[CLSA-2026:1779453493] Fix of 5 CVEs
Type:
security
Severity:
Critical
Release date:
2026-05-22 12:38:20 UTC
Description:
* SECURITY UPDATE: soap extension use-after-free via apache:Map duplicate keys - debian/patches/php-7.0-CVE-2026-6722.patch: backport upstream commit aee3b3ac9b in ext/soap/php_encoding.c — add Z_TRY_ADDREF_P on soap_add_xml_ref insertion and change SOAP_GLOBAL(ref_map) destructor to ZVAL_PTR_DTOR. - CVE-2026-6722 * SECURITY UPDATE: soap extension NULL pointer dereference via apache:Map item missing element - debian/patches/php-7.0-CVE-2026-7262.patch: backport upstream commit 79551ab8b1 in ext/soap/php_encoding.c — fix typo'd null check in to_zval_map() (was checking xmlKey, should check xmlValue). - CVE-2026-7262 * SECURITY UPDATE: php-fpm status endpoint XSS via unescaped request_uri - debian/patches/php-7.0-CVE-2026-6735.patch: backport upstream commit 99a5ad7441 in sapi/fpm/fpm/fpm_status.c — escape proc.request_uri with php_escape_html_entities_ex() and fix the broken "ENT_HTML_IGNORE_ERRORS & ENT_COMPAT" flag (bitwise-AND of two flag constants evaluates to 0). Adapted to 7.x layout (struct access "proc.X", single encode flag, older 6-arg php_escape_html_entities_ex signature). - CVE-2026-6735 * SECURITY UPDATE: soap SoapServer use-after-free after header parsing failure when SOAP_PERSISTENCE_SESSION is set - debian/patches/php-7.0-CVE-2026-7261.patch: backport upstream commit db2a7f9348 in ext/soap/soap.c — guard both zval_ptr_dtor(soap_obj) call sites in PHP_METHOD(SoapServer, handle) with "if (service->soap_class.persistence != SOAP_PERSISTENCE_SESSION)". - CVE-2026-7261 * SECURITY UPDATE: metaphone() signed integer overflow on >INT_MAX input - debian/patches/php-7.0-CVE-2026-7568.patch: backport upstream commit 47def8ce1d in ext/standard/metaphone.c — retype w_idx and Lookahead's how_far/idx from int to size_t to avoid signed overflow while walking strings larger than 2 GB on 64-bit builds. - CVE-2026-7568
Updated packages:
  • alt-php70_7.0.33-124_amd64.deb
    sha:06ce1bef7da373f92b5728eaa360a1d16872c944
  • alt-php70-bcmath_7.0.33-124_amd64.deb
    sha:449bf7fd503df8ffdb21a433d1772163497fde18
  • alt-php70-cli_7.0.33-124_amd64.deb
    sha:595f84d76c86f66f01d81186a63eadf3029da2eb
  • alt-php70-common_7.0.33-124_amd64.deb
    sha:0e5ca13bd6f3c0cada3c1e368a0cf779745a86f1
  • alt-php70-dba_7.0.33-124_amd64.deb
    sha:e279846ff443489923281a707d68fd6571b6b7e1
  • alt-php70-dev_7.0.33-124_amd64.deb
    sha:d5994ab966343dfaf642b089f7a0240d496f4137
  • alt-php70-enchant_7.0.33-124_amd64.deb
    sha:fa9df33e0311a6f4bf05140fcce6abe3802056a2
  • alt-php70-firebird_7.0.33-124_amd64.deb
    sha:d5a1fd324e50eab609901b51083b21390af74969
  • alt-php70-fpm_7.0.33-124_amd64.deb
    sha:6c0d7fe8023c1a8f0251f417ceaecd39c03dac11
  • alt-php70-gd_7.0.33-124_amd64.deb
    sha:2799496ad64c880cf19e5cb1ea6d71dfd52f52a0
  • alt-php70-imap_7.0.33-124_amd64.deb
    sha:6471994a9b67617ab4341b6ab23a7646043a4a11
  • alt-php70-intl_7.0.33-124_amd64.deb
    sha:bc7e9aad7f59b932df58f030e7fe9b1eaffdf7dd
  • alt-php70-ldap_7.0.33-124_amd64.deb
    sha:7ee2524a0ea65240434d19572d984772c8736f9c
  • alt-php70-mbstring_7.0.33-124_amd64.deb
    sha:f09334b9c14dcbf1c97afa986f77cb61a4af75e8
  • alt-php70-mcrypt_7.0.33-124_amd64.deb
    sha:8f4d5bf4b9a29a8bd40b260a6dcb408b2c295d91
  • alt-php70-mysqlnd_7.0.33-124_amd64.deb
    sha:81e989c0952061191f52e811cc3eef3d3c93ba56
  • alt-php70-odbc_7.0.33-124_amd64.deb
    sha:acf04e2ab7a565381d877ac2f9f82d54cb660f17
  • alt-php70-opcache_7.0.33-124_amd64.deb
    sha:764e3e0078619bf63d651ad8a4ad6804856c0bf6
  • alt-php70-pdo_7.0.33-124_amd64.deb
    sha:48e46f807eae21b5c7600913314fd0ae51c1c698
  • alt-php70-pgsql_7.0.33-124_amd64.deb
    sha:13791e3015aa6266837175506a84b0f412d2e50a
  • alt-php70-process_7.0.33-124_amd64.deb
    sha:a9ac5633563b1f4a1536bdfd68e6ffbcab900450
  • alt-php70-pspell_7.0.33-124_amd64.deb
    sha:6acd4da1dae8c9a024dc3da166606c0fdd681b55
  • alt-php70-recode_7.0.33-124_amd64.deb
    sha:621c8ba9debe2f675f4185c1d998be7e4bcd463d
  • alt-php70-snmp_7.0.33-124_amd64.deb
    sha:3ae8a7fc84ff127f404c727ae29778380375f834
  • alt-php70-soap_7.0.33-124_amd64.deb
    sha:f019103a9b635363a5f863f6741993cd6ae3ee65
  • alt-php70-tidy_7.0.33-124_amd64.deb
    sha:916b7f9787b3b020bcd49c147c93741b71a61c20
  • alt-php70-xml_7.0.33-124_amd64.deb
    sha:85aac1d37109dcba5c35abd0dd3777bccbe4e2e7
  • alt-php70-xmlrpc_7.0.33-124_amd64.deb
    sha:59ee3c5c58cbe0479acf2ab1001fee56f4a20e5e
Notes:
This page is generated automatically and has not been checked for errors. For clarification or corrections please contact the CloudLinux Packaging Team.