Symfony 4.2.1 released

Symfony 4.2.1 has just been released. Here is a list of the most important changes:

• security #cve-2018-19790 [SecurityHttp] detect bad redirect targets using backslashes (@xabbuh)
• security #cve-2018-19789 [Form] Filter file uploads out of regular form types (@nicolas-grekas)
• bug #29481 [TwigBridge] Deprecating legacy Twig paths in DebugCommand and simplifications (@yceruto)
• bug #29436 [Cache] Fixed Memcached adapter doClear()to call flush() (@raitocz)
• bug #29482 Fixes sprintf(): Too few arguments in MessageFormatter::choiceFormat (@stephanedelprat)
• bug #29461 [Contracts] extract LocaleAwareInterface out of TranslatorInterface (@nicolas-grekas)
• bug #29446 [VarExporter] fix dumping private properties from abstract classes (@nicolas-grekas)
• bug #29441 [Routing] ignore trailing slash for non-GET requests (@nicolas-grekas)
• bug #29445 [FrameworkBundle] Fix empty output for debug:autowiring when reflection-docblock is not installed (@chalasr)
• bug #29444 [Workflow] Fixed BC break for Workflow metadata (@lyrixx)
• bug #29432 [DI] dont inline when lazy edges are found (@nicolas-grekas)
• bug #29413 [Serializer] fixed DateTimeNormalizer to maintain microseconds when a different timezone required (@rvitaliy)
• bug #29424 [Routing] fix taking verb into account when redirecting (@nicolas-grekas)
• bug #29418 [VarExporter] fix dumping protected property from abstract classes (@nicolas-grekas)
• bug #29414 [DI] Fix dumping expressions accessing single-use private services (@chalasr)
• bug #28853 [LDAP] Add TIMEOUT Option to LDAP Connection Options (@lmatte7)
• bug #29399 [FrameworkBundle] define doctrine as defaul _pd _provider only if the package is installed (@nicolas-grekas)
• bug #29375 [Validator] Allow ConstraintViolation::toString() to expose codes that are not null or emtpy strings (@phansys)
• bug #29376 [EventDispatcher] Fix eventListener wrapper loop in TraceableEventDispatcher (@jderusse)
• bug #29386 undeprecate the single-colon notation for controllers (@fbourigault)
• bug #29393 [DI] fix edge case in InlineServiceDefinitionsPass (@nicolas-grekas)
• bug #29394 [Config] fix path exclusion during glob discovery (@nicolas-grekas)
• bug #29395 [FrameworkBundle][Messenger] Restore check for messenger serializer default id (@ogizanagi)
• bug #29380 [Routing] fix greediness of trailing slash (@nicolas-grekas)
• security #cve-2018-14774 [HttpKernel] fix trusted headers management in HttpCache and InlineFragmentRenderer (@nicolas-grekas)
• security #cve-2018-14773 [HttpFoundation] Remove support for legacy and risky HTTP headers (@nicolas-grekas)

Want to upgrade to this new release? Fortunately, because Symfony protects backwards-compatibility very closely, this should be quite easy. Read our upgrade documentation to learn more.

Want to be notified whenever a new Symfony release is published? Or when a version is not maintained anymore? Or only when a security issue is fixed? Consider subscribing to the Symfony Roadmap Notifications.