Updates for Zend Server 8.5.20 (November 2022)

PHP update to PHP 5.6.40.17

  • Core:
    • Fixed bug #81726: phar wrapper: DOS when using quine gzip file (CVE-2022-31628).
    • Fixed bug #81727: Don't mangle HTTP variable names that clash with ones that have a specific semantic meaning (CVE-2022-31629).

Updates for Version 8.5.19 (August 2022)

PHP update to PHP version 5.6.40.16.

CVE fixes:

  • mysqlnd:
    • Fixed bug #81719: mysqlnd/pdo password buffer overflow. (CVE-2022-31626)
  • pgsql:
    • Fixed bug #81720: Uninitialized array in pg_query_params(). (CVE-2022-31625)

Updates for version 8.5.17

  • Alternative fix for bug #77423 (CVE-2020-7071)
  • Fix bug #80672 - Null Dereference in SoapClient (CVE-2021-21702)

Updates for version 8.5.16

  • Fix for CVE-2020-7071: PHP will accept a URL with an invalid password as a valid URL

Updates for version 8.5.15

  • ext pgsql:
    • Fixed failing test
  • SAPI FPM:
    • Fix bug #78599 (env_path_info underflow can lead to RCE) (CVE-2019-11043)
  • ext Fileinfo:
    • Fix libmagic buffer overflow issue (CVE-2019-18218)

Updates for version 8.5.14

  • Fix #75457: heap-use-after-free in php7.0.25
  • Fix CVE-2019-13224: don't allow different encodings for onig_new_deluxe()
  • Fix #77919: Potential UAF in Phar RSHUTDOWN
  • Clean up in case phar_flush() is failing
  • Fix bug #78256 (heap-buffer-overflow on exif_process_user_comment)
  • Fix bug #78222 (heap-buffer-overflow on exif_scan_thumbnail)
  • Fix test data
  • Fix bug #77967 - Bypassing open_basedir restrictions via file uris
  • Fix bug #77988 - heap-buffer-overflow on php_jpg_get16
  • Fix bug #78069 Out-of-bounds read in iconv.c:_php_iconv_mime_decode() due to integer overflow
  • Fix #77973 - Uninitialized read in gdImageCreateFromXbm
  • Fix bug #77950 - Heap-buffer-overflow in _estrndup via exif_process_IFD_TAG

Updates for version 8.5.13

  • Exif:
    • Fixed integer overflows on 32-bits. 
    • Fixed bug #77540 (Invalid Read on exif_process_SOFn). 
    • Fixed bug #77563 (Uninitialized read in exif_process_IFD_in_MAKERNOTE).
    • Also fixes bug #77659. 
    • Fixed bug #77753 (Heap-buffer-overflow in php_ifd_get32s). 
    • Fixed bug #77831 (Heap-buffer-overflow in exif_iif_add_value in EXIF). 
    • Fixed illegal arithmetic on void pointers. 
    • Fixed bug #77950 (Heap-buffer-overflow in _estrndup via exif_process_IFD_TAG). 
  • Mbstring:
    • Implemented RF bug #72777. 
  • Phar:
    • Fixed bug #77396 (Null Pointer Dereference in phar_create_or_parse_filename). 
    • Fixed bug #77586 (phar_tar_writeheaders_int() buffer overflow). 
  • SPL:
    • Fixed bug #77431 (SplFileInfo::__construct() accepts NUL bytes). 
  • Sqlite3:
    • Added DEFENSIVE config for SQLite >= 3.26.0 as a mitigation strategy against potential security flaws. 

Updates for version 8.5.12

  • Updated to PHP 5.6.40 (last php.net release): 
    • Core
      • Fixed bug #77231 (Segfault when using convert.quoted-printable-encode filter).
    • GD
      • Fixed bug #77269 (efree() on uninitialized Heap data in imagescale leads to use-after-free). (CVE-2016-10166)
      • Fixed bug #77270 (imagecolormatch Out Of Bounds Write on Heap). (CVE-2019-6977)
    • IMAP
      • Fixed bug #77020 (null pointer dereference in imap_mail).
      • Fixed bug #77153 (imap_open allows to run arbitrary shell commands via mailbox parameter). (CVE-2018-19518)
    • Mbstring
      • Fixed bug #77370 (Buffer overflow on mb regex functions - fetch_token). (CVE-2019-9023)
      • Fixed bug #77371 (heap buffer overflow in mb regex functions - compile_string_node). (CVE-2019-9023)
      • Fixed bug #77381 (heap buffer overflow in multibyte match_at). (CVE-2019-9023)
      • Fixed bug #77382 (heap buffer overflow due to incorrect length in expand_case_fold_string). (CVE-2019-9023)
      • Fixed bug #77385 (buffer overflow in fetch_token). (CVE-2019-9023)
      • Fixed bug #77394 (Buffer overflow in multibyte case folding - unicode). (CVE-2019-9023)
      • Fixed bug #77418 (Heap overflow in utf32be_mbc_to_code). (CVE-2019-9023)
    • Phar
      • Fixed bug #77247 (heap buffer overflow in phar_detect_phar_fname_ext). (CVE-2019-9021)
      • Fixed bug #77022 (PharData always creates new files with mode 0666).
      • Fixed bug #77143 (Heap Buffer Overflow (READ: 4) in phar_parse_pharfile). (CVE-2018-20783)
    • Xmlrpc
      • Fixed bug #77242 (heap out of bounds read in xmlrpc_decode()). (CVE-2019-9020)
      • Fixed bug #77380 (Global out of bounds read in xmlrpc base64 code). (CVE-2019-9024)

Updates for version 8.5.11

  • Updated to PHP 5.6.38:
    • Exif: Integer overflow leads to heap overflow in exif_thumbnail_extract of exif.c (CVE-2018-14883)
    • Exif: heap-buffer-overflow (READ of size 48) while reading exif data (CVE-2018-14851)
    • Win32: Windows linkinfo lacks open_basedir check (CVE-2018-15132)

Updates for version 8.5.10

  • PHP 5.6.36 http://www.php.net/ChangeLog-5.php#5.6.36

  • CVEs included since Zend Server 8.5.9 / PHP 5.6.34:
    • FPM: Fixed bug #75605 (Dumpable FPM child processes allow bypassing opcache access controls). (CVE-2018-10545)
    • iconv: Fixed bug #76249 (stream filter convert.iconv leads to infinite loop on invalid sequence). (CVE-2018-10546)
    • Phar: Fixed bug #76129 (fix for CVE-2018-5712 may not be complete). (CVE-2018-10547)
    • LDAP: Fixed bug #76248 (Malicious LDAP-Server Response causes Crash). (CVE-2018-10548)
    • Exif: Fixed bug #76130 (Heap Buffer Overflow (READ: 1786) in exif_iif_add_value). (CVE-2018-10549)
  • Main Zend Server fixes:
    • PHP memory exhausted and Apache segfault (ZSR-1111)
    • Cross-Site Scripting vulnerabilities in Zend Debugger (ZSR-2446)
    • Jobs aren't executed at accurate scheduled time (ZSR-1993)
    • IBM DB2 pconnect issue (ZSR-2008)
    • Apache segfaults with Data Cache (ZSR-2132)
    • Segfaults with Zend Statistics component (ZSR-2143)
    • Z-Ray Selective mode is not available for Dev Enterprise edition (ZSR-2202)
    • Job Queue Daemon is crashing (ZSR-2229)

Installation

  • Zend Server 8.5 supports both new installations and upgrades from Zend Server 6.x, 7.x and 8.0 versions. Upgrading from a version prior to Zend Server 6.0 is not supported. If you would like to upgrade a Zend Server that's older than 6.0, you should first upgrade to a newer version and only then upgrade to 8.5.

  • For Linux users, we recommend installing a new Zend Server, or upgrading an existing installation, using the supplied Repository Installer script. The script ensures that the correct repositories are set, verifies system requirements and issues the correct package management commands to set Zend Server up properly. While it's still possible to install Zend Server by manually setting up repositories, we advise always using the installation script.
  • For detailed installation instructions for all supported operating systems, please refer to the Zend Server Installation Guide. For a full list of system requirements, see the Zend Server System Requirements.
  • If you previously installed Zend Guard Loader on your Zend Server 8.0.2, then after updating your installation with this package you will need to open the opcache.ini (Linux/Mac) or php.ini (Windows) file and comment out the line loading the Zend Guard Loader extension (zend_extension=""). Then, enable the extension via the Zend Server UI Components page and restart Zend Server.

Limitations and Known Issues

The following issues are known at the time of the 8.0 release:


General

  • Zend Server cannot communicate with MySQL databases that are configured with old_passwords=1 (ZSRV-8104)
  • Cluster DB user password length is limited to a maximum of 32 characters (ZSR-1239)
  • Zend Server cannot join cluster if MySQL is configured for ANSI mode (ZSRV-14477)
  • Misconfiguring LDAP authentication can result in the user being locked out of their Zend Server console. If this occurs, reset your Zend Server password. For more information, see the Zend Server User Guide.
  • On CentOS/RHEL 7, when the SELinux-related packages are updated as part of our installation, the SELinux commands don't function. The solution is to work with an updated CentOS/RHEL 7 machine.
  • Session Clustering does not support value=6 for the php.ini directive session.hash_bits_per_character (the Zend Server UI does not currently warn about this issue).
  • Nginx Deployment: deploying to the root of the default virtual host does not work out-of-the-box and causes configuration problems (ZSRV-10098). Workaround: comment out the location / entry in /etc/nginx/conf.d/default.conf

         #location / {
         # include /etc/nginx/fastcgi.conf;
         #
         # root /usr/share/nginx/html;
         #
         # index index.php index.html index.htm;
         # }
     
  • No support for nginx on SELinux
  • CentOS 6: after upgrading OpenSSL to 1.0.1, curl still doesn't work with TLS 1.1/1.2 due to the local libcurl (ZSRV-15297)
  • Zend Debugger causes a fatal error when a phar file is debugged (ZSRV-14518)


Z-Ray

  • Z-Ray now supports Selective Mode for the Developer Enterprise edition
  • Z-Ray might be blocked by the browser's Content Security Policy (e.g. phpMyAdmin on Firefox)
  • Specific configuration is required in order for Z-Ray to collect and display data on HTTPS requests in Windows with IIS and on IBM i
  • Load balancer configuration is required for Z-Ray to be displayed:
    • An accessible ZS GUI address must be set
    • The Load Balancer IP address must be included in the Z-Ray allowed IPs list (token)
  • Z-Ray should not be included or enabled in a performance testing context (e.g. in AB testing)
  • Z-Ray currently supports the following database drivers: PDO, MySQL/i, OCI8, MS SQL, PostgreSQL, SQLite and DB2
  • Z-Ray is not collecting information and is not visible when executing encoded files


Upgrade & Installation Related

  • When upgrading PHP major versions (e.g. PHP 5.5 -> PHP 5.6), configuration settings (php.ini) are not retained and a new php.ini is used
  • After upgrade, cannot import exported Configuration from 6.0.1 or earlier (ZSRV-10773)
  • Windows:
    • Upgrading a cluster from an earlier version with a different PHP version may cause the Deployment Daemon to stop functioning on some of the nodes. Workaround: manually restart the Deployment Daemon from the GUI (ZSRV-12052)
    • Upgrading from an earlier version with a different PHP version may cause reset configuration not to work. Use export/import configuration instead (ZSRV-12048)
    • Upgrading from an earlier version with a different PHP version may cause some UI operations to hang. Workaround: clear the ZSD_TASKS table in the Zend DB (ZSRV-12048)
    • Upgrading from an earlier version with a different PHP version may cause the license to reset (ZSRV-10885)
  • Linux:
    • Upgrading from an earlier version with a different PHP version on DEB may fail due to unmet dependencies of php-5.x-java-bridge-zend-server. Workaround: remove java-bridge, then upgrade (ZSRV-10436)