-------------------------------------------------------------------------
Debian LTS Advisory DLA-4586-1                [email protected]
https://www.debian.org/lts/security/                       Guilhem Moulin
May 16, 2026                                  https://wiki.debian.org/LTS
-------------------------------------------------------------------------

Package        : php7.4
Version        : 7.4.33-1+deb11u11
CVE ID         : CVE-2026-6722 CVE-2026-6735 CVE-2026-7258 CVE-2026-7261
                 CVE-2026-7262 CVE-2026-7568
Debian Bug     : 1136054

Multiple security issues were found in PHP, a widely-used open source
general purpose scripting language, which could result in remote code
execution, information disclosure or denial of service.

CVE-2026-6722

    A use-after-free issue was discovered in the SOAP extension which
    may lead to remote code execution when an apache:Map node contains a
    duplicate key.

CVE-2026-6735

    Conrad Draper discovered that the request URI within the PHP-FPM
    status page was improperly sanitized, thereby allowing cross-site
    scripting (XSS).

CVE-2026-7258

    An out-of-bounds read issue was discovered in `urldecode()`, which
    may lead to denial of service on some platforms.

CVE-2026-7261

    Ilia Alshanetsky discovered a use-after-free issue following a header
    parsing failure when SoapServer is configured with
    SOAP_PERSISTENCE_SESSION, which may lead to denial of service.

CVE-2026-7262

    Ilia Alshanetsky discovered a NULL pointer dereference issue in the
    SOAP apache:Map decoder when a `<value>` element is missing, thereby
    leading to denial of service.

CVE-2026-7568

    Aleksey Solovev discovered a signed integer overflow in the
    `metaphone()` function from the PHP standard library.

For Debian 11 bullseye, these problems have been fixed in version
7.4.33-1+deb11u11.

We recommend that you upgrade your php7.4 packages.

For the detailed security status of php7.4 please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/php7.4

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
