AddToAny

Share this

 

Feed items

  • warning: Declaration of views_handler_argument::init(&$view, &$options) should be compatible with views_handler::init(&$view, $options) in /home/clients/ru/domains/development4web.com/html/sites/all/modules/views/handlers/views_handler_argument.inc on line 48.
  • warning: Declaration of views_handler_filter_boolean_operator::value_validate(&$form, &$form_state) should be compatible with views_handler_filter::value_validate($form, &$form_state) in /home/clients/ru/domains/development4web.com/html/sites/all/modules/views/handlers/views_handler_filter_boolean_operator.inc on line 111.
  • warning: Declaration of views_plugin_row_node_view::options_form(&$form, &$form_state) should be compatible with views_plugin_row::options_form($form, &$form_state) in /home/clients/ru/domains/development4web.com/html/sites/all/modules/views/modules/node/views_plugin_row_node_view.inc on line 35.

Symfony 7.1.8 released

Symfony 7.1.8 has just been released.
Here is the list of the most important changes since 7.1.7:




Symfony 6.4.15 released

Symfony 6.4.15 has just been released.
Here is the list of the most important changes since 6.4.14:




Symfony 5.4.47 released

Symfony 5.4.47 has just been released.
Here is the list of the most important changes since 5.4.46:




A Week of Symfony #932 (4-10 November 2024)

This week, Symfony 5.4.46, 6.4.14, and 7.1.7, maintenance versions were released. In addition, we released the second beta version of Symfony 7.2 ahead of its final release at the end of November 2024.




Twig CVE-2024-51754: Unguarded calls to __toString() in a sandbox when an object is in an array or an argument list

Affected versions

Twig versions <3.11.2; >=3.12,<3.14.1 are affected by this security issue.

The issue has been fixed in Twig 3.11.2 and 3.14.1.
Note that Twig versions 1 and 2 are not maintained anymore and are vulnerable.

Description

In a sandbox, an attacker can call __toString() on an object even if the __toString() method is not allowed by the security policy when the object is part of an array or an argument list (arguments to a function or a filter for instance).




Twig CVE-2024-51755: Unguarded calls to __isset() and to array-accesses in a sandbox

Affected versions

Twig versions <3.11.2; >=3.12,<3.14.1 are affected by this security issue.

The issue has been fixed in Twig 3.11.2 and 3.14.1.
Note that Twig versions 1 and 2 are not maintained anymore and are vulnerable.

Description

In a sandbox, and attacker can access attributes of Array-like objects as they were not checked by the security policy.
They are now checked via the property policy and the __isset() method is now called after the security check.
This is a BC break.




CVE-2024-50342: Internal address and port enumeration allowed by NoPrivateNetworkHttpClient

Affected versions

Symfony versions <5.4.46; >=6, <6.4.14; >=7, <7.1.7 of the Symfony HttpClient component are affected by this security issue.

The issue has been fixed in Symfony 5.4.46, 6.4.14, and 7.1.7.

Description

When using the NoPrivateNetworkHttpClient, some internal information is still leaking during host resolution, which leads to possible IP/port enumeration.

Resolution

The NoPrivateNetworkHttpClient now filters blocked IPs earlier to prevent such leaks.