Source: guzzle
Version: 7.4.1-1
Severity: grave
Tags: security upstream
X-Debbugs-Cc: car...@debian.org, Debian Security Team <t...@security.debian.org>

Hi,

The following vulnerabilities were published for guzzle.

CVE-2022-31042[0]:
| Guzzle is an open source PHP HTTP client. In affected versions the
| `Cookie` headers on requests are sensitive information. On making a
| request using the `https` scheme to a server which responds with a
| redirect to a URI with the `http` scheme, or on making a request to a
| server which responds with a redirect to a URI to a different host,
| we should not forward the `Cookie` header on. Prior to this fix, only
| cookies that were managed by our cookie middleware would be safely
| removed, and any `Cookie` header manually added to the initial request
| would not be stripped. We now always strip it, and allow the cookie
| middleware to re-add any cookies that it deems should be there.
| Affected Guzzle 7 users should upgrade to Guzzle 7.4.4 as soon as
| possible. Affected users using any earlier series of Guzzle should
| upgrade to Guzzle 6.5.7 or 7.4.4. Users unable to upgrade may consider
| an alternative approach to use your own redirect middleware, rather
| than ours. If you do not require or expect redirects to be followed,
| one should simply disable redirects altogether.

CVE-2022-31043[1]:
| Guzzle is an open source PHP HTTP client. In affected versions
| `Authorization` headers on requests are sensitive information. On
| making a request using the `https` scheme to a server which responds
| with a redirect to a URI with the `http` scheme, we should not forward
| the `Authorization` header on. This is much the same as to how we
| don't forward on the header if the host changes. Prior to this fix,
| `https` to `http` downgrades did not result in the `Authorization`
| header being removed, only changes to the host. Affected Guzzle 7
| users should upgrade to Guzzle 7.4.4 as soon as possible. Affected
| users using any earlier series of Guzzle should upgrade to Guzzle
| 6.5.7 or 7.4.4. Users unable to upgrade may consider an alternative
| approach which would be to use their own redirect middleware.
| Alternately users may simply disable redirects altogether if
| redirects are not expected or required.

If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2022-31042
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-31042
    https://github.com/guzzle/guzzle/security/advisories/GHSA-f2wf-25xc-69c9
[1] https://security-tracker.debian.org/tracker/CVE-2022-31043
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-31043
    https://github.com/guzzle/guzzle/security/advisories/GHSA-w248-ffj2-4v5q
[2] https://github.com/guzzle/guzzle/commit/e3ff079b22820c2029d4c2a87796b6a0b8716ad8

Regards,
Salvatore
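The header-stripping rule the two advisories describe, written out as an added example in Python (this is not Guzzle's code and not part of the bug report; all function names are my own). It resolves the redirect target, drops `Cookie` unconditionally as the 7.4.4 fix does for CVE-2022-31042, and drops `Authorization` on an `https` to `http` downgrade or a host change as described for CVE-2022-31043. It is a useful reference when reviewing a package's own redirect middleware, or when checking what an older Guzzle actually forwards.

```python
"""Redirect header-stripping policy from the two Guzzle advisories.

Added example, not Guzzle code: this mirrors the rule the advisories
describe (always drop Cookie; drop Authorization on an https->http
downgrade or when the host changes) as plain Python so the decision
can be checked offline, without a network or a PHP runtime.
"""
from urllib.parse import urljoin, urlsplit


def resolve_redirect(original_url: str, location: str) -> str:
    """Resolve a Location header value (absolute or relative) against the
    URL of the request that received the redirect."""
    return urljoin(original_url, location)


def is_downgrade(original_url: str, target_url: str) -> bool:
    """True when an https request is redirected to a plain-http URI."""
    return (urlsplit(original_url).scheme.lower() == "https"
            and urlsplit(target_url).scheme.lower() == "http")


def host_changed(original_url: str, target_url: str) -> bool:
    """True when the redirect leaves the original host (case-insensitive)."""
    original_host = urlsplit(original_url).hostname or ""
    target_host = urlsplit(target_url).hostname or ""
    return original_host.lower() != target_host.lower()


def should_strip_authorization(original_url: str, target_url: str) -> bool:
    """CVE-2022-31043 rule: Authorization must not survive a scheme downgrade
    (the case the fix added) or a host change (already handled before it)."""
    return (is_downgrade(original_url, target_url)
            or host_changed(original_url, target_url))


def headers_for_redirect(original_url: str, location: str, headers: dict) -> tuple:
    """Return (resolved_target_url, headers_to_send) for the follow-up request.

    Cookie is removed unconditionally, as the 7.4.4 fix does for
    CVE-2022-31042; a cookie jar (Guzzle's cookie middleware) is expected to
    re-add whatever cookies actually belong to the target. Authorization
    follows should_strip_authorization(). Header names match case-insensitively.
    """
    target = resolve_redirect(original_url, location)
    strip_auth = should_strip_authorization(original_url, target)
    forwarded = {}
    for name, value in headers.items():
        lowered = name.lower()
        if lowered == "cookie":
            continue
        if lowered == "authorization" and strip_auth:
            continue
        forwarded[name] = value
    return target, forwarded


if __name__ == "__main__":
    # Constructed sample: a request carrying a manually added Cookie header
    # and a bearer token, answered by three different kinds of redirect.
    request_url = "https://api.example.com/login"
    request_headers = {
        "Authorization": "Bearer constructed-token",
        "Cookie": "session=constructed-value",
        "Accept": "application/json",
    }
    for location in ("http://api.example.com/next",   # https -> http downgrade
                     "https://cdn.example.net/next",  # different host
                     "/next"):                        # relative, same origin
        target, forwarded = headers_for_redirect(request_url, location, request_headers)
        print(f"{location:32} -> {target}: forwards {sorted(forwarded)}")
```

The relative `Location` case is the one to watch when auditing a replacement middleware: the target must be resolved against the original URL before the scheme and host are compared, otherwise a bare `/next` looks like a host change (or, depending on the parser, like no host at all) and the comparison is meaningless.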