#1138265 php-guzzlehttp-psr7: CVE-2026-48998 CVE-2026-49214

Package: src:php-guzzlehttp-psr7
Source: src:php-guzzlehttp-psr7
Submitter: Salvatore Bonaccorso
Date: 2026-06-09 19:19:03 UTC
Severity: normal

#1138265#5
Date: 2026-05-30 08:51:32 UTC

Hi,

The following vulnerabilities were published for php-guzzlehttp-psr7.

CVE-2026-48998[0]:
| Host Confusion via Authority Reinterpretation in guzzlehttp/psr7

CVE-2026-49214[1]:
| CRLF Injection via URI Host Component in guzzlehttp/psr7


If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2026-48998
    https://www.cve.org/CVERecord?id=CVE-2026-48998
    https://github.com/guzzle/psr7/security/advisories/GHSA-34xg-wgjx-8xph
[1] https://security-tracker.debian.org/tracker/CVE-2026-49214
    https://www.cve.org/CVERecord?id=CVE-2026-49214
    https://github.com/guzzle/psr7/security/advisories/GHSA-hq7v-mx3g-29hw

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

#1138265#16
Date: 2026-06-09 18:47:07 UTC

We believe that the bug you reported is fixed in the latest version of
php-guzzlehttp-psr7, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 1138265@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
David Prévot <taffit@debian.org> (supplier of updated php-guzzlehttp-psr7 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)
Format: 1.8
Date: Sat, 30 May 2026 13:39:01 +0200
Source: php-guzzlehttp-psr7
Architecture: source
Version: 2.7.1-1+deb13u1
Distribution: trixie
Urgency: medium
Maintainer: Debian PHP PEAR Maintainers <pkg-php-pear@lists.alioth.debian.org>
Changed-By: David Prévot <taffit@debian.org>
Closes: 1138265
Changes:
 php-guzzlehttp-psr7 (2.7.1-1+deb13u1) trixie; urgency=medium
 .
   * Backport fixes from upstream
     - Encode plus sign in withQueryValue() and withQueryValues() (#636)
     - Harden ServerRequest globals handling (#660)
     - Normalize global header values (#718)
     - Reject control characters in URI hosts (#715) [CVE-2026-49214]
     - Reject malformed Host authorities (#717) [CVE-2026-48998]
     (Closes: #1138265)
   * Track debian/trixie branch

#1138265#21
Date: 2026-06-09 19:17:20 UTC

We believe that the bug you reported is fixed in the latest version of
php-guzzlehttp-psr7, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 1138265@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
David Prévot <taffit@debian.org> (supplier of updated php-guzzlehttp-psr7 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)
Format: 1.8
Date: Sat, 30 May 2026 16:57:02 +0200
Source: php-guzzlehttp-psr7
Architecture: source
Version: 2.4.5-1+deb12u1
Distribution: bookworm
Urgency: medium
Maintainer: Debian PHP PEAR Maintainers <pkg-php-pear@lists.alioth.debian.org>
Changed-By: David Prévot <taffit@debian.org>
Closes: 1138265
Changes:
 php-guzzlehttp-psr7 (2.4.5-1+deb12u1) bookworm; urgency=medium
 .
   * Backport fixes from upstream
     - Encode plus sign in withQueryValue() and withQueryValues() (#636)
     - Harden ServerRequest globals handling (#660)
     - Normalize global header values (#718)
     - Reject control characters in URI hosts (#715) [CVE-2026-49214]
     - Reject malformed Host authorities (#717) [CVE-2026-48998]
     (Closes: #1138265)