rpm package
suse/php8-fastcgi&distro=SUSE Linux Enterprise Module for Web and Scripting 15 SP7
pkg:rpm/suse/php8-fastcgi&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Web%20and%20Scripting%2015%20SP7
Vulnerabilities (6)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2025-14177 | — | | | < 8.3.29-150700.3.9.1 | 8.3.29-150700.3.9.1 | Dec 27, 2025 | In PHP versions: 8.1.* before 8.1.34, 8.2.* before 8.2.30, 8.3.* before 8.3.29, 8.4.* before 8.4.16, 8.5.* before 8.5.1, the getimagesize() function may leak uninitialized heap memory into the APPn segments (e.g., APP1) when reading images in multi-chunk mode (such as via php://fi |
| CVE-2025-14178 | — | | | < 8.3.29-150700.3.9.1 | 8.3.29-150700.3.9.1 | Dec 27, 2025 | In PHP versions: 8.1.* before 8.1.34, 8.2.* before 8.2.30, 8.3.* before 8.3.29, 8.4.* before 8.4.16, 8.5.* before 8.5.1, a heap buffer overflow occurs in array_merge() when the total element count of packed arrays exceeds 32-bit limits or HT_MAX_SIZE, due to an integer overflow in |
| CVE-2025-14180 | — | | | < 8.3.29-150700.3.9.1 | 8.3.29-150700.3.9.1 | Dec 27, 2025 | In PHP versions 8.1.* before 8.1.34, 8.2.* before 8.2.30, 8.3.* before 8.3.29, 8.4.* before 8.4.16, 8.5.* before 8.5.1 when using the PDO PostgreSQL driver with PDO::ATTR_EMULATE_PREPARES enabled, an invalid character sequence (such as \x99) in a prepared statement parameter may |
| CVE-2025-1735 | — | | | < 8.3.23-150700.3.3.1 | 8.3.23-150700.3.3.1 | Jul 13, 2025 | In PHP versions: 8.1.* before 8.1.33, 8.2.* before 8.2.29, 8.3.* before 8.3.23, 8.4.* pgsql and pdo_pgsql escaping functions do not check if the underlying quoting functions returned errors. This could cause crashes if Postgres server rejects the string as invalid. |
| CVE-2025-1220 | — | | | < 8.3.23-150700.3.3.1 | 8.3.23-150700.3.3.1 | Jul 13, 2025 | In PHP versions: 8.1.* before 8.1.33, 8.2.* before 8.2.29, 8.3.* before 8.3.23, 8.4.* before 8.4.10 some functions like fsockopen() lack validation that the hostname supplied does not contain null characters. This may lead to other functions like parse_url() treat the hostname in |
| CVE-2025-6491 | — | | | < 8.3.23-150700.3.3.1 | 8.3.23-150700.3.3.1 | Jul 13, 2025 | In PHP versions: 8.1.* before 8.1.33, 8.2.* before 8.2.29, 8.3.* before 8.3.23, 8.4.* before 8.4.10 when parsing XML data in SOAP extensions, overly large (>2Gb) XML namespace prefix may lead to null pointer dereference. This may lead to crashes and affect the availability of the |