fix(deps): update dependency symfony/http-client to v6.4.16 [security] - autoclosed

[renovate]

This PR contains the following updates:

Package	Change	Age	Adoption	Passing	Confidence
symfony/http-client (source)	6.4.12 -> 6.4.16

---

Symfony allows internal address and port enumeration by NoPrivateNetworkHttpClient

CVE-2024-50342 / GHSA-9c3x-r3wp-mgxm

More information

Details

Description

When using the NoPrivateNetworkHttpClient, some internal information is still leaking during host resolution, which leads to possible IP/port enumeration.

Resolution

The NoPrivateNetworkHttpClient now filters blocked IPs earlier to prevent such leaks.

The fisrt patch for this issue is available here for branch 5.4.

The second one is available here for branch 5.4 also.

Credits

We would like to thank Linus Karlsson and Chris Smith for reporting the issue and Nicolas Grekas for providing the fix.

Severity

• CVSS Score: 3.1 / 10 (Low)
• Vector String: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N

References

• https://github.com/symfony/symfony/security/advisories/GHSA-9c3x-r3wp-mgxm
• https://nvd.nist.gov/vuln/detail/CVE-2024-50342
• https://github.com/symfony/symfony/commit/296d4b34a33b1a6ca5475c6040b3203622520f5b
• https://github.com/FriendsOfPHP/security-advisories/blob/master/symfony/http-client/CVE-2024-50342.yaml
• https://github.com/FriendsOfPHP/security-advisories/blob/master/symfony/symfony/CVE-2024-50342.yaml
• https://github.com/symfony/symfony
• https://symfony.com/cve-2024-50342

This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).

---

Release Notes

symfony/http-client (symfony/http-client)

v6.4.16

Compare Source

Changelog (symfony/http-client@v6.4.15...v6.4.16)

• bug symfony/symfony#59013 [HttpClient] Fix checking for private IPs before connecting (@​nicolas-grekas)
• bug symfony/symfony#58562 [HttpClient] Close gracefull when the server closes the connection abruptly (@​discordier)
• bug symfony/symfony#58924 [HttpClient] Fix empty hosts in option "resolve" (@​nicolas-grekas)
• bug symfony/symfony#58915 [HttpClient] Fix option "resolve" with IPv6 addresses (@​nicolas-grekas)
• bug symfony/symfony#58914 [HttpClient] Fix option "bindto" with IPv6 addresses (@​nicolas-grekas)
• bug symfony/symfony#58875 [HttpClient] Removed body size limit (Carl Julian Sauter)
• bug symfony/symfony#58860 [HttpClient] Fix catching some invalid Location headers (@​nicolas-grekas)
• bug symfony/symfony#58836 Work around parse_url() bug (bis) (@​nicolas-grekas)
• bug symfony/symfony#58850 [HttpClient] fix PHP 7.2 compatibility (@​xabbuh)

v6.4.15

Compare Source

Changelog (symfony/http-client@v6.4.14...v6.4.15)

• security symfony/symfony#cve-2024-50342 [HttpClient] Resolve hostnames in NoPrivateNetworkHttpClient (@​nicolas-grekas)

v6.4.14

Compare Source

Changelog (symfony/http-client@v6.4.13...v6.4.14)

• security symfony/symfony#cve-2024-50342 [HttpClient] Filter private IPs before connecting when Host == IP (@​nicolas-grekas)
• bug symfony/symfony#58704 [HttpClient] fix for HttpClientDataCollector fails if proc_open is disabled via php.ini (@​ZaneCEO)

v6.4.13

Compare Source

---

Configuration

📅 Schedule: Branch creation - "* 2-5 * * 1" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.