
Ubuntu alert USN-7648-3 (php7.0, php7.2, php7.4)

From:  noreply+usn-bot@canonical.com
To:  ubuntu-security-announce@lists.ubuntu.com
Subject:  [USN-7648-3] PHP regression
Date:  Thu, 04 Sep 2025 09:06:23 +0000
Message-ID:  <E1uu5vD-0005CL-Rs@lists.ubuntu.com>

==========================================================================
Ubuntu Security Notice USN-7648-3
September 04, 2025

php7.0, php7.2, php7.4 regression
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 20.04 LTS
- Ubuntu 18.04 LTS
- Ubuntu 16.04 LTS

Summary:

USN-7648-2 introduced a regression in PHP

Software Description:
- php7.4: HTML-embedded scripting language interpreter
- php7.2: HTML-embedded scripting language interpreter
- php7.0: HTML-embedded scripting language interpreter

Details:

USN-7648-2 fixed vulnerabilities in PHP. The patch for CVE-2025-1735 caused
a regression in php7.0, php7.2 and php7.4. This update fixes the problem.

We apologize for the inconvenience.

Original advisory details:

 It was discovered that PHP incorrectly handled certain hostnames
 containing null characters. A remote attacker could possibly use this
 issue to bypass certain hostname validation checks. (CVE-2025-1220)

 It was discovered that PHP incorrectly handled the pgsql and pdo_pgsql
 escaping functions. A remote attacker could possibly use this issue to
 cause PHP to crash, resulting in a denial of service. (CVE-2025-1735)

 It was discovered that PHP incorrectly handled parsing certain XML data
 in SOAP extensions. A remote attacker could possibly use this issue to
 cause PHP to crash, resulting in a denial of service. (CVE-2025-6491)

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 20.04 LTS
  php7.4          7.4.3-4ubuntu2.29+esm2           Available with Ubuntu Pro
  php7.4-cgi      7.4.3-4ubuntu2.29+esm2           Available with Ubuntu Pro
  php7.4-cli      7.4.3-4ubuntu2.29+esm2           Available with Ubuntu Pro
  php7.4-common   7.4.3-4ubuntu2.29+esm2           Available with Ubuntu Pro
  php7.4-fpm      7.4.3-4ubuntu2.29+esm2           Available with Ubuntu Pro
  php7.4-pgsql    7.4.3-4ubuntu2.29+esm2           Available with Ubuntu Pro

Ubuntu 18.04 LTS
  php7.2          7.2.24-0ubuntu0.18.04.17+esm11   Available with Ubuntu Pro
  php7.2-cgi      7.2.24-0ubuntu0.18.04.17+esm11   Available with Ubuntu Pro
  php7.2-cli      7.2.24-0ubuntu0.18.04.17+esm11   Available with Ubuntu Pro
  php7.2-fpm      7.2.24-0ubuntu0.18.04.17+esm11   Available with Ubuntu Pro
  php7.2-pgsql    7.2.24-0ubuntu0.18.04.17+esm11   Available with Ubuntu Pro

Ubuntu 16.04 LTS
  php7.0          7.0.33-0ubuntu0.16.04.16+esm18   Available with Ubuntu Pro
  php7.0-cgi      7.0.33-0ubuntu0.16.04.16+esm18   Available with Ubuntu Pro
  php7.0-cli      7.0.33-0ubuntu0.16.04.16+esm18   Available with Ubuntu Pro
  php7.0-common   7.0.33-0ubuntu0.16.04.16+esm18   Available with Ubuntu Pro
  php7.0-fpm      7.0.33-0ubuntu0.16.04.16+esm18   Available with Ubuntu Pro
  php7.0-pgsql    7.0.33-0ubuntu0.16.04.16+esm18   Available with Ubuntu Pro

In general, a standard system update will make all the necessary changes.

References:
  https://ubuntu.com/security/notices/USN-7648-3
  https://ubuntu.com/security/notices/USN-7648-2
  https://ubuntu.com/security/notices/USN-7648-1
  CVE-2025-1735, https://launchpad.net/bugs/2121643






Copyright © 2025, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds