Release date:
2026-05-22 08:30:40 UTC
Description:
* SECURITY UPDATE: soap extension use-after-free via apache:Map duplicate keys
- debian/patches/php-5.2-CVE-2026-6722.patch: backport upstream commit
aee3b3ac9b in ext/soap/php_encoding.c — adapt addref/dtor changes
to pre-PHP7 zval** SOAP API.
- Note: the 5.2 backport applies the addref half of the upstream fix only;
the matching ref_map destructor change (NULL -> ZVAL_PTR_DTOR) is
intentionally omitted because in 5.x ref_map is heterogeneous (stores
both xmlNodePtr and zval* entries through the same API) and a
ZVAL_PTR_DTOR would corrupt the xmlNodePtr entries. The addref alone
closes the UAF; cost is one bounded zval leak per request, released
with the emalloc pool at RSHUTDOWN.
- CVE-2026-6722
* SECURITY UPDATE: soap extension NULL pointer dereference via apache:Map
item missing element
- debian/patches/php-5.2-CVE-2026-7262.patch: backport upstream commit
79551ab8b1 in ext/soap/php_encoding.c — fix typo'd null check in
to_zval_map() (was checking xmlKey, should check xmlValue).
- CVE-2026-7262
* SECURITY UPDATE: soap extension use-after-free after header parsing
failure with SOAP_PERSISTENCE_SESSION
- debian/patches/php-5.2-CVE-2026-7261.patch: backport upstream commit
db2a7f9348 in ext/soap/soap.c — wrap both zval_ptr_dtor(&soap_obj)
sites in the header-handler failure paths with a
persistance!=SOAP_PERSISTENCE_SESSION guard.
- CVE-2026-7261
Updated packages:
-
alt-php52_5.2.17-221_amd64.deb
sha:59474cb1c55685fe836c920f05ba9627769208e2
-
alt-php52-bcmath_5.2.17-221_amd64.deb
sha:89f5401bb84ff201e39a1ffeb88285d8a6d79988
-
alt-php52-cli_5.2.17-221_amd64.deb
sha:c77e5439532efa5b0bb91aa04216efa8fbcb6f56
-
alt-php52-common_5.2.17-221_amd64.deb
sha:03f1b06fb97266ee26f2f193c2829361175e542d
-
alt-php52-dba_5.2.17-221_amd64.deb
sha:e0e62d8d89163e4e82fdb314ce025104f5eb1968
-
alt-php52-dbx_5.2.17-221_amd64.deb
sha:b885eeba5d43f5d24e1f1fcc2e17744008689246
-
alt-php52-dev_5.2.17-221_amd64.deb
sha:f5b88b278d319466fb83fb05f93a4be90a59321f
-
alt-php52-enchant_5.2.17-221_amd64.deb
sha:56b1f17ab7c902df82597d00beb3062ebf8fddaf
-
alt-php52-firebird_5.2.17-221_amd64.deb
sha:018b70a3900bd876b0e2d37e666a04a1cb265f0c
-
alt-php52-gd_5.2.17-221_amd64.deb
sha:ac8be969ac3e360c9659f79c249a610dbfc461cb
-
alt-php52-imap_5.2.17-221_amd64.deb
sha:f0e14c8396ec709bba01132658cecdebdda7108f
-
alt-php52-intl_5.2.17-221_amd64.deb
sha:fea5ca4fc1b6d9f71df1ba772478142c632043d2
-
alt-php52-ldap_5.2.17-221_amd64.deb
sha:62015a714f0132b7cb0161602afc59338c3912e9
-
alt-php52-mbstring_5.2.17-221_amd64.deb
sha:66f78691128505ad991a415f32cd2b90df11b6c1
-
alt-php52-mcrypt_5.2.17-221_amd64.deb
sha:2baf73781b305b8b56693d314f188443885de617
-
alt-php52-mysqlnd_5.2.17-221_amd64.deb
sha:cb6c1ebe1f9422643dad8035d788121d37361906
-
alt-php52-odbc_5.2.17-221_amd64.deb
sha:d452e90bfdd7593933cdee4ab0d4e9c0c8c63504
-
alt-php52-pdo_5.2.17-221_amd64.deb
sha:78488296d62179b9bfaf3109d033d100501949a6
-
alt-php52-pgsql_5.2.17-221_amd64.deb
sha:f2ad7e9b5d6f36d5c4c4c77da620f11b5f76c42c
-
alt-php52-process_5.2.17-221_amd64.deb
sha:a1aa8c6e7b03b6f1b41c1503bfb56add63f6c721
-
alt-php52-pspell_5.2.17-221_amd64.deb
sha:1ca7190a2fe21c13e0dcce7bb813771d277de3b4
-
alt-php52-recode_5.2.17-221_amd64.deb
sha:2c6e5d381715843f1e0e755139cd76275ab40fa8
-
alt-php52-snmp_5.2.17-221_amd64.deb
sha:52041b1e81d9d4698945e63c37caa61a72243297
-
alt-php52-soap_5.2.17-221_amd64.deb
sha:df92a831fa2213b97ec8a41a9ab25aa29d78c031
-
alt-php52-sqlite_5.2.17-221_amd64.deb
sha:b631a885035473a69d313c3384cf4a5304747c7e
-
alt-php52-sybase_5.2.17-221_amd64.deb
sha:2ef7805cead6dc920d557059d3c8a2b9b3990fdc
-
alt-php52-tidy_5.2.17-221_amd64.deb
sha:625844ac4ac500f02963f34bb896739b555f8e74
-
alt-php52-xml_5.2.17-221_amd64.deb
sha:a8f721ac79f9581b83f228daffcfbe96e252aa5e
-
alt-php52-xmlrpc_5.2.17-221_amd64.deb
sha:ad4f41249f88505db11d37412e75165fa52b2625
Notes:
This page is generated automatically and has not been checked for errors. For clarification or
corrections please contact the
CloudLinux Packaging Team.
