------------------------------------------------------------------------- Debian LTS Advisory DLA-4254-1 debian-lts@lists.debian.org https://www.debian.org/lts/security/ Guilhem Moulin July 27, 2025 https://wiki.debian.org/LTS ------------------------------------------------------------------------- Package : php7.4 Version : 7.4.33-1+deb11u9 CVE ID : CVE-2025-1220 CVE-2025-1735 CVE-2025-6491 Multiple security issues were found in PHP, a widely-used open source general purpose scripting language, which could result in server side request forgery or denial of service. CVE-2025-1220 Jihwan Kim discovered that fsockopen() lack validation that the hostname supplied does not contain null characters, which may lead to other functions like parse_url() to treat the hostname in an incorrect way, thereby potentially causing Server Side Request Forgery. CVE-2025-1735 It was discovered that pgsql and pdo_pgsql escaping functions do not check if the underlying quoting functions returned errors, which may lead to crashes due to null pointer dereferences. This issue is related to CVE-2025-1094 which was reported to PostgreSQL. CVE-2025-6491 Ahmed Lekssays discovered that SoapVar instances created with a fully qualified name larger than 2G could lead to denial of service due to null pointer dereference. For Debian 11 bullseye, these problems have been fixed in version 7.4.33-1+deb11u9. We recommend that you upgrade your php7.4 packages. For the detailed security status of php7.4 please refer to its security tracker page at: https://security-tracker.debian.org/tracker/php7.4 Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: https://wiki.debian.org/LTS
Attachment:
signature.asc
Description: PGP signature