jank/ventry
1
0
Fork 0
Code Issues 1 Pull requests 8 Projects Releases Wiki Activity

fix(deps): update dependency symfony/security-bundle to 6.4.* [security] #16

Open
Renovate wants to merge 1 commit from renovate/packagist-symfony-security-bundle-vulnerability into main
pull from: renovate/packagist-symfony-security-bundle-vulnerability
merge into: jank:main
Conversation 1 Commits 1 Files changed 1 +1 -1
Renovate commented 2025-08-21 15:12:07 +00:00
Collaborator
Copy link

This PR contains the following updates:

Package Change Age Adoption Passing Confidence
symfony/security-bundle (source) 6.3.* -> 6.4.* age adoption passing confidence

Symfony's Security::login does not take into account custom user_checker

CVE-2024-50341 / GHSA-jxgr-3v7q-3w9v

More information

Details

Description

The custom user_checker defined on a firewall is not called when Login Programmaticaly with the Security::login method, leading to unwanted login.

Resolution

The Security::login method now ensure to call the configured user_checker.

The patch for this issue is available here for branch 6.4.

Credits

We would like to thank Oleg Andreyev, Antoine MAKDESSI for reporting the issue and Christian Flothmann for providing the fix.

Severity

  • CVSS Score: 2.3 / 10 (Low)
  • Vector String: CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N

References

This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).

Release Notes

symfony/security-bundle (symfony/security-bundle)

v6.4.10

Compare Source

Changelog (https://github.com/symfony/security-bundle/compare/v6.4.9...v6.4.10)

v6.4.9

Compare Source

Changelog (https://github.com/symfony/security-bundle/compare/v6.4.8...v6.4.9)

v6.4.8

Compare Source

Changelog (https://github.com/symfony/security-bundle/compare/v6.4.7...v6.4.8)

  • no significant changes

v6.4.7

Compare Source

Changelog (https://github.com/symfony/security-bundle/compare/v6.4.6...v6.4.7)

  • no significant changes

v6.4.6

Compare Source

Changelog (https://github.com/symfony/security-bundle/compare/v6.4.5...v6.4.6)

v6.4.5

Compare Source

Changelog (https://github.com/symfony/security-bundle/compare/v6.4.4...v6.4.5)

  • no significant changes

v6.4.4

Compare Source

Changelog (https://github.com/symfony/security-bundle/compare/v6.4.3...v6.4.4)

v6.4.3

Compare Source

Changelog (https://github.com/symfony/security-bundle/compare/v6.4.2...v6.4.3)

v6.4.2

Compare Source

Changelog (https://github.com/symfony/security-bundle/compare/v6.4.1...v6.4.2)

v6.4.0

Compare Source

Changelog (https://github.com/symfony/security-bundle/compare/v6.4.0-RC2...v6.4.0)

  • no significant changes

v6.3.12

Compare Source

Changelog (https://github.com/symfony/security-bundle/compare/v6.3.11...v6.3.12)

  • no significant changes

v6.3.11

Compare Source

Changelog (https://github.com/symfony/security-bundle/compare/v6.3.10...v6.3.11)

v6.3.8

Compare Source

Changelog (https://github.com/symfony/security-bundle/compare/v6.3.7...v6.3.8)

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

  • If you want to rebase/retry this PR, check this box

This PR has been generated by Renovate Bot.

This PR contains the following updates: | Package | Change | Age | Adoption | Passing | Confidence | |---|---|---|---|---|---| | [symfony/security-bundle](https://symfony.com) ([source](https://github.com/symfony/security-bundle)) | `6.3.*` -> `6.4.*` | [![age](https://developer.mend.io/api/mc/badges/age/packagist/symfony%2fsecurity-bundle/6.4.10?slim=true)](https://docs.renovatebot.com/merge-confidence/) | [![adoption](https://developer.mend.io/api/mc/badges/adoption/packagist/symfony%2fsecurity-bundle/6.4.10?slim=true)](https://docs.renovatebot.com/merge-confidence/) | [![passing](https://developer.mend.io/api/mc/badges/compatibility/packagist/symfony%2fsecurity-bundle/6.3.7/6.4.10?slim=true)](https://docs.renovatebot.com/merge-confidence/) | [![confidence](https://developer.mend.io/api/mc/badges/confidence/packagist/symfony%2fsecurity-bundle/6.3.7/6.4.10?slim=true)](https://docs.renovatebot.com/merge-confidence/) | --- ### Symfony's `Security::login` does not take into account custom `user_checker` [CVE-2024-50341](https://nvd.nist.gov/vuln/detail/CVE-2024-50341) / [GHSA-jxgr-3v7q-3w9v](https://github.com/advisories/GHSA-jxgr-3v7q-3w9v) <details> <summary>More information</summary> #### Details ##### Description The custom `user_checker` defined on a firewall is not called when Login Programmaticaly with the `Security::login` method, leading to unwanted login. ##### Resolution The `Security::login` method now ensure to call the configured `user_checker`. The patch for this issue is available [here](https://github.com/symfony/symfony/commit/22a0789a0085c3ee96f4ef715ecad8255cf0e105) for branch 6.4. ##### Credits We would like to thank Oleg Andreyev, Antoine MAKDESSI for reporting the issue and Christian Flothmann for providing the fix. #### Severity - CVSS Score: 2.3 / 10 (Low) - Vector String: `CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N` #### References - [https://github.com/symfony/symfony/security/advisories/GHSA-jxgr-3v7q-3w9v](https://github.com/symfony/symfony/security/advisories/GHSA-jxgr-3v7q-3w9v) - [https://nvd.nist.gov/vuln/detail/CVE-2024-50341](https://nvd.nist.gov/vuln/detail/CVE-2024-50341) - [https://github.com/symfony/symfony/commit/22a0789a0085c3ee96f4ef715ecad8255cf0e105](https://github.com/symfony/symfony/commit/22a0789a0085c3ee96f4ef715ecad8255cf0e105) - [https://github.com/FriendsOfPHP/security-advisories/blob/master/symfony/security-bundle/CVE-2024-50341.yaml](https://github.com/FriendsOfPHP/security-advisories/blob/master/symfony/security-bundle/CVE-2024-50341.yaml) - [https://github.com/FriendsOfPHP/security-advisories/blob/master/symfony/symfony/CVE-2024-50341.yaml](https://github.com/FriendsOfPHP/security-advisories/blob/master/symfony/symfony/CVE-2024-50341.yaml) - [https://github.com/symfony/symfony](https://github.com/symfony/symfony) - [https://symfony.com/cve-2024-50341](https://symfony.com/cve-2024-50341) This data is provided by [OSV](https://osv.dev/vulnerability/GHSA-jxgr-3v7q-3w9v) and the [GitHub Advisory Database](https://github.com/github/advisory-database) ([CC-BY 4.0](https://github.com/github/advisory-database/blob/main/LICENSE.md)). </details> --- ### Release Notes <details> <summary>symfony/security-bundle (symfony/security-bundle)</summary> ### [`v6.4.10`](https://github.com/symfony/security-bundle/releases/tag/v6.4.10) [Compare Source](https://github.com/symfony/security-bundle/compare/v6.4.9...v6.4.10) **Changelog** (<https://github.com/symfony/security-bundle/compare/v6.4.9...v6.4.10>) - bug [symfony/symfony#57748](https://github.com/symfony/symfony/issues/57748) \[SecurityBundle] use firewall-specific user checkers when manually logging in users ([@&#8203;xabbuh](https://github.com/xabbuh)) ### [`v6.4.9`](https://github.com/symfony/security-bundle/releases/tag/v6.4.9) [Compare Source](https://github.com/symfony/security-bundle/compare/v6.4.8...v6.4.9) **Changelog** (<https://github.com/symfony/security-bundle/compare/v6.4.8...v6.4.9>) - bug [symfony/symfony#57520](https://github.com/symfony/symfony/issues/57520) \[SecurityBundle] Remove unused memory users’ `name` attribute from the XSD ([@&#8203;MatTheCat](https://github.com/MatTheCat)) - bug [symfony/symfony#57467](https://github.com/symfony/symfony/issues/57467) \[SecurityBundle] Add `provider` XML attribute to the authenticators it’s missing from ([@&#8203;MatTheCat](https://github.com/MatTheCat)) ### [`v6.4.8`](https://github.com/symfony/security-bundle/releases/tag/v6.4.8) [Compare Source](https://github.com/symfony/security-bundle/compare/v6.4.7...v6.4.8) **Changelog** (<https://github.com/symfony/security-bundle/compare/v6.4.7...v6.4.8>) - no significant changes ### [`v6.4.7`](https://github.com/symfony/security-bundle/releases/tag/v6.4.7) [Compare Source](https://github.com/symfony/security-bundle/compare/v6.4.6...v6.4.7) **Changelog** (<https://github.com/symfony/security-bundle/compare/v6.4.6...v6.4.7>) - no significant changes ### [`v6.4.6`](https://github.com/symfony/security-bundle/releases/tag/v6.4.6) [Compare Source](https://github.com/symfony/security-bundle/compare/v6.4.5...v6.4.6) **Changelog** (<https://github.com/symfony/security-bundle/compare/v6.4.5...v6.4.6>) - bug [symfony/symfony#54248](https://github.com/symfony/symfony/issues/54248) \[Security] Correctly initialize the voter property ([@&#8203;aschempp](https://github.com/aschempp)) ### [`v6.4.5`](https://github.com/symfony/security-bundle/releases/tag/v6.4.5) [Compare Source](https://github.com/symfony/security-bundle/compare/v6.4.4...v6.4.5) **Changelog** (<https://github.com/symfony/security-bundle/compare/v6.4.4...v6.4.5>) - no significant changes ### [`v6.4.4`](https://github.com/symfony/security-bundle/releases/tag/v6.4.4) [Compare Source](https://github.com/symfony/security-bundle/compare/v6.4.3...v6.4.4) **Changelog** (<https://github.com/symfony/security-bundle/compare/v6.4.3...v6.4.4>) - bug [symfony/symfony#53913](https://github.com/symfony/symfony/issues/53913) \[TwigBridge] Fix compat with Twig v3.9 ([@&#8203;nicolas-grekas](https://github.com/nicolas-grekas)) - bug [symfony/symfony#53744](https://github.com/symfony/symfony/issues/53744) \[SecurityBundle] add missing partition attribute to the schema definition ([@&#8203;xabbuh](https://github.com/xabbuh)) - bug [symfony/symfony#53703](https://github.com/symfony/symfony/issues/53703) \[HttpFoundation] Fix clearing CHIPS cookies ([@&#8203;misaert](https://github.com/misaert)) ### [`v6.4.3`](https://github.com/symfony/security-bundle/releases/tag/v6.4.3) [Compare Source](https://github.com/symfony/security-bundle/compare/v6.4.2...v6.4.3) **Changelog** (<https://github.com/symfony/security-bundle/compare/v6.4.2...v6.4.3>) - bug [symfony/symfony#53656](https://github.com/symfony/symfony/issues/53656) \[Form] Use self-closing `<input />` syntax again, reverting [#&#8203;47715](https://github.com/symfony/security-bundle/issues/47715) ([@&#8203;mpdude](https://github.com/mpdude)) ### [`v6.4.2`](https://github.com/symfony/security-bundle/releases/tag/v6.4.2) [Compare Source](https://github.com/symfony/security-bundle/compare/v6.4.0...v6.4.2) **Changelog** (<https://github.com/symfony/security-bundle/compare/v6.4.1...v6.4.2>) - bug [symfony/symfony#53172](https://github.com/symfony/symfony/issues/53172) \[SecurityBundle] Prevent to login/logout without a request context ([@&#8203;symfonyaml](https://github.com/symfonyaml)) - bug [symfony/symfony#52870](https://github.com/symfony/symfony/issues/52870) \[SecurityBundle] Fix redeclaration of `InternalSecurity` class when opcache preload is active ([@&#8203;kaznovac](https://github.com/kaznovac)) ### [`v6.4.0`](https://github.com/symfony/security-bundle/releases/tag/v6.4.0) [Compare Source](https://github.com/symfony/security-bundle/compare/v6.3.12...v6.4.0) **Changelog** (<https://github.com/symfony/security-bundle/compare/v6.4.0-RC2...v6.4.0>) - no significant changes ### [`v6.3.12`](https://github.com/symfony/security-bundle/releases/tag/v6.3.12) [Compare Source](https://github.com/symfony/security-bundle/compare/v6.3.11...v6.3.12) **Changelog** (<https://github.com/symfony/security-bundle/compare/v6.3.11...v6.3.12>) - no significant changes ### [`v6.3.11`](https://github.com/symfony/security-bundle/releases/tag/v6.3.11) [Compare Source](https://github.com/symfony/security-bundle/compare/v6.3.8...v6.3.11) **Changelog** (<https://github.com/symfony/security-bundle/compare/v6.3.10...v6.3.11>) - bug [symfony/symfony#53172](https://github.com/symfony/symfony/issues/53172) \[SecurityBundle] Prevent to login/logout without a request context ([@&#8203;symfonyaml](https://github.com/symfonyaml)) ### [`v6.3.8`](https://github.com/symfony/security-bundle/releases/tag/v6.3.8) [Compare Source](https://github.com/symfony/security-bundle/compare/v6.3.7...v6.3.8) **Changelog** (<https://github.com/symfony/security-bundle/compare/v6.3.7...v6.3.8>) - bug [symfony/symfony#52506](https://github.com/symfony/symfony/issues/52506) \[SecurityBundle] wire the secret for Symfony 6.4 compatibility ([@&#8203;xabbuh](https://github.com/xabbuh)) </details> --- ### Configuration 📅 **Schedule**: Branch creation - "" (UTC), Automerge - At any time (no schedule defined). 🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied. ♻ **Rebasing**: Whenever PR is behind base branch, or you tick the rebase/retry checkbox. 🔕 **Ignore**: Close this PR and you won't be reminded about this update again. --- - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box --- This PR has been generated by [Renovate Bot](https://github.com/renovatebot/renovate). <!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0MS44Mi4zIiwidXBkYXRlZEluVmVyIjoiNDEuMTA3LjAiLCJ0YXJnZXRCcmFuY2giOiJtYWluIiwibGFiZWxzIjpbIidzZWN1cml0eSciXX0=-->
fix(deps): update dependency symfony/security-bundle to 6.4.* [security]
Some checks failed
renovate/artifacts Artifact file update failure
47ae0731c4
Renovate commented 2025-08-21 15:12:07 +00:00
Author
Collaborator
Copy link

⚠️ Artifact update problem

Renovate failed to update an artifact related to this branch. You probably do not want to merge this PR as-is.

♻ Renovate will retry this branch, including artifacts, only when one of the following happens:

  • any of the package files in this branch needs updating, or
  • the branch becomes conflicted, or
  • you click the rebase/retry checkbox if found above, or
  • you rename this PR's title to start with "rebase!" to trigger it manually

The artifact failure details are included below:

File name: composer.lock
Command failed: composer update symfony/security-bundle:6.4.10 --with-dependencies --ignore-platform-req='ext-*' --ignore-platform-req='lib-*' --no-ansi --no-interaction --no-scripts --no-autoloader --no-plugins --minimal-changes
Loading composer repositories with package information
Dependency symfony/mime is also a root requirement. Package has not been listed as an update argument, so keeping locked at old version. Use --with-all-dependencies (-W) to include root dependencies.
Dependency symfony/property-access is also a root requirement. Package has not been listed as an update argument, so keeping locked at old version. Use --with-all-dependencies (-W) to include root dependencies.
Dependency symfony/process is also a root requirement. Package has not been listed as an update argument, so keeping locked at old version. Use --with-all-dependencies (-W) to include root dependencies.
Updating dependencies
Your requirements could not be resolved to an installable set of packages.

  Problem 1
    - symfony/framework-bundle is locked to version v6.3.7 and an update of this package was not requested.
    - Root composer.json requires symfony/security-bundle 6.4.* -> satisfiable by symfony/security-bundle[v6.4.10].
    - symfony/security-bundle v6.4.10 conflicts with symfony/framework-bundle <6.4.

Use the option --with-all-dependencies (-W) to allow upgrades, downgrades and removals for packages currently locked to specific versions.
### ⚠️ Artifact update problem Renovate failed to update an artifact related to this branch. You probably do not want to merge this PR as-is. ♻ Renovate will retry this branch, including artifacts, only when one of the following happens: - any of the package files in this branch needs updating, or - the branch becomes conflicted, or - you click the rebase/retry checkbox if found above, or - you rename this PR's title to start with "rebase!" to trigger it manually The artifact failure details are included below: ##### File name: composer.lock ``` Command failed: composer update symfony/security-bundle:6.4.10 --with-dependencies --ignore-platform-req='ext-*' --ignore-platform-req='lib-*' --no-ansi --no-interaction --no-scripts --no-autoloader --no-plugins --minimal-changes Loading composer repositories with package information Dependency symfony/mime is also a root requirement. Package has not been listed as an update argument, so keeping locked at old version. Use --with-all-dependencies (-W) to include root dependencies. Dependency symfony/property-access is also a root requirement. Package has not been listed as an update argument, so keeping locked at old version. Use --with-all-dependencies (-W) to include root dependencies. Dependency symfony/process is also a root requirement. Package has not been listed as an update argument, so keeping locked at old version. Use --with-all-dependencies (-W) to include root dependencies. Updating dependencies Your requirements could not be resolved to an installable set of packages. Problem 1 - symfony/framework-bundle is locked to version v6.3.7 and an update of this package was not requested. - Root composer.json requires symfony/security-bundle 6.4.* -> satisfiable by symfony/security-bundle[v6.4.10]. - symfony/security-bundle v6.4.10 conflicts with symfony/framework-bundle <6.4. Use the option --with-all-dependencies (-W) to allow upgrades, downgrades and removals for packages currently locked to specific versions. ```
Some checks failed
renovate/artifacts Artifact file update failure
This pull request can be merged automatically.
You are not authorized to merge this pull request.
View command line instructions

Checkout

From your project repository, check out a new branch and test the changes.
git fetch -u origin renovate/packagist-symfony-security-bundle-vulnerability:renovate/packagist-symfony-security-bundle-vulnerability
git switch renovate/packagist-symfony-security-bundle-vulnerability

Merge

Merge the changes and update on Forgejo.

Warning: The "Autodetect manual merge" setting is not enabled for this repository, you will have to mark this pull request as manually merged afterwards.

git switch main
git merge --no-ff renovate/packagist-symfony-security-bundle-vulnerability
git switch renovate/packagist-symfony-security-bundle-vulnerability
git rebase main
git switch main
git merge --ff-only renovate/packagist-symfony-security-bundle-vulnerability
git switch renovate/packagist-symfony-security-bundle-vulnerability
git rebase main
git switch main
git merge --no-ff renovate/packagist-symfony-security-bundle-vulnerability
git switch main
git merge --squash renovate/packagist-symfony-security-bundle-vulnerability
git switch main
git merge --ff-only renovate/packagist-symfony-security-bundle-vulnerability
git switch main
git merge renovate/packagist-symfony-security-bundle-vulnerability
git push origin main
Sign in to join this conversation.
Reviewers
No reviewers
Labels
Clear labels
No items
No labels
Milestone
Clear milestone
No items
No milestone
Projects
Clear projects
No items
No project
Assignees
Clear assignees
No assignees
1 participant
Notifications
Due date
The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference: jank/ventry#16
No description provided.
Delete branch "renovate/packagist-symfony-security-bundle-vulnerability"

Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?