A week of symfony #394 (14->20 July 2014)

This week Symfony published three security releases to address a potential code injection issue in the way Symfony implements translation caching in FrameworkBundle. In addition, it fixed object initializers for the Validator component and removed spaceless blocks from Twig templates.

Symfony2 development highlights

2.3 changelog:

  • 8f9ed3e: [Twig Bridge] removed Spaceless Blocks from Twig Form Templates
  • 06fc97e: [HttpFoundation] prevented magic bytes injection in JSONP responses (CVE-2014-4671)
  • 06a80fb, 3176f8b: validate locales sets into translator
  • d418935: [Process] fixed unit tests on Windows platform
  • 91e32f8: [Process] use correct test for empty string in UnixPipes
  • 291cbf9: [Validator] object initializers are called only once per object

2.4 changelog:

  • 793a083: removed Spaceless Blocks From Twig Templates

2.5 changelog:

  • 2ac1bb4: [Console] removed estimated field from debug_nomax
  • 705d67b: [Form] solved dependency to ValidatorInterface

Master changelog:

Newest issues and pull requests

They talked about us

Comments

Any news regarding the CNET hack, which has been (at least, in the media) identified as a vulnerability in their Symfony installation? We're assuming that this was not a day-zero exploit, but rather something older or related to their specific configuration.

Anyway, there is a lot of speculation and conjecture on what exactly the issue was. I realize you guys may not know yourselves, but some official announcement from the Symfony team would be very welcome indeed.
