Fedora 36: php-laminas-diactoros2 2022-794cd592d2 | LinuxSecurity.com


--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2022-794cd592d2
2022-07-16 01:21:53.770059
--------------------------------------------------------------------------------

Name        : php-laminas-diactoros2
Product     : Fedora 36
Version     : 2.13.0
Release     : 1.fc36
URL         : https://github.com/laminas/laminas-diactoros
Summary     : PSR HTTP Message implementations v2
Description :
A PHP package containing implementations of the accepted PSR-7 HTTP message
interfaces [1], as well as a "server" implementation similar to node's
http.Server [2].

Documentation: https://docs.laminas.dev/laminas-diactoros/

Autoloader: /usr/share/php/Laminas/Diactoros2/autoload.php

[1] https://www.php-fig.org/psr/psr-7/
[2] https://nodejs.org/api/http.html

--------------------------------------------------------------------------------
Update Information:

**Version 2.13.0**

Enhancement

*   106: Refined types as per laminas/laminas-coding-standard:2.3.x upgrades
    thanks to @Ocramius
*   103: Update to laminas/laminas-coding-standard:2.3.x, improved types and
    internal API thanks to @gsteel

----

**Version 2.12.0**

Bug

*   99: Merge release 2.11.3 into 2.12.x thanks to @github-actions[bot]
*   92: Fix typo in property name in UploadedFileTest::setUp() thanks to
    @TimWolla

Enhancement

*   97: Ignore obviously malformed host headers when constructing a
    ServerRequest thanks to @TimWolla
*   91: Fix typo thanks to @PhantomWatson

----

**Version 2.11.3**

Bug, Enhancement

*   98: Fixed UploadedFile::moveTo() so it actually removes the original file
    when used in CLI context, and doesn't leave orphaned files thanks to @k2rn

----

**Version 2.11.2**

Bug

*   95: Resolve Host header and X-Forwarded-Proto regressions thanks to
    @weierophinney

----

**Release Notes for 2.11.1**

This is a **SECURITY** release. All users are encouraged to upgrade
immediately.

**Added**

This release adds features to allow filtering a ServerRequest as generated by
Laminas\Diactoros\ServerRequestFactory::fromGlobals() for the purposes of
initialization. Examples include:

*   Adding a request identifier.
*   Using X-Forwarded-* headers to modify the URL to represent the original
    client request.

The features are based on a new interface,
Laminas\Diactoros\ServerRequestFilter\FilterServerRequestInterface, which
defines a single method:

```
public function __invoke(
    \Psr\Http\Message\ServerRequestInterface $request
): \Psr\Http\Message\ServerRequestInterface
```

We provide two implementations, as follows:

*   Laminas\Diactoros\ServerRequestFilter\DoNotFilter will return the provided
    request verbatim.
*   Laminas\Diactoros\ServerRequestFilter\FilterUsingXForwardedHeaders has
    named constructors that allow you to define how and when X-Forwarded-*
    headers are used to modify the URI instance associated with the request.
    These methods are:
    *   trustAny(): this method generates a filter instance that will trust
        all X-Forwarded-* headers from any source.
    *   trustReservedSubnets(array $trustedHeaders = ?): this method generates
        a filter instance that only modifies the URL if the IP address of the
        requesting server is from a reserved, private subnet (localhost;
        classes A, B, and C subnets; and IPv6 private and local-link subnets).
        By default, it will trust all X-Forwarded-* headers from these
        sources, but you may specify a list to allow via the $trustedHeaders
        argument.
    *   trustProxies(array $proxyCIDRList, array $trustedHeaders = ?): this
        method will generate a filter instance that only modifies the URL if
        the requesting server matches an entry in the $proxyCIDRList. These
        entries may be IP addresses, or any IPv4 or IPv6 CIDR subnets. By
        default, it will trust all X-Forwarded-* headers from these sources,
        but you may specify a list to allow via the $trustedHeaders argument.

ServerRequestFactory::fromGlobals() now accepts a FilterServerRequestInterface
instance as the optional argument $requestFilter. If none is provided, it uses
one as produced by FilterUsingXForwardedHeaders::trustReservedSubnets().

**Deprecated**

*   The function Laminas\Diactoros\marshalUriFromSapi() is deprecated, and no
    longer used internally.

**Changed**

Laminas\Diactoros\ServerRequestFactory::fromGlobals() no longer consumes
marshalUriFromSapi(), and instead inlines an alternate implementation. The new
implementation does not consider X-Forwarded-* headers by default when
generating the associated URI instance. Internally, if no
FilterServerRequestInterface implementation is provided, it defaults to using
an instance returned by FilterUsingXForwardedHeaders::trustReservedSubnets().
If you previously relied on X-Forwarded-* headers, you MAY need to update your
code to use either the FilterUsingXForwardedHeaders::trustAny() or
FilterUsingXForwardedHeaders::trustProxies() methods to generate a filter to
use with ServerRequestFactory::fromGlobals().

**Fixed**

*   Fixes **CVE-2022-31109**
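
How the choice of filter changes the URI that fromGlobals() builds, as an added example (not code from this advisory or from the Laminas project). The 10.0.0.0/24 proxy subnet, the host names and the $_SERVER values are constructed for illustration.

```php
<?php
declare(strict_types=1);

use Laminas\Diactoros\ServerRequestFactory;
use Laminas\Diactoros\ServerRequestFilter\DoNotFilter;
use Laminas\Diactoros\ServerRequestFilter\FilterServerRequestInterface;
use Laminas\Diactoros\ServerRequestFilter\FilterUsingXForwardedHeaders;

// Added example. The autoloader path is the one this advisory lists for the
// Fedora package.
require '/usr/share/php/Laminas/Diactoros2/autoload.php';

// Constructed $_SERVER contents for one request arriving from $remoteAddr.
function sampleServer(string $remoteAddr): array
{
    return [
        'REQUEST_METHOD'         => 'GET',
        'REQUEST_URI'            => '/account/reset',
        'HTTP_HOST'              => 'app.internal.example',
        'HTTP_X_FORWARDED_HOST'  => 'shop.example',
        'HTTP_X_FORWARDED_PROTO' => 'https',
        'REMOTE_ADDR'            => $remoteAddr,
    ];
}

// URI the application would see and reuse when it builds links or redirects.
function effectiveUri(array $server, FilterServerRequestInterface $filter): string
{
    $request = ServerRequestFactory::fromGlobals($server, null, null, null, null, $filter);
    return (string) $request->getUri();
}

// Honour only the Host and Proto headers, and only when the connecting peer
// is inside the proxy subnet (10.0.0.0/24 is an assumed value).
$proxyOnly = FilterUsingXForwardedHeaders::trustProxies(
    ['10.0.0.0/24'],
    [FilterUsingXForwardedHeaders::HEADER_HOST, FilterUsingXForwardedHeaders::HEADER_PROTO]
);

$cases = [
    'peer inside proxy CIDR'  => ['10.0.0.5', $proxyOnly],
    'peer outside proxy CIDR' => ['203.0.113.7', $proxyOnly],
    'DoNotFilter'             => ['10.0.0.5', new DoNotFilter()],
];
foreach ($cases as $label => [$addr, $filter]) {
    printf("%-24s %s\n", $label, effectiveUri(sampleServer($addr), $filter));
}
```

Passing an explicit filter replaces the default, which per the notes above is trustReservedSubnets() and therefore honours X-Forwarded-* headers from any peer in a private range.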
--------------------------------------------------------------------------------
ChangeLog:

* Thu Jul  7 2022 Remi Collet  - 2.13.0-1
- update to 2.13.0
* Wed Jul  6 2022 Remi Collet  - 2.12.0-1
- update to 2.12.0
* Thu Jun 30 2022 Remi Collet  - 2.11.2-1
- update to 2.11.2
* Wed Jun 29 2022 Remi Collet  - 2.11.1-1
- update to 2.11.1
--------------------------------------------------------------------------------

This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2022-794cd592d2' at the command
line. For more information, refer to the dnf documentation available at
https://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label

All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------

July 15, 2022
