[CLSA-2026:1779450201] Fix of 5 CVEs
Type:
security
Severity:
Critical
Release date:
2026-05-22 11:43:26 UTC
Description:
* SECURITY UPDATE: soap extension use-after-free via apache:Map duplicate keys - debian/patches/php-7.1-CVE-2026-6722.patch: backport upstream commit aee3b3ac9b in ext/soap/php_encoding.c — add Z_TRY_ADDREF_P on soap_add_xml_ref insertion and change SOAP_GLOBAL(ref_map) destructor to ZVAL_PTR_DTOR. - CVE-2026-6722 * SECURITY UPDATE: soap extension NULL pointer dereference via apache:Map item missing element - debian/patches/php-7.1-CVE-2026-7262.patch: backport upstream commit 79551ab8b1 in ext/soap/php_encoding.c — fix typo'd null check in to_zval_map() (was checking xmlKey, should check xmlValue). - CVE-2026-7262 * SECURITY UPDATE: php-fpm status endpoint XSS via unescaped request_uri - debian/patches/php-7.1-CVE-2026-6735.patch: backport upstream commit 99a5ad7441 in sapi/fpm/fpm/fpm_status.c — escape proc.request_uri with php_escape_html_entities_ex() and fix the broken "ENT_HTML_IGNORE_ERRORS & ENT_COMPAT" flag (bitwise-AND of two flag constants evaluates to 0). Adapted to 7.x layout (struct access "proc.X", single encode flag, older 6-arg php_escape_html_entities_ex signature). - CVE-2026-6735 * SECURITY UPDATE: soap SoapServer use-after-free after header parsing failure when SOAP_PERSISTENCE_SESSION is set - debian/patches/php-7.1-CVE-2026-7261.patch: backport upstream commit db2a7f9348 in ext/soap/soap.c — guard both zval_ptr_dtor(soap_obj) call sites in PHP_METHOD(SoapServer, handle) with "if (service->soap_class.persistence != SOAP_PERSISTENCE_SESSION)". - CVE-2026-7261 * SECURITY UPDATE: metaphone() signed integer overflow on >INT_MAX input - debian/patches/php-7.1-CVE-2026-7568.patch: backport upstream commit 47def8ce1d in ext/standard/metaphone.c — retype w_idx and Lookahead's how_far/idx from int to size_t to avoid signed overflow while walking strings larger than 2 GB on 64-bit builds. - CVE-2026-7568
Updated packages:
  • alt-php71_7.1.33-90_amd64.deb
    sha:cdf9b4041d2418393dca59e9773d6a48cb881672
  • alt-php71-bcmath_7.1.33-90_amd64.deb
    sha:4fd800df1324847dd2dbac3485f20056cc512761
  • alt-php71-cli_7.1.33-90_amd64.deb
    sha:ca0394b648ae7a85901a55e61eae9c5f1de852ff
  • alt-php71-common_7.1.33-90_amd64.deb
    sha:23071fe618e4cc2c499021b43a20e6a98150bfeb
  • alt-php71-dba_7.1.33-90_amd64.deb
    sha:19804d99caa19ec95686481a59a9a30de044e86a
  • alt-php71-dev_7.1.33-90_amd64.deb
    sha:6f86b0d3d7bbbd6a6edab934f51d573e48c97316
  • alt-php71-enchant_7.1.33-90_amd64.deb
    sha:eb57fa87facf1e6be95bc3e60be03c1ae992cad6
  • alt-php71-firebird_7.1.33-90_amd64.deb
    sha:9c035d2683c33c37a4d91fb72313c4fb6cad22b1
  • alt-php71-fpm_7.1.33-90_amd64.deb
    sha:c15f265d29e10675855128ece89121e8537ffc21
  • alt-php71-gd_7.1.33-90_amd64.deb
    sha:456121154677f97dd5a968f6f51b4a27d3b06b24
  • alt-php71-imap_7.1.33-90_amd64.deb
    sha:2bb1169fecf56a4b672b80f589fae6f181fa7d95
  • alt-php71-intl_7.1.33-90_amd64.deb
    sha:964675ffa462e511474aae664023d52068772de9
  • alt-php71-ldap_7.1.33-90_amd64.deb
    sha:7528e23b07f6780354b161a0da1b9af9a8b33953
  • alt-php71-mbstring_7.1.33-90_amd64.deb
    sha:2e2e0b4b4ae8879ab9c81f15883cf66b7b8e629e
  • alt-php71-mcrypt_7.1.33-90_amd64.deb
    sha:fd1c55511bf593a245a0ec7fd8b542a8084296d2
  • alt-php71-mysqlnd_7.1.33-90_amd64.deb
    sha:53fec328bd703bc600c962d5c75e9db7e100bc02
  • alt-php71-odbc_7.1.33-90_amd64.deb
    sha:091050f8e902a6fd958bec31aac1d94838eb4d07
  • alt-php71-opcache_7.1.33-90_amd64.deb
    sha:e44420e532e33f696cd503e6d030c639d6fe0f72
  • alt-php71-pdo_7.1.33-90_amd64.deb
    sha:ce4fc286098a9e9d17c6fa48e9a451b819c443f9
  • alt-php71-pgsql_7.1.33-90_amd64.deb
    sha:b1b611b1c24a7ebd198a39fdc6c1391116b129b6
  • alt-php71-process_7.1.33-90_amd64.deb
    sha:e453b126a3e713c62b794f478d2791235e977edf
  • alt-php71-pspell_7.1.33-90_amd64.deb
    sha:2d27913a7ef71004e02c9a77e538ec3d10a191c9
  • alt-php71-recode_7.1.33-90_amd64.deb
    sha:2b6f3976f4edf1bd56c0cdcc50d844cf83055b33
  • alt-php71-snmp_7.1.33-90_amd64.deb
    sha:374b36b6d1b6f251b315e882f38039b3c2ebd1f1
  • alt-php71-soap_7.1.33-90_amd64.deb
    sha:e92a950cf4cf9c101af50558eb5bd747fdff6bf4
  • alt-php71-tidy_7.1.33-90_amd64.deb
    sha:07bcac950f49dd75067cede0d6987bf21ceb8641
  • alt-php71-xml_7.1.33-90_amd64.deb
    sha:c5759b0d2149135aec823bd38742168b7ffe3015
  • alt-php71-xmlrpc_7.1.33-90_amd64.deb
    sha:8cbd3a94e8be920b958c1af78a4d01e9062d542c
Notes:
This page is generated automatically and has not been checked for errors. For clarification or corrections please contact the CloudLinux Packaging Team.