=========================================================================
Ubuntu Security Notice USN-7648-2
August 21, 2025

php7.0, php7.2, php7.4 vulnerabilities
=========================================================================
A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 20.04 LTS
- Ubuntu 18.04 LTS
- Ubuntu 16.04 LTS

Summary:

Several security issues were fixed in PHP.

Software Description:
- php7.4: HTML-embedded scripting language interpreter
- php7.2: HTML-embedded scripting language interpreter
- php7.0: HTML-embedded scripting language interpreter

Details:

USN-7648-1 fixed several vulnerabilities in PHP. This update
provides the corresponding updates for Ubuntu 16.04 LTS, Ubuntu
18.04 LTS, and Ubuntu 20.04 LTS.

Original advisory details:

 It was discovered that PHP incorrectly handled certain hostnames containing
 null characters. A remote attacker could possibly use this issue to bypass
 certain hostname validation checks. (CVE-2025-1220)

 It was discovered that PHP incorrectly handled the pgsql and pdo_pgsql
 escaping functions. A remote attacker could possibly use this issue to
 cause PHP to crash, resulting in a denial of service. (CVE-2025-1735)

 It was discovered that PHP incorrectly handled parsing certain XML data in
 SOAP extensions. A remote attacker could possibly use this issue to cause
 PHP to crash, resulting in a denial of service. (CVE-2025-6491)

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 20.04 LTS
  php7.4                          7.4.3-4ubuntu2.29+esm1
                                  Available with Ubuntu Pro
  php7.4-cgi                      7.4.3-4ubuntu2.29+esm1
                                  Available with Ubuntu Pro
  php7.4-cli                      7.4.3-4ubuntu2.29+esm1
                                  Available with Ubuntu Pro
  php7.4-fpm                      7.4.3-4ubuntu2.29+esm1
                                  Available with Ubuntu Pro
  php7.4-pgsql                    7.4.3-4ubuntu2.29+esm1
                                  Available with Ubuntu Pro

Ubuntu 18.04 LTS
  php7.2                          7.2.24-0ubuntu0.18.04.17+esm9
                                  Available with Ubuntu Pro
  php7.2-cgi                      7.2.24-0ubuntu0.18.04.17+esm9
                                  Available with Ubuntu Pro
  php7.2-cli                      7.2.24-0ubuntu0.18.04.17+esm9
                                  Available with Ubuntu Pro
  php7.2-fpm                      7.2.24-0ubuntu0.18.04.17+esm9
                                  Available with Ubuntu Pro
  php7.2-pgsql                    7.2.24-0ubuntu0.18.04.17+esm9
                                  Available with Ubuntu Pro

Ubuntu 16.04 LTS
  php7.0                          7.0.33-0ubuntu0.16.04.16+esm16
                                  Available with Ubuntu Pro
  php7.0-cgi                      7.0.33-0ubuntu0.16.04.16+esm16
                                  Available with Ubuntu Pro
  php7.0-cli                      7.0.33-0ubuntu0.16.04.16+esm16
                                  Available with Ubuntu Pro
  php7.0-fpm                      7.0.33-0ubuntu0.16.04.16+esm16
                                  Available with Ubuntu Pro
  php7.0-pgsql                    7.0.33-0ubuntu0.16.04.16+esm16
                                  Available with Ubuntu Pro

In general, a standard system update will make all the necessary changes.

References:
  https://ubuntu.com/security/notices/USN-7648-2
  https://ubuntu.com/security/notices/USN-7648-1
  CVE-2025-1220, CVE-2025-1735, CVE-2025-6491