Package: src:guzzle
Source: guzzle
Submitter: Salvatore Bonaccorso
Date: 2022-06-16 19:09:03 UTC
Severity: grave
Tags:
Hi,

The following vulnerabilities were published for guzzle.

CVE-2022-31042[0]:
| Guzzle is an open source PHP HTTP client. In affected versions the
| `Cookie` headers on requests are sensitive information. On making a
| request using the `https` scheme to a server which responds with a
| redirect to a URI with the `http` scheme, or on making a request to a
| server which responds with a redirect to a URI to a different host,
| we should not forward the `Cookie` header on. Prior to this fix, only
| cookies that were managed by our cookie middleware would be safely
| removed, and any `Cookie` header manually added to the initial request
| would not be stripped. We now always strip it, and allow the cookie
| middleware to re-add any cookies that it deems should be there.
| Affected Guzzle 7 users should upgrade to Guzzle 7.4.4 as soon as
| possible. Affected users using any earlier series of Guzzle should
| upgrade to Guzzle 6.5.7 or 7.4.4. Users unable to upgrade may consider
| an alternative approach to use your own redirect middleware, rather
| than ours. If you do not require or expect redirects to be followed,
| one should simply disable redirects altogether.

CVE-2022-31043[1]:
| Guzzle is an open source PHP HTTP client. In affected versions
| `Authorization` headers on requests are sensitive information. On
| making a request using the `https` scheme to a server which responds
| with a redirect to a URI with the `http` scheme, we should not forward
| the `Authorization` header on. This is much the same as to how we
| don't forward on the header if the host changes. Prior to this fix,
| `https` to `http` downgrades did not result in the `Authorization`
| header being removed, only changes to the host. Affected Guzzle 7
| users should upgrade to Guzzle 7.4.4 as soon as possible. Affected
| users using any earlier series of Guzzle should upgrade to Guzzle
| 6.5.7 or 7.4.4. Users unable to upgrade may consider an alternative
| approach which would be to use their own redirect middleware.
| Alternately users may simply disable redirects altogether if
| redirects are not expected or required.

If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2022-31042
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-31042
    https://github.com/guzzle/guzzle/security/advisories/GHSA-f2wf-25xc-69c9
[1] https://security-tracker.debian.org/tracker/CVE-2022-31043
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-31043
    https://github.com/guzzle/guzzle/security/advisories/GHSA-w248-ffj2-4v5q
[2] https://github.com/guzzle/guzzle/commit/e3ff079b22820c2029d4c2a87796b6a0b8716ad8

Regards,
Salvatore
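The two advisories above describe one redirect policy: drop `Authorization` when the redirect target changes host or downgrades `https` to `http`, and always drop a manually set `Cookie` header so that the cookie jar alone decides which cookies the redirected request carries. The following is an added example, not Guzzle's code and not from the bug report: a small Python model of that policy, useful for anyone writing the "own redirect middleware" the advisories suggest as a workaround. The cookie jar is a constructed stand-in for cookie middleware (a dict of host to (name, value, secure) tuples), and the URLs and header values in the demo are made up.

```python
"""Model of the redirect header-stripping rule behind CVE-2022-31042/31043.

Constructed example, not Guzzle's implementation. It applies the policy the
advisories describe when a client follows a 3xx redirect:
  * Authorization is dropped on a host change or an https -> http downgrade.
  * A Cookie header set by the caller is always dropped; cookies are rebuilt
    from the jar for the target host, honouring the Secure attribute so that
    a cookie set over https is not replayed over plain http (RFC 6265).
"""
from urllib.parse import urlsplit


def _scheme_and_host(url):
    """Return (scheme, hostname) normalised to lower case."""
    parts = urlsplit(url)
    return parts.scheme.lower(), (parts.hostname or "").lower()


def is_downgrade(from_url, to_url):
    """True when the redirect moves the request from https to plain http."""
    return _scheme_and_host(from_url)[0] == "https" and _scheme_and_host(to_url)[0] == "http"


def host_changed(from_url, to_url):
    """True when the redirect target lives on a different host."""
    return _scheme_and_host(from_url)[1] != _scheme_and_host(to_url)[1]


def must_drop_authorization(from_url, to_url):
    """Post-fix rule: host change OR scheme downgrade strips Authorization.
    (Before 7.4.4 / 6.5.7 only the host change did.)"""
    return host_changed(from_url, to_url) or is_downgrade(from_url, to_url)


def cookie_header_for(cookie_jar, to_url):
    """Serialise jar cookies for the target host; Secure cookies only over https.

    cookie_jar is a constructed stand-in for cookie middleware:
    {hostname: [(name, value, secure), ...]}
    """
    scheme, host = _scheme_and_host(to_url)
    pairs = [
        f"{name}={value}"
        for name, value, secure in cookie_jar.get(host, ())
        if scheme == "https" or not secure
    ]
    return "; ".join(pairs)


def redirect_headers(headers, from_url, to_url, cookie_jar=None):
    """Build the header set for the request that follows the redirect.

    headers  -- headers of the request that received the 3xx response
    from_url -- URL of that request
    to_url   -- resolved Location target
    """
    drop = {"cookie"}  # always rebuilt from the jar, never forwarded verbatim
    if must_drop_authorization(from_url, to_url):
        drop.add("authorization")

    out = {name: value for name, value in headers.items() if name.lower() not in drop}

    if cookie_jar:
        cookie = cookie_header_for(cookie_jar, to_url)
        if cookie:
            out["Cookie"] = cookie
    return out


if __name__ == "__main__":
    # Constructed sample request and jar.
    headers = {"Authorization": "Bearer t0ken", "Cookie": "manual=1", "Accept": "application/json"}
    jar = {"example.com": [("session", "abc", True), ("lang", "en", False)]}
    for target in ("https://example.com/b", "http://example.com/b", "https://other.example/b"):
        print(target, "->", redirect_headers(headers, "https://example.com/a", target, jar))
```

Same-host, same-scheme redirects keep `Authorization` and get the full jar; an `https` to `http` redirect on the same host loses `Authorization` and every Secure cookie; a cross-host redirect loses both headers entirely. The hand-set `manual=1` cookie never survives a redirect, which is exactly the behaviour the 7.4.4 fix introduced for headers added outside the cookie middleware.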
Hello Salvatore, thanks for the hint. I had already pushed 7.4.3 and now added 7.4.4 at https://salsa.debian.org/php-team/pear/php-guzzlehttp-guzzle but I can't upload. Someone else has to do that. Regards Katharina
Hi Katharina, Thanks for the status update. I guess you already reached out to your previous upload sponsor or another php-team / pear team member with upload rights? Regards, Salvatore
----- Forwarded message from Debian FTP Masters <ftpmaster@ftp-master.debian.org> -----
Format: 1.8
Date: Thu, 16 Jun 2022 18:22:39 +0200
Source: guzzle
Architecture: source
Version: 7.4.4-1
Distribution: sid
Urgency: medium
Maintainer: Katharina Drexel <katharina.drexel@bfh.ch>
Changed-By: Katharina Drexel <katharina.drexel@bfh.ch>
Closes: 1011636
Changes:
guzzle (7.4.4-1) sid; urgency=medium
.
* Upgrading to 7.4.4 because of cookie injection leak (Closes: #1011636)
[CVE-2022-31042, CVE-2022-31043]
* Adding test folder to debian.
* Adapting debian/rules to the salsa standard.
* Optimizing watchfile.
* Adding some more files which have to be cleaned.
* Adding gbp config file.
* Adding upstream/metadata and signing key.
* Adding newer standards version.
* debian/control: Correcting Vcs* paths.
* debian/control: Break should also be valid for Debian-replace.
Checksums-Sha1:
265ea1e07cd3cd6883be9d59c5285827d89d9c75 1974 guzzle_7.4.4-1.dsc
4f86ade754a2662ffc786786a06015ccbc6b5c1f 442168 guzzle_7.4.4.orig.tar.xz
a696912feb69845ede4aad02506cc58b0b64e776 3904 guzzle_7.4.4-1.debian.tar.xz
ef8405bf0dd26a364064043abbceb0857c3b45c6 6610 guzzle_7.4.4-1_amd64.buildinfo
Checksums-Sha256:
3c1252264c615bdb1a5041169824167829b1ff73357b9967bb43004db2b277a2 1974 guzzle_7.4.4-1.dsc
4fadb0a717e5a93beb340df52c6a4ec7767550ebee5cc15871396956d106398c 442168 guzzle_7.4.4.orig.tar.xz
3e7f0fd7324e71304f34f014ab21b69cf6a8188f0aceb5c6c4eb4a6f6117c888 3904 guzzle_7.4.4-1.debian.tar.xz
8825ad217c1a6bf66c24a6ad7ba3c117f07cccbcaa96ea1fab60f7f1caedda59 6610 guzzle_7.4.4-1_amd64.buildinfo
Files:
8bcde26fa9ea06d12ae7093d89eeb66a 1974 php optional guzzle_7.4.4-1.dsc
6440e249aa0738aa80d9b3c4c131180b 442168 php optional guzzle_7.4.4.orig.tar.xz
df5c9dfec9e2e6fc6da9eb8cf04b3cb9 3904 php optional guzzle_7.4.4-1.debian.tar.xz
31ae8ff8c4616bebd02f525a4c16038e 6610 php optional guzzle_7.4.4-1_amd64.buildinfo
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
----- End forwarded message -----