Maintenance release, fixing CVE security issues for PHP.
Backported PHP CVE fixes
-
PHP version 7.4.33.10, 7.3.33.16, 7.2.34.24, 7.1.33.26 CVE fixes
-
LibXML
- Fixed GHSA-wg4p-4hqh-c3g9 (Reocurrence of #72714)
- Fixed GHSA-p3x9-6h7p-cgfc: libxml streams use wrong
content-type
header when requesting a redirected resource. (CVE-2025-1219)
-
Streams
- Fixed GHSA-hgf54-96fm-v528: Stream HTTP wrapper header check might omit basic auth header. (CVE-2025-1736)
- Fixed GHSA-52jp-hrpf-2jff: Stream HTTP wrapper truncates redirect location to 1024 bytes. (CVE-2025-1861)
- Fixed GHSA-pcmh-g36c-qc44: Streams HTTP wrapper does not fail for headers without colon. (CVE-2025-1734)
- Fixed GHSA-v8xr-gpvj-cx9g: Header parser of
http
stream wrapper does not handle folded headers. (CVE-2025-1217)