php-slim-psr7: CVE-2023-30536

Related Vulnerabilities: CVE-2023-30536  

Debian Bug report logs - #1034580


Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Tue, 18 Apr 2023 21:15:02 UTC

Severity: important

Tags: security, upstream

Found in version php-slim-psr7/1.6.0-3

Fixed in version php-slim-psr7/1.6.1-1

Done: William Desportes <williamdes@wdes.fr>



Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, William Desportes <williamdes@wdes.fr>:
Bug#1034580; Package src:php-slim-psr7. (Tue, 18 Apr 2023 21:15:03 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, William Desportes <williamdes@wdes.fr>. (Tue, 18 Apr 2023 21:15:03 GMT)


Message #5 received at submit@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: php-slim-psr7: CVE-2023-30536
Date: Tue, 18 Apr 2023 23:12:04 +0200
Source: php-slim-psr7
Version: 1.6.0-3
Severity: important
Tags: security upstream
X-Debbugs-Cc: carnil@debian.org, Debian Security Team <team@security.debian.org>

Hi,

The following vulnerability was published for php-slim-psr7.

CVE-2023-30536[0]:
| slim/psr7 is a PSR-7 implementation for use with Slim 4. In versions
| prior to 1.6.1 an attacker could sneak in a newline (\n) into both the
| header names and values. While the specification states that \r\n\r\n
| is used to terminate the header list, many servers in the wild will
| also accept \n\n. An attacker that is able to control the header names
| that are passed to Slim-Psr7 would be able to intentionally craft
| invalid messages, possibly causing application errors or invalid HTTP
| requests being sent out with a PSR-18 HTTP client. The latter might
| present a denial of service vector if a remote service's web
| application firewall bans the application due to the receipt of
| malformed requests. The issue has been patched in version 1.6.1. There
| are no known workarounds to this issue. Users are advised to upgrade.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2023-30536
    https://www.cve.org/CVERecord?id=CVE-2023-30536
[1] https://github.com/slimphp/Slim-Psr7/security/advisories/GHSA-q2qj-628g-vhfw
[2] https://github.com/slimphp/Slim-Psr7/commit/4fea29e910391b1883de5bf6e84b50f6900355fb

Regards,
Salvatore
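The mechanism behind the advisory quoted in the report above, a header-name or header-value check that lets a trailing "\n" through, is worth seeing in code. The following is an added example and is not code from slim/psr7, from the Debian package or from the reporter; the function names, the constants and the exact regular expressions are this example's own and are assumed to be representative of a typical RFC 7230 whitelist check, not copied from the library (the upstream commit linked as [2] is the authoritative fix). What is not an assumption is the PCRE behaviour it relies on: in preg_match(), "$" also matches immediately before a final newline unless the D modifier is set or \z is used instead.

```php
<?php
declare(strict_types=1);

// Added example, not code from slim/psr7 or the Debian package. It shows how a
// trailing "\n" slips past a header check anchored with "$": in PCRE, "$" also
// matches immediately before a final newline unless the D modifier is set or
// \z is used instead. The function names and regexes are this example's own
// (assumed to be representative, not copied from the library).

// RFC 7230 token characters (header names). "$", "^", "." and "|" are literal
// inside a character class; "-" is placed last so it is literal too.
const TOKEN_CHARS = "!#$%&'*+.^_`|~0-9A-Za-z-";
// Header values: SP, HTAB, visible ASCII and obs-text. CR and LF are excluded.
const VALUE_CHARS = " \t\x21-\x7E\x80-\xFF";

function validHeaderNameWeak(string $name): bool
{
    // Pitfall: "X-Trace\n" passes, because "$" matches before the final LF.
    return preg_match('@^[' . TOKEN_CHARS . ']+$@', $name) === 1;
}

function validHeaderNameStrict(string $name): bool
{
    // \z matches only at the absolute end of the subject, so a trailing LF
    // is outside the class and the match fails.
    return preg_match('@^[' . TOKEN_CHARS . ']+\z@', $name) === 1;
}

function validHeaderValueWeak(string $value): bool
{
    // Same pitfall as above for values: "abc\n" passes.
    return preg_match('@^[' . VALUE_CHARS . ']*$@', $value) === 1;
}

function validHeaderValueStrict(string $value): bool
{
    // Same class; the D (PCRE_DOLLAR_ENDONLY) modifier has the same effect as \z.
    return preg_match('@^[' . VALUE_CHARS . ']*$@D', $value) === 1;
}

/**
 * Serialise one header line the way a simple HTTP client would, after running
 * the supplied checks. With the weak checks a name of "X-Trace\n" is accepted
 * and the wire bytes become "X-Trace\n: 1\r\n"; a server that treats a bare LF
 * as a line terminator then sees a header block the sender never intended.
 */
function headerLine(string $name, string $value, callable $nameOk, callable $valueOk): string
{
    if (!$nameOk($name)) {
        throw new InvalidArgumentException('rejected header name: ' . json_encode($name));
    }
    if (!$valueOk($value)) {
        throw new InvalidArgumentException('rejected header value: ' . json_encode($value));
    }
    return $name . ': ' . $value . "\r\n";
}

// Constructed attacker-controlled inputs: a trailing LF on a name and on a value.
$inputs = ["X-Trace\n" => '1', 'X-Session' => "abc\n"];

foreach ($inputs as $name => $value) {
    printf("weak   name=%s value=%s -> ", json_encode($name), json_encode($value));
    try {
        echo json_encode(headerLine($name, $value, 'validHeaderNameWeak', 'validHeaderValueWeak')), "\n";
    } catch (InvalidArgumentException $e) {
        echo $e->getMessage(), "\n";
    }
    printf("strict name=%s value=%s -> ", json_encode($name), json_encode($value));
    try {
        echo json_encode(headerLine($name, $value, 'validHeaderNameStrict', 'validHeaderValueStrict')), "\n";
    } catch (InvalidArgumentException $e) {
        echo $e->getMessage(), "\n";
    }
}
```

Run it with the PHP CLI. The weak pair lets both constructed inputs through and emits a header line with a bare LF inside it; the strict pair throws on both. The lesson generalises beyond this CVE: any whitelist check on header names or values must anchor with \z or the D modifier, or reject outright when strpbrk($s, "\r\n") finds a CR or LF, and it applies both to the PSR-7 message objects and to whatever PSR-18 client serialises them onto the wire.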



Reply sent to William Desportes <williamdes@wdes.fr>:
You have taken responsibility. (Wed, 19 Apr 2023 09:51:16 GMT)


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Wed, 19 Apr 2023 09:51:16 GMT)


Message #10 received at 1034580-close@bugs.debian.org:

From: Debian FTP Masters <ftpmaster@ftp-master.debian.org>
To: 1034580-close@bugs.debian.org
Subject: Bug#1034580: fixed in php-slim-psr7 1.6.1-1
Date: Wed, 19 Apr 2023 09:49:19 +0000
Source: php-slim-psr7
Source-Version: 1.6.1-1
Done: William Desportes <williamdes@wdes.fr>

We believe that the bug you reported is fixed in the latest version of
php-slim-psr7, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 1034580@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
William Desportes <williamdes@wdes.fr> (supplier of updated php-slim-psr7 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Wed, 19 Apr 2023 10:46:48 +0200
Source: php-slim-psr7
Architecture: source
Version: 1.6.1-1
Distribution: unstable
Urgency: medium
Maintainer: William Desportes <williamdes@wdes.fr>
Changed-By: William Desportes <williamdes@wdes.fr>
Closes: 1034580
Changes:
 php-slim-psr7 (1.6.1-1) unstable; urgency=medium
 .
   * New upstream version 1.6.1 (Closes: #1034580, CVE-2023-30536)
Checksums-Sha1:
 6ccbc60a1582712fdd623ca0619a580e20a98036 2353 php-slim-psr7_1.6.1-1.dsc
 e7832c1293eb651fc516536ddcb89d1a8c218336 34860 php-slim-psr7_1.6.1.orig.tar.xz
 706b6611b5dfa97c2221a215dec7a71a99eba593 14584 php-slim-psr7_1.6.1-1.debian.tar.xz
 a63f36a3ca23f7434d621c0c63e497080687a7b4 8700 php-slim-psr7_1.6.1-1_source.buildinfo
Checksums-Sha256:
 f66e1b073e7297967b0e98598f1fd6b30ca7235cc94eb114696a30221c97dbd6 2353 php-slim-psr7_1.6.1-1.dsc
 6ceec7603f1de6da7e40e7aa84d899af2cd2adf8a3af4ac21a0c894a3c8b2eab 34860 php-slim-psr7_1.6.1.orig.tar.xz
 75cf8b29ee2fb48c56dca279c45f6bce08f4d61ee334faa40333e4f3e02bbed8 14584 php-slim-psr7_1.6.1-1.debian.tar.xz
 8f3dc3789db486f5ab6367cabfe8407ce21b020df68d3d48d4f78613c84033b0 8700 php-slim-psr7_1.6.1-1_source.buildinfo
Files:
 fd784e9970b12715ed3692781f527861 2353 php optional php-slim-psr7_1.6.1-1.dsc
 c5e02f6cbfafcda5aae90ed067c6c33d 34860 php optional php-slim-psr7_1.6.1.orig.tar.xz
 c297ec01ff594d5ead542dbbf941e130 14584 php optional php-slim-psr7_1.6.1-1.debian.tar.xz
 a825892d715268c2c2e2f6dd1445b94d 8700 php optional php-slim-psr7_1.6.1-1_source.buildinfo

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEExNkf3872tKPGU/14kKDvG4JRqIkFAmQ/tBoACgkQkKDvG4JR
qInRlg//Z87vp9k0DO6h8KRBeuuCuJ02sv80s8puRAbRsP7mSJRbTK8AZ6EKYdkz
mevkCVUvh4+zNVvR0MHIarU2UQJOcNDXzncH4oUJom0XTg3djfmXlsLdkdDvP+of
RNfmYuYY5V7zI7C/g6rWwdolduVDNxuMOfaVYW+lrHxWnyZYX6sEMqPRDq+wrLv5
y6aWuAcWwlOZp3+lk5MeXZlBupHt5fUxfqXG74uxLVvCna8A+/yviDIvWtifDG0t
pSF/ZdOehSqSLQycrcGUnudOfyU5qxLcCKIParrlzp9+IToLZL4LjJRH2kpxKP4L
mmy9DoYHZ/nPfPaRrYp56709U1uwvo07vBNBjPn7Ybmmfwb0ec6S82SoXiBEAGOx
Go+IlQMxW6B5wCvT9jGaQjCPUgHPmcL/ptttbvpt7J4fIr/fRn+JUMWQ2Q7jXogn
kar9kBANJw/TqqB3SeBN3MaRavGP0E7xAR6iOQbPUrrYx3QFCskx+LUHTXj+LiP7
mOQuwQsrInDN5DApMoE506GS3i9RIQO3IrDKRlKSmFUFxoSpuYNTCRW1Yg5iacqH
+FVH4ViueWqhV0Pm7jLKN8xSUGBg5IUE59YRiPjHLQ0E6tkTMrlOZtgPJxXz47eY
NKzlfCkf5QTTgj2RedbKTdogR3baOvb8gphhg1dfLhsneZw9Zjs=
=vdDA
-----END PGP SIGNATURE-----






Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Apr 19 13:11:57 2023; Machine Name: buxtehude
