Updates for version 8.5.13

06 May 2019, PHP 5.6.40.1

  • Exif:
    • Fixed integer overflows on 32-bits. (Stas)
    • Fixed bug #77540 (Invalid Read on exif_process_SOFn). (Stas)
    • Fixed bug #77563 (Uninitialized read in exif_process_IFD_in_MAKERNOTE.
      Also fixes bug #77659). (Stas)
    • Fixed bug #77753 (Heap-buffer-overflow in php_ifd_get32s). (Stas)
    • Fixed bug #77831 (Heap-buffer-overflow in exif_iif_add_value in EXIF). (Stas)
    • Fixed illegal arithmetic on void pointers. (cmb)
    • Fixed bug #77950 (Heap-buffer-overflow in _estrndup via exif_process_IFD_TAG). (Stas)
  • Mbstring:
    • Implemented FR bug #72777. (Yasuo)
  • Phar:
    • Fixed bug #77396 (Null Pointer Dereference in phar_create_or_parse_filename). (Stas)
    • Fixed bug #77586 (phar_tar_writeheaders_int() buffer overflow). (Stas)
  • SPL:
    • Fixed bug #77431 (SplFileInfo::__construct() accepts NUL bytes). (cmb)
  • Sqlite3:
    • Added DEFENSIVE config for SQLite >= 3.26.0 as a mitigation strategy against potential security flaws. (bohwaz)

Updates for version 8.5.12

Updates for version 8.5.11

  • PHP 5.6.38 http://www.php.net/ChangeLog-5.php#5.6.38

  • CVEs included since Zend Server 8.5.10 / PHP 5.6.36
  • Exif: Int overflow leads to heap overflow in exif_thumbnail_extract of exif.c (CVE-2018-14883)
  • Exif: heap-buffer-overflow (READ of size 48) while reading exif data (CVE-2018-14851)
  • Win32: Windows linkinfo lacks open_basedir check (CVE-2018-15132)

Updates for version 8.5.10

  • PHP 5.6.36 http://www.php.net/ChangeLog-5.php#5.6.36

  • CVEs included since Zend Server 8.5.9 / PHP 5.6.34
    • FPM: Fixed bug #75605 (Dumpable FPM child processes allow bypassing opcache access controls). (CVE-2018-10545)
    • iconv: Fixed bug #76249 (stream filter convert.iconv leads to infinite loop on invalid sequence). (CVE-2018-10546)
    • Phar: Fixed bug #76129 (fix for CVE-2018-5712 may not be complete). (CVE-2018-10547)
    • LDAP: Fixed bug #76248 (Malicious LDAP-Server Response causes Crash). (CVE-2018-10548)
    • Exif: Fixed bug #76130 (Heap Buffer Overflow (READ: 1786) in exif_iif_add_value). (CVE-2018-10549)
  • Main Zend Server fixes:
    • PHP memory exhausted and Apache segfault (ZSR-1111)
    • Cross-Site Scripting vulnerabilities in Zend Debugger (ZSR-2446)
    • Jobs aren't executed at accurate scheduled time (ZSR-1993)
    • IBM DB2 pconnect issue (ZSR-2008)
    • Apache segfaults with Data Cache (ZSR-2132)
    • Segfaults with Zend Statistics component (ZSR-2143)
    • Z-Ray Selective mode is not available for Dev Enterprise edition (ZSR-2202)
    • Job Queue Daemon is crashing (ZSR-2229)

Installation

  • Zend Server 8.5 supports both new installations and upgrades from Zend Server 6.x, 7.x and 8.0 versions. Upgrading from a version prior to Zend Server 6.0 is not supported. If you would like to upgrade a Zend Server that's older than 6.0, you should first upgrade to a newer version and only then upgrade to 8.5.

  • For Linux users we recommend installing a new, or upgrading an existing, Zend Server installation using the supplied Repository Installer script. The script ensures that the correct repositories are set, verifies system requirements and issues the correct package management commands to set Zend Server up properly. While it is still possible to install Zend Server by manually setting up repositories, we advise always using the installation script.
  • For detailed installation instructions for all supported operating systems, please refer to the Zend Server Installation Guide. For a full list of system requirements, see the Zend Server System Requirements.
  • If you previously installed Zend Guard Loader on your Zend Server 8.0.2, then after updating your installation with this package you will need to open the opcache.ini (Linux/Mac) or php.ini (Windows) file and comment out the line loading the Zend Guard Loader extension (zend_extension=""). Then, enable the extension via the Zend Server UI Components page and restart Zend Server.

Limitations and Known Issues

The following issues are known at the time of the 8.0 release:


General

  • Zend Server cannot communicate with MySQL databases that are configured with old_passwords=1 (ZSRV-8104)
  • Cluster DB user password length is limited to 32 characters (ZSR-1239)
  • Zend Server cannot join cluster if MySQL is configured for ANSI mode (ZSRV-14477)
  • Misconfiguring LDAP authentication can result in the user being locked out of their Zend Server console. If this occurs, reset your Zend Server password. For more information, see the Zend Server User Guide.
  • On CentOS/RHEL 7, when the SELinux related packages are updated as part of our installation, the SELinux commands don't function. Solution: work with an updated CentOS/RHEL 7 machine.
  • Session Clustering does not support value=6 for the php.ini directive session.hash_bits_per_character (the Zend Server UI does not currently warn about this issue).
  • Nginx Deployment: deploying to the root of the default virtual host does not work out-of-the-box and causes configuration problems (ZSRV-10098). Workaround: comment out the location / entry in /etc/nginx/conf.d/default.conf

         #location / {
         #    include /etc/nginx/fastcgi.conf;
         #    root /usr/share/nginx/html;
         #    index index.php index.html index.htm;
         #}

  • No support for nginx on SELinux
  • CentOS 6: after upgrading OpenSSL to 1.0.1, curl still doesn't work with TLS 1.1/1.2 due to the local libcurl (ZSRV-15297)
  • Zend Debugger is causing fatal error when phar file is debugged (ZSRV-14518)


Z-Ray

  • Z-Ray now supports Selective Mode for the Developer Enterprise edition
  • Z-Ray might be blocked by the browser's Content Security Policy (e.g. phpMyAdmin on Firefox)
  • Specific configuration is required in order for Z-Ray to collect and display data on HTTPS requests in Windows with IIS and on IBM i
  • Load balancer configuration is required for Z-Ray to be displayed:
    • An accessible ZS GUI address must be set
    • The Load Balancer IP address must be included in the Z-Ray allowed IPs list (token)
  • Z-Ray should not be included or enabled in a performance-testing context (e.g. in AB testing)
  • Z-Ray currently supports the following database drivers: PDO, MySQL/i, OCI8, MS SQL, PostgreSQL, SQLite and DB2
  • Z-Ray is not collecting information and is not visible when executing encoded files


Upgrade & Installation Related

  • When upgrading PHP major versions (e.g. PHP 5.5 -> PHP 5.6), configuration settings (php.ini) are not retained and the new php.ini is used
  • After upgrading, configuration exported from 6.0.1 or earlier cannot be imported (ZSRV-10773)
  • Windows:
    • Upgrading a cluster from an earlier version with a different PHP version may cause the Deployment Daemon to stop functioning on some of the nodes. Workaround: manually restart the Deployment Daemon from the GUI (ZSRV-12052)
    • Upgrading from an earlier version with a different PHP version may cause the Reset Configuration operation not to work. Use export/import configuration instead (ZSRV-12048)
    • Upgrade from earlier version with a different PHP version may cause some UI operations to hang. Workaround: clear the ZSD_TASKS table in the Zend DB (ZSRV-12048)
    • Upgrade from earlier version with a different PHP version may cause the license to reset (ZSRV-10885)
  • Linux:
    • Upgrading from an earlier version with a different PHP version on DEB may fail due to unmet dependencies for php-5.x-java-bridge-zend-server. Workaround: remove java-bridge, then upgrade (ZSRV-10436)