[CLSA-2026:1779367656] Fix CVE(s): CVE-2026-6722, CVE-2026-6735, CVE-2026-7261, CVE-2026-7262
Type:
security
Severity:
Critical
Release date:
2026-05-21 12:47:41 UTC
Description:
* SECURITY UPDATE: soap extension use-after-free via apache:Map duplicate keys
  - debian/patches/php-5.5-CVE-2026-6722.patch: backport upstream commit aee3b3ac9b in ext/soap/php_encoding.c — adapt addref/dtor changes to pre-PHP7 zval** SOAP API.
  - Note: the 5.5 backport applies the addref half of the upstream fix only; the matching ref_map destructor change (NULL -> ZVAL_PTR_DTOR) is intentionally omitted because in 5.x ref_map is heterogeneous (stores both xmlNodePtr and zval* entries through the same API) and a ZVAL_PTR_DTOR would corrupt the xmlNodePtr entries. The addref alone closes the UAF; cost is one bounded zval leak per request, released with the emalloc pool at RSHUTDOWN.
  - CVE-2026-6722
* SECURITY UPDATE: soap extension NULL pointer dereference via apache:Map item missing element
  - debian/patches/php-5.5-CVE-2026-7262.patch: backport upstream commit 79551ab8b1 in ext/soap/php_encoding.c — fix typo'd null check in to_zval_map() (was checking xmlKey, should check xmlValue).
  - CVE-2026-7262
* SECURITY UPDATE: soap extension use-after-free after header parsing failure with SOAP_PERSISTENCE_SESSION
  - debian/patches/php-5.5-CVE-2026-7261.patch: backport upstream commit db2a7f9348 in ext/soap/soap.c — wrap both zval_ptr_dtor(&soap_obj) sites in the header-handler failure paths with a persistance!=SOAP_PERSISTENCE_SESSION guard.
  - CVE-2026-7261
* SECURITY UPDATE: php-fpm status endpoint XSS via unescaped request_uri and query_string
  - debian/patches/php-5.5-CVE-2026-6735.patch: backport upstream commit 99a5ad7441 in sapi/fpm/fpm/fpm_status.c — fix bogus `ENT_HTML_IGNORE_ERRORS & ENT_COMPAT` (= 0) flag and add a parallel escape block for request_uri.
  - Note: upstream (PHP 8.x) routes JSON status output through php_json_encode_string(), which is not exported on 5.x. The 5.5 backport therefore applies the same HTML entity escape to both the HTML and JSON paths via the shared request_uri / query_string buffers. Consumers of `/status?json` will now see HTML-entity-encoded bytes in those fields (e.g. `&amp;` instead of `&`); entities decode back to the original byte but JSON consumers must be prepared to handle them.
  - CVE-2026-6735
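The CVE-2026-6735 note above changes what `/status?json` consumers receive. The following is an added example, not code from CloudLinux or PHP: a Python consumer that decodes the escaped field exactly once and re-escapes it for its own HTML output. The `processes` / `request uri` field names, the sample document and the function names are assumptions constructed for illustration.

```python
import html
import json

# Constructed sample of `/status?json&full` output from a patched FPM.
# The "processes" / "request uri" field names are assumed from FPM's full
# status format; they are not quoted in the advisory.
SAMPLE = r'''{"pool":"www","processes":[
 {"pid":101,"request method":"GET","request uri":"/search.php?q=a&amp;b=&lt;x&gt;"},
 {"pid":102,"request method":"GET","request uri":"/doc.php?t=&amp;lt;literal"}
]}'''

# Fields the 5.5 backport HTML-escapes on the JSON path (assumed names).
ESCAPED_FIELDS = ("request uri",)


def decode_status(raw, backend_escapes=True):
    """Parse status JSON and decode entity-escaped fields exactly once.

    Set backend_escapes=False for hosts that still run an unpatched build,
    whose JSON carries the raw bytes and must not be entity-decoded.
    """
    status = json.loads(raw)
    for proc in status.get("processes", []):
        for field in ESCAPED_FIELDS:
            value = proc.get(field)
            if isinstance(value, str) and backend_escapes:
                # Keep the wire form for audit, store the decoded form.
                proc[field + " (wire)"] = value
                proc[field] = html.unescape(value)
    return status


def render_cell(value):
    """Re-escape for our own HTML output; decoded values are untrusted."""
    return "<td>" + html.escape(value, quote=True) + "</td>"


if __name__ == "__main__":
    for proc in decode_status(SAMPLE)["processes"]:
        print(proc["pid"], proc["request uri"], render_cell(proc["request uri"]))
```

Decoding a second time would turn the literal `&lt;` in the second sample URI into `<`, so decode once, and only for hosts running the patched build.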
Updated packages:
  • alt-php55_5.5.38-159_amd64.deb
    sha:fd51435ef73264703c6046003fa11d6194a688dd
  • alt-php55-bcmath_5.5.38-159_amd64.deb
    sha:0aaa50bfa1c031ef8c1a2d28f23c4ceb20fecbc4
  • alt-php55-cli_5.5.38-159_amd64.deb
    sha:1e17f2d8e0311829c63245c085e7120488ac5c52
  • alt-php55-common_5.5.38-159_amd64.deb
    sha:afd250284f985fbdcabc865259ca729ecece8e05
  • alt-php55-dba_5.5.38-159_amd64.deb
    sha:f157aa455fc8b90f4eb641ef29c168cd58ce3563
  • alt-php55-dbx_5.5.38-159_amd64.deb
    sha:22960a327b6753678ec49137246459690de5d3ff
  • alt-php55-dev_5.5.38-159_amd64.deb
    sha:9ba07a8394548e8e75373725d2a13789acadfd2b
  • alt-php55-enchant_5.5.38-159_amd64.deb
    sha:15a6ae91f665200fa326c514285338b9dcd8fd49
  • alt-php55-firebird_5.5.38-159_amd64.deb
    sha:eb9d50e63caa4824bb21f7291f8af13ebb9f6e3a
  • alt-php55-fpm_5.5.38-159_amd64.deb
    sha:1f4592d842003e1cbb9d17b532a632a5e494b373
  • alt-php55-gd_5.5.38-159_amd64.deb
    sha:1d2e1eb430e58e8944df9405330a89c796b98336
  • alt-php55-imap_5.5.38-159_amd64.deb
    sha:f19d1db4f5a8d943daf4de96c0f8e5d101e5784b
  • alt-php55-intl_5.5.38-159_amd64.deb
    sha:2314effd807a23be6d1c18bf0109a3c83a1d2f77
  • alt-php55-ldap_5.5.38-159_amd64.deb
    sha:e92a46ddd2b6d8e5b0750e0f05b9e4e8e771b5e8
  • alt-php55-mbstring_5.5.38-159_amd64.deb
    sha:91c692d17162fefd5f9b01c47d9096fb11f4919f
  • alt-php55-mcrypt_5.5.38-159_amd64.deb
    sha:efa3b60b94551e586ec18bd71b3ce9a004d43ddd
  • alt-php55-mssql_5.5.38-159_amd64.deb
    sha:3c97fcbf894d58fc902bc34108c84faf84c266d5
  • alt-php55-mysqlnd_5.5.38-159_amd64.deb
    sha:0412ff22325c5d55dcc24ff64c1d781e900a41ab
  • alt-php55-odbc_5.5.38-159_amd64.deb
    sha:5791fd42d6734ab2a6b2e2ae198315e7c1a2f9d5
  • alt-php55-pdo_5.5.38-159_amd64.deb
    sha:83dc70389d3845aa3ced4469625e9ef77b447682
  • alt-php55-pgsql_5.5.38-159_amd64.deb
    sha:c1091085ff886ca9c2b8328995a9825d1164af6a
  • alt-php55-process_5.5.38-159_amd64.deb
    sha:e298429e9118c75c516633994f70274e942c4e67
  • alt-php55-pspell_5.5.38-159_amd64.deb
    sha:5c90ab5ab714e454d6db25b38a77faac10072d0a
  • alt-php55-recode_5.5.38-159_amd64.deb
    sha:5824a0dc71cfc3cfa5f19fa6b64fdce7d365202c
  • alt-php55-snmp_5.5.38-159_amd64.deb
    sha:f45106925bc0f0613c04e974ffffff078c9d4299
  • alt-php55-soap_5.5.38-159_amd64.deb
    sha:dd9e54a4dc065359817f87371dc3740de81b2c45
  • alt-php55-sybase_5.5.38-159_amd64.deb
    sha:271f907d6f53a25aa518aa25e8ede404e4255973
  • alt-php55-tidy_5.5.38-159_amd64.deb
    sha:0a5c5195b815d948444dcb861b19a58383a5983e
  • alt-php55-xml_5.5.38-159_amd64.deb
    sha:3f59f563acccea423b4228135a5c2dd4e07f4f1a
  • alt-php55-xmlrpc_5.5.38-159_amd64.deb
    sha:08b33f54b634b090bb5bc1a7625e0b90e2e25586
Notes:
This page is generated automatically and has not been checked for errors. For clarification or corrections please contact the CloudLinux Packaging Team.