[SECURITY] [DLA 4088-1] php7.4 security update

To: debian-lts-announce@lists.debian.org
Subject: [SECURITY] [DLA 4088-1] php7.4 security update
From: Guilhem Moulin <guilhem@debian.org>
Date: Thu, 20 Mar 2025 11:43:46 +0100
Message-id: <[🔎] Z9vxYqGI-RvpkeE4@debian.org>
Mail-followup-to: debian-lts-announce@lists.debian.org
Reply-to: debian-lts@lists.debian.org

-------------------------------------------------------------------------
Debian LTS Advisory DLA-4088-1                debian-lts@lists.debian.org
https://www.debian.org/lts/security/                       Guilhem Moulin
March 20, 2025                                https://wiki.debian.org/LTS
-------------------------------------------------------------------------

Package        : php7.4
Version        : 7.4.33-1+deb11u8
CVE ID         : CVE-2025-1217 CVE-2025-1219 CVE-2025-1734 CVE-2025-1736
                 CVE-2025-1861

Multiple security issues were found in PHP, a widely-used open source
general purpose scripting language, which could result in HTTP request
smuggling, validation bypass or denial of service.

CVE-2025-1217

    Tim Düsterhus discovered that the header parser of the `http` stream
    wrapper does not handle folded headers and passes incorrect MIME
    types to an attached stream notifier.

CVE-2025-1219

    Tim Düsterhus discovered that when requesting a HTTP resource using
    the DOM or SimpleXML extensions, the wrong `content-type` header is
    used to determine the charset when the requested resource performs a
    redirect.

CVE-2025-1734

    It was discovered that the streams HTTP wrapper does not fail for
    headers with invalid name and no colon, thereby violating
    RFC-mandated behavior.

CVE-2025-1736

    It was discovered that the stream HTTP wrapper header check might
    omit basic auth header in some cases.

CVE-2025-1861

    It was discovered that the stream HTTP wrapper truncate redirect
    location to 1024 bytes, while the RFC-recommended length is 8000 and
    browsers usually limit to around 2048.

GHSA-wg4p-4hqh-c3g9

    An out of bound read was discovered in the XML parsing logic when
    `XML_OPTION_SKIP_TAGSTART` is set to a high value and the XML
    document has shorter tag names than expected.

For Debian 11 bullseye, these problems have been fixed in version
7.4.33-1+deb11u8.

We recommend that you upgrade your php7.4 packages.

For the detailed security status of php7.4 please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/php7.4

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS

Attachment: signature.asc
Description: PGP signature

Reply to:

Prev by Date: [SECURITY] [DLA 4087-1] python3.9 security update
Next by Date: [SECURITY] [DLA 4089-1] libxslt security update
Previous by thread: [SECURITY] [DLA 4087-1] python3.9 security update
Next by thread: [SECURITY] [DLA 4089-1] libxslt security update
Index(es):
- Date
- Thread