Symfony 2.3.19 released

Warning: Symfony 2.3 is no longer supported. Consider upgrading your applications to the most recent Symfony version.

Symfony 2.3.19 has just been released. Here is a list of the most important changes:

  • security #11832 CVE-2014-6072 (fabpot)
  • security #11831 CVE-2014-5245 (stof)
  • security #11830 CVE-2014-4931 (aitboudad, Jérémy Derussé)
  • security #11829 CVE-2014-6061 (damz, fabpot)
  • security #11828 CVE-2014-5244 (nicolas-grekas, larowlan)
  • bug #10197 [FrameworkBundle] PhpExtractor bugfix and improvements (mtibben)
  • bug #11772 [Filesystem] Add FTP stream wrapper context option to enable overwrite (Damian Sromek)
  • bug #11788 [Yaml] fixed mapping keys containing a quoted # (hvt, fabpot)
  • bug #11160 [DoctrineBridge] Abstract Doctrine Subscribers with tags (merk)
  • bug #11768 [ClassLoader] Add a __call() method to XcacheClassLoader (tstoeckler)
  • bug #11726 [Filesystem Component] mkdir race condition fix #11626 (kcassam)
  • bug #11677 [YAML] resolve variables in inlined YAML (xabbuh)
  • bug #11639 [DependencyInjection] Fixed factory service not within the ServiceReferenceGraph. (boekkooi)
  • bug #11778 [Validator] Fixed wrong translations for Collection constraints (samicemalone)
  • bug #11756 [DependencyInjection] fix @return anno created by PhpDumper (jakubkulhan)
  • bug #11711 [DoctrineBridge] Fix empty parameter logging in the dbal logger (jakzal)
  • bug #11692 [DomCrawler] check for the correct field type (xabbuh)
  • bug #11672 [Routing] fix handling of nullable XML attributes (xabbuh)
  • bug #11624 [DomCrawler] fix the axes handling in a bc way (xabbuh)
  • bug #11676 [Form] Fixed #11675 ValueToDuplicatesTransformer accept "0" value (Nek-)
  • bug #11695 [Validators] Fixed failing tests requiring ICU 52.1 which are skipped otherwise (webmozart)
  • bug #11529 [WebProfilerBundle] Fixed double height of canvas (hason)
  • bug #11641 [WebProfilerBundle] Fix toolbar vertical alignment (blaugueux)
  • bug #11559 [Validator] Convert objects to string in comparison validators (webmozart)
  • feature #11510 [HttpFoundation] MongoDbSessionHandler supports auto expiry via configurable expiry_field (catchamonkey)
  • bug #11408 [HttpFoundation] Update QUERY_STRING when overrideGlobals (yguedidi)
  • bug #11633 [FrameworkBundle] add missing attribute to XSD (xabbuh)
  • bug #11601 [Validator] Allow basic auth in url when using UrlValidator. (blaugueux)
  • bug #11609 [Console] fixed style creation when providing an unknown tag option (fabpot)
  • bug #10914 [HttpKernel] added an analyze of environment parameters for built-in server (mauchede)
  • bug #11598 [Finder] Shell escape and windows support (Gordon Franke, gimler)
  • bug #11499 [BrowserKit] Fixed relative redirects for ambiguous paths (pkruithof)
  • bug #11516 [BrowserKit] Fix browser kit redirect with ports (dakota)
  • bug #11545 [Bundle][FrameworkBundle] built-in server: exit when docroot does not exist (xabbuh)
  • bug #11560 Plural fix (1emming)
  • bug #11558 [DependencyInjection] Fixed missing 'factory-class' attribute in XmlDumper output (kerdany)
  • bug #11548 [Component][DomCrawler] fix axes handling in Crawler::filterXPath() (xabbuh)
  • bug #11422 [DependencyInjection] Self-referenced 'service_container' service breaks garbage collection (sun)
  • bug #11428 [Serializer] properly handle null data when denormalizing (xabbuh)
  • bug #10687 [Validator] Fixed string conversion in constraint violations (eagleoneraptor, webmozart)
  • bug #11475 [EventDispatcher] don't count empty listeners (xabbuh)
  • bug #11436 fix signal handling in wait() on calls to stop() (xabbuh, romainneutron)
  • bug #11469 [BrowserKit] Fixed server HTTP_HOST port uri conversion (bcremer, fabpot)
  • bug #11425 Fix issue described in #11421 (Ben, ben-rosio)
  • bug #11423 Pass a Scope instance instead of a scope name when cloning a container in the GraphvizDumper (jakzal)
  • bug #11120 [Process] Reduce I/O load on Windows platform (romainneutron)
  • bug #11342 [Form] Check if IntlDateFormatter constructor returned a valid object before using it (romainneutron)
  • bug #11411 [Validator] Backported #11410 to 2.3: Object initializers are called only once per object (webmozart)
  • bug #11403 [Translator][FrameworkBundle] Added @ to the list of allowed chars in Translator (takeit)
  • bug #11381 [Process] Use correct test for empty string in UnixPipes (whs, romainneutron)

Want to check the integrity of this new version? Read my blog post about signing releases.

Want to be notified whenever a new Symfony release is published? Or when a version is not maintained anymore? Or only when a security issue is fixed? Consider subscribing to the Symfony Roadmap Notifications.

Help the Symfony project!

As with any Open-Source project, contributing code or documentation is the most common way to help, but we also have a wide range of sponsoring opportunities.


Hi, the vuln that I reported was already in the process of being fixed, or do you have it under the same CVE? I'm a bit confused.
Filip: Yes, this is the same CVE as this is the same bug that we did not fix correctly in the previous version.
