------------------------------------------------------------------------- Debian LTS Advisory DLA-4447-1 [email protected] https://www.debian.org/lts/security/ Guilhem Moulin January 24, 2026 https://wiki.debian.org/LTS -------------------------------------------------------------------------
Package : php7.4
Version : 7.4.33-1+deb11u10
CVE ID : CVE-2025-14178
Debian Bug : 1123574
Multiple security issues were found in PHP, a widely-used open source
general purpose scripting language, which could result in server side
request forgery or denial of service.
CVE-2025-14178
Heap buffer overflow in array_merge().
GHSA-www2-q4fc-65wf
dns_get_record() and other DNS functions don't have any null contain
check, which may lead to SSRF or unexpected behavior. While this
has a (low) security impact, no CVE ID was assigned for this
vulnerability yet.
For Debian 11 bullseye, these problems have been fixed in version
7.4.33-1+deb11u10.
We recommend that you upgrade your php7.4 packages.
For the detailed security status of php7.4 please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/php7.4
Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
signature.asc
Description: PGP signature
