[pkg-php-pear] Bug#1034713: bullseye-pu: package php-guzzlehttp-psr7/1.7.0-1+deb11u2

David Prévot taffit at debian.org
Sat Apr 22 11:17:29 BST 2023


Package: release.debian.org
Severity: normal
Tags: bullseye
User: release.debian.org at packages.debian.org
Usertags: pu
X-Debbugs-Cc: php-guzzlehttp-psr7 at packages.debian.org, team at security.debian.org
Control: affects -1 + src:php-guzzlehttp-psr7

Hi,

[ Reason ]
I’d like to fix an improper input validation [CVE-2023-29197]
filed as #1034581. This is a follow-up from [CVE-2022-24775]
filed as #1008236 that was fixed via a previous point release.
The security team filed those bugs with a non-RC severity, so
I assume they don’t expect to release a DSA for it (as for the
previous main issue), anyway the team is X-D-Cc.

[ Impact ]
It’s a security flaw.

[ Tests ]
The (extended for this fix) upstream testsuite is run at build
time and debci.

[ Risks ]
The code change is fairly trivial, and was cherry-picked from
upstream (their fix for the 1.9 branch).

[ Checklist ]
  [x] *all* changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in (old)stable
  [x] the issue is verified as fixed in unstable

[ Changes ]
It’s just a stricter validation regex.

[ Other info ]
Thanks a lot for your work!

Cheers

taffit
-------------- next part --------------
A non-text attachment was scrubbed...
Name: php-guzzlehttp-psr7.diff
Type: text/x-diff
Size: 4921 bytes
Desc: not available
URL: <http://alioth-lists.debian.net/pipermail/pkg-php-pear/attachments/20230422/1a2c27bd/attachment.diff>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 488 bytes
Desc: not available
URL: <http://alioth-lists.debian.net/pipermail/pkg-php-pear/attachments/20230422/1a2c27bd/attachment.sig>
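An added illustration of the regex-validation weakness class this update tightens, written for this page and not taken from the attached debdiff (the debdiff is the authoritative change): a PCRE `$` anchor without the `D` (dollar-end-only) modifier also matches just before a trailing newline, so a header value ending in "\n" slips past the weaker pattern. The two patterns below are assumptions modelled on upstream guzzlehttp/psr7 header-value checks, not quoted from this message.

```php
<?php
// Added example, not code from the Debian patch or this message.
// Assumption: the header-value character class mirrors the upstream
// guzzlehttp/psr7 check (SP, HTAB, visible ASCII, obs-text bytes).

// Weak form: without `D`, `$` also matches before a final "\n",
// so "value\n" is accepted even though "\n" is outside the class.
const HEADER_VALUE_WEAK = '/^[ \t\x21-\x7E\x80-\xFF]*$/';

// Hardened form: `D` makes `$` match only at the very end of the
// subject, so a trailing newline is rejected like any other byte.
const HEADER_VALUE_STRICT = '/^[ \t\x21-\x7E\x80-\xFF]*$/D';

function isValidHeaderValue(string $value, string $pattern): bool
{
    // preg_match() returns 1 on match, 0 on no match, false on error.
    return preg_match($pattern, $value) === 1;
}

// Constructed samples: a normal value, one with a trailing newline
// (the case the `D` modifier closes), and one with an embedded CRLF
// (already rejected by both forms, since "\r" is outside the class).
$samples = ["text/html", "text/html\n", "text/html\r\nb"];

foreach ($samples as $value) {
    printf(
        "%-20s weak=%-6s strict=%s\n",
        json_encode($value),
        isValidHeaderValue($value, HEADER_VALUE_WEAK) ? 'accept' : 'reject',
        isValidHeaderValue($value, HEADER_VALUE_STRICT) ? 'accept' : 'reject'
    );
}
```

Only the middle sample separates the two patterns: the weak form accepts "text/html\n" while the strict form rejects it, which is the kind of tightening a "stricter validation regex" buys without changing behaviour for well-formed values.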