File _patchinfo of Package patchinfo.37961
<patchinfo incident="37961">
<issue tracker="cve" id="2025-1861"/>
<issue tracker="cve" id="2025-1736"/>
<issue tracker="cve" id="2025-1219"/>
<issue tracker="cve" id="2024-11235"/>
<issue tracker="cve" id="2025-1734"/>
<issue tracker="cve" id="2025-1217"/>
<issue tracker="bnc" id="1239669">VUL-0: CVE-2025-1861: php53,php7,php72,php74,php8: Stream HTTP wrapper truncate redirect location to 1024 bytes</issue>
<issue tracker="bnc" id="1239666">VUL-0: CVE-2024-11235: php53,php7,php72,php74,php8: Reference counting in php_request_shutdown causes Use-After-Free</issue>
<issue tracker="bnc" id="1239667">VUL-0: CVE-2025-1219: php53,php7,php72,php74,php8: libxml streams use wrong `content-type` header when requesting a redirected resource</issue>
<issue tracker="bnc" id="1239668">VUL-0: CVE-2025-1734: php53,php7,php72,php74,php8: Streams HTTP wrapper does not fail for headers with invalid name and no colon</issue>
<issue tracker="bnc" id="1239670">VUL-0: CVE-2025-1736: php53,php7,php72,php74,php8: Stream HTTP wrapper header check might omit basic auth header</issue>
<issue tracker="bnc" id="1239664">VUL-0: CVE-2025-1217: php53,php7,php72,php74,php8: Header parser of `http` stream wrapper does not handle folded headers</issue>
<packager>pgajdos</packager>
<rating>important</rating>
<category>security</category>
<summary>Security update for php8</summary>
<description>This update for php8 fixes the following issues:
- CVE-2024-11235: Fixed reference counting in php_request_shutdown causing Use-After-Free (bsc#1239666)
- CVE-2025-1217: Fixed header parser of http stream wrapper not handling folded headers (bsc#1239664)
- CVE-2025-1219: Fixed libxml streams using wrong content-type header when requesting a redirected resource (bsc#1239667)
- CVE-2025-1734: Fixed streams HTTP wrapper not failing for headers with invalid name and no colon (bsc#1239668)
- CVE-2025-1736: Fixed stream HTTP wrapper header check might omitting basic auth header (bsc#1239670)
- CVE-2025-1861: Fixed stream HTTP wrapper truncate redirect location to 1024 bytes (bsc#1239669)
</description>
</patchinfo>