[CLSA-2026:1779449034] Fix of 5 CVEs
Type:
security
Severity:
Critical
Release date:
2026-05-22 11:24:05 UTC
Description:
* SECURITY UPDATE: soap extension use-after-free via apache:Map duplicate keys - debian/patches/php-7.1-CVE-2026-6722.patch: backport upstream commit aee3b3ac9b in ext/soap/php_encoding.c — add Z_TRY_ADDREF_P on soap_add_xml_ref insertion and change SOAP_GLOBAL(ref_map) destructor to ZVAL_PTR_DTOR. - CVE-2026-6722 * SECURITY UPDATE: soap extension NULL pointer dereference via apache:Map item missing element - debian/patches/php-7.1-CVE-2026-7262.patch: backport upstream commit 79551ab8b1 in ext/soap/php_encoding.c — fix typo'd null check in to_zval_map() (was checking xmlKey, should check xmlValue). - CVE-2026-7262 * SECURITY UPDATE: php-fpm status endpoint XSS via unescaped request_uri - debian/patches/php-7.1-CVE-2026-6735.patch: backport upstream commit 99a5ad7441 in sapi/fpm/fpm/fpm_status.c — escape proc.request_uri with php_escape_html_entities_ex() and fix the broken "ENT_HTML_IGNORE_ERRORS & ENT_COMPAT" flag (bitwise-AND of two flag constants evaluates to 0). Adapted to 7.x layout (struct access "proc.X", single encode flag, older 6-arg php_escape_html_entities_ex signature). - CVE-2026-6735 * SECURITY UPDATE: soap SoapServer use-after-free after header parsing failure when SOAP_PERSISTENCE_SESSION is set - debian/patches/php-7.1-CVE-2026-7261.patch: backport upstream commit db2a7f9348 in ext/soap/soap.c — guard both zval_ptr_dtor(soap_obj) call sites in PHP_METHOD(SoapServer, handle) with "if (service->soap_class.persistence != SOAP_PERSISTENCE_SESSION)". - CVE-2026-7261 * SECURITY UPDATE: metaphone() signed integer overflow on >INT_MAX input - debian/patches/php-7.1-CVE-2026-7568.patch: backport upstream commit 47def8ce1d in ext/standard/metaphone.c — retype w_idx and Lookahead's how_far/idx from int to size_t to avoid signed overflow while walking strings larger than 2 GB on 64-bit builds. - CVE-2026-7568
Updated packages:
  • alt-php71_7.1.33-90_amd64.deb
    sha:aa47990c9fac49bd616c731424f7f844a0258c47
  • alt-php71-bcmath_7.1.33-90_amd64.deb
    sha:bb1c42d5ef567a60c2cb2f43f544d2e9da2600ef
  • alt-php71-cli_7.1.33-90_amd64.deb
    sha:791d96ae766ef03835fce4a281cba46e7e014cd4
  • alt-php71-common_7.1.33-90_amd64.deb
    sha:39f5962d3c7f2bbbf85092fdb9904fe248fb3d76
  • alt-php71-dba_7.1.33-90_amd64.deb
    sha:be2ef8ebc874d1071b9fb373c3be2b8deb801d1c
  • alt-php71-dev_7.1.33-90_amd64.deb
    sha:f02b7c512d35191b8390fcbbc5cdb06c3b621fe0
  • alt-php71-enchant_7.1.33-90_amd64.deb
    sha:e5cc0a551a9a882930a64315994ec69756924ef1
  • alt-php71-firebird_7.1.33-90_amd64.deb
    sha:ad54e6bfaabd2c7f64a4bc5dd877c8946e30bb90
  • alt-php71-fpm_7.1.33-90_amd64.deb
    sha:2b086783ba33dd59be4e46de27b91a23fa9e588c
  • alt-php71-gd_7.1.33-90_amd64.deb
    sha:dd61f96f3b9838f08edc09e8117fa59151cfb99c
  • alt-php71-imap_7.1.33-90_amd64.deb
    sha:e76d90fd1cd361a5768803d917b505f21bdd75b2
  • alt-php71-intl_7.1.33-90_amd64.deb
    sha:2eb53855103e15f07e7e510844e1ab0b75ce7d16
  • alt-php71-ldap_7.1.33-90_amd64.deb
    sha:ab5346416c2a27edce11605042a0ffe45c2fb640
  • alt-php71-mbstring_7.1.33-90_amd64.deb
    sha:5a0b60b3aa681febcdc5a436ae6c3929db6fb452
  • alt-php71-mcrypt_7.1.33-90_amd64.deb
    sha:2ff76c891a281d472bac4340c655509f69d88edf
  • alt-php71-mysqlnd_7.1.33-90_amd64.deb
    sha:e1057057db5d7721bacedb333d1354b01cebd9de
  • alt-php71-odbc_7.1.33-90_amd64.deb
    sha:c73c88214d0b64c6747f454abde143386542bfb6
  • alt-php71-opcache_7.1.33-90_amd64.deb
    sha:f2cd66ab983d95b82eb8de8a699d91bfdc2a4fd1
  • alt-php71-pdo_7.1.33-90_amd64.deb
    sha:0816d00d9025a1fe237bb49e68543aaa9a6870bd
  • alt-php71-pgsql_7.1.33-90_amd64.deb
    sha:32688aba06d07a16bca8bad1bf62f5114cb5ad12
  • alt-php71-process_7.1.33-90_amd64.deb
    sha:e866409f3d0dbbd1fbadf8654b25968e09f268b8
  • alt-php71-pspell_7.1.33-90_amd64.deb
    sha:06e26b4158a46d8ed9274273b0c7f1c72e0562eb
  • alt-php71-recode_7.1.33-90_amd64.deb
    sha:651817162e30824c0473dc0d5c7722a1342823f0
  • alt-php71-snmp_7.1.33-90_amd64.deb
    sha:8c67b664d5ca1d45335ad4937d254eba03be3742
  • alt-php71-soap_7.1.33-90_amd64.deb
    sha:f4e1f2ce251f09c2c01d3b54620879472a855235
  • alt-php71-tidy_7.1.33-90_amd64.deb
    sha:42d1f9614cee3e147a55f24a3a55b68972011103
  • alt-php71-xml_7.1.33-90_amd64.deb
    sha:e516affea1cf580910fe402b34d33289c8a9009a
  • alt-php71-xmlrpc_7.1.33-90_amd64.deb
    sha:120ba4268fd1f9c6c68beabbf2150644e9027634
Notes:
This page is generated automatically and has not been checked for errors. For clarification or corrections please contact the CloudLinux Packaging Team.