Symfony Blog
CVE-2019-10912: Prevent destructors with side-effects from being unserialized
CVE-2019-10912 fixes an issue where files could be deleted or raw output echoed when some classes were unserialized.
CVE-2019-10911: Add a separator in the remember me cookie hash
CVE-2019-10911 fixes an issue where the different parts of the content of a cookie were not clearly differentiated, which could allow authenticating as a different user in particular situations.
CVE-2019-10913: Reject invalid HTTP method overrides
CVE-2019-10913 ensures that HTTP methods are sanitized for use in unescaped contexts.
CVE-2019-10910: Check service IDs are valid
CVE-2019-10910 fixes an issue where crafted service IDs could be executed as code.
New in Symfony 4.3: Sodium password encoder
In Symfony 4.3 we've replaced the Argon2iPasswordEncoder with a new generic SodiumPasswordEncoder that supports all the Argon2 variants (argon2d, argon2i, and argon2id).