Hello Salvatore, thanks for the hint. I had already pushed 7.4.3 and now added 7.4.4 at https://salsa.debian.org/php-team/pear/php-guzzlehttp-guzzle but I can't upload. Someone else has to do that.
Regards
Katharina

On Tuesday, 2022-06-14, 22:11:55 (GMT +0200), Salvatore Bonaccorso wrote:
> Source: guzzle
> Version: 7.4.1-1
> Severity: grave
> Tags: security upstream
> X-Debbugs-Cc: car...@debian.org, Debian Security Team <t...@security.debian.org>
>
> Hi,
>
> The following vulnerabilities were published for guzzle.
>
> CVE-2022-31042[0]:
> | Guzzle is an open source PHP HTTP client. In affected versions the
> | `Cookie` headers on requests are sensitive information. On making a
> | request using the `https` scheme to a server which responds with a
> | redirect to a URI with the `http` scheme, or on making a request to a
> | server which responds with a redirect to a URI to a different host,
> | we should not forward the `Cookie` header on. Prior to this fix, only
> | cookies that were managed by our cookie middleware would be safely
> | removed, and any `Cookie` header manually added to the initial request
> | would not be stripped. We now always strip it, and allow the cookie
> | middleware to re-add any cookies that it deems should be there.
> | Affected Guzzle 7 users should upgrade to Guzzle 7.4.4 as soon as
> | possible. Affected users using any earlier series of Guzzle should
> | upgrade to Guzzle 6.5.7 or 7.4.4. Users unable to upgrade may consider
> | an alternative approach to use your own redirect middleware, rather
> | than ours. If you do not require or expect redirects to be followed,
> | one should simply disable redirects all together.
>
>
> CVE-2022-31043[1]:
> | Guzzle is an open source PHP HTTP client. In affected versions
> | `Authorization` headers on requests are sensitive information. On
> | making a request using the `https` scheme to a server which responds
> | with a redirect to a URI with the `http` scheme, we should not forward
> | the `Authorization` header on. This is much the same as to how we
> | don't forward on the header if the host changes. Prior to this fix,
> | `https` to `http` downgrades did not result in the `Authorization`
> | header being removed, only changes to the host. Affected Guzzle 7
> | users should upgrade to Guzzle 7.4.4 as soon as possible. Affected
> | users using any earlier series of Guzzle should upgrade to Guzzle
> | 6.5.7 or 7.4.4. Users unable to upgrade may consider an alternative
> | approach which would be to use their own redirect middleware.
> | Alternately users may simply disable redirects all together if
> | redirects are not expected or required.
>
>
> If you fix the vulnerabilities please also make sure to include the
> CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.
>
> For further information see:
>
> [0] https://security-tracker.debian.org/tracker/CVE-2022-31042
>     https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-31042
>     https://github.com/guzzle/guzzle/security/advisories/GHSA-f2wf-25xc-69c9
> [1] https://security-tracker.debian.org/tracker/CVE-2022-31043
>     https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-31043
>     https://github.com/guzzle/guzzle/security/advisories/GHSA-w248-ffj2-4v5q
> [2] https://github.com/guzzle/guzzle/commit/e3ff079b22820c2029d4c2a87796b6a0b8716ad8
>
> Regards,
> Salvatore

-- 
Berner Fachhochschule / Bern University of Applied Sciences
IT-Services / Team Linux & Infrastructure Services
Katharina Drexel
IT System Engineer
___________________________________________________________
Dammweg 3, CH-3013 Bern
Phone direct +41 31 848 48 87
Phone service desk +41 31 848 48 48
katharina.dre...@bfh.ch
https://bfh.ch
https://bfh.science
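The redirect rule the two advisories describe, written out as an added Python model rather than Guzzle's own PHP code: sensitive headers are dropped on an https-to-http downgrade or a host change, with the pre-fix Authorization rule kept for contrast. Function names, sample URLs and headers are constructed for this example, and ports are ignored when comparing hosts (an assumption of the example).

```python
from urllib.parse import urljoin, urlsplit

# Headers the fixed Guzzle strips on a sensitive redirect (CVE-2022-31042/31043).
SENSITIVE_HEADERS = ("cookie", "authorization")


def _split(original_url, location):
    """Resolve a possibly relative Location header against the original URL
    and return (source, destination) URL parts."""
    return urlsplit(original_url), urlsplit(urljoin(original_url, location))


def host_changed(original_url, location):
    """True when the redirect target is on a different host (port ignored;
    that simplification is this example's assumption)."""
    src, dst = _split(original_url, location)
    return (src.hostname or "").lower() != (dst.hostname or "").lower()


def is_downgrade(original_url, location):
    """True when an https request is redirected to a plain-http URI."""
    src, dst = _split(original_url, location)
    return src.scheme.lower() == "https" and dst.scheme.lower() == "http"


def should_strip_sensitive_headers(original_url, location):
    """Fixed rule: drop Cookie and Authorization on a downgrade or host change."""
    return is_downgrade(original_url, location) or host_changed(original_url, location)


def authorization_stripped_before_fix(original_url, location):
    """Pre-fix rule from CVE-2022-31043: Authorization was dropped only when
    the host changed, so an https->http redirect to the same host kept it."""
    return host_changed(original_url, location)


def headers_for_redirect(original_url, location, headers):
    """Return the headers to send on the follow-up request under the fixed rule.
    A cookie middleware may later re-add cookies it considers valid for the target."""
    if not should_strip_sensitive_headers(original_url, location):
        return dict(headers)
    return {k: v for k, v in headers.items() if k.lower() not in SENSITIVE_HEADERS}


if __name__ == "__main__":
    # Constructed sample request headers; the token and cookie are placeholders.
    sample = {"Authorization": "Bearer constructed-token",
              "Cookie": "session=constructed", "User-Agent": "example-client"}
    print(headers_for_redirect("https://api.example.org/v1", "http://api.example.org/v1", sample))
```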