Debian Package Tracker

From: Debian FTP Masters <ftpmaster@ftp-master.debian.org>
To: <>
Subject: Accepted symfony 5.4.52+dfsg-0+deb12u1 (source) into oldstable-security
Date: Mon, 01 Jun 2026 18:03:55 +0000
Signed by: David Prévot <taffit@debian.org>
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Sat, 23 May 2026 23:32:47 +0200
Source: symfony
Architecture: source
Version: 5.4.52+dfsg-0+deb12u1
Distribution: bookworm-security
Urgency: medium
Maintainer: Debian PHP PEAR Maintainers <pkg-php-pear@lists.alioth.debian.org>
Changed-By: David Prévot <taffit@debian.org>
Changes:
 symfony (5.4.52+dfsg-0+deb12u1) bookworm-security; urgency=medium
 .
   [ Fabien Potencier ]
   * Update VERSION for 5.4.52
 .
   [ Nicolas Grekas ]
   * [MonologBridge] Bind server:log to localhost by default [CVE-2026-45077]
   * [Yaml] Bound recursion depth in the parser [CVE-2026-45133]
   * [Cache] Validate the prefix given to AbstractAdapter::clear()
     [CVE-2026-45073]
   * [Yaml] Bound collection-alias resolution in the parser [CVE-2026-45304]
   * [Yaml] Harden the Parser::cleanup() regexes against catastrophic
     backtracking [CVE-2026-45305]
   * [Runtime] Fix CVE-2024-50340 patch bypass by gating argv on
     $_SERVER['QUERY_STRING'] [CVE-2026-46626]
 .
   [ Alexandre Daubois ]
   * [Routing] Fix regex alternation anchoring in UrlGenerator requirement
     validation [CVE-2026-45065]
   * [DomCrawler] Fix XXE in addXmlContent() by not enabling `validateOnParse`
     [CVE-2026-45071]
   * [Security] Anchor emailAddress regex to RDN boundary in X509Authenticator
     [CVE-2026-45063]
   * [Mime] Reject email addresses containing line breaks in Address
     [CVE-2026-45067]
   * [Mailer] Add end-of-options separator before recipients in
     SendmailTransport; reject addresses starting with a dash [CVE-2026-45068]
 .
   [ David Prévot ]
   * debian/gbp.conf: permit new upsteam release
   * Refresh patches
   * Update homemade autoload.php
   * Update copyright for new image
   * Exclude some test files for phpab
   * Use php-http-message-factory for tests
Checksums-Sha1:
 0fa327b1fff3780e861d4caf5b86fad54de66d28 13285 symfony_5.4.52+dfsg-0+deb12u1.dsc
 2b53955828cb301984bd0586565834034709073d 5107180 symfony_5.4.52+dfsg.orig.tar.xz
 d422dd9b1b2fd48d6d2f1a3af874682a00250a22 64884 symfony_5.4.52+dfsg-0+deb12u1.debian.tar.xz
 18b27af8e1908fd22e0aa9475cd0c99fe39f62c7 57646 symfony_5.4.52+dfsg-0+deb12u1_amd64.buildinfo
Checksums-Sha256:
 16e4ff5b8375d11bbb0627b87fb18be9db4bd8750eaaa6182228a912301ccb43 13285 symfony_5.4.52+dfsg-0+deb12u1.dsc
 ffc381be4966bec2f958abb63c5739b4b1c79f742ab10bea960173f76ad67b4f 5107180 symfony_5.4.52+dfsg.orig.tar.xz
 2c64547afbefef42c7f353a490ff1b473f00c3cde1ededbcee61580ee7844f83 64884 symfony_5.4.52+dfsg-0+deb12u1.debian.tar.xz
 d370e84ba9b28a9074abac1ebc967160f1483b72c93b39b5c8e520f41cc1f099 57646 symfony_5.4.52+dfsg-0+deb12u1_amd64.buildinfo
Files:
 5fe9d2569979040bcc75359ceb72158b 13285 php optional symfony_5.4.52+dfsg-0+deb12u1.dsc
 20a28646f1a1e5db17216cf1bb151592 5107180 php optional symfony_5.4.52+dfsg.orig.tar.xz
 6d5798762ece53fde2219a4ba8c0ea3c 64884 php optional symfony_5.4.52+dfsg-0+deb12u1.debian.tar.xz
 f624dbd00347e70e066633d370a1fd6b 57646 php optional symfony_5.4.52+dfsg-0+deb12u1_amd64.buildinfo

-----BEGIN PGP SIGNATURE-----

iQFGBAEBCgAwFiEEeHVNB7wJXHRI941mBYwc+UT2vTwFAmoUx9ISHHRhZmZpdEBk
ZWJpYW4ub3JnAAoJEAWMHPlE9r0879oH/Rl+zs3oPHBY/bWUCGb3mGx4lSANTKRj
jRtbEncBu8mzRktvTn/AgQHwev8il8il89wfoiu9Vy06B2dpHGUp/j8RwoyHP1me
uWWG6m8DFWLtSyAw1INeNo4qKkUdRVNyWKbTvUTqXLPpp1qcnnj+e/PV+lR3/I+A
C53miX88RqBufKgCI6qe7VbLPLnK+SYyfUqcdiHh/yP9GArtOgB/0zYS2HZmZD2m
hrCTGgKSgV1XEnpv7eUWiyBIO2PM6venCv0pV4/eNocaSLGVzjbgjlyZt2ioqC74
o7SIfmX+kFoSwjZto+k0rMDnb06VdKo/wJl0bGLlow3A0ykWnuzRfZw=
=Bu+Z
-----END PGP SIGNATURE-----
News for package symfony
