Your message dated Tue, 09 Jun 2026 19:17:20 +0000
with message-id <[email protected]>
and subject line Bug#1138265: fixed in php-guzzlehttp-psr7 2.4.5-1+deb12u1
has caused the Debian Bug report #1138265,
regarding php-guzzlehttp-psr7: CVE-2026-48998 CVE-2026-49214
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
1138265: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1138265
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: php-guzzlehttp-psr7
Version: 2.9.0-2
Severity: important
Tags: security upstream
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>

Hi,

The following vulnerabilities were published for php-guzzlehttp-psr7.

CVE-2026-48998[0]:
| Host Confusion via Authority Reinterpretation in guzzlehttp/psr7

CVE-2026-49214[1]:
| CRLF Injection via URI Host Component in guzzlehttp/psr7 


If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2026-48998
    https://www.cve.org/CVERecord?id=CVE-2026-48998
    https://github.com/guzzle/psr7/security/advisories/GHSA-34xg-wgjx-8xph
[1] https://security-tracker.debian.org/tracker/CVE-2026-49214
    https://www.cve.org/CVERecord?id=CVE-2026-49214
    https://github.com/guzzle/psr7/security/advisories/GHSA-hq7v-mx3g-29hw

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

--- End Message ---
--- Begin Message ---
Source: php-guzzlehttp-psr7
Source-Version: 2.4.5-1+deb12u1
Done: David Prévot <[email protected]>

We believe that the bug you reported is fixed in the latest version of
php-guzzlehttp-psr7, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
David Prévot <[email protected]> (supplier of updated php-guzzlehttp-psr7 
package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Sat, 30 May 2026 16:57:02 +0200
Source: php-guzzlehttp-psr7
Architecture: source
Version: 2.4.5-1+deb12u1
Distribution: bookworm
Urgency: medium
Maintainer: Debian PHP PEAR Maintainers <[email protected]>
Changed-By: David Prévot <[email protected]>
Closes: 1138265
Changes:
 php-guzzlehttp-psr7 (2.4.5-1+deb12u1) bookworm; urgency=medium
 .
   * Backport fixes from upstream
     - Encode plus sign in withQueryValue() and withQueryValues() (#636)
     - Harden ServerRequest globals handling (#660)
     - Normalize global header values (#718)
     - Reject control characters in URI hosts (#715) [CVE-2026-49214]
     - Reject malformed Host authorities (#717) [CVE-2026-48998]
     (Closes: #1138265)



--- End Message ---
