ZendPHP Release Notes

Community Changes

PHP Version 8.4.7 Changes

• Core

  • Fixed bug GH-18038: Lazy proxy calls magic methods twice.
  • Fixed bug GH-18209: Use-after-free in extract() with EXTR_REFS.
  • Fixed bug GH-18268: Segfault in array_walk() on object with added property hooks

Community changes

PHP version 8.4.6 changes

• BCMath

  • Fixed pointer subtraction for scale.

• Core

  • Fixed property hook backing value access in multi-level inheritance.
  • Fixed accidentally inherited default value in overridden virtual properties.
  • Fixed bug

Backported CVE Fixes for ZendPHP 8.0.30.6, 7.4.33.10, 7.3.33.16, and 7.2.34.24

• LibXML

  • Fixed GHSA-wg4p-4hqh-c3g9 (Reocurrence of #72714).
  • Fixed GHSA-p3x9-6h7p-cgfc (libxml streams use wrong content-type header when requesting a redirected resource).

Community CVE Fixes

PHP version 8.4.5, 8.3.19 CVE fixes

• Core

  • Fixed GHSA-rwp7-7vc6-8477: Reference counting in php_request_shutdown causes Use-After-Free. (CVE-2024-11235)

• LibXML

  • Fixed GHSA-p3x9-6h7p-cgfc: libxml streams use wrong content-type heade

Community changes

PHP version 8.4.4 changes

• Core

  • Fixed bug GH-17234: Numeric parent hook call fails with assertion
  • Fixed bug GH-16892: ini_parse_quantity() fails to parse inputs starting with 0x0b
  • Fixed bug GH-16886: ini_parse_quantity() fails to emit

Community changes

PHP version 8.4.3 changes

• BcMath

  • Fixed bug GH-17049: Correctly compare 0 and -0
  • Fixed bug GH-17061: Number::round() does not remove trailing zeros
  • Fixed bug GH-17064: Correctly round rounding mode with zero edge case
  • Fixed bug GH

Community changes

PHP version 8.4.2 changes

• BcMath

  • Fixed bug GH-16978: Avoid unnecessary padding with leading zeros

• COM

  • Fixed bug GH-16991: Getting typeinfo of non DISPATCH variant segfaults

• Core

  • Fixed bug GH-16344: setRawValueWithoutLazyInitia

ZendPHP Changes

PHP version 8.4.1

Community dropped some extensions from the PHP main sources, extensions are now built from PECL sources, therefore the packaging changes on Linux and IBM i:

• oci8
  • have different packaging names for RPM based releases

Community Fixes

PHP version 8.3.13 fixes

• Calendar

  • Fixed GH-16240: jdtounix overflow on argument value.
  • Fixed GH-16241: easter_days/easter_date overflow on year argument.
  • Fixed GH-16263: jddayofweek overflow.
  • Fixed GH-16234: jewishtojd overflow.

• CLI

ZendPHP Changes

• Support ended for IBM i = V7R2
  • PHP is now built with OpenSSL v3. OpenSSL 3 is available from IBM i v7r3 OpenSource base rpm repositories.
  • NOTE FOR USERS ON IBM i : due to packaging issues by IBM, postgresql12-libpq package upgrade may not complete properly (missing symbolic links for libraries) and causes PHP postgreql extensions to not load. Fix: yum reinstall postgresql12-libpq

Community CVE Fixes

PHP version 8.3.12, 8.2.24, 8.1.30 CVE fixes

• CGI

  • Fixed bug GHSA-p99j-rfp4-xqvq: Bypass of CVE-2024-4577, Parameter Injection Vulnerability. (CVE-2024-8926)
  • Fixed bug GHSA-94p6-54jq-9mwp: cgi.force_redirect configuration is bypassable due to the environment variable collision. (CVE-2024-8927)

• FPM

  • Fixed bug GHSA-865w-9rf3-2wh5: Logs from childrens may be altered. (CVE-2024-9026)

• SAPI

  • Fixed bug GHSA-9pqp-7h25-4f32: Erroneous parsing of multipart form data. (CVE-2024-8925)

Backported PHP CVE Fixes

PHP version 7.2.34.20, 7.3.33.12, 7.4.33.7, 8.0.30.3 CVE fixes

• CGI

  • Fixed bug GHSA-p99j-rfp4-xqvq: Bypass of CVE-2024-4577, Parameter Injection Vulnerability. (CVE-2024-8926)
  • Fixed bug GHSA-94p6-54jq-9mwp: cgi.force_redirect configuration is bypassable due to the environment variable collision. (CVE-2024-8927)

• SAPI

  • Fixed bug GHSA-9pqp-7h25-4f32: Erroneous parsing of multipart form data. (CVE-2024-8925)

PHP version 7.4.33.7, 8.0.30.3 CVE fixes

• FPM
  • Fixed bug GHSA-865w-9rf3-2wh5: Logs from childrens may be altered. (CVE-2024-9026)

Community Fixes

PHP version 8.3.12 fixes

• Core

  • Fixed bug GH-15408: MSan false-positve on zend_max_execution_timer.
  • Fixed bug GH-15515: Configure error grep illegal option q.
  • Fixed bug GH-15514: Configure error: genif.sh: syntax error.
  • Fixed bug GH-15565: --disable-ipv6 during compilation produces error EAI_SYSTEM not found.
  • Fixed bug GH-15587: CRC32 API build error on arm 32-bit.
  • Fixed bug GH-15330: Do not scan generator frames more than once.
  • Fixed uninitialized lineno in constant AST of internal enums.

• Curl

  • FIxed bug GH-15547: curl_multi_select overflow on timeout argument.

• DOM

  • Fixed bug GH-15551: Segmentation fault (access null pointer) in ext/dom/xml_common.h.
  • Fixed bug GH-15654: Signed integer overflow in ext/dom/nodelist.c.

• Fileinfo

  • Fixed bug GH-15752: Incorrect error message for finfo_file with an empty filename argument.

• MySQLnd

  • Fixed bug GH-15432: Heap corruption when querying a vector.

• Opcache

  • Fixed bug GH-15661: Access null pointer in Zend/Optimizer/zend_inference.c.
  • Fixed bug GH-15658: Segmentation fault in Zend/zend_vm_execute.h.

• Standard

  • Fixed bug GH-15552: Signed integer overflow in ext/standard/scanf.c.

• Streams

  • Fixed bug GH-15628: php_stream_memory_get_buffer() not zero-terminated.

PHP version 8.2.24 fixes

• Core

  • Fixed bug GH-15408: MSan false-positve on zend_max_execution_timer.
  • Fixed bug GH-15515: Configure error grep illegal option q.
  • Fixed bug GH-15514: Configure error: genif.sh: syntax error.
  • Fixed bug GH-15565: --disable-ipv6 during compilation produces error EAI_SYSTEM not found.
  • Fixed bug GH-15587: CRC32 API build error on arm 32-bit.
  • Fixed bug GH-15330: Do not scan generator frames more than once.
  • Fixed uninitialized lineno in constant AST of internal enums.

• Curl

  • FIxed bug GH-15547: curl_multi_select overflow on timeout argument.

• DOM

  • Fixed bug GH-15551: Segmentation fault (access null pointer) in ext/dom/xml_common.h.

• Fileinfo

  • Fixed bug GH-15752: Incorrect error message for finfo_file with an empty filename argument.

• MySQLnd

  • Fixed bug GH-15432: Heap corruption when querying a vector.

• Opcache

  • Fixed bug GH-15661: Access null pointer in Zend/Optimizer/zend_inference.c.
  • Fixed bug GH-15658: Segmentation fault in Zend/zend_vm_execute.h.

• SOAP

  • Fixed bug #73182: PHP SOAPClient does not support stream context HTTP headers in array form.

• Standard

  • Fixed bug GH-15552: Signed integer overflow in ext/standard/scanf.c.

• Streams

  • Fixed bug GH-15628: php_stream_memory_get_buffer() not zero-terminated.