[CLSA-2026:1779447015] Fix of 5 CVEs
Type:
security
Severity:
Critical
Release date:
2026-05-22 10:50:21 UTC
Description:
* SECURITY UPDATE: soap extension use-after-free via apache:Map duplicate keys - debian/patches/php-7.2-CVE-2026-6722.patch: backport upstream commit aee3b3ac9b in ext/soap/php_encoding.c — add Z_TRY_ADDREF_P on soap_add_xml_ref insertion and change SOAP_GLOBAL(ref_map) destructor to ZVAL_PTR_DTOR. - CVE-2026-6722 * SECURITY UPDATE: soap extension NULL pointer dereference via apache:Map item missing element - debian/patches/php-7.2-CVE-2026-7262.patch: backport upstream commit 79551ab8b1 in ext/soap/php_encoding.c — fix typo'd null check in to_zval_map() (was checking xmlKey, should check xmlValue). - CVE-2026-7262 * SECURITY UPDATE: php-fpm status endpoint XSS via unescaped request_uri - debian/patches/php-7.2-CVE-2026-6735.patch: backport upstream commit 99a5ad7441 in sapi/fpm/fpm/fpm_status.c — escape proc.request_uri with php_escape_html_entities_ex() and fix the broken "ENT_HTML_IGNORE_ERRORS & ENT_COMPAT" flag (bitwise-AND of two flag constants evaluates to 0). Adapted to 7.x layout (struct access "proc.X", single encode flag, older 6-arg php_escape_html_entities_ex signature). - CVE-2026-6735 * SECURITY UPDATE: soap SoapServer use-after-free after header parsing failure when SOAP_PERSISTENCE_SESSION is set - debian/patches/php-7.2-CVE-2026-7261.patch: backport upstream commit db2a7f9348 in ext/soap/soap.c — guard both zval_ptr_dtor(soap_obj) call sites in PHP_METHOD(SoapServer, handle) with "if (service->soap_class.persistence != SOAP_PERSISTENCE_SESSION)". - CVE-2026-7261 * SECURITY UPDATE: metaphone() signed integer overflow on >INT_MAX input - debian/patches/php-7.2-CVE-2026-7568.patch: backport upstream commit 47def8ce1d in ext/standard/metaphone.c — retype w_idx and Lookahead's how_far/idx from int to size_t to avoid signed overflow while walking strings larger than 2 GB on 64-bit builds. - CVE-2026-7568
Updated packages:
  • alt-php72_7.2.34-74_amd64.deb
    sha:d89c6ae76ae55f00c7324d5c8a2e309b19e7dfea
  • alt-php72-bcmath_7.2.34-74_amd64.deb
    sha:ce051a5be607f3d10792dcbc62301e7406a81672
  • alt-php72-cli_7.2.34-74_amd64.deb
    sha:af1723f5ff6106ccb6f92c6d17abff01a7a4f787
  • alt-php72-common_7.2.34-74_amd64.deb
    sha:fc92671adb7efca336f9a8f01855f7b614c223a5
  • alt-php72-dba_7.2.34-74_amd64.deb
    sha:232646255b37f5922917b67c07ae953661252fcd
  • alt-php72-dev_7.2.34-74_amd64.deb
    sha:600efc399a0926fc2401617fd433f426a4bff487
  • alt-php72-enchant_7.2.34-74_amd64.deb
    sha:df50b9886b51021ad587fc6f73aa2ddf9619734a
  • alt-php72-firebird_7.2.34-74_amd64.deb
    sha:a1c7eeb2892693a661112a99093542cf914e9a25
  • alt-php72-fpm_7.2.34-74_amd64.deb
    sha:8d5b1850683bf0051155f95c1f4159375320c6ac
  • alt-php72-gd_7.2.34-74_amd64.deb
    sha:57eb4a98654c087519eef553e5dc235cb3045f1c
  • alt-php72-imap_7.2.34-74_amd64.deb
    sha:c54dbe45e2904989750eaea7a5399efedba84b2b
  • alt-php72-intl_7.2.34-74_amd64.deb
    sha:722b35994b1b67cb475e5fcc482503da6490425f
  • alt-php72-ldap_7.2.34-74_amd64.deb
    sha:718e3341bef3205e9f8cea23c3e108fc600fbef3
  • alt-php72-mbstring_7.2.34-74_amd64.deb
    sha:8f4849244913400f5ed94b703a8c0938025a6820
  • alt-php72-mysqlnd_7.2.34-74_amd64.deb
    sha:f5aebfc6da5c975cfa20f6d28af5cdb0bf215832
  • alt-php72-odbc_7.2.34-74_amd64.deb
    sha:3dca88ee695dcc225e145daf79e8e10c7b21e920
  • alt-php72-opcache_7.2.34-74_amd64.deb
    sha:72b9fb64f4d0b810d027c31edee3121c69d17c98
  • alt-php72-pdo_7.2.34-74_amd64.deb
    sha:5399e48db209d27b773d2337e18ee09b619d5bde
  • alt-php72-pgsql_7.2.34-74_amd64.deb
    sha:e1190f7af96d46c1da17cde7c8ef7153b749d9f3
  • alt-php72-process_7.2.34-74_amd64.deb
    sha:46725de1f20f188d9f1c64fa03ba03c32299e938
  • alt-php72-pspell_7.2.34-74_amd64.deb
    sha:ee3bc1656897c4640751300f8ac963920852d097
  • alt-php72-recode_7.2.34-74_amd64.deb
    sha:21fd9c407c094b3fe4468bf74543af4a45488d81
  • alt-php72-snmp_7.2.34-74_amd64.deb
    sha:d5a77ce7f9cd400f96d92973dbdc8f028276e8ad
  • alt-php72-soap_7.2.34-74_amd64.deb
    sha:8834547cb7c30980f2e0c9bfb5e898d6f6aefd26
  • alt-php72-sodium_7.2.34-74_amd64.deb
    sha:1884fe449f71072749079d01f87f772d3ed543cd
  • alt-php72-tidy_7.2.34-74_amd64.deb
    sha:57e6c5703a8431c7f62d991fa05cbdce3b4092c1
  • alt-php72-xml_7.2.34-74_amd64.deb
    sha:d19613e7ab1e7135f985830d8100ba16731dcf5f
  • alt-php72-xmlrpc_7.2.34-74_amd64.deb
    sha:45192c9def0e5fec7b7fa99b4a7616fd5a71116f
Notes:
This page is generated automatically and has not been checked for errors. For clarification or corrections please contact the CloudLinux Packaging Team.