Release Notes for Zend Server 2021

The list below provides the full release notes and changelog for Zend Server 2021.x.


Zend Server 2021.3.2 (August 2023)

Changes

- Added support for IBM i 7.5
- Backported PHP CVE fixes:

  PHP versions 7.1.33.21, 7.2.34.17, 7.3.33.9, 7.4.33.4 CVE fixes:

    • Libxml:
      • Fixed bug GHSA-3qrf-m4j2-pcrr (Security issue with external entity loading in XML without enabling it). (CVE-2023-3823)
    • Phar:
      • Fixed bug GHSA-jqcx-ccgc-xwhv (Buffer mismanagement in phar_dir_read()). (CVE-2023-3824)

  PHP versions 7.1.33.20, 7.2.34.16, 7.3.33.8, 7.4.33.3 CVE fix:

    • Soap:
      • Fixed bug GHSA-76gg-c692-v2mw (Missing error check and insufficient random bytes in HTTP Digest authentication for SOAP). (CVE-2023-3247)

  PHP versions 7.1.33.19, 7.2.34.15, 7.3.33.7 fix:

    • Intl:
      • Fixed bug #72809 (Locale::lookup() wrong result with canonicalize option).

- Windows package updates:
  • Apache 2.4.57

Zend Server 2021.3.1 (March 2023)

Backported PHP CVE fixes

PHP version 7.1.33.18, 7.2.34.14, 7.3.33.6, 7.4.33.2 CVE fixes:

- Core:
 . Fixed bug #81744 (Password_verify() always return true with some hash).
   (CVE-2023-0567) (Tim Düsterhus)
 . Fixed bug #81746 (1-byte array overrun in common path resolve code).
   (CVE-2023-0568) (Niels Dossche)

- FPM:
 . Fixed bug GHSA-54hq-v5wp-fqgv (DOS vulnerability when parsing multipart
   request body). (CVE-2023-0662) (Jakub Zelenka)

PHP version 7.1.33.17, 7.2.34.13, 7.3.33.5, 7.4.33.1 CVE fixes:

- PDO/SQLite:
 . Fixed bug #81740 (PDO::quote() may return unquoted string). (CVE-2022-31631)
   (cmb)

Windows Package Updates:

  • Apache 2.4.56 (also adds installation of the MS VS17 64-bit C++ redistributable)
  • OpenSSL 1.1.1t
  • cURL 7.88.1

Zend Server 2021.3.0 (November 2022)

Fixed:

  • JobQueue HTTPS requests failure on IBM i
  • Changed lighttpd configuration for HTTP/1.1 compatibility
  • JobQueue incorrect behavior during DST change
  • Zend Server RPM php-sources-zend-server packages missing PHP 7.1 sources

Updated:

  • Upgraded AngularJS to the latest perforce-angular 1.8.4 in Zend Server
  • Updated ZS2021.3.0 PHP versions: 7.1.33.16, 7.2.34.12, 7.3.33.4, 7.4.33

PHP CVE fixes in 7.2, 7.3, 7.4:

Hash:

  • Fixed bug #81738: buffer overflow in hash_update() on long parameter. (CVE-2022-37454) (nicky at mouha dot be)
  • (Applies to 7.4.33 ONLY) Fixed bug #81739: OOB read due to insufficient input validation in imageloadfont(). (CVE-2022-31630)

PHP CVE fixes (all supported versions):

- Core:
  . Fixed bug #81726: phar wrapper: DOS when using quine gzip file.
    (CVE-2022-31628).
  . Fixed bug #81727: Don't mangle HTTP variable names that clash with ones
    that have a specific semantic meaning. (CVE-2022-31629).

Zend Server 2021.2.0 (July 2022)

Fixed:

  • jobqueueAddJob output in JSON format (ZEND-2244)
  • ZendServer MonitorNode schema check with invalid version  (ZEND-2077)
  • Vhost attach functionality with Nginx (ZEND-2351)
  • Installation on RHEL8, apache php-fpm setup (ZEND-2454)
  • Removed php-fpm binary from IBM i package (ZEND-2369)
  • IBM i green screen ZS info page errors (ZEND-2166)
  • PHP version check failure on zpk install (ZEND-1961)
  • Unable to Save changes after switching GUI tabs in ZS Settings (ZEND-2249)
  • Change UI License Expiration information for IBM i (suggesting ZendPHP) (ZEND-1141)
  • ZDD lock issues (zend_deployment.detect_apps ignored) (ZEND-1952)
  • Application defining failures (ZEND-2291)

Updated:

  • PHP versions 7.1.33.15 (incl. TLSv1.2 support for mysql), 7.2.34.10, 7.3.33.2, 7.4.30. CVE fixes:

    - mysqlnd:
      . Fixed bug #81719: mysqlnd/pdo password buffer overflow. (CVE-2022-31626)
        (c dot fol at ambionics dot io)
    - pgsql:
      . Fixed bug #81720: Uninitialized array in pg_query_params().
        (CVE-2022-31625) (cmb)
  • IBM_DB2 extension v.2.1.5 for PHP v>=7.3 (not compatible with PHP 7.2) (ZEND-2172)
  • ssh2 extension v.1.3.1 (ZEND-2165)
  • PECL extensions updated: pdo_ibm v.1.4.2, imagick v.3.7.0 (Windows v.3.5.0), mongodb v.1.11.1, redis v.5.3.5
  • Windows: installer contains Apache 2.4.53, MS ODBC drivers v.17 (for sqlsrv ext), vcredist c++ 64 bit VS2017.
  • Linux: lighttpd v.1.4.64
  • ZendServerSDK v.1.2.1 (ZEND-2451)
  • PHPToolkit for IBM i v.1.9.1 (ZEND-2161)
  • AngularJS updated to the 1.8.2 Perforce release (ZEND-2423,2434)

Added:

  • webp support for gd extension, linux and IBM i (ZEND-2255,2084)
  • php-cli.sh shell script on IBM i for running PHP scripts from the green screen (ZEND-2374)
    Sample use:

    CALL PGM(QP2SHELL) PARM('/usr/local/zendphp74/bin/php-cli.sh' 'test.php')

    Script output is stored as a process print file; it is not displayed on the terminal screen.

  • IBM i support tool improvements - display created spool file location (ZEND-2167)

Other:

  • Windows installer - changed misleading message during upgrade (PHP version change) (ZEND-2230)

Extra notes:

  • Upgrade from 2019.x.x to 2021.2.0 on RHEL8.
    The upgrade may fail, reporting:

    Problem: cannot install the best update candidate for package liboci8-zend-11.2.0.4-8.x86_64

      - nothing provides libaio.so.1 needed by liboci8-zend-21.1.0.0-25.x86_64

    To recover from this situation, install the new version of the liboci8-zend package manually:

    sudo yum install -y liboci8-zend

    Then restart the upgrade sequence from, and including, the step that caused the error (re-run the repository installer or whichever other method you chose for the Zend Server upgrade).

Known problems (fix postponed):

  • php-fpm restart on Linux.
    Related to changing the PHP version through the GUI: php-fpm processes do not restart automatically.
    As a workaround, restart php-fpm manually from the console after switching the PHP version:

    sudo /usr/local/zend/bin/php-fpm.sh restart

  • JobQueue misbehavior during DST change (DST end in October).
    Jobs scheduled during the hour of the DST change are executed a large number of times.
    No known easy workaround. One option is to temporarily disable specific jobs for the specific DST change time period.

Zend Server 2021.1.2 (March 2022)

UPDATED to PHP 7.4.28

  • PHP 7.4.28: Fix #81708: UAF due to php_filter_float() failing for ints. Relevant for PHP 7.4 only (CVE-2021-21708)
  • Older PHP versions 7.1.33.12, 7.2.34.8 and 7.3.33 are updated and rebuilt with the latest timezone database.
  • For the IBM i build, the freetds library is updated to version 1.3.9
  • Windows installer update notification text change
  • Linux rpm repositories: Qt libraries package dependency fix for libicu.
  • Repository installer script displays the correct Zend Server Web UI port number (10101)

Zend Server 2021.1.1 (December 2021)

Updated PHP from 7.4.22 to 7.4.26

  • Core: Fixed bug #81518 (Header injection via default_mimetype / default_charset).
  • Date: Fixed bug #81500 (Interval serialization regression since 7.3.14 / 7.4.2).
  • MBString: Fixed bug #76167 (mbstring may use pointer from some previous request).
  • MySQLi: Fixed bug #81494 (Stopped unbuffered query does not throw error).
  • PCRE: Fixed bug #81424 (PCRE2 10.35 JIT performance regression).
  • Streams: Fixed bug #54340 (Memory corruption with user_filter).
  • XML: Fixed bug #79971 (special character is breaking the path in xml function). (CVE-2021-21707)

Updated PHP from 7.3.29 to 7.3.33

  • XML: Fix #79971: special character is breaking the path in xml function. (CVE-2021-21707)

Updated PHP from 7.2.34.4 to 7.2.34.8

  • Fix #79971: special character is breaking the path in xml function.

Updated PHP from 7.1.33.8 to 7.1.33.12

  • Fix #79971: special character is breaking the path in xml function.

Zend Server 2021.1.0 (September 2021)

  • Fixed Code Tracing that used a conflicting function flag value with PHP 7.4 when marking traceable PHP internal functions causing potential memory leaks. In addition, Code Tracing was including extra PHP internal functions in code traces that were not supposed to be there.
  • Added pdo_odbc extension for the IBM i build. This module conflicts with the ibm_db2, pdo_ibm and odbc extensions, so those modules MUST be disabled when pdo_odbc is in use; otherwise PHP will crash due to conflicting symbols from the dynamically loaded libodbc and libdb400 system libraries. Note also that the odbc extension (not pdo_odbc) is heavily modified in the Zend Server IBM i build: it is not functionally equal to the ZendPHP (community) variant, adds db2 features, and is linked to the libdb400 library instead of libodbc. It has been this way in Zend Server for a long time, and we are not changing that functionality now, to remain backwards compatible for customers who may be using the odbc extension to communicate with a db2 database. ZendPHP has no such modifications; it is the functionally different community variant.
  • ZSD automatically disables the ibm_db2, pdo_ibm and odbc extensions when the pdo_odbc extension is enabled from the GUI. The reverse also holds: when any of the ibm_db2, pdo_ibm or odbc extensions is enabled from the GUI, ZSD automatically disables pdo_odbc. A NOTICE message is written to the zsd.log file when this is done. This functionality exists to avoid the PHP crash explained in the previous bullet. It cannot resolve conflicts when extension .ini files are modified manually in the file system.
  • Fix the functionality to create zendadmin user during automated installation process on IBM i
  • Fix Zend Server directory access permissions on IBM i
  • Improve installation sequence on IBM i. Moved version message initialization logic out from nativelibrary package into zend-server package to avoid errors in nativelibrary install program and to fix version message content in case of ZS upgrades.
  • Improve ZS daemons startup logic, now all processes are in proper IBM "namespaces" after ZS restart from web GUI.
  • Improve nativelib-zendphp74 package installation scripts for upgrades (ZS subsystem stop/(re)start logic).
  • Improve uninstall script for IBM i to avoid uninstalling of ZendPHP when using automated uninstall script for Zend Server
  • Improve IBM i version detection in RepositoryInstaller script.
  • Fix/improve gd extension on linux (PHP 7.1, 7.2, 7.3) and IBM i (PHP 7.2, 7.3) builds to support FreeType formats.
  • Update qt version to 5.12.11 (old 5.12.6)
  • Update PHP versions to 7.1.33.8, 7.2.34.4, 7.3.29, 7.4.22
  • Updated libpng from 1.6.32 to 1.6.37 on Windows. This eliminates CVE-2019-7317 (http://www.libpng.org/pub/png/libpng.html)
  • Fix in the IBM i ZS2021.1 installer so that an incorrect "INVALID_LICENSE" message is not generated with a side-by-side install.
  • Fix warnings in log files on the Windows platform caused by bad formatting in install-time SQL scripts.
  • Updated Oracle OCI libraries on the Linux platform. x64 now uses v21.1, ppc64 uses 19.3.
  • Updated sqlsrv version to 5.9.0 for PHP 7.3 and 7.4 on Linux.
  • Updated ibm_db2 extension version to 2.1.3
  • Updated paragonie/random_compat from 2.0.17 to 9.99.99
  • Updated psr/log from 1.0.2 to 1.1.4
  • Updated symfony/polyfill-mbstring from 1.8.0 to 1.23.1
  • Updated zendframework/zend-authentication from 2.6.0 to 2.7.0
  • Updated zendframework/zend-barcode from 2.7.0 to 2.8.0
  • Updated zendframework/zend-cache from 2.8.2 to 2.9.0
  • Updated zendframework/zend-captcha from 2.8.0 to 2.9.0
  • Updated zendframework/zend-code from 3.3.0 to 3.4.1
  • Updated zendframework/zend-component-installer from 2.1.1 to 2.1.2
  • Updated zendframework/zend-console from 2.7.0 to 2.8.0
  • Updated zendframework/zend-crypt from 3.3.0 to 3.3.1
  • Updated zendframework/zend-db from 2.9.3 to 2.11.0
  • Updated zendframework/zend-diactoros from 1.8.2 to 1.8.7
  • Updated zendframework/zend-dom from 2.7.1 to 2.7.2
  • Updated zendframework/zend-escaper from 2.6.0 to 2.6.1
  • Updated zendframework/zend-feed from 2.10.2 to 2.12.0
  • Updated zendframework/zend-file from 2.8.1 to 2.8.3
  • Updated zendframework/zend-filter from 2.8.0 to 2.9.2
  • Updated zendframework/zend-form from 2.12.0 to 2.14.3
  • Updated zendframework/zend-http from 2.8.0 to 2.11.2
  • Updated zendframework/zend-hydrator from 2.4.0 to 2.4.2
  • Updated zendframework/zend-i18n from 2.9.0 to 2.10.1
  • Updated zendframework/zend-i18n-resources from 2.6.0 to 2.6.1
  • Updated zendframework/zend-inputfilter from 2.8.2 to 2.10.1
  • Updated zendframework/zend-json from 3.1.0 to 3.1.2
  • Updated zendframework/zend-json-server from 3.1.0 to 3.2.0
  • Updated zendframework/zend-ldap from 2.10.0 to 2.10.1
  • Updated zendframework/zend-loader from 2.6.0 to 2.6.1
  • Updated zendframework/zend-log from 2.10.0 to 2.12.0
  • Updated zendframework/zend-math from 3.1.1 to 3.2.0
  • Updated zendframework/zend-memory from 2.6.0 to 2.6.1
  • Updated zendframework/zend-mime from 2.7.1 to 2.7.2
  • Updated zendframework/zend-modulemanager from 2.8.2 to 2.8.4
  • Updated zendframework/zend-mvc-i18n from 1.1.0 to 1.1.1
  • Updated zendframework/zend-mvc-plugin-flashmessenger from 1.1.0 to 1.2.0
  • Updated zendframework/zend-mvc-plugin-identity from 1.1.0 to 1.1.1
  • Updated zendframework/zend-mvc-plugin-prg from 1.1.0 to 1.2.0
  • Updated zendframework/zend-navigation from 2.9.0 to 2.9.1
  • Updated zendframework/zend-paginator from 2.8.1 to 2.8.2
  • Updated zendframework/zend-permissions-acl from 2.7.0 to 2.7.1
  • Updated zendframework/zend-progressbar from 2.6.0 to 2.7.0
  • Updated zendframework/zend-router from 3.1.0 to 3.3.0
  • Updated zendframework/zend-serializer from 2.9.0 to 2.9.1
  • Updated zendframework/zend-server from 2.8.0 to 2.8.1
  • Updated zendframework/zend-servicemanager from 3.3.2 to 3.4.0
  • Updated zendframework/zend-servicemanager-di from 1.2.0 to 1.2.1
  • Updated zendframework/zend-session from 2.8.5 to 2.9.1
  • Updated zendframework/zend-soap from 2.7.0 to 2.8.0
  • Updated zendframework/zend-stdlib from 3.2.0 to 3.2.1
  • Updated zendframework/zend-tag from 2.7.0 to 2.7.1
  • Updated zendframework/zend-text from 2.7.0 to 2.7.1
  • Updated zendframework/zend-uri from 2.6.1 to 2.7.1
  • Updated zendframework/zend-validator from 2.10.2 to 2.13.0
  • Updated zendframework/zend-view from 2.10.0 to 2.11.4
  • Updated zendframework/zend-xml2json from 3.1.1 to 3.1.2
  • Updated zendframework/zend-xmlrpc from 2.7.0 to 2.9.0
  • Updated zendframework/zendxml from 1.1.0 to 1.2.0
  • Removed jquery-minicolors
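
An added example, not part of the Zend release notes and not Zend's own tooling: since ZSD cannot catch the pdo_odbc conflict described in this release when extension .ini files are edited by hand, the check below scans an ini directory for extensions enabled alongside pdo_odbc. The directory layout (a folder of *.ini files using PHP's extension= directive with .so modules) and all function names are assumptions.

```python
import re
import tempfile
from pathlib import Path

# Extensions the release note says must be disabled while pdo_odbc is in use.
CONFLICTS_WITH_PDO_ODBC = {"ibm_db2", "pdo_ibm", "odbc"}

# Active "extension=" directive; ';'-commented lines and zend_extension= do not match.
EXT_LINE = re.compile(r'^\s*extension\s*=\s*"?([^";\s]+)', re.IGNORECASE)


def enabled_extensions(ini_dir):
    """Map each enabled extension name to the ini files that load it."""
    found = {}
    for ini in sorted(Path(ini_dir).glob("*.ini")):
        for line in ini.read_text(errors="replace").splitlines():
            match = EXT_LINE.match(line)
            if not match:
                continue
            # Normalise "/some/dir/pdo_odbc.so" or "pdo_odbc.so" to "pdo_odbc".
            name = re.sub(r"\.so$", "", Path(match.group(1)).name).lower()
            found.setdefault(name, []).append(ini.name)
    return found


def pdo_odbc_conflicts(ini_dir):
    """Return sorted (extension, ini file) pairs enabled alongside pdo_odbc."""
    enabled = enabled_extensions(ini_dir)
    if "pdo_odbc" not in enabled:
        return []
    return sorted(
        (ext, ini_name)
        for ext in CONFLICTS_WITH_PDO_ODBC & set(enabled)
        for ini_name in enabled[ext]
    )


if __name__ == "__main__":
    # Constructed sample: pdo_odbc enabled, ibm_db2 commented out, odbc left on by hand.
    with tempfile.TemporaryDirectory() as sample:
        Path(sample, "pdo_odbc.ini").write_text("extension=pdo_odbc.so\n")
        Path(sample, "ibm_db2.ini").write_text(";extension=ibm_db2.so\n")
        Path(sample, "odbc.ini").write_text("extension=odbc.so\n")
        for ext, ini_name in pdo_odbc_conflicts(sample):
            print(f"CONFLICT: {ext} enabled in {ini_name} while pdo_odbc is loaded")
```

An empty result means either pdo_odbc is not enabled or none of the three conflicting extensions is active in that directory.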

Zend Server 2021 (May 2021)

Additions

  • Adds support for PHP 7.4, shipping 7.4.16.
  • New extensions available for Linux: pdo_oci, sqlsrv, and sodium; ffi is available when using PHP 7.4
  • Supported platforms:
    • CentOS/RHEL 7.7 and 8 (both Linux and Power 8)
    • Ubuntu 18.04 and 20.04
    • Debian 9 and 10
    • IBM i 7.2, 7.3, and 7.4
    • Windows Server 2016 and 2019
  • Redis extension directives are now available in the Zend Server GUI
  • Implemented the functionality to suspend/resume individual JobQueue queues using API commands suspendQueue() and resumeQueue()
  • Implemented the functionality to suspend/resume multiple JobQueue queues using API commands suspendQueues() and resumeQueues()
  • SELinux additional settings for Power8 and x86 architecture - to fix failures on bootstrap and process restarts
  • Users can now customize the command for restarting the web server via the zend_utils.restart_cmd directive
  • Adds support for configuring the mbstring mbstring.regex_stack_limit setting in the Admin GUI.
  • Adds support for configuring the opcache.preload directive (PHP versions >= 7.2) in the Admin GUI.

Updates

  • Updates core dependencies used by Zend Server.
  • Updates ibm_db2 extensions to 2.1.2
  • Updates XDebug to 2.9.8
  • PHPToolkitForIBMi updated to version 1.8.3.
  • ZendServerSDK updated to 1.1.7.
  • ZS WebAPI token-based access is now idempotent.
  • Update Symfony Z-Ray plugin to version 1.0.6.
  • Enhanced log messages during Zend Server install to be more specific about whether the Zend Server installation failed or only the Web Server configuration failed.

Changes and Removals

  • ZendGlobalDirectives.ini file moves from /etc/conf.d/ to /etc/ directory
  • IBM i: denies access to web.config and .htaccess files by default

Fixes

General

  • Updated vhost configuration template for Nginx-based installs so that the proper vhost URL is selectable during both App definition and deployment.
  • PHP extension directives support compatibility and visibility attributes
  • Vhost no longer goes to an erroneous "Pending restart" state after app upgrade with hot deployment
  • Fixed applying a new Zend Server license when the previous one was expired
  • Fix bootstrap error message

UI

  • Showing error message when log file is not readable
  • Timezone detection removed, using configured value

IBM i

  • Detecting IBM i os400 properly
  • Fixed broken help link in the Deploy application popup on IBM i
  • Fixed "ZRay is activated in production profile on IBMi"
  • Power 8 fixes - PHP patch and improved build options.

ZSD

  • Fixed ZSD that failed to update the blueprint when discovering new PHP extensions
  • Fixed ZSD that picked up directives from inactive PHP versions when creating the blueprint
  • Fixed ZSD that picked up modified directives from an inactive PHP version
  • Fixed ZSD that failed to start up if there were errors in the zend_extensions_map.json file

Zend Monitor

  • PHP version switch audit trail status message
  • Fixed segfaulting of ZendMonitor extension when privacy filter was being applied to $_SERVER superglobal
  • Fixed Buffer Overflow error in Zend Monitor caused by a large number of socket descriptors

ZRay

  • Fixed a ZRay crash caused by closures in PHP code
  • Fixed a potential crash in the ZRay caused by an infinite loop when a ZRay extension added storage lines
  • Fixed ZRay that modified an internal PHP structure that it was not supposed to modify
  • Fixed ZRay that failed to collect PHP local variables

Known Issues

  • When you upgrade Zend Server on Windows, the installer leaves an extra entry under “Programs and Features” page, referencing the former version. If you uninstall Zend Server later, the extra entry will remain on the list of installed programs and cannot be removed by running the “uninstall” action. To manually remove the extra entry, you can edit the registry, search for “Zend Server” under registry keys “HKLM:\Software\Microsoft\Windows\CurrentVersion\Uninstall” and “HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall”, then remove the key holding the uninstall data. For any questions or concerns, please contact Zend Server support.