grekas)
• 53dc781 minor #34340 Allow returning null from NormalizerInterface::normalize (teohha...
• bb8c82c [Console] Constant STDOUT might be undefined.
• 1c8edc5 Allow returning null from NormalizerInterface::normalize
• 4cc37df security #cve-2019-18889 [Cache] forbid serializing AbstractAdapter and TagAw...
• b21025b security #cve-2019-18888 [HttpFoundation] fix guessing mime-types of files wi...
• 0102134 security #cve-2019-18887 [HttpKernel] Use constant time comparison in UriSign...
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
• @dependabot use these labels will set the current labels as the default for future PRs for this repo and language
• @dependabot use these reviewers will set the current reviewers as the default for future PRs for this repo and language
• @dependabot use these assignees will set the current assignees as the default for future PRs for this repo and language
• @dependabot use this milestone will set the current milestone as the default for future PRs for this repo and language
• @dependabot badge me will comment on this PR with code to add a "Dependabot enabled" badge to your readme

Additionally, you can set the following in your Dependabot dashboard:

• Update frequency (including time of day and day of week)
• Pull request limits (per update run and/or open at any time)
• Out-of-range updates (receive only lockfile updates, if desired)
• Security updates (receive only security updates, if desired)