[Security] Bump symfony/security from 3.3.6 to 3.4.49

[dependabot-preview]

Bumps symfony/security from 3.3.6 to 3.4.49. This update includes security fixes.

Vulnerabilities fixed

Sourced from The PHP Security Advisories Database.

CVE-2018-11385: Session Fixation Issue for Guard Authentication

Affected versions: >=2.0.0, =4.0.0, <4.0.11

Sourced from The PHP Security Advisories Database.

CVE-2018-11406: CSRF Token Fixation

Affected versions: >=2.0.0, =4.0.0, <4.0.11

Sourced from The PHP Security Advisories Database.

CVE-2018-11407: Unauthorized access on a misconfigured LDAP server when using an empty password

Affected versions: >=2.8.0, =4.0.0, <4.0.11

Sourced from The PHP Security Advisories Database.

CVE-2018-11407: Unauthorized access on a misconfigured LDAP server when using an empty password

Affected versions: >=2.8.0, =4.0.0, <4.0.7

Sourced from The PHP Security Advisories Database.

CVE-2017-16652: Open redirect vulnerability on security handlers

Affected versions: >=2.7.0, =3.3.0, <3.3.13

Sourced from The PHP Security Advisories Database.

CVE-2018-19790: Open Redirect Vulnerability on login

Affected versions: >=2.7.38, =4.2.0, <4.2.1

Sourced from The PHP Security Advisories Database.

CVE-2017-16653: CSRF protection does not use different tokens for HTTP and HTTPS

Affected versions: >=2.7.0, =3.3.0, <3.3.13

Sourced from The PHP Security Advisories Database.

CVE-2021-21424: Prevent user enumeration via response content in authentication mechanisms

Affected versions: >=2.8.0, =5.2.0, <5.2.8

Sourced from The PHP Security Advisories Database.

CVE-2018-11385: Session Fixation Issue for Guard Authentication

Affected versions: >=2.0.0, =4.0.0, <4.0.11

Sourced from The PHP Security Advisories Database.

CVE-2018-11406: CSRF Token Fixation

Affected versions: >=2.0.0, =4.0.0, <4.0.11

Sourced from The PHP Security Advisories Database.

CVE-2021-21424: Prevent user enumeration via response content in authentication mechanisms

Affected versions: >=2.8.0, =4.4.0, <4.4.23

Sourced from The PHP Security Advisories Database.

CVE-2021-21424: Prevent user enumeration via response content in authentication mechanisms

Affected versions: >=2.8.0, =4.4.0, <4.4.24

Sourced from The PHP Security Advisories Database.

CVE-2019-10911: Add a separator in the remember me cookie hash

Affected versions: >=2.7.0, =4.2.0, <4.2.7

Release notes

Sourced from symfony/security's releases.

v3.4.49

Changelog (symfony/security@v3.4.48...v3.4.49)

• no significant changes

v3.4.48

Changelog (symfony/security@v3.4.47...v3.4.48)

• no significant changes

v3.4.47

Changelog (symfony/security@v3.4.46...v3.4.47)

• no changes

v3.4.46

Changelog (symfony/security@v3.4.45...v3.4.46)

• no changes

v3.4.45

Changelog (symfony/security@v3.4.44...v3.4.45)

• no changes

v3.4.44

Changelog (symfony/security@v3.4.43...v3.4.44)

• no changes

v3.4.43

Changelog (symfony/security@v3.4.42...v3.4.43)

• no changes

v3.4.42

Changelog (symfony/security@v3.4.41...v3.4.42)

• no changes

v3.4.41

Changelog (symfony/security@v3.4.40...v3.4.41)

• bug #36974 Fixed handling of CSRF logout error (wouterj)

v3.4.40

Changelog (symfony/security@v3.4.39...v3.4.40)

• bug #36498 fix escape for username in LdapBindAuthenticationProvider.php (stoccc)
• bug #36252 Allow setting cookie security settings for delete_cookies (wouterj)

... (truncated)

Changelog

Sourced from symfony/security's changelog.

CHANGELOG

4.4.0

• Deprecated class LdapUserProvider, use Symfony\Component\Ldap\Security\LdapUserProvider instead
• Added method needsRehash() to PasswordEncoderInterface and UserPasswordEncoderInterface
• Added MigratingPasswordEncoder
• Added and implemented PasswordUpgraderInterface, for opportunistic password migrations
• Added Guard\PasswordAuthenticatedInterface, an optional interface for "guard" authenticators that deal with user passwords
• Marked all dispatched event classes as @final
• Deprecated returning a non-boolean value when implementing Guard\AuthenticatorInterface::checkCredentials().
• Deprecated passing more than one attribute to AccessDecisionManager::decide() and AuthorizationChecker::isGranted()
• Added new argon2id encoder, undeprecated the bcrypt and argon2i ones (using auto is still recommended by default.)
• Added AbstractListener which replaces the deprecated ListenerInterface

4.3.0

• Added methods __serialize and __unserialize to the TokenInterface
• Added SodiumPasswordEncoder and NativePasswordEncoder
• The Role and SwitchUserRole classes are deprecated and will be removed in 5.0. Use strings for roles instead.
• The getReachableRoles() method of the RoleHierarchyInterface is deprecated and will be removed in 5.0. Role hierarchies must implement the getReachableRoleNames() method instead and return roles as strings.
• The getRoles() method of the TokenInterface is deprecated. Tokens must implement the getRoleNames() method instead and return roles as strings.
• Made the serialize() and unserialize() methods of AbstractToken and AuthenticationException final, use __serialize()/__unserialize() instead
• AuthenticationException doesn't implement Serializable anymore
• Deprecated the ListenerInterface, turn your listeners into callables instead
• Deprecated Firewall::handleRequest(), use Firewall::callListeners() instead
• Dispatch AuthenticationSuccessEvent on security.authentication.success
• Dispatch AuthenticationFailureEvent on security.authentication.failure
• Dispatch InteractiveLoginEvent on security.interactive_login
• Dispatch SwitchUserEvent on security.switch_user
• Deprecated Argon2iPasswordEncoder, use SodiumPasswordEncoder instead
• Deprecated BCryptPasswordEncoder, use NativePasswordEncoder instead
• Added DeauthenticatedEvent dispatched in case the user has changed when trying to refresh the token

4.2.0

• added the is_granted() function in security expressions
• deprecated the has_role() function in security expressions, use is_granted() instead
• Passing custom class names to the Symfony\Component\Security\Core\Authentication\AuthenticationTrustResolver to define custom anonymous and remember me token classes is deprecated. To

... (truncated)

Commits

• ac1af40 [Security\Core] Fix user enumeration via response body on invalid credentials
• 06dbfe4 [Security][Guard] Prevent user enumeration via response content
• 7f92437 minor #38848 Missing translations for Chinese (zh_TW) #38733 (fd6130)
• d283d9d Missing translations for Chinese (zh_TW) #38733
• 46f91cf Missing translations for Chinese (zh_CN) #38732
• fb09526 minor #38830 [Security] Add missing translations for Ukrainian (uk) (Comrade42)
• 8172d7a minor #38835 [Translation] added missing Albanian translations (abame)
• 461d1ae [Translation] added missing Albanian translations
• f645825 minor #38834 [Form, Security, Validator] Add missing Turkish translations (tr...
• fe0bb0a [Form, Security, Validator] Add missing Turkish translations (tr)
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
• @dependabot use these labels will set the current labels as the default for future PRs for this repo and language
• @dependabot use these reviewers will set the current reviewers as the default for future PRs for this repo and language
• @dependabot use these assignees will set the current assignees as the default for future PRs for this repo and language
• @dependabot use this milestone will set the current milestone as the default for future PRs for this repo and language
• @dependabot badge me will comment on this PR with code to add a "Dependabot enabled" badge to your readme

Additionally, you can set the following in your Dependabot dashboard:

• Update frequency (including time of day and day of week)
• Pull request limits (per update run and/or open at any time)
• Automerge options (never/patch/minor, and dev/runtime dependencies)
• Out-of-range updates (receive only lockfile updates, if desired)
• Security updates (receive only security updates, if desired)