UBUNTU-CVE-2025-1736

Details

In PHP from 8.1.* before 8.1.32, from 8.2.* before 8.2.28, from 8.3.* before 8.3.19, from 8.4.* before 8.4.5, when user-supplied headers are sent, the insufficient validation of the end-of-line characters may prevent certain headers from being sent or lead to certain headers be misinterpreted.

Affected Packages

php8.1

Ubuntu 22.04 LTS

Fixed in:

8.1.2-1ubuntu2.21

php8.3

Ubuntu 24.04 LTS

Fixed in:

8.3.6-0ubuntu0.24.04.4

php5

Ubuntu Pro 14.04 LTS

Affected versions:

5.5.3+dfsg-1ubuntu25.5.3+dfsg-1ubuntu35.5.6+dfsg-1ubuntu15.5.6+dfsg-1ubuntu25.5.8+dfsg-2ubuntu15.5.9+dfsg-1ubuntu15.5.9+dfsg-1ubuntu25.5.9+dfsg-1ubuntu35.5.9+dfsg-1ubuntu45.5.9+dfsg-1ubuntu4.1+37 more

php7.0

Ubuntu Pro 16.04 LTS

Fixed in:

7.0.33-0ubuntu0.16.04.16+esm15

php7.2

Ubuntu Pro 18.04 LTS

Fixed in:

7.2.24-0ubuntu0.18.04.17+esm8

php7.4

Ubuntu Pro 20.04 LTS

Affected versions:

7.4.3-4build17.4.3-4build27.4.3-4ubuntu17.4.3-4ubuntu1.17.4.3-4ubuntu2.107.4.3-4ubuntu2.117.4.3-4ubuntu2.127.4.3-4ubuntu2.137.4.3-4ubuntu2.157.4.3-4ubuntu2.16+20 more

References

REPORT

https://github.com/php/php-src/commit/41d49abbd99dab06cdae4834db664435f8177174

REPORT

https://github.com/php/php-src/security/advisories/GHSA-hgf5-96fm-v528

REPORT

https://ubuntu.com/security/CVE-2025-1736

ADVISORY

https://ubuntu.com/security/notices/USN-7400-1

ADVISORY

https://ubuntu.com/security/notices/USN-7645-1

REPORT

https://www.cve.org/CVERecord?id=CVE-2025-1736