-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Thu, 28 May 2026 00:18:24 +0200
Source: symfony
Architecture: source
Version: 5.4.53+dfsg-0+deb12u1
Distribution: bookworm-security
Urgency: medium
Maintainer: Debian PHP PEAR Maintainers <pkg-php-pear@lists.alioth.debian.org>
Changed-By: David Prévot <taffit@debian.org>
Changes:
 symfony (5.4.53+dfsg-0+deb12u1) bookworm-security; urgency=medium
 .
   [ Fabien Potencier ]
   * Update VERSION for 5.4.53
 .
   [ Nicolas Grekas ]
   * [MonologBridge] Bind server:log to localhost by default [CVE-2026-45077]
   * [Yaml] Bound recursion depth in the parser [CVE-2026-45133]
   * [Cache] Validate the prefix given to AbstractAdapter::clear()
     [CVE-2026-45073]
   * [Yaml] Bound collection-alias resolution in the parser [CVE-2026-45304]
   * [Yaml] Harden the Parser::cleanup() regexes against catastrophic
     backtracking [CVE-2026-45305]
   * [Runtime] Fix CVE-2024-50340 patch bypass by gating argv on
     $_SERVER['QUERY_STRING'] [CVE-2026-46626]
   * [HttpClient] Block IPv6 transition forms in NoPrivateNetworkHttpClient
     [CVE-2026-48736]
   * [Routing] Fix dot-segment encoding for chained "../" and "./" in generated
     URLs [CVE-2026-48784]
   * [Security] Don't honor user-supplied _failure_path on failure_forward
     [CVE-2026-48489]
 .
   [ Alexandre Daubois ]
   * [Routing] Fix regex alternation anchoring in UrlGenerator requirement
     validation [CVE-2026-45065]
   * [DomCrawler] Fix XXE in addXmlContent() by not enabling `validateOnParse`
     [CVE-2026-45071]
   * [Security] Anchor emailAddress regex to RDN boundary in X509Authenticator
     [CVE-2026-45063]
   * [Mime] Reject email addresses containing line breaks in Address
     [CVE-2026-45067]
   * [Mailer] Add end-of-options separator before recipients in
     SendmailTransport; reject addresses starting with a dash [CVE-2026-45068]
 .
   [ David Prévot ]
   * debian/gbp.conf: permit new upstream release
   * Refresh patches
   * Update homemade autoload.php
   * Update copyright for new image
   * Exclude some test files for phpab
   * Use php-http-message-factory for tests
Checksums-Sha1:
 b7f13df88e4160caa7a6cc96a0ddcf5ac6b03f77 13285 symfony_5.4.53+dfsg-0+deb12u1.dsc
 d91a05c3b896b50d464a388a229cda1a09a913b1 5108528 symfony_5.4.53+dfsg.orig.tar.xz
 ee97fd59c6f6ab00c4d98637443f1f30088ac0db 64056 symfony_5.4.53+dfsg-0+deb12u1.debian.tar.xz
 68d56f5498759f6cd5376e773cbd55ce14f2d9d6 57541 symfony_5.4.53+dfsg-0+deb12u1_i386.buildinfo
Checksums-Sha256:
 5c805af7b6039ff7f6ebc11b4a8d7c41596bb65661f3f9ab7542e70310722681 13285 symfony_5.4.53+dfsg-0+deb12u1.dsc
 515820883adad6d72924de6414d2f51f8a4eea5d95d836075c89abd4ae6471f1 5108528 symfony_5.4.53+dfsg.orig.tar.xz
 5138be9553c51d51052ace592c63b8891465ca7766b998f39bb87e43bd8eaa6b 64056 symfony_5.4.53+dfsg-0+deb12u1.debian.tar.xz
 26655e226c394d2b60128d76fbaebb75260300fc717576d2b9657fc8446be5d7 57541 symfony_5.4.53+dfsg-0+deb12u1_i386.buildinfo
Files:
 d0a83f0a4623b2471a59d8dd8e704939 13285 php optional symfony_5.4.53+dfsg-0+deb12u1.dsc
 636a1196e39c0b956089140b8a2e3fa8 5108528 php optional symfony_5.4.53+dfsg.orig.tar.xz
 b86fbd4c44ea88d58306394f90044656 64056 php optional symfony_5.4.53+dfsg-0+deb12u1.debian.tar.xz
 9c1180ece15743a25005fa7e371a0a5a 57541 php optional symfony_5.4.53+dfsg-0+deb12u1_i386.buildinfo

-----BEGIN PGP SIGNATURE-----

iQFGBAEBCgAwFiEEeHVNB7wJXHRI941mBYwc+UT2vTwFAmoYs/MSHHRhZmZpdEBk
ZWJpYW4ub3JnAAoJEAWMHPlE9r08ri0IAI8WPyfVbm07sM0474uNnccsVxAKJsdP
qTM4hxgGsCiXDsC+PiwCiE3Neo/6Na1RX/WxDivLpRY3pPYnpteC6Um0C1Svo8nv
KCslT0sMHMZngqPNcCBERULoxw1s5P8NT0HtU7/FcbHWX96OPA5yurEora4tM+LF
lj8ZPb1Lp56EZ49kp+1ZE34/VBekAbYuQM0M7KIecPjvVWdqIIRuiFUQsLm2ArjK
2QQ9Bun6/+LC4xTFSUAOliTtL1joUdOUtFtUDeeX/LCf/6bI4ZNyPf0rMEhp3amv
Lq23JdRL6zmBSQbPB11rlXK+cp80aWxXYGCtb2PMreNZqhzdiYZT6ho=
=lPaT
-----END PGP SIGNATURE-----