[CLSA-2026:1779468124] Fix of 5 CVEs
Type:
security
Severity:
Critical
Release date:
2026-05-22 16:42:10 UTC
Description:
* SECURITY UPDATE: soap extension use-after-free via apache:Map duplicate keys - debian/patches/php-7.3-CVE-2026-6722.patch: backport upstream commit aee3b3ac9b in ext/soap/php_encoding.c — add Z_TRY_ADDREF_P on soap_add_xml_ref insertion and change SOAP_GLOBAL(ref_map) destructor to ZVAL_PTR_DTOR. - CVE-2026-6722 * SECURITY UPDATE: soap extension NULL pointer dereference via apache:Map item missing element - debian/patches/php-7.3-CVE-2026-7262.patch: backport upstream commit 79551ab8b1 in ext/soap/php_encoding.c — fix typo'd null check in to_zval_map() (was checking xmlKey, should check xmlValue). - CVE-2026-7262 * SECURITY UPDATE: php-fpm status endpoint XSS via unescaped request_uri - debian/patches/php-7.3-CVE-2026-6735.patch: backport upstream commit 99a5ad7441 in sapi/fpm/fpm/fpm_status.c — escape proc.request_uri with php_escape_html_entities_ex() and fix the broken "ENT_HTML_IGNORE_ERRORS & ENT_COMPAT" flag (bitwise-AND of two flag constants evaluates to 0). Adapted to 7.x layout (struct access "proc.X", single encode flag, older 6-arg php_escape_html_entities_ex signature). - CVE-2026-6735 * SECURITY UPDATE: soap SoapServer use-after-free after header parsing failure when SOAP_PERSISTENCE_SESSION is set - debian/patches/php-7.3-CVE-2026-7261.patch: backport upstream commit db2a7f9348 in ext/soap/soap.c — guard both zval_ptr_dtor(soap_obj) call sites in PHP_METHOD(SoapServer, handle) with "if (service->soap_class.persistence != SOAP_PERSISTENCE_SESSION)". - CVE-2026-7261 * SECURITY UPDATE: metaphone() signed integer overflow on >INT_MAX input - debian/patches/php-7.3-CVE-2026-7568.patch: backport upstream commit 47def8ce1d in ext/standard/metaphone.c — retype w_idx and Lookahead's how_far/idx from int to size_t to avoid signed overflow while walking strings larger than 2 GB on 64-bit builds. - CVE-2026-7568
Updated packages:
  • alt-php73_7.3.33-59_amd64.deb
    sha:60a60f0dc3a400321dc47bf864bdbc6a42cde9cd
  • alt-php73-bcmath_7.3.33-59_amd64.deb
    sha:8b90a726bb57caa6fc4e3b6a9a52d4b54ece8882
  • alt-php73-cli_7.3.33-59_amd64.deb
    sha:de4d8a5d998bd21de05c476fef44aac3ab897e1f
  • alt-php73-common_7.3.33-59_amd64.deb
    sha:5cca59c46cedd75a1477e8e5c92701e79281e265
  • alt-php73-dba_7.3.33-59_amd64.deb
    sha:3c49cece8eb92a6d3a11476f7d6b2c522c24956d
  • alt-php73-dev_7.3.33-59_amd64.deb
    sha:4acc90b45c11af67c3e8b4ae0a85231086395d95
  • alt-php73-enchant_7.3.33-59_amd64.deb
    sha:51d37a65651cbfbc6cd3ff256c3b1fb8c7920525
  • alt-php73-firebird_7.3.33-59_amd64.deb
    sha:80cad544b74b7e6047d2da20b1e37d4a7025398b
  • alt-php73-fpm_7.3.33-59_amd64.deb
    sha:6dd00e1683e96c48f402a1eec07447156fead79b
  • alt-php73-gd_7.3.33-59_amd64.deb
    sha:da1aa8f9ce6a173b7ff6fb87f537363f9ca8f96c
  • alt-php73-imap_7.3.33-59_amd64.deb
    sha:3f3c0475bd0d41adb24cbb5b73a5eab9ee07d4f3
  • alt-php73-intl_7.3.33-59_amd64.deb
    sha:900c4ad28536b6cce70027edeb95929f5dd09f6b
  • alt-php73-ldap_7.3.33-59_amd64.deb
    sha:1b08339741727974a714ebdaf753fe66d4e75eee
  • alt-php73-mbstring_7.3.33-59_amd64.deb
    sha:5e648447db09c68bbf9eb0fbe0e40dfe4dd31c63
  • alt-php73-mysqlnd_7.3.33-59_amd64.deb
    sha:5d323f1e40e524203939ff2f0f023ecc182aa56d
  • alt-php73-odbc_7.3.33-59_amd64.deb
    sha:fb18edc105854c10300f2e41f84671f680ea4b10
  • alt-php73-opcache_7.3.33-59_amd64.deb
    sha:9a5010c011b7f9df803a4fc93df00a86003eed4b
  • alt-php73-pdo_7.3.33-59_amd64.deb
    sha:ceb8f7393483957562aaf2b739e539c9a89d9f72
  • alt-php73-pgsql_7.3.33-59_amd64.deb
    sha:ff219c0e297f21ffba004f947b8390bbd1bff9d7
  • alt-php73-process_7.3.33-59_amd64.deb
    sha:15a296c0448576bb9caed57480845c81b867d819
  • alt-php73-pspell_7.3.33-59_amd64.deb
    sha:d91d7364930a4dac8a4a2794c9c9ccbcd1c9a34c
  • alt-php73-recode_7.3.33-59_amd64.deb
    sha:c868dd3cb19e186f645137e203b95f12bbfed2ff
  • alt-php73-snmp_7.3.33-59_amd64.deb
    sha:030c2d3cf8c46c88b167bdae5579da09b2c3c4cb
  • alt-php73-soap_7.3.33-59_amd64.deb
    sha:da8c00b42013d9c07ef395ecef44b86b9db9b9e4
  • alt-php73-sodium_7.3.33-59_amd64.deb
    sha:092b45728f9eb35f2cc57a5a82ed9c01fe44ca54
  • alt-php73-tidy_7.3.33-59_amd64.deb
    sha:22d1aeef54c2ebc458b1ff6cf4e649e5aab816fe
  • alt-php73-xml_7.3.33-59_amd64.deb
    sha:10fc85d9aec1a7f18b320fdcf28a565f6d67c0c5
  • alt-php73-xmlrpc_7.3.33-59_amd64.deb
    sha:3fcca990202583a23aa0d63057027d38a68e1af8
Notes:
This page is generated automatically and has not been checked for errors. For clarification or corrections please contact the CloudLinux Packaging Team.