An update for php is now available for openEuler-24.03-LTS-SP1 Security Advisory openeuler-security@openeuler.org openEuler security committee openEuler-SA-2025-1889 Final 1.0 1.0 2025-07-25 Initial 2025-07-25 2025-07-25 openEuler SA Tool V1.0 2025-07-25 php security update An update for php is now available for openEuler-24.03-LTS-SP1 PHP is an HTML-embedded scripting language. PHP attempts to make it easy for developers to write dynamically generated web pages. PHP also offers built-in database integration for several commercial and non-commercial database management systems, so writing a database-enabled webpage with PHP is fairly simple. The most common use of PHP coding is probably as a replacement for CGI scripts. %if 1 The php package contains the module (often referred to as mod_php) which adds support for the PHP language to Apache HTTP Server when running in prefork mode. This module is deprecated. %endif Security Fix(es): In PHP versions:8.1.* before 8.1.33, 8.2.* before 8.2.29, 8.3.* before 8.3.23, 8.4.* before 8.4.10 some functions like fsockopen() lack validation that the hostname supplied does not contain null characters. This may lead to other functions like parse_url() treat the hostname in different way, thus opening way to security problems if the user code implements access checks before access using such functions.(CVE-2025-1220) In PHP versions:8.1.* before 8.1.33, 8.2.* before 8.2.29, 8.3.* before 8.3.23, 8.4.* pgsql and pdo_pgsql escaping functions do not check if the underlying quoting functions returned errors. This could cause crashes if Postgres server rejects the string as invalid.(CVE-2025-1735) In PHP versions:8.1.* before 8.1.33, 8.2.* before 8.2.29, 8.3.* before 8.3.23, 8.4.* before 8.4.10 when parsing XML data in SOAP extensions, overly large (>2Gb) XML namespace prefix may lead to null pointer dereference. This may lead to crashes and affect the availability of the target server.(CVE-2025-6491) An update for php is now available for openEuler-24.03-LTS-SP1. openEuler Security has rated this update as having a security impact of high. A Common Vunlnerability Scoring System(CVSS)base score,which gives a detailed severity rating, is available for each vulnerability from the CVElink(s) in the References section. High php https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2025-1889 https://www.openeuler.org/en/security/cve/detail/?cveId=CVE-2025-1220 https://www.openeuler.org/en/security/cve/detail/?cveId=CVE-2025-1735 https://www.openeuler.org/en/security/cve/detail/?cveId=CVE-2025-6491 https://nvd.nist.gov/vuln/detail/CVE-2025-1220 https://nvd.nist.gov/vuln/detail/CVE-2025-1735 https://nvd.nist.gov/vuln/detail/CVE-2025-6491 openEuler-24.03-LTS-SP1 php-8.3.23-1.oe2403sp1.aarch64.rpm php-bcmath-8.3.23-1.oe2403sp1.aarch64.rpm php-cli-8.3.23-1.oe2403sp1.aarch64.rpm php-common-8.3.23-1.oe2403sp1.aarch64.rpm php-dba-8.3.23-1.oe2403sp1.aarch64.rpm php-dbg-8.3.23-1.oe2403sp1.aarch64.rpm php-debuginfo-8.3.23-1.oe2403sp1.aarch64.rpm php-debugsource-8.3.23-1.oe2403sp1.aarch64.rpm php-devel-8.3.23-1.oe2403sp1.aarch64.rpm php-embedded-8.3.23-1.oe2403sp1.aarch64.rpm php-enchant-8.3.23-1.oe2403sp1.aarch64.rpm php-ffi-8.3.23-1.oe2403sp1.aarch64.rpm php-fpm-8.3.23-1.oe2403sp1.aarch64.rpm php-gd-8.3.23-1.oe2403sp1.aarch64.rpm php-gmp-8.3.23-1.oe2403sp1.aarch64.rpm php-intl-8.3.23-1.oe2403sp1.aarch64.rpm php-ldap-8.3.23-1.oe2403sp1.aarch64.rpm php-mbstring-8.3.23-1.oe2403sp1.aarch64.rpm php-mysqlnd-8.3.23-1.oe2403sp1.aarch64.rpm php-odbc-8.3.23-1.oe2403sp1.aarch64.rpm php-opcache-8.3.23-1.oe2403sp1.aarch64.rpm php-pdo-8.3.23-1.oe2403sp1.aarch64.rpm php-pgsql-8.3.23-1.oe2403sp1.aarch64.rpm php-process-8.3.23-1.oe2403sp1.aarch64.rpm php-snmp-8.3.23-1.oe2403sp1.aarch64.rpm php-soap-8.3.23-1.oe2403sp1.aarch64.rpm php-sodium-8.3.23-1.oe2403sp1.aarch64.rpm php-tidy-8.3.23-1.oe2403sp1.aarch64.rpm php-xml-8.3.23-1.oe2403sp1.aarch64.rpm php-8.3.23-1.oe2403sp1.src.rpm php-8.3.23-1.oe2403sp1.x86_64.rpm php-bcmath-8.3.23-1.oe2403sp1.x86_64.rpm php-cli-8.3.23-1.oe2403sp1.x86_64.rpm php-common-8.3.23-1.oe2403sp1.x86_64.rpm php-dba-8.3.23-1.oe2403sp1.x86_64.rpm php-dbg-8.3.23-1.oe2403sp1.x86_64.rpm php-debuginfo-8.3.23-1.oe2403sp1.x86_64.rpm php-debugsource-8.3.23-1.oe2403sp1.x86_64.rpm php-devel-8.3.23-1.oe2403sp1.x86_64.rpm php-embedded-8.3.23-1.oe2403sp1.x86_64.rpm php-enchant-8.3.23-1.oe2403sp1.x86_64.rpm php-ffi-8.3.23-1.oe2403sp1.x86_64.rpm php-fpm-8.3.23-1.oe2403sp1.x86_64.rpm php-gd-8.3.23-1.oe2403sp1.x86_64.rpm php-gmp-8.3.23-1.oe2403sp1.x86_64.rpm php-intl-8.3.23-1.oe2403sp1.x86_64.rpm php-ldap-8.3.23-1.oe2403sp1.x86_64.rpm php-mbstring-8.3.23-1.oe2403sp1.x86_64.rpm php-mysqlnd-8.3.23-1.oe2403sp1.x86_64.rpm php-odbc-8.3.23-1.oe2403sp1.x86_64.rpm php-opcache-8.3.23-1.oe2403sp1.x86_64.rpm php-pdo-8.3.23-1.oe2403sp1.x86_64.rpm php-pgsql-8.3.23-1.oe2403sp1.x86_64.rpm php-process-8.3.23-1.oe2403sp1.x86_64.rpm php-snmp-8.3.23-1.oe2403sp1.x86_64.rpm php-soap-8.3.23-1.oe2403sp1.x86_64.rpm php-sodium-8.3.23-1.oe2403sp1.x86_64.rpm php-tidy-8.3.23-1.oe2403sp1.x86_64.rpm php-xml-8.3.23-1.oe2403sp1.x86_64.rpm php-help-8.3.23-1.oe2403sp1.noarch.rpm In PHP versions:8.1.* before 8.1.33, 8.2.* before 8.2.29, 8.3.* before 8.3.23, 8.4.* before 8.4.10 some functions like fsockopen() lack validation that the hostname supplied does not contain null characters. This may lead to other functions like parse_url() treat the hostname in different way, thus opening way to security problems if the user code implements access checks before access using such functions. 2025-07-25 CVE-2025-1220 openEuler-24.03-LTS-SP1 High 7.5 AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H php security update 2025-07-25 https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2025-1889 In PHP versions:8.1.* before 8.1.33, 8.2.* before 8.2.29, 8.3.* before 8.3.23, 8.4.* pgsql and pdo_pgsql escaping functions do not check if the underlying quoting functions returned errors. This could cause crashes if Postgres server rejects the string as invalid. 2025-07-25 CVE-2025-1735 openEuler-24.03-LTS-SP1 High 7.5 AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H php security update 2025-07-25 https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2025-1889 In PHP versions:8.1.* before 8.1.33, 8.2.* before 8.2.29, 8.3.* before 8.3.23, 8.4.* before 8.4.10 when parsing XML data in SOAP extensions, overly large (>2Gb) XML namespace prefix may lead to null pointer dereference. This may lead to crashes and affect the availability of the target server. 2025-07-25 CVE-2025-6491 openEuler-24.03-LTS-SP1 Medium 5.9 AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H php security update 2025-07-25 https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2025-1889