[CLSA-2026:1779449495] Fix of 5 CVEs
Type:
security
Severity:
Critical
Release date:
2026-05-22 11:31:39 UTC
Description:
* SECURITY UPDATE: soap extension use-after-free via apache:Map duplicate keys - debian/patches/php-7.0-CVE-2026-6722.patch: backport upstream commit aee3b3ac9b in ext/soap/php_encoding.c — add Z_TRY_ADDREF_P on soap_add_xml_ref insertion and change SOAP_GLOBAL(ref_map) destructor to ZVAL_PTR_DTOR. - CVE-2026-6722 * SECURITY UPDATE: soap extension NULL pointer dereference via apache:Map item missing element - debian/patches/php-7.0-CVE-2026-7262.patch: backport upstream commit 79551ab8b1 in ext/soap/php_encoding.c — fix typo'd null check in to_zval_map() (was checking xmlKey, should check xmlValue). - CVE-2026-7262 * SECURITY UPDATE: php-fpm status endpoint XSS via unescaped request_uri - debian/patches/php-7.0-CVE-2026-6735.patch: backport upstream commit 99a5ad7441 in sapi/fpm/fpm/fpm_status.c — escape proc.request_uri with php_escape_html_entities_ex() and fix the broken "ENT_HTML_IGNORE_ERRORS & ENT_COMPAT" flag (bitwise-AND of two flag constants evaluates to 0). Adapted to 7.x layout (struct access "proc.X", single encode flag, older 6-arg php_escape_html_entities_ex signature). - CVE-2026-6735 * SECURITY UPDATE: soap SoapServer use-after-free after header parsing failure when SOAP_PERSISTENCE_SESSION is set - debian/patches/php-7.0-CVE-2026-7261.patch: backport upstream commit db2a7f9348 in ext/soap/soap.c — guard both zval_ptr_dtor(soap_obj) call sites in PHP_METHOD(SoapServer, handle) with "if (service->soap_class.persistence != SOAP_PERSISTENCE_SESSION)". - CVE-2026-7261 * SECURITY UPDATE: metaphone() signed integer overflow on >INT_MAX input - debian/patches/php-7.0-CVE-2026-7568.patch: backport upstream commit 47def8ce1d in ext/standard/metaphone.c — retype w_idx and Lookahead's how_far/idx from int to size_t to avoid signed overflow while walking strings larger than 2 GB on 64-bit builds. - CVE-2026-7568
Updated packages:
  • alt-php70_7.0.33-124_amd64.deb
    sha:ca150404b2c579786242619deab7e095a4ffda21
  • alt-php70-bcmath_7.0.33-124_amd64.deb
    sha:3aa91b4e42b6d97af868b633355a10f36a10b69a
  • alt-php70-cli_7.0.33-124_amd64.deb
    sha:db1d62946a17c7340e77a7414fed5a2d6eab0251
  • alt-php70-common_7.0.33-124_amd64.deb
    sha:7198fe9c6ef79e996c789a2a9ed6bcd63b28afc8
  • alt-php70-dba_7.0.33-124_amd64.deb
    sha:089e2065889885b9bd76c1df9757bca0535a6295
  • alt-php70-dev_7.0.33-124_amd64.deb
    sha:892ec132fef538b5305f55b42582a0cbf60c39a3
  • alt-php70-enchant_7.0.33-124_amd64.deb
    sha:2fdc5ee956a674efaf02946eccc6d417528d29e9
  • alt-php70-firebird_7.0.33-124_amd64.deb
    sha:2fc71eda0e159ed49ff21548d8adb9a44a10fd65
  • alt-php70-fpm_7.0.33-124_amd64.deb
    sha:29a8b1c6e952613ea5fda720488f2f4d4aae4d21
  • alt-php70-gd_7.0.33-124_amd64.deb
    sha:d3f5f73f9609b5d0bb4b3bfd3e0f88737ca7b254
  • alt-php70-imap_7.0.33-124_amd64.deb
    sha:6e80831e0523b2c55a05420166b8d428c5060894
  • alt-php70-intl_7.0.33-124_amd64.deb
    sha:101c1b17aade27e61ec6be30249b315f15986841
  • alt-php70-ldap_7.0.33-124_amd64.deb
    sha:dc3fb3379f6b582526987324c1e47552c4d15805
  • alt-php70-mbstring_7.0.33-124_amd64.deb
    sha:25286837ad5c06cab5cc6fa9d453780ca6d125b2
  • alt-php70-mcrypt_7.0.33-124_amd64.deb
    sha:7b3c3db51e62ec1457a70f34bef9d556622c4c90
  • alt-php70-mysqlnd_7.0.33-124_amd64.deb
    sha:a60489823bcae444ea4f5f12906f38c4aafba6c9
  • alt-php70-odbc_7.0.33-124_amd64.deb
    sha:19c4888f4e96715d46166588ff984d34114ec7c5
  • alt-php70-opcache_7.0.33-124_amd64.deb
    sha:1f30000705f4055125e3d0971d679b8854898d32
  • alt-php70-pdo_7.0.33-124_amd64.deb
    sha:89c98bec05b1f9fe41e28461048a76fa26cf99ba
  • alt-php70-pgsql_7.0.33-124_amd64.deb
    sha:bc18131e52a412293b4eeb18126e9e3886b285aa
  • alt-php70-process_7.0.33-124_amd64.deb
    sha:edb93a72aa31c78a76c18f6d5a6244292942298a
  • alt-php70-pspell_7.0.33-124_amd64.deb
    sha:7efe562181cd9f02b4789eab932bfb3d8e8aa8af
  • alt-php70-recode_7.0.33-124_amd64.deb
    sha:480cc551594683873613efc6f7cdf4ecaf954733
  • alt-php70-snmp_7.0.33-124_amd64.deb
    sha:60f4cfa6bac05231b4f9fb0739bf809e5217c406
  • alt-php70-soap_7.0.33-124_amd64.deb
    sha:ccae62cd5eedaff3887da4507611751213c1eff8
  • alt-php70-tidy_7.0.33-124_amd64.deb
    sha:bacde6183290ddc6464aa756a9b0a42d1b12a6ce
  • alt-php70-xml_7.0.33-124_amd64.deb
    sha:14b2e9b50127f612c411e53eb1554c3488a790ee
  • alt-php70-xmlrpc_7.0.33-124_amd64.deb
    sha:289c6f0db839591a4e14df3b2ad763aa2b74bef4
Notes:
This page is generated automatically and has not been checked for errors. For clarification or corrections please contact the CloudLinux Packaging Team.