ZendPHP September 2024 Releases

September 25, 2024

Support ended for IBM i = V7R2
- PHP is now built with OpenSSL v3. OpenSSL 3 is available from IBM i v7r3 OpenSource base rpm repositories.
- NOTE FOR USERS ON IBM i : due to packaging issues by IBM, postgresql12-libpq package upgrade may not complete properly (missing symbolic links for libraries) and causes PHP postgreql extensions to not load. Fix: yum reinstall postgresql12-libpq

PHP version 8.3.12, 8.2.24, 8.1.30 CVE fixes

CGI
- Fixed bug GHSA-p99j-rfp4-xqvq: Bypass of CVE-2024-4577, Parameter Injection Vulnerability. (CVE-2024-8926)
- Fixed bug GHSA-94p6-54jq-9mwp: cgi.force_redirect configuration is bypassable due to the environment variable collision. (CVE-2024-8927)
FPM
- Fixed bug GHSA-865w-9rf3-2wh5: Logs from childrens may be altered. (CVE-2024-9026)
SAPI
- Fixed bug GHSA-9pqp-7h25-4f32: Erroneous parsing of multipart form data. (CVE-2024-8925)

PHP version 7.2.34.20, 7.3.33.12, 7.4.33.7, 8.0.30.3 CVE fixes

CGI
- Fixed bug GHSA-p99j-rfp4-xqvq: Bypass of CVE-2024-4577, Parameter Injection Vulnerability. (CVE-2024-8926)
- Fixed bug GHSA-94p6-54jq-9mwp: cgi.force_redirect configuration is bypassable due to the environment variable collision. (CVE-2024-8927)
SAPI
- Fixed bug GHSA-9pqp-7h25-4f32: Erroneous parsing of multipart form data. (CVE-2024-8925)

PHP version 7.4.33.7, 8.0.30.3 CVE fixes

FPM
- Fixed bug GHSA-865w-9rf3-2wh5: Logs from childrens may be altered. (CVE-2024-9026)

PHP version 8.3.12 fixes

Core
- Fixed bug GH-15408: MSan false-positve on zend_max_execution_timer.
- Fixed bug GH-15515: Configure error grep illegal option q.
- Fixed bug GH-15514: Configure error: genif.sh: syntax error.
- Fixed bug GH-15565: --disable-ipv6 during compilation produces error EAI_SYSTEM not found.
- Fixed bug GH-15587: CRC32 API build error on arm 32-bit.
- Fixed bug GH-15330: Do not scan generator frames more than once.
- Fixed uninitialized lineno in constant AST of internal enums.
Curl
- FIxed bug GH-15547: curl_multi_select overflow on timeout argument.
DOM
- Fixed bug GH-15551: Segmentation fault (access null pointer) in ext/dom/xml_common.h.
- Fixed bug GH-15654: Signed integer overflow in ext/dom/nodelist.c.
Fileinfo
- Fixed bug GH-15752: Incorrect error message for finfo_file with an empty filename argument.
MySQLnd
- Fixed bug GH-15432: Heap corruption when querying a vector.
Opcache
- Fixed bug GH-15661: Access null pointer in Zend/Optimizer/zend_inference.c.
- Fixed bug GH-15658: Segmentation fault in Zend/zend_vm_execute.h.
Standard
- Fixed bug GH-15552: Signed integer overflow in ext/standard/scanf.c.
Streams
- Fixed bug GH-15628: php_stream_memory_get_buffer() not zero-terminated.

PHP version 8.2.24 fixes

Core
- Fixed bug GH-15408: MSan false-positve on zend_max_execution_timer.
- Fixed bug GH-15515: Configure error grep illegal option q.
- Fixed bug GH-15514: Configure error: genif.sh: syntax error.
- Fixed bug GH-15565: --disable-ipv6 during compilation produces error EAI_SYSTEM not found.
- Fixed bug GH-15587: CRC32 API build error on arm 32-bit.
- Fixed bug GH-15330: Do not scan generator frames more than once.
- Fixed uninitialized lineno in constant AST of internal enums.
Curl
- FIxed bug GH-15547: curl_multi_select overflow on timeout argument.
DOM
- Fixed bug GH-15551: Segmentation fault (access null pointer) in ext/dom/xml_common.h.
Fileinfo
- Fixed bug GH-15752: Incorrect error message for finfo_file with an empty filename argument.
MySQLnd
- Fixed bug GH-15432: Heap corruption when querying a vector.
Opcache
- Fixed bug GH-15661: Access null pointer in Zend/Optimizer/zend_inference.c.
- Fixed bug GH-15658: Segmentation fault in Zend/zend_vm_execute.h.
SOAP
- Fixed bug #73182: PHP SOAPClient does not support stream context HTTP headers in array form.
Standard
- Fixed bug GH-15552: Signed integer overflow in ext/standard/scanf.c.
Streams
- Fixed bug GH-15628: php_stream_memory_get_buffer() not zero-terminated.