Your message dated Tue, 09 Jun 2026 18:47:07 +0000
with message-id <[email protected]>
and subject line Bug#1138265: fixed in php-guzzlehttp-psr7 2.7.1-1+deb13u1
has caused the Debian Bug report #1138265,
regarding php-guzzlehttp-psr7: CVE-2026-48998 CVE-2026-49214
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
1138265: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1138265
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: php-guzzlehttp-psr7
Version: 2.9.0-2
Severity: important
Tags: security upstream
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>

Hi,

The following vulnerabilities were published for php-guzzlehttp-psr7.

CVE-2026-48998[0]:
| Host Confusion via Authority Reinterpretation in guzzlehttp/psr7

CVE-2026-49214[1]:
| CRLF Injection via URI Host Component in guzzlehttp/psr7 


If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2026-48998
    https://www.cve.org/CVERecord?id=CVE-2026-48998
    https://github.com/guzzle/psr7/security/advisories/GHSA-34xg-wgjx-8xph
[1] https://security-tracker.debian.org/tracker/CVE-2026-49214
    https://www.cve.org/CVERecord?id=CVE-2026-49214
    https://github.com/guzzle/psr7/security/advisories/GHSA-hq7v-mx3g-29hw

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

--- End Message ---
--- Begin Message ---
Source: php-guzzlehttp-psr7
Source-Version: 2.7.1-1+deb13u1
Done: David Prévot <[email protected]>

We believe that the bug you reported is fixed in the latest version of
php-guzzlehttp-psr7, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
David Prévot <[email protected]> (supplier of updated php-guzzlehttp-psr7 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Sat, 30 May 2026 13:39:01 +0200
Source: php-guzzlehttp-psr7
Architecture: source
Version: 2.7.1-1+deb13u1
Distribution: trixie
Urgency: medium
Maintainer: Debian PHP PEAR Maintainers <[email protected]>
Changed-By: David Prévot <[email protected]>
Closes: 1138265
Changes:
 php-guzzlehttp-psr7 (2.7.1-1+deb13u1) trixie; urgency=medium
 .
   * Backport fixes from upstream
     - Encode plus sign in withQueryValue() and withQueryValues() (#636)
     - Harden ServerRequest globals handling (#660)
     - Normalize global header values (#718)
     - Reject control characters in URI hosts (#715) [CVE-2026-49214]
     - Reject malformed Host authorities (#717) [CVE-2026-48998]
     (Closes: #1138265)
   * Track debian/trixie branch

-----BEGIN PGP SIGNATURE-----

-----END PGP SIGNATURE-----


--- End Message ---
