jank/ventry

Fork 0

fix(deps): update dependency symfony/http-client to 6.4.* [security] #10

Merged

jank merged 1 commit from renovate/packagist-symfony-http-client-vulnerability into main

2025-08-21 09:11:21 +00:00

Renovate commented

2025-08-21 07:36:08 +00:00

Collaborator

This PR contains the following updates:

Package	Change	Age	Adoption	Passing	Confidence
symfony/http-client (source)	`6.3.` -> `6.4.`

Symfony allows internal address and port enumeration by NoPrivateNetworkHttpClient

CVE-2024-50342 / GHSA-9c3x-r3wp-mgxm

More information

Details

Description

When using the NoPrivateNetworkHttpClient, some internal information is still leaking during host resolution, which leads to possible IP/port enumeration.

Resolution

The NoPrivateNetworkHttpClient now filters blocked IPs earlier to prevent such leaks.

The fisrt patch for this issue is available here for branch 5.4.

The second one is available here for branch 5.4 also.

Credits

We would like to thank Linus Karlsson and Chris Smith for reporting the issue and Nicolas Grekas for providing the fix.

Severity

CVSS Score: 3.1 / 10 (Low)
Vector String: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N

References

This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).

Release Notes

symfony/http-client (symfony/http-client)

`v6.4.15`

Compare Source

Changelog (https://github.com/symfony/http-client/compare/v6.4.14...v6.4.15)

security symfony/symfony#cve-2024-50342 [HttpClient] Resolve hostnames in NoPrivateNetworkHttpClient (@nicolas-grekas)

`v6.4.14`

Compare Source

Changelog (https://github.com/symfony/http-client/compare/v6.4.13...v6.4.14)

security symfony/symfony#cve-2024-50342 [HttpClient] Filter private IPs before connecting when Host == IP (@nicolas-grekas)
bug symfony/symfony#58704 [HttpClient] fix for HttpClientDataCollector fails if proc_open is disabled via php.ini (@ZaneCEO)

`v6.4.13`

Compare Source

Changelog (https://github.com/symfony/http-client/compare/v6.4.12...v6.4.13)

no significant changes

`v6.4.12`

Compare Source

Changelog (https://github.com/symfony/http-client/compare/v6.4.11...v6.4.12)

bug symfony/symfony#58278 [HttpClient] Fix setting CURLMOPT_MAXCONNECTS (@HypeMC)
bug symfony/symfony#58218 Work around parse_url() bug (@nicolas-grekas)

`v6.4.11`

Compare Source

Changelog (https://github.com/symfony/http-client/compare/v6.4.10...v6.4.11)

bug symfony/symfony#58044 [HttpClient] Do not overwrite the host to request when using option "resolve" (@xabbuh)
bug symfony/symfony#57981 [HttpClient] reject malformed URLs with a meaningful exception (@xabbuh)
bug symfony/symfony#57870 [HttpClient] Disable HTTP/2 PUSH by default when using curl (@nicolas-grekas)

`v6.4.10`

Compare Source

Changelog (https://github.com/symfony/http-client/compare/v6.4.9...v6.4.10)

no significant changes

`v6.4.9`

Compare Source

Changelog (https://github.com/symfony/http-client/compare/v6.4.8...v6.4.9)

bug symfony/symfony#57569 [HttpClient][Mailer] Revert "Let curl handle transfer encoding", use HTTP/1.1 for Mailgun (@nicolas-grekas)
bug symfony/symfony#57453 [HttpClient] Fix parsing SSE (@fancyweb)

`v6.4.8`

Compare Source

Changelog (https://github.com/symfony/http-client/compare/v6.4.7...v6.4.8)

bug symfony/symfony#54860 [HttpClient] Revert fixing curl default options (@alexandre-daubois)
bug symfony/symfony#54830 [HttpClient] Fix cURL default options for PHP 8.4 (@alexandre-daubois)

`v6.4.7`

Compare Source

Changelog (https://github.com/symfony/http-client/compare/v6.4.6...v6.4.7)

bug symfony/symfony#54517 [HttpClient] Let curl handle transfer encoding (@michaelhue)
bug symfony/symfony#54242 [HttpClient] [EventSourceHttpClient] Fix consuming SSEs with \r\n separator (@fancyweb)

`v6.4.6`

Compare Source

Changelog (https://github.com/symfony/http-client/compare/v6.4.5...v6.4.6)

bug symfony/symfony#54400 [HttpClient] stop all server processes after tests have run (@xabbuh)
bug symfony/symfony#54207 [HttpClient] Lazily initialize CurlClientState (@arjenm)
bug symfony/symfony#54146 [HttpClient] Preserve float in JsonMockResponse (@Jibbarth)

`v6.4.5`

Compare Source

Changelog (https://github.com/symfony/http-client/compare/v6.4.4...v6.4.5)

bug symfony/symfony#54102 [HttpClient] Fix deprecation on PHP 8.3 (@nicolas-grekas)

`v6.4.4`

Compare Source

Changelog (https://github.com/symfony/http-client/compare/v6.4.3...v6.4.4)

bug symfony/symfony#53889 [HttpClient] Make retry strategy work again (@Nyholm)

`v6.4.3`

Compare Source

Changelog (https://github.com/symfony/http-client/compare/v6.4.2...v6.4.3)

bug symfony/symfony#53671 [HttpClient] Fix pausing responses before they start when using curl (@nicolas-grekas)
bug symfony/symfony#53506 [HttpClient] Fix error chunk creation in passthru (@rmikalkenas)

`v6.4.2`

Compare Source

Changelog (https://github.com/symfony/http-client/compare/v6.4.1...v6.4.2)

bug symfony/symfony#52864 [HttpClient][Mailer][Process] always pass microseconds to usleep as integers (@xabbuh)

`v6.4.0`

Compare Source

Changelog (https://github.com/symfony/http-client/compare/v6.4.0-RC2...v6.4.0)

no significant changes

`v6.3.12`

Compare Source

Changelog (https://github.com/symfony/http-client/compare/v6.3.11...v6.3.12)

bug symfony/symfony#53671 [HttpClient] Fix pausing responses before they start when using curl (@nicolas-grekas)
bug symfony/symfony#53506 [HttpClient] Fix error chunk creation in passthru (@rmikalkenas)

`v6.3.11`

Compare Source

Changelog (https://github.com/symfony/http-client/compare/v6.3.10...v6.3.11)

bug symfony/symfony#52864 [HttpClient][Mailer][Process] always pass microseconds to usleep as integers (@xabbuh)

`v6.3.8`

Compare Source

Changelog (https://github.com/symfony/http-client/compare/v6.3.7...v6.3.8)

bug symfony/symfony#52472 [HttpClient][WebProfilerBundle] Do not generate cURL command when files are uploaded (@MatTheCat)
bug symfony/symfony#52429 [HttpClient] Replace escapeshellarg to prevent overpassing ARG_MAX (@alexandre-daubois)
bug symfony/symfony#52442 Disable the "Copy as cURL" button when the debug info are disabled (@stof)

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

If you want to rebase/retry this PR, check this box

This PR has been generated by Renovate Bot.

This PR contains the following updates: | Package | Change | Age | Adoption | Passing | Confidence | |---|---|---|---|---|---| | [symfony/http-client](https://symfony.com) ([source](https://github.com/symfony/http-client)) | `6.3.*` -> `6.4.*` | [![age](https://developer.mend.io/api/mc/badges/age/packagist/symfony%2fhttp-client/6.4.15?slim=true)](https://docs.renovatebot.com/merge-confidence/) | [![adoption](https://developer.mend.io/api/mc/badges/adoption/packagist/symfony%2fhttp-client/6.4.15?slim=true)](https://docs.renovatebot.com/merge-confidence/) | [![passing](https://developer.mend.io/api/mc/badges/compatibility/packagist/symfony%2fhttp-client/6.3.7/6.4.15?slim=true)](https://docs.renovatebot.com/merge-confidence/) | [![confidence](https://developer.mend.io/api/mc/badges/confidence/packagist/symfony%2fhttp-client/6.3.7/6.4.15?slim=true)](https://docs.renovatebot.com/merge-confidence/) | --- ### Symfony allows internal address and port enumeration by NoPrivateNetworkHttpClient [CVE-2024-50342](https://nvd.nist.gov/vuln/detail/CVE-2024-50342) / [GHSA-9c3x-r3wp-mgxm](https://github.com/advisories/GHSA-9c3x-r3wp-mgxm) <details> <summary>More information</summary> #### Details ##### Description When using the `NoPrivateNetworkHttpClient`, some internal information is still leaking during host resolution, which leads to possible IP/port enumeration. ##### Resolution The `NoPrivateNetworkHttpClient` now filters blocked IPs earlier to prevent such leaks. The fisrt patch for this issue is available [here](https://github.com/symfony/symfony/commit/296d4b34a33b1a6ca5475c6040b3203622520f5b) for branch 5.4. The second one is available [here](https://github.com/symfony/symfony/commit/b4bf5afdbdcb2fd03da513ee03beeabeb551e5fa) for branch 5.4 also. ##### Credits We would like to thank Linus Karlsson and Chris Smith for reporting the issue and Nicolas Grekas for providing the fix. #### Severity - CVSS Score: 3.1 / 10 (Low) - Vector String: `CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N` #### References - [https://github.com/symfony/symfony/security/advisories/GHSA-9c3x-r3wp-mgxm](https://github.com/symfony/symfony/security/advisories/GHSA-9c3x-r3wp-mgxm) - [https://nvd.nist.gov/vuln/detail/CVE-2024-50342](https://nvd.nist.gov/vuln/detail/CVE-2024-50342) - [https://github.com/symfony/symfony/commit/296d4b34a33b1a6ca5475c6040b3203622520f5b](https://github.com/symfony/symfony/commit/296d4b34a33b1a6ca5475c6040b3203622520f5b) - [https://github.com/FriendsOfPHP/security-advisories/blob/master/symfony/http-client/CVE-2024-50342.yaml](https://github.com/FriendsOfPHP/security-advisories/blob/master/symfony/http-client/CVE-2024-50342.yaml) - [https://github.com/FriendsOfPHP/security-advisories/blob/master/symfony/symfony/CVE-2024-50342.yaml](https://github.com/FriendsOfPHP/security-advisories/blob/master/symfony/symfony/CVE-2024-50342.yaml) - [https://github.com/symfony/symfony](https://github.com/symfony/symfony) - [https://symfony.com/cve-2024-50342](https://symfony.com/cve-2024-50342) This data is provided by [OSV](https://osv.dev/vulnerability/GHSA-9c3x-r3wp-mgxm) and the [GitHub Advisory Database](https://github.com/github/advisory-database) ([CC-BY 4.0](https://github.com/github/advisory-database/blob/main/LICENSE.md)). </details> --- ### Release Notes <details> <summary>symfony/http-client (symfony/http-client)</summary> ### [`v6.4.15`](https://github.com/symfony/http-client/releases/tag/v6.4.15) [Compare Source](https://github.com/symfony/http-client/compare/v6.4.14...v6.4.15) **Changelog** (<https://github.com/symfony/http-client/compare/v6.4.14...v6.4.15>) - security symfony/symfony#cve-2024-50342 \[HttpClient] Resolve hostnames in NoPrivateNetworkHttpClient ([@nicolas-grekas](https://github.com/nicolas-grekas)) ### [`v6.4.14`](https://github.com/symfony/http-client/releases/tag/v6.4.14) [Compare Source](https://github.com/symfony/http-client/compare/v6.4.13...v6.4.14) **Changelog** (<https://github.com/symfony/http-client/compare/v6.4.13...v6.4.14>) - security symfony/symfony#cve-2024-50342 \[HttpClient] Filter private IPs before connecting when Host == IP ([@nicolas-grekas](https://github.com/nicolas-grekas)) - bug [symfony/symfony#58704](https://github.com/symfony/symfony/issues/58704) \[HttpClient] fix for HttpClientDataCollector fails if proc\_open is disabled via php.ini ([@ZaneCEO](https://github.com/ZaneCEO)) ### [`v6.4.13`](https://github.com/symfony/http-client/releases/tag/v6.4.13) [Compare Source](https://github.com/symfony/http-client/compare/v6.4.12...v6.4.13) **Changelog** (<https://github.com/symfony/http-client/compare/v6.4.12...v6.4.13>) - no significant changes ### [`v6.4.12`](https://github.com/symfony/http-client/releases/tag/v6.4.12) [Compare Source](https://github.com/symfony/http-client/compare/v6.4.11...v6.4.12) **Changelog** (<https://github.com/symfony/http-client/compare/v6.4.11...v6.4.12>) - bug [symfony/symfony#58278](https://github.com/symfony/symfony/issues/58278) \[HttpClient] Fix setting `CURLMOPT_MAXCONNECTS` ([@HypeMC](https://github.com/HypeMC)) - bug [symfony/symfony#58218](https://github.com/symfony/symfony/issues/58218) Work around `parse_url()` bug ([@nicolas-grekas](https://github.com/nicolas-grekas)) ### [`v6.4.11`](https://github.com/symfony/http-client/releases/tag/v6.4.11) [Compare Source](https://github.com/symfony/http-client/compare/v6.4.10...v6.4.11) **Changelog** (<https://github.com/symfony/http-client/compare/v6.4.10...v6.4.11>) - bug [symfony/symfony#58044](https://github.com/symfony/symfony/issues/58044) \[HttpClient] Do not overwrite the host to request when using option "resolve" ([@xabbuh](https://github.com/xabbuh)) - bug [symfony/symfony#57981](https://github.com/symfony/symfony/issues/57981) \[HttpClient] reject malformed URLs with a meaningful exception ([@xabbuh](https://github.com/xabbuh)) - bug [symfony/symfony#57870](https://github.com/symfony/symfony/issues/57870) \[HttpClient] Disable HTTP/2 PUSH by default when using curl ([@nicolas-grekas](https://github.com/nicolas-grekas)) ### [`v6.4.10`](https://github.com/symfony/http-client/releases/tag/v6.4.10) [Compare Source](https://github.com/symfony/http-client/compare/v6.4.9...v6.4.10) **Changelog** (<https://github.com/symfony/http-client/compare/v6.4.9...v6.4.10>) - no significant changes ### [`v6.4.9`](https://github.com/symfony/http-client/releases/tag/v6.4.9) [Compare Source](https://github.com/symfony/http-client/compare/v6.4.8...v6.4.9) **Changelog** (<https://github.com/symfony/http-client/compare/v6.4.8...v6.4.9>) - bug [symfony/symfony#57569](https://github.com/symfony/symfony/issues/57569) \[HttpClient]\[Mailer] Revert "Let curl handle transfer encoding", use HTTP/1.1 for Mailgun ([@nicolas-grekas](https://github.com/nicolas-grekas)) - bug [symfony/symfony#57453](https://github.com/symfony/symfony/issues/57453) \[HttpClient] Fix parsing SSE ([@fancyweb](https://github.com/fancyweb)) ### [`v6.4.8`](https://github.com/symfony/http-client/releases/tag/v6.4.8) [Compare Source](https://github.com/symfony/http-client/compare/v6.4.7...v6.4.8) **Changelog** (<https://github.com/symfony/http-client/compare/v6.4.7...v6.4.8>) - bug [symfony/symfony#54860](https://github.com/symfony/symfony/issues/54860) \[HttpClient] Revert fixing curl default options ([@alexandre-daubois](https://github.com/alexandre-daubois)) - bug [symfony/symfony#54830](https://github.com/symfony/symfony/issues/54830) \[HttpClient] Fix cURL default options for PHP 8.4 ([@alexandre-daubois](https://github.com/alexandre-daubois)) ### [`v6.4.7`](https://github.com/symfony/http-client/releases/tag/v6.4.7) [Compare Source](https://github.com/symfony/http-client/compare/v6.4.6...v6.4.7) **Changelog** (<https://github.com/symfony/http-client/compare/v6.4.6...v6.4.7>) - bug [symfony/symfony#54517](https://github.com/symfony/symfony/issues/54517) \[HttpClient] Let curl handle transfer encoding ([@michaelhue](https://github.com/michaelhue)) - bug [symfony/symfony#54242](https://github.com/symfony/symfony/issues/54242) \[HttpClient] \[EventSourceHttpClient] Fix consuming SSEs with \r\n separator ([@fancyweb](https://github.com/fancyweb)) ### [`v6.4.6`](https://github.com/symfony/http-client/releases/tag/v6.4.6) [Compare Source](https://github.com/symfony/http-client/compare/v6.4.5...v6.4.6) **Changelog** (<https://github.com/symfony/http-client/compare/v6.4.5...v6.4.6>) - bug [symfony/symfony#54400](https://github.com/symfony/symfony/issues/54400) \[HttpClient] stop all server processes after tests have run ([@xabbuh](https://github.com/xabbuh)) - bug [symfony/symfony#54207](https://github.com/symfony/symfony/issues/54207) \[HttpClient] Lazily initialize CurlClientState ([@arjenm](https://github.com/arjenm)) - bug [symfony/symfony#54146](https://github.com/symfony/symfony/issues/54146) \[HttpClient] Preserve float in JsonMockResponse ([@Jibbarth](https://github.com/Jibbarth)) ### [`v6.4.5`](https://github.com/symfony/http-client/releases/tag/v6.4.5) [Compare Source](https://github.com/symfony/http-client/compare/v6.4.4...v6.4.5) **Changelog** (<https://github.com/symfony/http-client/compare/v6.4.4...v6.4.5>) - bug [symfony/symfony#54102](https://github.com/symfony/symfony/issues/54102) \[HttpClient] Fix deprecation on PHP 8.3 ([@nicolas-grekas](https://github.com/nicolas-grekas)) ### [`v6.4.4`](https://github.com/symfony/http-client/releases/tag/v6.4.4) [Compare Source](https://github.com/symfony/http-client/compare/v6.4.3...v6.4.4) **Changelog** (<https://github.com/symfony/http-client/compare/v6.4.3...v6.4.4>) - bug [symfony/symfony#53889](https://github.com/symfony/symfony/issues/53889) \[HttpClient] Make retry strategy work again ([@Nyholm](https://github.com/Nyholm)) ### [`v6.4.3`](https://github.com/symfony/http-client/releases/tag/v6.4.3) [Compare Source](https://github.com/symfony/http-client/compare/v6.4.2...v6.4.3) **Changelog** (<https://github.com/symfony/http-client/compare/v6.4.2...v6.4.3>) - bug [symfony/symfony#53671](https://github.com/symfony/symfony/issues/53671) \[HttpClient] Fix pausing responses before they start when using curl ([@nicolas-grekas](https://github.com/nicolas-grekas)) - bug [symfony/symfony#53506](https://github.com/symfony/symfony/issues/53506) \[HttpClient] Fix error chunk creation in passthru ([@rmikalkenas](https://github.com/rmikalkenas)) ### [`v6.4.2`](https://github.com/symfony/http-client/releases/tag/v6.4.2) [Compare Source](https://github.com/symfony/http-client/compare/v6.4.0...v6.4.2) **Changelog** (<https://github.com/symfony/http-client/compare/v6.4.1...v6.4.2>) - bug [symfony/symfony#52864](https://github.com/symfony/symfony/issues/52864) \[HttpClient]\[Mailer]\[Process] always pass microseconds to usleep as integers ([@xabbuh](https://github.com/xabbuh)) ### [`v6.4.0`](https://github.com/symfony/http-client/releases/tag/v6.4.0) [Compare Source](https://github.com/symfony/http-client/compare/v6.3.12...v6.4.0) **Changelog** (<https://github.com/symfony/http-client/compare/v6.4.0-RC2...v6.4.0>) - no significant changes ### [`v6.3.12`](https://github.com/symfony/http-client/releases/tag/v6.3.12) [Compare Source](https://github.com/symfony/http-client/compare/v6.3.11...v6.3.12) **Changelog** (<https://github.com/symfony/http-client/compare/v6.3.11...v6.3.12>) - bug [symfony/symfony#53671](https://github.com/symfony/symfony/issues/53671) \[HttpClient] Fix pausing responses before they start when using curl ([@nicolas-grekas](https://github.com/nicolas-grekas)) - bug [symfony/symfony#53506](https://github.com/symfony/symfony/issues/53506) \[HttpClient] Fix error chunk creation in passthru ([@rmikalkenas](https://github.com/rmikalkenas)) ### [`v6.3.11`](https://github.com/symfony/http-client/releases/tag/v6.3.11) [Compare Source](https://github.com/symfony/http-client/compare/v6.3.8...v6.3.11) **Changelog** (<https://github.com/symfony/http-client/compare/v6.3.10...v6.3.11>) - bug [symfony/symfony#52864](https://github.com/symfony/symfony/issues/52864) \[HttpClient]\[Mailer]\[Process] always pass microseconds to usleep as integers ([@xabbuh](https://github.com/xabbuh)) ### [`v6.3.8`](https://github.com/symfony/http-client/releases/tag/v6.3.8) [Compare Source](https://github.com/symfony/http-client/compare/v6.3.7...v6.3.8) **Changelog** (<https://github.com/symfony/http-client/compare/v6.3.7...v6.3.8>) - bug [symfony/symfony#52472](https://github.com/symfony/symfony/issues/52472) \[HttpClient]\[WebProfilerBundle] Do not generate cURL command when files are uploaded ([@MatTheCat](https://github.com/MatTheCat)) - bug [symfony/symfony#52429](https://github.com/symfony/symfony/issues/52429) \[HttpClient] Replace `escapeshellarg` to prevent overpassing `ARG_MAX` ([@alexandre-daubois](https://github.com/alexandre-daubois)) - bug [symfony/symfony#52442](https://github.com/symfony/symfony/issues/52442) Disable the "Copy as cURL" button when the debug info are disabled ([@stof](https://github.com/stof)) </details> --- ### Configuration 📅 **Schedule**: Branch creation - "" (UTC), Automerge - At any time (no schedule defined). 🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied. ♻ **Rebasing**: Whenever PR is behind base branch, or you tick the rebase/retry checkbox. 🔕 **Ignore**: Close this PR and you won't be reminded about this update again. --- - [ ] If you want to rebase/retry this PR, check this box --- This PR has been generated by [Renovate Bot](https://github.com/renovatebot/renovate).

Renovate added 1 commit

2025-08-21 07:36:09 +00:00