UbuntuUpdates.org

Package "php8.5-intl"

Name: php8.5-intl

Description:

Internationalisation module for PHP

Latest version: 8.5.4-0ubuntu1.1
Release: resolute (26.04)
Level: security
Repository: universe
Head package: php8.5
Homepage: http://www.php.net/

Other versions of "php8.5-intl" in Resolute

No other version of this package is available in the Resolute release.

Changelog

Version: 8.5.4-0ubuntu1.1 2026-05-28 15:07:52 UTC

  php8.5 (8.5.4-0ubuntu1.1) resolute-security; urgency=medium

  * SECURITY UPDATE: SQL injection in PDO Firebird driver
    - debian/patches/CVE-2025-14179.patch: GHSA-w476-322c-wpvm: [pdo_firebird]
      Fix SQL injection via NUL bytes in quoted strings in
      ext/pdo_firebird/firebird_driver.c,
      ext/pdo_firebird/tests/ghsa-w476-322c-wpvm.phpt.
    - CVE-2025-14179
  * SECURITY UPDATE: out-of-bounds read via NUL byte
    - debian/patches/CVE-2026-6104.patch: GHSA-74r9-qxhc-fx53: [mbstring] Fix
      out-of-bounds access in mbfl_name2encoding_ex() in
      ext/mbstring/libmbfl/mbfl/mbfl_encoding.c,
      ext/mbstring/tests/GHSA-74r9-qxhc-fx53.phpt.
    - CVE-2026-6104
  * SECURITY UPDATE: use-after-free in SOAP extension
    - debian/patches/CVE-2026-6722.patch: GHSA-85c2-q967-79q5: [soap] Fix stale
      SOAP_GLOBAL(ref_map) pointer with Apache Map in ext/soap/php_encoding.c,
      ext/soap/tests/GHSA-85c2-q967-79q5.phpt.
    - CVE-2026-6722
  * SECURITY UPDATE: XSS via incorrect sanitization
    - debian/patches/CVE-2026-6735.patch: GHSA-7qg2-v9fj-4mwv: [fpm] XSS within
      status endpoint in sapi/fpm/fpm/fpm_status.c,
      sapi/fpm/tests/ghsa-7qg2-v9fj-4mwv-status-xss.phpt.
    - CVE-2026-6735
  * SECURITY UPDATE: DoS via passing signed chars
    - debian/patches/CVE-2026-7258.patch: GHSA-m8rr-4c36-8gq4: Consistently pass
      unsigned char to ctype.h functions in Zend/zend_compile.c,
      Zend/zend_ini.c, Zend/zend_operators.c, Zend/zend_virtual_cwd.c,
      Zend/zend_virtual_cwd.h, ext/com_dotnet/com_extension.c,
      ext/date/lib/parse_date.c, ext/date/lib/parse_date.re,
      ext/date/lib/parse_iso_intervals.c, ext/date/lib/parse_iso_intervals.re,
      ext/date/lib/timelib.c, ext/filter/logical_filters.c, ext/ftp/ftp.c,
      ext/gd/libgd/gd_xbm.c, ext/gmp/gmp.c, ext/intl/locale/locale_methods.cpp,
      ext/mbstring/mbstring.c, ext/mbstring/php_mbregex.c, ext/pcre/php_pcre.c,
      ext/pdo/pdo.c, ext/pdo/pdo_sql_parser.re, ext/standard/dl.c,
      ext/standard/exec.c, ext/standard/file.c, ext/standard/filters.c,
      ext/standard/formatted_print.c, ext/standard/ftp_fopen_wrapper.c,
      ext/standard/html.c, ext/standard/math.c, ext/standard/metaphone.c,
      ext/standard/quot_print.c, ext/standard/scanf.c, ext/standard/soundex.c,
      ext/standard/string.c, ext/standard/strnatcmp.c, ext/standard/type.c,
      ext/standard/url.c, ext/standard/url_scanner_ex.re,
      ext/standard/versioning.c, main/SAPI.c, main/fopen_wrappers.c,
      main/php_ini.c, main/php_ini_builder.c, main/php_variables.c,
      main/rfc1867.c, main/snprintf.c, main/spprintf.c, main/streams/streams.c,
      main/streams/transports.c, sapi/cli/php_cli_server.c,
      sapi/fpm/fpm/fpm_conf.c, sapi/litespeed/lsapi_main.c,
      sapi/litespeed/lsapilib.c, sapi/phpdbg/phpdbg_cmd.c,
      sapi/phpdbg/phpdbg_prompt.c, sapi/phpdbg/phpdbg_utils.c, win32/sendmail.c.
    - CVE-2026-7258
  * SECURITY UPDATE: null pointer dereference via encoding lists mismatch
    - debian/patches/CVE-2026-7259.patch: GHSA-wm6j-2649-pv75: [mbstring] Fix
      null pointer dereference in php_mb_check_encoding() via
      mb_ereg_search_init() in Zend/tests/GHSA-wm6j-2649-pv75.phpt,
      ext/mbstring/php_mbregex.c.
    - CVE-2026-7259
  * SECURITY UPDATE: use-after-free in SOAP persistence handling
    - debian/patches/CVE-2026-7261.patch: GHSA-m33r-qmcv-p97q: [soap] Fix use-
      after-free after header parsing failure with SOAP_PERSISTENCE_SESSION in
      ext/soap/soap.c, ext/soap/tests/GHSA-m33r-qmcv-p97q.phpt.
    - CVE-2026-7261
  * SECURITY UPDATE: null pointer dereference in SOAP decoding process
    - debian/patches/CVE-2026-7262.patch: GHSA-hmxp-6pc4-f3vv: [soap] Fix broken
      Apache map value NULL check in ext/soap/php_encoding.c,
      ext/soap/tests/GHSA-hmxp-6pc4-f3vv.phpt.
    - CVE-2026-7262
  * SECURITY UPDATE: DoS via DOMNode::C14N() xml processing
    - debian/patches/CVE-2026-7263.patch: Fix GH-21548: Dom\XMLDocument::C14N()
      emits duplicate xmlns declarations after setAttributeNS(). in NEWS,
      ext/dom/node.c, ext/dom/tests/modern/xml/gh21548.phpt.
    - CVE-2026-7263
  * SECURITY UPDATE: integer overflow in metaphone
    - debian/patches/CVE-2026-7568.patch: GHSA-96wq-48vp-hh57: [metaphone] Fix
      signed integer overflow of char array offset in ext/standard/metaphone.c,
      ext/standard/tests/GHSA-96wq-48vp-hh57.phpt.
    - CVE-2026-7568

 -- Marc Deslauriers <email address hidden> Mon, 25 May 2026 08:19:37 -0400

CVE-2025-14179 In PHP versions 8.2.* before 8.2.31, 8.3.* before 8.3.31, 8.4.* before 8.4.21, and 8.5.* before 8.5.6, the PDO Firebird driver improperly handles NUL
CVE-2026-6104 In PHP versions 8.4.* before 8.4.21 and 8.5.* before 8.5.6, when an encoding name containing an embedded NUL byte is passed to mb_convert_encoding()
CVE-2026-6722 In PHP versions 8.2.* before 8.2.31, 8.3.* before 8.3.31, 8.4.* before 8.4.21, and 8.5.* before 8.5.6, the SOAP extension's object deduplication mech
CVE-2026-6735 In PHP versions 8.2.* before 8.2.31, 8.3.* before 8.3.31, 8.4.* before 8.4.21, 8.5.* before 8.5.6, due to improper sanitation of user data, it allows
CVE-2026-7258 In PHP versions 8.2.* before 8.2.31, 8.3.* before 8.3.31, 8.4.* before 8.4.21, and 8.5.* before 8.5.6, some functions, including urldecode(), pass si
CVE-2026-7259 In PHP versions 8.2.* before 8.2.31, 8.3.* before 8.3.31, 8.4.* before 8.4.21, and 8.5.* before 8.5.6, a mismatch between encoding lists in Oniguruma
CVE-2026-7261 In PHP versions 8.2.* before 8.2.31, 8.3.* before 8.3.31, 8.4.* before 8.4.21, and 8.5.* before 8.5.6, when SoapServer is configured with SOAP_PERSIS
CVE-2026-7262 In PHP versions 8.2.* before 8.2.31, 8.3.* before 8.3.31, 8.4.* before 8.4.21, and 8.5.* before 8.5.6, when a SOAP server has a typemap configured, t
CVE-2026-7263 In PHP versions 8.4.* before 8.4.21 and 8.5.* before 8.5.6, DOMNode::C14N() method may process the XML data incorrectly, causing a circular linked li
CVE-2026-7568 In PHP versions 8.2.* before 8.2.31, 8.3.* before 8.3.31, 8.4.* before 8.4.21, and 8.5.* before 8.5.6, the metaphone() function in ext/standard/metap


