May 27, 2018 Javier Eguiluz

This week Symfony released versions 2.7.48, 2.8.41, 3.3.17, 3.4.11 and 4.0.11 to address several security vulnerabilities. Meanwhile, Symfony 4.1.0 beta3 was published in preparation for next week's final release. Lastly, it was announced that the SymfonyLive USA 2018 conference will take place in San Francisco on October 11th and 12th.

Symfony development highlights

2.7 changelog:

47e7268: [HttpFoundation] break infinite loop in PdoSessionHandler when MySQL is in loose mode

fa5bf4b: [Security] added session strategy to ALL listeners to avoid any possible fixation

319e1bd: [Security] clear CSRF tokens when the user is logged out

b20e835: [SecurityBundle] fail if security.http_utils cannot be configured

ab32125: [HttpFoundation] fixed a performance issue during MimeTypeGuesser initialization

3.4 changelog:

fad1e1f: [Security] added session authentication strategy to Guard to avoid session fixation

194caff: [Security] migrated session for UsernamePasswordJsonAuthenticationListener

46c2d4b: [DependencyInjection] fixed bad exception on uninitialized references to non-shared services

e2ba3af: [HttpFoundation] fixed cookie test with xdebug

4279f53: [DependencyInjection] never inline lazy services

cb106fa: [Serializer] check the value of enable_max_depth if defined

79bd461: [HttpKernel] reset kernel start time on reboot

4.1 changelog:

70c70e2: [PhpUnit Bridge] suppress deprecation notices thrown when getting private services from container in tests

7fb7cf2: [Serializer] fixed and improved constraintViolationListNormalizer's RFC7807 compliance

2fd30a6: [FrameworkBundle] fixed test.service_container usage when Client is rebooted

7d23ac5: [HttpKernel] fixed deprecation in AbstractTestSessionListener

9e6fbe8: [Routing] account for greediness when merging route patterns

Master changelog:

ec6d46c: [Security] added "is_granted()" to security expressions and deprecate "has_role()"

bd6769e: [Cache] added TaggableCacheInterface to simplify cache usage

f827fec: [DependencyInjection] allowed binding by type+name

eceabee: [DependencyInjection] allowed to select specific key from an array resolved env var

d314735: [Security] FirewallMap/FirewallContext deprecations

f557f94: [Security] no more support for custom anon/remember tokens based on FQCN
