SUSE Package Hub - SUSE-SLE-Module-Packagehub-Subpackages-15-SP6-2025-1025

Update Info

SUSE-SLE-Module-Packagehub-Subpackages-15-SP6-2025-1025

Security update for php7

Type: security

Severity: important

Issued: 2025-03-26

Description:

This update for php7 fixes the following issues:

- CVE-2024-11235: Fixed reference counting in php_request_shutdown causing Use-After-Free (bsc#1239666)
- CVE-2025-1217: Fixed header parser of http stream wrapper not handling folded headers (bsc#1239664)
- CVE-2025-1219: Fixed libxml streams using wrong content-type header when requesting a redirected resource (bsc#1239667)
- CVE-2025-1734: Fixed streams HTTP wrapper not failing for headers with invalid name and no colon (bsc#1239668)
- CVE-2025-1736: Fixed stream HTTP wrapper header check might omitting basic auth header (bsc#1239670)
- CVE-2025-1861: Fixed stream HTTP wrapper truncate redirect location to 1024 bytes (bsc#1239669)

References

CVE: CVE-2025-1861
CVE: CVE-2025-1736
CVE: CVE-2025-1734
CVE: CVE-2025-1219
CVE: CVE-2025-1217
CVE: CVE-2024-11235
Bugzilla: 1239670 VUL-0: CVE-2025-1736: php53,php7,php72,php74,php8: Stream HTTP wrapper header check might omit basic auth header
Bugzilla: 1239669 VUL-0: CVE-2025-1861: php53,php7,php72,php74,php8: Stream HTTP wrapper truncate redirect location to 1024 bytes
Bugzilla: 1239668 VUL-0: CVE-2025-1734: php53,php7,php72,php74,php8: Streams HTTP wrapper does not fail for headers with invalid name and no colon
Bugzilla: 1239667 VUL-0: CVE-2025-1219: php53,php7,php72,php74,php8: libxml streams use wrong `content-type` header when requesting a redirected resource
Bugzilla: 1239666 VUL-0: CVE-2024-11235: php53,php7,php72,php74,php8: Reference counting in php_request_shutdown causes Use-After-Free
Bugzilla: 1239664 VUL-0: CVE-2025-1217: php53,php7,php72,php74,php8: Header parser of `http` stream wrapper does not handle folded headers

Packages

php7-embed-7.4.33-150400.4.48.1