
[SECURITY] [DLA 4254-1] php7.4 security update



-------------------------------------------------------------------------
Debian LTS Advisory DLA-4254-1                debian-lts@lists.debian.org
https://www.debian.org/lts/security/                       Guilhem Moulin
July 27, 2025                                 https://wiki.debian.org/LTS
-------------------------------------------------------------------------

Package        : php7.4
Version        : 7.4.33-1+deb11u9
CVE ID         : CVE-2025-1220 CVE-2025-1735 CVE-2025-6491

Multiple security issues were found in PHP, a widely-used open source
general purpose scripting language, which could result in server side
request forgery or denial of service.

CVE-2025-1220

    Jihwan Kim discovered that fsockopen() lacks validation that the
    hostname supplied does not contain null characters, which may cause
    other functions like parse_url() to treat the hostname in an
    incorrect way, thereby potentially causing Server Side Request
    Forgery.
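
The following is an added example for the CVE-2025-1220 item above; it is not code from the advisory, from Debian or from PHP upstream. It shows the defender-side check an application can apply on its own, independent of the package fix: rejecting any hostname that carries a NUL or other control byte before it is handed to fsockopen(), so that C-level code (which may stop at the first NUL) and PHP-level helpers such as parse_url() (which see the whole string) can never disagree about which host is meant. The function names is_clean_hostname and guarded_fsockopen are hypothetical, and the inputs at the bottom are constructed.

```php
<?php
// Added example, not code from the advisory or from PHP upstream.
// Function names (is_clean_hostname, guarded_fsockopen) are hypothetical.

/**
 * Accept only an IP literal or a DNS hostname made of printable ASCII.
 * Any control byte, NUL included, is rejected before the string can
 * reach C-level code that may stop reading at the first NUL while
 * PHP-level helpers such as parse_url() see the full string.
 */
function is_clean_hostname(string $host): bool
{
    if ($host === '' || strlen($host) > 253) {
        return false;
    }
    // strpos() is binary-safe, so an embedded NUL is found reliably;
    // the regex then rejects every remaining non-printable or non-ASCII byte.
    if (strpos($host, "\0") !== false || preg_match('/[^\x21-\x7e]/', $host) === 1) {
        return false;
    }
    if (filter_var($host, FILTER_VALIDATE_IP) !== false) {
        return true;
    }
    // Labels of 1-63 letters, digits or hyphens, not starting or ending with a hyphen.
    $label = '(?!-)[A-Za-z0-9-]{1,63}(?<!-)';
    return preg_match("/^$label(\\.$label)*\\.?$/", $host) === 1;
}

/**
 * Wrapper around fsockopen() that refuses to connect unless the hostname
 * passed validation. Returns the stream resource, or null on refusal or
 * connection failure (the error text is logged, not echoed to the user).
 */
function guarded_fsockopen(string $host, int $port, float $timeout = 5.0)
{
    if (!is_clean_hostname($host)) {
        error_log('refused fsockopen() to invalid hostname: ' . bin2hex($host));
        return null;
    }
    $fp = @fsockopen($host, $port, $errno, $errstr, $timeout);
    if ($fp === false) {
        error_log("fsockopen($host:$port) failed: [$errno] $errstr");
        return null;
    }
    return $fp;
}

// Constructed inputs for a quick self-check; the third carries an embedded NUL.
var_dump(is_clean_hostname('example.com'));
var_dump(is_clean_hostname('192.0.2.10'));
var_dump(is_clean_hostname("example.com\0example.net"));
```

Logging the rejected value as hex rather than raw keeps the NUL visible in the log line, which is what an analyst needs when hunting for this input pattern after the fact.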

CVE-2025-1735

    It was discovered that pgsql and pdo_pgsql escaping functions do not
    check if the underlying quoting functions returned errors, which may
    lead to crashes due to null pointer dereferences.

    This issue is related to CVE-2025-1094 which was reported to
    PostgreSQL.
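
An added example for the CVE-2025-1735 item above, not code from the advisory, from Debian or from PHP upstream. The advisory's point is that the escaping functions did not check whether the underlying libpq quoting calls reported an error; on the application side the corresponding habits are to send values through parameterised queries so that no escaping function runs on them, and, where an identifier must be quoted at run time, to treat anything other than a non-empty string coming back from pg_escape_identifier() as a failure rather than splicing it into SQL. The function names, the users table and the connection string are hypothetical placeholders.

```php
<?php
// Added example, not code from the advisory or from PHP upstream.
// Function names are hypothetical; the connection string is a placeholder.

/**
 * Look up a row with a parameterised query. The value travels separately
 * from the SQL text, so no escaping function ever runs on it.
 */
function find_user_id($conn, string $name): ?int
{
    $res = pg_query_params($conn, 'SELECT id FROM users WHERE name = $1', [$name]);
    if ($res === false) {
        error_log('query failed: ' . pg_last_error($conn));
        return null;
    }
    $row = pg_fetch_row($res);
    return $row === false ? null : (int) $row[0];
}

/**
 * Where escaping cannot be avoided (e.g. a table or column name chosen at
 * run time), treat anything other than a non-empty string as a failure of
 * the underlying quoting call instead of using it in a statement.
 */
function quoted_identifier($conn, string $ident): ?string
{
    $q = pg_escape_identifier($conn, $ident);
    if (!is_string($q) || $q === '') {
        error_log('pg_escape_identifier() failed for ' . bin2hex($ident));
        return null;
    }
    return $q;
}

// Placeholder DSN; replace it with a real one to run this against a database.
$conn = @pg_connect('host=localhost dbname=example user=example');
if ($conn !== false) {
    var_dump(find_user_id($conn, 'alice'));
    // Constructed input: a byte sequence that is not valid UTF-8.
    var_dump(quoted_identifier($conn, "col\xC0"));
    pg_close($conn);
}
```

The is_string() test is deliberately broader than a check for false: it keeps the caller correct whichever failure value a given PHP build returns, and it costs nothing on the success path.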

CVE-2025-6491

    Ahmed Lekssays discovered that SoapVar instances created with a
    fully qualified name larger than 2G could lead to denial of service
    due to null pointer dereference.

For Debian 11 bullseye, these problems have been fixed in version
7.4.33-1+deb11u9.

We recommend that you upgrade your php7.4 packages.

For the detailed security status of php7.4 please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/php7.4

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
