-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Fri, 22 May 2026 01:06:27 +0200
Source: symfony
Architecture: source
Version: 6.4.40+dfsg-0+deb13u1
Distribution: trixie-security
Urgency: medium
Maintainer: Debian PHP PEAR Maintainers <pkg-php-pear@lists.alioth.debian.org>
Changed-By: David Prévot <taffit@debian.org>
Changes:
symfony (6.4.40+dfsg-0+deb13u1) trixie-security; urgency=medium
.
[ Fabien Potencier ]
* Update VERSION for 6.4.40
.
[ Nicolas Grekas ]
* [HtmlSanitizer] Reject BiDi override characters and percent-encode spaces
in URLs [CVE-2026-45064]
* [MonologBridge] Bind server:log to localhost by default [CVE-2026-45077]
* [Yaml] Bound recursion depth in the parser [CVE-2026-45133]
* [TwigBridge] Fix XSS issue in CodeExtension::fileExcerpt() [CVE-2026-45072]
* [Cache] Validate the prefix given to AbstractAdapter::clear()
[CVE-2026-45073]
* [Yaml] Bound collection-alias resolution in the parser [CVE-2026-45304]
* [Yaml] Harden the Parser::cleanup() regexes against catastrophic
backtracking [CVE-2026-45305]
* [Runtime] Fix CVE-2024-50340 patch bypass by gating argv on
$_SERVER['QUERY_STRING'] [CVE-2026-46626]
.
[ Alexandre Daubois ]
* [Routing] Fix regex alternation anchoring in UrlGenerator requirement
validation [CVE-2026-45065]
* [DomCrawler] Fix XXE in addXmlContent() by not enabling `validateOnParse`
[CVE-2026-45071]
* [HtmlSanitizer] Fix allowLinkHosts/allowMediaHosts bypass via URL parser
differentials and <area> misclassification [CVE-2026-45066]
* [Security] Add missing claims in `OidcTokenHandler` [CVE-2026-45069]
* [Security] Anchor emailAddress regex to RDN boundary in X509Authenticator
[CVE-2026-45063]
* [Mime] Reject email addresses containing line breaks in Address
[CVE-2026-45067]
* [Mailer] Add end-of-options separator before recipients in
SendmailTransport; reject addresses starting with a dash [CVE-2026-45068]
* [Mailer][Mailjet] Reject webhooks with missing or invalid Basic credentials
[CVE-2026-45754]
Checksums-Sha1:
7be80209827f9c93cd82105486f8590edc3eb010 16771 symfony_6.4.40+dfsg-0+deb13u1.dsc
c5ea9fab70de2edc242d6f2c648140c46fbc9cca 8763292 symfony_6.4.40+dfsg.orig.tar.xz
e76de6f27c166d9884f079bbf98e423a355764d2 78912 symfony_6.4.40+dfsg-0+deb13u1.debian.tar.xz
cc0c28b3713358f096136fdaf3d321943a05ec86 71708 symfony_6.4.40+dfsg-0+deb13u1_amd64.buildinfo
Checksums-Sha256:
1f99ba0b44cf7334167fdec9907d5f34997039a868edbbbfb694653e5595f0b6 16771 symfony_6.4.40+dfsg-0+deb13u1.dsc
7d869a6d4f763e1641cabc6349c63dd3fe9203fd24989e429894046effec276c 8763292 symfony_6.4.40+dfsg.orig.tar.xz
9a2498ee453e58a5b0882ff6c2ac13d172308ebdcbd90d7ddf55d998a1c7e9a3 78912 symfony_6.4.40+dfsg-0+deb13u1.debian.tar.xz
3d89b8e25f472389d3ec3c1f17f7781840d7168d19b1fdbd8a12b30e47a04651 71708 symfony_6.4.40+dfsg-0+deb13u1_amd64.buildinfo
Files:
c6f50466e670965e149158b43b911f60 16771 php optional symfony_6.4.40+dfsg-0+deb13u1.dsc
987aa5700fb6c17587842216c4f456f0 8763292 php optional symfony_6.4.40+dfsg.orig.tar.xz
af6e4be4b4009a366313130610d6b43c 78912 php optional symfony_6.4.40+dfsg-0+deb13u1.debian.tar.xz
f41ed4a485cf43d23c34680c80056525 71708 php optional symfony_6.4.40+dfsg-0+deb13u1_amd64.buildinfo
-----BEGIN PGP SIGNATURE-----
iQFGBAEBCgAwFiEEeHVNB7wJXHRI941mBYwc+UT2vTwFAmoT82MSHHRhZmZpdEBk
ZWJpYW4ub3JnAAoJEAWMHPlE9r08Z0YIAJ66ZkFbWdLqKE3nPSSd/8xygCchZ/OT
bF77NV5BeFLZcGwyUOwyKagXJAiNbUYhviLwLqCddYOdkGyMu7I4yxCWAVo5Ce7z
vc2rwLVu+ISbtDQ/N2byq7M+YqgSW6q/RseaAN6k5zyvqVcsy7qRaPAfOUN9LCTG
4AIFMBtcwLxWHtamm8vmP6xsifyrZhflWKOKiS2TXaKhDUatAzYVZ9hK8TZA77m2
wjQGNuNi9i3CTb7DrUgl5vDMOPpgWwQQPXSoo1san5X+4dMOmbvBP4wM5TolIHUL
H2daj/OPxxsBXd7J18fvQKuTf8zKBWq0HwVNHwZTJHtCBWDEiw6jqTg=
=da0O
-----END PGP SIGNATURE-----
