View Issue Details

ID: 0030416
Project: mantisbt
Category: security
View Status: public
Last Update: 2023-08-07 12:12
Reporter: dregad
Assigned To: dregad
Priority: normal
Severity: minor
Reproducibility: N/A
Status: closed
Resolution: fixed
Product Version: 2.25.0
Target Version: 2.25.5
Fixed in Version: 2.25.5
Summary: 0030416: Upgrade guzzlehttp/guzzle from 6.5.5 to 6.5.8
Description

Security fixes:

  • CVE-2022-29248 - cross-domain cookie leakage
  • CVE-2022-31042 - Fix failure to strip the Cookie header on change in host or HTTP downgrade
  • CVE-2022-31043 - Fix failure to strip Authorization header on HTTP downgrade
  • CVE-2022-31090 - CURLOPT_HTTPAUTH option not cleared on change of origin
  • CVE-2022-31091 - Change in port should be considered a change in origin

Dependabot PRs

Tags: No tags attached.

Relationships

related to 0026919 (closed, dregad): Upgrade guzzlehttp/guzzle from 6.5.2 to 6.5.5
related to 0032807 (closed, dregad): Update Guzzle to 7.8.0

Activities

dregad


2022-06-10 10:01

developer   ~0066714

Last edited: 2022-06-10 10:01

New hotfix 6.5.7 released yesterday https://github.com/mantisbt/mantisbt/pull/1823

dregad


2022-06-23 11:10

developer   ~0066782

Last edited: 2022-06-23 11:13

New security release 6.5.8 released a few days ago https://github.com/mantisbt/mantisbt/pull/1827 (fixes CVE-2022-31090, CVE-2022-31091)

Related Changesets

MantisBT: master-2.25 b0b81e2b

2022-05-25 14:16

dependabot[bot]

Committer: dregad


Bump guzzlehttp/guzzle from 6.5.5 to 6.5.6

Bumps [guzzlehttp/guzzle](https://github.com/guzzle/guzzle) from 6.5.5 to 6.5.6.
- [Release notes](https://github.com/guzzle/guzzle/releases)
- [Changelog](https://github.com/guzzle/guzzle/blob/6.5.6/CHANGELOG.md)
- [Commits](https://github.com/guzzle/guzzle/compare/6.5.5...6.5.6)

---
updated-dependencies:
- dependency-name: guzzlehttp/guzzle
  dependency-type: direct:production
...

Fixes 0030416, PR https://github.com/mantisbt/mantisbt/pull/1816

Signed-off-by: dependabot[bot] <support@github.com>
Affected Issues
0030416
mod - composer.lock

MantisBT: master c92ce0f5

2022-06-09 21:18

dependabot[bot]

Committer: dregad


Bump guzzlehttp/guzzle from 6.5.6 to 6.5.7

Bumps [guzzlehttp/guzzle](https://github.com/guzzle/guzzle) from 6.5.6 to 6.5.7.
- [Release notes](https://github.com/guzzle/guzzle/releases)
- [Changelog](https://github.com/guzzle/guzzle/blob/6.5.7/CHANGELOG.md)
- [Commits](https://github.com/guzzle/guzzle/compare/6.5.6...6.5.7)

---
updated-dependencies:
- dependency-name: guzzlehttp/guzzle
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Fixes 0030416, PR https://github.com/mantisbt/mantisbt/pull/1823

Signed-off-by: dependabot[bot] <support@github.com>
Affected Issues
0030416
mod - composer.lock

MantisBT: master-2.25 c9eb4900

2022-06-20 21:15

dependabot[bot]

Committer: dregad


Bump guzzlehttp/guzzle from 6.5.7 to 6.5.8

Bumps [guzzlehttp/guzzle](https://github.com/guzzle/guzzle) from 6.5.7 to 6.5.8.
- [Release notes](https://github.com/guzzle/guzzle/releases)
- [Changelog](https://github.com/guzzle/guzzle/blob/6.5.8/CHANGELOG.md)
- [Commits](https://github.com/guzzle/guzzle/compare/6.5.7...6.5.8)

---
updated-dependencies:
- dependency-name: guzzlehttp/guzzle
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Fixes 0030416, PR https://github.com/mantisbt/mantisbt/pull/1827

Signed-off-by: dependabot[bot] <support@github.com>
Affected Issues
0030416
mod - composer.lock