Welcome to Centmin Mod Community
Register Now

Security PHP 8.5.8, 8.4.23, 8.3.32, 8.2.32 Security Updates + EOL PHP 7.2-8.1 Backports

Discussion in 'Centmin Mod News' started by eva2000, Jul 11, 2026 at 1:48 AM.

Thread Status:
Not open for further replies.
  1. eva2000

    eva2000 Administrator Staff Member

    59,159
    12,507
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +19,139
    Local Time:
    7:11 PM
    Nginx 1.31.x
    MariaDB 10.x/11.4+/12.3+
    PHP has released security updates for PHP 8.5.8, 8.4.23, 8.3.32, and 8.2.32 (CVE-2026-14355). Centmin Mod has backported relevant security fixes for EOL PHP 7.2/7.3/7.4/8.0/8.1 versions. Note PHP 8.1 branch is now end of life, so PHP 8.1.34 joins the Centmin Mod backported security patch lineup for the first time. For Centmin Mod 132.00stable, 140.00beta01 and 141.00beta01, you can update to those versions if you haven't already. And if you're already on Centmin Mod 132.00stable, 140.00beta01 or 141.00beta01, you can pull this latest update to your server via cmupdate command. Note, 141.00beta01 is currently for EL10 - AlmaLinux 10 development tests right now.


    Ensure that you run cmupdate command to update your Centmin Mod local server code BEFORE you run the centmin.sh menu option 5 to update their PHP versions.

    Security Vulnerabilities Fixed

    CVE/Advisory | Severity | Component | Description
    • CVE-2026-14355 | High | openssl_encrypt() | Memory corruption (zend_mm_heap corrupted) / heap buffer overflow in openssl_encrypt() when using AES-WRAP-PAD (RFC 5649 key wrap with padding) ciphers. Could cause crashes or memory corruption in the PHP process. Fixed upstream in PHP 8.5.8, 8.4.23, 8.3.32 and 8.2.32 (GH-22186 / GH-22187).
    In addition to CVE-2026-14355, this Centmin Mod update also catches the EOL PHP backport patch sets up on the earlier 2026 security fixes where they were previously missing for a given EOL PHP version:

    CVE/Advisory | Component | Description | Backported To
    • CVE-2026-7258 | Multiple components | Wide-ranging locale-handling hardening fix touching the Zend engine, streams, and many bundled extensions | PHP 7.4, 8.0, 8.1
    • CVE-2026-7568 | metaphone() | Fix in ext/standard/metaphone.c (GHSA-96wq-48vp-hh57) | PHP 7.2, 7.3, 7.4, 8.0, 8.1
    • CVE-2026-7259 | mbstring | Fix in mb_ereg regex handling (GHSA-wm6j-2649-pv75) | PHP 8.0, 8.1
    • CVE-2026-6735 | PHP-FPM | XSS within FPM status endpoint (GHSA-7qg2-v9fj-4mwv) | PHP 7.2, 7.3, 7.4, 8.0, 8.1
    • CVE-2026-6722 | SOAP | Fix in ext/soap encoding (GHSA-85c2-q967-79q5) | PHP 7.2, 7.3, 7.4, 8.0, 8.1
    • CVE-2026-7261 | SOAP | Fix in ext/soap (GHSA-m33r-qmcv-p97q) | PHP 7.2, 7.3, 7.4, 8.0, 8.1
    • CVE-2026-7262 | SOAP | Fix in ext/soap encoding (GHSA-hmxp-6pc4-f3vv) | PHP 7.2, 7.3, 7.4, 8.0, 8.1
    • CVE-2025-14179 | PDO Firebird | Fix in pdo_firebird driver (GHSA-w476-322c-wpvm) | PHP 8.0, 8.1
    • CVE-2025-14178 | array_merge() | Heap buffer overflow when merging arrays with combined element count exceeding 32-bit limit (GHSA-h96m-rvf9-jgm2) | PHP 7.2, 7.3
    PHP Releases
    • PHP 8.5.8 - latest newest PHP 8.5 minor version. Only supported in Centmin Mod 141.00beta01.
    • PHP 8.4.23 - latest newest PHP 8.4 minor version. Only supported in Centmin Mod 141.00beta01.
    • PHP 8.3.32 - latest newest PHP 8.3 minor version. Supported in Centmin Mod 132.00stable, 140.00beta01 and 141.00beta01.
    • PHP 8.2.32 - latest newest PHP 8.2 minor version.
    • PHP 8.1.34 - last release in PHP 8.1 branch which is now end of life - no more bug fixes or security updates. If you're still using PHP 8.1.34, run cmupdate and re-run centmin.sh menu option 5 to recompile PHP 8.1.34 with backported security patch fixes.
    • PHP 8.0.30 - last release in PHP 8.0 branch which is end of life. If you're still using PHP 8.0.30, run cmupdate and re-run centmin.sh menu option 5 to recompile PHP 8.0.30 with backported security patch fixes.
    • PHP 7.4.33 - last release in PHP 7.4 branch which is end of life. If you're still using PHP 7.4.33, run cmupdate and re-run centmin.sh menu option 5 to recompile PHP 7.4.33 with backported security patch fixes.
    • PHP 7.3.33 / 7.2.34 - last releases in the end of life PHP 7.3/7.2 branches. If you're still using them, run cmupdate and re-run centmin.sh menu option 5 to recompile with backported security patch fixes.
    • PHP 8.1.34, 8.0.30, 7.4.33, 7.3.33 and 7.2.34 are EOL as security and maintenance updates have ended. However, I have backported PHP 8.2.32+ security fixes to PHP 7.2, 7.3, 7.4, 8.0 and 8.1 branches for Centmin Mod 132.00stable, 140.00beta01 and 141.00beta01 branches.
    Who Is Affected?

    You need to take action if you are running any PHP version older than the patched releases:

    PHP Branch | Vulnerable Versions | Patched Version
    • PHP 7.2 | All 7.2.x (EOL) | 7.2.34 + Centmin Mod backport
    • PHP 7.3 | All 7.3.x (EOL) | 7.3.33 + Centmin Mod backport
    • PHP 7.4 | All 7.4.x (EOL) | 7.4.33 + Centmin Mod backport
    • PHP 8.0 | All 8.0.x (EOL) | 8.0.30 + Centmin Mod backport
    • PHP 8.1 | All 8.1.x (EOL) | 8.1.34 + Centmin Mod backport
    • PHP 8.2 | 8.2.31 and earlier | 8.2.32
    • PHP 8.3 | 8.3.31 and earlier | 8.3.32
    • PHP 8.4 | 8.4.22 and earlier | 8.4.23
    • PHP 8.5 | 8.5.7 and earlier | 8.5.8
    PHP Change logs
    Updating PHP On Centmin Mod LEMP Stacks
    • If you're on Centmin Mod 130.00beta01 or older and want PHP 7.4, 8.0, 8.1, 8.2, 8.3, 8.4 or 8.5 support, you will need to update your server from Centmin Mod 130.00beta01 to either 132.00stable, 140.00beta01 or 141.00beta01 first.
    • For Centmin Mod 132.00stable, 140.00beta01 or 141.00beta01, first update to latest version code via SSH command = cmupdate (same equivalent to centmin.sh menu option 23 submenu option 2 method). Then run centmin.sh menu option 5 to update to either PHP versions 8.5.8, 8.4.23, 8.3.32, 8.2.32 or recompile PHP 8.1.34/8.0.30/7.4.33/7.3.33/7.2.34 with backported security patches.
    Centmin Mod Branch PHP Version Support

    Centmin Mod Branch | Maximum PHP Version Supported
    • 132.00stable | PHP 8.3.32
    • 140.00beta01 | PHP 8.3.32
    • 141.00beta01 | PHP 8.5.8
    Recommended Actions

    Option 1: Recompile Current PHP Version (Minimum)

    If your web applications require PHP 7.2, 7.3, 7.4, 8.0 or 8.1:
    Code (Text):
    cmupdate
    centmin

    Select menu option 5 to recompile PHP 7.2.34, 7.3.33, 7.4.33, 8.0.30 or 8.1.34 with the security patches applied.
    Option 2: Upgrade to a Supported PHP Version (Recommended)

    PHP 7.2, 7.3, 7.4, 8.0 and 8.1 are end of life and will continue to accumulate unpatched vulnerabilities. Upgrading to a supported version is strongly recommended if your applications support it.
    Code (Text):
    cmupdate
    centmin

    Select menu option 5 and choose a newer PHP version. Before upgrading, verify your web applications (WordPress, Xenforo, Laravel, etc.) support your target PHP version.
    Security Advisory References
    PHP-FPM Upgrade Issues

    If you have issues with PHP-FPM upgrades via Centmin Mod centmin.sh menu option 5, check your PHP upgrade logs for details https://community.centminmod.com/threads/how-to-troubleshoot-php-installs-upgrades.17857/
     
Thread Status:
Not open for further replies.