jank/ventry
1
0
Fork 0
Code Issues 1 Pull requests 8 Projects Releases Wiki Activity

fix(deps): update dependency symfony/validator to 6.4.* [security] #17

Open
Renovate wants to merge 1 commit from renovate/packagist-symfony-validator-vulnerability into main
pull from: renovate/packagist-symfony-validator-vulnerability
merge into: jank:main
Conversation 1 Commits 1 Files changed 1 +1 -1
Renovate commented 2025-08-21 15:12:14 +00:00
Collaborator
Copy link

This PR contains the following updates:

Package Change Age Adoption Passing Confidence
symfony/validator (source) 6.3.* -> 6.4.* age adoption passing confidence

Symfony has an incorrect response from Validator when input ends with \n

CVE-2024-50343 / GHSA-g3rh-rrhp-jhh9

More information

Details

Description

It is possible to trick a Validator configured with a regular expression using the $ metacharacters, with an input ending with \n.

Resolution

Symfony now uses the D regex modifier to match the entire input.

The patch for this issue is available here for branch 5.4.

Credits

We would like to thank Offscript for reporting the issue and Alexandre Daubois for providing the fix.

Severity

  • CVSS Score: 2.3 / 10 (Low)
  • Vector String: CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N

References

This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).

Release Notes

symfony/validator (symfony/validator)

v6.4.11

Compare Source

Changelog (https://github.com/symfony/validator/compare/v6.4.10...v6.4.11)

v6.4.10

Compare Source

Changelog (https://github.com/symfony/validator/compare/v6.4.9...v6.4.10)

v6.4.9

Compare Source

Changelog (https://github.com/symfony/validator/compare/v6.4.8...v6.4.9)

v6.4.8

Compare Source

Changelog (https://github.com/symfony/validator/compare/v6.4.7...v6.4.8)

v6.4.7

Compare Source

Changelog (https://github.com/symfony/validator/compare/v6.4.6...v6.4.7)

v6.4.6

Compare Source

Changelog (https://github.com/symfony/validator/compare/v6.4.5...v6.4.6)

v6.4.4

Compare Source

Changelog (https://github.com/symfony/validator/compare/v6.4.3...v6.4.4)

v6.4.3

Compare Source

Changelog (https://github.com/symfony/validator/compare/v6.4.2...v6.4.3)

v6.4.2

Compare Source

Changelog (https://github.com/symfony/validator/compare/v6.4.1...v6.4.2)

v6.4.0

Compare Source

Changelog (https://github.com/symfony/validator/compare/v6.4.0-RC2...v6.4.0)

  • no significant changes

v6.3.12

Compare Source

Changelog (https://github.com/symfony/validator/compare/v6.3.11...v6.3.12)

v6.3.11

Compare Source

Changelog (https://github.com/symfony/validator/compare/v6.3.10...v6.3.11)

v6.3.9

Compare Source

Changelog (https://github.com/symfony/validator/compare/v6.3.8...v6.3.9)

  • no significant changes

v6.3.8

Compare Source

Changelog (https://github.com/symfony/validator/compare/v6.3.7...v6.3.8)

  • no significant changes

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

  • If you want to rebase/retry this PR, check this box

This PR has been generated by Renovate Bot.

This PR contains the following updates: | Package | Change | Age | Adoption | Passing | Confidence | |---|---|---|---|---|---| | [symfony/validator](https://symfony.com) ([source](https://github.com/symfony/validator)) | `6.3.*` -> `6.4.*` | [![age](https://developer.mend.io/api/mc/badges/age/packagist/symfony%2fvalidator/6.4.11?slim=true)](https://docs.renovatebot.com/merge-confidence/) | [![adoption](https://developer.mend.io/api/mc/badges/adoption/packagist/symfony%2fvalidator/6.4.11?slim=true)](https://docs.renovatebot.com/merge-confidence/) | [![passing](https://developer.mend.io/api/mc/badges/compatibility/packagist/symfony%2fvalidator/6.3.7/6.4.11?slim=true)](https://docs.renovatebot.com/merge-confidence/) | [![confidence](https://developer.mend.io/api/mc/badges/confidence/packagist/symfony%2fvalidator/6.3.7/6.4.11?slim=true)](https://docs.renovatebot.com/merge-confidence/) | --- ### Symfony has an incorrect response from Validator when input ends with `\n` [CVE-2024-50343](https://nvd.nist.gov/vuln/detail/CVE-2024-50343) / [GHSA-g3rh-rrhp-jhh9](https://github.com/advisories/GHSA-g3rh-rrhp-jhh9) <details> <summary>More information</summary> #### Details ##### Description It is possible to trick a `Validator` configured with a regular expression using the `$` metacharacters, with an input ending with `\n`. ##### Resolution Symfony now uses the `D` regex modifier to match the entire input. The patch for this issue is available [here](https://github.com/symfony/symfony/commit/7d1032bbead9a4229b32fa6ebca32681c80cb76f) for branch 5.4. ##### Credits We would like to thank Offscript for reporting the issue and Alexandre Daubois for providing the fix. #### Severity - CVSS Score: 2.3 / 10 (Low) - Vector String: `CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N` #### References - [https://github.com/symfony/symfony/security/advisories/GHSA-g3rh-rrhp-jhh9](https://github.com/symfony/symfony/security/advisories/GHSA-g3rh-rrhp-jhh9) - [https://nvd.nist.gov/vuln/detail/CVE-2024-50343](https://nvd.nist.gov/vuln/detail/CVE-2024-50343) - [https://github.com/symfony/symfony/commit/7d1032bbead9a4229b32fa6ebca32681c80cb76f](https://github.com/symfony/symfony/commit/7d1032bbead9a4229b32fa6ebca32681c80cb76f) - [https://github.com/FriendsOfPHP/security-advisories/blob/master/symfony/symfony/CVE-2024-50343.yaml](https://github.com/FriendsOfPHP/security-advisories/blob/master/symfony/symfony/CVE-2024-50343.yaml) - [https://github.com/FriendsOfPHP/security-advisories/blob/master/symfony/validator/CVE-2024-50343.yaml](https://github.com/FriendsOfPHP/security-advisories/blob/master/symfony/validator/CVE-2024-50343.yaml) - [https://github.com/symfony/symfony](https://github.com/symfony/symfony) - [https://symfony.com/cve-2024-50343](https://symfony.com/cve-2024-50343) This data is provided by [OSV](https://osv.dev/vulnerability/GHSA-g3rh-rrhp-jhh9) and the [GitHub Advisory Database](https://github.com/github/advisory-database) ([CC-BY 4.0](https://github.com/github/advisory-database/blob/main/LICENSE.md)). </details> --- ### Release Notes <details> <summary>symfony/validator (symfony/validator)</summary> ### [`v6.4.11`](https://github.com/symfony/validator/releases/tag/v6.4.11) [Compare Source](https://github.com/symfony/validator/compare/v6.4.10...v6.4.11) **Changelog** (<https://github.com/symfony/validator/compare/v6.4.10...v6.4.11>) - bug [symfony/symfony#58127](https://github.com/symfony/symfony/issues/58127) \[Validator] synchronize IBAN formats ([@&#8203;xabbuh](https://github.com/xabbuh)) - bug [symfony/symfony#57984](https://github.com/symfony/symfony/issues/57984) \[Validator] Add `D` regex modifier in relevant validators ([@&#8203;alexandre-daubois](https://github.com/alexandre-daubois)) - bug [symfony/symfony#57925](https://github.com/symfony/symfony/issues/57925) \[Validator] reset the validation context after validating nested constraints ([@&#8203;xabbuh](https://github.com/xabbuh)) - bug [symfony/symfony#57905](https://github.com/symfony/symfony/issues/57905) \[Validator] allow more unicode characters in URL paths ([@&#8203;xabbuh](https://github.com/xabbuh)) ### [`v6.4.10`](https://github.com/symfony/validator/releases/tag/v6.4.10) [Compare Source](https://github.com/symfony/validator/compare/v6.4.9...v6.4.10) **Changelog** (<https://github.com/symfony/validator/compare/v6.4.9...v6.4.10>) - bug [symfony/symfony#57812](https://github.com/symfony/symfony/issues/57812) \[Validator] treat uninitialized properties referenced by property paths as null ([@&#8203;xabbuh](https://github.com/xabbuh)) ### [`v6.4.9`](https://github.com/symfony/validator/releases/tag/v6.4.9) [Compare Source](https://github.com/symfony/validator/compare/v6.4.8...v6.4.9) **Changelog** (<https://github.com/symfony/validator/compare/v6.4.8...v6.4.9>) - bug [symfony/symfony#57213](https://github.com/symfony/symfony/issues/57213) \[Validator] \[UniqueValidator] Use correct variable as parameter in (custom) error message ([@&#8203;seho-nl](https://github.com/seho-nl), Sebastien Hoek) ### [`v6.4.8`](https://github.com/symfony/validator/releases/tag/v6.4.8) [Compare Source](https://github.com/symfony/validator/compare/v6.4.7...v6.4.8) **Changelog** (<https://github.com/symfony/validator/compare/v6.4.7...v6.4.8>) - bug [symfony/symfony#57275](https://github.com/symfony/symfony/issues/57275) Fix autoload configs to avoid warnings when building optimized autoloaders ([@&#8203;Seldaek](https://github.com/Seldaek)) - bug [symfony/symfony#54924](https://github.com/symfony/symfony/issues/54924) \[Validator] IBAN Check digits should always between 2 and 98 ([@&#8203;karstennilsen](https://github.com/karstennilsen)) - bug [symfony/symfony#54834](https://github.com/symfony/symfony/issues/54834) \[Validator] Check `Locale` class existence before using it ([@&#8203;alexandre-daubois](https://github.com/alexandre-daubois)) - bug [symfony/symfony#54758](https://github.com/symfony/symfony/issues/54758) \[Validator] handle edge cases when constructing constraints with named arguments ([@&#8203;xabbuh](https://github.com/xabbuh)) - bug [symfony/symfony#54760](https://github.com/symfony/symfony/issues/54760) \[Validator] handle union and intersection types for cascaded validations ([@&#8203;xabbuh](https://github.com/xabbuh)) ### [`v6.4.7`](https://github.com/symfony/validator/releases/tag/v6.4.7) [Compare Source](https://github.com/symfony/validator/compare/v6.4.6...v6.4.7) **Changelog** (<https://github.com/symfony/validator/compare/v6.4.6...v6.4.7>) - bug [symfony/symfony#54750](https://github.com/symfony/symfony/issues/54750) \[Validator] detect wrong usages of minMessage/maxMessage in options ([@&#8203;xabbuh](https://github.com/xabbuh)) - bug [symfony/symfony#54751](https://github.com/symfony/symfony/issues/54751) \[Validator]  detect wrong e-mail validation modes ([@&#8203;xabbuh](https://github.com/xabbuh)) - bug [symfony/symfony#54487](https://github.com/symfony/symfony/issues/54487) \[Validator] Accept `Stringable` in `ExecutionContext::build/addViolation()` ([@&#8203;alexandre-daubois](https://github.com/alexandre-daubois)) ### [`v6.4.6`](https://github.com/symfony/validator/releases/tag/v6.4.6) [Compare Source](https://github.com/symfony/validator/compare/v6.4.4...v6.4.6) **Changelog** (<https://github.com/symfony/validator/compare/v6.4.5...v6.4.6>) - bug [symfony/symfony#54191](https://github.com/symfony/symfony/issues/54191) \[Validator] add missing invalid extension error entry ([@&#8203;xabbuh](https://github.com/xabbuh)) - bug [symfony/symfony#54219](https://github.com/symfony/symfony/issues/54219) \[Validator] Allow BICs’ first four characters to be digits ([@&#8203;MatTheCat](https://github.com/MatTheCat)) - bug [symfony/symfony#54137](https://github.com/symfony/symfony/issues/54137) \[Validator] UniqueValidator - normalize before reducing keys ([@&#8203;Brajk19](https://github.com/Brajk19)) ### [`v6.4.4`](https://github.com/symfony/validator/releases/tag/v6.4.4) [Compare Source](https://github.com/symfony/validator/compare/v6.4.3...v6.4.4) **Changelog** (<https://github.com/symfony/validator/compare/v6.4.3...v6.4.4>) - bug [symfony/symfony#53755](https://github.com/symfony/symfony/issues/53755) \[Validator] Fix fields without constraints in `Collection` ([@&#8203;xabbuh](https://github.com/xabbuh), [@&#8203;HypeMC](https://github.com/HypeMC)) ### [`v6.4.3`](https://github.com/symfony/validator/releases/tag/v6.4.3) [Compare Source](https://github.com/symfony/validator/compare/v6.4.2...v6.4.3) **Changelog** (<https://github.com/symfony/validator/compare/v6.4.2...v6.4.3>) - bug [symfony/symfony#53620](https://github.com/symfony/symfony/issues/53620) \[Validator] Fix option filenameMaxLength to the File constraint (Image) ([@&#8203;mindaugasvcs](https://github.com/mindaugasvcs)) - bug [symfony/symfony#53383](https://github.com/symfony/symfony/issues/53383) \[Validator] re-allow an empty list of fields ([@&#8203;xabbuh](https://github.com/xabbuh)) - bug [symfony/symfony#53350](https://github.com/symfony/symfony/issues/53350) \[Validator] fix the exception being thrown ([@&#8203;xabbuh](https://github.com/xabbuh)) ### [`v6.4.2`](https://github.com/symfony/validator/releases/tag/v6.4.2) [Compare Source](https://github.com/symfony/validator/compare/v6.4.0...v6.4.2) **Changelog** (<https://github.com/symfony/validator/compare/v6.4.1...v6.4.2>) - bug [symfony/symfony#52406](https://github.com/symfony/symfony/issues/52406) \[Validator] Fix `Constraints\Email::ERROR_NAMES` ([@&#8203;mathroc](https://github.com/mathroc)) - bug [symfony/symfony#53133](https://github.com/symfony/symfony/issues/53133) \[Validator] Fix using known option names as field names ([@&#8203;HypeMC](https://github.com/HypeMC)) - bug [symfony/symfony#52996](https://github.com/symfony/symfony/issues/52996) \[Validator] add missing translation ([@&#8203;xabbuh](https://github.com/xabbuh)) - bug [symfony/symfony#52935](https://github.com/symfony/symfony/issues/52935) \[Validator] Missing translations for Slovak (sk) [#&#8203;51954](https://github.com/symfony/validator/issues/51954) (Jan Vernarsky) - bug [symfony/symfony#52867](https://github.com/symfony/symfony/issues/52867) \[Validator] Only trigger deprecation when Validator annotations are used ([@&#8203;HypeMC](https://github.com/HypeMC)) ### [`v6.4.0`](https://github.com/symfony/validator/releases/tag/v6.4.0) [Compare Source](https://github.com/symfony/validator/compare/v6.3.12...v6.4.0) **Changelog** (<https://github.com/symfony/validator/compare/v6.4.0-RC2...v6.4.0>) - no significant changes ### [`v6.3.12`](https://github.com/symfony/validator/releases/tag/v6.3.12) [Compare Source](https://github.com/symfony/validator/compare/v6.3.11...v6.3.12) **Changelog** (<https://github.com/symfony/validator/compare/v6.3.11...v6.3.12>) - bug [symfony/symfony#53383](https://github.com/symfony/symfony/issues/53383) \[Validator] re-allow an empty list of fields ([@&#8203;xabbuh](https://github.com/xabbuh)) - bug [symfony/symfony#53350](https://github.com/symfony/symfony/issues/53350) \[Validator] fix the exception being thrown ([@&#8203;xabbuh](https://github.com/xabbuh)) ### [`v6.3.11`](https://github.com/symfony/validator/releases/tag/v6.3.11) [Compare Source](https://github.com/symfony/validator/compare/v6.3.9...v6.3.11) **Changelog** (<https://github.com/symfony/validator/compare/v6.3.10...v6.3.11>) - bug [symfony/symfony#52406](https://github.com/symfony/symfony/issues/52406) \[Validator] Fix `Constraints\Email::ERROR_NAMES` ([@&#8203;mathroc](https://github.com/mathroc)) - bug [symfony/symfony#53133](https://github.com/symfony/symfony/issues/53133) \[Validator] Fix using known option names as field names ([@&#8203;HypeMC](https://github.com/HypeMC)) - bug [symfony/symfony#52996](https://github.com/symfony/symfony/issues/52996) \[Validator] add missing translation ([@&#8203;xabbuh](https://github.com/xabbuh)) - bug [symfony/symfony#52935](https://github.com/symfony/symfony/issues/52935) \[Validator] Missing translations for Slovak (sk) [#&#8203;51954](https://github.com/symfony/validator/issues/51954) (Jan Vernarsky) ### [`v6.3.9`](https://github.com/symfony/validator/releases/tag/v6.3.9) [Compare Source](https://github.com/symfony/validator/compare/v6.3.8...v6.3.9) **Changelog** (<https://github.com/symfony/validator/compare/v6.3.8...v6.3.9>) - no significant changes ### [`v6.3.8`](https://github.com/symfony/validator/releases/tag/v6.3.8) [Compare Source](https://github.com/symfony/validator/compare/v6.3.7...v6.3.8) **Changelog** (<https://github.com/symfony/validator/compare/v6.3.7...v6.3.8>) - no significant changes </details> --- ### Configuration 📅 **Schedule**: Branch creation - "" (UTC), Automerge - At any time (no schedule defined). 🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied. ♻ **Rebasing**: Whenever PR is behind base branch, or you tick the rebase/retry checkbox. 🔕 **Ignore**: Close this PR and you won't be reminded about this update again. --- - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box --- This PR has been generated by [Renovate Bot](https://github.com/renovatebot/renovate). <!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0MS44Mi4zIiwidXBkYXRlZEluVmVyIjoiNDEuMTA3LjAiLCJ0YXJnZXRCcmFuY2giOiJtYWluIiwibGFiZWxzIjpbIidzZWN1cml0eSciXX0=-->
fix(deps): update dependency symfony/validator to 6.4.* [security]
Some checks failed
renovate/artifacts Artifact file update failure
9f91b575e5
Renovate commented 2025-08-21 15:12:14 +00:00
Author
Collaborator
Copy link

⚠️ Artifact update problem

Renovate failed to update an artifact related to this branch. You probably do not want to merge this PR as-is.

♻ Renovate will retry this branch, including artifacts, only when one of the following happens:

  • any of the package files in this branch needs updating, or
  • the branch becomes conflicted, or
  • you click the rebase/retry checkbox if found above, or
  • you rename this PR's title to start with "rebase!" to trigger it manually

The artifact failure details are included below:

File name: composer.lock
Command failed: composer update symfony/validator:6.4.11 --with-dependencies --ignore-platform-req='ext-*' --ignore-platform-req='lib-*' --no-ansi --no-interaction --no-scripts --no-autoloader --no-plugins --minimal-changes
Loading composer repositories with package information
Updating dependencies
Your requirements could not be resolved to an installable set of packages.

  Problem 1
    - symfony/translation is locked to version v6.3.7 and an update of this package was not requested.
    - Root composer.json requires symfony/validator 6.4.* -> satisfiable by symfony/validator[v6.4.11].
    - symfony/validator v6.4.11 conflicts with symfony/translation <5.4.35|>=6.0,<6.3.12|>=6.4,<6.4.3|>=7.0,<7.0.3.

Use the option --with-all-dependencies (-W) to allow upgrades, downgrades and removals for packages currently locked to specific versions.
### ⚠️ Artifact update problem Renovate failed to update an artifact related to this branch. You probably do not want to merge this PR as-is. ♻ Renovate will retry this branch, including artifacts, only when one of the following happens: - any of the package files in this branch needs updating, or - the branch becomes conflicted, or - you click the rebase/retry checkbox if found above, or - you rename this PR's title to start with "rebase!" to trigger it manually The artifact failure details are included below: ##### File name: composer.lock ``` Command failed: composer update symfony/validator:6.4.11 --with-dependencies --ignore-platform-req='ext-*' --ignore-platform-req='lib-*' --no-ansi --no-interaction --no-scripts --no-autoloader --no-plugins --minimal-changes Loading composer repositories with package information Updating dependencies Your requirements could not be resolved to an installable set of packages. Problem 1 - symfony/translation is locked to version v6.3.7 and an update of this package was not requested. - Root composer.json requires symfony/validator 6.4.* -> satisfiable by symfony/validator[v6.4.11]. - symfony/validator v6.4.11 conflicts with symfony/translation <5.4.35|>=6.0,<6.3.12|>=6.4,<6.4.3|>=7.0,<7.0.3. Use the option --with-all-dependencies (-W) to allow upgrades, downgrades and removals for packages currently locked to specific versions. ```
Some checks failed
renovate/artifacts Artifact file update failure
This pull request can be merged automatically.
You are not authorized to merge this pull request.
View command line instructions

Checkout

From your project repository, check out a new branch and test the changes.
git fetch -u origin renovate/packagist-symfony-validator-vulnerability:renovate/packagist-symfony-validator-vulnerability
git switch renovate/packagist-symfony-validator-vulnerability

Merge

Merge the changes and update on Forgejo.

Warning: The "Autodetect manual merge" setting is not enabled for this repository, you will have to mark this pull request as manually merged afterwards.

git switch main
git merge --no-ff renovate/packagist-symfony-validator-vulnerability
git switch renovate/packagist-symfony-validator-vulnerability
git rebase main
git switch main
git merge --ff-only renovate/packagist-symfony-validator-vulnerability
git switch renovate/packagist-symfony-validator-vulnerability
git rebase main
git switch main
git merge --no-ff renovate/packagist-symfony-validator-vulnerability
git switch main
git merge --squash renovate/packagist-symfony-validator-vulnerability
git switch main
git merge --ff-only renovate/packagist-symfony-validator-vulnerability
git switch main
git merge renovate/packagist-symfony-validator-vulnerability
git push origin main
Sign in to join this conversation.
Reviewers
No reviewers
Labels
Clear labels
No items
No labels
Milestone
Clear milestone
No items
No milestone
Projects
Clear projects
No items
No project
Assignees
Clear assignees
No assignees
1 participant
Notifications
Due date
The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference: jank/ventry#17
No description provided.
Delete branch "renovate/packagist-symfony-validator-vulnerability"

Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?