Bug #97759
Update vulnerable guzzlehttp/guzzle version
Status: Closed
% Done: 100%
Description
guzzlehttp/guzzle must be updated to versions 6.5.7 and 7.4.4, which fix the following security vulnerabilities:
- Failure to strip the Cookie header on change in host or HTTP downgrade
  https://github.com/guzzle/guzzle/security/advisories/GHSA-f2wf-25xc-69c9
- Fix failure to strip Authorization header on HTTP downgrade
  https://github.com/guzzle/guzzle/security/advisories/GHSA-w248-ffj2-4v5q
Since TYPO3 is not affected by the vulnerabilities by default, the update is handled in public.
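An added example, not part of the ticket or of TYPO3: a check of whether an installation's composer.lock already pins guzzlehttp/guzzle at or above the fixed releases named above. The function names and the sample lock content are assumptions made for illustration. Major lines other than 6 and 7 are reported as unknown because the ticket does not cover them.

```python
import json
import re

# Fixed releases named in the ticket, keyed by major version.
FIXED = {6: (6, 5, 7), 7: (7, 4, 4)}
PACKAGE = "guzzlehttp/guzzle"


def parse_version(text):
    """Return (major, minor, patch) for a plain release such as 'v7.4.3', else None."""
    m = re.fullmatch(r"v?(\d+)\.(\d+)\.(\d+)", text.strip())
    return tuple(int(p) for p in m.groups()) if m else None


def classify(version_text):
    """Classify one installed version as 'fixed', 'vulnerable' or 'unknown'."""
    version = parse_version(version_text)
    if version is None or version[0] not in FIXED:
        # dev branches, pre-releases, or a major line the ticket does not cover
        return "unknown"
    return "fixed" if version >= FIXED[version[0]] else "vulnerable"


def audit_lock(lock_text):
    """Return [(section, version, verdict)] for every guzzle entry in a composer.lock."""
    lock = json.loads(lock_text)
    findings = []
    for section in ("packages", "packages-dev"):
        for pkg in lock.get(section) or []:
            if pkg.get("name", "").lower() == PACKAGE:
                version = pkg.get("version", "")
                findings.append((section, version, classify(version)))
    return findings


# Constructed sample lock file (not taken from a real TYPO3 installation).
SAMPLE_LOCK = json.dumps({
    "packages": [
        {"name": "guzzlehttp/guzzle", "version": "7.4.3"},
        {"name": "guzzlehttp/psr7", "version": "2.2.1"},
    ],
    "packages-dev": [],
})

if __name__ == "__main__":
    for section, version, verdict in audit_lock(SAMPLE_LOCK):
        print(f"{section}: {PACKAGE} {version} -> {verdict}")
```

To audit a real project, pass the contents of its composer.lock to audit_lock() in place of SAMPLE_LOCK.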
Updated by Gerrit Code Review over 2 years ago
- Status changed from New to Under Review
Patch set 1 for branch main of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/c/Packages/TYPO3.CMS/+/74876
Updated by Gerrit Code Review over 2 years ago
Patch set 1 for branch 11.5 of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/c/Packages/TYPO3.CMS/+/74878
Updated by Gerrit Code Review over 2 years ago
Patch set 1 for branch 10.4 of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/c/Packages/TYPO3.CMS/+/74879
Updated by Torben Hansen over 2 years ago
- Status changed from Under Review to Resolved
- % Done changed from 0 to 100
Applied in changeset 8cf1f942bd0c9aa631cca723e5cc641bc090d636.