[CLSA-2026:1779456069] Fix of 5 CVEs
Type:
security
Severity:
Critical
Release date:
2026-05-22 13:21:15 UTC
Description:
* SECURITY UPDATE: soap extension use-after-free via apache:Map duplicate keys - debian/patches/php-7.0-CVE-2026-6722.patch: backport upstream commit aee3b3ac9b in ext/soap/php_encoding.c — add Z_TRY_ADDREF_P on soap_add_xml_ref insertion and change SOAP_GLOBAL(ref_map) destructor to ZVAL_PTR_DTOR. - CVE-2026-6722 * SECURITY UPDATE: soap extension NULL pointer dereference via apache:Map item missing element - debian/patches/php-7.0-CVE-2026-7262.patch: backport upstream commit 79551ab8b1 in ext/soap/php_encoding.c — fix typo'd null check in to_zval_map() (was checking xmlKey, should check xmlValue). - CVE-2026-7262 * SECURITY UPDATE: php-fpm status endpoint XSS via unescaped request_uri - debian/patches/php-7.0-CVE-2026-6735.patch: backport upstream commit 99a5ad7441 in sapi/fpm/fpm/fpm_status.c — escape proc.request_uri with php_escape_html_entities_ex() and fix the broken "ENT_HTML_IGNORE_ERRORS & ENT_COMPAT" flag (bitwise-AND of two flag constants evaluates to 0). Adapted to 7.x layout (struct access "proc.X", single encode flag, older 6-arg php_escape_html_entities_ex signature). - CVE-2026-6735 * SECURITY UPDATE: soap SoapServer use-after-free after header parsing failure when SOAP_PERSISTENCE_SESSION is set - debian/patches/php-7.0-CVE-2026-7261.patch: backport upstream commit db2a7f9348 in ext/soap/soap.c — guard both zval_ptr_dtor(soap_obj) call sites in PHP_METHOD(SoapServer, handle) with "if (service->soap_class.persistence != SOAP_PERSISTENCE_SESSION)". - CVE-2026-7261 * SECURITY UPDATE: metaphone() signed integer overflow on >INT_MAX input - debian/patches/php-7.0-CVE-2026-7568.patch: backport upstream commit 47def8ce1d in ext/standard/metaphone.c — retype w_idx and Lookahead's how_far/idx from int to size_t to avoid signed overflow while walking strings larger than 2 GB on 64-bit builds. - CVE-2026-7568
Updated packages:
  • alt-php70_7.0.33-124_amd64.deb
    sha:fc77a9738ca6fe1fd0dae93e7feeea75d156b8c2
  • alt-php70-bcmath_7.0.33-124_amd64.deb
    sha:722f5b2ccd9776a3dee2c139073759191b64242c
  • alt-php70-cli_7.0.33-124_amd64.deb
    sha:9e09f6e010d1a633a6eb5acc458b7fba7cb8ee0a
  • alt-php70-common_7.0.33-124_amd64.deb
    sha:f59e4bd825b5f8000c4e78717ba4893914d4d052
  • alt-php70-dba_7.0.33-124_amd64.deb
    sha:fc95bbd746e5ea34ab1dcd204306acabf38dce66
  • alt-php70-dev_7.0.33-124_amd64.deb
    sha:39705246fa76e77bebbe73badb85fd60759e467f
  • alt-php70-enchant_7.0.33-124_amd64.deb
    sha:1e485b546df89950db1918b79331e6f71ecfb802
  • alt-php70-firebird_7.0.33-124_amd64.deb
    sha:fe4dcd57fbdbacd11975ff2c96c0492da2feb460
  • alt-php70-fpm_7.0.33-124_amd64.deb
    sha:bf4fdae7cea4511e687cdf1309f95cedd6b296ec
  • alt-php70-gd_7.0.33-124_amd64.deb
    sha:70f144d940b3d5227fef829374cc9d47a610cabb
  • alt-php70-imap_7.0.33-124_amd64.deb
    sha:a1ee2264c4b9deebc567500ff917524c8f2f1efc
  • alt-php70-intl_7.0.33-124_amd64.deb
    sha:5665e09815cfbcacca4b278a10636210c13d7cbb
  • alt-php70-ldap_7.0.33-124_amd64.deb
    sha:9f265d226e962ac2b30e944199708b5dcdbb7349
  • alt-php70-mbstring_7.0.33-124_amd64.deb
    sha:399ea5f74f40f1f07becae9d4deb47054bac28ad
  • alt-php70-mcrypt_7.0.33-124_amd64.deb
    sha:fdfeed88aa39b1b575cf50b8f8e2dd9291b365fc
  • alt-php70-mysqlnd_7.0.33-124_amd64.deb
    sha:6f8f17ed673bb369d66f89d58851db854d0e7ac6
  • alt-php70-odbc_7.0.33-124_amd64.deb
    sha:c8a42c92e751c6f1b352fd8adfedc61c7561fd9c
  • alt-php70-opcache_7.0.33-124_amd64.deb
    sha:564f2d8ab399971f1a67e787c4ff4547601fc812
  • alt-php70-pdo_7.0.33-124_amd64.deb
    sha:0a1f6aa9d871a7d0d5bd047454518e99c09453e0
  • alt-php70-pgsql_7.0.33-124_amd64.deb
    sha:785d5622dae7d95b43ff2394e27708e726bff8cd
  • alt-php70-process_7.0.33-124_amd64.deb
    sha:53020aa6589c67259b319f7620961ae4c3fb1295
  • alt-php70-pspell_7.0.33-124_amd64.deb
    sha:d071896f0aa070635c93c42fc5b0ee21197e046c
  • alt-php70-recode_7.0.33-124_amd64.deb
    sha:f9356f4d71fc364af4f709e004cffb79a216ac20
  • alt-php70-snmp_7.0.33-124_amd64.deb
    sha:dd94257b8b63ecaaeb7f39e2988da64e9bd35d72
  • alt-php70-soap_7.0.33-124_amd64.deb
    sha:b6e714658207f3f6b1355451c7f6a6b357e13493
  • alt-php70-tidy_7.0.33-124_amd64.deb
    sha:191a3ab7e53e3880c19d0e2618c702579f3ecaac
  • alt-php70-xml_7.0.33-124_amd64.deb
    sha:582bfc7f85740fdd8e4116d5817be0e3700c8c73
  • alt-php70-xmlrpc_7.0.33-124_amd64.deb
    sha:a547680466a8348777c84ab22a440f5e3fa828e7
Notes:
This page is generated automatically and has not been checked for errors. For clarification or corrections please contact the CloudLinux Packaging Team.