Alpine: php81: security update to 8.1.32-r0

medium Tenable Cloud Security Plugin ID 421133

Description

There are packages installed that are affected by multiple vulnerabilities referenced in the following CVEs:

- In PHP from 8.1.* before 8.1.32, from 8.2.* before 8.2.28, from 8.3.* before 8.3.19, from 8.4.* before
8.4.5, when the HTTP request module parses an HTTP response obtained from a server, folded headers are parsed
incorrectly, which may lead to misinterpreting the response and using incorrect headers, MIME types, etc.
(CVE-2025-1217)

- In PHP from 8.1.* before 8.1.32, from 8.2.* before 8.2.28, from 8.3.* before 8.3.19, from 8.4.* before
8.4.5, when requesting an HTTP resource using the DOM or SimpleXML extensions, the wrong content-type
header is used to determine the charset when the requested resource performs a redirect. This may cause
the resulting document to be parsed incorrectly or bypass validations. (CVE-2025-1219)

- In PHP from 8.1.* before 8.1.32, from 8.2.* before 8.2.28, from 8.3.* before 8.3.19, from 8.4.* before
8.4.5, when receiving headers from an HTTP server, headers missing a colon (:) are treated as valid
headers even though they are not. This may confuse applications into accepting invalid headers.
(CVE-2025-1734)

- In PHP from 8.1.* before 8.1.32, from 8.2.* before 8.2.28, from 8.3.* before 8.3.19, from 8.4.* before
8.4.5, when user-supplied headers are sent, insufficient validation of the end-of-line characters may
prevent certain headers from being sent or lead to certain headers being misinterpreted. (CVE-2025-1736)

- In PHP from 8.1.* before 8.1.32, from 8.2.* before 8.2.28, from 8.3.* before 8.3.19, from 8.4.* before
8.4.5, when parsing an HTTP redirect in the response to an HTTP request, there is currently a limit on the
location value size, caused by the location buffer being limited to 1024. However, as per RFC 9110, the
limit is recommended to be 8000. This may lead to incorrect URL truncation and redirecting to a wrong
location. (CVE-2025-1861)

See Also

https://security.alpinelinux.org/vuln/CVE-2025-1217

https://security.alpinelinux.org/vuln/CVE-2025-1219

https://security.alpinelinux.org/vuln/CVE-2025-1734

https://security.alpinelinux.org/vuln/CVE-2025-1736

https://security.alpinelinux.org/vuln/CVE-2025-1861

Plugin Details

Severity: Medium

ID: 421133

Version: Revision 1.11

Type: Local

Published: 3/15/2025

Updated: 6/30/2026

Supported Sensors: Agentless Assessment, Tenable Cloud Security, Tenable Self-Hosted Container Security

Risk Information

VPR

Risk Factor: Medium

Score: 6.9

Percentile: 97.07

CVSS v2

Risk Factor: Critical

Base Score: 10

Temporal Score: 7.8

Vector: CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C

CVSS Score Source: CVE-2025-1861

CVSS v3

Risk Factor: Critical

Base Score: 9.8

Temporal Score: 8.8

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:P/RL:O/RC:C

CVSS v4

Risk Factor: Medium

Base Score: 6.3

Threat Score: 2.9

Threat Vector: CVSS:4.0/E:P

Vector: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N

Vulnerability Information

Exploit Available: true

Exploit Ease: Exploits are available

Vulnerability Publication Date: 3/12/2025

Reference Information

CVE: CVE-2025-1217, CVE-2025-1219, CVE-2025-1734, CVE-2025-1736, CVE-2025-1861