Debian Bug report logs - #1012821
guzzle: CVE-2022-31042 CVE-2022-31043

Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Tue, 14 Jun 2022 20:15:02 UTC

Severity: grave

Tags: security, upstream

Found in version guzzle/7.4.1-1


Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, Katharina Drexel <katharina.drexel@bfh.ch>:
Bug#1012821; Package src:guzzle. (Tue, 14 Jun 2022 20:15:04 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, Katharina Drexel <katharina.drexel@bfh.ch>. (Tue, 14 Jun 2022 20:15:04 GMT)


Message #5 received at submit@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: guzzle: CVE-2022-31042 CVE-2022-31043
Date: Tue, 14 Jun 2022 22:11:55 +0200
Source: guzzle
Version: 7.4.1-1
Severity: grave
Tags: security upstream
X-Debbugs-Cc: carnil@debian.org, Debian Security Team <team@security.debian.org>

Hi,

The following vulnerabilities were published for guzzle.

CVE-2022-31042[0]:
| Guzzle is an open source PHP HTTP client. In affected versions the
| `Cookie` headers on requests are sensitive information. On making a
| request using the `https` scheme to a server which responds with a
| redirect to a URI with the `http` scheme, or on making a request to a
| server which responds with a redirect to a URI to a different host,
| we should not forward the `Cookie` header on. Prior to this fix, only
| cookies that were managed by our cookie middleware would be safely
| removed, and any `Cookie` header manually added to the initial request
| would not be stripped. We now always strip it, and allow the cookie
| middleware to re-add any cookies that it deems should be there.
| Affected Guzzle 7 users should upgrade to Guzzle 7.4.4 as soon as
| possible. Affected users using any earlier series of Guzzle should
| upgrade to Guzzle 6.5.7 or 7.4.4. Users unable to upgrade may consider
| an alternative approach to use your own redirect middleware, rather
| than ours. If you do not require or expect redirects to be followed,
| one should simply disable redirects altogether.


CVE-2022-31043[1]:
| Guzzle is an open source PHP HTTP client. In affected versions
| `Authorization` headers on requests are sensitive information. On
| making a request using the `https` scheme to a server which responds
| with a redirect to a URI with the `http` scheme, we should not forward
| the `Authorization` header on. This is much the same as to how we
| don't forward on the header if the host changes. Prior to this fix,
| `https` to `http` downgrades did not result in the `Authorization`
| header being removed, only changes to the host. Affected Guzzle 7
| users should upgrade to Guzzle 7.4.4 as soon as possible. Affected
| users using any earlier series of Guzzle should upgrade to Guzzle
| 6.5.7 or 7.4.4. Users unable to upgrade may consider an alternative
| approach which would be to use their own redirect middleware.
| Alternately users may simply disable redirects altogether if
| redirects are not expected or required.


If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2022-31042
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-31042
    https://github.com/guzzle/guzzle/security/advisories/GHSA-f2wf-25xc-69c9
[1] https://security-tracker.debian.org/tracker/CVE-2022-31043
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-31043
    https://github.com/guzzle/guzzle/security/advisories/GHSA-w248-ffj2-4v5q
[2] https://github.com/guzzle/guzzle/commit/e3ff079b22820c2029d4c2a87796b6a0b8716ad8

Regards,
Salvatore
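The rule both advisories describe (strip `Cookie` and `Authorization` when a redirect changes host or downgrades https to http, then let the cookie jar put back only what belongs on the new URL), as an added example in Python. This is not Guzzle's PHP code and not part of the bug report; it restates the pre-fix and post-fix behaviour from the advisory text so they can be run side by side. The headers, URLs and cookie-jar entries are constructed, and the jar is a deliberately minimal model (domain and Secure flag only, no path or expiry).

```python
"""Redirect header policy before and after the Guzzle 6.5.7 / 7.4.4 fix.

Added example, not Guzzle code: it restates in Python the rules the two
advisories describe, so the pre-fix and post-fix behaviour can be run side
by side.  The sample headers, URLs and cookie jar below are constructed.
"""
from urllib.parse import urljoin, urlsplit

SENSITIVE = ("authorization", "cookie")


def resolve_location(request_url: str, location: str) -> str:
    """A Location value may be relative; resolve it against the request URL."""
    return urljoin(request_url, location)


def host_changed(src: str, dst: str) -> bool:
    # .hostname is already lower-cased, so this is a case-insensitive compare.
    return urlsplit(src).hostname != urlsplit(dst).hostname


def downgraded(src: str, dst: str) -> bool:
    return urlsplit(src).scheme == "https" and urlsplit(dst).scheme == "http"


def vulnerable_redirect_headers(headers: dict, src: str, location: str) -> dict:
    """Pre-fix behaviour as the advisories describe it: Authorization is dropped
    only when the host changes (CVE-2022-31043), and a Cookie header the caller
    set by hand is never dropped (CVE-2022-31042)."""
    dst = resolve_location(src, location)
    out = dict(headers)
    if host_changed(src, dst):
        out = {k: v for k, v in out.items() if k.lower() != "authorization"}
    return out


def cookies_for(url: str, cookie_jar) -> list:
    """Minimal stand-in for a cookie jar: each entry is (name, value, domain, secure).
    Only cookies whose domain matches the target host, and whose Secure flag is
    satisfied by the target scheme, are sent.  Path and expiry are not modelled."""
    parts = urlsplit(url)
    return [f"{name}={value}" for name, value, domain, secure in cookie_jar
            if domain == parts.hostname and (not secure or parts.scheme == "https")]


def fixed_redirect_headers(headers: dict, src: str, location: str, cookie_jar=()) -> dict:
    """Post-fix behaviour: on a host change or an https->http downgrade both
    headers are stripped, and cookies come back only from the jar, judged
    against the URL actually being redirected to."""
    dst = resolve_location(src, location)
    out = dict(headers)
    if host_changed(src, dst) or downgraded(src, dst):
        out = {k: v for k, v in out.items() if k.lower() not in SENSITIVE}
        eligible = cookies_for(dst, cookie_jar)
        if eligible:
            out["Cookie"] = "; ".join(eligible)
    return out


# Constructed sample: a bearer token and a hand-set session cookie on the first request.
HDRS = {"Authorization": "Bearer tok", "Cookie": "session=abc", "Accept": "*/*"}
SRC = "https://api.example.com/login"
JAR = (("session", "abc", "api.example.com", True),   # Secure cookie for the API host
       ("pref", "dark", "cdn.example.com", False))    # plain cookie for another host


def demo() -> dict:
    """Run the redirect shapes from the advisories through both policies."""
    cases = {
        "downgrade": "http://api.example.com/next",   # same host, https -> http
        "cross-host": "https://evil.example.net/",    # different host
        "same-origin": "/dashboard",                  # relative Location, nothing stripped
        "cross-host-with-jar-cookie": "https://cdn.example.com/a",
    }
    return {name: {"vulnerable": vulnerable_redirect_headers(HDRS, SRC, loc),
                   "fixed": fixed_redirect_headers(HDRS, SRC, loc, JAR)}
            for name, loc in cases.items()}


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}:")
        for policy, hdrs in result.items():
            print(f"  {policy:10s} {hdrs}")
```

The "downgrade" case is the one that distinguishes the two CVEs from earlier hardening: the pre-fix policy sees the same host and forwards both the bearer token and the session cookie over plain http. The "cross-host-with-jar-cookie" case shows why stripping and then re-adding from the jar is the right order: the hand-set session cookie never reaches the other host, while a cookie the jar holds for that host still goes out. In Guzzle itself, the "disable redirects" mitigation the advisory names is the `allow_redirects` request option set to `false`.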



Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#1012821; Package src:guzzle. (Wed, 15 Jun 2022 08:00:03 GMT)


Acknowledgement sent to Katharina Drexel <katharina.drexel@bfh.ch>:
Extra info received and forwarded to list. (Wed, 15 Jun 2022 08:00:03 GMT)


Message #10 received at 1012821@bugs.debian.org:

From: Katharina Drexel <katharina.drexel@bfh.ch>
To: Salvatore Bonaccorso <carnil@debian.org>, <1012821@bugs.debian.org>
Subject: Re: Bug#1012821: guzzle: CVE-2022-31042 CVE-2022-31043
Date: Wed, 15 Jun 2022 09:43:28 +0200
Hello Salvatore,

thanks for the hint. I had already pushed 7.4.3 and now added 7.4.4 at https://salsa.debian.org/php-team/pear/php-guzzlehttp-guzzle
but I can't upload. Someone else has to do that.

Regards
Katharina

On Tuesday, 2022-06-14, 22:11:55 (GMT +0200), Salvatore Bonaccorso wrote:
> Source: guzzle
> Version: 7.4.1-1
> Severity: grave
> Tags: security upstream
> X-Debbugs-Cc: carnil@debian.org, Debian Security Team <team@security.debian.org>
> 
> Hi,
> 
> The following vulnerabilities were published for guzzle.
> 
> CVE-2022-31042[0]:
> | Guzzle is an open source PHP HTTP client. In affected versions the
> | `Cookie` headers on requests are sensitive information. On making a
> | request using the `https` scheme to a server which responds with a
> | redirect to a URI with the `http` scheme, or on making a request to a
> | server which responds with a redirect to a URI to a different host,
> | we should not forward the `Cookie` header on. Prior to this fix, only
> | cookies that were managed by our cookie middleware would be safely
> | removed, and any `Cookie` header manually added to the initial request
> | would not be stripped. We now always strip it, and allow the cookie
> | middleware to re-add any cookies that it deems should be there.
> | Affected Guzzle 7 users should upgrade to Guzzle 7.4.4 as soon as
> | possible. Affected users using any earlier series of Guzzle should
> | upgrade to Guzzle 6.5.7 or 7.4.4. Users unable to upgrade may consider
> | an alternative approach to use your own redirect middleware, rather
> | than ours. If you do not require or expect redirects to be followed,
> | one should simply disable redirects altogether.
> 
> 
> CVE-2022-31043[1]:
> | Guzzle is an open source PHP HTTP client. In affected versions
> | `Authorization` headers on requests are sensitive information. On
> | making a request using the `https` scheme to a server which responds
> | with a redirect to a URI with the `http` scheme, we should not forward
> | the `Authorization` header on. This is much the same as to how we
> | don't forward on the header if the host changes. Prior to this fix,
> | `https` to `http` downgrades did not result in the `Authorization`
> | header being removed, only changes to the host. Affected Guzzle 7
> | users should upgrade to Guzzle 7.4.4 as soon as possible. Affected
> | users using any earlier series of Guzzle should upgrade to Guzzle
> | 6.5.7 or 7.4.4. Users unable to upgrade may consider an alternative
> | approach which would be to use their own redirect middleware.
> | Alternately users may simply disable redirects altogether if
> | redirects are not expected or required.
> 
> 
> If you fix the vulnerabilities please also make sure to include the
> CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.
> 
> For further information see:
> 
> [0] https://security-tracker.debian.org/tracker/CVE-2022-31042
>     https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-31042
>     https://github.com/guzzle/guzzle/security/advisories/GHSA-f2wf-25xc-69c9
> [1] https://security-tracker.debian.org/tracker/CVE-2022-31043
>     https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-31043
>     https://github.com/guzzle/guzzle/security/advisories/GHSA-w248-ffj2-4v5q
> [2] https://github.com/guzzle/guzzle/commit/e3ff079b22820c2029d4c2a87796b6a0b8716ad8
> 
> Regards,
> Salvatore

-- 
Berner Fachhochschule / Bern University of Applied Sciences
IT-Services / Team Linux & Infrastructure Services
Katharina Drexel
IT System Engineer
___________________________________________________________
Dammweg 3, CH-3013 Bern
Telefon direkt +41 31 848 48 87
Telefon Servicedesk +41 31 848 48 48
katharina.drexel@bfh.ch
https://bfh.ch
https://bfh.science
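The bug was found in 7.4.1-1 and the advisories give 6.5.7 and 7.4.4 as the fixed releases. A small check that applies those thresholds to a Debian version string or a composer.lock, as an added example in Python (not Debian or Guzzle tooling, and not part of this bug report). The fixed versions come from the advisories quoted above; the composer.lock excerpt is constructed, and the treatment of a series newer than 7.x as already fixed is an assumption.

```python
"""Flag a Guzzle version the advisories quoted above call affected.

Added example, not Debian or Guzzle tooling.  The fixed versions (6.5.7 for
the 6.x series, 7.4.4 for 7.x) come from the advisories; the composer.lock
excerpt is constructed.
"""
import json
import re

FIXED_6 = (6, 5, 7)
FIXED_7 = (7, 4, 4)


def parse_version(text: str) -> tuple:
    """Accept '7.4.1', 'v7.4.1' or a Debian version such as '7.4.1-1'; only
    the numeric core is compared, so a Debian revision or '+dfsg' suffix is
    ignored."""
    m = re.match(r"v?(\d+)\.(\d+)\.(\d+)", text.strip())
    if not m:
        raise ValueError(f"unrecognised version: {text!r}")
    return tuple(int(x) for x in m.groups())


def is_affected(version: str) -> bool:
    """True when the version predates the fix for its series.  Series older
    than 6.x are affected outright, as the advisories say every earlier
    series needs to move to 6.5.7 or 7.4.4.  A series newer than 7.x is
    assumed to postdate the fix."""
    v = parse_version(version)
    if v[0] >= 7:
        return v < FIXED_7
    if v[0] == 6:
        return v < FIXED_6
    return True


def affected_guzzle_in_lock(lock_json: str) -> list:
    """Scan a composer.lock (runtime and dev sections) for an affected
    guzzlehttp/guzzle entry; returns [(section, version), ...]."""
    lock = json.loads(lock_json)
    hits = []
    for section in ("packages", "packages-dev"):
        for pkg in lock.get(section, []):
            if pkg.get("name") == "guzzlehttp/guzzle" and is_affected(pkg["version"]):
                hits.append((section, pkg["version"]))
    return hits


# Constructed composer.lock excerpt pinning the version this bug was found in.
SAMPLE_LOCK = json.dumps({
    "packages": [
        {"name": "guzzlehttp/guzzle", "version": "7.4.1"},
        {"name": "psr/http-message", "version": "1.0.1"},
    ],
    "packages-dev": [{"name": "phpunit/phpunit", "version": "9.5.20"}],
})

if __name__ == "__main__":
    print("Debian 7.4.1-1 affected:", is_affected("7.4.1-1"))
    print("composer.lock hits:", affected_guzzle_in_lock(SAMPLE_LOCK))
```

Run against a real composer.lock by reading the file into `affected_guzzle_in_lock`; the dev section is scanned too, because a test-only Guzzle still makes outbound requests during CI.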



Information forwarded to debian-bugs-dist@lists.debian.org, Katharina Drexel <katharina.drexel@bfh.ch>:
Bug#1012821; Package src:guzzle. (Wed, 15 Jun 2022 08:24:02 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
Extra info received and forwarded to list. Copy sent to Katharina Drexel <katharina.drexel@bfh.ch>. (Wed, 15 Jun 2022 08:24:02 GMT)


Message #15 received at 1012821@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Katharina Drexel <katharina.drexel@bfh.ch>
Cc: 1012821@bugs.debian.org
Subject: Re: Bug#1012821: guzzle: CVE-2022-31042 CVE-2022-31043
Date: Wed, 15 Jun 2022 10:20:44 +0200
Hi Katharina,

On Wed, Jun 15, 2022 at 09:43:28AM +0200, Katharina Drexel wrote:
> Hello Salvatore,
> 
> thanks for the hint. I had already pushed 7.4.3 and now added 7.4.4
> at https://salsa.debian.org/php-team/pear/php-guzzlehttp-guzzle
> but I can't upload. Someone else has to do that.

Thanks for the status update. 

I guess you already reached out to your previous upload sponsor or
another php-team / pear team member with upload rights?

Regards,
Salvatore




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 15 13:13:54 2022; Machine Name: bembo
