🚨 [security] Update drupal/core: 9.4.8 → 9.4.14 (patch)

[depfu]

---

🚨 Your current dependencies have known security vulnerabilities 🚨

This dependency update fixes known security vulnerabilities. Please see the details below and assess their impact carefully. We recommend to merge and deploy this as soon as possible!

---

Here is everything you need to know about this update. Please take a good look at what changed and the test results before merging this pull request.

What changed?

↗️ drupal/core (indirect, 9.4.8 → 9.4.14) · Repo · Changelog

Security Advisories 🚨

🚨 Access bypass in Drupal core

The file download facility doesn't sufficiently sanitize file paths in certain situations. This may result in users gaining access to private files that they should not have access to. Some sites may require configuration changes following this security release. Review the release notes for your Drupal version if you have issues accessing private files after updating.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

✳️ drupal/core-recommended (9.4.8 → 9.4.14) · Repo

Commits

See the full diff on Github. The new version differs by 12 commits:

• Drupal 9.4.14
• Drupal 9.4.13
• Merged 9.4.12.
• Drupal 9.4.12
• Back to dev.
• Drupal 9.4.11
• Issue #3338301 by catch, longwave, benjifisher, jungle: Update Symfony to v6.2.6 / v4.4.50
• Merged 9.4.10.
• Drupal 9.4.10
• Back to dev.
• Drupal 9.4.9
• Back to dev.

↗️ egulias/email-validator (indirect, 3.2.1 → 3.2.5) · Repo · Changelog

Release Notes

3.2.5

What's Changed

• GitHub Actions by @driesvints in #348
  • Also, Coveralls removed in favor of Scrutinizer
  • composer.lock removed

Full Changelog: 3.2.4...3.2.5

3.2.4

What's Changed

• Allow doctrine/lexer 2 by @derrabus in #345

Full Changelog: 3.2.3...3.2.4

3.2.2

Changelog

• #326
• #328
• #329
• #330
• #331
• #332
• #333
• #340
• #343

What's Changed

• Bump guzzlehttp/guzzle from 7.4.3 to 7.4.5 by @dependabot in #326
• No unused imports by @MathiasReker in #332
• No superfluous elseif by @MathiasReker in #331
• Single blank line at eof by @MathiasReker in #330
• Visibility required by @MathiasReker in #329
• Nullable type declaration for default null value by @MathiasReker in #328
• CHANGELOG: Fix typo “Breacking” by @alexislefebvre in #333
• Allow doctrine/lexer 2 by @derrabus in #340
• Bump all locked dependencies by @derrabus in #343

New Contributors

• @dependabot made their first contribution in #326
• @MathiasReker made their first contribution in #332
• @alexislefebvre made their first contribution in #333
• @derrabus made their first contribution in #340

Full Changelog: 3.2.1...3.2.2

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by 10 commits:

• GitHub Actions (#348)
• Allow doctrine/lexer 2 (#345)
• CHANGELOG: Fix typo “Breacking” (#333)
• Update LICENSE
• Nullable type declaration for default null value (#328)
• Visibility required (#329)
• Single blank line at eof (#330)
• No superfluous elseif (#331)
• No unused imports (#332)
• Bump guzzlehttp/guzzle from 7.4.3 to 7.4.5 (#326)

↗️ guzzlehttp/psr7 (indirect, 1.9.0 → 1.9.1) · Repo · Changelog

Security Advisories 🚨

🚨 Improper header name validation in guzzlehttp/psr7

Impact

Improper header parsing. An attacker could sneak in a newline (\n) into both the header names and values. While the specification states that \r\n\r\n is used to terminate the header list, many servers in the wild will also accept \n\n.

Patches

The issue is patched in 1.9.1 and 2.4.5.

Workarounds

There are no known workarounds.

References

• https://www.rfc-editor.org/rfc/rfc7230#section-3.2.4

Release Notes

1.9.1

See change log for changes.

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by 5 commits:

• Release 1.9.1
• Release 1.9.1
• Patch header validation issue
• Remove branch alias
• Update CI workflows (#552)

↗️ pear/pear-core-minimal (indirect, 1.10.11 → 1.10.13) · Repo

Commits

See the full diff on Github. The new version differs by 3 commits:

• Deprecations for PHP 8.1
• fix: typo in _parseFeaturesHeaderFile
• Fix: Creation of dynamic property PEAR_Error::$callback is deprecated

↗️ psr/http-client (indirect, 1.0.1 → 1.0.2) · Repo · Changelog

Release Notes

1.0.2

• Allow PSR-7 (psr/http-message) 2.0

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by 3 commits:

• Merge pull request #17 from ghostwriter/feature/http-message-v2
• Support `psr/http-message` v2
• Update url to HTTPS (#15)

↗️ psr/http-factory (indirect, 1.0.1 → 1.0.2) · Repo

Release Notes

1.0.2

• Allow PSR-7 (psr/http-message) 2.0

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by 9 commits:

• Merge pull request #13 from ghostwriter/feature/http-message-v2
• Support `psr/http-message` v2
• Merge pull request #12 from TimWolla/patch-1
• Add .gitattributes setting `export-ignore`
• Merge pull request #11 from J0WI/patch-1
• Update url to HTTPS
• Merge pull request #9 from gnumoksha/patch-1
• Update README.md
• docs: Standardize the README

↗️ symfony/console (indirect, 4.4.47 → 4.4.49) · Repo · Changelog

↗️ symfony/dependency-injection (indirect, 4.4.44 → 4.4.49) · Repo · Changelog

↗️ symfony/http-foundation (indirect, 4.4.47 → 4.4.49) · Repo · Changelog

↗️ symfony/http-kernel (indirect, 4.4.47 → 4.4.50) · Repo · Changelog

Security Advisories 🚨

🚨 Symfony storing cookie headers in HttpCache

Description

The Symfony HTTP cache system acts as a reverse proxy: it caches HTTP responses (including headers) and returns them to clients.

In a recent AbstractSessionListener change, the response might now contain a Set-Cookie header. If the Symfony HTTP cache system is enabled, this header might be stored and returned to some other clients. An attacker can use this vulnerability to retrieve the victim's session.

Resolution

The HttpStore constructor now takes a parameter containing a list of private headers that are removed from the HTTP response headers.
The default value for this parameter is Set-Cookie, but it can be overridden or extended by the application.

The patch for this issue is available here for branch 4.4.

Credits

We would like to thank Soner Sayakci for reporting the issue and Nicolas Grekas for fixing it.

Release Notes

4.4.50

Changelog (v4.4.49...v4.4.50)

• no significant changes

4.4.49

Changelog (v4.4.48...v4.4.49)

• bug #48273 Fix message for unresovable arguments of invokable controllers (fancyweb)

Does any of this look wrong? Please let us know.

↗️ symfony/polyfill-ctype (indirect, 1.25.0 → 1.27.0) · Repo

Commits

See the full diff on Github. The new version differs by 3 commits:

• Prepare for v1.27
• Update changelog
• Update CHANGELOG.md

↗️ symfony/polyfill-iconv (indirect, 1.25.0 → 1.27.0) · Repo

Commits

See the full diff on Github. The new version differs by 3 commits:

• Prepare for v1.27
• Update changelog
• Update CHANGELOG.md

↗️ symfony/polyfill-intl-idn (indirect, 1.25.0 → 1.27.0) · Repo

Commits

See the full diff on Github. The new version differs by 4 commits:

• Prepare for v1.27
• CS fix
• Update changelog
• Update CHANGELOG.md

↗️ symfony/polyfill-intl-normalizer (indirect, 1.25.0 → 1.27.0) · Repo

Commits

See the full diff on Github. The new version differs by 4 commits:

• Prepare for v1.27
• CS fix
• Update changelog
• Update CHANGELOG.md

↗️ symfony/polyfill-mbstring (indirect, 1.25.0 → 1.27.0) · Repo

Commits

See the full diff on Github. The new version differs by 5 commits:

• Prepare for v1.27
• CS fix
• Update changelog
• Update CHANGELOG.md
• Passing null to preg_split() throws deprecation on PHP 8.1

↗️ symfony/polyfill-php72 (indirect, 1.26.0 → 1.27.0) · Repo

Commits

See the full diff on Github. The new version differs by 2 commits:

• Prepare for v1.27
• CS fix

↗️ symfony/polyfill-php73 (indirect, 1.26.0 → 1.27.0) · Repo

Commits

See the full diff on Github. The new version differs by 1 commit:

• Prepare for v1.27

↗️ symfony/polyfill-php80 (indirect, 1.25.0 → 1.27.0) · Repo

Commits

See the full diff on Github. The new version differs by 4 commits:

• Prepare for v1.27
• CS fix
• Update CHANGELOG.md
• Update README

↗️ symfony/polyfill-php81 (indirect, 1.26.0 → 1.27.0) · Repo

Commits

See the full diff on Github. The new version differs by 2 commits:

• Prepare for v1.27
• CS fix

↗️ symfony/psr-http-message-bridge (indirect, 2.1.3 → 2.1.4) · Repo · Changelog

Release Notes

2.1.4

What's Changed

• perf: ensure timely flush stream buffers by @cidosx in #109
• Add PHP 8.2 to CI by @derrabus in #110

New Contributors

• @cidosx made their first contribution in #109

Full Changelog: v2.1.3...v2.1.4

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by 4 commits:

• minor #110 Add PHP 8.2 to CI (derrabus)
• Add PHP 8.2 to CI
• bug #109 perf: ensure timely flush stream buffers (cidosx)
• perf: ensure timely flush stream buffers

↗️ symfony/validator (indirect, 4.4.47 → 4.4.48) · Repo · Changelog

↗️ symfony/var-dumper (indirect, 5.4.14 → 5.4.22) · Repo · Changelog

Commits

See the full diff on Github. The new version differs by 13 commits:

• [VarDumper] Disable links for IntelliJ platform
• [VarDumper] Fixed dumping of CutStub
• [VarDumper] Add a bit of test coverage
• [VarDumper] Fix error when reflected class has default Enum parameter in constructor
• Fix phpdocs in components
• CS fix
• Migrate to `static` data providers using `rector/rector`
• Update license years (last time)
• [VarDumper] Fix JS to expand / collapse
• Bump license year to 2023
• Use static methods inside data providers
• Fix getting the name of closures on PHP 8.1.11+
• [VarDumper] Ignore \Error in __debugInfo()

↗️ twig/twig (indirect, 2.15.3 → 2.15.4) · Repo · Changelog

Commits

See the full diff on Github. The new version differs by 26 commits:

• Prepare the 2.15.4 release
• Update CHANGELOG
• bug #3738 do not clean up whitespace text nodes inside if tags (xabbuh)
• do not clean up whitespace text nodes inside if tags
• Bump version of actions/cache
• chore: Included githubactions in the dependabot config
• Fix tests
• bug #3769 Updates CoreExtension::twig_constant to check for definition first to avoid hard crash (Alex Henderson-Roche)
• Updates CoreExtension::twig_constant to check for definition first to avoid hard crash
• Do more Github actions updates
• Use checkout actions v3
• Add PHP 8.2 to the tests
• Remove a test that was a regression test for the C extension
• minor #3779 Cycle function: Add output to example code (kathi-at-datrycs)
• Add output
• minor #3780 Add missing argument for the cycle function (stof)
• minor #3781 Fix the drupal testing script (stof)
• Fix the drupal testing script
• Add missing argument for the cycle function
• bug #3777 Fix optimizing closures callbacks (nicolas-grekas)
• Fix optimizing closures callbacks
• minor #3759 Update templates.rst (Francoscopic)
• Update templates.rst
• minor #3751 Update michelf/php-markdown require-dev to allow v2 (bobvandevijver)
• Update michelf/php-markdown require-dev to allow v2
• Bump version

---

Depfu will automatically keep this PR conflict-free, as long as you don't add any commits to this branch yourself. You can also trigger a rebase manually by commenting with @depfu rebase.

All Depfu comment commands

@​depfu rebase

Rebases against your default branch and redoes this update

@​depfu recreate

Recreates this PR, overwriting any edits that you've made to it

@​depfu merge

Merges this PR once your tests are passing and conflicts are resolved

@​depfu close

Closes this PR and deletes the branch

@​depfu reopen

Restores the branch and reopens this PR (if it's closed)

@​depfu pause

Ignores all future updates for this dependency and closes this PR

@​depfu pause [minor|major]

Ignores all future minor/major updates for this dependency and closes this PR

@​depfu resume

Future versions of this dependency will create PRs again (leaves this PR as is)