Home / mailingsPDF  

[USN-7648-1] PHP vulnerabilities

Posted on 17 July 2025
Ubuntu Security

==========================================================================Ubuntu Security Notice USN-7648-1
July 17, 2025

php8.1, php8.3, php8.4 vulnerabilities
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 25.04
- Ubuntu 24.04 LTS
- Ubuntu 22.04 LTS

Summary:

Several security issues were fixed in PHP.

Software Description:
- php8.4: HTML-embedded scripting language interpreter
- php8.3: HTML-embedded scripting language interpreter
- php8.1: HTML-embedded scripting language interpreter

Details:

It was discovered that PHP incorrectly handled certain hostnames containing
null characters. A remote attacker could possibly use this issue to bypass
certain hostname validation checks. (CVE-2025-1220)

It was discovered that PHP incorrectly handled the pgsql and pdo_pgsql
escaping functions. A remote attacker could possibly use this issue to
cause PHP to crash, resulting in a denial of service. (CVE-2025-1735)

It was discovered that PHP incorrectly handled parsing certain XML data in
SOAP extensions. A remote attacker could possibly use this issue to cause
PHP to crash, resulting in a denial of service. (CVE-2025-6491)

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 25.04
libapache2-mod-php8.4 8.4.5-1ubuntu1.1
php8.4 8.4.5-1ubuntu1.1
php8.4-cgi 8.4.5-1ubuntu1.1
php8.4-cli 8.4.5-1ubuntu1.1
php8.4-fpm 8.4.5-1ubuntu1.1
php8.4-pgsql 8.4.5-1ubuntu1.1

Ubuntu 24.04 LTS
libapache2-mod-php8.3 8.3.6-0ubuntu0.24.04.5
php8.3 8.3.6-0ubuntu0.24.04.5
php8.3-cgi 8.3.6-0ubuntu0.24.04.5
php8.3-cli 8.3.6-0ubuntu0.24.04.5
php8.3-fpm 8.3.6-0ubuntu0.24.04.5
php8.3-pgsql 8.3.6-0ubuntu0.24.04.5

Ubuntu 22.04 LTS
libapache2-mod-php7.4 8.1.2-1ubuntu2.22
libapache2-mod-php8.0 8.1.2-1ubuntu2.22
libapache2-mod-php8.1 8.1.2-1ubuntu2.22
php8.1 8.1.2-1ubuntu2.22
php8.1-cgi 8.1.2-1ubuntu2.22
php8.1-cli 8.1.2-1ubuntu2.22
php8.1-fpm 8.1.2-1ubuntu2.22
php8.1-pgsql 8.1.2-1ubuntu2.22

In general, a standard system update will make all the necessary changes.

References:
https://ubuntu.com/security/notices/USN-7648-1
CVE-2025-1220, CVE-2025-1735, CVE-2025-6491

Package Information:
https://launchpad.net/ubuntu/+source/php8.4/8.4.5-1ubuntu1.1
https://launchpad.net/ubuntu/+source/php8.3/8.3.6-0ubuntu0.24.04.5
https://launchpad.net/ubuntu/+source/php8.1/8.1.2-1ubuntu2.22

--===============4019530782127970088==Content-Type: application/pgp-signature; name="signature.asc"
Content-Description: OpenPGP digital signature

 

TOP

Mailings :

Exploits :