Your message dated Mon, 18 Jul 2022 06:34:07 +0000
with message-id <e1odkkv-000ch2...@fasolo.debian.org>
and subject line Bug#1014492: fixed in guzzle 7.4.5-1
has caused the Debian Bug report #1014492,
regarding guzzle: CVE-2022-31090 CVE-2022-31091
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
1014492: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1014492
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: guzzle
X-Debbugs-CC: t...@security.debian.org
Severity: grave
Tags: security

Hi,

The following vulnerabilities were published for guzzle.

CVE-2022-31090[0]:
| Guzzle, an extensible PHP HTTP client. `Authorization` headers on
| requests are sensitive information. In affected versions when using
| our Curl handler, it is possible to use the `CURLOPT_HTTPAUTH` option
| to specify an `Authorization` header. On making a request which
| responds with a redirect to a URI with a different origin (change in
| host, scheme or port), if we choose to follow it, we should remove the
| `CURLOPT_HTTPAUTH` option before continuing, stopping curl from
| appending the `Authorization` header to the new request. Affected
| Guzzle 7 users should upgrade to Guzzle 7.4.5 as soon as possible.
| Affected users using any earlier series of Guzzle should upgrade to
| Guzzle 6.5.8 or 7.4.5. Note that a partial fix was implemented in
| Guzzle 7.4.2, where a change in host would trigger removal of the
| curl-added Authorization header, however this earlier fix did not
| cover change in scheme or change in port. If you do not require or
| expect redirects to be followed, one should simply disable redirects
| altogether. Alternatively, one can specify to use the Guzzle stream
| handler backend, rather than curl.

https://github.com/guzzle/guzzle/security/advisories/GHSA-25mq-v84q-4j7r
https://github.com/guzzle/guzzle/commit/1dd98b0564cb3f6bd16ce683cb755f94c10fbd82
 (7.4.5)

CVE-2022-31091[1]:
| Guzzle, an extensible PHP HTTP client. `Authorization` and `Cookie`
| headers on requests are sensitive information. In affected versions on
| making a request which responds with a redirect to a URI with a
| different port, if we choose to follow it, we should remove the
| `Authorization` and `Cookie` headers from the request, before
| continuing. Previously, we would only consider a change in host or
| scheme. Affected Guzzle 7 users should upgrade to Guzzle 7.4.5 as soon
| as possible. Affected users using any earlier series of Guzzle should
| upgrade to Guzzle 6.5.8 or 7.4.5. Note that a partial fix was
| implemented in Guzzle 7.4.2, where a change in host would trigger
| removal of the curl-added Authorization header, however this earlier
| fix did not cover change in scheme or change in port. An alternative
| approach would be to use your own redirect middleware, rather than
| ours, if you are unable to upgrade. If you do not require or expect
| redirects to be followed, one should simply disable redirects
| altogether.

https://github.com/guzzle/guzzle/security/advisories/GHSA-q559-8m2m-g699
https://github.com/guzzle/guzzle/commit/1dd98b0564cb3f6bd16ce683cb755f94c10fbd82
 (7.4.5)

If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2022-31090
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-31090
[1] https://security-tracker.debian.org/tracker/CVE-2022-31091
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-31091

Please adjust the affected versions in the BTS as needed.

--- End Message ---
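Both advisories above come down to one rule: a redirect target that differs from the original request in host, scheme or port is a different origin, and credential-bearing headers must not follow the request there. The block below is an added, stand-alone PHP example (not Guzzle's own redirect middleware, and not code from this bug report) that implements that origin comparison with `parse_url`, applies it to a constructed header set, and contrasts the complete rule with the host-only comparison the report describes for the partial 7.4.2 fix. The function names, the sample URLs and the header values are all invented for illustration.

```php
<?php
// Added example, not Guzzle's code: strip Authorization/Cookie before
// following a redirect whenever host, scheme, or port changes.
declare(strict_types=1);

// Default ports, so https://a.example:443 and https://a.example compare equal.
const DEFAULT_PORTS = ['http' => 80, 'https' => 443];

// Returns [scheme, host, port] for an absolute URL, filling in the default
// port, so that the comparison is by effective origin rather than by text.
function originOf(string $url): array
{
    $parts = parse_url($url);
    if ($parts === false || !isset($parts['scheme'], $parts['host'])) {
        throw new InvalidArgumentException("not an absolute URL: $url");
    }
    $scheme = strtolower($parts['scheme']);
    $host   = strtolower($parts['host']);
    $port   = $parts['port'] ?? (DEFAULT_PORTS[$scheme] ?? null);
    return [$scheme, $host, $port];
}

// True when the redirect target lives on a different origin.
function isCrossOrigin(string $from, string $to): bool
{
    return originOf($from) !== originOf($to);
}

// Builds the header set for the follow-up request. $checks selects which
// origin components are compared: the full rule compares all three; passing
// ['host'] emulates the host-only comparison of the partial 7.4.2 fix.
function headersForRedirect(array $headers, string $from, string $to,
                            array $checks = ['scheme', 'host', 'port']): array
{
    [$fromScheme, $fromHost, $fromPort] = originOf($from);
    [$toScheme,   $toHost,   $toPort]   = originOf($to);

    $changed = (in_array('scheme', $checks, true) && $fromScheme !== $toScheme)
            || (in_array('host',   $checks, true) && $fromHost   !== $toHost)
            || (in_array('port',   $checks, true) && $fromPort   !== $toPort);

    if ($changed) {
        foreach (array_keys($headers) as $name) {
            if (in_array(strtolower($name), ['authorization', 'cookie'], true)) {
                unset($headers[$name]);   // never forward credentials cross-origin
            }
        }
    }
    return $headers;
}

// Constructed sample: an authenticated request that receives a redirect.
$request = [
    'Authorization' => 'Bearer s3cr3t-token',
    'Cookie'        => 'session=abc123',
    'Accept'        => 'application/json',
];
$from = 'https://api.example.com/v1/report';

$cases = [
    'same origin, default port written out' => 'https://api.example.com:443/v1/report.pdf',
    'host change'                           => 'https://attacker.example.net/collect',
    'scheme change (TLS downgrade)'         => 'http://api.example.com/v1/report.pdf',
    'port change only (CVE-2022-31091)'     => 'https://api.example.com:8443/v1/report.pdf',
];

foreach ($cases as $label => $to) {
    $fixed    = headersForRedirect($request, $from, $to);            // full rule
    $hostOnly = headersForRedirect($request, $from, $to, ['host']); // partial fix
    printf("%-40s cross-origin=%-3s full rule keeps auth: %-3s host-only keeps auth: %s\n",
        $label,
        isCrossOrigin($from, $to) ? 'yes' : 'no',
        isset($fixed['Authorization']) ? 'yes' : 'no',
        isset($hostOnly['Authorization']) ? 'yes' : 'no');
}
```

Running it shows the host-only comparison leaking the bearer token on both the scheme-change and the port-change hops, which is exactly the gap between 7.4.2 and 7.4.5 that the two CVEs describe. Note that this header-level stripping is only half of CVE-2022-31090: when credentials were supplied through `CURLOPT_HTTPAUTH` rather than as a request header, curl re-adds `Authorization` itself, so the curl option has to be unset for the cross-origin request as well. If a client does not need redirects, disabling them in the client (Guzzle's `allow_redirects` request option set to `false`) avoids the question entirely.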
--- Begin Message ---
Source: guzzle
Source-Version: 7.4.5-1
Done: Katharina Drexel <katharina.dre...@bfh.ch>

We believe that the bug you reported is fixed in the latest version of
guzzle, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 1014...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Katharina Drexel <katharina.dre...@bfh.ch> (supplier of updated guzzle package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Thu, 07 Jul 2022 09:27:40 +0200
Source: guzzle
Architecture: source
Version: 7.4.5-1
Distribution: unstable
Urgency: medium
Maintainer: Katharina Drexel <katharina.dre...@bfh.ch>
Changed-By: Katharina Drexel <katharina.dre...@bfh.ch>
Closes: 1014492
Changes:
 guzzle (7.4.5-1) unstable; urgency=medium
 .
   * Upgrading to 7.4.5 because of patch concerning removing authorization and
     cookie headers
     (Closes: #1014492)
     [CVE-2022-31091, CVE-2022-31090]
   * d/watch: removing typo.
   * d/gbp.conf: Adopting vcs-tag to upstream tar name.
Checksums-Sha1:
 d615bfab542111888257f13bb4186d5fbe26f441 2028 guzzle_7.4.5-1.dsc
 92c322fea60df38b61f5e77764b6757d76e22792 442472 guzzle_7.4.5.orig.tar.xz
 e0e043ccf355224009d59d9d2850dcdefc5497ab 5004 guzzle_7.4.5-1.debian.tar.xz
 7dc16199d3a47ba8e2f02def189032fe1355c294 7060 guzzle_7.4.5-1_source.buildinfo
Checksums-Sha256:
 fdb72e07f08344ede5d404d6ba60e8281640b5218e149381d78a2747a2eb2110 2028 guzzle_7.4.5-1.dsc
 16b2bc258de380028d0838346e724f398e604113096b502e4bb73e65da12f587 442472 guzzle_7.4.5.orig.tar.xz
 1725d2ab512b0bcbe65db7b24027fff21deaac4519e9c563c059fb800fd06e36 5004 guzzle_7.4.5-1.debian.tar.xz
 4d8ea9baff9ff6c16db108d4400cb8d7e1347509ff828a42b060cf453d800870 7060 guzzle_7.4.5-1_source.buildinfo
Files:
 97e8109cfa78b6ed9fd4f8a0ea9d39c7 2028 php optional guzzle_7.4.5-1.dsc
 79e4477b81483b98160321640164ce30 442472 php optional guzzle_7.4.5.orig.tar.xz
 6849957874d14e6adafe98751fe3f7d4 5004 php optional guzzle_7.4.5-1.debian.tar.xz
 a7ba5ef4e8f015c7bb69b66d29a5ffa2 7060 php optional guzzle_7.4.5-1_source.buildinfo

-----BEGIN PGP SIGNATURE-----

iQJGBAEBCgAwFiEEdyKS9veshfrgQdQe5fQ/nCc08ocFAmLU+YgSHG1lcmt5c0Bk
ZWJpYW4ub3JnAAoJEOX0P5wnNPKHkE4P/3UdfaS/SAyWJg5jnmh1LNd4eH0+TDCZ
ZkOdLpoLoij8jr57nWb48BdoFQKQ96W1YMIPVIb86AD0ezKZ/AA8slWw40PQwiHm
5wecW60QESrCl+Qn8T4WhTQkeDYUxtQeo7oaWIGS0qylzoMuZSgfGr+4JZueZtPJ
z31yEawmwWhoNR+cFU7q1ytTNTkUP1abEvgWvpBtQdBg5UirbvkAn+mwrRImcU0W
Vk5m/avjQ1JIum1Q8+nHdyZ9+Oh48+UDTr+ll5ImTvYL+WFglcb4ZvYIJ99Wu+Tq
9zF9p1i5Tb8BDrNRun3bnZIWAp0ZB3WGLmfxKfDJfv/ufRtEXEkRiPclNc3eBlWc
aoI5XfWwY0OH1cuaiGoY79qINTJIybwg4U92ZxdME3nm3/Q9Z4Y+d6NxX1DYnrho
N2ViKDqyYfiWd/Wfw1DQrCUg3wUCQpx9L+4stzzTrVm9mcNg/fcWOnBAtrjPwhmY
97TVpPT9soAE+rHcqMy1bvInzXIWnQt3oOaimcI4MOZnlRdb82P1MAyTUOxL9/tt
kt2bWJ9rGtVLI3g7tvuZxndnR8zPxphnSzADoVCt1ep8TECbWwPNMOlwyktci6ol
GYZguaq07e/psbBJlVsCs//L7TQ/WX6CcTVmyYSSvnrnRu5blWYCHk6H0ABy/Cvf
In2kZZP08kxy
=54b+
-----END PGP SIGNATURE-----

--- End Message ---