Stay Secure with the Latest Linux Advisories

security advisorysecurity issuefedora

Fedora 43: PHP 8.4.16 Important Bug Fixes Vulnerability CVE-2025-14180

PHP version 8.4.16 (18 Dec 2025) Core: Sync all boost.context files with release 1.86.0. (mvorisek) Fixed bug GH-20435 (SensitiveParameter doesn't work for named argument passing to variadic parameter). (ndossche). -------------------------------------------------------------------------------- Fedora Update Notification FEDORA-2025-7e9290d67f 2025-12-19 04:19:43.952411+00:00 -------------------------------------------------------------------------------- Name : php Product : Fedora 43 Version : 8.4.16 Release : 1.fc43 URL : http://www.php.net/ Summary : PHP scripting language for creating dynamic web sites Description : PHP is an HTML-embedded scripting language. PHP attempts to make it easy for developers to write dynamically generated web pages. PHP also offers built-in database integration for several commercial and non-commercial database management systems, so writing a database-enabled webpage with PHP is fairly simple. The most common use of PHP coding is probably as a replacement for CGI scripts. -------------------------------------------------------------------------------- Update Information: PHP version 8.4.16 (18 Dec 2025) Core: Sync all boost.context files with release 1.86.0. (mvorisek) Fixed bug GH-20435 (SensitiveParameter doesn't work for named argument passing to variadic parameter). (ndossche) Fixed bug GH-20286 (use-after-destroy during userland stream_close()). (ndossche, David Carlier) Bz2: Fix assertion failures resulting in crashes with stream filter object parameters. (ndossche) Date: Fix crashes when trying to instantiate uninstantiable classes via date static constructors. (ndossche) DOM: Fix memory leak when edge case is hit when registering xpath callback. (ndossche) Fixed bug GH-20395 (querySelector and querySelectorAll requires elements in $selectors to be lowercase). (ndossche) Fix missing NUL byte check on C14NFile(). (ndossche) Fibers: Fixed bug GH-20483 (ASAN stack overflow with fiber.stack_sizeINI small value). (David Carlier) FTP: Fixed bug GH-20601 (ftp_connect overflow on timeout). (David Carlier) GD: Fixed bug GH-20511 (imagegammacorrect out of range input/output values). (David Carlier) Fixed bug GH-20602 (imagescale overflow with large height values). (David Carlier) Intl: Fixed bug GH-20426 (Spoofchecker::setRestrictionLevel() error message suggests missing constants). (DanielEScherzer) LibXML: Fix some deprecations on newer libxml versions regarding input buffer/parser handling. (ndossche) MbString: Fixed bug GH-20491 (SLES15 compile error with mbstring oniguruma). (ndossche) Fixed bug GH-20492 (mbstring compile warning due to non-strings). (ndossche) MySQLnd: Fixed bug GH-20528 (Regression breaks mysql connexion using an IPv6 address enclosed in square brackets). (Remi) Opcache: Fixed bug GH-20329 (opcache.file_cache broken with full interned string buffer). (Arnaud) PDO: Fixed GHSA-8xr5-qppj-gvwj (PDO quoting result null deref). (CVE-2025-14180) (Jakub Zelenka) Phar: Fixed bug GH-20442 (Phar does not respect case-insensitiveness of __halt_compiler() when reading stub). (ndossche, TimWolla) Fix broken return value of fflush() for phar file entries. (ndossche) Fix assertion failure when fseeking a phar file out of bounds. (ndossche) PHPDBG: Fixed ZPP type violation in phpdbg_get_executable() and phpdbg_end_oplog(). (Girgias) SPL: Fixed bug GH-20614 (SplFixedArray incorrectly handles references in deserialization). (ndossche) Standard: Fix memory leak in array_diff() with custom type checks. (ndossche) Fixed bug GH-20583 (Stack overflow in http_build_query via deep structures). (ndossche) Fixed GHSA-www2-q4fc-65wf (Null byte termination in dns_get_record()). (ndossche) Fixed GHSA-h96m-rvf9-jgm2 (Heap buffer overflow in array_merge()). (CVE-2025-14178) (ndossche) Fixed GHSA-3237-qqm7-mfv7 (Information Leak of Memory in getimagesize). (CVE-2025-14177) (ndossche) Tidy: Fixed bug GH-20374 (PHP with tidy and custom-tags). (ndossche) XML: Fixed bugGH-20439 (xml_set_default_handler() does not properly handle special characters in attributes when passing data to callback). (ndossche) Zlib: Fix assertion failures resulting in crashes with stream filter object parameters. (ndossche) -------------------------------------------------------------------------------- ChangeLog: * Wed Dec 17 2025 Remi Collet - 8.4.16-1 - Update to 8.4.16 - http://www.php.net/releases/8_4_16.php -------------------------------------------------------------------------------- This update can be installed with the "dnf" update program. Use su -c 'dnf upgrade --advisory FEDORA-2025-7e9290d67f' at the command line. For more information, refer to the dnf documentation available at http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label All packages are signed with the Fedora Project GPG key. More details on the GPG keys used by the Fedora Project can be found at https://fedoraproject.org/keys -------------------------------------------------------------------------------- -- _______________________________________________ package-announce mailing list -- This email address is being protected from spambots. You need JavaScript enabled to view it. To unsubscribe send an email to This email address is being protected from spambots. You need JavaScript enabled to view it. Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/This email address is being protected from spambots. You need JavaScript enabled to view it. Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue . PHP 8.4.16 for Fedora 43 focuses on enhancing performance and security with crucial bug fixes and updates.. Fedora PHP security threats bug fixes. . Severity: Important. LinuxSecurity.com Team

Dec 19, 2025 •Important Fedora