[CLSA-2026:1779455502] Fix of 5 CVEs
Type: security
Severity: Critical
Release date: 2026-05-22 13:11:49 UTC
Description:
* SECURITY UPDATE: soap extension use-after-free via apache:Map duplicate keys
  - debian/patches/php-7.1-CVE-2026-6722.patch: backport upstream commit aee3b3ac9b in ext/soap/php_encoding.c — add Z_TRY_ADDREF_P on soap_add_xml_ref insertion and change SOAP_GLOBAL(ref_map) destructor to ZVAL_PTR_DTOR.
  - CVE-2026-6722
* SECURITY UPDATE: soap extension NULL pointer dereference via apache:Map item missing element
  - debian/patches/php-7.1-CVE-2026-7262.patch: backport upstream commit 79551ab8b1 in ext/soap/php_encoding.c — fix typo'd null check in to_zval_map() (was checking xmlKey, should check xmlValue).
  - CVE-2026-7262
* SECURITY UPDATE: php-fpm status endpoint XSS via unescaped request_uri
  - debian/patches/php-7.1-CVE-2026-6735.patch: backport upstream commit 99a5ad7441 in sapi/fpm/fpm/fpm_status.c — escape proc.request_uri with php_escape_html_entities_ex() and fix the broken "ENT_HTML_IGNORE_ERRORS & ENT_COMPAT" flag (bitwise-AND of two flag constants evaluates to 0). Adapted to 7.x layout (struct access "proc.X", single encode flag, older 6-arg php_escape_html_entities_ex signature).
  - CVE-2026-6735
* SECURITY UPDATE: soap SoapServer use-after-free after header parsing failure when SOAP_PERSISTENCE_SESSION is set
  - debian/patches/php-7.1-CVE-2026-7261.patch: backport upstream commit db2a7f9348 in ext/soap/soap.c — guard both zval_ptr_dtor(soap_obj) call sites in PHP_METHOD(SoapServer, handle) with "if (service->soap_class.persistence != SOAP_PERSISTENCE_SESSION)".
  - CVE-2026-7261
* SECURITY UPDATE: metaphone() signed integer overflow on >INT_MAX input
  - debian/patches/php-7.1-CVE-2026-7568.patch: backport upstream commit 47def8ce1d in ext/standard/metaphone.c — retype w_idx and Lookahead's how_far/idx from int to size_t to avoid signed overflow while walking strings larger than 2 GB on 64-bit builds.
  - CVE-2026-7568
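The flag defect named in the CVE-2026-6735 entry, as an added C example that is not the PHP patch or PHP source: ANDing two distinct single-bit flags yields 0, so an escaper that tests for the quote bit never sees it. The constant values are stand-ins assumed for this example, and `escape_html`, `broken_mask` and `combined_mask` are hypothetical names; the sample URI is constructed.

```c
#include <stdio.h>
#include <string.h>

/* Stand-in flag values (assumed for this example, each a distinct single bit). */
#define ENT_HTML_QUOTE_DOUBLE  2
#define ENT_HTML_IGNORE_ERRORS 4
#define ENT_COMPAT             ENT_HTML_QUOTE_DOUBLE

/* The expression quoted in the advisory: no common bit, so the mask is 0. */
int broken_mask(void)   { return ENT_HTML_IGNORE_ERRORS & ENT_COMPAT; }
/* Combining flags needs OR; both bits survive. */
int combined_mask(void) { return ENT_HTML_IGNORE_ERRORS | ENT_COMPAT; }

/* Hypothetical minimal escaper: always escapes & < >, and escapes '"'
 * only when the double-quote bit is present in flags.
 * Truncates instead of overflowing; returns bytes written (without NUL). */
size_t escape_html(const char *in, char *out, size_t cap, int flags)
{
    size_t n = 0;
    if (cap == 0) return 0;
    for (; *in; in++) {
        const char *rep = NULL;
        switch (*in) {
        case '&': rep = "&amp;"; break;
        case '<': rep = "&lt;";  break;
        case '>': rep = "&gt;";  break;
        case '"': if (flags & ENT_HTML_QUOTE_DOUBLE) rep = "&quot;"; break;
        }
        size_t len = rep ? strlen(rep) : 1;
        if (n + len >= cap) break;          /* keep room for the NUL */
        if (rep) memcpy(out + n, rep, len); else out[n] = *in;
        n += len;
    }
    out[n] = '\0';
    return n;
}

int main(void)
{
    const char *uri = "/a?q=\"x\"&y=<1>";   /* constructed sample request URI */
    char buf[128];
    escape_html(uri, buf, sizeof buf, broken_mask());
    printf("mask=%d  %s\n", broken_mask(), buf);
    escape_html(uri, buf, sizeof buf, combined_mask());
    printf("mask=%d  %s\n", combined_mask(), buf);
    return 0;
}
```

A code-review check that follows from this: any `FLAG_A & FLAG_B` between two named flag constants in an argument position is almost always a mistyped `|`.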
Updated packages:
  • alt-php71_7.1.33-90_amd64.deb
  • alt-php71-bcmath_7.1.33-90_amd64.deb
  • alt-php71-cli_7.1.33-90_amd64.deb
  • alt-php71-common_7.1.33-90_amd64.deb
  • alt-php71-dba_7.1.33-90_amd64.deb
  • alt-php71-dev_7.1.33-90_amd64.deb
  • alt-php71-enchant_7.1.33-90_amd64.deb
  • alt-php71-firebird_7.1.33-90_amd64.deb
  • alt-php71-fpm_7.1.33-90_amd64.deb
  • alt-php71-gd_7.1.33-90_amd64.deb
  • alt-php71-imap_7.1.33-90_amd64.deb
  • alt-php71-intl_7.1.33-90_amd64.deb
  • alt-php71-ldap_7.1.33-90_amd64.deb
  • alt-php71-mbstring_7.1.33-90_amd64.deb
  • alt-php71-mcrypt_7.1.33-90_amd64.deb
  • alt-php71-mysqlnd_7.1.33-90_amd64.deb
  • alt-php71-odbc_7.1.33-90_amd64.deb
  • alt-php71-opcache_7.1.33-90_amd64.deb
  • alt-php71-pdo_7.1.33-90_amd64.deb
  • alt-php71-pgsql_7.1.33-90_amd64.deb
  • alt-php71-process_7.1.33-90_amd64.deb
  • alt-php71-pspell_7.1.33-90_amd64.deb
  • alt-php71-recode_7.1.33-90_amd64.deb
  • alt-php71-snmp_7.1.33-90_amd64.deb
  • alt-php71-soap_7.1.33-90_amd64.deb
  • alt-php71-tidy_7.1.33-90_amd64.deb
  • alt-php71-xml_7.1.33-90_amd64.deb
  • alt-php71-xmlrpc_7.1.33-90_amd64.deb
Notes:
This page is generated automatically and has not been checked for errors. For clarification or corrections please contact the CloudLinux Packaging Team.