Symfony 2.3.19 has just been released. Here is a list of the most important changes:

security #11832 `CVE-2014-6072 <http://symfony.com/blog/cve-2014-6072-csrf-vulnerability-in-the-web-profiler>`_ (fabpot)
security #11831 `CVE-2014-5245 <http://symfony.com/blog/cve-2014-5245-direct-access-of-esi-urls-behind-a-trusted-proxy>`_ (stof)
security #11830 `CVE-2014-4931 <http://symfony.com/blog/security-releases-cve-2014-4931-symfony-2-3-18-2-4-8-and-2-5-2-released>`_ (aitboudad, Jérémy Derussé)
security #11829 `CVE-2014-6061 <http://symfony.com/blog/cve-2014-6061-security-issue-when-parsing-the-authorization-header>`_ (damz, fabpot)
security #11828 `CVE-2014-5244 <http://symfony.com/blog/cve-2014-5244-denial-of-service-with-a-malicious-http-host-header>`_ (nicolas-grekas, larowlan)
bug #10197 [FrameworkBundle] PhpExtractor bugfix and improvements (mtibben)
bug #11772 [Filesystem] Add FTP stream wrapper context option to enable overwrite (Damian Sromek)
bug #11788 [Yaml] fixed mapping keys containing a quoted # (hvt, fabpot)
bug #11160 [DoctrineBridge] Abstract Doctrine Subscribers with tags (merk)
bug #11768 [ClassLoader] Add a __call() method to XcacheClassLoader (tstoeckler)
bug #11726 [Filesystem Component] mkdir race condition fix #11626 (kcassam)
bug #11677 [YAML] resolve variables in inlined YAML (xabbuh)
bug #11639 [DependencyInjection] Fixed factory service not within the ServiceReferenceGraph. (boekkooi)
bug #11778 [Validator] Fixed wrong translations for Collection constraints (samicemalone)
bug #11756 [DependencyInjection] fix @return anno created by PhpDumper (jakubkulhan)
bug #11711 [DoctrineBridge] Fix empty parameter logging in the dbal logger (jakzal)
bug #11692 [DomCrawler] check for the correct field type (xabbuh)
bug #11672 [Routing] fix handling of nullable XML attributes (xabbuh)
bug #11624 [DomCrawler] fix the axes handling in a bc way (xabbuh)
bug #11676 [Form] Fixed #11675 ValueToDuplicatesTransformer accept "0" value (Nek-)
bug #11695 [Validators] Fixed failing tests requiring ICU 52.1 which are skipped otherwise (webmozart)
bug #11529 [WebProfilerBundle] Fixed double height of canvas (hason)
bug #11641 [WebProfilerBundle ] Fix toolbar vertical alignment (blaugueux)
bug #11559 [Validator] Convert objects to string in comparison validators (webmozart)
feature #11510 [HttpFoundation] MongoDbSessionHandler supports auto expiry via configurable expiry_field (catchamonkey)
bug #11408 [HttpFoundation] Update QUERY_STRING when overrideGlobals (yguedidi)
bug #11633 [FrameworkBundle] add missing attribute to XSD (xabbuh)
bug #11601 [Validator] Allow basic auth in url when using UrlValidator. (blaugueux)
bug #11609 [Console] fixed style creation when providing an unknown tag option (fabpot)
bug #10914 [HttpKernel] added an analyze of environment parameters for built-in server (mauchede)
bug #11598 [Finder] Shell escape and windows support (Gordon Franke, gimler)
bug #11499 [BrowserKit] Fixed relative redirects for ambiguous paths (pkruithof)
bug #11516 [BrowserKit] Fix browser kit redirect with ports (dakota)
bug #11545 [Bundle][FrameworkBundle] built-in server: exit when docroot does not exist (xabbuh)
bug #11560 Plural fix (1emming)
bug #11558 [DependencyInjection] Fixed missing 'factory-class' attribute in XmlDumper output (kerdany)
bug #11548 [Component][DomCrawler] fix axes handling in Crawler::filterXPath() (xabbuh)
bug #11422 [DependencyInjection] Self-referenced 'service_container' service breaks garbage collection (sun)
bug #11428 [Serializer] properly handle null data when denormalizing (xabbuh)
bug #10687 [Validator] Fixed string conversion in constraint violations (eagleoneraptor, webmozart)
bug #11475 [EventDispatcher] don't count empty listeners (xabbuh)
bug #11436 fix signal handling in wait() on calls to stop() (xabbuh, romainneutron)
bug #11469 [BrowserKit] Fixed server HTTP_HOST port uri conversion (bcremer, fabpot)
bug #11425 Fix issue described in #11421 (Ben, ben-rosio)
bug #11423 Pass a Scope instance instead of a scope name when cloning a container in the GrahpvizDumper (jakzal)
bug #11120 [Process] Reduce I/O load on Windows platform (romainneutron)
bug #11342 [Form] Check if IntlDateFormatter constructor returned a valid object before using it (romainneutron)
bug #11411 [Validator] Backported #11410 to 2.3: Object initializers are called only once per object (webmozart)
bug #11403 [Translator][FrameworkBundle] Added @ to the list of allowed chars in Translator (takeit)
bug #11381 [Process] Use correct test for empty string in UnixPipes (whs, romainneutron)

Want to check the integrity of this new version? Read my blog post about signing releases .

Want to be notified whenever a new Symfony release is published? Or when a version is not maintained anymore? Or only when a security issue is fixed? Consider subscribing to the Symfony Roadmap Notifications.

Published in #Releases

Filip Procházka said on Sep 3, 2014 at 13:46

Hi, the vuln that I reported was already in the process of beeing fixed, or do you have it under the same CVE? I'm a bit confused.

Fabien Potencier Certified said on Sep 3, 2014 at 14:26

Filip: Yes, this is the same CVE as this is the same bug that we did not fix correctly in the previous version.

Symfony 2.3.19 released

Comments

Become a Symfony contributor