Release date:
2026-05-22 09:49:39 UTC
Description:
* SECURITY UPDATE: soap extension use-after-free via apache:Map duplicate keys
- debian/patches/php-5.2-CVE-2026-6722.patch: backport upstream commit
aee3b3ac9b in ext/soap/php_encoding.c — adapt addref/dtor changes
to pre-PHP7 zval** SOAP API.
- Note: the 5.2 backport applies the addref half of the upstream fix only;
the matching ref_map destructor change (NULL -> ZVAL_PTR_DTOR) is
intentionally omitted because in 5.x ref_map is heterogeneous (stores
both xmlNodePtr and zval* entries through the same API) and a
ZVAL_PTR_DTOR would corrupt the xmlNodePtr entries. The addref alone
closes the UAF; cost is one bounded zval leak per request, released
with the emalloc pool at RSHUTDOWN.
- CVE-2026-6722
* SECURITY UPDATE: soap extension NULL pointer dereference via apache:Map
item missing element
- debian/patches/php-5.2-CVE-2026-7262.patch: backport upstream commit
79551ab8b1 in ext/soap/php_encoding.c — fix typo'd null check in
to_zval_map() (was checking xmlKey, should check xmlValue).
- CVE-2026-7262
* SECURITY UPDATE: soap extension use-after-free after header parsing
failure with SOAP_PERSISTENCE_SESSION
- debian/patches/php-5.2-CVE-2026-7261.patch: backport upstream commit
db2a7f9348 in ext/soap/soap.c — wrap both zval_ptr_dtor(&soap_obj)
sites in the header-handler failure paths with a
persistance!=SOAP_PERSISTENCE_SESSION guard.
- CVE-2026-7261
Updated packages:
-
alt-php52_5.2.17-221_amd64.deb
sha:39909abe1903ebba235571e1eae6001176fa66c3
-
alt-php52-bcmath_5.2.17-221_amd64.deb
sha:63c7fd8a56f1f3ed425d52377c252153eb876f94
-
alt-php52-cli_5.2.17-221_amd64.deb
sha:89857f2102a135a4905408950e022bb53343a712
-
alt-php52-common_5.2.17-221_amd64.deb
sha:9a2a8beee736a235f0b2deef0f8ee77f9323a9b1
-
alt-php52-dba_5.2.17-221_amd64.deb
sha:5f408ea3491d4eedb5b7fcc23aea7e116a5a8ae2
-
alt-php52-dbx_5.2.17-221_amd64.deb
sha:0abadca9e139bdf4c123d0b65feb13ec6b7eea66
-
alt-php52-dev_5.2.17-221_amd64.deb
sha:15c976ae962cdc016c098d7026f7630920841ad5
-
alt-php52-enchant_5.2.17-221_amd64.deb
sha:bad2529ae44ee92627a0e883b3bc871e59af9a23
-
alt-php52-firebird_5.2.17-221_amd64.deb
sha:0caa6b1a5ece0b8517c421823ce843a5d4f4225b
-
alt-php52-gd_5.2.17-221_amd64.deb
sha:756f3fb9a8df1f6edf82470efde3e6c4f759ee1e
-
alt-php52-imap_5.2.17-221_amd64.deb
sha:c038fb54c7e29fa59191fbd213f38f2d6e0c0b49
-
alt-php52-intl_5.2.17-221_amd64.deb
sha:55d548c1fb21c1a430706285f70e6ed6512d7c1d
-
alt-php52-ldap_5.2.17-221_amd64.deb
sha:a3316af0074f0865c726167300172464c849faee
-
alt-php52-mbstring_5.2.17-221_amd64.deb
sha:140795072afcb2e1be9416f02e0334012923ba19
-
alt-php52-mcrypt_5.2.17-221_amd64.deb
sha:ae61200ca7421bd85a345f8c75325ca91d73d4a1
-
alt-php52-mysqlnd_5.2.17-221_amd64.deb
sha:8a3dcf70972ecd6ea69a5323b2bd388b14793a59
-
alt-php52-odbc_5.2.17-221_amd64.deb
sha:45bb2b33041fa1858779154bc0efa79e8dc8b985
-
alt-php52-pdo_5.2.17-221_amd64.deb
sha:098a1bb18848bca9024865621d4b955fb895b94c
-
alt-php52-pgsql_5.2.17-221_amd64.deb
sha:433d9f3270537e1c2d3127c91d68f9f93ff3496b
-
alt-php52-process_5.2.17-221_amd64.deb
sha:dfacd59f8878e98c6eea7f328629c5ef3411d7b3
-
alt-php52-pspell_5.2.17-221_amd64.deb
sha:024b21f6e112935da91acc31d693c82be852474e
-
alt-php52-recode_5.2.17-221_amd64.deb
sha:41463ac0c01f057d425dd76e651c88e878bca520
-
alt-php52-snmp_5.2.17-221_amd64.deb
sha:2632be257c88f0f1b4dd77caad01bac1e89a6797
-
alt-php52-soap_5.2.17-221_amd64.deb
sha:b3f987f684cbfc2d49a5daf53c8c06fe4e6aa951
-
alt-php52-sqlite_5.2.17-221_amd64.deb
sha:904d23d94fd81e7cf99b814eeb2154b33b34ce34
-
alt-php52-sybase_5.2.17-221_amd64.deb
sha:dd8b32a790d470672f9bf999fc1c76f6286a97e0
-
alt-php52-tidy_5.2.17-221_amd64.deb
sha:2afb54f4914893d3bdab82c944fa2c062f205a58
-
alt-php52-xml_5.2.17-221_amd64.deb
sha:530a20c1ef5d152f065e6a604b7230ab75010074
-
alt-php52-xmlrpc_5.2.17-221_amd64.deb
sha:3e04a9fb8526ed41f56ebdc283f5ba11de0dce4d
Notes:
This page is generated automatically and has not been checked for errors. For clarification or
corrections please contact the
CloudLinux Packaging Team.
