Release date:
2026-05-20 12:33:31 UTC
Description:
* SECURITY UPDATE: soap extension use-after-free via apache:Map duplicate keys
  - debian/patches/php-8.0-CVE-2026-6722.patch: backport upstream commit
    aee3b3ac9b in ext/soap/php_encoding.c — add Z_TRY_ADDREF_P on
    soap_add_xml_ref insertion and change SOAP_GLOBAL(ref_map) destructor
    to ZVAL_PTR_DTOR.
  - CVE-2026-6722
* SECURITY UPDATE: pdo_firebird SQL injection via NUL bytes in quoted strings
  - debian/patches/php-8.0-CVE-2025-14179.patch: backport upstream commit
    3f40b65323 in ext/pdo_firebird/firebird_driver.c — replace
    strncat/strncpy/strcpy in preprocess() and the quoter with memcpy plus
    explicit length tracking. Adapted to the 8.0 (const char*, size_t)
    preprocess and quoter signatures.
  - debian/patches/php-8.0-firebird-static-inline-classes.patch: build fix
    required for the CVE-2025-14179 backport to be loadable on Debian.
    Upstream PHP-8.0.30 declares the pdo_firebird tokenizer helper as
    `inline char classes(char idx)` without `static`. C99 inline semantics
    require an external definition when the function is not inlined; nothing
    in PHP provides one. The Debian build's CFLAGS lacks `-O*` (falls back
    to gcc's `-O0`), so classes() is emitted as an undefined external
    reference, and pdo_firebird.so fails to load at runtime with "symbol
    lookup error: undefined symbol: classes".
  - CVE-2025-14179
* SECURITY UPDATE: soap extension NULL pointer dereference via apache:Map
  item missing element
  - debian/patches/php-8.0-CVE-2026-7262.patch: backport upstream commit
    79551ab8b1 in ext/soap/php_encoding.c — fix typo'd null check in
    to_zval_map() (was checking xmlKey, should check xmlValue).
  - CVE-2026-7262
* SECURITY UPDATE: php-fpm status endpoint XSS via unescaped request_uri
  - debian/patches/php-8.0-CVE-2026-6735.patch: backport upstream commit
    99a5ad7441 in sapi/fpm/fpm/fpm_status.c — escape proc->request_uri
    with php_escape_html_entities_ex() and fix the broken
    "ENT_HTML_IGNORE_ERRORS & ENT_COMPAT" flag (bitwise-AND of two flag
    constants evaluates to 0). Adapted to 8.0's single-bool `encode`
    model (8.0's JSON output branch already writes raw strings; this
    backport only addresses the HTML/XML XSS the CVE describes).
  - CVE-2026-6735
* SECURITY UPDATE: mbstring NULL pointer dereference in
  php_mb_check_encoding() via mb_ereg_search_init()
  - debian/patches/php-8.0-CVE-2026-7259.patch: backport upstream commit
    79a054eae0 in ext/mbstring/php_mbregex.c — resolve the mbfl encoding
    before storing it in MBREX(current_mbctype_mbfl_encoding) and
    return FAILURE if NULL (encodings supported by Oniguruma but not
    mbfl such as iso-8859-11, UJIS, KOI8-R).
  - CVE-2026-7259
* SECURITY UPDATE: soap SoapServer use-after-free after header parsing
  failure when SOAP_PERSISTENCE_SESSION is set
  - debian/patches/php-8.0-CVE-2026-7261.patch: backport upstream commit
    db2a7f9348 in ext/soap/soap.c — guard both zval_ptr_dtor(soap_obj)
    call sites in PHP_METHOD(SoapServer, handle) with
    "if (service->soap_class.persistence != SOAP_PERSISTENCE_SESSION)".
    Adapted to 8.0's fault path (extra efree(fn_name) before each dtor).
  - CVE-2026-7261
* SECURITY UPDATE: metaphone() signed integer overflow on >INT_MAX input
  - debian/patches/php-8.0-CVE-2026-7568.patch: backport upstream commit
    47def8ce1d in ext/standard/metaphone.c — retype w_idx and
    Lookahead's how_far/idx from int to size_t to avoid signed overflow
    while walking strings larger than 2 GB on 64-bit builds.
  - CVE-2026-7568
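
Added example for the CVE-2025-14179 entry above (not code from PHP or from the patch): a generic single-quote doubling quoter written once with str* calls and once with memcpy plus explicit length tracking, run on a constructed input that contains a NUL byte. The function names quote_cstr and quote_tracked and the sample bytes are hypothetical.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
/* Constructed sample: 6 bytes with an embedded NUL and one single quote. */
static const char SAMPLE[] = "ab\0c'd";
#define SAMPLE_LEN 6

/* C-string style: strncat() appends nothing for a NUL; strlen() gives the length. */
static char *quote_cstr(const char *in, size_t len, size_t *out_len)
{
    char *out = calloc(2 * len + 3, 1);   /* all quotes doubled + 2 delimiters + NUL */
    if (!out) return NULL;
    strcpy(out, "'");
    for (size_t i = 0; i < len; i++) {
        if (in[i] == '\'') strcat(out, "'");   /* double an embedded quote */
        strncat(out, in + i, 1);               /* the NUL byte is silently dropped */
    }
    strcat(out, "'");
    *out_len = strlen(out);
    return out;
}

/* Length-tracked style: memchr/memcpy plus an explicit write offset. */
static char *quote_tracked(const char *in, size_t len, size_t *out_len)
{
    char *out = malloc(2 * len + 3);
    size_t o = 0, i = 0;
    if (!out) return NULL;
    out[o++] = '\'';
    while (i < len) {
        const char *q = memchr(in + i, '\'', len - i);   /* next quote, NUL-agnostic */
        size_t run = q ? (size_t)(q - (in + i)) : len - i;
        memcpy(out + o, in + i, run);                    /* bytes before the quote, verbatim */
        o += run; i += run;
        if (q) { out[o++] = '\''; out[o++] = '\''; i++; }
    }
    out[o++] = '\'';
    out[o] = '\0';
    *out_len = o;                                        /* length never depends on strlen() */
    return out;
}

int main(void)
{
    size_t a = 0, b = 0;
    free(quote_cstr(SAMPLE, SAMPLE_LEN, &a)); free(quote_tracked(SAMPLE, SAMPLE_LEN, &b));
    printf("cstr: %zu bytes, tracked: %zu bytes\n", a, b);
    return 0;
}
```

The length-tracked output always has input length plus the number of embedded quotes plus two bytes; the str* version loses that invariant as soon as the input carries a NUL.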
Updated packages:
- alt-php80_8.0.30-44_amd64.deb
- alt-php80-bcmath_8.0.30-44_amd64.deb
- alt-php80-cli_8.0.30-44_amd64.deb
- alt-php80-common_8.0.30-44_amd64.deb
- alt-php80-dba_8.0.30-44_amd64.deb
- alt-php80-dev_8.0.30-44_amd64.deb
- alt-php80-enchant_8.0.30-44_amd64.deb
- alt-php80-firebird_8.0.30-44_amd64.deb
- alt-php80-fpm_8.0.30-44_amd64.deb
- alt-php80-gd_8.0.30-44_amd64.deb
- alt-php80-imap_8.0.30-44_amd64.deb
- alt-php80-intl_8.0.30-44_amd64.deb
- alt-php80-ldap_8.0.30-44_amd64.deb
- alt-php80-mbstring_8.0.30-44_amd64.deb
- alt-php80-mysqlnd_8.0.30-44_amd64.deb
- alt-php80-odbc_8.0.30-44_amd64.deb
- alt-php80-opcache_8.0.30-44_amd64.deb
- alt-php80-pdo_8.0.30-44_amd64.deb
- alt-php80-pgsql_8.0.30-44_amd64.deb
- alt-php80-process_8.0.30-44_amd64.deb
- alt-php80-pspell_8.0.30-44_amd64.deb
- alt-php80-snmp_8.0.30-44_amd64.deb
- alt-php80-soap_8.0.30-44_amd64.deb
- alt-php80-sodium_8.0.30-44_amd64.deb
- alt-php80-tidy_8.0.30-44_amd64.deb
- alt-php80-xml_8.0.30-44_amd64.deb
Notes:
This page is generated automatically and has not been checked for errors. For clarification or corrections please contact the CloudLinux Packaging Team.