fix(deps): update dependency symfony/http-client to 6.4.* [security] #10
No description provided.
This PR contains the following updates:
symfony/http-client: 6.3.* -> 6.4.*
Symfony allows internal address and port enumeration by NoPrivateNetworkHttpClient
CVE-2024-50342 / GHSA-9c3x-r3wp-mgxm
Description
When using the NoPrivateNetworkHttpClient, some internal information is still leaking during host resolution, which leads to possible IP/port enumeration.
Resolution
The NoPrivateNetworkHttpClient now filters blocked IPs earlier to prevent such leaks. The first patch for this issue is available here for branch 5.4. The second one is available here for branch 5.4 also.
Credits
We would like to thank Linus Karlsson and Chris Smith for reporting the issue and Nicolas Grekas for providing the fix.
Severity
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N
This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).
Release Notes
symfony/http-client (symfony/http-client)
v6.4.15: Changelog (https://github.com/symfony/http-client/compare/v6.4.14...v6.4.15)
v6.4.14: Changelog (https://github.com/symfony/http-client/compare/v6.4.13...v6.4.14)
v6.4.13: Changelog (https://github.com/symfony/http-client/compare/v6.4.12...v6.4.13)
v6.4.12: Changelog (https://github.com/symfony/http-client/compare/v6.4.11...v6.4.12)
- CURLMOPT_MAXCONNECTS (@HypeMC)
- parse_url() bug (@nicolas-grekas)
v6.4.11: Changelog (https://github.com/symfony/http-client/compare/v6.4.10...v6.4.11)
v6.4.10: Changelog (https://github.com/symfony/http-client/compare/v6.4.9...v6.4.10)
v6.4.9: Changelog (https://github.com/symfony/http-client/compare/v6.4.8...v6.4.9)
v6.4.8: Changelog (https://github.com/symfony/http-client/compare/v6.4.7...v6.4.8)
v6.4.7: Changelog (https://github.com/symfony/http-client/compare/v6.4.6...v6.4.7)
v6.4.6: Changelog (https://github.com/symfony/http-client/compare/v6.4.5...v6.4.6)
v6.4.5: Changelog (https://github.com/symfony/http-client/compare/v6.4.4...v6.4.5)
v6.4.4: Changelog (https://github.com/symfony/http-client/compare/v6.4.3...v6.4.4)
v6.4.3: Changelog (https://github.com/symfony/http-client/compare/v6.4.2...v6.4.3)
v6.4.2: Changelog (https://github.com/symfony/http-client/compare/v6.4.1...v6.4.2)
v6.4.0: Changelog (https://github.com/symfony/http-client/compare/v6.4.0-RC2...v6.4.0)
v6.3.12: Changelog (https://github.com/symfony/http-client/compare/v6.3.11...v6.3.12)
v6.3.11: Changelog (https://github.com/symfony/http-client/compare/v6.3.10...v6.3.11)
v6.3.8: Changelog (https://github.com/symfony/http-client/compare/v6.3.7...v6.3.8)
- escapeshellarg to prevent overpassing ARG_MAX (@alexandre-daubois)
Configuration
📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR has been generated by Renovate Bot.
c0406c3744 to e147d17147