[CLSA-2026:1779279912] Fix of 7 CVEs
Type: security
Severity: Critical
Release date: 2026-05-20 12:25:17 UTC
Description:
  * SECURITY UPDATE: soap extension use-after-free via apache:Map duplicate keys
    - debian/patches/php-8.0-CVE-2026-6722.patch: backport upstream commit aee3b3ac9b in ext/soap/php_encoding.c; add Z_TRY_ADDREF_P on soap_add_xml_ref insertion and change SOAP_GLOBAL(ref_map) destructor to ZVAL_PTR_DTOR.
    - CVE-2026-6722
  * SECURITY UPDATE: pdo_firebird SQL injection via NUL bytes in quoted strings
    - debian/patches/php-8.0-CVE-2025-14179.patch: backport upstream commit 3f40b65323 in ext/pdo_firebird/firebird_driver.c; replace strncat/strncpy/strcpy in preprocess() and the quoter with memcpy plus explicit length tracking. Adapted to the 8.0 (const char*, size_t) preprocess and quoter signatures.
    - debian/patches/php-8.0-firebird-static-inline-classes.patch: build fix required for the CVE-2025-14179 backport to be loadable on Debian. Upstream PHP-8.0.30 declares the pdo_firebird tokenizer helper as `inline char classes(char idx)` without `static`. C99 inline semantics require an external definition when the function is not inlined; nothing in PHP provides one. The Debian build's CFLAGS lacks `-O*` (falls back to gcc's `-O0`), so classes() is emitted as an undefined external reference, and pdo_firebird.so fails to load at runtime with "symbol lookup error: undefined symbol: classes".
    - CVE-2025-14179
  * SECURITY UPDATE: soap extension NULL pointer dereference via apache:Map item missing element
    - debian/patches/php-8.0-CVE-2026-7262.patch: backport upstream commit 79551ab8b1 in ext/soap/php_encoding.c; fix typo'd null check in to_zval_map() (was checking xmlKey, should check xmlValue).
    - CVE-2026-7262
  * SECURITY UPDATE: php-fpm status endpoint XSS via unescaped request_uri
    - debian/patches/php-8.0-CVE-2026-6735.patch: backport upstream commit 99a5ad7441 in sapi/fpm/fpm/fpm_status.c; escape proc->request_uri with php_escape_html_entities_ex() and fix the broken "ENT_HTML_IGNORE_ERRORS & ENT_COMPAT" flag (bitwise-AND of two flag constants evaluates to 0). Adapted to 8.0's single-bool `encode` model (8.0's JSON output branch already writes raw strings; this backport only addresses the HTML/XML XSS the CVE describes).
    - CVE-2026-6735
  * SECURITY UPDATE: mbstring NULL pointer dereference in php_mb_check_encoding() via mb_ereg_search_init()
    - debian/patches/php-8.0-CVE-2026-7259.patch: backport upstream commit 79a054eae0 in ext/mbstring/php_mbregex.c; resolve the mbfl encoding before storing it in MBREX(current_mbctype_mbfl_encoding) and return FAILURE if NULL (encodings supported by Oniguruma but not mbfl such as iso-8859-11, UJIS, KOI8-R).
    - CVE-2026-7259
  * SECURITY UPDATE: soap SoapServer use-after-free after header parsing failure when SOAP_PERSISTENCE_SESSION is set
    - debian/patches/php-8.0-CVE-2026-7261.patch: backport upstream commit db2a7f9348 in ext/soap/soap.c; guard both zval_ptr_dtor(soap_obj) call sites in PHP_METHOD(SoapServer, handle) with "if (service->soap_class.persistence != SOAP_PERSISTENCE_SESSION)". Adapted to 8.0's fault path (extra efree(fn_name) before each dtor).
    - CVE-2026-7261
  * SECURITY UPDATE: metaphone() signed integer overflow on >INT_MAX input
    - debian/patches/php-8.0-CVE-2026-7568.patch: backport upstream commit 47def8ce1d in ext/standard/metaphone.c; retype w_idx and Lookahead's how_far/idx from int to size_t to avoid signed overflow while walking strings larger than 2 GB on 64-bit builds.
    - CVE-2026-7568
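The pdo_firebird entry above replaces C string functions with memcpy plus explicit length tracking. The following added example illustrates why that matters; it is not code from PHP or from the CloudLinux patches. The quoter functions, their names and the sample input are constructed for illustration.

```c
#include <stdio.h>
#include <string.h>
static const char SAMPLE[] = "a\0b'c";  /* constructed: NUL, then a quote */
#define SAMPLE_LEN (sizeof(SAMPLE) - 1)

/* Hypothetical quoter on C string functions: strchr()/strncpy() stop at NUL. */
size_t quote_cstr(const char *in, size_t len, char *out)
{
    size_t o = 0;
    const char *l = in, *r;
    out[o++] = '\'';
    while ((r = strchr(l, '\'')) != NULL) {   /* scan ends at the NUL */
        size_t n = (size_t)(r - l) + 1;
        strncpy(out + o, l, n);
        o += n;
        out[o++] = '\'';                      /* double the quote */
        l = r + 1;
    }
    size_t rest = len - (size_t)(l - in);
    strncpy(out + o, l, rest);   /* copies up to the NUL, zero-fills the rest */
    o += rest;
    out[o++] = '\'';
    return o;
}

/* Same quoter with memchr()/memcpy() and explicit length tracking. */
size_t quote_len(const char *in, size_t len, char *out)
{
    size_t o = 0;
    const char *l = in, *end = in + len, *r;
    out[o++] = '\'';
    while ((r = memchr(l, '\'', (size_t)(end - l))) != NULL) {
        size_t n = (size_t)(r - l) + 1;
        memcpy(out + o, l, n);
        o += n;
        out[o++] = '\'';
        l = r + 1;
    }
    memcpy(out + o, l, (size_t)(end - l));
    o += (size_t)(end - l);
    out[o++] = '\'';
    return o;
}

int main(void) {
    char a[32], b[32];
    printf("cstr=%zu len=%zu\n", quote_cstr(SAMPLE, SAMPLE_LEN, a), quote_len(SAMPLE, SAMPLE_LEN, b));
    return 0;
}
```

On the constructed input, the string-function version never sees the quote after the NUL and zero-fills the tail, while the length-tracked version preserves every byte and doubles the quote.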
Updated packages:
  • alt-php80_8.0.30-44_amd64.deb
    sha:9ee52d41735b343e3ffc236ca33b31e55b36007b
  • alt-php80-bcmath_8.0.30-44_amd64.deb
    sha:5e4927b92e6dd197353c85145582631b85ec5334
  • alt-php80-cli_8.0.30-44_amd64.deb
    sha:bff07e0d8291726f34e73b1512302d93c5e0fdf9
  • alt-php80-common_8.0.30-44_amd64.deb
    sha:6270300c07c64c2b1db1c67eca13827715ef4125
  • alt-php80-dba_8.0.30-44_amd64.deb
    sha:e0eb6949c8b28f31b16ec9d2c5b9b5a9e847d3a6
  • alt-php80-dev_8.0.30-44_amd64.deb
    sha:75d2d29260ec25923878604d60b953da273adbb3
  • alt-php80-enchant_8.0.30-44_amd64.deb
    sha:aad403e0d917b499a12449c4c56ad29f5089b2fe
  • alt-php80-firebird_8.0.30-44_amd64.deb
    sha:919a65ce2741c43e93464a6fb11ce7ce65637264
  • alt-php80-fpm_8.0.30-44_amd64.deb
    sha:d40283fac35c03a098a8f03795da7db9bd1228bf
  • alt-php80-gd_8.0.30-44_amd64.deb
    sha:faac64aa52395370d6d31d8428d19f3ee2023769
  • alt-php80-imap_8.0.30-44_amd64.deb
    sha:fd0b75883fceca2b1f10773b15e7e07c043a771c
  • alt-php80-intl_8.0.30-44_amd64.deb
    sha:def3914fe6ef6a192532914497cfaaa974badeb4
  • alt-php80-ldap_8.0.30-44_amd64.deb
    sha:8947dc3d49d6ee8a5aba6c7e572a4055dc45966b
  • alt-php80-mbstring_8.0.30-44_amd64.deb
    sha:6fe93ada56d43e3bf18509bf0fca829032fbb7a6
  • alt-php80-mysqlnd_8.0.30-44_amd64.deb
    sha:d178c514e14a88454752a4adbb740ed09cdfaefc
  • alt-php80-odbc_8.0.30-44_amd64.deb
    sha:7d4e67c1da4939be7fe0976d8888b7568e44136d
  • alt-php80-opcache_8.0.30-44_amd64.deb
    sha:0b53d6603bc57938a7c2bbf275d7306cc05e9c0a
  • alt-php80-pdo_8.0.30-44_amd64.deb
    sha:e497bc4fc70301e512bf012f7de73196761c6173
  • alt-php80-pgsql_8.0.30-44_amd64.deb
    sha:cd700640c531aa320ad64d9fedb8d6a196aca32a
  • alt-php80-process_8.0.30-44_amd64.deb
    sha:3e3b2f2af1676c5a9a7be1b52e8d097a13fdd9cd
  • alt-php80-pspell_8.0.30-44_amd64.deb
    sha:907dbfdd215687891ca6ab06cb7f1e7ca8987fd8
  • alt-php80-snmp_8.0.30-44_amd64.deb
    sha:af2c842ea3808ec74a377abf24063cec780dee5b
  • alt-php80-soap_8.0.30-44_amd64.deb
    sha:561295d470048bafe1a7c8204d18c6da0b9d1120
  • alt-php80-sodium_8.0.30-44_amd64.deb
    sha:8f1f12a2d5152e6aef2de26a23aa5005d683784d
  • alt-php80-tidy_8.0.30-44_amd64.deb
    sha:82c64afd3ce35c644f08ded90674903b95cce5d4
  • alt-php80-xml_8.0.30-44_amd64.deb
    sha:097d745abc72a44cb37c381d02ae214b968d4d8c
  • alt-php80_8.0.30-44_arm64.deb
    sha:2550a536078d944fbbb1d8084a23ec85aa1336d4
  • alt-php80-bcmath_8.0.30-44_arm64.deb
    sha:566d7654f5968d5af47a896254c1d6c8b4f0a5e9
  • alt-php80-cli_8.0.30-44_arm64.deb
    sha:907caa9fd405438df6fb74544a5a0e8204027cdb
  • alt-php80-common_8.0.30-44_arm64.deb
    sha:8662b3f62f1c4a7798277d7d0f737a6c3a99fabd
  • alt-php80-dba_8.0.30-44_arm64.deb
    sha:c9465ac196d57c1e1cdfd9017bcea1c0f24b5da9
  • alt-php80-dev_8.0.30-44_arm64.deb
    sha:1063be469fe015b1b2edafa18d2e67ec5d696b40
  • alt-php80-enchant_8.0.30-44_arm64.deb
    sha:90a6ca8057f0e454cf24d0356af3b0f76a935cca
  • alt-php80-firebird_8.0.30-44_arm64.deb
    sha:69f141efce4c653bdcdd910db70cfee1e569db4a
  • alt-php80-fpm_8.0.30-44_arm64.deb
    sha:a4496f02b83014e0fad8c9594de30fea402949aa
  • alt-php80-gd_8.0.30-44_arm64.deb
    sha:2b9ce048da300ddd2a9fe3380f43a861fcbe041c
  • alt-php80-imap_8.0.30-44_arm64.deb
    sha:3b403d69748761f902be91fa0ba2fe9b1fcc46c7
  • alt-php80-intl_8.0.30-44_arm64.deb
    sha:db849af6093276f17756c1a43f2d3755c3ad169b
  • alt-php80-ldap_8.0.30-44_arm64.deb
    sha:1f678b9ba18a08850c77a33926e94af40d4f8aab
  • alt-php80-mbstring_8.0.30-44_arm64.deb
    sha:26ca7c064d0da1c362ef4407b3c343414eee6dba
  • alt-php80-mysqlnd_8.0.30-44_arm64.deb
    sha:176c123f533288a979fde86ba0bb3cbd40b74f00
  • alt-php80-odbc_8.0.30-44_arm64.deb
    sha:96372577e4a44b032229d1bbe2abb51692d968e5
  • alt-php80-opcache_8.0.30-44_arm64.deb
    sha:dd6bf1337416560fe559ee8c30d96f4a2d357c21
  • alt-php80-pdo_8.0.30-44_arm64.deb
    sha:b63674d8b08408cc5ad8cc61dbb4d2d3f724db11
  • alt-php80-pgsql_8.0.30-44_arm64.deb
    sha:3100507a59284177e06772abecb479ecb7fa3210
  • alt-php80-process_8.0.30-44_arm64.deb
    sha:313c96a2c8fcf004034db49ec64ff6b531f65f53
  • alt-php80-pspell_8.0.30-44_arm64.deb
    sha:15ac53625d521d56a08a175c5e6347b5a5dd7e18
  • alt-php80-snmp_8.0.30-44_arm64.deb
    sha:7c854cdc9262e689e9e9ef2ff538db3b6f5b0e21
  • alt-php80-soap_8.0.30-44_arm64.deb
    sha:77087f9310687366cdd72280b35c111a5f36118a
  • alt-php80-sodium_8.0.30-44_arm64.deb
    sha:0ed924beff2c3ec3b6e43a6f3565341757a0fc86
  • alt-php80-tidy_8.0.30-44_arm64.deb
    sha:519171c15c7f5a2046ad12ef94197182e63afd9d
  • alt-php80-xml_8.0.30-44_arm64.deb
    sha:c0b754878f8005b6cc80a2fef8488029e37fd5d1
Notes:
This page is generated automatically and has not been checked for errors. For clarification or corrections please contact the CloudLinux Packaging Team.