Hi, thanks for the hints. I pushed a new version in the repo (https://salsa.debian.org/php-team/pear/php-guzzlehttp-guzzle). TBD: someone should upload it to the Debian repo.
Bye
Katharina

On Wednesday, 2022-07-06, 23:03:18 (GMT +0200), Moritz Mühlenhoff wrote:
> Source: guzzle
> X-Debbugs-CC: t...@security.debian.org
> Severity: grave
> Tags: security
>
> Hi,
>
> The following vulnerabilities were published for guzzle.
>
> CVE-2022-31090[0]:
> | Guzzle, an extensible PHP HTTP client. `Authorization` headers on
> | requests are sensitive information. In affected versions when using
> | our Curl handler, it is possible to use the `CURLOPT_HTTPAUTH` option
> | to specify an `Authorization` header. On making a request which
> | responds with a redirect to a URI with a different origin (change in
> | host, scheme or port), if we choose to follow it, we should remove the
> | `CURLOPT_HTTPAUTH` option before continuing, stopping curl from
> | appending the `Authorization` header to the new request. Affected
> | Guzzle 7 users should upgrade to Guzzle 7.4.5 as soon as possible.
> | Affected users using any earlier series of Guzzle should upgrade to
> | Guzzle 6.5.8 or 7.4.5. Note that a partial fix was implemented in
> | Guzzle 7.4.2, where a change in host would trigger removal of the
> | curl-added Authorization header, however this earlier fix did not
> | cover change in scheme or change in port. If you do not require or
> | expect redirects to be followed, one should simply disable redirects
> | altogether. Alternatively, one can specify to use the Guzzle stream
> | handler backend, rather than curl.
>
> https://github.com/guzzle/guzzle/security/advisories/GHSA-25mq-v84q-4j7r
> https://github.com/guzzle/guzzle/commit/1dd98b0564cb3f6bd16ce683cb755f94c10fbd82 (7.4.5)
>
> CVE-2022-31091[1]:
> | Guzzle, an extensible PHP HTTP client. `Authorization` and `Cookie`
> | headers on requests are sensitive information. In affected versions on
> | making a request which responds with a redirect to a URI with a
> | different port, if we choose to follow it, we should remove the
> | `Authorization` and `Cookie` headers from the request, before
> | continuing. Previously, we would only consider a change in host or
> | scheme. Affected Guzzle 7 users should upgrade to Guzzle 7.4.5 as soon
> | as possible. Affected users using any earlier series of Guzzle should
> | upgrade to Guzzle 6.5.8 or 7.4.5. Note that a partial fix was
> | implemented in Guzzle 7.4.2, where a change in host would trigger
> | removal of the curl-added Authorization header, however this earlier
> | fix did not cover change in scheme or change in port. An alternative
> | approach would be to use your own redirect middleware, rather than
> | ours, if you are unable to upgrade. If you do not require or expect
> | redirects to be followed, one should simply disable redirects
> | altogether.
>
> https://github.com/guzzle/guzzle/security/advisories/GHSA-q559-8m2m-g699
> https://github.com/guzzle/guzzle/commit/1dd98b0564cb3f6bd16ce683cb755f94c10fbd82 (7.4.5)
>
>
> If you fix the vulnerabilities please also make sure to include the
> CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.
>
> For further information see:
>
> [0] https://security-tracker.debian.org/tracker/CVE-2022-31090
>     https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-31090
> [1] https://security-tracker.debian.org/tracker/CVE-2022-31091
>     https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-31091
>
> Please adjust the affected versions in the BTS as needed.
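The origin check the two advisories describe, as an added illustration (not Guzzle's own middleware code): the partial 7.4.2 fix compared only the host, while 7.4.5 treats any change in scheme, host or port as a new origin and drops `Authorization` and `Cookie` before following the redirect. Function names, the header values and the `*.example` URIs are constructed for the example; default-port normalisation (443 for https, 80 for http) is an assumption about what "same origin" should mean.

```php
<?php
declare(strict_types=1);

// Default ports so that https://a.example and https://a.example:443 compare equal.
const DEFAULT_PORTS = ['http' => 80, 'https' => 443];

/** Reduce an absolute URI to its origin triple: [scheme, host, port]. */
function originOf(string $uri): array
{
    $p = parse_url($uri);
    if ($p === false || !isset($p['scheme'], $p['host'])) {
        throw new InvalidArgumentException("Not an absolute URI: $uri");
    }
    $scheme = strtolower($p['scheme']);
    $host   = strtolower($p['host']);
    $port   = $p['port'] ?? (DEFAULT_PORTS[$scheme] ?? null);
    return [$scheme, $host, $port];
}

/** Partial fix (7.4.2): only a host change counted as leaving the origin. */
function hostOnlyChanged(string $from, string $to): bool
{
    return originOf($from)[1] !== originOf($to)[1];
}

/** Full fix (7.4.5): any change in scheme, host or port is a new origin. */
function originChanged(string $from, string $to): bool
{
    return originOf($from) !== originOf($to);
}

/** Headers to send on the redirected request: strip credentials on origin change. */
function headersForRedirect(array $headers, string $from, string $to): array
{
    if (originChanged($from, $to)) {
        unset($headers['Authorization'], $headers['Cookie']);
    }
    return $headers;
}

// Constructed sample: one redirect per kind of origin change, plus a same-origin case.
$headers = ['Authorization' => 'Bearer <placeholder>', 'Cookie' => 'sid=<placeholder>', 'Accept' => '*/*'];
$cases = [
    ['https://api.example/v1', 'https://api.example:443/v2'],  // same origin
    ['https://api.example/v1', 'http://api.example/v2'],       // scheme change
    ['https://api.example/v1', 'https://api.example:8443/v2'], // port change
    ['https://api.example/v1', 'https://other.example/v2'],    // host change
];
foreach ($cases as [$from, $to]) {
    printf("%s -> %s | host-only: %s | full: %s | sent: %s\n", $from, $to,
        hostOnlyChanged($from, $to) ? 'strip' : 'keep',
        originChanged($from, $to) ? 'strip' : 'keep',
        implode(',', array_keys(headersForRedirect($headers, $from, $to))));
}
```

The scheme-change and port-change rows show why the host-only comparison was insufficient: those redirects keep the credentials under the partial fix and drop them under the full one.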