[CLSA-2026:1779471361] Fix of 5 CVEs
Type:
security
Severity:
Critical
Release date:
2026-05-22 17:36:06 UTC
Description:
* SECURITY UPDATE: soap extension use-after-free via apache:Map duplicate keys - debian/patches/php-7.3-CVE-2026-6722.patch: backport upstream commit aee3b3ac9b in ext/soap/php_encoding.c — add Z_TRY_ADDREF_P on soap_add_xml_ref insertion and change SOAP_GLOBAL(ref_map) destructor to ZVAL_PTR_DTOR. - CVE-2026-6722 * SECURITY UPDATE: soap extension NULL pointer dereference via apache:Map item missing element - debian/patches/php-7.3-CVE-2026-7262.patch: backport upstream commit 79551ab8b1 in ext/soap/php_encoding.c — fix typo'd null check in to_zval_map() (was checking xmlKey, should check xmlValue). - CVE-2026-7262 * SECURITY UPDATE: php-fpm status endpoint XSS via unescaped request_uri - debian/patches/php-7.3-CVE-2026-6735.patch: backport upstream commit 99a5ad7441 in sapi/fpm/fpm/fpm_status.c — escape proc.request_uri with php_escape_html_entities_ex() and fix the broken "ENT_HTML_IGNORE_ERRORS & ENT_COMPAT" flag (bitwise-AND of two flag constants evaluates to 0). Adapted to 7.x layout (struct access "proc.X", single encode flag, older 6-arg php_escape_html_entities_ex signature). - CVE-2026-6735 * SECURITY UPDATE: soap SoapServer use-after-free after header parsing failure when SOAP_PERSISTENCE_SESSION is set - debian/patches/php-7.3-CVE-2026-7261.patch: backport upstream commit db2a7f9348 in ext/soap/soap.c — guard both zval_ptr_dtor(soap_obj) call sites in PHP_METHOD(SoapServer, handle) with "if (service->soap_class.persistence != SOAP_PERSISTENCE_SESSION)". - CVE-2026-7261 * SECURITY UPDATE: metaphone() signed integer overflow on >INT_MAX input - debian/patches/php-7.3-CVE-2026-7568.patch: backport upstream commit 47def8ce1d in ext/standard/metaphone.c — retype w_idx and Lookahead's how_far/idx from int to size_t to avoid signed overflow while walking strings larger than 2 GB on 64-bit builds. - CVE-2026-7568
Updated packages:
  • alt-php73_7.3.33-59_amd64.deb
    sha:795edcf0756a9839d07b2accb6e5f1cb8438cc0d
  • alt-php73-bcmath_7.3.33-59_amd64.deb
    sha:5f5d5635ccd28465df55e4df7319ff1f3332ab38
  • alt-php73-cli_7.3.33-59_amd64.deb
    sha:ea125660458aee336b6f1cdd37c015d6919235c2
  • alt-php73-common_7.3.33-59_amd64.deb
    sha:0ce81d95110640c2806c51f0d14fe32065086ff1
  • alt-php73-dba_7.3.33-59_amd64.deb
    sha:ee9037d686e8248353a46b86d76c085e6e1ab8d1
  • alt-php73-dev_7.3.33-59_amd64.deb
    sha:552d18852e49832aa21a07f7a67b368efd3a47af
  • alt-php73-enchant_7.3.33-59_amd64.deb
    sha:a77a16d5448d5ed6ce3074a733b460f49bbbecf4
  • alt-php73-firebird_7.3.33-59_amd64.deb
    sha:540405752c0bc7cebfdf97612383514321898f0d
  • alt-php73-fpm_7.3.33-59_amd64.deb
    sha:12459f1605e3d606ca49b12f811f97f85ee8da42
  • alt-php73-gd_7.3.33-59_amd64.deb
    sha:53a41cfb6e54e6d317f649dc25bf3afb2506d684
  • alt-php73-imap_7.3.33-59_amd64.deb
    sha:3af3a48551c44fd8905d0527eb682b996c699608
  • alt-php73-intl_7.3.33-59_amd64.deb
    sha:99ece38dc301c4fa608401192ea2d52e728de4cf
  • alt-php73-ldap_7.3.33-59_amd64.deb
    sha:024d9537128f5338a3bdb290f14ec21104d41036
  • alt-php73-mbstring_7.3.33-59_amd64.deb
    sha:7c5899180022a92c2553a37bea0607daf07c46b8
  • alt-php73-mysqlnd_7.3.33-59_amd64.deb
    sha:efa34df72165ee5573d09b1dd04335e74627b543
  • alt-php73-odbc_7.3.33-59_amd64.deb
    sha:9668087d8c3fd4bfd11c55dd010c4bc09732243e
  • alt-php73-opcache_7.3.33-59_amd64.deb
    sha:f6206ddeccda133ea797fcab9336bfefc3f32fa1
  • alt-php73-pdo_7.3.33-59_amd64.deb
    sha:9353d58bbe3a71534957b7b491afe73bbd9b4ead
  • alt-php73-pgsql_7.3.33-59_amd64.deb
    sha:cfe5fdefcf6cfc0cb42f1fd6ef5a2ed1472de2f1
  • alt-php73-process_7.3.33-59_amd64.deb
    sha:60532d250056f0ffad02c39c3a946ffafa328b45
  • alt-php73-pspell_7.3.33-59_amd64.deb
    sha:259cf4864480c259dae0c4b41715b6ec180a09f7
  • alt-php73-recode_7.3.33-59_amd64.deb
    sha:713d4fffe486f6f94344df079e209a6246baf9c7
  • alt-php73-snmp_7.3.33-59_amd64.deb
    sha:0d93bf5047c8d25710cb7f5245ad08cd7d7626c2
  • alt-php73-soap_7.3.33-59_amd64.deb
    sha:66b5930ebdcfaf40bf83e99b092aee0be09646dc
  • alt-php73-sodium_7.3.33-59_amd64.deb
    sha:6080f2e851fc0c2450505420f4d450425bef14d5
  • alt-php73-tidy_7.3.33-59_amd64.deb
    sha:2f52b8efaef1505f74121575bb308401ae5b5068
  • alt-php73-xml_7.3.33-59_amd64.deb
    sha:e42ff181dd7a5e7a278ee9f0e3d51ba58d90dc2a
  • alt-php73-xmlrpc_7.3.33-59_amd64.deb
    sha:79d9f782dacf15a24747948de4533b8bc18eff51
Notes:
This page is generated automatically and has not been checked for errors. For clarification or corrections please contact the CloudLinux Packaging Team.