[CLSA-2026:1779446654] Fix of 5 CVEs
Type:
security
Severity:
Critical
Release date:
2026-05-22 10:44:19 UTC
Description:
* SECURITY UPDATE: soap extension use-after-free via apache:Map duplicate keys - debian/patches/php-7.0-CVE-2026-6722.patch: backport upstream commit aee3b3ac9b in ext/soap/php_encoding.c — add Z_TRY_ADDREF_P on soap_add_xml_ref insertion and change SOAP_GLOBAL(ref_map) destructor to ZVAL_PTR_DTOR. - CVE-2026-6722 * SECURITY UPDATE: soap extension NULL pointer dereference via apache:Map item missing element - debian/patches/php-7.0-CVE-2026-7262.patch: backport upstream commit 79551ab8b1 in ext/soap/php_encoding.c — fix typo'd null check in to_zval_map() (was checking xmlKey, should check xmlValue). - CVE-2026-7262 * SECURITY UPDATE: php-fpm status endpoint XSS via unescaped request_uri - debian/patches/php-7.0-CVE-2026-6735.patch: backport upstream commit 99a5ad7441 in sapi/fpm/fpm/fpm_status.c — escape proc.request_uri with php_escape_html_entities_ex() and fix the broken "ENT_HTML_IGNORE_ERRORS & ENT_COMPAT" flag (bitwise-AND of two flag constants evaluates to 0). Adapted to 7.x layout (struct access "proc.X", single encode flag, older 6-arg php_escape_html_entities_ex signature). - CVE-2026-6735 * SECURITY UPDATE: soap SoapServer use-after-free after header parsing failure when SOAP_PERSISTENCE_SESSION is set - debian/patches/php-7.0-CVE-2026-7261.patch: backport upstream commit db2a7f9348 in ext/soap/soap.c — guard both zval_ptr_dtor(soap_obj) call sites in PHP_METHOD(SoapServer, handle) with "if (service->soap_class.persistence != SOAP_PERSISTENCE_SESSION)". - CVE-2026-7261 * SECURITY UPDATE: metaphone() signed integer overflow on >INT_MAX input - debian/patches/php-7.0-CVE-2026-7568.patch: backport upstream commit 47def8ce1d in ext/standard/metaphone.c — retype w_idx and Lookahead's how_far/idx from int to size_t to avoid signed overflow while walking strings larger than 2 GB on 64-bit builds. - CVE-2026-7568
Updated packages:
  • alt-php70_7.0.33-124_amd64.deb
    sha:fc77a9738ca6fe1fd0dae93e7feeea75d156b8c2
  • alt-php70-bcmath_7.0.33-124_amd64.deb
    sha:69a8d2bedbb13e8c531e9da4fadb625955b3e470
  • alt-php70-cli_7.0.33-124_amd64.deb
    sha:3ce93643203f14c063f8255e40dc8bf59efc993a
  • alt-php70-common_7.0.33-124_amd64.deb
    sha:f433ecdc743f28cdec4fa3d3d4fa0f0f04eb9939
  • alt-php70-dba_7.0.33-124_amd64.deb
    sha:09df1f7d29a3ad0cfaaf18e73b3a4ad1fd6ea1bb
  • alt-php70-dev_7.0.33-124_amd64.deb
    sha:06d88fbe0dfb95457071fe87c04a6dbe882ee886
  • alt-php70-enchant_7.0.33-124_amd64.deb
    sha:997ad4ad01197e83a2298088240c66f533cc7bb1
  • alt-php70-firebird_7.0.33-124_amd64.deb
    sha:51aeb9130ec7c8b9b4bc95bfdfe9651b2eb1983a
  • alt-php70-fpm_7.0.33-124_amd64.deb
    sha:502b229a48a34ae01082c185dc45f13e501cad5f
  • alt-php70-gd_7.0.33-124_amd64.deb
    sha:9d1fb0ebd96f966e5b789fdc11cf23e3cf6dec2f
  • alt-php70-imap_7.0.33-124_amd64.deb
    sha:e55e2e568185b5bd2a9dc299bc6e05142244aee7
  • alt-php70-intl_7.0.33-124_amd64.deb
    sha:671762b7021cb14238ba14ba89ff5e8fba015dc7
  • alt-php70-ldap_7.0.33-124_amd64.deb
    sha:3b573376399e40c2f508e5e7fb78dd5a1d9ef83a
  • alt-php70-mbstring_7.0.33-124_amd64.deb
    sha:99ce07e0a372148f303ce50e513ec03609502887
  • alt-php70-mcrypt_7.0.33-124_amd64.deb
    sha:f52b71a747fe6e708302d87c40826881c072f4eb
  • alt-php70-mysqlnd_7.0.33-124_amd64.deb
    sha:00f3860620b3b6e72ac8c4d361e196f8db247f38
  • alt-php70-odbc_7.0.33-124_amd64.deb
    sha:2826a9e567d0544be09d3d754add7571429dfeb8
  • alt-php70-opcache_7.0.33-124_amd64.deb
    sha:22aaed4082051b2b7e774c06a5f16a5a8b3d1bbb
  • alt-php70-pdo_7.0.33-124_amd64.deb
    sha:5a51ecceadbdea77446ee7053e79256e808658fc
  • alt-php70-pgsql_7.0.33-124_amd64.deb
    sha:92f55971db592b0a18f26122c2db986cc791e5db
  • alt-php70-process_7.0.33-124_amd64.deb
    sha:1ef3870b38dcb2cfde17a2042bfcac0c7b69c2ba
  • alt-php70-pspell_7.0.33-124_amd64.deb
    sha:da2d55a7606824ce6a355052bda52ca142b4b1d5
  • alt-php70-recode_7.0.33-124_amd64.deb
    sha:e2bb67c946301456535e80fb6d74c463a22a892a
  • alt-php70-snmp_7.0.33-124_amd64.deb
    sha:be5354fe76e446d6d68a6ebb547c45d8433902b4
  • alt-php70-soap_7.0.33-124_amd64.deb
    sha:e86848ceecbd0bb40857fe1b559a104d77d77775
  • alt-php70-tidy_7.0.33-124_amd64.deb
    sha:114105096e3bfa90e906392f096dd68bce3f1ced
  • alt-php70-xml_7.0.33-124_amd64.deb
    sha:79bd3a34805676bfef0c22b736d0e25a1bed2ca2
  • alt-php70-xmlrpc_7.0.33-124_amd64.deb
    sha:9bb9025aff8fa30125374a7da8d8dc289e564551
Notes:
This page is generated automatically and has not been checked for errors. For clarification or corrections please contact the CloudLinux Packaging Team.