-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 Format: 1.8 Date: Fri, 08 May 2026 07:56:48 +0200 Source: php8.4 Architecture: source Version: 8.4.21-1~deb13u1 Distribution: trixie-security Urgency: high Maintainer: Debian PHP Maintainers Changed-By: Ondřej Surý Changes: php8.4 (8.4.21-1~deb13u1) trixie-security; urgency=high . * New upstream version 8.4.21 + [CVE-2026-7263]: Dom\XMLDocument::C14N() emits duplicate xmlns declarations after setAttributeNS() + [CVE-2026-29078, CVE-2026-29079]: Upgrade to lexbor v2.7.0 + [CVE-2026-6735]: XSS within status endpoint + [CVE-2026-7259]: Null pointer dereference in php_mb_check_encoding() via mb_ereg_search_init() + [CVE-2026-6104]: Out-of-bounds access in mbfl_name2encoding_ex() + [CVE-2025-14179]: SQL injection via NUL bytes in quoted strings + [CVE-2026-6722]: Stale SOAP_GLOBAL(ref_map) pointer with Apache Map + [CVE-2026-7261]: Use-after-free after header parsing failure with SOAP_PERSISTENCE_SESSION + [CVE-2026-7262]: Broken Apache map value NULL check + [CVE-2026-7568]: Signed integer overflow of char array offset + [CVE-2026-7258]: Consistently pass unsigned char to ctype.h functions Checksums-Sha1: bf7c18ffa03d9d3ecdbc749eb8f8307981407170 5619 php8.4_8.4.21-1~deb13u1.dsc f8a4690b8b3f1c231c111aaf70c7018f07d85dc9 13718684 php8.4_8.4.21.orig.tar.xz d5029b47e5df829630ee2df4693dffa9426aea8c 265 php8.4_8.4.21.orig.tar.xz.asc f6d644115bc6cdbc0592dc81c9b2cb84552c7155 74632 php8.4_8.4.21-1~deb13u1.debian.tar.xz e660ab5d2c142ad883b0df6c48c584e8e239a9ad 34165 php8.4_8.4.21-1~deb13u1_amd64.buildinfo Checksums-Sha256: b21423ed946e35ee62a97de0c344e7fc2c2c8c4ef67dcd476dc677d1f4846e5b 5619 php8.4_8.4.21-1~deb13u1.dsc 7cf5d8ab12c3b2016875bcfaec71bef1ef0b07bed6148f2c447577074431f984 13718684 php8.4_8.4.21.orig.tar.xz d881c47bbbe1d6e8f4ef1b247894dc67ece6127e91661ca0903a81143bfe4a25 265 php8.4_8.4.21.orig.tar.xz.asc 7c6583a2fe9cbe5e140a02297ddcfa3541ab481dea51aca7490df2eed8cf8499 74632 php8.4_8.4.21-1~deb13u1.debian.tar.xz a313fe20709cd3f9f696a1a3e0788c1d910a3f0891487e2854c126fc71b3e8b5 34165 php8.4_8.4.21-1~deb13u1_amd64.buildinfo Files: c791552f964c946d0350a335cf82f460 5619 php optional php8.4_8.4.21-1~deb13u1.dsc 60dc752b6bb6ab1c8e8fd930d94c199f 13718684 php optional php8.4_8.4.21.orig.tar.xz 3b47a8c0c849b79200cb5d78ddfccced 265 php optional php8.4_8.4.21.orig.tar.xz.asc 82e64b1cd4f3620e431fc1a4c5e9b530 74632 php optional php8.4_8.4.21-1~deb13u1.debian.tar.xz 295441049a5413990cee09e67053426e 34165 php optional php8.4_8.4.21-1~deb13u1_amd64.buildinfo -----BEGIN PGP SIGNATURE----- iQKTBAEBCgB9FiEEw2Gx4wKVQ+vGJel9g3Kkd++uWcIFAmn9iJNfFIAAAAAALgAo aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEMz NjFCMUUzMDI5NTQzRUJDNjI1RTk3RDgzNzJBNDc3RUZBRTU5QzIACgkQg3Kkd++u WcINehAAo2RvdcK4m421gddhL4tjMccvI0hVVTRB1Sc2UL1W78+WtZXG7rLa0Apc CF2CaKPfks+VYRcIBY54s6SNh3xCAmjPHN/LX4hP+Tb9l3VvNv2God6zzuP9JD+a y1IKA1x6mo5FqM3MsEOthbsxocXKEu5W5BbAj57wG3dg7O5/7P3bo7uKcrc4HwYM D4mpY76TRWk0uJ09cOGEN5vCO3Hr7+oTWMRKNfAIbIMdlakfcrIgm+Pk/IVO7LVL QebiVj6UyAv/w2PqWJZBg4EkGFY9ceaAKifICbnLURwpkcocjWVbQhKzqEHsJvEq M5OtIMC46+HbC9svF9ZVaVSgsRrP3K1YGXC/3Hu5C2mD96Z0N1sdgEzdFF9Jq0VG aSCEYyMk9qLhOClGVgaUljdp80SmhidVnKKNOy5RiDVIWM9EfqGdPK9/m/Z2U1Mc 3SOI4/MavlRbk+b4eC23GQSlfXgBmFUjHKqN01q9PsNZWVy+/62PWm/2mVwCgpDo +xQJYDgYvzUhHbrxL4GJ8QUwdM6iFUO2fiMqrrzEdAS+X1SSHFzabPi/JgT4AfU0 DuD9hnb9ZzdVfdgciaHv8HmMs4ovuTBtuVOmlPmiATBk1870ogejILszBl6YGT/s TX9jUkt4P9XDp00aDzeOVTE6Kf6Tk8DJti67IaE7OnjzyXYpM7k= =8pvy -----END PGP SIGNATURE-----