Page MenuHomePhabricator

CVE-2022-29248: Update "guzzlehttp/guzzle" to version 6.5.6
Closed, ResolvedPublicSecurity


There is a security issue with "guzzlehttp/guzzle" version 6.5.5 which is currently bundeled with MediaWiki LTS version 1.35 (branch REL1_35)


Apparently this has already been fixed in several branches of the mediawiki-vendor directory. But I couldn't find an open change to the mediawiki repository itself.

This should be fixed in REL1_35 only, as newer branches already have more recent versions of "guzzlehttp/guzzle".

Event Timeline

sbassett assigned this task to Osnard.
sbassett triaged this task as Low priority.
sbassett changed Author Affiliation from N/A to Wikimedia Communities.
sbassett changed the visibility from "Custom Policy" to "Public (No Login Required)".
sbassett changed the edit policy from "Custom Policy" to "All Users".
sbassett changed Risk Rating from N/A to Low.
sbassett moved this task from Incoming to Our Part Is Done on the Security-Team board.
sbassett added a project: SecTeam-Processed.

Change 808195 had a related patch set uploaded (by Reedy; author: Reedy):

[mediawiki/vendor@REL1_35] Upgrading guzzlehttp/guzzle (6.5.5 => 6.5.6)

Change 808195 merged by Reedy:

[mediawiki/vendor@REL1_35] Upgrading guzzlehttp/guzzle (6.5.5 => 6.5.6)

Vendor also needed updating...

Reedy renamed this task from Update "guzzlehttp/guzzle" to version 6.5.6 to CVE-2022-29248: Update "guzzlehttp/guzzle" to version 6.5.6.Jun 29 2022, 7:46 PM
Reedy updated the task description. (Show Details)