php:8.3 security update

エラータID: AXSA:2025-10557:01

Release date: 
Tuesday, July 22, 2025 - 21:48
Subject: 
php:8.3 security update
Affected Channels: 
MIRACLE LINUX 9 for x86_64
Severity: 
High
Description: 

PHP is an HTML-embedded scripting language commonly used with the Apache HTTP Server.

Security Fix(es):

* php: Header parser of http stream wrapper does not handle folded headers (CVE-2025-1217)
* php: Stream HTTP wrapper header check might omit basic auth header (CVE-2025-1736)
* php: Streams HTTP wrapper does not fail for headers with invalid name and no colon (CVE-2025-1734)
* php: libxml streams use wrong content-type header when requesting a redirected resource (CVE-2025-1219)
* php: Stream HTTP wrapper truncates redirect location to 1024 bytes (CVE-2025-1861)
* php: Reference counting in php_request_shutdown causes Use-After-Free (CVE-2024-11235)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

CVE-2024-11235
In PHP versions 8.3.* before 8.3.19 and 8.4.* before 8.4.5, a code sequence involving __set handler or ??=  operator and exceptions can lead to a use-after-free vulnerability. If the third party can control the memory layout leading to this, for example by supplying specially crafted inputs to the script, it could lead to remote code execution.
CVE-2025-1217
In PHP from 8.1.* before 8.1.32, from 8.2.* before 8.2.28, from 8.3.* before 8.3.19, from 8.4.* before 8.4.5, when http request module parses HTTP response obtained from a server, folded headers are parsed incorrectly, which may lead to misinterpreting the response and using incorrect headers, MIME types, etc.
CVE-2025-1219
In PHP from 8.1.* before 8.1.32, from 8.2.* before 8.2.28, from 8.3.* before 8.3.19, from 8.4.* before 8.4.5, when requesting a HTTP resource using the DOM or SimpleXML extensions, the wrong content-type header is used to determine the charset when the requested resource performs a redirect. This may cause the resulting document to be parsed incorrectly or bypass validations.
CVE-2025-1734
In PHP from 8.1.* before 8.1.32, from 8.2.* before 8.2.28, from 8.3.* before 8.3.19, from 8.4.* before 8.4.5, when receiving headers from HTTP server, the headers missing a colon (:) are treated as valid headers even though they are not. This may confuse applications into accepting invalid headers.
CVE-2025-1736
In PHP from 8.1.* before 8.1.32, from 8.2.* before 8.2.28, from 8.3.* before 8.3.19, from 8.4.* before 8.4.5, when user-supplied headers are sent, the insufficient validation of the end-of-line characters may prevent certain headers from being sent or lead to certain headers be misinterpreted.
CVE-2025-1861
In PHP from 8.1.* before 8.1.32, from 8.2.* before 8.2.28, from 8.3.* before 8.3.19, from 8.4.* before 8.4.5, when parsing HTTP redirect in the response to an HTTP request, there is currently limit on the location value size caused by limited size of the location buffer to 1024. However as per RFC9110, the limit is recommended to be 8000. This may lead to incorrect URL truncation and redirecting to a wrong location.

Modularity name: "php"
Stream name: "8.3"

Solution: 

Update packages.

CVEs: 
CVE-2024-11235
In PHP versions 8.3.* before 8.3.19 and 8.4.* before 8.4.5, a code sequence involving __set handler or ??= operator and exceptions can lead to a use-after-free vulnerability. If the third party can control the memory layout leading to this, for example by supplying specially crafted inputs to the script, it could lead to remote code execution.
CVE-2025-1217
In PHP from 8.1.* before 8.1.32, from 8.2.* before 8.2.28, from 8.3.* before 8.3.19, from 8.4.* before 8.4.5, when http request module parses HTTP response obtained from a server, folded headers are parsed incorrectly, which may lead to misinterpreting the response and using incorrect headers, MIME types, etc.
CVE-2025-1219
In PHP from 8.1.* before 8.1.32, from 8.2.* before 8.2.28, from 8.3.* before 8.3.19, from 8.4.* before 8.4.5, when requesting a HTTP resource using the DOM or SimpleXML extensions, the wrong content-type header is used to determine the charset when the requested resource performs a redirect. This may cause the resulting document to be parsed incorrectly or bypass validations.
CVE-2025-1734
In PHP from 8.1.* before 8.1.32, from 8.2.* before 8.2.28, from 8.3.* before 8.3.19, from 8.4.* before 8.4.5, when receiving headers from HTTP server, the headers missing a colon (:) are treated as valid headers even though they are not. This may confuse applications into accepting invalid headers.
CVE-2025-1736
In PHP from 8.1.* before 8.1.32, from 8.2.* before 8.2.28, from 8.3.* before 8.3.19, from 8.4.* before 8.4.5, when user-supplied headers are sent, the insufficient validation of the end-of-line characters may prevent certain headers from being sent or lead to certain headers be misinterpreted.
CVE-2025-1861
In PHP from 8.1.* before 8.1.32, from 8.2.* before 8.2.28, from 8.3.* before 8.3.19, from 8.4.* before 8.4.5, when parsing HTTP redirect in the response to an HTTP request, there is currently limit on the location value size caused by limited size of the location buffer to 1024. However as per RFC9110, the limit is recommended to be 8000. This may lead to incorrect URL truncation and redirecting to a wrong location.
Additional Info: 

N/A

Download: 

SRPMS
  1. php-pecl-apcu-5.1.23-1.module+el9+1096+992da292.src.rpm
    MD5: fca0b695df2792b8a8c46515a912de11
    SHA-256: dafe6a1c47f0832f372be73d8867eb712be5a6257fe8b7eea2d5c9928e65fa68
    Size: 101.79 kB
  2. php-pecl-redis6-6.1.0-2.module+el9+1096+992da292.src.rpm
    MD5: 53537473ce36d5b480af1cfd614db0ff
    SHA-256: 1b79fb44561b10360f547629c50b3e5c628834c2295695eca52e3b188b60eb3d
    Size: 379.60 kB
  3. php-pecl-rrd-2.0.3-4.module+el9+1096+992da292.src.rpm
    MD5: 8665718e75999d6674fb624b9b5de4bf
    SHA-256: c3523028fcf361efe00407d28f041b229ef859949a6bc22f5be8ac6bea2b8658
    Size: 29.68 kB
  4. php-pecl-xdebug3-3.3.1-1.module+el9+1096+992da292.src.rpm
    MD5: 448b68aca9277a279853d0553c9e9f55
    SHA-256: 1dcd02424ee7ded6edfd977cdb583e16d916c9e5e5d22add5fd83af13140918a
    Size: 472.95 kB
  5. php-pecl-zip-1.22.3-1.module+el9+1096+992da292.src.rpm
    MD5: 7101a5ea117490d50e22adfc9e5d7412
    SHA-256: 6cde27087e2c104f9e4e7f065a1d0984c1833c67aba9c3a336ad0da75ae5b449
    Size: 365.30 kB
  6. php-8.3.19-1.module+el9+1096+992da292.src.rpm
    MD5: 9aa3d8ae0ec6d60e208efd8ceb63dd7f
    SHA-256: e543010122c729ca4389e4692792f2234ef910a55cc8c51d5dbc759492cc6a8d
    Size: 12.12 MB

Asianux Server 9 for x86_64
  1. apcu-panel-5.1.23-1.module+el9+1096+992da292.noarch.rpm
    MD5: 8875870303385f241c84ff693a684133
    SHA-256: 59ce7c6c2a9e3b6f977eb0ba09e597c66337ad46235dabbd976cf1a8f191a5c0
    Size: 18.21 kB
  2. php-8.3.19-1.module+el9+1096+992da292.x86_64.rpm
    MD5: a67f39b35ab04cbbdf3ae44d7b7ccfed
    SHA-256: c2ef3b17bfb44a8deeb96d0851414c814ea3bb5938ed83e18ecbb688ac0dedd0
    Size: 7.69 kB
  3. php-bcmath-8.3.19-1.module+el9+1096+992da292.x86_64.rpm
    MD5: c430928e24f9d341f65276aa17186201
    SHA-256: 6cb648c406f4e8282a8629d801a27cc94147efa81f7c11babf9483298c6f3f9f
    Size: 33.21 kB
  4. php-cli-8.3.19-1.module+el9+1096+992da292.x86_64.rpm
    MD5: 896ee7c40431e7c54834070fc346034f
    SHA-256: e912b2a332307b33b6bec0e97f026a673ceeb130f81bd0050a9b3c20521600f7
    Size: 3.72 MB
  5. php-common-8.3.19-1.module+el9+1096+992da292.x86_64.rpm
    MD5: 45d97d376af2137f3fd2255259152138
    SHA-256: 9c31a7562b6887ae9a10f78cbd65d1dcf83b4b2b6c9b05bb3f07d18d0b86172b
    Size: 717.53 kB
  6. php-dba-8.3.19-1.module+el9+1096+992da292.x86_64.rpm
    MD5: 48a1b83905f0aedb7923ea4492bf13ac
    SHA-256: bf2c38fb13012e26c469958d6c10665b3a7568ebfb483f55d66c8f450b2f8820
    Size: 32.39 kB
  7. php-dbg-8.3.19-1.module+el9+1096+992da292.x86_64.rpm
    MD5: 289445177eb3f5c4aa3a5ace04e5832e
    SHA-256: 2cf0e3fdc47694b0a722b01d4cdb5d47af16b8ddbb8af331eecd226627e6c596
    Size: 1.92 MB
  8. php-debugsource-8.3.19-1.module+el9+1096+992da292.x86_64.rpm
    MD5: 4c2ecce7fe275c2a59f37a6ad25523b3
    SHA-256: 89552ac34009d00735e12d47e384dda726bb90f1eca7369d41fc65b3a751bc3f
    Size: 4.34 MB
  9. php-devel-8.3.19-1.module+el9+1096+992da292.x86_64.rpm
    MD5: 1a05dce0da640a63e67998e300e7010d
    SHA-256: 5e0da57ba05fe2e6d367eb1d36a2fcfe4d8ea0f58d7d19dd8534140a877b4997
    Size: 787.23 kB
  10. php-embedded-8.3.19-1.module+el9+1096+992da292.x86_64.rpm
    MD5: 51e13452b4353fb54999a158fc1ab64a
    SHA-256: e7cfc0d07ac136ee80f5c668e46d0a03722f114911c928a2084d0f8e44a6074a
    Size: 1.83 MB
  11. php-enchant-8.3.19-1.module+el9+1096+992da292.x86_64.rpm
    MD5: d7357630dc516a63f722c4d803fdfe95
    SHA-256: b67c7ec4860ce6bc341b159d1bf8fe4cc5a775c7af0544ac8c80730f2a0a6f82
    Size: 17.24 kB
  12. php-ffi-8.3.19-1.module+el9+1096+992da292.x86_64.rpm
    MD5: dec37b247e8b3b1a7d9b95a7cfad5042
    SHA-256: 55419bcdd5fe8ffd01dbc58c5dba066860c3542cfa36cd3017a4da6181e88c65
    Size: 77.65 kB
  13. php-fpm-8.3.19-1.module+el9+1096+992da292.x86_64.rpm
    MD5: a3ac08b45ab58ca46c53be6e4a982fe0
    SHA-256: 3e763e0dd7d7881bc387f42335c5e7428ed85434f42ff72f373635f8dc04c4e7
    Size: 1.92 MB
  14. php-gd-8.3.19-1.module+el9+1096+992da292.x86_64.rpm
    MD5: 86a94bfef56bfad85b7e9106aa1b6445
    SHA-256: 2faa760e85136f52ce0df40c04fd70e7dbb3a4342038b58d4d14b2875049ff07
    Size: 40.03 kB
  15. php-gmp-8.3.19-1.module+el9+1096+992da292.x86_64.rpm
    MD5: 8aba7a25a2050078958b8adb06b8be1a
    SHA-256: 2c8bf7b8f4f46f0191ed14f406756d9b43cfd05d81af2e8a07eb8342e9b2d1b1
    Size: 30.24 kB
  16. php-intl-8.3.19-1.module+el9+1096+992da292.x86_64.rpm
    MD5: 45f7a3d4a2c2e31752d4f3dbccba309c
    SHA-256: 865657da889725c80fa50554bcbb73ee9bae325c95b3b602d82bd5eda33004fe
    Size: 166.96 kB
  17. php-ldap-8.3.19-1.module+el9+1096+992da292.x86_64.rpm
    MD5: a1849a573d7ae82ae47326777202be58
    SHA-256: c2ffafa33f55463f6ac53fdcce5c7a87cca34ff607914830a65570037ea30a76
    Size: 41.39 kB
  18. php-mbstring-8.3.19-1.module+el9+1096+992da292.x86_64.rpm
    MD5: 3a6798efa35727a2bb3c3992de9ccb43
    SHA-256: a6f87cabf39195949b882d99bb002437b8db1a9cf781f25845c91c35802d38b8
    Size: 524.08 kB
  19. php-mysqlnd-8.3.19-1.module+el9+1096+992da292.x86_64.rpm
    MD5: 51ff09cd1c61422fa6c3357bfc1e4111
    SHA-256: 69c820e55cbb7de93feb693153efdda3193301de78ba7db7c27e4db2ad13e850
    Size: 143.81 kB
  20. php-odbc-8.3.19-1.module+el9+1096+992da292.x86_64.rpm
    MD5: 348642523f0a6d3dbafac354d923c9b1
    SHA-256: 0a11aa04c666c7b81f69b14a206c08e9695ea0258be0eb7cd7663517737ccf47
    Size: 45.29 kB
  21. php-opcache-8.3.19-1.module+el9+1096+992da292.x86_64.rpm
    MD5: d17f50ca8d393b33f11aebe8789668b0
    SHA-256: 32485c7fa1c5a7cb54eb3562fed3293bf5b453a4d0ed585b6c52be9c2151a88a
    Size: 352.74 kB
  22. php-pdo-8.3.19-1.module+el9+1096+992da292.x86_64.rpm
    MD5: 4c253fe66b5f9b292b2f4ff4f7a9964f
    SHA-256: d569d373522b86cbca9b1f4e5282e6a8398c133eb7ee7d9a1ad7d47f72ac0e92
    Size: 85.72 kB
  23. php-pecl-apcu-5.1.23-1.module+el9+1096+992da292.x86_64.rpm
    MD5: 63ab4c7673a4c82655a46678015659cd
    SHA-256: 5c9833a09f406b66cc33a3d00a4ff843415d1d2586f85f4d24bbe7e2e4bcf8c9
    Size: 59.42 kB
  24. php-pecl-apcu-debugsource-5.1.23-1.module+el9+1096+992da292.x86_64.rpm
    MD5: b94790c4314e797ec65349be93de9b28
    SHA-256: c50a4dded66da0e7cbbe9a1af6bb5602d35d6ab585740c620e9b2973c500221e
    Size: 52.55 kB
  25. php-pecl-apcu-devel-5.1.23-1.module+el9+1096+992da292.x86_64.rpm
    MD5: 9e32d264e456751accc8c3fe2a1320a0
    SHA-256: 1230e6ce8f2ad93c0b982c7463691e1f89290c378b14aedf79ee3ab04c0dda4d
    Size: 61.68 kB
  26. php-pecl-redis6-6.1.0-2.module+el9+1096+992da292.x86_64.rpm
    MD5: 2bf5b62ff341b3633edd9b9f6839c00a
    SHA-256: b34d48147046815ea1fd0d43bc622174dc50f2fc9c54b88ad029cdc5af9aef7a
    Size: 273.96 kB
  27. php-pecl-redis6-debugsource-6.1.0-2.module+el9+1096+992da292.x86_64.rpm
    MD5: 6fe04f9d33c2001018a4771626003570
    SHA-256: 84453cc59cbf54e915c7c0e6fd6c0215c6ee14b1be07ff1214cdb6ced8ab29ed
    Size: 151.40 kB
  28. php-pecl-rrd-2.0.3-4.module+el9+1096+992da292.x86_64.rpm
    MD5: 857e09c244a02c4316a2979b5c624bb3
    SHA-256: fce8326522746125f8266368683937b8cd635c132c5e8d1cfe8c5d57c545b7a5
    Size: 26.45 kB
  29. php-pecl-rrd-debugsource-2.0.3-4.module+el9+1096+992da292.x86_64.rpm
    MD5: b48eea18d3ace292c9d37a5f5dd8a1d6
    SHA-256: d7bca7b874d4d839dc06ef5c7dcbfed226febf7bbb5f5b880ff337e5cd674ce8
    Size: 17.68 kB
  30. php-pecl-xdebug3-3.3.1-1.module+el9+1096+992da292.x86_64.rpm
    MD5: 9cb32a55fa40d8708da56ef03d11ebb6
    SHA-256: 561ba580e5776169dd548ff0b334bea2be25e1697ee3df816f06deb8b3dddc11
    Size: 209.64 kB
  31. php-pecl-xdebug3-debugsource-3.3.1-1.module+el9+1096+992da292.x86_64.rpm
    MD5: 0e7a845d78674cc218d42c21091b2fd9
    SHA-256: 1a16817c8158bd7e61fd21697e29e33cb58af162bd0c8de0b9f13df8617fd3dc
    Size: 165.95 kB
  32. php-pecl-zip-1.22.3-1.module+el9+1096+992da292.x86_64.rpm
    MD5: 4d7aac62431ab127e94b38fbcbd49af7
    SHA-256: ed69becee8a85234500d499a1d835c87e9dd3f1dcd9cab441e848dc3224c29ba
    Size: 63.46 kB
  33. php-pecl-zip-debugsource-1.22.3-1.module+el9+1096+992da292.x86_64.rpm
    MD5: 3c3891b30ec2fbb515a1a9b02dfbd8a6
    SHA-256: df7426b02b233059604e303aae4d49da78d2b6570f5590fd9d73ddc73a537c1c
    Size: 30.79 kB
  34. php-pgsql-8.3.19-1.module+el9+1096+992da292.x86_64.rpm
    MD5: be01fb4cd35986fd4009c9e1ef1900fc
    SHA-256: 2817e668450e675e171b3ccedc552df831059d7c3d7a4a69d4fd9e3a687f3b2a
    Size: 73.67 kB
  35. php-process-8.3.19-1.module+el9+1096+992da292.x86_64.rpm
    MD5: 70df2e56387d9745e0c533c4ed5bf0f4
    SHA-256: e0af04b477942051fd151799bcec7bbf604399c9c9d90c6cb183f5ed95610663
    Size: 41.22 kB
  36. php-snmp-8.3.19-1.module+el9+1096+992da292.x86_64.rpm
    MD5: 8c27db0447ddd85c407b4b6cce0e1681
    SHA-256: 28138680c3c6218bd3864737f5d00ed9b0e991b419633c119b80f08a7655d392
    Size: 31.06 kB
  37. php-soap-8.3.19-1.module+el9+1096+992da292.x86_64.rpm
    MD5: d361ccdc5ca480d9719792f2427ecd5f
    SHA-256: e29149e549a31f7a1c80cf6b5fc224bf41bd78b23e3fefc650e992fb19635689
    Size: 140.84 kB
  38. php-xml-8.3.19-1.module+el9+1096+992da292.x86_64.rpm
    MD5: 9abd07d72e603f9b4eb238d023108b57
    SHA-256: 8359aa95935e85d33e9d455b4fc70bec5ecde894ffa1bba7fccdd85ed8fb2a90
    Size: 149.91 kB