December 6, 2018 Fabien Potencier

Symfony 4.2.1 has just been released. Here is a list of the most important changes:

security #cve-2018-19790 [SecurityHttp] detect bad redirect targets using backslashes (@xabbuh)

security #cve-2018-19789 [Form] Filter file uploads out of regular form types (@nicolas-grekas)

bug #29481 [TwigBridge] Deprecating legacy Twig paths in DebugCommand and simplifications (@yceruto)

bug #29436 [Cache] Fixed Memcached adapter doClear() to call flush() (@raitocz)

bug #29482 Fixes sprintf(): Too few arguments in MessageFormatter::choiceFormat (@stephanedelprat)

bug #29461 [Contracts] extract LocaleAwareInterface out of TranslatorInterface (@nicolas-grekas)

bug #29446 [VarExporter] fix dumping private properties from abstract classes (@nicolas-grekas)

bug #29441 [Routing] ignore trailing slash for non-GET requests (@nicolas-grekas)

bug #29445 [FrameworkBundle] Fix empty output for debug:autowiring when reflection-docblock is not installed (@chalasr)

bug #29444 [Workflow] Fixed BC break for Workflow metadata (@lyrixx)

bug #29432 [DI] don't inline when lazy edges are found (@nicolas-grekas)

bug #29413 [Serializer] fixed DateTimeNormalizer to maintain microseconds when a different timezone required (@rvitaliy)

bug #29424 [Routing] fix taking verb into account when redirecting (@nicolas-grekas)

bug #29418 [VarExporter] fix dumping protected property from abstract classes (@nicolas-grekas)

bug #29414 [DI] Fix dumping expressions accessing single-use private services (@chalasr)

bug #28853 [LDAP] Add TIMEOUT Option to LDAP Connection Options (@lmatte7)

bug #29399 [FrameworkBundle] define doctrine as default_pdo_provider only if the package is installed (@nicolas-grekas)

bug #29375 [Validator] Allow ConstraintViolation::toString() to expose codes that are not null or empty strings (@phansys)

bug #29376 [EventDispatcher] Fix eventListener wrapper loop in TraceableEventDispatcher (@jderusse)

bug #29386 undeprecate the single-colon notation for controllers (@fbourigault)

bug #29393 [DI] fix edge case in InlineServiceDefinitionsPass (@nicolas-grekas)

bug #29394 [Config] fix path exclusion during glob discovery (@nicolas-grekas)

bug #29395 [FrameworkBundle][Messenger] Restore check for messenger serializer default id (@ogizanagi)

bug #29380 [Routing] fix greediness of trailing slash (@nicolas-grekas)

security #cve-2018-14774 [HttpKernel] fix trusted headers management in HttpCache and InlineFragmentRenderer (@nicolas-grekas)

security #cve-2018-14773 [HttpFoundation] Remove support for legacy and risky HTTP headers (@nicolas-grekas)

Want to upgrade to this new release? Fortunately, because Symfony protects backwards-compatibility very closely, this should be quite easy. Read our upgrade documentation to learn more.

Want to be notified whenever a new Symfony release is published? Or when a version is not maintained anymore? Or only when a security issue is fixed? Consider subscribing to the Symfony Roadmap Notifications.