Update dependency guzzlehttp/psr7 to v2 [SECURITY]

[renovate]

This PR contains the following updates:

Package	Change	Age	Adoption	Passing	Confidence
guzzlehttp/psr7	1.8.1 → 2.4.5

---

Warning

Some dependencies could not be looked up. Check the warning logs for more information.

---

Improper Input Validation in guzzlehttp/psr7

CVE-2022-24775 / GHSA-q7rv-6hp3-vh96

More information

Details

Impact

Improper header parsing. An attacker could sneak in a carriage return character (\r) and pass untrusted values in both the header names and values.

Patches

The issue is patched in 1.8.4 and 2.1.1.

Workarounds

There are no known workarounds.

References

• https://www.rfc-editor.org/rfc/rfc7230#section-3.2.4

Severity

• CVSS Score: 5.3 / 10 (Medium)
• Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

References

• https://github.com/guzzle/psr7/security/advisories/GHSA-q7rv-6hp3-vh96
• https://nvd.nist.gov/vuln/detail/CVE-2022-24775
• https://github.com/guzzle/psr7/pull/485/commits/e55afaa3fc138c89adf3b55a8ba20dc60d17f1f1
• https://github.com/guzzle/psr7/pull/486/commits/9a96d9db668b485361ed9de7b5bf1e54895df1dc
• https://www.drupal.org/sa-core-2022-006
• https://www.rfc-editor.org/rfc/rfc7230#section-3.2.4
• https://github.com/FriendsOfPHP/security-advisories/blob/master/guzzlehttp/psr7/CVE-2022-24775.yaml
• https://github.com/advisories/GHSA-q7rv-6hp3-vh96

This data is provided by the GitHub Advisory Database (CC-BY 4.0).

---

Improper header name validation in guzzlehttp/psr7

CVE-2023-29197 / GHSA-wxmh-65f7-jcvw

More information

Details

Impact

Improper header parsing. An attacker could sneak in a newline (\n) into both the header names and values. While the specification states that \r\n\r\n is used to terminate the header list, many servers in the wild will also accept \n\n.

Patches

The issue is patched in 1.9.1 and 2.4.5.

Workarounds

There are no known workarounds.

References

• https://www.rfc-editor.org/rfc/rfc7230#section-3.2.4

Severity

• CVSS Score: 5.3 / 10 (Medium)
• Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

References

• https://github.com/guzzle/psr7/security/advisories/GHSA-q7rv-6hp3-vh96
• https://github.com/guzzle/psr7/security/advisories/GHSA-wxmh-65f7-jcvw
• https://nvd.nist.gov/vuln/detail/CVE-2023-29197
• https://www.rfc-editor.org/rfc/rfc7230#section-3.2.4
• https://github.com/FriendsOfPHP/security-advisories/blob/master/guzzlehttp/psr7/CVE-2023-29197.yaml
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=2022-24775
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/O35UN4IK6VS2LXSRWUDFWY7NI73RKY2U/
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/FJANWDXJZE5BGLN4MQ4FEHV5LJ6CMKQF/
• https://lists.debian.org/debian-lts-announce/2023/12/msg00028.html
• https://github.com/advisories/GHSA-wxmh-65f7-jcvw

This data is provided by the GitHub Advisory Database (CC-BY 4.0).

---

Release Notes

guzzle/psr7 (guzzlehttp/psr7)

v2.4.5

Compare Source

Fixed

• Prevent possible warnings on unset variables in ServerRequest::normalizeNestedFileSpec
• Fixed Message::bodySummary when preg_match fails
• Fixed header validation issue

v2.4.4

Compare Source

Changed

• Removed the need for AllowDynamicProperties in LazyOpenStream

v2.4.3

Compare Source

Changed

• Replaced sha1(uniqid()) by bin2hex(random_bytes(20))

v2.4.2

Compare Source

Fixed

• Fixed erroneous behaviour when combining host and relative path

v2.4.1

Compare Source

Fixed

• Rewind body before reading in Message::bodySummary

v2.4.0

Compare Source

Added

• Added provisional PHP 8.2 support
• Added UriComparator::isCrossOrigin method

v2.3.0

Compare Source

Fixed

• Added Header::splitList method
• Added Utils::tryGetContents method
• Improved Stream::getContents method
• Updated mimetype mappings

v2.2.2

Compare Source

Fixed

• Fix Message::parseRequestUri for numeric headers
• Re-wrap exceptions thrown in fread into runtime exceptions
• Throw an exception when multipart options is misformatted

v2.2.1

Compare Source

Fixed

• Correct header value validation

v2.2.0

Compare Source

Added

• A more compressive list of mime types
• Add JsonSerializable to Uri
• Missing return types

Fixed

• Bug MultipartStream no uri metadata
• Bug MultipartStream with filename for data:// streams
• Fixed new line handling in MultipartStream
• Reduced RAM usage when copying streams
• Updated parsing in Header::normalize()

v2.1.2

Compare Source

See change log for changes.

v2.1.1

Compare Source

Fixed

• Validate header values properly

v2.1.0

Compare Source

Changed

• Attempting to create a Uri object from a malformed URI will no longer throw a generic
  InvalidArgumentException, but rather a MalformedUriException, which inherits from the former
  for backwards compatibility. Callers relying on the exception being thrown to detect invalid
  URIs should catch the new exception.

Fixed

• Return null in caching stream size if remote size is null

v2.0.0

Compare Source

Identical to the RC release.

v1.9.1

Compare Source

See change log for changes.

v1.9.0

Compare Source

See change log for changes.

v1.8.5

Compare Source

See change log for changes.

v1.8.4

Compare Source

See change log for changes.

v1.8.3

Compare Source

See change log for changes.

v1.8.2

Compare Source

See change log for changes.

---

Configuration

📅 Schedule: (UTC)

• Branch creation
  • ""
• Automerge
  • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.