ZendPHP Changes

  • PHP version 8.3.6, 8.2.18, 8.1.28, 8.0.30.1, 7.4.33.5, 7.3.33.10, 7.2.34.18

    • IBM i PHP error log is stored as /www/zendphp/logs/php_errors.log by default for new installations

    • Windows build:

      • OpenSSL v3.2.1
      • Fixed PostgreSQL drivers build, v16.2
      • Fixed MSI, added missing MSVC dependency library for imagick extension
  • PHP versions 8.3.6, 8.2.18, 8.1.28

  • Debian and Ubuntu packages

    • Fix php-fpm configuration file path

Community Fixes

  • PHP version 8.3.6 fixes

    • Core

      • Fixed GH-13569: GC buffer unnecessarily grows up to GC_MAX_BUF_SIZE when scanning WeakMaps.
      • Fixed bug GH-13612: Corrupted memory in destructor with weak references.
      • Fixed bug GH-13446: Restore exception handler after it finishes.
      • Fixed bug GH-13784: AX_GCC_FUNC_ATTRIBUTE failure.
      • Fixed bug GH-13670: GC does not scale well with a lot of objects created in destructor.
    • DOM

      • Add some missing ZPP checks.
      • Fix potential memory leak in XPath evaluation results.
    • FPM

      • Fixed GH-11086: FPM: config test runs twice in daemonised mode.
      • Fix incorrect check in fpm_shm_free().
    • GD

      • Fixed bug GH-12019: add GDLIB_CFLAGS in feature tests.
    • Gettext

      • Fixed SIGABRT raised with dcgettext/dcngettext calls with gettext 0.22.5 with category set to LC_ALL.
    • MySQLnd

      • Fix GH-13452: Fixed handshake response [mysqlnd].
      • Fix incorrect charset length in check_mb_eucjpms().
    • Opcache

      • Fixed GH-13508: JITed QM_ASSIGN may be optimized out when op1 is null.
      • Fixed GH-13712: Segmentation fault for enabled observers when calling trait method of internal trait when opcache is loaded.
    • Random

      • Fixed bug GH-13544: Pre-PHP 8.2 compatibility for mt_srand with unknown modes.
      • Fixed bug GH-13690: Global Mt19937 is not properly reset in-between requests when MT_RAND_PHP is used.
    • Session

      • Fixed bug GH-13680: Segfault with session_decode and compilation error.
    • SPL

      • Fixed bug GH-13685: Unexpected null pointer in zend_string.h.
    • Standard

      • Fixed bug GH-11808: Live filesystem modified by tests.
      • Fixed GH-13402: Added validation of \n in $additional_headers of mail().
      • Fixed bug GH-13203: file_put_contents fail on strings over 4GB on Windows.
      • Fix bug GH-13932: Attempt to fix mbstring on Windows build (MSVC).
  • PHP version 8.2.18 fixes

    • Core

      • Fixed bug GH-13612: Corrupted memory in destructor with weak references.
      • Fixed bug GH-13784: AX_GCC_FUNC_ATTRIBUTE failure.
      • Fixed bug GH-13670: GC does not scale well with a lot of objects created in destructor.
    • DOM

      • Add some missing ZPP checks.
      • Fix potential memory leak in XPath evaluation results.
      • Fix phpdoc for DOMDocument load methods.
    • FPM

      • Fixed incorrect check in fpm_shm_free().
    • GD

      • Fixed bug GH-12019: add GDLIB_CFLAGS in feature tests.
    • Gettext

      • Fixed SIGABRT raised with dcgettext/dcngettext calls with gettext 0.22.5 with category set to LC_ALL.
    • MySQLnd

      • Fix GH-13452: Fixed handshake response [mysqlnd].
      • Fix incorrect charset length in check_mb_eucjpms().
    • Opcache

      • Fixed GH-13508: JITed QM_ASSIGN may be optimized out when op1 is null.
      • Fixed GH-13712: Segmentation fault for enabled observers when calling trait method of internal trait when opcache is loaded.
    • PDO

      • Fix various PDORow bugs.
    • Random

      • Fixed bug GH-13544: Pre-PHP 8.2 compatibility for mt_srand with unknown modes.
      • Fixed bug GH-13690: Global Mt19937 is not properly reset in-between requests when MT_RAND_PHP is used.
    • Session

      • Fixed bug GH-13680: Segfault with session_decode and compilation error.
    • Sockets

      • Fixed bug GH-13604: socket_getsockname returns random characters in the end of the socket name.
    • SPL

      • Fixed bug GH-13531: Unable to resize SplFixedArray after being unserialized in PHP 8.2.15.
      • Fixed bug GH-13685: Unexpected null pointer in zend_string.h.
    • Standard

      • Fixed bug GH-11808: Live filesystem modified by tests.
      • Fixed GH-13402: Added validation of \n in $additional_headers of mail().
      • Fixed bug GH-13203: file_put_contents fail on strings over 4GB on Windows.
    • XML

      • Fixed bug GH-13517: Multiple test failures when building with --with-expat.

Community CVE Fixes

  • PHP version 8.3.6, 8.2.18, 8.1.28 CVE fixes

    • Standard
      • Fixed bug GHSA-pc52-254m-w9w7: Command injection via array-ish $command parameter of proc_open. (CVE-2024-1874)
      • Fixed bug GHSA-wpj3-hf5j-x4v4: __Host-/__Secure- cookie bypass due to partial CVE-2022-31629 fix. (CVE-2024-2756)
      • Fixed bug GHSA-h746-cjrr-wfmr: password_verify can erroneously return true, opening account takeover (ATO) risk. (CVE-2024-3096)
  • PHP version 8.3.6 CVE fixes

    • Standard
      • Fixed bug GHSA-fjp9-9hwx-59fq: mb_encode_mimeheader runs endlessly for some inputs. (CVE-2024-2757)

Backported PHP CVE Fixes

  • PHP version 7.2.34.18, 7.3.33.10, 7.4.33.5, 8.0.30.1 CVE fixes

    • Standard
      • Fixed bug GHSA-wpj3-hf5j-x4v4: __Host-/__Secure- cookie bypass due to partial CVE-2022-31629 fix. (CVE-2024-2756)
      • Fix bug GHSA-h746-cjrr-wfmr: password_verify can erroneously return true, opening account takeover (ATO) risk. (CVE-2024-3096)
  • PHP version 7.4.33.5, 8.0.30.1 CVE fixes

    • Standard
      • Fixed bug GHSA-pc52-254m-w9w7: Command injection via array-ish $command parameter of proc_open. (CVE-2024-1874)