Updated php packages fix security vulnerabilities
Publication date: 13 May 2026Modification date: 13 May 2026
Type: security
Affected Mageia releases : 9
CVE: CVE-2026-6735 , CVE-2026-7259 , CVE-2025-14179 , CVE-2026-6722 , CVE-2026-7261 , CVE-2026-7262 , CVE-2026-7568 , CVE-2026-7258
Description
FPM: Fixed GHSA-7qg2-v9fj-4mwv (XSS within status endpoint).
(CVE-2026-6735)
MBString: Fixed GHSA-wm6j-2649-pv75 (Null pointer dereference in
php_mb_check_encoding() via mb_ereg_search_init()). (CVE-2026-7259)
OpenSSL: Fix compatibility issues with OpenSSL 4.0.
PDO_Firebird: Fixed GHSA-w476-322c-wpvm (SQL injection via NUL bytes in
quoted strings). (CVE-2025-14179)
SOAP:
- Fixed GHSA-85c2-q967-79q5 (Stale SOAP_GLOBAL(ref_map) pointer with
Apache Map). (CVE-2026-6722)
- Fixed GHSA-m33r-qmcv-p97q (Use-after-free after header parsing failure
with SOAP_PERSISTENCE_SESSION). (CVE-2026-7261)
- Fixed GHSA-hmxp-6pc4-f3vv (Broken Apache map value NULL check).
(CVE-2026-7262)
Standard:
- Fixed GHSA-96wq-48vp-hh57 (Signed integer overflow of char array
offset). (CVE-2026-7568)
- Fixed GHSA-m8rr-4c36-8gq4 (Consistently pass unsigned char to ctype.h
functions). (CVE-2026-7258)
References
- https://bugs.mageia.org/show_bug.cgi?id=35481
- https://www.php.net/ChangeLog-8.php#8.2.31
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-6735
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-7259
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-14179
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-6722
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-7261
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-7262
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-7568
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-7258
SRPMS
9/core
- php-8.2.31-1.mga9