==========================================================================
Ubuntu Security Notice USN-7648-1
July 17, 2025

php8.1, php8.3, php8.4 vulnerabilities
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 25.04
- Ubuntu 24.04 LTS
- Ubuntu 22.04 LTS

Summary:

Several security issues were fixed in PHP.

Software Description:
- php8.4: HTML-embedded scripting language interpreter
- php8.3: HTML-embedded scripting language interpreter
- php8.1: HTML-embedded scripting language interpreter

Details:

It was discovered that PHP incorrectly handled certain hostnames containing
null characters. A remote attacker could possibly use this issue to bypass
certain hostname validation checks. (CVE-2025-1220)

It was discovered that PHP incorrectly handled the pgsql and pdo_pgsql
escaping functions. A remote attacker could possibly use this issue to
cause PHP to crash, resulting in a denial of service. (CVE-2025-1735)

It was discovered that PHP incorrectly handled parsing certain XML data in
SOAP extensions. A remote attacker could possibly use this issue to cause
PHP to crash, resulting in a denial of service. (CVE-2025-6491)

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 25.04
  libapache2-mod-php8.4           8.4.5-1ubuntu1.1
  php8.4                          8.4.5-1ubuntu1.1
  php8.4-cgi                      8.4.5-1ubuntu1.1
  php8.4-cli                      8.4.5-1ubuntu1.1
  php8.4-fpm                      8.4.5-1ubuntu1.1
  php8.4-pgsql                    8.4.5-1ubuntu1.1

Ubuntu 24.04 LTS
  libapache2-mod-php8.3           8.3.6-0ubuntu0.24.04.5
  php8.3                          8.3.6-0ubuntu0.24.04.5
  php8.3-cgi                      8.3.6-0ubuntu0.24.04.5
  php8.3-cli                      8.3.6-0ubuntu0.24.04.5
  php8.3-fpm                      8.3.6-0ubuntu0.24.04.5
  php8.3-pgsql                    8.3.6-0ubuntu0.24.04.5

Ubuntu 22.04 LTS
  libapache2-mod-php7.4           8.1.2-1ubuntu2.22
  libapache2-mod-php8.0           8.1.2-1ubuntu2.22
  libapache2-mod-php8.1           8.1.2-1ubuntu2.22
  php8.1                          8.1.2-1ubuntu2.22
  php8.1-cgi                      8.1.2-1ubuntu2.22
  php8.1-cli                      8.1.2-1ubuntu2.22
  php8.1-fpm                      8.1.2-1ubuntu2.22
  php8.1-pgsql                    8.1.2-1ubuntu2.22

In general, a standard system update will make all the necessary changes.

References:
  https://ubuntu.com/security/notices/USN-7648-1
  CVE-2025-1220, CVE-2025-1735, CVE-2025-6491

Package Information:
  https://launchpad.net/ubuntu/+source/php8.4/8.4.5-1ubuntu1.1
  https://launchpad.net/ubuntu/+source/php8.3/8.3.6-0ubuntu0.24.04.5
  https://launchpad.net/ubuntu/+source/php8.1/8.1.2-1ubuntu2.22