[CLSA-2026:1779450918] Fix of 5 CVEs
Type:
security
Severity:
Critical
Release date:
2026-05-22 11:55:23 UTC
Description:
* SECURITY UPDATE: soap extension use-after-free via apache:Map duplicate keys - debian/patches/php-7.2-CVE-2026-6722.patch: backport upstream commit aee3b3ac9b in ext/soap/php_encoding.c — add Z_TRY_ADDREF_P on soap_add_xml_ref insertion and change SOAP_GLOBAL(ref_map) destructor to ZVAL_PTR_DTOR. - CVE-2026-6722 * SECURITY UPDATE: soap extension NULL pointer dereference via apache:Map item missing element - debian/patches/php-7.2-CVE-2026-7262.patch: backport upstream commit 79551ab8b1 in ext/soap/php_encoding.c — fix typo'd null check in to_zval_map() (was checking xmlKey, should check xmlValue). - CVE-2026-7262 * SECURITY UPDATE: php-fpm status endpoint XSS via unescaped request_uri - debian/patches/php-7.2-CVE-2026-6735.patch: backport upstream commit 99a5ad7441 in sapi/fpm/fpm/fpm_status.c — escape proc.request_uri with php_escape_html_entities_ex() and fix the broken "ENT_HTML_IGNORE_ERRORS & ENT_COMPAT" flag (bitwise-AND of two flag constants evaluates to 0). Adapted to 7.x layout (struct access "proc.X", single encode flag, older 6-arg php_escape_html_entities_ex signature). - CVE-2026-6735 * SECURITY UPDATE: soap SoapServer use-after-free after header parsing failure when SOAP_PERSISTENCE_SESSION is set - debian/patches/php-7.2-CVE-2026-7261.patch: backport upstream commit db2a7f9348 in ext/soap/soap.c — guard both zval_ptr_dtor(soap_obj) call sites in PHP_METHOD(SoapServer, handle) with "if (service->soap_class.persistence != SOAP_PERSISTENCE_SESSION)". - CVE-2026-7261 * SECURITY UPDATE: metaphone() signed integer overflow on >INT_MAX input - debian/patches/php-7.2-CVE-2026-7568.patch: backport upstream commit 47def8ce1d in ext/standard/metaphone.c — retype w_idx and Lookahead's how_far/idx from int to size_t to avoid signed overflow while walking strings larger than 2 GB on 64-bit builds. - CVE-2026-7568
Updated packages:
  • alt-php72_7.2.34-74_amd64.deb
    sha:52b92670a2170e7e355157f8a92f838ac311aa70
  • alt-php72-bcmath_7.2.34-74_amd64.deb
    sha:fee8131bc00a2eaeeda657e4b0973d9e4383aa89
  • alt-php72-cli_7.2.34-74_amd64.deb
    sha:5969faa2b9cd0bbeb19c20ae9bf49ca4dee6eb8e
  • alt-php72-common_7.2.34-74_amd64.deb
    sha:03ad41b2972e6166c16fa83e7de5fbad0ce6f751
  • alt-php72-dba_7.2.34-74_amd64.deb
    sha:e8e13706358475bd79f19e7ca564504eb703a56c
  • alt-php72-dev_7.2.34-74_amd64.deb
    sha:bd336f17632dd13106e45e5e88897242f088aace
  • alt-php72-enchant_7.2.34-74_amd64.deb
    sha:43d32ff80e0fa907f568f4073d3bf182dd923ba7
  • alt-php72-firebird_7.2.34-74_amd64.deb
    sha:016a50f5ad62ebb35cc0c9434ddc98e0c7564a57
  • alt-php72-fpm_7.2.34-74_amd64.deb
    sha:6966e2a1245d08fe4db8185a1ad9cde472fcdac2
  • alt-php72-gd_7.2.34-74_amd64.deb
    sha:f703b4cd07812212bb1e793d95741794e756e678
  • alt-php72-imap_7.2.34-74_amd64.deb
    sha:1a9f22335b69c6bd2f6a1fc0011577aba5c6e42c
  • alt-php72-intl_7.2.34-74_amd64.deb
    sha:d5967c470570e192aa0686f041dc3e58e62ef3e9
  • alt-php72-ldap_7.2.34-74_amd64.deb
    sha:10d46caa104f5ba723a4f44c9f24fd8e612eb024
  • alt-php72-mbstring_7.2.34-74_amd64.deb
    sha:cb7d5ae839b75dc27812f10fe836f7c72158acbe
  • alt-php72-mysqlnd_7.2.34-74_amd64.deb
    sha:2321f349767df133a785a22690f183ce5bfdb0cf
  • alt-php72-odbc_7.2.34-74_amd64.deb
    sha:4e87607b3764219f1186eb91934973430c294652
  • alt-php72-opcache_7.2.34-74_amd64.deb
    sha:3d3ac978c7bd77b3456eb684b400314fb58ef92d
  • alt-php72-pdo_7.2.34-74_amd64.deb
    sha:0e14b9b9e8b83f3509148de02053b4fa08f50246
  • alt-php72-pgsql_7.2.34-74_amd64.deb
    sha:92025e48e97c1830fe2727bcf7c4fc9874c0fd08
  • alt-php72-process_7.2.34-74_amd64.deb
    sha:b76a502bcc57e4bc4a11ed80b9b366726b1d0ee7
  • alt-php72-pspell_7.2.34-74_amd64.deb
    sha:384939b5256d8e0325c28495a3d20c9ffa653dab
  • alt-php72-recode_7.2.34-74_amd64.deb
    sha:a9f52eb69569a07458ef6c319efd7c947f3660fc
  • alt-php72-snmp_7.2.34-74_amd64.deb
    sha:d9ba818aa5a1385be66c456b21ca208d1951fd0c
  • alt-php72-soap_7.2.34-74_amd64.deb
    sha:7b1f53c166326cdf2ba7c17ec95df423ab7363d6
  • alt-php72-sodium_7.2.34-74_amd64.deb
    sha:2b3d8eb51b3f7f44e4c0eaa8d5c2524868d74884
  • alt-php72-tidy_7.2.34-74_amd64.deb
    sha:98c6363005548b4a65a906e8c2c26ab8a0ec5dd5
  • alt-php72-xml_7.2.34-74_amd64.deb
    sha:02a92ea6b0d30f1e16dce4ca2c55735647622932
  • alt-php72-xmlrpc_7.2.34-74_amd64.deb
    sha:04e70d61e0ad6ea89f8a8b7357bde4555bc46325
Notes:
This page is generated automatically and has not been checked for errors. For clarification or corrections please contact the CloudLinux Packaging Team.