
Fedora 36: 2022-794cd592d2 Critical: php-laminas-diactoros2 Security Fix

July 15, 2022
Improvements, patches, and protective enhancements for the php-laminas-diactoros library in Fedora.

Summary

A PHP package containing implementations of the accepted PSR-7 HTTP message interfaces [1], as well as a "server" implementation similar to node's http.Server [2].

Documentation: https://docs.laminas.dev/laminas-diactoros/

Autoloader: /usr/share/php/Laminas/Diactoros2/autoload.php

[1] https://www.php-fig.org/psr/psr-7/

[2] https://nodejs.org/api/http.html

**Version 2.13.0**

Enhancement

* 106: Refined types as per laminas/laminas-coding-standard:2.3.x upgrades thanks to @Ocramius
* 103: Update to laminas/laminas-coding-standard:2.3.x, improved types and internal API thanks to @gsteel

----

**Version 2.12.0**

Bug

* 99: Merge release 2.11.3 into 2.12.x thanks to @github-actions[bot]
* 92: Fix typo in property name in UploadedFileTest::setUp() thanks to @TimWolla

Enhancement

* 97: Ignore obviously malformed host headers when constructing a ServerRequest thanks to @TimWolla
* 91: Fix typo thanks to @PhantomWatson

----

**Version 2.11.3**

Bug, Enhancement

* 98: Fixed UploadedFile::moveTo() so it actually removes the original file when used in CLI context, and doesn't leave orphaned files thanks to @k2rn

----

**Version 2.11.2**

Bug

* 95: Resolve Host header and X-Forwarded-Proto regressions thanks to @weierophinney

----

**Release Notes for 2.11.1**

This is a **SECURITY** release. All users are encouraged to upgrade immediately.

**Added**

This release adds features to allow filtering a ServerRequest as generated by Laminas\Diactoros\ServerRequestFactory::fromGlobals() for the purposes of initialization. Examples include:

* Adding a request identifier.
* Using X-Forwarded-* headers to modify the URL to represent the original client request.

The features are based on a new interface, Laminas\Diactoros\ServerRequestFilter\FilterServerRequestInterface, which defines a single method:

```
public function __invoke(
    \Psr\Http\Message\ServerRequestInterface $request
): \Psr\Http\Message\ServerRequestInterface
```

We provide two implementations, as follows:

* Laminas\Diactoros\ServerRequestFilter\DoNotFilter will return the provided request verbatim.
* Laminas\Diactoros\ServerRequestFilter\FilterUsingXForwardedHeaders has named constructors that allow you to define how and when X-Forwarded-* headers are used to modify the URI instance associated with the request. These methods are:
  * trustAny(): this method generates a filter instance that will trust all X-Forwarded-* headers from any source.
  * trustReservedSubnets(array $trustedHeaders = ?): this method generates a filter instance that only modifies the URL if the IP address of the requesting server is from a reserved, private subnet (localhost; class A, B, and C private subnets; and IPv6 private and link-local subnets). By default, it will trust all X-Forwarded-* headers from these sources, but you may specify a list to allow via the $trustedHeaders argument.
  * trustProxies(array $proxyCIDRList, array $trustedHeaders = ?): this method will generate a filter instance that only modifies the URL if the requesting server matches an entry in the $proxyCIDRList. These entries may be IP addresses, or any IPv4 or IPv6 CIDR subnets. By default, it will trust all X-Forwarded-* headers from these sources, but you may specify a list to allow via the $trustedHeaders argument.

ServerRequestFactory::fromGlobals() now accepts a FilterServerRequestInterface instance as the optional argument $requestFilter. If none is provided, it uses one as produced by FilterUsingXForwardedHeaders::trustReservedSubnets().

**Deprecated**

* The function Laminas\Diactoros\marshalUriFromSapi() is deprecated, and no longer used internally.

**Changed**

Laminas\Diactoros\ServerRequestFactory::fromGlobals() no longer consumes marshalUriFromSapi(), and instead inlines an alternate implementation. The new implementation does not consider X-Forwarded-* headers by default when generating the associated URI instance. Internally, if no FilterServerRequestInterface implementation is provided, it defaults to using an instance returned by FilterUsingXForwardedHeaders::trustReservedSubnets(). If you previously relied on X-Forwarded-* headers, you MAY need to update your code to use either the FilterUsingXForwardedHeaders::trustAny() or FilterUsingXForwardedHeaders::trustProxies() methods to generate a filter to use with ServerRequestFactory::fromGlobals().

**Fixed**

* Fixes **CVE-2022-31109**
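The following is an added example, not code from the advisory or from the laminas project, showing how the 2.11.1 request filter is meant to be wired into ServerRequestFactory::fromGlobals(). It feeds two constructed $_SERVER-style arrays through a trustProxies() filter: one with REMOTE_ADDR inside an assumed reverse-proxy subnet (10.0.0.0/8), one from an arbitrary public address. The autoloader path is the one this Fedora package installs; the HEADER_HOST and HEADER_PROTO constants are assumed to be the public constants of the FilterUsingXForwardedHeaders class in this release, and the IPs, hostnames and proxy subnet are constructed sample values.

```php
<?php
// Added example (not from the advisory or laminas-diactoros itself).
// Shows the filter deciding whether X-Forwarded-* headers may rewrite the URI.
declare(strict_types=1);

// Autoloader shipped by the Fedora php-laminas-diactoros2 package.
require '/usr/share/php/Laminas/Diactoros2/autoload.php';

use Laminas\Diactoros\ServerRequestFactory;
use Laminas\Diactoros\ServerRequestFilter\FilterUsingXForwardedHeaders;

/**
 * Constructed SAPI array standing in for $_SERVER. Both calls below carry the
 * same client-supplied X-Forwarded-* headers; only REMOTE_ADDR differs.
 */
function fakeServer(string $remoteAddr): array
{
    return [
        'REQUEST_METHOD'         => 'GET',
        'REQUEST_URI'            => '/account/reset',
        'SERVER_NAME'            => 'app-backend.internal',
        'SERVER_PORT'            => '80',
        'REMOTE_ADDR'            => $remoteAddr,
        'HTTP_HOST'              => 'app-backend.internal',
        'HTTP_X_FORWARDED_HOST'  => 'app.example.com',
        'HTTP_X_FORWARDED_PROTO' => 'https',
        'HTTP_X_FORWARDED_PORT'  => '443',
    ];
}

// Only requests arriving from the (assumed) reverse-proxy subnet may set
// forwarding headers, and only Host and Proto are honoured; a forwarded
// port is ignored even when it comes from the proxy. HEADER_* are assumed
// to be the public constants of the filter class.
$filter = FilterUsingXForwardedHeaders::trustProxies(
    ['10.0.0.0/8'],
    [
        FilterUsingXForwardedHeaders::HEADER_HOST,
        FilterUsingXForwardedHeaders::HEADER_PROTO,
    ]
);

$sources = [
    '10.0.0.5'    => 'trusted proxy',
    '203.0.113.7' => 'direct client',
];

foreach ($sources as $ip => $label) {
    // fromGlobals() builds the request from the supplied arrays and then
    // applies the filter; passing our array leaves the real $_SERVER alone.
    $request = ServerRequestFactory::fromGlobals(
        fakeServer($ip), // $server
        [],              // $query
        [],              // $body
        [],              // $cookies
        [],              // $files
        $filter          // $requestFilter (new optional argument in 2.11.1)
    );

    printf("%-12s %-14s uri=%s\n", $ip, $label, (string) $request->getUri());
}
```

Per the release notes, the request whose REMOTE_ADDR falls inside the proxy list should come back with a URI built from the forwarded host and scheme, while the direct client's forwarding headers are ignored and the URI keeps the SAPI host and scheme. trustAny() would accept the second request's headers too, which is the behaviour a deployment without a trusted proxy in front of it should avoid; when no filter is passed, fromGlobals() uses trustReservedSubnets(), so a reverse proxy on a public address needs an explicit trustProxies() list.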

* Thu Jul 7 2022 Remi Collet - 2.13.0-1
  - update to 2.13.0
* Wed Jul 6 2022 Remi Collet - 2.12.0-1
  - update to 2.12.0
* Thu Jun 30 2022 Remi Collet - 2.11.2-1
  - update to 2.11.2
* Wed Jun 29 2022 Remi Collet - 2.11.1-1
  - update to 2.11.1

Run `su -c 'dnf upgrade --advisory FEDORA-2022-794cd592d2'` at the command line. For more information, refer to the dnf documentation available at https://dnf.readthedocs.io/en/latest/command_ref.html

All packages are signed with the Fedora Project GPG key. More details on the GPG keys used by the Fedora Project can be found at https://fedoraproject.org/security/

package-announce mailing list -- package-announce@lists.fedoraproject.org
To unsubscribe send an email to package-announce-leave@lists.fedoraproject.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/
Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure

Severity: critical

Product: Fedora 36
Version: 2.13.0
Release: 1.fc36
Summary: PSR HTTP Message implementations v2
