Backported CVE Fixes for ZendPHP 8.0.30.6, 7.4.33.10, 7.3.33.16, and 7.2.34.24

  • LibXML

    • Fixed GHSA-wg4p-4hqh-c3g9 (Reocurrence of #72714).
    • Fixed GHSA-p3x9-6h7p-cgfc (libxml streams use wrong content-type header when requesting a redirected resource). (CVE-2025-1219)

  • Streams

    • Fixed GHSA-hgf54-96fm-v528 (Stream HTTP wrapper header check might omit basic auth header). (CVE-2025-1736)
    • Fixed GHSA-52jp-hrpf-2jff (Stream HTTP wrapper truncate redirect location to 1024 bytes). (CVE-2025-1861)
    • Fixed GHSA-pcmh-g36c-qc44 (Streams HTTP wrapper does not fail for headers without colon). (CVE-2025-1734)
    • Fixed GHSA-v8xr-gpvj-cx9g (Header parser of http stream wrapper does not handle folded headers). (CVE-2025-1217)