symfony (2.3.21+dfsg-4+deb8u6) jessie-security; urgency=high

  * Non-maintainer upload by the LTS Team.
  * Cherry-pick upstream commits to fix security issues
    + Fix CVE-2019-18886: [Security\Core] throw AccessDeniedException when
      switch user fails
    + Fix CVE-2019-18887: [HttpKernel] Use constant time comparison in UriSigner
    + Fix CVE-2019-18888: [HttpFoundation] fix guessing mime-types of files with
      leading dash

 -- Roberto C. Sanchez <roberto@debian.org>  Thu, 14 Nov 2019 21:04:20 -0500

symfony (2.3.21+dfsg-4+deb8u5) jessie-security; urgency=medium

  * Non-maintainer upload by the LTS Security Team.
  * Cherry-pick upstream commits to fix security issues
    + Fix CVE-2019-10909: Escape validation messages in the PHP templating
      engine
    + Fix CVE-2019-10910: Check service IDs are valid
    + Fix CVE-2019-10911: Add a separator in the remember me cookie hash
    + Fix CVE-2019-10913: Reject invalid HTTP method overrides

 -- Jonas Meurer <jonas@freesources.org>  Mon, 06 May 2019 18:33:45 +0200

symfony (2.3.21+dfsg-4+deb8u4) jessie-security; urgency=high

  * Non-maintainer upload by the LTS Team.
  * Cherry-pick upstream commit to fix unit test regression caused by PHP
    5.6.27 (specifically, the fix for PHP bug 72972)
  * Fix additional unit test failures resulting from dates too far in the past
  * Cherry-pick upstream commits to fix security issues
    + Fix CVE-2017-16652: [Security] Validate redirect targets using the
      session cookie domain
    + Fix CVE-2017-16654: prevent bundle readers from breaking out of paths
    + Fix CVE-2018-11385: Adding session strategy to ALL listeners to avoid
      *any* possible fixation
    + Fix CVE-2018-11408: [SecurityBundle] Fail if security.http_utils cannot
      be configured
    + Fix CVE-2018-14773: [HttpFoundation] Remove support for legacy and risky
      HTTP headers
    + Fix CVE-2018-19789: [Form] Filter file uploads out of regular form types
    + Fix CVE-2018-19790: [Security\Http] detect bad redirect targets using
      backslashes

 -- Roberto C. Sanchez <roberto@debian.org>  Fri, 01 Mar 2019 09:20:42 -0500

symfony (2.3.21+dfsg-4+deb8u3) jessie-security; urgency=high

  [ Daniel Beyer ]
  * Backport a security fix from 2.3.41
    - Large username storage in session [CVE-2016-4423]
  * Backport a security fix from 2.3.37
    - SecureRandom's fallback not secure when OpenSSL fails [CVE-2016-1902]

  [ David Prévot ]
  * Add copyright entry for embedded paragonie/random_compat

 -- Daniel Beyer <dabe@deb.ymc.ch>  Tue, 10 May 2016 06:21:09 +0200

symfony (2.3.21+dfsg-4+deb8u2) jessie-security; urgency=high

  * Backport security fixes from 2.3.35
    - Session Fixation in the "Remember Me" Login Feature [CVE-2015-8124]
    - Vulnerability in Security Remember-Me Service [CVE-2015-8125]

 -- Daniel Beyer <dabe@deb.ymc.ch>  Tue, 24 Nov 2015 01:07:45 +0100

symfony (2.3.21+dfsg-4+deb8u1) jessie-security; urgency=high

  [ Daniel Beyer ]
  * Backport a security fix from 2.3.29
    - ESI unauthorized access [CVE-2015-4050]

 -- David Prévot <taffit@debian.org>  Wed, 27 May 2015 08:57:06 -0400

symfony (2.3.21+dfsg-4) unstable; urgency=medium

  * Backport security fixes from 2.3.27:
    - Esi Code Injection [CVE-2015-2308]
    - Unsafe methods in the Request class [CVE-2015-2309]

 -- David Prévot <taffit@debian.org>  Wed, 01 Apr 2015 16:53:00 -0400

symfony (2.3.21+dfsg-3) unstable; urgency=medium

  [ Daniel Beyer ]
  * Increase timeout in a problematic test in the Process component.
    This should finally get tests on ci.debian.net working and might
    prevent BTS #775625 from occurring again, which probably was
    not solved within 2.3.21+dfsg-2.

 -- David Prévot <taffit@debian.org>  Fri, 30 Jan 2015 09:19:53 -0400

symfony (2.3.21+dfsg-2) unstable; urgency=low

  [ Daniel Beyer ]
  * Fix a misbehaving test in the Process component (Closes: #775625)

  [ David Prévot ]
  * gbp: Track the Jessie branch

 -- David Prévot <taffit@debian.org>  Wed, 21 Jan 2015 12:42:11 -0400

symfony (2.3.21+dfsg-1) unstable; urgency=low

  * New upstream version
  * Update build-dependencies (add php5-intl, drop php-symfony-icu and
    icu-devtools)
  * Exclude tests of type intl-data

 -- Daniel Beyer <dabe@deb.ymc.ch>  Sun, 26 Oct 2014 17:08:18 +0100

symfony (2.3.20+dfsg-1) unstable; urgency=low

  [ Daniel Beyer ]
  * New upstream version.
  * Drop patches (adopted upstream)
     - 0001-SwiftmailerBridge-Bump-allowed-versions-of-swiftmail.patch
     - 0004-Finder-Escape-location-for-regex-searches.patch
  * Fix DEP-8 tests failing if no tty is present

  [ David Prévot ]
  * Use repacksuffix feature of uscan

 -- Daniel Beyer <dabe@deb.ymc.ch>  Sat, 11 Oct 2014 01:44:50 +0200

symfony (2.3.19+dfsg-1) unstable; urgency=low

  * Initial release. (Closes: #513646)

 -- Daniel Beyer <dabe@deb.ymc.ch>  Sun, 07 Sep 2014 18:34:19 +0200
