[CLSA-2026:1779355498] Fix of 7 CVEs
Type: security
Severity: Critical
Release date: 2026-05-21 09:25:03 UTC
Description:
* SECURITY UPDATE: soap extension use-after-free via apache:Map duplicate keys
  - debian/patches/php-8.0-CVE-2026-6722.patch: backport upstream commit aee3b3ac9b in ext/soap/php_encoding.c: add Z_TRY_ADDREF_P on soap_add_xml_ref insertion and change SOAP_GLOBAL(ref_map) destructor to ZVAL_PTR_DTOR.
  - CVE-2026-6722
* SECURITY UPDATE: pdo_firebird SQL injection via NUL bytes in quoted strings
  - debian/patches/php-8.0-CVE-2025-14179.patch: backport upstream commit 3f40b65323 in ext/pdo_firebird/firebird_driver.c: replace strncat/strncpy/strcpy in preprocess() and the quoter with memcpy plus explicit length tracking. Adapted to the 8.0 (const char*, size_t) preprocess and quoter signatures.
  - debian/patches/php-8.0-firebird-static-inline-classes.patch: build fix required for the CVE-2025-14179 backport to be loadable on Debian. Upstream PHP-8.0.30 declares the pdo_firebird tokenizer helper as `inline char classes(char idx)` without `static`. C99 inline semantics require an external definition when the function is not inlined; nothing in PHP provides one. The Debian build's CFLAGS lacks `-O*` (falls back to gcc's `-O0`), so classes() is emitted as an undefined external reference, and pdo_firebird.so fails to load at runtime with "symbol lookup error: undefined symbol: classes".
  - CVE-2025-14179
* SECURITY UPDATE: soap extension NULL pointer dereference via apache:Map item missing element
  - debian/patches/php-8.0-CVE-2026-7262.patch: backport upstream commit 79551ab8b1 in ext/soap/php_encoding.c: fix typo'd null check in to_zval_map() (was checking xmlKey, should check xmlValue).
  - CVE-2026-7262
* SECURITY UPDATE: php-fpm status endpoint XSS via unescaped request_uri
  - debian/patches/php-8.0-CVE-2026-6735.patch: backport upstream commit 99a5ad7441 in sapi/fpm/fpm/fpm_status.c: escape proc->request_uri with php_escape_html_entities_ex() and fix the broken "ENT_HTML_IGNORE_ERRORS & ENT_COMPAT" flag (bitwise-AND of two flag constants evaluates to 0). Adapted to 8.0's single-bool `encode` model (8.0's JSON output branch already writes raw strings; this backport only addresses the HTML/XML XSS the CVE describes).
  - CVE-2026-6735
* SECURITY UPDATE: mbstring NULL pointer dereference in php_mb_check_encoding() via mb_ereg_search_init()
  - debian/patches/php-8.0-CVE-2026-7259.patch: backport upstream commit 79a054eae0 in ext/mbstring/php_mbregex.c: resolve the mbfl encoding before storing it in MBREX(current_mbctype_mbfl_encoding) and return FAILURE if NULL (encodings supported by Oniguruma but not mbfl such as iso-8859-11, UJIS, KOI8-R).
  - CVE-2026-7259
* SECURITY UPDATE: soap SoapServer use-after-free after header parsing failure when SOAP_PERSISTENCE_SESSION is set
  - debian/patches/php-8.0-CVE-2026-7261.patch: backport upstream commit db2a7f9348 in ext/soap/soap.c: guard both zval_ptr_dtor(soap_obj) call sites in PHP_METHOD(SoapServer, handle) with "if (service->soap_class.persistence != SOAP_PERSISTENCE_SESSION)". Adapted to 8.0's fault path (extra efree(fn_name) before each dtor).
  - CVE-2026-7261
* SECURITY UPDATE: metaphone() signed integer overflow on >INT_MAX input
  - debian/patches/php-8.0-CVE-2026-7568.patch: backport upstream commit 47def8ce1d in ext/standard/metaphone.c: retype w_idx and Lookahead's how_far/idx from int to size_t to avoid signed overflow while walking strings larger than 2 GB on 64-bit builds.
  - CVE-2026-7568
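
The pdo_firebird entry above replaces strncat/strncpy/strcpy with memcpy plus explicit length tracking. The following is an added illustration, not the PHP patch or upstream code: two hypothetical quoters (`quote_cstr`, `quote_len`) that double single quotes, run on a constructed input with an embedded NUL, showing how str* functions diverge from the length the caller passed.

```c
#include <stdio.h>
#include <string.h>

/* Constructed sample: 6 bytes with an embedded NUL and a single quote. */
static const char SAMPLE[] = "ab\0c'd";
#define SAMPLE_LEN (sizeof(SAMPLE) - 1)

/* Both quoters write into out, which must hold 2 * in_len + 3 bytes,
 * and return the number of bytes written (excluding the final NUL). */

/* "Before" pattern: C string functions ignore in_len and stop at the NUL. */
static size_t quote_cstr(const char *in, size_t in_len, char *out)
{
    const char *l = in, *r;
    (void)in_len;                              /* never consulted: the defect */
    strcpy(out, "'");
    for (; (r = strchr(l, '\'')) != NULL; l = r + 1) {
        strncat(out, l, (size_t)(r - l) + 1);  /* up to and including the quote */
        strcat(out, "'");                      /* double it */
    }
    strcat(out, l);
    strcat(out, "'");
    return strlen(out);
}

/* "After" pattern: memchr/memcpy bounded by the caller's length. */
static size_t quote_len(const char *in, size_t in_len, char *out)
{
    const char *l = in, *end = in + in_len, *r;
    char *c = out;
    *c++ = '\'';
    for (; (r = memchr(l, '\'', (size_t)(end - l))) != NULL; l = r + 1) {
        size_t n = (size_t)(r - l) + 1;        /* up to and including the quote */
        memcpy(c, l, n);
        c += n;
        *c++ = '\'';                           /* double it */
    }
    memcpy(c, l, (size_t)(end - l));           /* tail after the last quote */
    c += end - l;
    *c++ = '\'';
    *c = '\0';
    return (size_t)(c - out);
}

int main(void)
{
    char a[2 * SAMPLE_LEN + 3], b[2 * SAMPLE_LEN + 3];
    printf("str*: %zu bytes, memcpy: %zu bytes\n",
           quote_cstr(SAMPLE, SAMPLE_LEN, a), quote_len(SAMPLE, SAMPLE_LEN, b));
    return 0;
}
```

The str*-based quoter emits only the bytes before the NUL, so the quote that follows it is never seen or doubled; the length-tracked quoter processes all 6 input bytes.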
Updated packages:
  • alt-php80_8.0.30-44_amd64.deb
    sha:893490e487f3256a966656fa97289290e7a56292
  • alt-php80-bcmath_8.0.30-44_amd64.deb
    sha:ed10d0e3932834cd5fe761882ac9b44f907755f3
  • alt-php80-cli_8.0.30-44_amd64.deb
    sha:be31a5f3deb6ae79521f1919af09494e11440f38
  • alt-php80-common_8.0.30-44_amd64.deb
    sha:a691614753347382b70283f1b809f2fe3b6c68fc
  • alt-php80-dba_8.0.30-44_amd64.deb
    sha:addf32e4781adc869df29a7c9cddbd25f6e2d6fb
  • alt-php80-dev_8.0.30-44_amd64.deb
    sha:bbe231db6218c23d0aba82f1fab6395554cd3ef5
  • alt-php80-enchant_8.0.30-44_amd64.deb
    sha:e4aa971713d2b59d9a43c0866ed835adde3b535b
  • alt-php80-firebird_8.0.30-44_amd64.deb
    sha:ba561266955e0143a7b7657fbc519475849b7e55
  • alt-php80-fpm_8.0.30-44_amd64.deb
    sha:b1948202ac3937665fc9a610ed20e2f0827f2510
  • alt-php80-gd_8.0.30-44_amd64.deb
    sha:42722bb8580bf40449ee9894a394f5b0a8fb4550
  • alt-php80-imap_8.0.30-44_amd64.deb
    sha:dd20c79b0b4003d0ca464a1e3c1d064f6cf7737d
  • alt-php80-intl_8.0.30-44_amd64.deb
    sha:1ae5d81732450a89f4d29651709003ceb59ee40a
  • alt-php80-ldap_8.0.30-44_amd64.deb
    sha:733a351b28fcad3f3958cd88c50649c1df7b0dd7
  • alt-php80-mbstring_8.0.30-44_amd64.deb
    sha:cc60018bae671f331408a219913ca8fc9f4b2569
  • alt-php80-mysqlnd_8.0.30-44_amd64.deb
    sha:6d0b08f3e5eced3f7e9fb2a34ee425b538ddbf12
  • alt-php80-odbc_8.0.30-44_amd64.deb
    sha:61630133f7c49b0cdb9eb75e2977b9684a667ea4
  • alt-php80-opcache_8.0.30-44_amd64.deb
    sha:5f975215fdd44b5bb1aa136283f3bbe4b0581007
  • alt-php80-pdo_8.0.30-44_amd64.deb
    sha:8e97e3fd29bb4346f0240ab59041a58329b9da35
  • alt-php80-pgsql_8.0.30-44_amd64.deb
    sha:913de7705563e9855c6eac17195cde1bba85af20
  • alt-php80-process_8.0.30-44_amd64.deb
    sha:ecfb7b90b57e1a4fa6a7086480d918d3c26ef82f
  • alt-php80-pspell_8.0.30-44_amd64.deb
    sha:960099753e120ccc487f6dd6f086f0c53d7ec918
  • alt-php80-snmp_8.0.30-44_amd64.deb
    sha:e16d47c99fba8a74ff73b07e9657442790f02cf4
  • alt-php80-soap_8.0.30-44_amd64.deb
    sha:5e7752c90898ac1dfd86ed37cc9c094a276e18f4
  • alt-php80-sodium_8.0.30-44_amd64.deb
    sha:0a67eba8cd3f6dbccdb9c2c592f11db9d01dbe67
  • alt-php80-tidy_8.0.30-44_amd64.deb
    sha:bb11b720286f6aebe232726f8386872259c6415e
  • alt-php80-xml_8.0.30-44_amd64.deb
    sha:0570d9a85063eba71bfec2785c62935d5b4bf65f
  • alt-php80_8.0.30-44_arm64.deb
    sha:1ac395ea4fb6afb951ce58f3bef449f56e5f6e8c
  • alt-php80-bcmath_8.0.30-44_arm64.deb
    sha:a4c24faf0a55501dd777ae31d23bbb26ba55593e
  • alt-php80-cli_8.0.30-44_arm64.deb
    sha:16bffbfe6f5a302a194133d20127a4b32f27e040
  • alt-php80-common_8.0.30-44_arm64.deb
    sha:4b865bca5b0ff9b877554cec7741e6f3e0174948
  • alt-php80-dba_8.0.30-44_arm64.deb
    sha:d41ee8a610960f9b212d6d0c8a207cbf2381afd9
  • alt-php80-dev_8.0.30-44_arm64.deb
    sha:58698cb977cd6fb0863787ece4b4509526dba0bd
  • alt-php80-enchant_8.0.30-44_arm64.deb
    sha:9c72d321da6daea8969a88428b96e2c86af24814
  • alt-php80-firebird_8.0.30-44_arm64.deb
    sha:189b83cfe528326428e2c17ccaf32d53d5c9adba
  • alt-php80-fpm_8.0.30-44_arm64.deb
    sha:0982770067fa4de9847ead125215ab6b795a6561
  • alt-php80-gd_8.0.30-44_arm64.deb
    sha:04ee0fbd2530d8bc49a23ab6ae3cdf7324b5431d
  • alt-php80-imap_8.0.30-44_arm64.deb
    sha:015cd1fd363f1c8bb0ebd6c7ea44853af7ba45c9
  • alt-php80-intl_8.0.30-44_arm64.deb
    sha:122f271e7707cbe4fed2ef76da7c2fed9b806f81
  • alt-php80-ldap_8.0.30-44_arm64.deb
    sha:6e66a0fdb11602dba74e3e0a118a47665741ba05
  • alt-php80-mbstring_8.0.30-44_arm64.deb
    sha:757a04475d86757ce14248635ab7b95e41dd42bd
  • alt-php80-mysqlnd_8.0.30-44_arm64.deb
    sha:2a908bc9536a7009e918fb5e722f8346641b93a8
  • alt-php80-odbc_8.0.30-44_arm64.deb
    sha:c59986b9f29fbcd08cca1aae72feec27870e9941
  • alt-php80-opcache_8.0.30-44_arm64.deb
    sha:de05e60ea0a3c951160056afbb445595ec8f3530
  • alt-php80-pdo_8.0.30-44_arm64.deb
    sha:9250b0b4fc7b9540fae885a41a839e4e318c8c3f
  • alt-php80-pgsql_8.0.30-44_arm64.deb
    sha:113e8631badfbba6d17cecb553bc4761f87828d7
  • alt-php80-process_8.0.30-44_arm64.deb
    sha:da6ff8c2736c116657f6d754333bcaaebdfb24f5
  • alt-php80-pspell_8.0.30-44_arm64.deb
    sha:f8f28a17cd7eb816c8829ddcedc33e6eb5d2cb02
  • alt-php80-snmp_8.0.30-44_arm64.deb
    sha:7c351b7f4323f1f4466257da2fd3a628a9334128
  • alt-php80-soap_8.0.30-44_arm64.deb
    sha:69d224033cfc30ef5fcebe1e7eee1aa8be006f4f
  • alt-php80-sodium_8.0.30-44_arm64.deb
    sha:c66cb5fd21af2bf06df149a31f9093df8734c476
  • alt-php80-tidy_8.0.30-44_arm64.deb
    sha:93f2426029466d1acbf32231a4971d33a1b93efa
  • alt-php80-xml_8.0.30-44_arm64.deb
    sha:05287a018245ac2fe1244587dffd64cc13637daf
Notes:
This page is generated automatically and has not been checked for errors. For clarification or corrections please contact the CloudLinux Packaging Team.