
Debian LTS: DLA-4088-1: php7.4 Security Advisory Updates

March 20, 2025
Debian LTS security advisory for PHP 7.4 addressing multiple security issues including HTTP request smuggling and denial of service.
Multiple security issues were found in PHP, a widely-used open source general purpose scripting language, which could result in HTTP request smuggling, validation bypass or denial ...

Summary

CVE-2025-1217

Tim Düsterhus discovered that the header parser of the `http` stream
wrapper does not handle folded headers and passes incorrect MIME
types to an attached stream notifier.

CVE-2025-1219

Tim Düsterhus discovered that when requesting an HTTP resource using
the DOM or SimpleXML extensions, the wrong `content-type` header is
used to determine the charset when the requested resource performs a
redirect.

CVE-2025-1734

It was discovered that the streams HTTP wrapper does not fail for
headers with invalid name and no colon, thereby violating
RFC-mandated behavior.

CVE-2025-1736

It was discovered that the stream HTTP wrapper header check might
omit the basic auth header in some cases.

CVE-2025-1861

It was discovered that the stream HTTP wrapper truncates the redirect
location to 1024 bytes, while the RFC-recommended length is 8000 and
browsers usually limit to around 2048.

GHSA-wg4p-4hqh-c3g9
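
The two parsing cases named in CVE-2025-1217 and CVE-2025-1734 (folded field lines, and field lines with no colon or an invalid name), handled strictly in an added example that is not PHP's code and not part of the advisory. The function names and sample bytes are constructed for illustration; unfolding to a single space follows the RFC 9112 rule for user agents.

```python
import re

# RFC 9110 "token": the only characters allowed in a field name.
TOKEN = re.compile(r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+")


class HeaderError(ValueError):
    """Raised when a field line is malformed and must not be interpreted."""


def parse_fields(raw):
    """Parse a response field section (status line already removed)."""
    fields = []
    for line in raw.decode("latin-1").split("\r\n"):
        if line == "":
            break  # an empty line ends the field section
        if line[0] in " \t":
            # obs-fold: this line continues the previous field value.
            if not fields:
                raise HeaderError("continuation line before any field")
            name, value = fields[-1]
            fields[-1] = (name, (value + " " + line.strip(" \t")).strip())
            continue
        name, colon, value = line.partition(":")
        if not colon:
            raise HeaderError("field line without colon: %r" % line)
        if not TOKEN.fullmatch(name):
            raise HeaderError("invalid field name: %r" % name)
        fields.append((name.lower(), value.strip(" \t")))
    return fields


def content_type(raw):
    """Return the last Content-Type value, unfolded, or None if absent."""
    values = [v for n, v in parse_fields(raw) if n == "content-type"]
    return values[-1] if values else None


# Constructed sample input (not captured traffic).
FOLDED = b"Content-Type: text/html;\r\n charset=utf-8\r\nServer: example\r\n\r\n"
NO_COLON = b"Content-Type text/html\r\nServer: example\r\n\r\n"

if __name__ == "__main__":
    print(content_type(FOLDED))
    try:
        parse_fields(NO_COLON)
    except HeaderError as exc:
        print("rejected:", exc)
```

A parser that reads `FOLDED` one line at a time without unfolding sees only `text/html;` as the media type and loses the charset parameter.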



Severity: important

Package: php7.4
Version: 7.4.33-1+deb11u8
CVE ID: CVE-2025-1217 CVE-2025-1219 CVE-2025-1734 CVE-2025-1736
