Ubuntu 20.04: USN-7648-2 Advisory on Critical PHP Security Issues
Aug 22, 2025
•
LinuxSecurity Advisories
2 - 3 min read
Topics Covered
Several security issues were fixed in PHP.
==========================================================================
Ubuntu Security Notice USN-7648-2
August 21, 2025
php7.0, php7.2, php7.4 vulnerabilities
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 20.04 LTS
- Ubuntu 18.04 LTS
- Ubuntu 16.04 LTS
Summary:
Several security issues were fixed in PHP.
Software Description:
- php7.4: HTML-embedded scripting language interpreter
- php7.2: HTML-embedded scripting language interpreter
- php7.0: HTML-embedded scripting language interpreter
Details:
USN-7648-1 fixed several vulnerabilities in PHP. This update
provides the corresponding updates for Ubuntu 16.04 LTS, Ubuntu
18.04 LTS, and Ubuntu 20.04 LTS.
Original advisory details:
It was discovered that PHP incorrectly handled certain hostnames containing
null characters. A remote attacker could possibly use this issue to bypass
certain hostname validation checks. (CVE-2025-1220)
It was discovered that PHP incorrectly handled the pgsql and pdo_pgsql
escaping functions. A remote attacker could possibly use this issue to
cause PHP to crash, resulting in a denial of service. (CVE-2025-1735)
It was discovered that PHP incorrectly handled parsing certain XML data in
SOAP extensions. A remote attacker could possibly use this issue to cause
PHP to crash, resulting in a denial of service. (CVE-2025-6491)
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 20.04 LTS
php7.4 7.4.3-4ubuntu2.29+esm1
Available with Ubuntu Pro
php7.4-cgi 7.4.3-4ubuntu2.29+esm1
Available with Ubuntu Pro
php7.4-cli 7.4.3-4ubuntu2.29+esm1
Available with Ubuntu Pro
php7.4-fpm 7.4.3-4ubuntu2.29+esm1
Available with Ubuntu Pro
php7.4-pgsql 7.4.3-4ubuntu2.29+esm1
Available with Ubuntu Pro
Ubuntu 18.04 LTS
php7.2 7.2.24-0ubuntu0.18.04.17+esm9
Available with Ubuntu Pro
php7.2-cgi 7.2.24-0ubuntu0.18.04.17+esm9
Available with Ubuntu Pro
php7.2-cli 7.2.24-0ubuntu0.18.04.17+esm9
Available with Ubuntu Pro
php7.2-fpm 7.2.24-0ubuntu0.18.04.17+esm9
Available with Ubuntu Pro
php7.2-pgsql 7.2.24-0ubuntu0.18.04.17+esm9
Available with Ubuntu Pro
Ubuntu 16.04 LTS
php7.0 7.0.33-0ubuntu0.16.04.16+esm16
Available with Ubuntu Pro
php7.0-cgi 7.0.33-0ubuntu0.16.04.16+esm16
Available with Ubuntu Pro
php7.0-cli 7.0.33-0ubuntu0.16.04.16+esm16
Available with Ubuntu Pro
php7.0-fpm 7.0.33-0ubuntu0.16.04.16+esm16
Available with Ubuntu Pro
php7.0-pgsql 7.0.33-0ubuntu0.16.04.16+esm16
Available with Ubuntu Pro
In general, a standard system update will make all the necessary changes.
References:
https://ubuntu.com/security/notices/USN-7648-2
https://ubuntu.com/security/notices/USN-7648-1
CVE-2025-1220, CVE-2025-1735, CVE-2025-6491
PREVIOUS
NEXT
Ubuntu 20.04: USN-7648-2 Advisory on Critical PHP Security Issues
ubuntu
August 22, 2025
Several security issues were fixed in PHP.
Summary
A security issue affects these releases of Ubuntu and its derivatives: - Ubuntu 20.04 LTS - Ubuntu 18.04 LTS - Ubuntu 16.04 LTS Summary: Several security issues were fixed in PHP. Software Description: - php7.4: HTML-embedded scripting language interpreter - php7.2: HTML-embedded scripting language interpreter - php7.0: HTML-embedded scripting language interpreter Details: USN-7648-1 fixed several vulnerabilities in PHP. This update provides the corresponding updates for Ubuntu 16.04 LTS, Ubuntu 18.04 LTS, and Ubuntu 20.04 LTS. Original advisory details: It was discovered that PHP incorrectly handled certain hostnames containing null characters. A remote attacker could possibly use this issue to bypass certain hostname validation checks. (CVE-2025-1220) It was discovered that PHP incorrectly handled the pgsql and pdo_pgsql escaping functions. A remote attacker could possibly use this issue to cause PHP to crash, resulting in a denial of service. (CVE-2025-1735) It ...
Read the Full Advisory
Topics Covered
Update Instructions
The problem can be corrected by updating your system to the following package versions: Ubuntu 20.04 LTS php7.4 7.4.3-4ubuntu2.29+esm1 Available with Ubuntu Pro php7.4-cgi 7.4.3-4ubuntu2.29+esm1 Available with Ubuntu Pro php7.4-cli 7.4.3-4ubuntu2.29+esm1 Available with Ubuntu Pro php7.4-fpm 7.4.3-4ubuntu2.29+esm1 Available with Ubuntu Pro php7.4-pgsql 7.4.3-4ubuntu2.29+esm1 Available with Ubuntu Pro Ubuntu 18.04 LTS php7.2 7.2.24-0ubuntu0.18.04.17+esm9 Available with Ubuntu Pro php7.2-cgi 7.2.24-0ubuntu0.18.04.17+esm9 Available with Ubuntu Pro php7.2-cli 7.2.24-0ubuntu0.18.04.17+esm9 Available with Ubuntu Pro php7.2-fpm 7.2.24-0ubuntu0.18.04.17+esm9 Available with Ubuntu Pro php7.2-pgsql 7.2.24-0ubuntu0.18.04.17+esm9 Available with Ubuntu Pro Ubuntu 16.04 LTS php7.0 7.0.33-0ubuntu0.16.04.16+esm16 Available with Ubuntu Pro php7.0-cgi 7.0.33-0ubuntu0.16.04.16+esm16 Available with Ubuntu Pro php7.0-cli 7.0.33-0ubuntu0.16.04.16+esm16 Available with Ubuntu Pro php7.0-fpm 7.0.33-0ubuntu0.16.04.16+esm16 Available with Ubuntu Pro php7.0-pgsql 7.0.33-0ubuntu0.16.04.16+esm16 Available with Ubuntu Pro In general, a standard system update will make all the necessary changes.
References
https://ubuntu.com/security/notices/USN-7648-2
https://ubuntu.com/security/notices/USN-7648-1
CVE-2025-1220, CVE-2025-1735, CVE-2025-6491
Severity
critical
Lowest
Low
Medium
High
Critical
Ubuntu Security Notice USN-7648-2
Topics Covered
Package Information
Get the latest News and Insights
Get the latest Linux and open source security news straight to your inbox.
Related News
Powered By
Linux Security - Your source for Top Linux News, Advisories, HOWTOs and Feature Releases
QUICK LINKS
subscribe to newsletters!
Like staying secure? So do we.
Sign up for updates, tips, and alerts!