[CLSA-2026:1779448593] Fix of 5 CVEs
Type:
security
Severity:
Critical
Release date:
2026-05-22 11:16:42 UTC
Description:
* SECURITY UPDATE: soap extension use-after-free via apache:Map duplicate keys - debian/patches/php-7.2-CVE-2026-6722.patch: backport upstream commit aee3b3ac9b in ext/soap/php_encoding.c — add Z_TRY_ADDREF_P on soap_add_xml_ref insertion and change SOAP_GLOBAL(ref_map) destructor to ZVAL_PTR_DTOR. - CVE-2026-6722 * SECURITY UPDATE: soap extension NULL pointer dereference via apache:Map item missing element - debian/patches/php-7.2-CVE-2026-7262.patch: backport upstream commit 79551ab8b1 in ext/soap/php_encoding.c — fix typo'd null check in to_zval_map() (was checking xmlKey, should check xmlValue). - CVE-2026-7262 * SECURITY UPDATE: php-fpm status endpoint XSS via unescaped request_uri - debian/patches/php-7.2-CVE-2026-6735.patch: backport upstream commit 99a5ad7441 in sapi/fpm/fpm/fpm_status.c — escape proc.request_uri with php_escape_html_entities_ex() and fix the broken "ENT_HTML_IGNORE_ERRORS & ENT_COMPAT" flag (bitwise-AND of two flag constants evaluates to 0). Adapted to 7.x layout (struct access "proc.X", single encode flag, older 6-arg php_escape_html_entities_ex signature). - CVE-2026-6735 * SECURITY UPDATE: soap SoapServer use-after-free after header parsing failure when SOAP_PERSISTENCE_SESSION is set - debian/patches/php-7.2-CVE-2026-7261.patch: backport upstream commit db2a7f9348 in ext/soap/soap.c — guard both zval_ptr_dtor(soap_obj) call sites in PHP_METHOD(SoapServer, handle) with "if (service->soap_class.persistence != SOAP_PERSISTENCE_SESSION)". - CVE-2026-7261 * SECURITY UPDATE: metaphone() signed integer overflow on >INT_MAX input - debian/patches/php-7.2-CVE-2026-7568.patch: backport upstream commit 47def8ce1d in ext/standard/metaphone.c — retype w_idx and Lookahead's how_far/idx from int to size_t to avoid signed overflow while walking strings larger than 2 GB on 64-bit builds. - CVE-2026-7568
Updated packages:
  • alt-php72_7.2.34-74_amd64.deb
    sha:1a4f4ab1bb6900dc83d2865dfe0235ea4a299fec
  • alt-php72-bcmath_7.2.34-74_amd64.deb
    sha:dbd39182fbc28e5408b5120921ad0f0dcb7277eb
  • alt-php72-cli_7.2.34-74_amd64.deb
    sha:7a8d8ccb33fd309ff074bde98994a98750b6e65e
  • alt-php72-common_7.2.34-74_amd64.deb
    sha:e42c801c5062d9f64111fdfbdcd96a54e1eb95a7
  • alt-php72-dba_7.2.34-74_amd64.deb
    sha:4ce24a0e3b04226e8ebef160f93cbdd2cf9cedee
  • alt-php72-dev_7.2.34-74_amd64.deb
    sha:749a9e11971713dd643848579281492616857bb7
  • alt-php72-enchant_7.2.34-74_amd64.deb
    sha:41c22f8959a2a6f07f8626cea903a3e526bc448f
  • alt-php72-firebird_7.2.34-74_amd64.deb
    sha:61656b7f4394fdf98c49e890534c0fc7a5344994
  • alt-php72-fpm_7.2.34-74_amd64.deb
    sha:6af675f10cbed4da489204f3c8e617fa1b586977
  • alt-php72-gd_7.2.34-74_amd64.deb
    sha:087f367fa275bbc20205b23931e116f9061a9b0c
  • alt-php72-imap_7.2.34-74_amd64.deb
    sha:6a5c6c0da2f297e720bdd7e3d35b9d3052eb5dc0
  • alt-php72-intl_7.2.34-74_amd64.deb
    sha:e21b74cfb81c3d5439cde3137e0ff6a2a1ce8d11
  • alt-php72-ldap_7.2.34-74_amd64.deb
    sha:0b02adaeb70ff0255c6165790cbaf3c5ade85285
  • alt-php72-mbstring_7.2.34-74_amd64.deb
    sha:3e3849be1f4b88db226464519c01a43ccf074503
  • alt-php72-mysqlnd_7.2.34-74_amd64.deb
    sha:3b18a1db97949069f364f8d99e68e4ba32712557
  • alt-php72-odbc_7.2.34-74_amd64.deb
    sha:8ea6a64b5e8f0eee845cf934531176b2709bb9c6
  • alt-php72-opcache_7.2.34-74_amd64.deb
    sha:e7bfd13f572113591904e88133ebc73977ec6500
  • alt-php72-pdo_7.2.34-74_amd64.deb
    sha:8f05c00595d081bf670d25831d7493578790b0c0
  • alt-php72-pgsql_7.2.34-74_amd64.deb
    sha:0f71634a3d9ac669f1ea84358e465b4f0b3c1869
  • alt-php72-process_7.2.34-74_amd64.deb
    sha:398f963e16026d284ed177845dde689a65f9bc75
  • alt-php72-pspell_7.2.34-74_amd64.deb
    sha:e2b4075b396ce60a43acf1a33eaf07f797c650e9
  • alt-php72-recode_7.2.34-74_amd64.deb
    sha:7197f3668a63ca1aa439f63e6863810fbb380387
  • alt-php72-snmp_7.2.34-74_amd64.deb
    sha:4ebc79a1304d0bb0bbdc693e75eab8af906c68f0
  • alt-php72-soap_7.2.34-74_amd64.deb
    sha:7cb9e11d0782c28ad28fc4b4f9347b4d11135716
  • alt-php72-sodium_7.2.34-74_amd64.deb
    sha:07ed9021adf1cf29872f1caf7548d9dcd9b804c9
  • alt-php72-tidy_7.2.34-74_amd64.deb
    sha:7c5b80ac538cb182ed0565d42c1f835da60fd7af
  • alt-php72-xml_7.2.34-74_amd64.deb
    sha:6a31753477772599483fc20b0368276d298fac01
  • alt-php72-xmlrpc_7.2.34-74_amd64.deb
    sha:70cf0dce4100388ff09b4ac031494e4c206027a4
Notes:
This page is generated automatically and has not been checked for errors. For clarification or corrections please contact the CloudLinux Packaging Team.