ZendPHP Changes for 8.3.6, 8.2.18, 8.1.28, 8.0.30.1, 7.4.33.5, 7.3.33.10, 7.2.34.18

  • IBM i PHP error log is stored as /www/zendphp/logs/php_errors.log by default for new installations

  • Windows build:

    • OpenSSL v3.2.1
    • Fixed PostgreSQL drivers build, v16.2
    • Fixed MSI, added missing MSVC dependency library for imagick extension

ZendPHP Changes for 8.3.6, 8.2.18, 8.1.28

  • Debian and Ubuntu packages
    • Fix php-fpm configuration file path

Community Fixes for 8.3.6

  • Core:

    • Fixed GH-13569: GC buffer unnecessarily grows up to GC_MAX_BUF_SIZE when scanning WeakMaps.
    • Fixed bug GH-13612: Corrupted memory in destructor with weak references.
    • Fixed bug GH-13446: Restore exception handler after it finishes.
    • Fixed bug GH-13784: AX_GCC_FUNC_ATTRIBUTE failure.
    • Fixed bug GH-13670: GC does not scale well with a lot of objects created in destructor.
  • DOM:

    • Add some missing ZPP checks.
    • Fix potential memory leak in XPath evaluation results.
  • FPM:

    • Fixed GH-11086: FPM: config test runs twice in daemonised mode.
    • Fix incorrect check in fpm_shm_free().
  • GD:

    • Fixed bug GH-12019: add GDLIB_CFLAGS in feature tests.
  • Gettext:

    • Fixed SIGABRT raised with dcgettext/dcngettext calls with gettext 0.22.5 with category set to LC_ALL.
  • MySQLnd:

    • Fix GH-13452: Fixed handshake response [mysqlnd].
    • Fix incorrect charset length in check_mb_eucjpms().
  • Opcache:

    • Fixed GH-13508: JITed QM_ASSIGN may be optimized out when op1 is null.
    • Fixed GH-13712: Segmentation fault for enabled observers when calling trait method of internal trait when opcache is loaded.
  • Random:

    • Fixed bug GH-13544: Pre-PHP 8.2 compatibility for mt_srand with unknown modes.
    • Fixed bug GH-13690: Global Mt19937 is not properly reset in-between requests when MT_RAND_PHP is used.
  • Session:

    • Fixed bug GH-13680: Segfault with session_decode and compilation error.
  • SPL:

    • Fixed bug GH-13685: Unexpected null pointer in zend_string.h.
  • Standard:

    • Fixed bug GH-11808: Live filesystem modified by tests.
    • Fixed GH-13402: Added validation of \n in $additional_headers of mail().
    • Fixed bug GH-13203: file_put_contents fail on strings over 4GB on Windows.
    • Fixed bug GH-13932: Attempt to fix mbstring on Windows build (MSVC).

Community Fixes for 8.2.18

  • Core:

    • Fixed bug GH-13612: Corrupted memory in destructor with weak references.
    • Fixed bug GH-13784: AX_GCC_FUNC_ATTRIBUTE failure.
    • Fixed bug GH-13670: GC does not scale well with a lot of objects created in destructor.
  • DOM:

    • Add some missing ZPP checks.
    • Fix potential memory leak in XPath evaluation results.
    • Fix phpdoc for DOMDocument load methods.
  • FPM:

    • Fixed incorrect check in fpm_shm_free().
  • GD:

    • Fixed bug GH-12019: add GDLIB_CFLAGS in feature tests.
  • Gettext:

    • Fixed SIGABRT raised with dcgettext/dcngettext calls with gettext 0.22.5 with category set to LC_ALL.
  • MySQLnd:

    • Fix GH-13452: Fixed handshake response [mysqlnd].
    • Fix incorrect charset length in check_mb_eucjpms().
  • Opcache:

    • Fixed GH-13508: JITed QM_ASSIGN may be optimized out when op1 is null.
    • Fixed GH-13712: Segmentation fault for enabled observers when calling trait method of internal trait when opcache is loaded.
  • PDO:

    • Fix various PDORow bugs.
  • Random:

    • Fixed bug GH-13544: Pre-PHP 8.2 compatibility for mt_srand with unknown modes.
    • Fixed bug GH-13690: Global Mt19937 is not properly reset in-between requests when MT_RAND_PHP is used.
  • Session:

    • Fixed bug GH-13680: Segfault with session_decode and compilation error.
  • Sockets:

    • Fixed bug GH-13604: socket_getsockname returns random characters in the end of the socket name.
  • SPL:

    • Fixed bug GH-13531: Unable to resize SplFixedArray after being unserialized in PHP 8.2.15.
    • Fixed bug GH-13685: Unexpected null pointer in zend_string.h.
  • Standard:

    • Fixed bug GH-11808: Live filesystem modified by tests.
    • Fixed GH-13402: Added validation of \n in $additional_headers of mail().
    • Fixed bug GH-13203: file_put_contents fail on strings over 4GB on Windows.
  • XML:

    • Fixed bug GH-13517: Multiple test failures when building with --with-expat.

Community CVE Fixes for 8.3.6, 8.2.18, 8.1.28

  • Standard:
    • Fixed bug GHSA-pc52-254m-w9w7: Command injection via array-ish $command parameter of proc_open. (CVE-2024-1874)
    • Fixed bug GHSA-wpj3-hf5j-x4v4: __Host-/__Secure- cookie bypass due to partial CVE-2022-31629 fix. (CVE-2024-2756)
    • Fixed bug GHSA-h746-cjrr-wfmr: password_verify can erroneously return true, opening ATO risk. (CVE-2024-3096)

Community CVE Fixes for 8.3.6

  • Fixed bug GHSA-fjp9-9hwx-59fq: mb_encode_mimeheader runs endlessly for some inputs. (CVE-2024-2757)

Backported CVE Fixes for 7.2.34.18, 7.3.33.10, 7.4.33.5, 8.0.30.1

  • Standard:
    • Fixed bug GHSA-wpj3-hf5j-x4v4: __Host-/__Secure- cookie bypass due to partial CVE-2022-31629 fix. (CVE-2024-2756)
    • Fixed bug GHSA-h746-cjrr-wfmr: password_verify can erroneously return true, opening ATO risk. (CVE-2024-3096)

Backported CVE Fixes for 7.4.33.5, 8.0.30.1

  • Standard:
    • Fixed bug GHSA-pc52-254m-w9w7: Command injection via array-ish $command parameter of proc_open. (CVE-2024-1874)