ELA-1488-1 php7.3 security update

multiple vulnerabilities

2025-07-28
Package: php7.3
Version: 7.3.31-1~deb10u11 (buster)
Related CVEs: CVE-2025-1220 CVE-2025-1735 CVE-2025-6491


CVE-2025-1220

Jihwan Kim discovered that fsockopen() lacked validation that the supplied hostname contains no null characters. Because other functions such as parse_url() handle a hostname with an embedded null differently, an application that validates a hostname with one function and connects with the other can be made to connect to a host it did not intend, potentially resulting in Server Side Request Forgery.
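The following is an added example, not code from the advisory or from the PHP project. It shows the application-side defence that still makes sense after upgrading: reject a user-influenced hostname that contains a NUL byte (or anything else that is not a hostname or IP literal) before it reaches fsockopen(), so that the validation step and the connect step can never disagree about which host is meant. The allow-list, the helper names and the sample hostnames are hypothetical.

```php
<?php
// Added example (not from the advisory or the PHP project).
// Hypothetical helpers: is_safe_hostname() and safe_fsockopen().

declare(strict_types=1);

/**
 * Return true only if $host is a plausible DNS hostname or IP literal
 * and contains no embedded NUL byte.
 *
 * PHP string functions are binary-safe, so strlen() and strpos() see the
 * whole string including anything after a NUL; that is exactly why the
 * check has to be done here, at the PHP level, before the string is
 * handed to a C-level API that may stop at the first NUL.
 */
function is_safe_hostname(string $host): bool
{
    if ($host === '' || strlen($host) > 253) {
        return false;
    }
    // Explicit NUL check (strpos is binary-safe).
    if (strpos($host, "\0") !== false) {
        return false;
    }
    // IPv4/IPv6 literal.
    if (filter_var($host, FILTER_VALIDATE_IP) !== false) {
        return true;
    }
    // Hostname: dot-separated labels of letters, digits and hyphens,
    // each at most 63 characters, optional trailing dot.
    $label = '[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?';
    return preg_match('/\A(?:' . $label . '\.)*' . $label . '\.?\z/i', $host) === 1;
}

/**
 * Open a TCP connection only to a validated, allow-listed host.
 * Returns the stream resource, or null if the host is rejected or
 * the connection fails.
 */
function safe_fsockopen(string $host, int $port, array $allowedHosts, float $timeout = 5.0)
{
    if (!is_safe_hostname($host)) {
        return null;
    }
    // Exact, case-insensitive allow-list match; no prefix/suffix logic
    // that an embedded NUL could be used to satisfy.
    if (!in_array(strtolower(rtrim($host, '.')), $allowedHosts, true)) {
        return null;
    }
    $errno = 0;
    $errstr = '';
    $fp = @fsockopen($host, $port, $errno, $errstr, $timeout);
    return $fp === false ? null : $fp;
}

// Constructed inputs for illustration. The second and third carry an
// embedded NUL; a validator that compares only the part of the string
// up to the NUL, or only the part after it, would accept them while the
// other half names a different host.
$allowed = ['api.example.com'];
$candidates = [
    'api.example.com',
    "api.example.com\0internal.example.net",
    "internal.example.net\0api.example.com",
    '10.0.0.1',
];
foreach ($candidates as $h) {
    printf("%-45s %s\n", addcslashes($h, "\0"), is_safe_hostname($h) ? 'ok' : 'rejected');
}
```

The point of rejecting the NUL before the allow-list comparison is defence in depth: an exact string match would already fail for the NUL-carrying inputs, but real applications often validate with suffix checks, parse_url(), or a regex without \z, and those are the checks that an embedded NUL can defeat. Treating the string as invalid input up front removes the dependency on which half of the string each downstream function happens to look at.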

CVE-2025-1735

It was discovered that pgsql and pdo_pgsql escaping functions do not check if the underlying quoting functions returned errors, which may lead to crashes due to null pointer dereferences.

This issue is related to CVE-2025-1094 which was reported to PostgreSQL.

CVE-2025-6491

Ahmed Lekssays discovered that SoapVar instances created with a fully qualified name larger than 2G could lead to denial of service due to null pointer dereference.



For Debian 10 buster, these problems have been fixed in version 7.3.31-1~deb10u11.

We recommend that you upgrade your php7.3 packages.

Further information about Extended LTS security advisories can be found in the dedicated section of our website.