ZendPHP August 2023 Releases

Added Platform Support

  • Added support for IBM i 7.5.

Community fixes for ZendPHP 8.2.9

  • Build

    • Fixed bug GH-11522: PHP version check fails with '-' separator.

  • CLI

    • Fix interrupted CLI output causing the process to exit.

  • Core

    • Fixed oss-fuzz #60011: Mis-compilation of by-reference nullsafe operator.
    • Fixed line number of JMP instruction over else block.
    • Fixed use-of-uninitialized-value with ??= on assert.
    • Fixed oss-fuzz #60411: Fix double-compilation of arrow-functions.
    • Fixed build for FreeBSD before the 11.0 releases.

  • Curl

    • Fix crash when an invalid callback function is passed to CURLMOPT_PUSHFUNCTION.

  • Date

    • Fixed bug GH-11368: Date::modify returns invalid datetime.
    • Fixed bug GH-11600: Can't parse time strings which include (narrow) non-breaking space characters).

  • DOM

    • Fixed bug GH-11625: DOMElement::replaceWith() doesn't replace node with DOMDocumentFragment but just deletes node or causes wrapping > depending on libxml2 version.

  • Fileinfo

    • Fixed bug GH-11298: finfo returns wrong mime type for xz files.

  • FTP

    • Fix context option check for "overwrite".
    • Fixed bug GH-10562: Memory leak and invalid state with consecutive ftp_nb_fget.

  • GD

    • Fix most of the external libgd test failures.

  • Intl

    • Fix memory leak in MessageFormatter::format() on failure.

  • Libxml

    • Fixed bug GHSA-3qrf-m4j2-pcrr: Security issue with external entity loading in XML without enabling it. (CVE-2023-3823)

  • MBString

    • Fix GH-11300: license issue: restricted unicode license headers.

  • Opcache

    • Fixed bug GH-10914: OPCache with Enum and Callback functions results in segmentation fault.
    • Prevent potential deadlock if accelerated globals cannot be allocated.

  • PCNTL

    • Fixed bug GH-11498: SIGCHLD is not always returned from proc_open.

  • PDO

    • Fix GH-11587: After php8.1, when PDO::ATTR_EMULATE_PREPARES is true and PDO::ATTR_STRINGIFY_FETCHES is true, decimal zeros are no longer filled.

  • PDO SQLite

    • Fix GH-11492: Make test failure: ext/pdo_sqlite/tests/bug_42589.phpt.

  • Phar

    • Add missing check on EVP_VerifyUpdate() in phar util.
    • Fixed bug GHSA-jqcx-ccgc-xwhv: Buffer mismanagement in phar_dir_read(). (CVE-2023-3824)

  • PHPDBG

    • Fixed bug GH-9669: phpdbg -h options doesn't list the -z option.

  • Session

    • Removed broken url support for transferring session ID.

  • Standard

    • Fix serialization of RC1 objects appearing in object graph twice.

  • Streams

    • Fixed bug GH-11735: Use-after-free when unregistering user stream wrapper from itself.

  • SQLite3

    • Fix replaced error handling in SQLite3Stmt::__construct.

  • XMLReader

    • Fix GH-11548: Argument corruption when calling XMLReader::open or XMLReader::XML non-statically with observer active).

Community fixes for ZendPHP 8.1.22

  • Build

    • Fixed bug GH-11522: PHP version check fails with '-' separator.

  • CLI

    • Fix interrupted CLI output causing the process to exit.

  • Core

    • Fixed oss-fuzz #60011: Mis-compilation of by-reference nullsafe operator.
    • Fixed use-of-uninitialized-value with ??= on assert.
    • Fixed build for FreeBSD before the 11.0 releases.

  • Curl

    • Fix crash when an invalid callback function is passed to CURLMOPT_PUSHFUNCTION.

  • Date

    • Fixed bug GH-11368: Date::modify returns invalid datetime.

  • DOM

    • Fixed bug GH-11625: DOMElement::replaceWith() doesn't replace node with DOMDocumentFragment but just deletes node or causes wrapping > depending on libxml2 version.

  • Fileinfo

    • Fixed bug GH-11298: finfo returns wrong mime type for xz files.

  • FTP

    • Fix context option check for "overwrite".
    • Fixed bug GH-10562: Memory leak and invalid state with consecutive ftp_nb_fget.

  • GD

    • Fix most of the external libgd test failures.

  • Hash

    • Fix use-of-uninitialized-value in hash_pbkdf2(), fix missing $options parameter in signature.

  • Intl

    • Fix memory leak in MessageFormatter::format() on failure.

  • Libxml

    • Fixed bug GHSA-3qrf-m4j2-pcrr: Security issue with external entity loading in XML without enabling it. (CVE-2023-3823)

  • MBString

    • Fix GH-11300: license issue: restricted unicode license headers.

  • Opcache

    • Fixed bug GH-10914: OPCache with Enum and Callback functions results in segmentation fault.
    • Prevent potential deadlock if accelerated globals cannot be allocated.

  • PCNTL

    • Fixed bug GH-11498: SIGCHLD is not always returned from proc_open.

  • PCRE

    • Mangle PCRE regex cache key with JIT option.

  • PDO

    • Fix GH-11587: After php8.1, when PDO::ATTR_EMULATE_PREPARES is true and PDO::ATTR_STRINGIFY_FETCHES is true, decimal zeros are no longer filled.

  • PDO SQLite

    • Fix GH-11492: Make test failure: ext/pdo_sqlite/tests/bug_42589.phpt.

  • Phar

    • Add missing check on EVP_VerifyUpdate() in phar util.
    • Fixed bug GHSA-jqcx-ccgc-xwhv: Buffer mismanagement in phar_dir_read(). (CVE-2023-3824)

  • PHPDBG

    • Fixed bug GH-9669: phpdbg -h options doesn't list the -z option.

  • Session

    • Removed broken url support for transferring session ID.

  • Standard

    • Fix serialization of RC1 objects appearing in object graph twice.

  • SQLite3

    • Fix replaced error handling in SQLite3Stmt::__construct.

Community Security Fixes for ZendPHP 8.0.30

  • Libxml

    • Fixed bug GHSA-3qrf-m4j2-pcrr: Security issue with external entity loading in XML without enabling it. (CVE-2023-3823)

  • Phar

    • Fixed bug GHSA-jqcx-ccgc-xwhv: Buffer mismanagement in phar_dir_read(). (CVE-2023-3824)

Backported CVE Fixes for 7.4.33.4, 7.3.33.9, 7.2.34.17

  • Libxml

    • Fixed bug GHSA-3qrf-m4j2-pcrr: Security issue with external entity loading in XML without enabling it. (CVE-2023-3823)

  • Phar

    • Fixed bug GHSA-jqcx-ccgc-xwhv: Buffer mismanagement in phar_dir_read(). (CVE-2023-3824)