Debian Package Tracker

guzzle

Guzzle is a PHP HTTP client library


general
  • source: guzzle (main)
  • version: 7.12.3-1
  • maintainer: Debian PHP PEAR Maintainers (archive) (DMD)
  • uploaders: David Prévot [DMD]
  • arch: all
  • std-ver: 4.7.4
  • VCS: Git (Browse, QA)
versions [more versions can be listed by madison] [old versions available from snapshot.debian.org]
[pool directory]
  • oldstable: 7.4.5-1
  • stable: 7.9.2-0.1
  • testing: 7.12.1-1
  • unstable: 7.12.3-1
versioned links
  • 7.4.5-1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
  • 7.9.2-0.1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
  • 7.12.1-1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
  • 7.12.3-1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
binaries
  • php-guzzlehttp-guzzle
action needed
2 security issues in bookworm (high)

There are 2 open security issues in bookworm.

2 important issues:
  • CVE-2026-55568: Guzzle is an extensible PHP HTTP client. Prior to 7.12.1, in certain configurations, traffic expected to be protected by TLS on the hop to the proxy is transmitted in cleartext. Proxy authentication credentials (the Proxy-Authorization header, proxy userinfo in the proxy URL, or CURLOPT_PROXYUSERPWD) are sent without encryption, and the CONNECT target host and port for tunneled HTTPS requests are exposed. The built-in cURL handlers (GuzzleHttp\Handler\CurlHandler and GuzzleHttp\Handler\CurlMultiHandler, used by default whenever the PHP cURL extension is available) accept an https:// proxy. libcurl older than 7.50.2 silently treats an https:// proxy as a plaintext http:// proxy. The TLS connection to the proxy is never established, and the proxy leg is cleartext with no error or warning. An application is affected when it sends requests through one of the built-in cURL handlers, configures an https:// proxy expecting the proxy connection itself to be encrypted, and runs with libcurl older than 7.50.2. This vulnerability is fixed in 7.12.1.
  • CVE-2026-55767: Guzzle is an extensible PHP HTTP client. Prior to 7.12.1, CookieJar incorrectly accepts cookies with a dot-only Domain attribute and whitespace-padded variants. SetCookie::matchesDomain() removes leading dots from the cookie domain, normalizing dot-only values to the empty string; SetCookie::validate() only rejected a strictly empty domain, so these cookies could be stored and the empty normalized domain was treated as matching any request host. An attacker-controlled origin that an application requests with a shared cookie jar can therefore set a cookie that Guzzle later sends to unrelated hosts using the same jar. This may allow cookie injection or session fixation against downstream services, depending on how those services interpret the injected cookie. This vulnerability is fixed in 7.12.1.
Created: 2026-06-19 Last update: 2026-06-25 07:00
lintian reports 2 warnings (normal)
Lintian reports 2 warnings about this package. You should make the package lintian-clean by getting rid of them.
Created: 2026-06-25 Last update: 2026-06-25 12:48
2 low-priority security issues in trixie (low)

There are 2 open security issues in trixie.

2 issues left for the package maintainer to handle:
  • CVE-2026-55568: (needs triaging) Guzzle is an extensible PHP HTTP client. Prior to 7.12.1, in certain configurations, traffic expected to be protected by TLS on the hop to the proxy is transmitted in cleartext. Proxy authentication credentials (the Proxy-Authorization header, proxy userinfo in the proxy URL, or CURLOPT_PROXYUSERPWD) are sent without encryption, and the CONNECT target host and port for tunneled HTTPS requests are exposed. The built-in cURL handlers (GuzzleHttp\Handler\CurlHandler and GuzzleHttp\Handler\CurlMultiHandler, used by default whenever the PHP cURL extension is available) accept an https:// proxy. libcurl older than 7.50.2 silently treats an https:// proxy as a plaintext http:// proxy. The TLS connection to the proxy is never established, and the proxy leg is cleartext with no error or warning. An application is affected when it sends requests through one of the built-in cURL handlers, configures an https:// proxy expecting the proxy connection itself to be encrypted, and runs with libcurl older than 7.50.2. This vulnerability is fixed in 7.12.1.
  • CVE-2026-55767: (needs triaging) Guzzle is an extensible PHP HTTP client. Prior to 7.12.1, CookieJar incorrectly accepts cookies with a dot-only Domain attribute and whitespace-padded variants. SetCookie::matchesDomain() removes leading dots from the cookie domain, normalizing dot-only values to the empty string; SetCookie::validate() only rejected a strictly empty domain, so these cookies could be stored and the empty normalized domain was treated as matching any request host. An attacker-controlled origin that an application requests with a shared cookie jar can therefore set a cookie that Guzzle later sends to unrelated hosts using the same jar. This may allow cookie injection or session fixation against downstream services, depending on how those services interpret the injected cookie. This vulnerability is fixed in 7.12.1.

You can find information about how to handle these issues in the security team's documentation.

Created: 2026-06-19 Last update: 2026-06-25 07:00
testing migrations
  • excuses:
    • Migration status for guzzle (7.12.1-1 to 7.12.3-1): Waiting for test results or another package, or too young (no action required now - check later)
    • Issues preventing migration:
      ∙ Too young, only 3 of 5 days old
    • Additional info (not blocking):
      ∙ Piuparts tested OK - https://piuparts.debian.org/sid/source/g/guzzle.html
      ∙ Reproduced on amd64 - info
      ∙ Reproduced on arm64 - info
      ∙ Reproduced on armhf - info
      ∙ Reproduced on i386 - info
    • Not considered
news
  • [2026-06-25] guzzle 7.12.1-1 MIGRATED to testing (Debian testing watch)
  • [2026-06-24] Accepted guzzle 7.12.3-1 (source) into unstable (David Prévot)
  • [2026-06-19] Accepted guzzle 7.12.1-1 (source) into unstable (David Prévot)
  • [2026-06-17] Accepted guzzle 7.12.0-1 (source) into unstable (David Prévot)
  • [2026-06-09] guzzle 7.11.0-1 MIGRATED to testing (Debian testing watch)
  • [2026-06-04] Accepted guzzle 7.11.0-1 (source) into unstable (David Prévot)
  • [2026-05-28] guzzle 7.9.2-0.1 MIGRATED to testing (Debian testing watch)
  • [2026-05-11] guzzle REMOVED from testing (Debian testing watch)
  • [2024-12-20] guzzle 7.9.2-0.1 MIGRATED to testing (Debian testing watch)
  • [2024-12-14] Accepted guzzle 7.9.2-0.1 (source) into unstable (Ondřej Surý)
  • [2022-07-23] guzzle 7.4.5-1 MIGRATED to testing (Debian testing watch)
  • [2022-07-18] Accepted guzzle 7.4.5-1 (source) into unstable (Katharina Drexel) (signed by: Andrius Merkys)
  • [2022-06-25] guzzle 7.4.4-2 MIGRATED to testing (Debian testing watch)
  • [2022-06-19] Accepted guzzle 7.4.4-2 (source) into unstable (David Prévot)
  • [2022-06-16] Accepted guzzle 7.4.4-1 (source) into unstable (Katharina Drexel) (signed by: Daniel Baumann)
  • [2022-02-27] Accepted guzzle 7.4.1-1 (source all) into unstable, unstable (Debian FTP Masters) (signed by: Daniel Baumann)
bugs [bug history graph]
  • all: 0
links
  • homepage
  • lintian (0, 2)
  • buildd: logs, reproducibility
  • popcon
  • browse source code
  • other distros
  • security tracker
ubuntu [Information about Ubuntu for Debian Developers]
  • version: 7.9.2-0.1build1
