Home / mailingsPDF  

[USN-7648-2] PHP vulnerabilities

Posted on 22 August 2025
Ubuntu Security

==========================================================================Ubuntu Security Notice USN-7648-2
August 21, 2025

php7.0, php7.2, php7.4 vulnerabilities
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 20.04 LTS
- Ubuntu 18.04 LTS
- Ubuntu 16.04 LTS

Summary:

Several security issues were fixed in PHP.

Software Description:
- php7.4: HTML-embedded scripting language interpreter
- php7.2: HTML-embedded scripting language interpreter
- php7.0: HTML-embedded scripting language interpreter

Details:

USN-7648-1 fixed several vulnerabilities in PHP. This update
provides the corresponding updates for Ubuntu 16.04 LTS, Ubuntu
18.04 LTS, and Ubuntu 20.04 LTS.

Original advisory details:

It was discovered that PHP incorrectly handled certain hostnames containing
null characters. A remote attacker could possibly use this issue to bypass
certain hostname validation checks. (CVE-2025-1220)

It was discovered that PHP incorrectly handled the pgsql and pdo_pgsql
escaping functions. A remote attacker could possibly use this issue to
cause PHP to crash, resulting in a denial of service. (CVE-2025-1735)

It was discovered that PHP incorrectly handled parsing certain XML data in
SOAP extensions. A remote attacker could possibly use this issue to cause
PHP to crash, resulting in a denial of service. (CVE-2025-6491)

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 20.04 LTS
php7.4 7.4.3-4ubuntu2.29+esm1
Available with Ubuntu Pro
php7.4-cgi 7.4.3-4ubuntu2.29+esm1
Available with Ubuntu Pro
php7.4-cli 7.4.3-4ubuntu2.29+esm1
Available with Ubuntu Pro
php7.4-fpm 7.4.3-4ubuntu2.29+esm1
Available with Ubuntu Pro
php7.4-pgsql 7.4.3-4ubuntu2.29+esm1
Available with Ubuntu Pro

Ubuntu 18.04 LTS
php7.2 7.2.24-0ubuntu0.18.04.17+esm9
Available with Ubuntu Pro
php7.2-cgi 7.2.24-0ubuntu0.18.04.17+esm9
Available with Ubuntu Pro
php7.2-cli 7.2.24-0ubuntu0.18.04.17+esm9
Available with Ubuntu Pro
php7.2-fpm 7.2.24-0ubuntu0.18.04.17+esm9
Available with Ubuntu Pro
php7.2-pgsql 7.2.24-0ubuntu0.18.04.17+esm9
Available with Ubuntu Pro

Ubuntu 16.04 LTS
php7.0 7.0.33-0ubuntu0.16.04.16+esm16
Available with Ubuntu Pro
php7.0-cgi 7.0.33-0ubuntu0.16.04.16+esm16
Available with Ubuntu Pro
php7.0-cli 7.0.33-0ubuntu0.16.04.16+esm16
Available with Ubuntu Pro
php7.0-fpm 7.0.33-0ubuntu0.16.04.16+esm16
Available with Ubuntu Pro
php7.0-pgsql 7.0.33-0ubuntu0.16.04.16+esm16
Available with Ubuntu Pro

In general, a standard system update will make all the necessary changes.

References:
https://ubuntu.com/security/notices/USN-7648-2
https://ubuntu.com/security/notices/USN-7648-1
CVE-2025-1220, CVE-2025-1735, CVE-2025-6491

--===============3589752761691630904==Content-Type: application/pgp-signature; name="signature.asc"
Content-Description: OpenPGP digital signature

 

TOP

Mailings :

Exploits :