
Request for testing - symfony



I have prepared an update to symfony (version 2.3.21+dfsg-4+deb8u4)
which is in need of testing.  I intend to upload in one week's time if I do
not receive any reports of problems.  Read on for details if you are in
a position to help with testing these packages.

I attempted to test the changes myself (I am familiar with PHP) but it
turns out that Symfony is an entirely different sort of matter.  In
particular, the Debian package itself contains no documentation about
how to set up even a basic Symfony app, and all of the online
documentation is geared toward the upstream preferred installation
method which, among other things, requires downloading an installer
script and ends up creating a symfony executable binary.

In any event, my attempts at testing have so far been unable to overcome
these obstacles and I fear that continuing to try to figure this out for
myself will only result in lots of wasted time and effort.

To that end, I am requesting that anyone out there using Symfony on
jessie and familiar with it please consider installing this upload
candidate and report any issues encountered.

Note that upstream has a very robust unit test suite and I made sure to
include any new or updated unit tests with each upstream commit that I
backported.

The packages may be downloaded here: https://people.debian.org/~roberto/

symfony (2.3.21+dfsg-4+deb8u4) jessie-security; urgency=high

  * Non-maintainer upload by the LTS Team.
  * Cherry-pick upstream commit to fix unit test regression caused by PHP
    5.6.27 (specifically, the fix for PHP bug 72972)
  * Fix additional unit test failures resulting from dates too far in the past
  * Cherry-pick upstream commits to fix security issues
    + Fix CVE-2017-16652: [Security] Validate redirect targets using the
      session cookie domain
    + Fix CVE-2017-16654: prevent bundle readers from breaking out of paths
    + Fix CVE-2018-11385: Adding session strategy to ALL listeners to avoid
      *any* possible fixation
    + Fix CVE-2018-11408: [SecurityBundle] Fail if security.http_utils cannot
      be configured
    + Fix CVE-2018-14773: [HttpFoundation] Remove support for legacy and risky
      HTTP headers
    + Fix CVE-2018-19789: [Form] Filter file uploads out of regular form types
    + Fix CVE-2018-19790: [Security\Http] detect bad redirect targets using
      backslashes

 -- Roberto C. Sanchez <roberto@debian.org>  Fri, 01 Mar 2019 09:20:42 -0500

Regards,

-Roberto

-- 
Roberto C. Sánchez

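To make the two redirect-related changelog entries (CVE-2017-16652, "validate redirect targets using the session cookie domain", and CVE-2018-19790, "detect bad redirect targets using backslashes") concrete for anyone testing the package, here is an added illustration of the kind of check they describe. It is not Symfony's code and not part of Roberto's mail; the function name, the plain `$cookieDomain` parameter and the sample targets are assumptions constructed for this example, and the exact rules Symfony applies may differ.

```php
<?php
// Added example, not Symfony's implementation: a conservative redirect-target
// check in the spirit of the changelog entries above.  The session cookie
// domain is passed in as a plain string here (assumption); the point is only
// to show which targets such a check should refuse.

function isSafeRedirectTarget(string $target, string $cookieDomain): bool
{
    // Browsers normalise backslashes to forward slashes, so a target such as
    // "https://good.test\@evil.test/" can be parsed one way by parse_url() and
    // another way by the browser.  Refuse any backslash outright.
    if (strpos($target, '\\') !== false) {
        return false;
    }

    // Protocol-relative targets ("//evil.test/...") leave the site without an
    // explicit scheme and would slip past a naive "starts with /" check.
    if (substr($target, 0, 2) === '//') {
        return false;
    }

    $parts = parse_url($target);
    if ($parts === false) {
        return false;
    }

    // Only plain web schemes are acceptable; this rejects javascript:, data:, etc.
    if (isset($parts['scheme']) && !in_array(strtolower($parts['scheme']), ['http', 'https'], true)) {
        return false;
    }

    // No host: treat as a local path and insist it is absolute ("/account").
    if (!isset($parts['host'])) {
        return isset($parts['path']) && $parts['path'] !== '' && $parts['path'][0] === '/';
    }

    $host   = strtolower($parts['host']);
    $domain = strtolower(ltrim($cookieDomain, '.'));

    // Exact match, or a subdomain with a dot boundary, so that
    // "notexample.test" is not accepted for cookie domain ".example.test".
    $suffix = '.' . $domain;
    return $host === $domain || substr($host, -strlen($suffix)) === $suffix;
}

// Constructed sample inputs (not taken from any real deployment).
$cookieDomain = '.example.test';
$cases = [
    '/account'                             => true,
    'https://example.test/account'         => true,
    'https://app.example.test/login'       => true,
    'https://evil.test/'                   => false,
    'https://notexample.test/'             => false,
    '//evil.test/'                         => false,
    'https://example.test\\@evil.test/'    => false,  // backslash: CVE-2018-19790 class
    'javascript:alert(1)'                  => false,
];

foreach ($cases as $target => $expected) {
    $got = isSafeRedirectTarget($target, $cookieDomain);
    printf("%-40s %s\n", $target, $got === $expected ? 'ok' : 'MISMATCH');
}
```

Run with `php redirect-check.php`; every line should print `ok`. When testing the updated package on jessie, the same inputs fed to a login or logout `_target_path` parameter are the ones worth checking: a target outside the session cookie domain, or one containing a backslash, should no longer be followed.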
