USN-7648-1: PHP vulnerabilities

USN-7648-1: PHP vulnerabilities
Publication date: 17 July 2025
Overview: Several security issues were fixed in PHP.

Packages

• php8.1 - HTML-embedded scripting language interpreter
• php8.3 - HTML-embedded scripting language interpreter
• php8.4 - HTML-embedded scripting language interpreter

Details
It was discovered that PHP incorrectly handled certain hostnames containing
null characters. A remote attacker could possibly use this issue to bypass
certain hostname validation checks. (CVE-2025-1220)

It was discovered that PHP incorrectly handled the pgsql and pdo_pgsql
escaping functions. A remote attacker could possibly use this issue to
cause PHP to crash, resulting in a denial of service. (CVE-2025-1735)

It was discovered that PHP incorrectly handled parsing certain XML data in
SOAP extensions. A remote attacker could possibly use this issue to cause
PHP to crash, resulting in a denial of service. (CVE-2025-6491)

Update instructions
The problem can be corrected by updating your system to the following package versions:
25.04 plucky

• libapache2-mod-php8.4 – 8.4.5-1ubuntu1.1
• php8.4 – 8.4.5-1ubuntu1.1
• php8.4-cgi – 8.4.5-1ubuntu1.1
• php8.4-cli – 8.4.5-1ubuntu1.1
• php8.4-fpm – 8.4.5-1ubuntu1.1
• php8.4-pgsql – 8.4.5-1ubuntu1.1

24.04 noble:

• libapache2-mod-php8.3 – 8.3.6-0ubuntu0.24.04.5
• php8.3 – 8.3.6-0ubuntu0.24.04.5
• php8.3-cgi – 8.3.6-0ubuntu0.24.04.5
• php8.3-cli – 8.3.6-0ubuntu0.24.04.5
• php8.3-fpm – 8.3.6-0ubuntu0.24.04.5
• php8.3-pgsql – 8.3.6-0ubuntu0.24.04.5

22.04 jammy

• libapache2-mod-php7.4 – 8.1.2-1ubuntu2.22
• libapache2-mod-php8.0 – 8.1.2-1ubuntu2.22
• libapache2-mod-php8.1 – 8.1.2-1ubuntu2.22
• php8.1 – 8.1.2-1ubuntu2.22
• php8.1-cgi – 8.1.2-1ubuntu2.22
• php8.1-cli – 8.1.2-1ubuntu2.22
• php8.1-fpm – 8.1.2-1ubuntu2.22
• php8.1-pgsql – 8.1.2-1ubuntu2.22