Version in base suite: 3.4.22+dfsg-2 Base version: symfony_3.4.22+dfsg-2 Target version: symfony_3.4.22+dfsg-2+deb10u1 Base file: /srv/ftp-master.debian.org/ftp/pool/main/s/symfony/symfony_3.4.22+dfsg-2.dsc Target file: /srv/ftp-master.debian.org/policy/pool/main/s/symfony/symfony_3.4.22+dfsg-2+deb10u1.dsc
/srv/release.debian.org/tmp/2aXymPKBlR/symfony-3.4.22+dfsg/debian/patches/HttpFoundation-fix-guessing-mime-types-of-files-with-lead.patch |binary
symfony-3.4.22+dfsg/debian/changelog | 12 ++
symfony-3.4.22+dfsg/debian/patches/Cache-forbid-serializing-AbstractAdapter-and-TagAwareAdap.patch | 53 ++++++++++
symfony-3.4.22+dfsg/debian/patches/Drop-failing-tests-with-recent-PHP.patch | 24 ++++
symfony-3.4.22+dfsg/debian/patches/Use-constant-time-comparison-in-UriSigner.patch | 35 ++++++
symfony-3.4.22+dfsg/debian/patches/series | 4
symfony-3.4.22+dfsg/debian/source/include-binaries | 1
7 files changed, 129 insertions(+)
diff -Nru symfony-3.4.22+dfsg/debian/changelog symfony-3.4.22+dfsg/debian/changelog
--- symfony-3.4.22+dfsg/debian/changelog 2019-04-18 12:14:25.000000000 +0000
+++ symfony-3.4.22+dfsg/debian/changelog 2019-11-13 19:10:15.000000000 +0000
@@ -1,3 +1,15 @@
+symfony (3.4.22+dfsg-2+deb10u1) buster-security; urgency=medium
+
+ * Drop failing tests with recent PHP (Closes: #930003)
+ * Backport security fixes from 3.4.35
+ - [HttpKernel] Use constant time comparison in UriSigner [CVE-2019-18887]
+ - [Cache] forbid serializing AbstractAdapter and TagAwareAdapter instances
+ [CVE-2019-18889]
+ - [HttpFoundation] fix guessing mime-types of files with leading dash
+ [CVE-2019-18888]
+
+ -- David Prévot Wed, 13 Nov 2019 09:10:15 -1000
+
 symfony (3.4.22+dfsg-2) unstable; urgency=medium
 
 * Drop incorrect and useless overrides
diff -Nru symfony-3.4.22+dfsg/debian/patches/Cache-forbid-serializing-AbstractAdapter-and-TagAwareAdap.patch symfony-3.4.22+dfsg/debian/patches/Cache-forbid-serializing-AbstractAdapter-and-TagAwareAdap.patch
--- symfony-3.4.22+dfsg/debian/patches/Cache-forbid-serializing-AbstractAdapter-and-TagAwareAdap.patch 1970-01-01 00:00:00.000000000 +0000
+++ symfony-3.4.22+dfsg/debian/patches/Cache-forbid-serializing-AbstractAdapter-and-TagAwareAdap.patch 2019-11-13 19:04:23.000000000 +0000
@@ -0,0 +1,53 @@
+From: Nicolas Grekas
+Date: Tue, 16 Jul 2019 11:30:28 +0200
+Subject: [Cache] forbid serializing AbstractAdapter and TagAwareAdapter
+ instances
+
+Origin: usptream, https://github.com/symfony/symfony/commit/150741390d93f67a92295edc4d699a2237fec545
+---
+ src/Symfony/Component/Cache/Adapter/AbstractAdapter.php | 10 ++++++++++
+ src/Symfony/Component/Cache/Adapter/TagAwareAdapter.php | 10 ++++++++++
+ 2 files changed, 20 insertions(+)
+
+diff --git a/src/Symfony/Component/Cache/Adapter/AbstractAdapter.php b/src/Symfony/Component/Cache/Adapter/AbstractAdapter.php
+index 099c97a..67aa29f 100644
+--- a/src/Symfony/Component/Cache/Adapter/AbstractAdapter.php
++++ b/src/Symfony/Component/Cache/Adapter/AbstractAdapter.php
+@@ -271,6 +271,16 @@ abstract class AbstractAdapter implements AdapterInterface, LoggerAwareInterface
+ return $ok;
+ }
+
++ public function __sleep()
++ {
++ throw new \BadMethodCallException('Cannot serialize '.__CLASS__);
++ }
++
++ public function __wakeup()
++ {
++ throw new \BadMethodCallException('Cannot unserialize '.__CLASS__);
++ }
++
+ public function __destruct()
+ {
+ if ($this->deferred) {
+diff --git a/src/Symfony/Component/Cache/Adapter/TagAwareAdapter.php b/src/Symfony/Component/Cache/Adapter/TagAwareAdapter.php
+index d453e27..9d13ee6 100644
+--- a/src/Symfony/Component/Cache/Adapter/TagAwareAdapter.php
++++ b/src/Symfony/Component/Cache/Adapter/TagAwareAdapter.php
+@@ -274,6 +274,16 @@ class TagAwareAdapter implements TagAwareAdapterInterface, PruneableInterface, R
+ return $this->invalidateTags([]);
+ }
+
++ public function __sleep()
++ {
++ throw new \BadMethodCallException('Cannot serialize '.__CLASS__);
++ }
++
++ public function __wakeup()
++ {
++ throw new \BadMethodCallException('Cannot unserialize '.__CLASS__);
++ }
++
+ public function __destruct()
+ {
+ $this->commit();
diff -Nru symfony-3.4.22+dfsg/debian/patches/Drop-failing-tests-with-recent-PHP.patch
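Review bot: The exception message in `AbstractAdapter::__sleep()` and `__wakeup()` is built with `__CLASS__`, which is resolved at compile time and so always reports the abstract class rather than the concrete adapter that was actually (un)serialized; `static::class` is available on every PHP version this branch supports and would make the diagnostic name the real subclass, e.g. `throw new \BadMethodCallException('Cannot serialize '.static::class);` (and the `__wakeup()` counterpart). In `TagAwareAdapter` the class is concrete, so `__CLASS__` is fine there. The DEP-3 header line `Origin: usptream, …` misspells "upstream". One caveat to keep in mind, not something this hunk can fix: on PHP 7.4+ a subclass that defines `__serialize()`/`__unserialize()` would bypass these `__sleep`/`__wakeup` guards, although no such subclass is visible here.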
symfony-3.4.22+dfsg/debian/patches/Drop-failing-tests-with-recent-PHP.patch
--- symfony-3.4.22+dfsg/debian/patches/Drop-failing-tests-with-recent-PHP.patch 1970-01-01 00:00:00.000000000 +0000
+++ symfony-3.4.22+dfsg/debian/patches/Drop-failing-tests-with-recent-PHP.patch 2019-11-13 19:04:23.000000000 +0000
@@ -0,0 +1,24 @@
+From: =?utf-8?q?David_Pr=C3=A9vot?=
+Date: Tue, 25 Jun 2019 12:18:24 -1000
+Subject: Drop failing tests with recent PHP
+
+To be investigated
+
+Bug-Debian: https://bugs.debian.org/930003
+---
+ .../Component/Validator/Tests/Constraints/EmailValidatorTest.php | 2 --
+ 1 file changed, 2 deletions(-)
+
+diff --git a/src/Symfony/Component/Validator/Tests/Constraints/EmailValidatorTest.php b/src/Symfony/Component/Validator/Tests/Constraints/EmailValidatorTest.php
+index 60cf10e..15eeef1 100644
+--- a/src/Symfony/Component/Validator/Tests/Constraints/EmailValidatorTest.php
++++ b/src/Symfony/Component/Validator/Tests/Constraints/EmailValidatorTest.php
+@@ -154,8 +154,6 @@ class EmailValidatorTest extends ConstraintValidatorTestCase
+ ['"test".test@iana.org'],
+ ['"test"'.\chr(0).'@iana.org'],
+ ['"test\"@iana.org'],
+- [\chr(226).'@iana.org'],
+- ['test@'.\chr(226).'.org'],
+ ['\r\ntest@iana.org'],
+ ['\r\n test@iana.org'],
+ ['\r\n \r\ntest@iana.org'],
Binary files /srv/release.debian.org/tmp/LmdqBjDe6_/symfony-3.4.22+dfsg/debian/patches/HttpFoundation-fix-guessing-mime-types-of-files-with-lead.patch and /srv/release.debian.org/tmp/2aXymPKBlR/symfony-3.4.22+dfsg/debian/patches/HttpFoundation-fix-guessing-mime-types-of-files-with-lead.patch differ
diff -Nru symfony-3.4.22+dfsg/debian/patches/Use-constant-time-comparison-in-UriSigner.patch symfony-3.4.22+dfsg/debian/patches/Use-constant-time-comparison-in-UriSigner.patch
--- symfony-3.4.22+dfsg/debian/patches/Use-constant-time-comparison-in-UriSigner.patch 1970-01-01 00:00:00.000000000 +0000
+++ symfony-3.4.22+dfsg/debian/patches/Use-constant-time-comparison-in-UriSigner.patch 2019-11-13 19:04:23.000000000 +0000
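Review bot: The two removed provider entries, `[\chr(226).'@iana.org']` and `['test@'.\chr(226).'.org']`, are the only cases in this hunk that feed a bare non-UTF-8 byte to the email validator, so deleting them drops the test coverage for malformed-byte input while the patch header records only `To be investigated`. Please state in the DEP-3 header which PHP version and which assertion fails (the bug reference is there, the failure mode is not), so a reader can tell whether the validator's behavior on invalid bytes changed or the expectation did. Prefer keeping the cases reachable, for instance behind an explicit skip that cites #930003, over deleting them, so they can be reinstated once the cause is known. The provider method these lines belong to starts and ends outside the hunk.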
@@ -0,0 +1,35 @@
+From: Christophe Coevoet
+Date: Fri, 24 May 2019 12:09:27 +0200
+Subject: Use constant time comparison in UriSigner
+
+Origin: upstream, https://github.com/symfony/symfony/commit/23151ed1380c3212b9647c62f2385da00a6fe379
+---
+ src/Symfony/Component/HttpKernel/UriSigner.php | 2 +-
+ src/Symfony/Component/HttpKernel/composer.json | 1 +
+ 2 files changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/src/Symfony/Component/HttpKernel/UriSigner.php b/src/Symfony/Component/HttpKernel/UriSigner.php
+index 481270d..ffe31a2 100644
+--- a/src/Symfony/Component/HttpKernel/UriSigner.php
++++ b/src/Symfony/Component/HttpKernel/UriSigner.php
+@@ -79,7 +79,7 @@ class UriSigner
+ $hash = $params[$this->parameter];
+ unset($params[$this->parameter]);
+
+- return $this->computeHash($this->buildUrl($url, $params)) === $hash;
++ return hash_equals($this->computeHash($this->buildUrl($url, $params)), $hash);
+ }
+
+ private function computeHash($uri)
+diff --git a/src/Symfony/Component/HttpKernel/composer.json b/src/Symfony/Component/HttpKernel/composer.json
+index f47f116..7f471c6 100644
+--- a/src/Symfony/Component/HttpKernel/composer.json
++++ b/src/Symfony/Component/HttpKernel/composer.json
+@@ -21,6 +21,7 @@
+ "symfony/http-foundation": "~3.4.12|~4.0.12|^4.1.1",
+ "symfony/debug": "^3.3.3|~4.0",
+ "symfony/polyfill-ctype": "~1.8",
++ "symfony/polyfill-php56": "~1.8",
+ "psr/log": "~1.0"
+ },
+ "require-dev": {
diff -Nru symfony-3.4.22+dfsg/debian/patches/series symfony-3.4.22+dfsg/debian/patches/series
--- symfony-3.4.22+dfsg/debian/patches/series 2019-04-18 12:14:25.000000000 +0000
+++ symfony-3.4.22+dfsg/debian/patches/series 2019-11-13 19:04:31.000000000 +0000
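Review bot: The replaced `return hash_equals(...)` line changes what happens when `$hash` is not a string: `===` simply evaluated to false, whereas `hash_equals()` emits a warning and returns false on PHP 7 and throws a `TypeError` on PHP 8, and `$hash` is read straight from `$params[$this->parameter]` two lines above, which can be an array if `$params` is produced by `parse_str()` from the request query (that code is outside the hunk, so this is inferred). A type guard keeps the constant-time compare and the previous fail-closed behavior: `return \is_string($hash) && hash_equals($this->computeHash($this->buildUrl($url, $params)), $hash);`. The enclosing method starts outside the hunk. The `symfony/polyfill-php56` addition in composer.json is consistent with `hash_equals()` being a PHP 5.6 function on a branch that still supports 5.5.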
@@ -18,3 +18,7 @@
 Prevent-destructors-with-side-effects-from-being-unserial.patch
 HttpFoundation-reject-invalid-method-override.patch
 Workaround-for-DateInterval-createFromDateString.patch
+Drop-failing-tests-with-recent-PHP.patch
+Use-constant-time-comparison-in-UriSigner.patch
+HttpFoundation-fix-guessing-mime-types-of-files-with-lead.patch
+Cache-forbid-serializing-AbstractAdapter-and-TagAwareAdap.patch
diff -Nru symfony-3.4.22+dfsg/debian/source/include-binaries symfony-3.4.22+dfsg/debian/source/include-binaries
--- symfony-3.4.22+dfsg/debian/source/include-binaries 1970-01-01 00:00:00.000000000 +0000
+++ symfony-3.4.22+dfsg/debian/source/include-binaries 2019-11-13 19:10:15.000000000 +0000
@@ -0,0 +1 @@
+debian/patches/HttpFoundation-fix-guessing-mime-types-of-files-with-lead.patch