ZendPHP Changes
- Support ended for IBM i = V7R2
- PHP is now built with OpenSSL v3. OpenSSL 3 is available from IBM i v7r3 OpenSource base rpm repositories.
- NOTE FOR USERS ON IBM i: due to packaging issues by IBM, the postgresql12-libpq package upgrade may not complete properly (missing symbolic links for libraries), which causes the PHP PostgreSQL extensions to not load. Fix:
  yum reinstall postgresql12-libpq
Community CVE Fixes
PHP version 8.3.12, 8.2.24, 8.1.30 CVE fixes
- CGI
  - Fixed bug GHSA-p99j-rfp4-xqvq: Bypass of CVE-2024-4577, Parameter Injection Vulnerability. (CVE-2024-8926)
  - Fixed bug GHSA-94p6-54jq-9mwp: cgi.force_redirect configuration is bypassable due to the environment variable collision. (CVE-2024-8927)
- FPM
  - Fixed bug GHSA-865w-9rf3-2wh5: Logs from children may be altered. (CVE-2024-9026)
- SAPI
  - Fixed bug GHSA-9pqp-7h25-4f32: Erroneous parsing of multipart form data. (CVE-2024-8925)
Backported PHP CVE Fixes
PHP version 7.2.34.20, 7.3.33.12, 7.4.33.7, 8.0.30.3 CVE fixes
- CGI
  - Fixed bug GHSA-p99j-rfp4-xqvq: Bypass of CVE-2024-4577, Parameter Injection Vulnerability. (CVE-2024-8926)
  - Fixed bug GHSA-94p6-54jq-9mwp: cgi.force_redirect configuration is bypassable due to the environment variable collision. (CVE-2024-8927)
- SAPI
  - Fixed bug GHSA-9pqp-7h25-4f32: Erroneous parsing of multipart form data. (CVE-2024-8925)
PHP version 7.4.33.7, 8.0.30.3 CVE fixes
- FPM
  - Fixed bug GHSA-865w-9rf3-2wh5: Logs from children may be altered. (CVE-2024-9026)
Community Fixes
PHP version 8.3.12 fixes
- Core
  - Fixed bug GH-15408: MSan false-positive on zend_max_execution_timer.
  - Fixed bug GH-15515: Configure error grep illegal option q.
  - Fixed bug GH-15514: Configure error: genif.sh: syntax error.
  - Fixed bug GH-15565: --disable-ipv6 during compilation produces error EAI_SYSTEM not found.
  - Fixed bug GH-15587: CRC32 API build error on arm 32-bit.
  - Fixed bug GH-15330: Do not scan generator frames more than once.
  - Fixed uninitialized lineno in constant AST of internal enums.
- Curl
  - Fixed bug GH-15547: curl_multi_select overflow on timeout argument.
- DOM
  - Fixed bug GH-15551: Segmentation fault (access null pointer) in ext/dom/xml_common.h.
  - Fixed bug GH-15654: Signed integer overflow in ext/dom/nodelist.c.
- Fileinfo
  - Fixed bug GH-15752: Incorrect error message for finfo_file with an empty filename argument.
- MySQLnd
  - Fixed bug GH-15432: Heap corruption when querying a vector.
- Opcache
  - Fixed bug GH-15661: Access null pointer in Zend/Optimizer/zend_inference.c.
  - Fixed bug GH-15658: Segmentation fault in Zend/zend_vm_execute.h.
- Standard
  - Fixed bug GH-15552: Signed integer overflow in ext/standard/scanf.c.
- Streams
  - Fixed bug GH-15628: php_stream_memory_get_buffer() not zero-terminated.
PHP version 8.2.24 fixes
- Core
  - Fixed bug GH-15408: MSan false-positive on zend_max_execution_timer.
  - Fixed bug GH-15515: Configure error grep illegal option q.
  - Fixed bug GH-15514: Configure error: genif.sh: syntax error.
  - Fixed bug GH-15565: --disable-ipv6 during compilation produces error EAI_SYSTEM not found.
  - Fixed bug GH-15587: CRC32 API build error on arm 32-bit.
  - Fixed bug GH-15330: Do not scan generator frames more than once.
  - Fixed uninitialized lineno in constant AST of internal enums.
- Curl
  - Fixed bug GH-15547: curl_multi_select overflow on timeout argument.
- DOM
  - Fixed bug GH-15551: Segmentation fault (access null pointer) in ext/dom/xml_common.h.
- Fileinfo
  - Fixed bug GH-15752: Incorrect error message for finfo_file with an empty filename argument.
- MySQLnd
  - Fixed bug GH-15432: Heap corruption when querying a vector.
- Opcache
  - Fixed bug GH-15661: Access null pointer in Zend/Optimizer/zend_inference.c.
  - Fixed bug GH-15658: Segmentation fault in Zend/zend_vm_execute.h.
- SOAP
  - Fixed bug #73182: PHP SOAPClient does not support stream context HTTP headers in array form.
- Standard
  - Fixed bug GH-15552: Signed integer overflow in ext/standard/scanf.c.
- Streams
  - Fixed bug GH-15628: php_stream_memory_get_buffer() not zero-terminated.