The Zend Server Windows installer package contains cURL library version 8.4.0, which fixes CVE-2023-38545.
Zend Server Linux installations use the Linux distribution's packages for the curl library. Users should update their Linux packages to fix security issues. Please note that Ubuntu 18.04 and Debian 9 are EOL, and no publicly available fixes for the cURL CVE exist for these distributions.
Information about the IBM i fix has been issued earlier. Here is the copy of that notification:
Please follow these instructions to update the Zend Server 2019.1.4 PHP binaries (for the cURL CVE-2023-38545 fix).
Enter the commands below using the terminal shell:
Download the update file:
Extract the downloaded file to the filesystem root directory:
gzip -dc /HOME/QSECOFR/zend-server-2019.1.4-curl-8.4.0-pase.tar.gz|tar -x -C /
Restart the Zend Server Apache instance. Either use Zend Server tools on the green screen or enter the following terminal shell command:
PHP Information should display curl version 8.4.0 after this update.
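A scripted form of that final check, added here as an example and not part of Zend's tooling: it reads the libcurl version PHP is linked against and classifies it against the upstream range affected by CVE-2023-38545 (libcurl 7.69.0 through 8.3.0). It assumes a `php` CLI on the PATH (override with the hypothetical `PHP_BIN` variable); the function names and the `--check-php` switch are this example's own.

```shell
#!/bin/sh
# Added example: classify a libcurl version against CVE-2023-38545.
# Upstream affected range: 7.69.0 through 8.3.0; fixed in 8.4.0.

# Convert "MAJOR.MINOR.PATCH[-suffix]" into one comparable integer.
curl_ver_to_int() {
    v=${1%%[!0-9.]*}            # drop any suffix such as "-DEV"
    old_ifs=$IFS; IFS=.
    set -- $v                   # split on dots into $1 $2 $3
    IFS=$old_ifs
    echo $(( ${1:-0} * 1000000 + ${2:-0} * 1000 + ${3:-0} ))
}

# Prints "fixed", "affected" or "not-affected" (older than the bug).
classify_curl_38545() {
    n=$(curl_ver_to_int "$1")
    if [ "$n" -ge 8004000 ]; then echo fixed
    elif [ "$n" -ge 7069000 ]; then echo affected
    else echo not-affected
    fi
}

# Ask PHP which libcurl it is linked against (empty if ext/curl is absent).
php_linked_curl_version() {
    "${PHP_BIN:-php}" -r \
        'echo function_exists("curl_version") ? curl_version()["version"] : "";'
}

# Returns 0 when PHP's libcurl is outside the affected range, 1 when it is
# inside it, 2 when the version could not be determined.
check_php_curl() {
    ver=$(php_linked_curl_version) || return 2
    [ -n "$ver" ] || { echo "curl extension not loaded" >&2; return 2; }
    state=$(classify_curl_38545 "$ver")
    echo "libcurl $ver: $state"
    [ "$state" != affected ]
}

if [ "${1:-}" = "--check-php" ]; then
    check_php_curl
    exit $?
fi

# Offline demonstration on constructed sample version strings.
for sample in 8.4.0 8.3.0 7.69.0 7.68.0; do
    echo "$sample -> $(classify_curl_38545 "$sample")"
done
```

The version comparison is meaningful for the bundled Windows and IBM i binaries. On Linux, distribution packages can carry the fix under an older upstream version number, so there the package changelog decides, not this check.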
Contains only PHP and installer/packaging fixes/changes. No changes in Zend Server.
Backported PHP 220.127.116.11, 18.104.22.168, 22.214.171.124 CVE Fixes
Backported PHP 126.96.36.199, 188.8.131.52, 184.108.40.206 CVE Fixes
Backported PHP 220.127.116.11, 18.104.22.168, 22.214.171.124 CVE Fixes
Updated Apache v.2.4.57 in Zend Server Windows installation package
PHP fixes only.
PHP version 126.96.36.199, 188.8.131.52, 184.108.40.206 CVE fixes:
- Core:
  . Fixed bug #81744 (Password_verify() always return true with some hash). (CVE-2023-0567)
  . Fixed bug #81746 (1-byte array overrun in common path resolve code). (CVE-2023-0568)
- FPM:
  . Fixed bug GHSA-54hq-v5wp-fqgv (DOS vulnerability when parsing multipart request body). (CVE-2023-0662)
PHP version 220.127.116.11, 18.104.22.168, 22.214.171.124 CVE fixes:
- PDO/SQLite:
  . Fixed bug #81740 (PDO::quote() may return unquoted string). (CVE-2022-31631)
CVE Fixes for PHP versions: 126.96.36.199, 188.8.131.52, 184.108.40.206
CVE Fixes for PHP versions 220.127.116.11, 18.104.22.168, 22.214.171.124
Updates for version 2019.0.3
Zend Server 2019 now includes multiple versions of PHP:
For detailed installation instructions for all supported operating systems, please refer to the Zend Server 2019 Installation Guide.
Click here for specific IBM i notes.
When upgrading from a previously installed (and supported) version of Zend Server, Zend Server 2019 will automatically set the active version of PHP to correspond to the version of PHP that you've upgraded from:
Upgrades from Zend Server 9.0.X and earlier versions are not supported.
Note: When upgrading from a previous installation, the PHP configuration settings (php.ini) will only be migrated for the active PHP version. If you later change the version of PHP in the Zend Server 2019 UI, you will need to reconfigure any changes you may have made so that they also apply to the new version.
Limitations and Known Issues
The following issues are known at the time of the Zend Server 2019 release:
IBM i Specific Release Notes