{ "schema_version": "1.7.0", "id": "MGASA-2026-0127", "published": "2026-05-13T07:00:52Z", "modified": "2026-05-13T06:12:21Z", "summary": "Updated php packages fix security vulnerabilities", "details": "FPM: Fixed GHSA-7qg2-v9fj-4mwv (XSS within status endpoint).\n(CVE-2026-6735)\nMBString: Fixed GHSA-wm6j-2649-pv75 (Null pointer dereference in\nphp_mb_check_encoding() via mb_ereg_search_init()). (CVE-2026-7259)\nOpenSSL: Fix compatibility issues with OpenSSL 4.0.\nPDO_Firebird: Fixed GHSA-w476-322c-wpvm (SQL injection via NUL bytes in\nquoted strings). (CVE-2025-14179)\nSOAP:\n- Fixed GHSA-85c2-q967-79q5 (Stale SOAP_GLOBAL(ref_map) pointer with\nApache Map). (CVE-2026-6722)\n- Fixed GHSA-m33r-qmcv-p97q (Use-after-free after header parsing failure\nwith SOAP_PERSISTENCE_SESSION). (CVE-2026-7261)\n- Fixed GHSA-hmxp-6pc4-f3vv (Broken Apache map value NULL check).\n(CVE-2026-7262)\nStandard:\n- Fixed GHSA-96wq-48vp-hh57 (Signed integer overflow of char array\noffset). (CVE-2026-7568)\n- Fixed GHSA-m8rr-4c36-8gq4 (Consistently pass unsigned char to ctype.h\nfunctions). (CVE-2026-7258)\n", "upstream": [ "CVE-2026-6735", "CVE-2026-7259", "CVE-2025-14179", "CVE-2026-6722", "CVE-2026-7261", "CVE-2026-7262", "CVE-2026-7568", "CVE-2026-7258" ], "references": [ { "type": "ADVISORY", "url": "https://advisories.mageia.org/MGASA-2026-0127.html" }, { "type": "REPORT", "url": "https://bugs.mageia.org/show_bug.cgi?id=35481" }, { "type": "WEB", "url": "https://www.php.net/ChangeLog-8.php#8.2.31" } ], "affected": [ { "package": { "ecosystem": "Mageia:9", "name": "php", "purl": "pkg:rpm/mageia/php?arch=source&distro=mageia-9" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "0" }, { "fixed": "8.2.31-1.mga9" } ] } ], "ecosystem_specific": { "section": "core" } } ], "credits": [ { "name": "Mageia", "type": "COORDINATOR", "contact": [ "https://wiki.mageia.org/en/Packages_Security_Team" ] } ] }