Updates for Version 9.1.16 (March 2023)

PHP 7.1 backported CVE fixes only


PHP version CVE fixes
- Core:
 . Fixed bug #81744 (Password_verify() always return true with some hash).
 . Fixed bug #81746 (1-byte array overrun in common path resolve code).

- FPM:
 . Fixed bug GHSA-54hq-v5wp-fqgv (DOS vulnerability when parsing multipart
   request body). (CVE-2023-0662) 

PHP version CVE fixes:

- PDO/SQLite:
 . Fixed bug #81740 (PDO::quote() may return unquoted string). (CVE-2022-31631)

Note: 9.1.16 is the final release version for Zend Server 9.1

Updates for Version 9.1.15 (November 2022)


  • Updates PHP version to

CVE fixes:

  • Core:
    • Fixed bug #81726: phar wrapper: DOS when using quine gzip file. (CVE-2022-31628). 
    • Fixed bug #81727: Don't mangle HTTP variable names that clash with ones that have a specific semantic meaning. (CVE-2022-31629). 

Updates for Version 9.1.14 (August 2022)

PHP update to

CVE fixes:
- mysqlnd:
  . Fixed bug #81719: mysqlnd/pdo password buffer overflow. (CVE-2022-31626)
- pgsql
  . Fixed bug #81720: Uninitialized array in pg_query_params(). (CVE-2022-31625)

Updates for version 9.1.13 (March 2022)

  • PHP update to Includes TLS v1.2 support for mysqlnd.
    PHP Changes:

    14 Mar 2022, PHP

    -  main/streams
     . Set TLS value to TLS_ANY to support TLS 1.2 servers

    26 Nov 2021, PHP

    - Fix #79971: special character is breaking the path in xml function CVE-2021-21707

    29 Oct 2021, PHP

    - Fix bug #81026 (PHP-FPM oob R/W in root process leading to priv escalation) CVE-2021-21703

    05 Oct 2021, PHP

    - Fix #81420: ZipArchive::extractTo extracts outside of destination CVE-2021-21706

    02 Sep 2021, PHP

    - Fix #81211: Symlinks are followed when creating PHAR archive

    08 Jul 2021, PHP

    - Fix #76448: Stack buffer overflow in firebird_info_cb CVE-2021-21704
    - Fix #76449: SIGSEGV in firebird_handle_doer
    - Fix #76450: SIGSEGV in firebird_stmt_execute

    - Fix #76452: Crash while parsing blob data in firebird_fetch_blob
    - Fix #81122: SSRF bypass in FILTER_VALIDATE_URL CVE-2021-21705

    03 May 2021, PHP

    - ext/imap
     . Fix #80710: imap_mail_compose() header injection

Updates for Version 9.1.12

Latest backported security fixes in PHP are:

  • Alternative fix for bug 77423 (CVE-2020-7071)
  • Fix bug #80672 - Null Dereference in SoapClient (CVE-2021-21702)

Updates for Version 9.1.11

Latest backported changes in PHP v. are:

  • Fix #77423: parse_url() will deliver a wrong host to user

Updates for Version 9.1.10

  • Fixed an issue where session directives can't be changed from the UI (ZSR-3594)
  • PHP version update to 7.1.33 (last php.net release)
  • FPM
    • Fixed bug #78599 (env_path_info underflow in fpm_main.c can lead to RCE). (CVE-2019-11043)

Updates for Version 9.1.9

  • PHP version update to v 7.1.32
    • Core
      • Fixed bug #77630 (rename() across the device may allow unwanted access during processing). (CVE-2019-9637)
    • mbstring
      • Fixed CVE-2019-13224 (don't allow different encodings for onig_new_deluxe)
    • EXIF
      • Fixed bug #78256 (heap-buffer-overflow on exif_process_user_comment). (CVE-2019-11042)
      • Fixed bug #78222 (heap-buffer-overflow on exif_scan_thumbnail). (CVE-2019-11041)
      • Fixed bug #77988 (heap-buffer-overflow on php_jpg_get16) (CVE-2019-11040).
      • Fixed bug #77950 (Heap-buffer-overflow in _estrndup via exif_process_IFD_TAG) (CVE-2019-11036).
      • Fixed bug #77753 (Heap-buffer-overflow in php_ifd_get32s). (CVE-2019-11034)
      • Fixed bug #77831 (Heap-buffer-overflow in exif_iif_add_value). (CVE-2019-11035)
      • Fixed bug #77509 (Uninitialized read in exif_process_IFD_in_TIFF). (CVE-2019-9641)
      • Fixed bug #77540 (Invalid Read on exif_process_SOFn). (CVE-2019-9640)
      • Fixed bug #77563 (Uninitialized read in exif_process_IFD_in_MAKERNOTE). (CVE-2019-9638)
      • Fixed bug #77659 (Uninitialized read in exif_process_IFD_in_MAKERNOTE). (CVE-2019-9639)
    • GD
      • Fixed bug #77973 (Uninitialized read in gdImageCreateFromXbm) (CVE-2019-11038).
    • Iconv
      • Fixed bug #78069 (Out-of-bounds read in iconv.c:_php_iconv_mime_decode() due to integer overflow) (CVE-2019-11039).

Updates for Version 9.1.8

  • PHP version update to 7.1.26
    • Core:
      • Fixed bug #77369 (memcpy with negative length via crafted DNS response). (CVE-2019-9022)
    • GD:
      • Fixed bug #77269 (efree() on uninitialized Heap data in imagescale leads to use-after-free). (CVE-2016-10166)
      • Fixed bug #77270 (imagecolormatch Out Of Bounds Write on Heap). (CVE-2019-6977)
    • IMAP:
      • Fixed bug #77153 (imap_open allows to run arbitrary shell commands via mailbox parameter). (CVE-2018-19518)
    • Mbstring:
      • Fixed bug #77370 (Buffer overflow on mb regex functions - fetch_token). (CVE-2019-9023)
      • Fixed bug #77371 (heap buffer overflow in mb regex functions - compile_string_node). (CVE-2019-9023)
      • Fixed bug #77381 (heap buffer overflow in multibyte match_at). (CVE-2019-9023)
      • Fixed bug #77382 (heap buffer overflow due to incorrect length in expand_case_fold_string). (CVE-2019-9023)
      • Fixed bug #77385 (buffer overflow in fetch_token). (CVE-2019-9023)
      • Fixed bug #77394 (Buffer overflow in multibyte case folding - unicode). (CVE-2019-9023)
      • Fixed bug #77418 (Heap overflow in utf32be_mbc_to_code). (CVE-2019-9023)
    • Phar:
      • Fixed bug #77247 (heap buffer overflow in phar_detect_phar_fname_ext). (CVE-2019-9021)
      • Fixed bug #77143 (Heap Buffer Overflow (READ: 4) in phar_parse_pharfile). (CVE-2018-20783)
    • Xmlrpc:
      • Fixed bug #77242 (heap out of bounds read in xmlrpc_decode()). (CVE-2019-9020)
      • Fixed bug #77380 (Global out of bounds read in xmlrpc base64 code). (CVE-2019-9024)

Updates for Version 9.1.6

Updates for Version 9.1.5

  • PHP 7.1.21 - http://www.php.net/ChangeLog-7.php#7.1.21
  • Updates since 9.1.4
    • CVEs
      • EXIF: Fixed bug #76423 (Int Overflow lead to Heap OverFlow in exif_thumbnail_extract of exif.c). (CVE-2018-14883)
      • EXIF: Fixed bug #76557 (heap-buffer-overflow (READ of size 48) while reading exif data). (CVE-2018-14851)
      • Win32: Fixed bug #76459 (windows linkinfo lacks openbasedir check). (CVE-2018-15132)
    • Zend Server fixes
      • Error 500 on Windows 10 (ZSR-2498)
      • Zend Server UI is sometimes stuck on loading screen (ZSR-2286)
  • CVEs included since Zend Server 9.1.1 with PHP 7.1.12
    • Standard: fixed bug #75981 (stack-buffer-overflow while parsing HTTP response). (CVE-2018-7584)
    • Phar: fixed bug #74782 (Reflected XSS in .phar 404 page). (CVE-2018-5712)
    • GD: fixed bug #75571 (Potential infinite loop in gdImageCreateFromGifCtx). (CVE-2018-5711)
    • Exif:Fixed bug #76130 (Heap Buffer Overflow (READ: 1786) in exif_iif_add_value). (CVE-2018-10549)
    • iconv:Fixed bug #76249 (stream filter convert.iconv leads to infinite loop on invalid sequence). (CVE-2018-10546)
    • ldap:Fixed bug #76248 (Malicious LDAP-Server Response causes Crash). (CVE-2018-10548)
    • Phar:Fixed bug #76129 (fix for CVE-2018-5712 may not be complete). (CVE-2018-10547)
  • Main Zend Server fixes
    • Apache is crashing due to Opcache errors on Windows (ZSR-2307)
    • Recurring jobs executing multiple times (ZSR-1821)
    • Recurring jobs is extremely slow with large number of jobs (ZSR- 2492)
    • Cross-Site Scripting vulnerability in Zend Debugger (ZSR-2455)
    • Z-Ray Selective mode is not available for Dev Enterprise edition (ZSR-2200)
    • Suspended recurring jobs getting deleted automatically from the UI (ZSR-1971)
    • Jobs aren't executed at accurate scheduled time (ZSR-1892)
    • The ImageMagick extension doesn't work correctly (ZSR-1868)
    • Segmentation faults with soap.so (ZSR-1834)

Introducing Zend Server 9.1

Read all about our Zend Server 9.1 features and capabilities in the What's New page.


  • Memcached extension - included only for Linux and Mac
  • Mac - changed to Apache 2.4
  • Bundled MySQL 5.7 for Windows installations
  • Microsoft IIS – security enhancement – following customer requests we added Zend Server support for IIS Application Pool, which allows better access control for different applications and resources


For detailed installation instructions for all supported operating systems, please refer to the Zend Server 9.1 Installation Guide.

Click here for specific IBMi notes


  • Only upgrades from Zend Server 9.X are supported
  • Upgrades on IBMi and Mac are supported from 9.1.0 and above
  • When upgrading PHP from PHP 7.0.X to PHP 7.1, configuration settings (php.ini) are not retained and a the new php.ini is used

Limitations and Known Issues

The following issues are known at the time of the Zend Server 9.1 release:

  • On Mac, in order to send mails via TLS, a couple of actions are required:
    • Get latest cert files:
      curl -k https://curl.haxx.se/ca/cacert.pem > /System/Library/OpenSSL/certs/cacert.pem
    • add the following to /usr/local/zend/gui/lighttpd/etc/php-fcgi.ini :
  • Nginx Deployment: deploying to the root of the default virtual host does not work out-of-the-box and causes configuration problems (ZSRV-10098). Workaround: comment out the location / entry in /etc/nginx/conf.d/default.conf
    #location / {
    # include /etc/nginx/fastcgi.conf;
    # root /usr/share/nginx/html;
    # index index.php index.html index.htm;
    # }
  • Zend Server's application deployment feature is not supported on IIS, but other application-related features are still available by defining applications.
  • Privacy – we enhanced Zend Server privacy feature, which required changes in the old privacy directives. Please refer to our KB for specific guidance

Z-Ray Notes

  • Z-Ray might be blocked by using the browser content security policy (e.g. PHPMyADmin on Firefox)
  • When using Z-Ray with Load Balanced domains, a special setup is needed:
    • An accessible ZS GUI address must be set in Z-Ray settings ( Zend Server Menu -> Z-Ray -> Settings -> Advanced)
    • The Load Balancer IP address must be included in the Z-Ray allowed IPs list (token)
  • Z-Ray is not to be included or enabled in performance tests context (e.g. in AB testing)
  • Z-Ray currently supports the following database drivers: PDO, MySQL/i, OCI8 , sqlite3 and DB2

Note: For more information please refer to the online documentation.



IBMi specific release notes


  • Zend Server for IBM i 9.1 can be installed as a new installation on a partition running Zend Server for IBM i 8.x, and both can be run at the same time, allowing for a migration from version 8 to version 9.
  • For detailed installation instructions, please refer to the Zend Server for IBM i Installation Guide.


  • Zend Server for IBMi now supports cluster! It requires the new Zend DBi (MariaDB)