Debian LTS Advisory DLA-4088-1 debian-lts@lists.debian.org https://www.debian.org/lts/security/ Guilhem Moulin March 20, 2025 https://wiki.debian.org/LTS Package : php7.4 Version : 7.4.33-1+deb11u8 CVE ID : CVE-2025-1217 CVE-2025-1219 CVE-2025-1734 CVE-2025-1736 CVE-2025-1861 Multiple security issues were found in PHP, a widely-used open source general purpose scripting language, which could result in HTTP request smuggling, validation bypass or denial of service. CVE-2025-1217 Tim Düsterhus discovered that the header parser of the `http` stream wrapper does not handle folded headers and passes incorrect MIME types to an attached stream notifier. CVE-2025-1219 Tim Düsterhus discovered that when requesting a HTTP resource using the DOM or SimpleXML extensions, the wrong `content-type` header is used to determine the charset when the requested resource performs a redirect. CVE-2025-1734 It was discovered that the streams HTTP wrapper does not fail for headers with invalid name and no colon, thereby violating RFC-mandated behavior. CVE-2025-1736 It was discovered that the stream HTTP wrapper header check might omit basic auth header in some cases. CVE-2025-1861 It was discovered that the stream HTTP wrapper truncate redirect location to 1024 bytes, while the RFC-recommended length is 8000 and browsers usually limit to around 2048. GHSA-wg4p-4hqh-c3g9 An out of bound…Read More