Zend Server Release Notes | Zend by Perforce

2021.4.2

April 2025

Maintenance release, fixing CVE security issues for PHP.

Backported PHP CVE fixes

PHP version 7.4.33.10, 7.3.33.16, 7.2.34.24, 7.1.33.26 CVE fixes
LibXML
- Fixed GHSA-wg4p-4hqh-c3g9 (Reocurrence of #72714)
- Fixed GHSA-p3x9-6h7p-cgfc: libxml streams use

2021.4.1

January 2025

Maintenance release, fixing CVE security issues for PHP.

Backported PHP CVE fixes

PHP version 7.1.33.25, 7.2.34.21, 7.3.33.13, 7.4.33.8 CVE fixes
CLI
- Fixed bug GHSA-4w77-75f9-2c8w: Heap-Use-After-Free in sapi_read_post_data Processing in CLI SAPI

2021.4.0

November 2024

Deprecated support for IBM i v7r2 due to openssl 1.1.1 deprecation by IBM. All IBM i >= v7r3 must use at least OSS base 7.3 to be able to install/upgrade.

Fixed

Zend Server Z-Ray Database Queries failed to update placeholder value bindings in queries

2019.1.7

June 2024

Contains only PHP security fixes and updated apache, lighttpd, curl, openssl components. No changes in Zend Server

Backported PHP CVE fixes

PHP version 7.1.33.23, 7.2.34.19, 7.3.33.11 CVE fixes
- CGI
  - Fixed bug GHSA-3qgc-jrrr-25jv: Bypass of CVE-2012

2021.3.5

June 2024

Contains only PHP security fixes and updated apache, lighttpd, curl, openssl components. No changes in Zend Server

Backported PHP CVE fixes

PHP version 7.1.33.23, 7.2.34.19, 7.3.33.11, 7.4.33.6 CVE fixes
- CGI
  - Fixed bug GHSA-3qgc-jrrr-25jv: Bypass of

2019.1.6

May 2024

Contains only PHP and installer/packaging fixes/changes.

Backported PHP CVE fixes:

PHP version 7.1.33.22, 7.2.34.18, 7.3.33.10 CVE fixes:
- Standard:
  - Fixed bug GHSA-wpj3-hf5j-x4v4: __Host-/__Secure- cookie bypass due to partial CVE-2022-31629 fix. (CVE

2021.3.4

April 2024

Contains only PHP and installer/packaging fixes/changes.

Added

Adds support for Rocky Linux 8 (x68_64 only)
- ZS Repository Installer script updated to allow usage with Rocky Linux 8.

Backported PHP CVE fixes

PHP version 7.1.33.22, 7.2.34.18, 7.3.33

2019.1.5

October 2023

Security Updates

cURL update to 8.4.0; Windows release only.
IBM i users can download a patched version of cURL here: https://downloads.zend.com/zendserver/2019.1.4/zend-server-2019.1.4-curl-8.4.0-pase.tar.gz

2021.3.3

October 2023

Security Updates

cURL updated to 8.4.0; Windows release only.

2019.1.4

August 2023

Contains only PHP and installer/packaging fixes/changes; no changes in Zend Server.

Backported PHP 7.1.33.21, 7.2.34.17, 7.3.33.9 CVE Fixes

Libxml: Fixed bug GHSA-3qrf-m4j2-pcrr (Security issue with external entity loading in XML without enabling it).