This week, Symfony released versions 2.7.48, 2.8.41, 3.3.17, 3.4.11 and 4.0.11 to address several security vulnerabilities. Meanwhile, Symfony 4.1.0 beta3 was published in preparation for next week's final release. Lastly, it was announced that the SymfonyLive USA 2018 conference will take place in San Francisco on October 11th and 12th.

Symfony development highlights

2.7 changelog:

  • 47e7268: [HttpFoundation] break infinite loop in PdoSessionHandler when MySQL is in loose mode
  • fa5bf4b: [Security] added session strategy to ALL listeners to avoid any possible fixation
  • 319e1bd: [Security] clear CSRF tokens when the user is logged out
  • b20e835: [SecurityBundle] fail if security.http_utils cannot be configured
  • ab32125: [HttpFoundation] fixed a performance issue during MimeTypeGuesser initialization

3.4 changelog:

  • fad1e1f: [Security] added session authentication strategy to Guard to avoid session fixation
  • 194caff: [Security] migrated session for UsernamePasswordJsonAuthenticationListener
  • 46c2d4b: [DependencyInjection] fixed bad exception on uninitialized references to non-shared services
  • e2ba3af: [HttpFoundation] fixed cookie test with xdebug
  • 4279f53: [DependencyInjection] never inline lazy services
  • cb106fa: [Serializer] check the value of enable_max_depth if defined
  • 79bd461: [HttpKernel] reset kernel start time on reboot

4.1 changelog:

  • 70c70e2: [PhpUnit Bridge] suppress deprecation notices thrown when getting private services from container in tests
  • 7fb7cf2: [Serializer] fixed and improved ConstraintViolationListNormalizer's RFC7807 compliance
  • 2fd30a6: [FrameworkBundle] fixed test.service_container usage when Client is rebooted
  • 7d23ac5: [HttpKernel] fixed deprecation in AbstractTestSessionListener
  • 9e6fbe8: [Routing] account for greediness when merging route patterns

Master changelog:

  • ec6d46c: [Security] added "is_granted()" to security expressions and deprecated "has_role()"
  • bd6769e: [Cache] added TaggableCacheInterface to simplify cache usage
  • f827fec: [DependencyInjection] allowed binding by type+name
  • eceabee: [DependencyInjection] allowed selecting a specific key from an array-resolved env var
  • d314735: [Security] FirewallMap/FirewallContext deprecations
  • f557f94: [Security] no more support for custom anon/remember tokens based on FQCN
