-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 Format: 1.8 Date: Fri, 22 May 2026 01:06:27 +0200 Source: symfony Architecture: source Version: 6.4.40+dfsg-0+deb13u1 Distribution: trixie-security Urgency: medium Maintainer: Debian PHP PEAR Maintainers Changed-By: David Prévot Changes: symfony (6.4.40+dfsg-0+deb13u1) trixie-security; urgency=medium . [ Fabien Potencier ] * Update VERSION for 6.4.40 . [ Nicolas Grekas ] * [HtmlSanitizer] Reject BiDi override characters and percent-encode spaces in URLs [CVE-2026-45064] * [MonologBridge] Bind server:log to localhost by default [CVE-2026-45077] * [Yaml] Bound recursion depth in the parser [CVE-2026-45133] * [TwigBridge] Fix XSS issue in CodeExtension::fileExcerpt() [CVE-2026-45072] * [Cache] Validate the prefix given to AbstractAdapter::clear() [CVE-2026-45073] * [Yaml] Bound collection-alias resolution in the parser [CVE-2026-45304] * [Yaml] Harden the Parser::cleanup() regexes against catastrophic backtracking [CVE-2026-45305] * [Runtime] Fix CVE-2024-50340 patch bypass by gating argv on $_SERVER['QUERY_STRING'] [CVE-2026-46626] . [ Alexandre Daubois ] * [Routing] Fix regex alternation anchoring in UrlGenerator requirement validation [CVE-2026-45065] * [DomCrawler] Fix XXE in addXmlContent() by not enabling `validateOnParse` [CVE-2026-45071] * [HtmlSanitizer] Fix allowLinkHosts/allowMediaHosts bypass via URL parser differentials and misclassification [CVE-2026-45066] * [Security] Add missing claims in `OidcTokenHandler` [CVE-2026-45069] * [Security] Anchor emailAddress regex to RDN boundary in X509Authenticator [CVE-2026-45063] * [Mime] Reject email addresses containing line breaks in Address [CVE-2026-45067] * [Mailer] Add end-of-options separator before recipients in SendmailTransport; reject addresses starting with a dash [CVE-2026-45068] * [Mailer][Mailjet] Reject webhooks with missing or invalid Basic credentials [CVE-2026-45754] Checksums-Sha1: 7be80209827f9c93cd82105486f8590edc3eb010 16771 symfony_6.4.40+dfsg-0+deb13u1.dsc c5ea9fab70de2edc242d6f2c648140c46fbc9cca 8763292 symfony_6.4.40+dfsg.orig.tar.xz e76de6f27c166d9884f079bbf98e423a355764d2 78912 symfony_6.4.40+dfsg-0+deb13u1.debian.tar.xz cc0c28b3713358f096136fdaf3d321943a05ec86 71708 symfony_6.4.40+dfsg-0+deb13u1_amd64.buildinfo Checksums-Sha256: 1f99ba0b44cf7334167fdec9907d5f34997039a868edbbbfb694653e5595f0b6 16771 symfony_6.4.40+dfsg-0+deb13u1.dsc 7d869a6d4f763e1641cabc6349c63dd3fe9203fd24989e429894046effec276c 8763292 symfony_6.4.40+dfsg.orig.tar.xz 9a2498ee453e58a5b0882ff6c2ac13d172308ebdcbd90d7ddf55d998a1c7e9a3 78912 symfony_6.4.40+dfsg-0+deb13u1.debian.tar.xz 3d89b8e25f472389d3ec3c1f17f7781840d7168d19b1fdbd8a12b30e47a04651 71708 symfony_6.4.40+dfsg-0+deb13u1_amd64.buildinfo Files: c6f50466e670965e149158b43b911f60 16771 php optional symfony_6.4.40+dfsg-0+deb13u1.dsc 987aa5700fb6c17587842216c4f456f0 8763292 php optional symfony_6.4.40+dfsg.orig.tar.xz af6e4be4b4009a366313130610d6b43c 78912 php optional symfony_6.4.40+dfsg-0+deb13u1.debian.tar.xz f41ed4a485cf43d23c34680c80056525 71708 php optional symfony_6.4.40+dfsg-0+deb13u1_amd64.buildinfo -----BEGIN PGP SIGNATURE----- iQFGBAEBCgAwFiEEeHVNB7wJXHRI941mBYwc+UT2vTwFAmoT82MSHHRhZmZpdEBk ZWJpYW4ub3JnAAoJEAWMHPlE9r08Z0YIAJ66ZkFbWdLqKE3nPSSd/8xygCchZ/OT bF77NV5BeFLZcGwyUOwyKagXJAiNbUYhviLwLqCddYOdkGyMu7I4yxCWAVo5Ce7z vc2rwLVu+ISbtDQ/N2byq7M+YqgSW6q/RseaAN6k5zyvqVcsy7qRaPAfOUN9LCTG 4AIFMBtcwLxWHtamm8vmP6xsifyrZhflWKOKiS2TXaKhDUatAzYVZ9hK8TZA77m2 wjQGNuNi9i3CTb7DrUgl5vDMOPpgWwQQPXSoo1san5X+4dMOmbvBP4wM5TolIHUL H2daj/OPxxsBXd7J18fvQKuTf8zKBWq0HwVNHwZTJHtCBWDEiw6jqTg= =da0O -----END PGP SIGNATURE-----