[CLSA-2026:1779470699] Fix of 5 CVEs
Type:
security
Severity:
Critical
Release date:
2026-05-22 17:25:13 UTC
Description:
* SECURITY UPDATE: soap extension use-after-free via apache:Map duplicate keys - debian/patches/php-7.3-CVE-2026-6722.patch: backport upstream commit aee3b3ac9b in ext/soap/php_encoding.c — add Z_TRY_ADDREF_P on soap_add_xml_ref insertion and change SOAP_GLOBAL(ref_map) destructor to ZVAL_PTR_DTOR. - CVE-2026-6722 * SECURITY UPDATE: soap extension NULL pointer dereference via apache:Map item missing element - debian/patches/php-7.3-CVE-2026-7262.patch: backport upstream commit 79551ab8b1 in ext/soap/php_encoding.c — fix typo'd null check in to_zval_map() (was checking xmlKey, should check xmlValue). - CVE-2026-7262 * SECURITY UPDATE: php-fpm status endpoint XSS via unescaped request_uri - debian/patches/php-7.3-CVE-2026-6735.patch: backport upstream commit 99a5ad7441 in sapi/fpm/fpm/fpm_status.c — escape proc.request_uri with php_escape_html_entities_ex() and fix the broken "ENT_HTML_IGNORE_ERRORS & ENT_COMPAT" flag (bitwise-AND of two flag constants evaluates to 0). Adapted to 7.x layout (struct access "proc.X", single encode flag, older 6-arg php_escape_html_entities_ex signature). - CVE-2026-6735 * SECURITY UPDATE: soap SoapServer use-after-free after header parsing failure when SOAP_PERSISTENCE_SESSION is set - debian/patches/php-7.3-CVE-2026-7261.patch: backport upstream commit db2a7f9348 in ext/soap/soap.c — guard both zval_ptr_dtor(soap_obj) call sites in PHP_METHOD(SoapServer, handle) with "if (service->soap_class.persistence != SOAP_PERSISTENCE_SESSION)". - CVE-2026-7261 * SECURITY UPDATE: metaphone() signed integer overflow on >INT_MAX input - debian/patches/php-7.3-CVE-2026-7568.patch: backport upstream commit 47def8ce1d in ext/standard/metaphone.c — retype w_idx and Lookahead's how_far/idx from int to size_t to avoid signed overflow while walking strings larger than 2 GB on 64-bit builds. - CVE-2026-7568
Updated packages:
  • alt-php73_7.3.33-59_amd64.deb
    sha:60a60f0dc3a400321dc47bf864bdbc6a42cde9cd
  • alt-php73-bcmath_7.3.33-59_amd64.deb
    sha:11cc71f708fc5fa9e63b7a09e652c10f3040ac3d
  • alt-php73-cli_7.3.33-59_amd64.deb
    sha:21c1ff93df9e8f8321f9bcde0ffc3d34122bf3fb
  • alt-php73-common_7.3.33-59_amd64.deb
    sha:5fd1321d47c6abff6f622f3b0616df673b7861c0
  • alt-php73-dba_7.3.33-59_amd64.deb
    sha:6f72a98f8b55ea4b7acf91efc66685c15671b300
  • alt-php73-dev_7.3.33-59_amd64.deb
    sha:0efc09e4bf15a428a8e0a2ca03b20940844f68b5
  • alt-php73-enchant_7.3.33-59_amd64.deb
    sha:4398d42327c742281d8dae9af8103fe84fef5025
  • alt-php73-firebird_7.3.33-59_amd64.deb
    sha:271df823501a37945d7dabfd38b44263ad02061f
  • alt-php73-fpm_7.3.33-59_amd64.deb
    sha:ed0599f6bfafe1fdb94072cd13c02551e5b139d9
  • alt-php73-gd_7.3.33-59_amd64.deb
    sha:ba912ffa73bd80493a14a5a3047cf3d4a008ba09
  • alt-php73-imap_7.3.33-59_amd64.deb
    sha:3ad87dc4b163128d8d3b1212665660063c605f02
  • alt-php73-intl_7.3.33-59_amd64.deb
    sha:c94457c4924f5f7a4a379201ad3995afb20da0aa
  • alt-php73-ldap_7.3.33-59_amd64.deb
    sha:9051a7361376ec9d88c4139c7a89293bc1d27f7c
  • alt-php73-mbstring_7.3.33-59_amd64.deb
    sha:97317df8de4d916855d6002ee6ccb057a06cb985
  • alt-php73-mysqlnd_7.3.33-59_amd64.deb
    sha:8cf1f255172962c43fdc43b5c9e16449bd4965e4
  • alt-php73-odbc_7.3.33-59_amd64.deb
    sha:1924b0a556250b41de8b17d64a36eaa034b8df22
  • alt-php73-opcache_7.3.33-59_amd64.deb
    sha:a3568c2177bc23ba512cda2e997d4d1d74761b4f
  • alt-php73-pdo_7.3.33-59_amd64.deb
    sha:49ab4b0bfa662d35a05e2184bf05e8b93e090957
  • alt-php73-pgsql_7.3.33-59_amd64.deb
    sha:c3849a634aa50e89c8f58560a328490308f461f9
  • alt-php73-process_7.3.33-59_amd64.deb
    sha:32f92d93884352a70d3470e94892d7c7d773a377
  • alt-php73-pspell_7.3.33-59_amd64.deb
    sha:c54f937fa629e79a5caa87f64f810781d4480b17
  • alt-php73-recode_7.3.33-59_amd64.deb
    sha:4ca5085bc585dd65877cf772c2b32507d61b3a88
  • alt-php73-snmp_7.3.33-59_amd64.deb
    sha:ba89d6596672b3f2ab19d38d48f88080b96b8872
  • alt-php73-soap_7.3.33-59_amd64.deb
    sha:11cbf448acdef5ba7e0e4a43025bca0c3ba4dcdc
  • alt-php73-sodium_7.3.33-59_amd64.deb
    sha:c9596c2fb033894c4e45cb3a3897944b714f8182
  • alt-php73-tidy_7.3.33-59_amd64.deb
    sha:6b4a05fe0fc580c32141b33673a2b1313ddeaa38
  • alt-php73-xml_7.3.33-59_amd64.deb
    sha:4358b27c959d00249b5a5ddf2a76b296527f7927
  • alt-php73-xmlrpc_7.3.33-59_amd64.deb
    sha:c1f78542254aea1989c44fac969c5cb707443f1b
Notes:
This page is generated automatically and has not been checked for errors. For clarification or corrections please contact the CloudLinux Packaging Team.