Zend Server 2021.4.3

Maintenance release, fixing CVE security issues for PHP.

Backported CVE fixes

• PHP versions 7.4.33.11, 7.3.33.17, 7.2.34.25, 7.1.33.27

• pgsql

  • Fixed CVE-2025-1735: pgsql extension does not check for errors during escaping. Requires additional fix provided for PostgreSQL drivers version >= 13. PHP fix is only valid for updated drivers. Zend Server uses database server drivers provided by the OS distribution. Please note that older Linux versions (such as RHEL 7.x, CentOS 7, Debian 10, Ubuntu 18.04) do not include this driver fix in the default operating system installation. Related to PostgreSQL CVE-2025-1094 (Versions before PostgreSQL 17.3, 16.7, 15.11, 14.16, and 13.19 are affected).

• SOAP

  • Fixed CVE-2025-6491: NULL Pointer Dereference in PHP SOAP Extension via Large XML Namespace Prefix.

• Standard

  • Fixed CVE-2025-1220: Null byte termination in hostnames.