- Package:
- src:guzzle
- Source:
- guzzle
- Submitter:
- Moritz Mühlenhoff
- Date:
- 2022-07-18 06:36:05 UTC
- Severity:
- grave
- Tags:
Hi,

The following vulnerabilities were published for guzzle.

CVE-2022-31090[0]:
| Guzzle, an extensible PHP HTTP client. `Authorization` headers on requests are sensitive information. In affected versions when using our Curl handler, it is possible to use the `CURLOPT_HTTPAUTH` option to specify an `Authorization` header. On making a request which responds with a redirect to a URI with a different origin (change in host, scheme or port), if we choose to follow it, we should remove the `CURLOPT_HTTPAUTH` option before continuing, stopping curl from appending the `Authorization` header to the new request. Affected Guzzle 7 users should upgrade to Guzzle 7.4.5 as soon as possible. Affected users using any earlier series of Guzzle should upgrade to Guzzle 6.5.8 or 7.4.5. Note that a partial fix was implemented in Guzzle 7.4.2, where a change in host would trigger removal of the curl-added Authorization header; however, this earlier fix did not cover change in scheme or change in port. If you do not require or expect redirects to be followed, one should simply disable redirects altogether. Alternatively, one can specify to use the Guzzle stream handler backend, rather than curl.

https://github.com/guzzle/guzzle/security/advisories/GHSA-25mq-v84q-4j7r
https://github.com/guzzle/guzzle/commit/1dd98b0564cb3f6bd16ce683cb755f94c10fbd82 (7.4.5)

CVE-2022-31091[1]:
| Guzzle, an extensible PHP HTTP client. `Authorization` and `Cookie` headers on requests are sensitive information. In affected versions on making a request which responds with a redirect to a URI with a different port, if we choose to follow it, we should remove the `Authorization` and `Cookie` headers from the request, before continuing. Previously, we would only consider a change in host or scheme. Affected Guzzle 7 users should upgrade to Guzzle 7.4.5 as soon as possible. Affected users using any earlier series of Guzzle should upgrade to Guzzle 6.5.8 or 7.4.5. Note that a partial fix was implemented in Guzzle 7.4.2, where a change in host would trigger removal of the curl-added Authorization header; however, this earlier fix did not cover change in scheme or change in port. An alternative approach would be to use your own redirect middleware, rather than ours, if you are unable to upgrade. If you do not require or expect redirects to be followed, one should simply disable redirects altogether.

https://github.com/guzzle/guzzle/security/advisories/GHSA-q559-8m2m-g699
https://github.com/guzzle/guzzle/commit/1dd98b0564cb3f6bd16ce683cb755f94c10fbd82 (7.4.5)

If you fix the vulnerabilities please also make sure to include the CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2022-31090
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-31090
[1] https://security-tracker.debian.org/tracker/CVE-2022-31091
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-31091

Please adjust the affected versions in the BTS as needed.
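The two advisories above turn on one check: whether a redirect target is a different origin, where origin means the scheme, host and port together, and not just the host as in the partial 7.4.2 fix. The following is an added example, written for this page and not taken from Guzzle, that models the client-side decision in Python with constructed request and response dicts so it runs offline. The `curl_options` key and the `CURLOPT_HTTPAUTH` entry in it are a stand-in for the curl handler option the first advisory mentions, not a real curl binding; the URLs and header values are made up. The comparison normalizes the effective port, so an implicit `https://host` and an explicit `https://host:443` count as the same origin and credentials are kept, while a hop from 443 to 8443 on the same host strips them.

```python
"""Credential stripping on cross-origin redirects.

Added example modelled on the behaviour described in the Guzzle 7.4.5
advisories (CVE-2022-31090 / CVE-2022-31091).  This is not Guzzle code;
requests, responses and curl options are plain dicts constructed inline.
"""
from __future__ import annotations

from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}
# Headers Guzzle drops on an origin change (CVE-2022-31091).
SENSITIVE_HEADERS = frozenset({"authorization", "cookie"})
# Stand-in for the curl handler option that must also be dropped (CVE-2022-31090).
SENSITIVE_CURL_OPTIONS = frozenset({"CURLOPT_HTTPAUTH"})


def origin(url: str) -> tuple[str, str, int | None]:
    """Return (scheme, host, effective port); an absent port takes the scheme default."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    port = parts.port if parts.port is not None else DEFAULT_PORTS.get(scheme)
    return scheme, parts.hostname or "", port


def origin_changed(from_url: str, to_url: str) -> bool:
    """Full check: any change in scheme, host or port counts (7.4.5 behaviour)."""
    return origin(from_url) != origin(to_url)


def host_changed(from_url: str, to_url: str) -> bool:
    """The partial 7.4.2 check: host only, so scheme and port changes slip through."""
    return origin(from_url)[1] != origin(to_url)[1]


def prepare_redirect(request: dict, location: str, check=origin_changed) -> dict:
    """Build the follow-up request, stripping credentials when `check` says the origin moved."""
    headers = dict(request["headers"])
    curl_opts = dict(request.get("curl_options", {}))
    if check(request["url"], location):
        headers = {k: v for k, v in headers.items() if k.lower() not in SENSITIVE_HEADERS}
        curl_opts = {k: v for k, v in curl_opts.items() if k not in SENSITIVE_CURL_OPTIONS}
    return {"url": location, "headers": headers, "curl_options": curl_opts}


def follow(request: dict, responses: dict, max_redirects: int = 5, check=origin_changed) -> dict:
    """Walk a constructed redirect chain; `responses` maps URL -> (status, Location or None).

    Returns the request as it would be sent to the final, non-redirecting URL.
    """
    for _ in range(max_redirects):
        status, location = responses[request["url"]]
        if status not in (301, 302, 303, 307, 308) or location is None:
            return request
        request = prepare_redirect(request, location, check)
    raise RuntimeError("too many redirects")


# Constructed sample: the API on 443 bounces the client to port 8443 on the same host.
SAMPLE_REQUEST = {
    "url": "https://api.example.com/v1/me",
    "headers": {
        "Authorization": "Bearer s3cr3t",
        "Cookie": "session=abc",
        "Accept": "application/json",
    },
    "curl_options": {"CURLOPT_HTTPAUTH": "CURLAUTH_BASIC"},
}
SAMPLE_RESPONSES = {
    "https://api.example.com/v1/me": (302, "https://api.example.com:8443/v1/me"),
    "https://api.example.com:8443/v1/me": (200, None),
}

if __name__ == "__main__":
    fixed = follow(SAMPLE_REQUEST, SAMPLE_RESPONSES)
    partial = follow(SAMPLE_REQUEST, SAMPLE_RESPONSES, check=host_changed)
    print("full origin check :", sorted(fixed["headers"]), fixed["curl_options"])
    print("host-only check   :", sorted(partial["headers"]), partial["curl_options"])
```

Running it shows the difference between the two checks on the same chain: with the full origin comparison only `Accept` survives the hop to port 8443 and the curl auth option is gone, whereas the host-only comparison forwards the bearer token, the cookie and `CURLOPT_HTTPAUTH` to the new port. A same-origin redirect (for example `https://api.example.com/a` to `https://api.example.com/b`) keeps every header in both modes.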
Hi,

thanks for the hints. I pushed a new version in the repo (https://salsa.debian.org/php-team/pear/php-guzzlehttp-guzzle).

TBD: someone should upload it in the debian repo.

Bye
Katharina
Hi Katharina,

Debian versions for 7.4.5: 7.4.5-1 and 7.4.5-2. It does not seem 7.4.5-1 has been uploaded yet, could you merge both of them to be 7.4.5-1?

Best,
Andrius
Hi Katharina,

On Thu, Jul 07, 2022 at 10:56:06AM +0200, Katharina Drexel wrote:
[…]

request, or even better, actually set the list as Maintainers so everyone is made aware of the bug (before receiving hundreds of autoremoval warnings).

The current repository is a mess, can you properly set up gbp please?

Regards
David
We believe that the bug you reported is fixed in the latest version of
guzzle, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 1014492@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Katharina Drexel <katharina.drexel@bfh.ch> (supplier of updated guzzle package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)
Format: 1.8
Date: Thu, 07 Jul 2022 09:27:40 +0200
Source: guzzle
Architecture: source
Version: 7.4.5-1
Distribution: unstable
Urgency: medium
Maintainer: Katharina Drexel <katharina.drexel@bfh.ch>
Changed-By: Katharina Drexel <katharina.drexel@bfh.ch>
Closes: 1014492
Changes:
guzzle (7.4.5-1) unstable; urgency=medium
.
* Upgrading to 7.4.5 because of patch concerning removing authorization and
cookie headers
(Closes: #1014492)
[CVE-2022-31091, CVE-2022-31090]
* d/watch: removing typo.
* d/gbp.conf: Adopting vcs-tag to upstream tar name.
Checksums-Sha1:
d615bfab542111888257f13bb4186d5fbe26f441 2028 guzzle_7.4.5-1.dsc
92c322fea60df38b61f5e77764b6757d76e22792 442472 guzzle_7.4.5.orig.tar.xz
e0e043ccf355224009d59d9d2850dcdefc5497ab 5004 guzzle_7.4.5-1.debian.tar.xz
7dc16199d3a47ba8e2f02def189032fe1355c294 7060 guzzle_7.4.5-1_source.buildinfo
Checksums-Sha256:
fdb72e07f08344ede5d404d6ba60e8281640b5218e149381d78a2747a2eb2110 2028 guzzle_7.4.5-1.dsc
16b2bc258de380028d0838346e724f398e604113096b502e4bb73e65da12f587 442472 guzzle_7.4.5.orig.tar.xz
1725d2ab512b0bcbe65db7b24027fff21deaac4519e9c563c059fb800fd06e36 5004 guzzle_7.4.5-1.debian.tar.xz
4d8ea9baff9ff6c16db108d4400cb8d7e1347509ff828a42b060cf453d800870 7060 guzzle_7.4.5-1_source.buildinfo
Files:
97e8109cfa78b6ed9fd4f8a0ea9d39c7 2028 php optional guzzle_7.4.5-1.dsc
79e4477b81483b98160321640164ce30 442472 php optional guzzle_7.4.5.orig.tar.xz
6849957874d14e6adafe98751fe3f7d4 5004 php optional guzzle_7.4.5-1.debian.tar.xz
a7ba5ef4e8f015c7bb69b66d29a5ffa2 7060 php optional guzzle_7.4.5-1_source.buildinfo
-----BEGIN PGP SIGNATURE-----
iQJGBAEBCgAwFiEEdyKS9veshfrgQdQe5fQ/nCc08ocFAmLU+YgSHG1lcmt5c0Bk
ZWJpYW4ub3JnAAoJEOX0P5wnNPKHkE4P/3UdfaS/SAyWJg5jnmh1LNd4eH0+TDCZ
ZkOdLpoLoij8jr57nWb48BdoFQKQ96W1YMIPVIb86AD0ezKZ/AA8slWw40PQwiHm
5wecW60QESrCl+Qn8T4WhTQkeDYUxtQeo7oaWIGS0qylzoMuZSgfGr+4JZueZtPJ
z31yEawmwWhoNR+cFU7q1ytTNTkUP1abEvgWvpBtQdBg5UirbvkAn+mwrRImcU0W
Vk5m/avjQ1JIum1Q8+nHdyZ9+Oh48+UDTr+ll5ImTvYL+WFglcb4ZvYIJ99Wu+Tq
9zF9p1i5Tb8BDrNRun3bnZIWAp0ZB3WGLmfxKfDJfv/ufRtEXEkRiPclNc3eBlWc
aoI5XfWwY0OH1cuaiGoY79qINTJIybwg4U92ZxdME3nm3/Q9Z4Y+d6NxX1DYnrho
N2ViKDqyYfiWd/Wfw1DQrCUg3wUCQpx9L+4stzzTrVm9mcNg/fcWOnBAtrjPwhmY
97TVpPT9soAE+rHcqMy1bvInzXIWnQt3oOaimcI4MOZnlRdb82P1MAyTUOxL9/tt
kt2bWJ9rGtVLI3g7tvuZxndnR8zPxphnSzADoVCt1ep8TECbWwPNMOlwyktci6ol
GYZguaq07e/psbBJlVsCs//L7TQ/WX6CcTVmyYSSvnrnRu5blWYCHk6H0ABy/Cvf
In2kZZP08kxy
=54b+
-----END PGP SIGNATURE-----