Package | php7.0 |
---|---|
Version | 7.0.33-0+deb9u21 (stretch) |
Related CVEs | CVE-2025-1217 CVE-2025-1219 CVE-2025-1734 CVE-2025-1736 CVE-2025-1861 |
- CVE-2025-1217
  - Tim Düsterhus discovered that the header parser of the `http` stream wrapper does not handle folded headers and passes incorrect MIME types to an attached stream notifier.
- CVE-2025-1219
  - Tim Düsterhus discovered that when requesting an HTTP resource using the DOM or SimpleXML extensions, the wrong `content-type` header is used to determine the charset when the requested resource performs a redirect. This allows an attacker to cause a document to be parsed incorrectly, changing its meaning and possibly bypassing validation.
- CVE-2025-1734
  - It was discovered that the streams HTTP wrapper does not fail for headers with an invalid name and no colon, thereby violating RFC-mandated behavior and potentially leading to request smuggling.
- CVE-2025-1736
  - It was discovered that the stream HTTP wrapper header check might omit the basic auth header in some cases, thereby stripping it.
- CVE-2025-1861
  - It was discovered that the stream HTTP wrapper truncates the redirect Location to 1024 bytes, while the RFC-recommended length is 8000 and browsers usually limit it to around 2048. The URI truncation might result in omitting some critical information (e.g. from the query) or even redirection to other resources. It could even result in a DoS of the remote site if the truncated URL results in an error.
- GHSA-wg4p-4hqh-c3g9
  - An out-of-bounds read was discovered in the XML parsing logic when `XML_OPTION_SKIP_TAGSTART` is set to a high value and the XML document has shorter tag names than expected. (No CVE was assigned for this vulnerability at the time of writing.)
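As an added illustration of the header check described under CVE-2025-1734 and CVE-2025-1217 (this is example code written for this page, not the advisory's text nor PHP's own fix), the following validates the header lines an application passes through the `http` stream context's `header` option before the wrapper sees them: every line must have a field-name made of RFC 7230 token characters followed by a colon, and must contain no CR/LF, so neither colon-less lines nor folded continuation lines reach the wire. The `validate_request_headers` function and the sample header lines are constructed for this example.

```php
<?php
// Added example: reject request header lines that the unpatched wrapper
// would pass through unchecked (no colon, invalid field-name, CR/LF folding).
function validate_request_headers(array $lines): array
{
    // RFC 7230 "token" characters allowed in a field-name.
    $token = '/^[!#$%&\'*+\-.^_`|~0-9A-Za-z]+$/';
    foreach ($lines as $i => $line) {
        if (!is_string($line) || preg_match('/[\r\n]/', $line)) {
            // A CR or LF inside a line is either an obs-fold continuation
            // or an attempt to inject a second header line.
            throw new InvalidArgumentException("Header #$i contains CR/LF");
        }
        $pos = strpos($line, ':');
        if ($pos === false) {
            throw new InvalidArgumentException("Header #$i has no colon: $line");
        }
        $name = substr($line, 0, $pos);
        if ($name === '' || !preg_match($token, $name)) {
            throw new InvalidArgumentException("Header #$i has an invalid field-name: '$name'");
        }
    }
    return $lines;
}

// Constructed input: the first two lines are well-formed, the third has no
// colon and is exactly the shape the affected wrapper failed to reject.
$headers = [
    'Accept: application/json',
    'X-Request-Id: example-1234',
    'X-Broken header-without-colon',
];

try {
    $ctx = stream_context_create(['http' => [
        'method' => 'GET',
        'header' => implode("\r\n", validate_request_headers($headers)),
    ]]);
    // $body = file_get_contents('https://example.invalid/', false, $ctx);
} catch (InvalidArgumentException $e) {
    echo "Rejected: ", $e->getMessage(), "\n";
}
```

With the third line present the script prints the rejection instead of building the context; drop that line and the context is created with the two validated headers.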
For Debian 9 stretch, these problems have been fixed in version 7.0.33-0+deb9u21.
We recommend that you upgrade your php7.0 packages.
Further information about Extended LTS security advisories can be found in the dedicated section of our website.