Page MenuHomePhabricator
Create Task
Maniphest T311384

CVE-2022-31042/CVE-2022-31043/CVE-2022-31090/CVE-2022-31091: Update "guzzlehttp/guzzle" to 6.5.8/7.4.5
Closed, ResolvedPublicBUG REPORT
Actions

Description

There is a security issue with "guzzlehttp/guzzle" in version

  • 6.5.6 which is currently bundled with MediaWiki LTS version 1.35 (branch REL1_35)
  • 7.2.0 which is currently bundled with MediaWiki current stable version 1.37 (branch REL1_37)
  • 7.4.1 which is currently bundled with MediaWiki current stable version 1.38 (branch REL1_38)
  • 7.4.1 which is currently bundled with MediaWiki master

See

Both issues are probably not a threat to MediaWiki, given the way the library is used, yet the library should be updated.

See also T309377

Details

SubjectRepoBranchLines +/-
Update "guzzlehttp/guzzle" to version 7.4.5mediawiki/coreREL1_37+1 -1
Update "guzzlehttp/guzzle" to version 7.4.5mediawiki/coremaster+1 -1
Update "guzzlehttp/guzzle" to version 6.5.8mediawiki/coreREL1_35+1 -1
Update guzzlehttp/*mediawiki/vendorREL1_37+844 -169
Update "guzzlehttp/guzzle" to version 7.4.5mediawiki/coreREL1_38+1 -1
Update guzzlehttp/*mediawiki/vendormaster+1 K -218
Update guzzlehttp/*mediawiki/vendorREL1_35+175 -66
Update guzzlehttp/*mediawiki/vendorREL1_38+1 K -218
Customize query in gerrit

Related Objects
Search...

Event Timeline

Osnard created this task.Jun 27 2022, 8:32 AM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptJun 27 2022, 8:32 AM
gerritbot added a comment.Jun 27 2022, 8:33 AM

Change 808805 had a related patch set uploaded (by Robert Vogel; author: Robert Vogel):

[mediawiki/core@REL1_35] Update "guzzlehttp/guzzle" to version 6.5.8

https://gerrit.wikimedia.org/r/808805

gerritbot added a project: Patch-For-Review.Jun 27 2022, 8:33 AM
Osnard added a comment.Jun 27 2022, 8:39 AM

I have provided patches for REL1_35 (https://gerrit.wikimedia.org/r/c/mediawiki/core/+/808805) and master (https://gerrit.wikimedia.org/r/c/mediawiki/core/+/808806). I can not provide patches to wikimedia/mediawiki-vendor, but I guess this will be done at release time anyways.

Reedy updated the task description. (Show Details)Jun 27 2022, 8:40 AM
In T311384#8028359, @Osnard wrote:

I have provided patches for REL1_35 (https://gerrit.wikimedia.org/r/c/mediawiki/core/+/808805) and master (https://gerrit.wikimedia.org/r/c/mediawiki/core/+/808806). I can not provide patches to wikimedia/mediawiki-vendor, but I guess this will be done at release time anyways.

Thanks! The vendor patches need doing so that the patches to the branches can land. I'll do them now.

Reedy added a comment.Jun 27 2022, 8:43 AM

And it looks like guzzlehttp/psr7 needs some love too...

gerritbot added a comment.Jun 27 2022, 8:44 AM

Change 808807 had a related patch set uploaded (by Reedy; author: Reedy):

[mediawiki/vendor@master] Update guzzlehttp/*

https://gerrit.wikimedia.org/r/808807

gerritbot added a comment.Jun 27 2022, 8:46 AM

Change 808808 had a related patch set uploaded (by Reedy; author: Reedy):

[mediawiki/vendor@REL1_38] Update guzzlehttp/*

https://gerrit.wikimedia.org/r/808808

gerritbot added a comment.Jun 27 2022, 8:50 AM

Change 808809 had a related patch set uploaded (by Reedy; author: Reedy):

[mediawiki/vendor@REL1_35] Update guzzlehttp/*

https://gerrit.wikimedia.org/r/808809

gerritbot added a comment.Jun 27 2022, 8:52 AM

Change 808806 had a related patch set uploaded (by Reedy; author: Robert Vogel):

[mediawiki/core@master] Update "guzzlehttp/guzzle" to version 7.4.5

https://gerrit.wikimedia.org/r/808806

gerritbot added a comment.Jun 27 2022, 8:52 AM

Change 808436 had a related patch set uploaded (by Reedy; author: Robert Vogel):

[mediawiki/core@REL1_38] Update "guzzlehttp/guzzle" to version 7.4.5

https://gerrit.wikimedia.org/r/808436

Reedy added projects: MW-1.35-release, MW-1.37-release, MW-1.38-release.Jun 27 2022, 8:58 AM
gerritbot added a comment.Jun 27 2022, 9:14 AM

Change 808808 merged by Reedy:

[mediawiki/vendor@REL1_38] Update guzzlehttp/*

https://gerrit.wikimedia.org/r/808808

gerritbot added a comment.Jun 27 2022, 9:15 AM

Change 808809 merged by Reedy:

[mediawiki/vendor@REL1_35] Update guzzlehttp/*

https://gerrit.wikimedia.org/r/808809

gerritbot added a comment.Jun 27 2022, 9:31 AM

Change 808807 merged by jenkins-bot:

[mediawiki/vendor@master] Update guzzlehttp/*

https://gerrit.wikimedia.org/r/808807

gerritbot added a comment.Jun 27 2022, 9:53 AM

Change 808840 had a related patch set uploaded (by Reedy; author: Reedy):

[mediawiki/vendor@REL1_37] Update guzzlehttp/*

https://gerrit.wikimedia.org/r/808840

gerritbot added a comment.Jun 27 2022, 9:56 AM

Change 808842 had a related patch set uploaded (by Reedy; author: Robert Vogel):

[mediawiki/core@REL1_37] Update "guzzlehttp/guzzle" to version 7.4.5

https://gerrit.wikimedia.org/r/808842

gerritbot added a comment.Jun 27 2022, 11:35 AM

Change 808436 merged by Reedy:

[mediawiki/core@REL1_38] Update "guzzlehttp/guzzle" to version 7.4.5

https://gerrit.wikimedia.org/r/808436

gerritbot added a comment.Jun 27 2022, 11:36 AM

Change 808806 merged by Reedy:

[mediawiki/core@master] Update "guzzlehttp/guzzle" to version 7.4.5

https://gerrit.wikimedia.org/r/808806

gerritbot added a comment.Jun 27 2022, 11:40 AM

Change 808805 merged by Reedy:

[mediawiki/core@REL1_35] Update "guzzlehttp/guzzle" to version 6.5.8

https://gerrit.wikimedia.org/r/808805

Reedy closed subtask T311387: Loosen guzzle requirement in MW 1.37 as Resolved.Jun 27 2022, 11:41 AM
gerritbot added a comment.Jun 27 2022, 11:44 AM

Change 808840 merged by Reedy:

[mediawiki/vendor@REL1_37] Update guzzlehttp/*

https://gerrit.wikimedia.org/r/808840

gerritbot added a comment.Jun 27 2022, 11:57 AM

Change 808842 merged by jenkins-bot:

[mediawiki/core@REL1_37] Update "guzzlehttp/guzzle" to version 7.4.5

https://gerrit.wikimedia.org/r/808842

ReleaseTaggerBot added projects: MW-1.38-notes, MW-1.39-notes (1.39.0-wmf.18; 2022-06-27), MW-1.35-notes, MW-1.37-notes.Jun 27 2022, 12:00 PM
Reedy renamed this task from Update "guzzlehttp/guzzle" to Update "guzzlehttp/guzzle" to 6.5.8/7.4.5.Jun 27 2022, 12:01 PM
Reedy renamed this task from Update "guzzlehttp/guzzle" to 6.5.8/7.4.5 to CVE-2022-27776: Update "guzzlehttp/guzzle" to 6.5.8/7.4.5.
Reedy closed this task as Resolved.
Reedy claimed this task.
Reedy added a project: Vuln-Misconfiguration.
Reedy removed a project: Patch-For-Review.
Reedy added a parent task: T305200: Tracking bug for MediaWiki 1.35.7/1.37.3/1.38.2.Jun 30 2022, 2:12 PM
MoritzMuehlenhoff subscribed.Jul 1 2022, 8:04 AM

JFTR, the mediawiki announcement referred to these under the CVE ID assigned for curl, but in the mean time these got assigned separate CVE IDs for guzzle, I'm renaming the task accordingly.

CVE-2022-31091:
https://github.com/guzzle/guzzle/security/advisories/GHSA-q559-8m2m-g699

CVE-2022-31090:
https://github.com/guzzle/guzzle/security/advisories/GHSA-25mq-v84q-4j7r

MoritzMuehlenhoff renamed this task from CVE-2022-27776: Update "guzzlehttp/guzzle" to 6.5.8/7.4.5 to CVE-2022-31090/CVE-2022-31091: Update "guzzlehttp/guzzle" to 6.5.8/7.4.5.Jul 1 2022, 8:04 AM
MoritzMuehlenhoff added a comment.Jul 4 2022, 10:00 AM

The update to 6.5.8 (via the implicit 6.5.7 update) also fixed two additional CVEs:

CVE-2022-31043:
https://github.com/guzzle/guzzle/security/advisories/GHSA-w248-ffj2-4v5q

CVE-2022-31042:
https://github.com/guzzle/guzzle/security/advisories/GHSA-f2wf-25xc-69c9

MoritzMuehlenhoff renamed this task from CVE-2022-31090/CVE-2022-31091: Update "guzzlehttp/guzzle" to 6.5.8/7.4.5 to CVE-2022-31042/CVE-2022-31043/CVE-2022-31090/CVE-2022-31091: Update "guzzlehttp/guzzle" to 6.5.8/7.4.5.Jul 4 2022, 10:01 AM
Bawolff mentioned this in T312059: Wrong version of guzzle shipped with 1.37.3 (breaks update.php).Jul 5 2022, 3:12 AM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL