Update dependency symfony/runtime to v6.4.14 [SECURITY]

[renovate]

This PR contains the following updates:

Package	Change	Age	Confidence
symfony/runtime (source)	6.4.8 → 6.4.14

---

Symfony allows changing the environment through a query

CVE-2024-50340 / GHSA-x8vp-gf4q-mw5j

More information

Details

Description

When the register_argc_argv php directive is set to on , and users call any URL with a special crafted query string, they are able to change the environment or debug mode used by the kernel when handling the request.

Resolution

The SymfonyRuntime now ignores the argv values for non-cli SAPIs PHP runtimes

The patch for this issue is available here for branch 5.4.

Credits

We would like to thank Vladimir Dusheyko for reporting the issue and Wouter de Jong for providing the fix.

Severity

• CVSS Score: 6.9 / 10 (Medium)
• Vector String: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N

References

• https://github.com/symfony/symfony/security/advisories/GHSA-x8vp-gf4q-mw5j
• https://github.com/symfony/symfony/commit/a77b308c3f179ed7c8a8bc295f82b2d6ee3493fa
• https://github.com/FriendsOfPHP/security-advisories/blob/master/symfony/runtime/CVE-2024-50340.yaml
• https://github.com/FriendsOfPHP/security-advisories/blob/master/symfony/symfony/CVE-2024-50340.yaml
• https://symfony.com/cve-2024-50340
• https://nvd.nist.gov/vuln/detail/CVE-2024-50340
• https://github.com/advisories/GHSA-x8vp-gf4q-mw5j

This data is provided by the GitHub Advisory Database (CC-BY 4.0).

---

Release Notes

symfony/runtime (symfony/runtime)

v6.4.14

Compare Source

Changelog (symfony/runtime@v6.4.13...v6.4.14)

• security symfony/symfony#cve-2024-50340 [Runtime] Do not read from argv on non-CLI SAPIs (@​wouterj)

v6.4.13

Compare Source

Changelog (symfony/runtime@v6.4.12...v6.4.13)

• bug symfony/symfony#58372 Tweak error/exception handler registration (@​nicolas-grekas)

v6.4.12

Compare Source

Changelog (symfony/runtime@v6.4.11...v6.4.12)

• no significant changes

---

Configuration

📅 Schedule: (UTC)

• Branch creation
  • ""
• Automerge
  • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[renovate]

⚠️ Artifact update problem

Renovate failed to update an artifact related to this branch. You probably do not want to merge this PR as-is.

♻ Renovate will retry this branch, including artifacts, only when one of the following happens:

• any of the package files in this branch needs updating, or
• the branch becomes conflicted, or
• you click the rebase/retry checkbox if found above, or
• you rename this PR's title to start with "rebase!" to trigger it manually

The artifact failure details are included below:

File name: composer.lock

Command failed: composer update symfony/runtime:6.4.14 --with-dependencies --ignore-platform-req=ext-* --ignore-platform-req=lib-* --no-ansi --no-interaction --no-scripts --no-autoloader --no-plugins --minimal-changes
Loading composer repositories with package information
Updating dependencies
Your requirements could not be resolved to an installable set of packages.

  Problem 1
    - Root composer.json requires symfony/runtime 6.4.*, found symfony/runtime[v6.4.0, ..., v6.4.40] but these were not loaded, because they are affected by security advisories ("PKSA-py8y-z9q7-q197", "PKSA-d1rr-z8zb-qnm7"). Go to https://packagist.org/security-advisories/ to find advisory details. To ignore the advisories, add them to the audit "ignore" config. To turn the feature off entirely, you can set "block-insecure" to false in your "audit" config.