0030416: Upgrade guzzlehttp/guzzle from 6.5.5 to 6.5.8 - MantisBT

ID	Project	Category	View Status	Date Submitted	Last Update

0030416	mantisbt	security	public	2022-05-28 12:18	2022-06-24 04:05

Reporter	dregad	Assigned To	dregad
Priority	normal	Severity	minor	Reproducibility	N/A
Status	closed	Resolution	fixed
Product Version	2.25.0
Target Version	2.25.5	Fixed in Version	2.25.5

Summary	0030416: Upgrade guzzlehttp/guzzle from 6.5.5 to 6.5.8
Description	Security fixes: CVE-2022-29248 - cross-domain cookie leakage CVE-2022-31042 - Fix failure to strip the Cookie header on change in host or HTTP downgrade CVE-2022-31043 - Fix failure to strip Authorization header on HTTP downgrade CVE-2022-31090 - CURLOPT_HTTPAUTH option not cleared on change of origin CVE-2022-31091 - Change in port should be considered a change in origin Dependabot PRs https://github.com/mantisbt/mantisbt/pull/1816 https://github.com/mantisbt/mantisbt/pull/1823 https://github.com/mantisbt/mantisbt/pull/1827
Tags	No tags attached.

dregad 2022-06-10 10:01 developer ~0066714 Last edited: 2022-06-10 10:01	New hotfix 6.5.7 released yesterday https://github.com/mantisbt/mantisbt/pull/1823

dregad 2022-06-23 11:10 developer ~0066782 Last edited: 2022-06-23 11:13	New security release 6.5.8 released a few days ago https://github.com/mantisbt/mantisbt/pull/1827 (fixes CVE-2022-31090, CVE-2022-31091)

MantisBT: master-2.25 b0b81e2b 2022-05-25 14:16 dependabot[bot] Committer: dregad Details Diff	Bump guzzlehttp/guzzle from 6.5.5 to 6.5.6 Bumps [guzzlehttp/guzzle](https://github.com/guzzle/guzzle) from 6.5.5 to 6.5.6. - [Release notes](https://github.com/guzzle/guzzle/releases) - [Changelog](https://github.com/guzzle/guzzle/blob/6.5.6/CHANGELOG.md) - [Commits](https://github.com/guzzle/guzzle/compare/6.5.5...6.5.6) --- updated-dependencies: - dependency-name: guzzlehttp/guzzle dependency-type: direct:production ... Fixes 0030416, PR https://github.com/mantisbt/mantisbt/pull/1816 Signed-off-by: dependabot[bot] <support@github.com>		Affected Issues 0030416
	mod - composer.lock		Diff File
MantisBT: master c92ce0f5 2022-06-09 21:18 dependabot[bot] Committer: dregad Details Diff	Bump guzzlehttp/guzzle from 6.5.6 to 6.5.7 Bumps [guzzlehttp/guzzle](https://github.com/guzzle/guzzle) from 6.5.6 to 6.5.7. - [Release notes](https://github.com/guzzle/guzzle/releases) - [Changelog](https://github.com/guzzle/guzzle/blob/6.5.7/CHANGELOG.md) - [Commits](https://github.com/guzzle/guzzle/compare/6.5.6...6.5.7) --- updated-dependencies: - dependency-name: guzzlehttp/guzzle dependency-type: direct:production update-type: version-update:semver-patch ... Fixes 0030416, PR https://github.com/mantisbt/mantisbt/pull/1823 Signed-off-by: dependabot[bot] <support@github.com>		Affected Issues 0030416
	mod - composer.lock		Diff File
MantisBT: master-2.25 c9eb4900 2022-06-20 21:15 dependabot[bot] Committer: dregad Details Diff	Bump guzzlehttp/guzzle from 6.5.7 to 6.5.8 Bumps [guzzlehttp/guzzle](https://github.com/guzzle/guzzle) from 6.5.7 to 6.5.8. - [Release notes](https://github.com/guzzle/guzzle/releases) - [Changelog](https://github.com/guzzle/guzzle/blob/6.5.8/CHANGELOG.md) - [Commits](https://github.com/guzzle/guzzle/compare/6.5.7...6.5.8) --- updated-dependencies: - dependency-name: guzzlehttp/guzzle dependency-type: direct:production update-type: version-update:semver-patch ... Fixes 0030416, PR https://github.com/mantisbt/mantisbt/pull/1827 Signed-off-by: dependabot[bot] <support@github.com>		Affected Issues 0030416
	mod - composer.lock		Diff File