USN-7648-3

Details

USN-7648-2 fixed vulnerabilities in PHP. The patch for CVE-2025-1735 caused a regression in php7.0, php7.2 and php7.4. This update fixes the problem.

We apologize for the inconvenience.

Original advisory details:

It was discovered that PHP incorrectly handled certain hostnames containing null characters. A remote attacker could possibly use this issue to bypass certain hostname validation checks. (CVE-2025-1220)

It was discovered that PHP incorrectly handled the pgsql and pdo_pgsql escaping functions. A remote attacker could possibly use this issue to cause PHP to crash, resulting in a denial of service. (CVE-2025-1735)

It was discovered that PHP incorrectly handled parsing certain XML data in SOAP extensions. A remote attacker could possibly use this issue to cause PHP to crash, resulting in a denial of service. (CVE-2025-6491)

Affected Packages

php7.0

Ubuntu Pro 16.04 LTS

Fixed in:

7.0.33-0ubuntu0.16.04.16+esm18

php7.2

Ubuntu Pro 18.04 LTS

Fixed in:

7.2.24-0ubuntu0.18.04.17+esm11

php7.4

Ubuntu Pro 20.04 LTS

Fixed in: