Home / mailingsPDF  

[USN-7648-3] PHP regression

Posted on 04 September 2025
Ubuntu Security

==========================================================================Ubuntu Security Notice USN-7648-3
September 04, 2025

php7.0, php7.2, php7.4 regression
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 20.04 LTS
- Ubuntu 18.04 LTS
- Ubuntu 16.04 LTS

Summary:

USN-7648-2 introduced a regression in PHP

Software Description:
- php7.4: HTML-embedded scripting language interpreter
- php7.2: HTML-embedded scripting language interpreter
- php7.0: HTML-embedded scripting language interpreter

Details:

USN-7648-2 fixed vulnerabilities in PHP. The patch for CVE-2025-1735
caused a regression in php7.0, php7.2 and php7.4. This update fixes
the problem.

We apologize for the inconvenience.

Original advisory details:

It was discovered that PHP incorrectly handled certain hostnames containing
null characters. A remote attacker could possibly use this issue to bypass
certain hostname validation checks. (CVE-2025-1220)

It was discovered that PHP incorrectly handled the pgsql and pdo_pgsql
escaping functions. A remote attacker could possibly use this issue to
cause PHP to crash, resulting in a denial of service. (CVE-2025-1735)

It was discovered that PHP incorrectly handled parsing certain XML data in
SOAP extensions. A remote attacker could possibly use this issue to cause
PHP to crash, resulting in a denial of service. (CVE-2025-6491)

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 20.04 LTS
php7.4 7.4.3-4ubuntu2.29+esm2
Available with Ubuntu Pro
php7.4-cgi 7.4.3-4ubuntu2.29+esm2
Available with Ubuntu Pro
php7.4-cli 7.4.3-4ubuntu2.29+esm2
Available with Ubuntu Pro
php7.4-common 7.4.3-4ubuntu2.29+esm2
Available with Ubuntu Pro
php7.4-fpm 7.4.3-4ubuntu2.29+esm2
Available with Ubuntu Pro
php7.4-pgsql 7.4.3-4ubuntu2.29+esm2
Available with Ubuntu Pro

Ubuntu 18.04 LTS
php7.2 7.2.24-0ubuntu0.18.04.17+esm11
Available with Ubuntu Pro
php7.2-cgi 7.2.24-0ubuntu0.18.04.17+esm11
Available with Ubuntu Pro
php7.2-cli 7.2.24-0ubuntu0.18.04.17+esm11
Available with Ubuntu Pro
php7.2-fpm 7.2.24-0ubuntu0.18.04.17+esm11
Available with Ubuntu Pro
php7.2-pgsql 7.2.24-0ubuntu0.18.04.17+esm11
Available with Ubuntu Pro

Ubuntu 16.04 LTS
php7.0 7.0.33-0ubuntu0.16.04.16+esm18
Available with Ubuntu Pro
php7.0-cgi 7.0.33-0ubuntu0.16.04.16+esm18
Available with Ubuntu Pro
php7.0-cli 7.0.33-0ubuntu0.16.04.16+esm18
Available with Ubuntu Pro
php7.0-common 7.0.33-0ubuntu0.16.04.16+esm18
Available with Ubuntu Pro
php7.0-fpm 7.0.33-0ubuntu0.16.04.16+esm18
Available with Ubuntu Pro
php7.0-pgsql 7.0.33-0ubuntu0.16.04.16+esm18
Available with Ubuntu Pro

In general, a standard system update will make all the necessary changes.

References:
https://ubuntu.com/security/notices/USN-7648-3
https://ubuntu.com/security/notices/USN-7648-2
https://ubuntu.com/security/notices/USN-7648-1
CVE-2025-1735, https://launchpad.net/bugs/2121643

--===============2181671489731199207==Content-Type: application/pgp-signature; name="signature.asc"
Content-Description: OpenPGP digital signature

 

TOP

Mailings :

Exploits :