Source: php-guzzlehttp-psr7 Version: 2.4.4-1 Severity: important Tags: security upstream X-Debbugs-Cc: car...@debian.org, Debian Security Team <t...@security.debian.org>
Hi, The following vulnerability was published for php-guzzlehttp-psr7. CVE-2023-29197[0]: | guzzlehttp/psr7 is a PSR-7 HTTP message library implementation in PHP. | Affected versions are subject to improper header parsing. An attacker | could sneak in a newline (\n) into both the header names and values. | While the specification states that \r\n\r\n is used to terminate the | header list, many servers in the wild will also accept \n\n. This is a | follow-up to CVE-2022-24775 where the fix was incomplete. The issue | has been patched in versions 1.9.1 and 2.4.5. There are no known | workarounds for this vulnerability. Users are advised to upgrade. If you fix the vulnerability please also make sure to include the CVE (Common Vulnerabilities & Exposures) id in your changelog entry. For further information see: [0] https://security-tracker.debian.org/tracker/CVE-2023-29197 https://www.cve.org/CVERecord?id=CVE-2023-29197 [1] https://github.com/guzzle/psr7/security/advisories/GHSA-wxmh-65f7-jcvw Please adjust the affected versions in the BTS as needed. Regards, Salvatore
