[Git][security-tracker-team/security-tracker][master] new php issues

[Moritz Muehlenhoff (@jmm)]

Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker


Commits:
fb688e64 by Moritz Muehlenhoff at 2026-05-08T10:06:44+02:00
new php issues

- - - - -


2 changed files:

- data/CVE/list
- data/dsa-needed.txt


Changes:

=====================================
data/CVE/list
=====================================
@@ -1,3 +1,67 @@
+CVE-2026-7258
+	- php8.4 <unfixed>
+	- php8.2 <removed>
+	- php7.4 <removed>
+	NOTE: https://github.com/php/php-src/security/advisories/GHSA-m8rr-4c36-8gq4
+	NOTE: https://github.com/php/php-src/commit/b8dad9314c1e225a1a2d50608e4e7d478c34365c
+	NOTE: https://github.com/php/php-src/commit/dc9e21b81c143faa9677bb0cf157e83960a24d0d
+	NOTE: https://github.com/php/php-src/commit/398b7dabfbd2e8f4f4ed2065dbcf3e3794e8ca47
+	NOTE: https://github.com/php/php-src/commit/a38418777f65780d9d622197677e90567690fc07
+	NOTE: https://github.com/php/php-src/commit/
+CVE-2026-7568
+	- php8.4 <unfixed>
+	- php8.2 <removed>
+	- php7.4 <removed>
+	NOTE: https://github.com/php/php-src/security/advisories/GHSA-96wq-48vp-hh57
+	NOTE: https://github.com/php/php-src/commit/47def8ce1db1fdbffcfc1f5bb11877a0e22d4b32
+CVE-2026-7262
+	- php8.4 <unfixed>
+	- php8.2 <removed>
+	- php7.4 <removed>
+	NOTE: https://github.com/php/php-src/security/advisories/GHSA-hmxp-6pc4-f3vv
+	NOTE: https://github.com/php/php-src/commit/79551ab8b1a97760c739e372f9bc359619f3554d
+CVE-2026-7261
+	- php8.4 <unfixed>
+	- php8.2 <removed>
+	- php7.4 <removed>
+	NOTE: https://github.com/php/php-src/commit/db2a7f9348fd5dda5fd162061786a664c417bf5b
+	NOTE: https://github.com/php/php-src/security/advisories/GHSA-m33r-qmcv-p97q
+CVE-2026-6722
+	- php8.4 <unfixed>
+	- php8.2 <removed>
+	- php7.4 <removed>
+	NOTE: https://github.com/php/php-src/security/advisories/GHSA-85c2-q967-79q5
+	NOTE: https://github.com/php/php-src/commit/aee3b3ac9b816b0def1c462695b483b49a83148e
+CVE-2025-14179
+	- php8.4 <unfixed>
+	- php8.2 <removed>
+	- php7.4 <removed>
+	NOTE: https://github.com/php/php-src/security/advisories/GHSA-w476-322c-wpvm
+	NOTE: https://github.com/php/php-src/commit/3f40b65323dd1b85e9bab6878237d3867e449d5c
+CVE-2026-6104
+	- php8.4 <unfixed>
+	- php8.2 <not-affected> (Only affects 8.4 and later)
+	- php7.4 <not-affected> (Only affects 8.4 and later)
+	NOTE: https://github.com/php/php-src/security/advisories/GHSA-74r9-qxhc-fx53
+	NOTE: https://github.com/php/php-src/commit/56ee76f82045ab728f3e63e20bf9530621e829cb
+CVE-2026-7259
+	- php8.4 <unfixed>
+	- php8.2 <removed>
+	- php7.4 <removed>
+	NOTE: https://github.com/php/php-src/security/advisories/GHSA-wm6j-2649-pv75
+	NOTE: https://github.com/php/php-src/commit/79a054eae016c56409432e69aebc8ca908a88838
+CVE-2026-6735
+	- php8.4 <unfixed>
+	- php8.2 <removed>
+	- php7.4 <removed>
+	NOTE: https://github.com/php/php-src/security/advisories/GHSA-7qg2-v9fj-4mwv
+	NOTE: https://github.com/php/php-src/commit/99a5ad7441de9914246c7863adb6997396008b9d
+CVE-2026-7263
+	- php8.4 <unfixed>
+	- php8.2 <not-affected> (Only affects 8.4 and later)
+	- php7.4 <not-affected> (Only affects 8.4 and later)
+	NOTE: https://github.com/php/php-src/security/advisories/GHSA-4jhr-8w89-j733
+	NOTE: https://github.com/php/php-src/commit/d43c523c48960e9ca0bf9c747e9bad8e5121edff
 CVE-2026-8149 (A vulnerability in Legion of the Bouncy Castle Inc. BC-FJA BC-FIPS on  ...)
 	TODO: check
 CVE-2026-8148 (NAVER MYBOX Explorer for Windows before 3.0.11.160 allows a local atta ...)


=====================================
data/dsa-needed.txt
=====================================
@@ -86,6 +86,10 @@ openvswitch
 pdfminer (carnil)
   Required followup for CVE-2025-64512 as original fix was incomplete.
 --
+php8.4/stable (jmm)
+--
+php8.2/oldstable (jmm)
+--
 php-laravel-framework/oldstable
 --
 postorius (jmm)



View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/fb688e64da8f7cb33d38616886ca3def8effccea

-- 
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/fb688e64da8f7cb33d38616886ca3def8effccea
You're receiving this email because of your account on salsa.debian.org. Manage all notifications: https://salsa.debian.org/-/profile/notifications | Help: https://salsa.debian.org/help


-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://alioth-lists.debian.net/pipermail/debian-security-tracker-commits/attachments/20260508/bc7ca860/attachment-0001.htm>