A week of symfony #394 (14->20 July 2014)

July 20, 2014 · Published by Avatar of Javier Eguiluz Javier Eguiluz

This week Symfony published three security releases to address a potential code injection issue in the way Symfony implements translation caching in FrameworkBundle. In addition, it fixed object initializers for Validator component and it removed spaceless blocks from Twig templates.

Symfony2 development highlights

2.3 changelog:

  • 8f9ed3e: [Twig Bridge] removed Spaceless Blocks from Twig Form Templates
  • 06fc97e: [HttpFoundation] prevented magic bytes injection in JSONP responses (CVE-2014-4671)
  • 06a80fb, 3176f8b: validate locales sets into translator
  • d418935: [Process] fixed unit tests on Windows platform
  • 91e32f8: [Process] use correct test for empty string in UnixPipes
  • 291cbf9: [Validator] object initializers are called only once per object

2.4 changelog:

  • 793a083: removed Spaceless Blocks From Twig Templates

2.5 changelog:

  • 2ac1bb4: [Console] removed estimated field from debug_nomax
  • 705d67b: [Form] solved dependency to ValidatorInterface

Master changelog:

Newest issues and pull requests

They talked about us

Published in #A week of symfony

Help the Symfony project!

As with any Open-Source project, contributing code or documentation is the most common way to help, but we also have a wide range of sponsoring opportunities.

Comments

Avatar of Peter Bailey
Peter Bailey said on Jul 21, 2014
Any news regarding the CNET hack, which has been (at least, in the media) identified as a vulnerability in their Symfony installation? We're assuming that this was not a day-zero exploit, but rather something older or related to their specific configuration.

Anyway, there is a lot of speculation and conjecture on what exactly the issue was. I realize you guys may not know yourselves, but some official announcement from the Symfony team would be very welcome indeed.

Comments are closed.

To ensure that comments stay relevant, they are closed for old posts.