[CLSA-2026:1779451259] Fix of 5 CVEs
Type:
security
Severity:
Critical
Release date:
2026-05-22 12:01:04 UTC
Description:
* SECURITY UPDATE: soap extension use-after-free via apache:Map duplicate keys - debian/patches/php-7.0-CVE-2026-6722.patch: backport upstream commit aee3b3ac9b in ext/soap/php_encoding.c — add Z_TRY_ADDREF_P on soap_add_xml_ref insertion and change SOAP_GLOBAL(ref_map) destructor to ZVAL_PTR_DTOR. - CVE-2026-6722 * SECURITY UPDATE: soap extension NULL pointer dereference via apache:Map item missing element - debian/patches/php-7.0-CVE-2026-7262.patch: backport upstream commit 79551ab8b1 in ext/soap/php_encoding.c — fix typo'd null check in to_zval_map() (was checking xmlKey, should check xmlValue). - CVE-2026-7262 * SECURITY UPDATE: php-fpm status endpoint XSS via unescaped request_uri - debian/patches/php-7.0-CVE-2026-6735.patch: backport upstream commit 99a5ad7441 in sapi/fpm/fpm/fpm_status.c — escape proc.request_uri with php_escape_html_entities_ex() and fix the broken "ENT_HTML_IGNORE_ERRORS & ENT_COMPAT" flag (bitwise-AND of two flag constants evaluates to 0). Adapted to 7.x layout (struct access "proc.X", single encode flag, older 6-arg php_escape_html_entities_ex signature). - CVE-2026-6735 * SECURITY UPDATE: soap SoapServer use-after-free after header parsing failure when SOAP_PERSISTENCE_SESSION is set - debian/patches/php-7.0-CVE-2026-7261.patch: backport upstream commit db2a7f9348 in ext/soap/soap.c — guard both zval_ptr_dtor(soap_obj) call sites in PHP_METHOD(SoapServer, handle) with "if (service->soap_class.persistence != SOAP_PERSISTENCE_SESSION)". - CVE-2026-7261 * SECURITY UPDATE: metaphone() signed integer overflow on >INT_MAX input - debian/patches/php-7.0-CVE-2026-7568.patch: backport upstream commit 47def8ce1d in ext/standard/metaphone.c — retype w_idx and Lookahead's how_far/idx from int to size_t to avoid signed overflow while walking strings larger than 2 GB on 64-bit builds. - CVE-2026-7568
Updated packages:
  • alt-php70_7.0.33-124_amd64.deb
    sha:e6431c0facf326013a7c14478e41694bef8d3972
  • alt-php70-bcmath_7.0.33-124_amd64.deb
    sha:1a2f22447d399204809c5069e47a8a7d4970e871
  • alt-php70-cli_7.0.33-124_amd64.deb
    sha:4df2f4da78a3c61f9d528c313c13457a95f42f49
  • alt-php70-common_7.0.33-124_amd64.deb
    sha:7df95596b2eb85d6600f67f77432b62a2231ed8d
  • alt-php70-dba_7.0.33-124_amd64.deb
    sha:8f77c44d358c7e7e43c1e1e42a82aed1137a462e
  • alt-php70-dev_7.0.33-124_amd64.deb
    sha:10449d97fb61b24f602404525f86e68b0e69b7e5
  • alt-php70-enchant_7.0.33-124_amd64.deb
    sha:7b1f3e4eb336524b229be03868b60fa05a95b8d4
  • alt-php70-firebird_7.0.33-124_amd64.deb
    sha:62c4a36ab015a5e6374398d27aad35a80dadc08e
  • alt-php70-fpm_7.0.33-124_amd64.deb
    sha:0a09ec05044ae574342efcbdccc2b25ab30ecf8f
  • alt-php70-gd_7.0.33-124_amd64.deb
    sha:d9d97437db46fcb972ceb87739af158b35fadc32
  • alt-php70-imap_7.0.33-124_amd64.deb
    sha:b546a92664099c2ce967019a408e963e47dc75da
  • alt-php70-intl_7.0.33-124_amd64.deb
    sha:99c2b3a7cf37c37cf18a3b26264b1a5d0d5d92f1
  • alt-php70-ldap_7.0.33-124_amd64.deb
    sha:1bc4f6387174f408ab254295418daafd6a05a7b0
  • alt-php70-mbstring_7.0.33-124_amd64.deb
    sha:89b88dbcd8880624a564d9c04c65749f547027fe
  • alt-php70-mcrypt_7.0.33-124_amd64.deb
    sha:a62fca2fcee66ea29a4ec23a1c0874661a0d5515
  • alt-php70-mysqlnd_7.0.33-124_amd64.deb
    sha:fcde56bcb3bc99867eb6524b1ff84c855d0bb458
  • alt-php70-odbc_7.0.33-124_amd64.deb
    sha:00c5e5f817e6cc26cd14890042730f4c315c40a0
  • alt-php70-opcache_7.0.33-124_amd64.deb
    sha:7e94234ba9e9e5748ca3856f28e2be9ceaddb80e
  • alt-php70-pdo_7.0.33-124_amd64.deb
    sha:0e48f41469e7d73ecd85233e4a7456ac457ce8bf
  • alt-php70-pgsql_7.0.33-124_amd64.deb
    sha:b2a7924e9afb2d2d6b04c0f3dc392b133d1c5b69
  • alt-php70-process_7.0.33-124_amd64.deb
    sha:134ecf8a092191626d681043789a36516d58405f
  • alt-php70-pspell_7.0.33-124_amd64.deb
    sha:4d767e3d54b048051e9a24ae5425f6f248cb8bee
  • alt-php70-recode_7.0.33-124_amd64.deb
    sha:65d089973034c905a795b6867a01858df784253f
  • alt-php70-snmp_7.0.33-124_amd64.deb
    sha:4a10be1f56a925018a6df1e87672f30dba96ab21
  • alt-php70-soap_7.0.33-124_amd64.deb
    sha:8f224c9d8b54b9d338f0b3b3b82454c23c0bc24e
  • alt-php70-tidy_7.0.33-124_amd64.deb
    sha:9a530ae43acb32315510f1337819e7a3ccb062ed
  • alt-php70-xml_7.0.33-124_amd64.deb
    sha:ad61e04e3b88caca700bc52b6464e3ad896bbb55
  • alt-php70-xmlrpc_7.0.33-124_amd64.deb
    sha:53d8b4fc42555f40183497991fc98a6803ecb258
Notes:
This page is generated automatically and has not been checked for errors. For clarification or corrections please contact the CloudLinux Packaging Team.