USN-7648-1

Details

It was discovered that PHP incorrectly handled certain hostnames containing null characters. A remote attacker could possibly use this issue to bypass certain hostname validation checks. (CVE-2025-1220)

It was discovered that PHP incorrectly handled the pgsql and pdo_pgsql escaping functions. A remote attacker could possibly use this issue to cause PHP to crash, resulting in a denial of service. (CVE-2025-1735)

It was discovered that PHP incorrectly handled parsing certain XML data in SOAP extensions. A remote attacker could possibly use this issue to cause PHP to crash, resulting in a denial of service. (CVE-2025-6491)

Affected Packages

php8.1

Ubuntu 22.04 LTS

Fixed in:

8.1.2-1ubuntu2.22

php8.3

Ubuntu 24.04 LTS

Fixed in:

8.3.6-0ubuntu0.24.04.5

References

REPORT

https://ubuntu.com/security/CVE-2025-1220

REPORT

https://ubuntu.com/security/CVE-2025-1735

REPORT

https://ubuntu.com/security/CVE-2025-6491

ADVISORY

https://ubuntu.com/security/notices/USN-7648-1