[CLSA-2026:1779458678] Fix of 5 CVEs
Type:
security
Severity:
Critical
Release date:
2026-05-22 14:04:44 UTC
Description:
* SECURITY UPDATE: soap extension use-after-free via apache:Map duplicate keys - debian/patches/php-7.2-CVE-2026-6722.patch: backport upstream commit aee3b3ac9b in ext/soap/php_encoding.c — add Z_TRY_ADDREF_P on soap_add_xml_ref insertion and change SOAP_GLOBAL(ref_map) destructor to ZVAL_PTR_DTOR. - CVE-2026-6722 * SECURITY UPDATE: soap extension NULL pointer dereference via apache:Map item missing element - debian/patches/php-7.2-CVE-2026-7262.patch: backport upstream commit 79551ab8b1 in ext/soap/php_encoding.c — fix typo'd null check in to_zval_map() (was checking xmlKey, should check xmlValue). - CVE-2026-7262 * SECURITY UPDATE: php-fpm status endpoint XSS via unescaped request_uri - debian/patches/php-7.2-CVE-2026-6735.patch: backport upstream commit 99a5ad7441 in sapi/fpm/fpm/fpm_status.c — escape proc.request_uri with php_escape_html_entities_ex() and fix the broken "ENT_HTML_IGNORE_ERRORS & ENT_COMPAT" flag (bitwise-AND of two flag constants evaluates to 0). Adapted to 7.x layout (struct access "proc.X", single encode flag, older 6-arg php_escape_html_entities_ex signature). - CVE-2026-6735 * SECURITY UPDATE: soap SoapServer use-after-free after header parsing failure when SOAP_PERSISTENCE_SESSION is set - debian/patches/php-7.2-CVE-2026-7261.patch: backport upstream commit db2a7f9348 in ext/soap/soap.c — guard both zval_ptr_dtor(soap_obj) call sites in PHP_METHOD(SoapServer, handle) with "if (service->soap_class.persistence != SOAP_PERSISTENCE_SESSION)". - CVE-2026-7261 * SECURITY UPDATE: metaphone() signed integer overflow on >INT_MAX input - debian/patches/php-7.2-CVE-2026-7568.patch: backport upstream commit 47def8ce1d in ext/standard/metaphone.c — retype w_idx and Lookahead's how_far/idx from int to size_t to avoid signed overflow while walking strings larger than 2 GB on 64-bit builds. - CVE-2026-7568
Updated packages:
  • alt-php72_7.2.34-74_amd64.deb
    sha:d89c6ae76ae55f00c7324d5c8a2e309b19e7dfea
  • alt-php72-bcmath_7.2.34-74_amd64.deb
    sha:bb6e27b7d5dc9bf3658ab2523c5d077bb526786e
  • alt-php72-cli_7.2.34-74_amd64.deb
    sha:bfff0f86e8e74c57ae459ed2e83c2e0dada3c32c
  • alt-php72-common_7.2.34-74_amd64.deb
    sha:265b44f91201085d2ac177f356abc5856b39a78f
  • alt-php72-dba_7.2.34-74_amd64.deb
    sha:c8386a71ebb2bef29187af08e83f0341e29353f4
  • alt-php72-dev_7.2.34-74_amd64.deb
    sha:7c525ebd6842bd1c0779151e8e062088456e4375
  • alt-php72-enchant_7.2.34-74_amd64.deb
    sha:d1495d8f607739d8a04717e5b5265d55baea0a18
  • alt-php72-firebird_7.2.34-74_amd64.deb
    sha:4d26357b7c9c10597ea28eba046db847c0ec02fb
  • alt-php72-fpm_7.2.34-74_amd64.deb
    sha:55bc5fc6203b59bf2a51b3a68364f1a3a538f9e1
  • alt-php72-gd_7.2.34-74_amd64.deb
    sha:5c4c8fb1f34e4443d7f0c43a15fcf876c5cae6da
  • alt-php72-imap_7.2.34-74_amd64.deb
    sha:fb5e2995c4f2025a785ac5d6463caf33fae56189
  • alt-php72-intl_7.2.34-74_amd64.deb
    sha:c29f2ab5adc9e6cbbd24149adf71da3eec2c94fb
  • alt-php72-ldap_7.2.34-74_amd64.deb
    sha:ae7228559d8d8dbd209e9a569c915de628dbede8
  • alt-php72-mbstring_7.2.34-74_amd64.deb
    sha:69bf1a0d111068eb26f082225c5a56a93f471aa9
  • alt-php72-mysqlnd_7.2.34-74_amd64.deb
    sha:ba3951f2bcd3aba62dd9adfef7e2a3d1d9bd752b
  • alt-php72-odbc_7.2.34-74_amd64.deb
    sha:bf3bcbfe441ee9037cae985440b52d3d9c508358
  • alt-php72-opcache_7.2.34-74_amd64.deb
    sha:307639aa19d578b94c87dc794ecdf20a59e4467d
  • alt-php72-pdo_7.2.34-74_amd64.deb
    sha:4aecfb1f95f97043595ebb37a10d5a59682aa83d
  • alt-php72-pgsql_7.2.34-74_amd64.deb
    sha:efadcad5d3436e6555dfcefdbb58783e23618338
  • alt-php72-process_7.2.34-74_amd64.deb
    sha:2f39460c5c688a3d03ff552a8d977b4c4a90dc81
  • alt-php72-pspell_7.2.34-74_amd64.deb
    sha:cd4883410739c63b6ec7248ce0ccf5f14f5dfe89
  • alt-php72-recode_7.2.34-74_amd64.deb
    sha:47d3750017ef795f6dfa2e580905be29ac7d6b26
  • alt-php72-snmp_7.2.34-74_amd64.deb
    sha:b75cb921b824f4e59de44debcdf3f0fadf326558
  • alt-php72-soap_7.2.34-74_amd64.deb
    sha:6d592d585396f3f3dfc8600b275771573dfeea91
  • alt-php72-sodium_7.2.34-74_amd64.deb
    sha:c8e71e1cd482c9bf9b3897dd5396eb3f77c2fec1
  • alt-php72-tidy_7.2.34-74_amd64.deb
    sha:1c635ce7057c2cbf7c21646499215bab7fcb3f0a
  • alt-php72-xml_7.2.34-74_amd64.deb
    sha:6a8b0ecd44c1ab87b48373343868d39466849025
  • alt-php72-xmlrpc_7.2.34-74_amd64.deb
    sha:426aebf007df5212dd9c456e94f2dc425baad104
Notes:
This page is generated automatically and has not been checked for errors. For clarification or corrections please contact the CloudLinux Packaging Team.