Source: guzzle
X-Debbugs-CC: t...@security.debian.org
Severity: grave
Tags: security

Hi,

The following vulnerabilities were published for guzzle.

CVE-2022-31090[0]:
| Guzzle, an extensible PHP HTTP client. `Authorization` headers on
| requests are sensitive information. In affected versions when using
| our Curl handler, it is possible to use the `CURLOPT_HTTPAUTH` option
| to specify an `Authorization` header. On making a request which
| responds with a redirect to a URI with a different origin (change in
| host, scheme or port), if we choose to follow it, we should remove the
| `CURLOPT_HTTPAUTH` option before continuing, stopping curl from
| appending the `Authorization` header to the new request. Affected
| Guzzle 7 users should upgrade to Guzzle 7.4.5 as soon as possible.
| Affected users using any earlier series of Guzzle should upgrade to
| Guzzle 6.5.8 or 7.4.5. Note that a partial fix was implemented in
| Guzzle 7.4.2, where a change in host would trigger removal of the
| curl-added Authorization header, however this earlier fix did not
| cover change in scheme or change in port. If you do not require or
| expect redirects to be followed, one should simply disable redirects
| altogether. Alternatively, one can specify to use the Guzzle stream
| handler backend, rather than curl.

https://github.com/guzzle/guzzle/security/advisories/GHSA-25mq-v84q-4j7r
https://github.com/guzzle/guzzle/commit/1dd98b0564cb3f6bd16ce683cb755f94c10fbd82 (7.4.5)

CVE-2022-31091[1]:
| Guzzle, an extensible PHP HTTP client. `Authorization` and `Cookie`
| headers on requests are sensitive information. In affected versions on
| making a request which responds with a redirect to a URI with a
| different port, if we choose to follow it, we should remove the
| `Authorization` and `Cookie` headers from the request, before
| continuing. Previously, we would only consider a change in host or
| scheme. Affected Guzzle 7 users should upgrade to Guzzle 7.4.5 as soon
| as possible. Affected users using any earlier series of Guzzle should
| upgrade to Guzzle 6.5.8 or 7.4.5. Note that a partial fix was
| implemented in Guzzle 7.4.2, where a change in host would trigger
| removal of the curl-added Authorization header, however this earlier
| fix did not cover change in scheme or change in port. An alternative
| approach would be to use your own redirect middleware, rather than
| ours, if you are unable to upgrade. If you do not require or expect
| redirects to be followed, one should simply disable redirects
| altogether.

https://github.com/guzzle/guzzle/security/advisories/GHSA-q559-8m2m-g699
https://github.com/guzzle/guzzle/commit/1dd98b0564cb3f6bd16ce683cb755f94c10fbd82 (7.4.5)

If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2022-31090
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-31090
[1] https://security-tracker.debian.org/tracker/CVE-2022-31091
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-31091

Please adjust the affected versions in the BTS as needed.
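As an added illustration (not Guzzle's own code and not part of the bug report), the stand-alone PHP snippet below models the origin comparison that the 7.4.5 fix performs before a redirect is followed: a change in scheme, host or port drops `Authorization` and `Cookie`, whereas the 7.4.2 partial fix compared only the host. The URLs and header values are constructed samples.

```php
<?php
// Added example, not Guzzle's own code. Models the origin check that the
// 7.4.5 fix applies before following a redirect; sample values are constructed.

function normalizedOrigin(string $url): array
{
    $parts = parse_url($url);
    if ($parts === false || empty($parts['scheme']) || empty($parts['host'])) {
        throw new InvalidArgumentException("Cannot parse URL: $url");
    }
    $scheme = strtolower($parts['scheme']);
    // Fill in the default port so "https://h" and "https://h:443" compare equal.
    $port = $parts['port'] ?? (['http' => 80, 'https' => 443][$scheme] ?? null);
    return [$scheme, strtolower($parts['host']), $port];
}

// Full fix (7.4.5): any of scheme, host or port changing is a new origin.
// Set $hostOnly to true to reproduce the 7.4.2 partial fix, which only
// compared the host and so still forwarded credentials on scheme or port changes.
function originChanged(string $from, string $to, bool $hostOnly = false): bool
{
    [$fromScheme, $fromHost, $fromPort] = normalizedOrigin($from);
    [$toScheme, $toHost, $toPort] = normalizedOrigin($to);
    if ($hostOnly) {
        return $fromHost !== $toHost;
    }
    return $fromScheme !== $toScheme || $fromHost !== $toHost || $fromPort !== $toPort;
}

// Returns the headers that may be carried over to the redirected request.
// With the curl handler, CURLOPT_HTTPAUTH must be unset as well (CVE-2022-31090).
function headersForRedirect(array $headers, string $from, string $to, bool $hostOnly = false): array
{
    if (!originChanged($from, $to, $hostOnly)) {
        return $headers;
    }
    return array_filter($headers, function (string $name): bool {
        return !in_array(strtolower($name), ['authorization', 'cookie'], true);
    }, ARRAY_FILTER_USE_KEY);
}

$headers = ['Authorization' => 'Bearer CONSTRUCTED', 'Cookie' => 'sid=CONSTRUCTED', 'Accept' => 'application/json'];
$from = 'https://api.example.com/login';
foreach (['https://api.example.com/next', 'http://api.example.com/next', 'https://api.example.com:8443/next'] as $to) {
    $kept = array_keys(headersForRedirect($headers, $from, $to));
    $partial = array_keys(headersForRedirect($headers, $from, $to, true));
    printf("%-34s 7.4.5 keeps: %-30s 7.4.2 keeps: %s\n", $to, implode(',', $kept), implode(',', $partial));
}
```

For the same-origin redirect all three headers survive under both versions; for the scheme change and the port change only `Accept` survives under the 7.4.5 logic, while the host-only comparison still carries `Authorization` and `Cookie` across.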