Release date:
2026-05-22 09:36:30 UTC
Description:
* SECURITY UPDATE: soap extension use-after-free via apache:Map duplicate keys
- debian/patches/php-5.2-CVE-2026-6722.patch: backport upstream commit
aee3b3ac9b in ext/soap/php_encoding.c — adapt addref/dtor changes
to pre-PHP7 zval** SOAP API.
- Note: the 5.2 backport applies the addref half of the upstream fix only;
the matching ref_map destructor change (NULL -> ZVAL_PTR_DTOR) is
intentionally omitted because in 5.x ref_map is heterogeneous (stores
both xmlNodePtr and zval* entries through the same API) and a
ZVAL_PTR_DTOR would corrupt the xmlNodePtr entries. The addref alone
closes the UAF; cost is one bounded zval leak per request, released
with the emalloc pool at RSHUTDOWN.
- CVE-2026-6722
* SECURITY UPDATE: soap extension NULL pointer dereference via apache:Map
item missing element
- debian/patches/php-5.2-CVE-2026-7262.patch: backport upstream commit
79551ab8b1 in ext/soap/php_encoding.c — fix typo'd null check in
to_zval_map() (was checking xmlKey, should check xmlValue).
- CVE-2026-7262
* SECURITY UPDATE: soap extension use-after-free after header parsing
failure with SOAP_PERSISTENCE_SESSION
- debian/patches/php-5.2-CVE-2026-7261.patch: backport upstream commit
db2a7f9348 in ext/soap/soap.c — wrap both zval_ptr_dtor(&soap_obj)
sites in the header-handler failure paths with a
persistance!=SOAP_PERSISTENCE_SESSION guard.
- CVE-2026-7261
Updated packages:
-
alt-php52_5.2.17-221_amd64.deb
sha:59474cb1c55685fe836c920f05ba9627769208e2
-
alt-php52-bcmath_5.2.17-221_amd64.deb
sha:1b1158c0a50ecabc62b214996cb998ea2d2eddcb
-
alt-php52-cli_5.2.17-221_amd64.deb
sha:b56152de407b657ac4ed28a2442721cd4c030764
-
alt-php52-common_5.2.17-221_amd64.deb
sha:a4aed13934831ec314299726bcf5ef0d9f5ac84f
-
alt-php52-dba_5.2.17-221_amd64.deb
sha:341810dff22f1ffc98f2ec8a8ec820240264820b
-
alt-php52-dbx_5.2.17-221_amd64.deb
sha:2121fc477c9b10e5726e74edc3a8be3b12409a32
-
alt-php52-dev_5.2.17-221_amd64.deb
sha:9e627f70693e6003852237952bf022543de5a3d2
-
alt-php52-enchant_5.2.17-221_amd64.deb
sha:47155e6617b213b7c4bd3409eecfb3c23347ca36
-
alt-php52-firebird_5.2.17-221_amd64.deb
sha:e28f7dfaf8db3f882be74607ff955ace619d4d02
-
alt-php52-gd_5.2.17-221_amd64.deb
sha:3e1e22e4a485f878f15aeac1251fdc50bcface6f
-
alt-php52-imap_5.2.17-221_amd64.deb
sha:8f5dd87f10571fa222eba65202c5d5edb2bfadff
-
alt-php52-intl_5.2.17-221_amd64.deb
sha:68e2ed1ce8f783adaa8c971ef6f2c3d009ecafcb
-
alt-php52-ldap_5.2.17-221_amd64.deb
sha:94ac5cd9903149f318200478998797f66ab1ef24
-
alt-php52-mbstring_5.2.17-221_amd64.deb
sha:45eca9c563a1402c1ff531c61d7b0578e5e94bfc
-
alt-php52-mcrypt_5.2.17-221_amd64.deb
sha:354389e77ce6bd115117e1cb998ae4a18cb5180c
-
alt-php52-mysqlnd_5.2.17-221_amd64.deb
sha:cd0284314be6fab1a98c598664f6ba7a5ba1dd43
-
alt-php52-odbc_5.2.17-221_amd64.deb
sha:2a50b0e0a00403e35f2890705375ab50b5d34b9a
-
alt-php52-pdo_5.2.17-221_amd64.deb
sha:4a25e669090a4f9fae893c32afb70a9060661876
-
alt-php52-pgsql_5.2.17-221_amd64.deb
sha:831265a90c299d4bcf8e1682e0afb07a6d2e8340
-
alt-php52-process_5.2.17-221_amd64.deb
sha:cc7caf0db85c1cf251ac4fa49425b947a66a0224
-
alt-php52-pspell_5.2.17-221_amd64.deb
sha:ebbbe5f97c1c00c7f0139625bf788cb54731ac63
-
alt-php52-recode_5.2.17-221_amd64.deb
sha:e44cae4eab0f75c18f02f4eee84246eff6a57dcb
-
alt-php52-snmp_5.2.17-221_amd64.deb
sha:7a2c0c17561b731ea0c88040ba0cbcd437f486b0
-
alt-php52-soap_5.2.17-221_amd64.deb
sha:d6350946d46c07528d4c4c728cc0007361a7cd57
-
alt-php52-sqlite_5.2.17-221_amd64.deb
sha:f0cc0a3a1b17c4f0d4432b6500152a8b63a74fe1
-
alt-php52-sybase_5.2.17-221_amd64.deb
sha:67a159d4a236247bc43d24804967814dbe903159
-
alt-php52-tidy_5.2.17-221_amd64.deb
sha:b251c3d7fa249a92a9a48947accf1d4018324907
-
alt-php52-xml_5.2.17-221_amd64.deb
sha:5bb7915adccf828e2c97049d1e897029b1317c9e
-
alt-php52-xmlrpc_5.2.17-221_amd64.deb
sha:05b14f284c40bf80e96f55ed00631190b6625815
Notes:
This page is generated automatically and has not been checked for errors. For clarification or
corrections please contact the
CloudLinux Packaging Team.
