Release date:
2026-05-22 08:36:04 UTC
Description:
* SECURITY UPDATE: soap extension use-after-free via apache:Map duplicate keys
- debian/patches/php-5.2-CVE-2026-6722.patch: backport upstream commit
aee3b3ac9b in ext/soap/php_encoding.c — adapt addref/dtor changes
to pre-PHP7 zval** SOAP API.
- Note: the 5.2 backport applies the addref half of the upstream fix only;
the matching ref_map destructor change (NULL -> ZVAL_PTR_DTOR) is
intentionally omitted because in 5.x ref_map is heterogeneous (stores
both xmlNodePtr and zval* entries through the same API) and a
ZVAL_PTR_DTOR would corrupt the xmlNodePtr entries. The addref alone
closes the UAF; cost is one bounded zval leak per request, released
with the emalloc pool at RSHUTDOWN.
- CVE-2026-6722
* SECURITY UPDATE: soap extension NULL pointer dereference via apache:Map
item missing element
- debian/patches/php-5.2-CVE-2026-7262.patch: backport upstream commit
79551ab8b1 in ext/soap/php_encoding.c — fix typo'd null check in
to_zval_map() (was checking xmlKey, should check xmlValue).
- CVE-2026-7262
* SECURITY UPDATE: soap extension use-after-free after header parsing
failure with SOAP_PERSISTENCE_SESSION
- debian/patches/php-5.2-CVE-2026-7261.patch: backport upstream commit
db2a7f9348 in ext/soap/soap.c — wrap both zval_ptr_dtor(&soap_obj)
sites in the header-handler failure paths with a
persistance!=SOAP_PERSISTENCE_SESSION guard.
- CVE-2026-7261
Updated packages:
-
alt-php52_5.2.17-221_amd64.deb
sha:82351af98125a4b529a9618ba3376bdacedd641e
-
alt-php52-bcmath_5.2.17-221_amd64.deb
sha:56fea745087c5018abce05b066747877b3a6451b
-
alt-php52-cli_5.2.17-221_amd64.deb
sha:8d32fc705521423a965f31124efae3f69914f372
-
alt-php52-common_5.2.17-221_amd64.deb
sha:8465fb61fa2466577a583acbc73f6fdb7b0004d6
-
alt-php52-dba_5.2.17-221_amd64.deb
sha:30df0240129351214fa3d90d0c3dfe937438a750
-
alt-php52-dbx_5.2.17-221_amd64.deb
sha:e4e1effcd368fac5ec63054de245c73a6c15d927
-
alt-php52-dev_5.2.17-221_amd64.deb
sha:fc17860751afca85dfd9ac010f6ad9d12b1afc70
-
alt-php52-enchant_5.2.17-221_amd64.deb
sha:e9acd5d347ab0871596fd5fa515d5c3b2de68d0e
-
alt-php52-firebird_5.2.17-221_amd64.deb
sha:d2e835161ab75828ce7add3e650658c1e15b6595
-
alt-php52-gd_5.2.17-221_amd64.deb
sha:11eca1364964e7774bd4e2859ac7abf356cedce2
-
alt-php52-imap_5.2.17-221_amd64.deb
sha:7baa4ac6183780cecbcea3ba1f3e2595b25d5ede
-
alt-php52-intl_5.2.17-221_amd64.deb
sha:bcc7c1cae1af14439fbda2916080e0e04ca099d2
-
alt-php52-ldap_5.2.17-221_amd64.deb
sha:dd4602be340474714f6d6206d80d730ae454ffce
-
alt-php52-mbstring_5.2.17-221_amd64.deb
sha:7bed647bb488a5abe9fb204417af490db2cc5b0b
-
alt-php52-mcrypt_5.2.17-221_amd64.deb
sha:76d4578578c1911566d7aeeabe75194525c2bc90
-
alt-php52-mysqlnd_5.2.17-221_amd64.deb
sha:c31a50114c11141149f5caa800c7a78ee0c9b07b
-
alt-php52-odbc_5.2.17-221_amd64.deb
sha:52b333b89b9698dfec660e7c0d000ca467099484
-
alt-php52-pdo_5.2.17-221_amd64.deb
sha:57a7c8de43c696267f64af1d793100f3ffc79a88
-
alt-php52-pgsql_5.2.17-221_amd64.deb
sha:0982906f2b5bfba83ba8c9bd2e5978fd1be56423
-
alt-php52-process_5.2.17-221_amd64.deb
sha:e86c9c53d5f6e94831e30caedd4cc14d2a1d5f9c
-
alt-php52-pspell_5.2.17-221_amd64.deb
sha:c1363475cde31303d704953a955ed74b43c8983f
-
alt-php52-recode_5.2.17-221_amd64.deb
sha:d086566aff4f4e2d925ba04901e79a980ea1519f
-
alt-php52-snmp_5.2.17-221_amd64.deb
sha:fd0d515956583f21757c66e1860d58212ccc54f1
-
alt-php52-soap_5.2.17-221_amd64.deb
sha:ea7c63dd7623f8ad91fa70d3e0b163317ec31f47
-
alt-php52-sqlite_5.2.17-221_amd64.deb
sha:3dc134cf5cdf9c5faa4ae28c7a7f9db1f025e782
-
alt-php52-sybase_5.2.17-221_amd64.deb
sha:3a3635225adb3baeb515846997720f9aa1ac826a
-
alt-php52-tidy_5.2.17-221_amd64.deb
sha:f62606bbad372b0f0cce0738d8f75e2ba623c28e
-
alt-php52-xml_5.2.17-221_amd64.deb
sha:234cd3e658456dc67ae8f9db85223686cc03bc5d
-
alt-php52-xmlrpc_5.2.17-221_amd64.deb
sha:164a6277cf54a98029e6b4ba16b51e856aee1b95
Notes:
This page is generated automatically and has not been checked for errors. For clarification or
corrections please contact the
CloudLinux Packaging Team.
