Source: php-slim-psr7
Version: 1.6.0-3
Severity: important
Tags: security upstream
X-Debbugs-Cc: car...@debian.org, Debian Security Team <t...@security.debian.org>

Hi,

The following vulnerability was published for php-slim-psr7.

CVE-2023-30536[0]:
| slim/psr7 is a PSR-7 implementation for use with Slim 4. In versions
| prior to 1.6.1 an attacker could sneak in a newline (\n) into both the
| header names and values. While the specification states that \r\n\r\n
| is used to terminate the header list, many servers in the wild will
| also accept \n\n. An attacker that is able to control the header names
| that are passed to Slim-Psr7 would be able to intentionally craft
| invalid messages, possibly causing application errors or invalid HTTP
| requests being sent out with a PSR-18 HTTP client. The latter might
| present a denial of service vector if a remote service's web
| application firewall bans the application due to the receipt of
| malformed requests. The issue has been patched in version 1.6.1. There
| are no known workarounds to this issue. Users are advised to upgrade.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2023-30536
    https://www.cve.org/CVERecord?id=CVE-2023-30536
[1] https://github.com/slimphp/Slim-Psr7/security/advisories/GHSA-q2qj-628g-vhfw
[2] https://github.com/slimphp/Slim-Psr7/commit/4fea29e910391b1883de5bf6e84b50f6900355fb

Regards,
Salvatore
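The class of defect described in the advisory is a missing check on the bytes that reach a header name or value. The validator below is an added illustration written for this page, not code from slim/psr7 or from the referenced fix commit; the class and method names are assumed, and the character classes follow RFC 7230 (token characters for names, visible characters plus SP/HTAB and obs-text for values).

```php
<?php
declare(strict_types=1);

// Added example (not slim/psr7 code): reject header names and values that
// carry CR or LF so that a bare "\n" cannot split or terminate the header
// list. Anchoring with \z instead of $ matters: PCRE's $ also matches just
// before a single trailing newline, so /^[...]*$/ would accept "value\n".
final class StrictHeaderValidator
{
    private const NAME_PATTERN  = '/^[A-Za-z0-9!#$%&\'*+\-.^_`|~]+\z/';
    private const VALUE_PATTERN = '/^[ \t\x21-\x7E\x80-\xFF]*\z/';

    /** @throws InvalidArgumentException on CR, LF or any other illegal byte */
    public static function assertValid(string $name, string $value): void
    {
        if (preg_match(self::NAME_PATTERN, $name) !== 1) {
            throw new InvalidArgumentException(
                sprintf('Invalid header name %s', json_encode($name))
            );
        }
        if (preg_match(self::VALUE_PATTERN, $value) !== 1) {
            throw new InvalidArgumentException(
                sprintf('Invalid header value %s', json_encode($value))
            );
        }
    }
}

// Constructed inputs: the first pair is well-formed; the second hides a
// bare "\n" inside the header name; the third ends a value with the "\n\n"
// terminator the advisory says many servers accept; the fourth carries a
// single trailing "\n", the case a $-anchored pattern would let through.
$cases = [
    ['X-Request-Id', 'abc123'],
    ["X-Request-Id\nX-Injected", '1'],
    ['X-Forwarded-Host', "example.test\n\n"],
    ['X-Forwarded-Host', "example.test\n"],
];

foreach ($cases as [$name, $value]) {
    try {
        StrictHeaderValidator::assertValid($name, $value);
        echo 'accepted: ', json_encode([$name => $value]), PHP_EOL;
    } catch (InvalidArgumentException $e) {
        echo 'rejected: ', $e->getMessage(), PHP_EOL;
    }
}
```

Only the first case is accepted; the other three are rejected before they can be serialised into a request, which is the behaviour a PSR-7 implementation needs at the point where caller-supplied names and values enter the message.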