Page MenuHomePhabricator
Create Task
Maniphest T309377

CVE-2022-29248: Update "guzzlehttp/guzzle" to version 6.5.6
Closed, ResolvedPublicSecurity
Actions

Description

There is a security issue with "guzzlehttp/guzzle" version 6.5.5 which is currently bundeled with MediaWiki LTS version 1.35 (branch REL1_35)

See https://github.com/guzzle/guzzle/security/advisories/GHSA-cwmx-hcrq-mhc3

Apparently this has already been fixed in several branches of the mediawiki-vendor directory. But I couldn't find an open change to the mediawiki repository itself.

This should be fixed in REL1_35 only, as newer branches already have more recent versions of "guzzlehttp/guzzle".

Details

Risk Rating
Low
Author Affiliation
Wikimedia Communities
SubjectRepoBranchLines +/-
Upgrading guzzlehttp/guzzle (6.5.5 => 6.5.6)mediawiki/vendorREL1_35+185 -36
Update "guzzlehttp/guzzle" to version 6.5.6mediawiki/coreREL1_35+1 -1
Customize query in gerrit

Related Objects
Search...

Event Timeline

Osnard created this task.May 27 2022, 7:37 AM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptMay 27 2022, 7:37 AM
Osnard added a comment.May 27 2022, 7:42 AM

I have submitted a patch at https://gerrit.wikimedia.org/r/c/mediawiki/core/+/800615

sbassett closed this task as Resolved.May 27 2022, 2:59 PM
sbassett assigned this task to Osnard.
sbassett triaged this task as Low priority.
sbassett changed Author Affiliation from N/A to Wikimedia Communities.
sbassett changed the visibility from "Custom Policy" to "Public (No Login Required)".
sbassett changed the edit policy from "Custom Policy" to "All Users".
sbassett changed Risk Rating from N/A to Low.
sbassett moved this task from Incoming to Our Part Is Done on the Security-Team board.
sbassett added a project: SecTeam-Processed.
Reedy reopened this task as Open.Jun 24 2022, 8:48 AM
Reedy subscribed.

https://github.com/wikimedia/mediawiki-vendor/blob/e283657/composer.json#L20

Reedy added projects: MW-1.35-release, MediaWiki-Vendor.Jun 24 2022, 8:49 AM
gerritbot added a comment.Jun 24 2022, 8:50 AM

Change 808195 had a related patch set uploaded (by Reedy; author: Reedy):

[mediawiki/vendor@REL1_35] Upgrading guzzlehttp/guzzle (6.5.5 => 6.5.6)

https://gerrit.wikimedia.org/r/808195

gerritbot added a project: Patch-For-Review.Jun 24 2022, 8:50 AM
Reedy added a parent task: T305200: Tracking bug for MediaWiki 1.35.7/1.37.3/1.38.2.Jun 24 2022, 8:51 AM
gerritbot added a comment.Jun 24 2022, 8:52 AM

Change 808195 merged by Reedy:

[mediawiki/vendor@REL1_35] Upgrading guzzlehttp/guzzle (6.5.5 => 6.5.6)

https://gerrit.wikimedia.org/r/808195

Reedy closed this task as Resolved.Jun 24 2022, 8:53 AM

Vendor also needed updating...

Reedy mentioned this in T295175: Have at least one job running REL1_XX with it's appropriate vendor repo.Jun 24 2022, 9:08 AM
Maintenance_bot removed a project: Patch-For-Review.Jun 24 2022, 9:30 AM
Osnard mentioned this in T311384: CVE-2022-31042/CVE-2022-31043/CVE-2022-31090/CVE-2022-31091: Update "guzzlehttp/guzzle" to 6.5.8/7.4.5.Jun 27 2022, 8:32 AM
Reedy renamed this task from Update "guzzlehttp/guzzle" to version 6.5.6 to CVE-2022-29248: Update "guzzlehttp/guzzle" to version 6.5.6.Jun 29 2022, 7:46 PM
Reedy updated the task description. (Show Details)
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL