Debian Package Tracker

From: Debian FTP Masters <ftpmaster@ftp-master.debian.org>
To: <>
Subject: Accepted symfony 6.4.41+dfsg-0+deb13u1 (source) into stable-security
Date: Sun, 31 May 2026 12:16:08 +0000
Signed by: David Prévot <taffit@debian.org>
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Wed, 27 May 2026 19:56:10 +0200
Source: symfony
Architecture: source
Version: 6.4.41+dfsg-0+deb13u1
Distribution: trixie-security
Urgency: medium
Maintainer: Debian PHP PEAR Maintainers <pkg-php-pear@lists.alioth.debian.org>
Changed-By: David Prévot <taffit@debian.org>
Changes:
 symfony (6.4.41+dfsg-0+deb13u1) trixie-security; urgency=medium
 .
   [ Fabien Potencier ]
   * Update VERSION for 6.4.41
 .
   [ Nicolas Grekas ]
   * [HtmlSanitizer] Reject BiDi override characters and percent-encode spaces
     in URLs [CVE-2026-45064]
   * [MonologBridge] Bind server:log to localhost by default [CVE-2026-45077]
   * [Yaml] Bound recursion depth in the parser [CVE-2026-45133]
   * [TwigBridge] Fix XSS issue in CodeExtension::fileExcerpt() [CVE-2026-45072]
   * [Cache] Validate the prefix given to AbstractAdapter::clear()
     [CVE-2026-45073]
   * [Yaml] Bound collection-alias resolution in the parser [CVE-2026-45304]
   * [Yaml] Harden the Parser::cleanup() regexes against catastrophic
     backtracking [CVE-2026-45305]
   * [Runtime] Fix CVE-2024-50340 patch bypass by gating argv on
     $_SERVER['QUERY_STRING'] [CVE-2026-46626]
   * [HttpClient] Block IPv6 transition forms in NoPrivateNetworkHttpClient
     [CVE-2026-48736]
   * [HttpFoundation] Block IPv6 transition forms in IpUtils::PRIVATE_SUBNETS
     [CVE-2026-48736]
   * [HtmlSanitizer] Reject percent-encoded BiDi marks and Unicode whitespace
      in URLs [CVE-2026-48760]
   * [HtmlSanitizer] Sanitize URL attributes on <object>, <applet>, <iframe>,
     <img>, and the URL inside <meta http-equiv="refresh"> content
     [CVE-2026-48761]
   * [Routing] Fix dot-segment encoding for chained "../" and "./" in generated
     URLs [CVE-2026-48784]
   * [Security] Don't honor user-supplied _failure_path on failure_forward
     [CVE-2026-48489]
 .
   [ Alexandre Daubois ]
   * [Routing] Fix regex alternation anchoring in UrlGenerator requirement
     validation [CVE-2026-45065]
   * [DomCrawler] Fix XXE in addXmlContent() by not enabling `validateOnParse`
     [CVE-2026-45071]
   * [HtmlSanitizer] Fix allowLinkHosts/allowMediaHosts bypass via URL parser
     differentials and <area> misclassification [CVE-2026-45066]
   * [Security] Add missing claims in `OidcTokenHandler` [CVE-2026-45069]
   * [Security] Anchor emailAddress regex to RDN boundary in X509Authenticator
     [CVE-2026-45063]
   * [Mime] Reject email addresses containing line breaks in Address
     [CVE-2026-45067]
   * [Mailer] Add end-of-options separator before recipients in
     SendmailTransport; reject addresses starting with a dash [CVE-2026-45068]
   * [Mailer][Mailjet] Reject webhooks with missing or invalid Basic credentials
     [CVE-2026-45754]
Checksums-Sha1:
 134554c1dfcb68d673eb89a0c0537e53d75621c1 16771 symfony_6.4.41+dfsg-0+deb13u1.dsc
 27c32d81117e02a728dbca200ae01d5375fd9a30 8773824 symfony_6.4.41+dfsg.orig.tar.xz
 4bad294031b5650e584bdf444c4a01c2623a9ea5 79176 symfony_6.4.41+dfsg-0+deb13u1.debian.tar.xz
 1cd8beb61840d7c90878f938a985b2d2f83a457a 71613 symfony_6.4.41+dfsg-0+deb13u1_i386.buildinfo
Checksums-Sha256:
 6d9136ed0a864da685f1938f1562d1113e7b1a425c35c81bece32ddd174d13fe 16771 symfony_6.4.41+dfsg-0+deb13u1.dsc
 cb5a93b47cbfea37894e6907bdcf2e75373ca10fc377c85a58c4aeaae11d6083 8773824 symfony_6.4.41+dfsg.orig.tar.xz
 b269532472c5881ce090cb6193a5f63cea725e92d2633c953a45f07afbab6212 79176 symfony_6.4.41+dfsg-0+deb13u1.debian.tar.xz
 60bef30803cc851011e0b850dbdad010efd4eb5267c6010ef77a464ab226cfec 71613 symfony_6.4.41+dfsg-0+deb13u1_i386.buildinfo
Files:
 8f3aad631aea8d8803b6af366d5a3805 16771 php optional symfony_6.4.41+dfsg-0+deb13u1.dsc
 a50992625fa71b57d933f95a5ef79d56 8773824 php optional symfony_6.4.41+dfsg.orig.tar.xz
 0b14214dd0ca1935544e16531e0e1b0e 79176 php optional symfony_6.4.41+dfsg-0+deb13u1.debian.tar.xz
 58f67dfdbf1b1550b6ae735bd8fc428c 71613 php optional symfony_6.4.41+dfsg-0+deb13u1_i386.buildinfo

-----BEGIN PGP SIGNATURE-----

iQFGBAEBCgAwFiEEeHVNB7wJXHRI941mBYwc+UT2vTwFAmoYs/ISHHRhZmZpdEBk
ZWJpYW4ub3JnAAoJEAWMHPlE9r08i3oH/1eNy40d5+dnfiRE+A4skxM+pMqI9omb
q2awpyGawxQPULTNEEjwyp7ru4fdyN2K2DsqDCUpGA1ZwCT7/cqWQYDQRGMZNntP
qOzDCF+d2KYhSREeSZ0NlP4DFXyA+kmv2LTDIa3yXyIXVMfhOXaU7RzfTO2KmNmo
kSpfTWS6hCwQh5JWbge44FamIC+PLWrxAx2QXaJJcDXwCK90a1NRz2GFdA60aSKn
83n81uZbj0xjdVAkQrHIM8t6+7sa6LhSjoru2XmQYLb6Z1XLsKqfaM2VRLyXUCKR
TtTLCnKUoTUlX93Dky+igMMduALiAQgSPC8b+/ZwVyqtacEIJwQizPE=
=DNRF
-----END PGP SIGNATURE-----
News for package symfony
