#1011636 guzzle: [CVE-2022-29248] Cross-domain cookie leakage

Package:
php-guzzlehttp-guzzle
Source:
guzzle
Submitter:
David Prévot
Date:
2022-06-16 17:09:06 UTC
Severity:
serious
Tags:
#1011636#5
Date:
2022-05-25 15:05:37 UTC
From:
To:
Guzzle 7.5.0 (and 7.4.3) has just been released fixing a
cross-domain cookie leakage.

More information:

https://github.com/guzzle/guzzle/security/advisories/GHSA-cwmx-hcrq-mhc3

Regards

David

P.-S. Please, consider maintaining this package within the Debian PHP
PEAR (and Composer) Maintainers <pkg-php-pear@lists.alioth.debian.org>
team.

FYI, I just started documenting our usual workflow.

https://wiki.debian.org/Teams/DebianPHPGroup/Composer

#1011636#10
Date:
2022-06-09 07:18:06 UTC
From:
To:
Hello David,

Thanks for the link. I uploaded a newer version to
https://salsa.debian.org/php-team/pear/php-guzzlehttp-guzzle . Probably someone
with the corresponding permissions should upload the package to the Debian
archive.

Regards
Katharina

#1011636#20
Date:
2022-06-09 10:23:50 UTC
From:
To:
Hi Katharina,

On 09/06/2022 at 09:18, Katharina Drexel wrote:

Sure. Did you forget to push the pristine-tar branch, and your tags?
It’s difficult to get the differences with the previous version
(7.4.1-1) as is. d/changelog should close this bug by the way (I didn’t
look further yet). Did you find our recent [documentation]?

     documentation: https://wiki.debian.org/Teams/DebianPHPGroup/Composer

We may continue on the Debian PHP PEAR (and Composer) Maintainers
<pkg-php-pear@lists.alioth.debian.org> list if you wish.

Regards

David

#1011636#30
Date:
2022-06-16 17:06:48 UTC
From:
To:
We believe that the bug you reported is fixed in the latest version of
guzzle, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 1011636@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Katharina Drexel <katharina.drexel@bfh.ch> (supplier of updated guzzle package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)
Format: 1.8
Date: Thu, 16 Jun 2022 18:22:39 +0200
Source: guzzle
Architecture: source
Version: 7.4.4-1
Distribution: sid
Urgency: medium
Maintainer: Katharina Drexel <katharina.drexel@bfh.ch>
Changed-By: Katharina Drexel <katharina.drexel@bfh.ch>
Closes: 1011636
Changes:
 guzzle (7.4.4-1) sid; urgency=medium
 .
   * Upgrading to 7.4.4 because of cookie injection leak (Closes: #1011636)
     [CVE-2022-31042, CVE-2022-31043]
   * Adding test folder to debian.
   * Adopting debian/rules to the salsa standard.
   * Optimizing watchfile.
   * Adding some more files which have to be cleaned.
   * Adding gbp config file.
   * Adding upstream/metadata and signing key.
   * Adding newer standards version.
   * debian/control: Correcting Vcs* paths.
   * debian/control: Break should also be valid for Debian-replace.