• Zend Server 2019.1.4

    Contains only PHP and installer/packaging fixes/changes; no changes in Zend Server.

    Backported PHP 7.1.33.21, 7.2.34.17, 7.3.33.9 CVE Fixes

    • Libxml: Fixed bug GHSA-3qrf-m4j2-pcrr (Security issue with external entity loading in XML without enabling it). (CVE-2023-3823)
    • Phar: Fixed bug GHSA-jqcx-ccgc-xwhv (Buffer mismanagement in phar_dir_read()). (CVE-2023-3824)

    Backported PHP 7.1.33.20, 7.2.34.16, 7.3.33.8 CVE Fixes

    • Soap: Fixed bug GHSA-76gg-c692-v2mw (Missing error check and insufficient random bytes in HTTP Digest authentication for SOAP). (CVE-2023-3247)

    Backported PHP 7.1.33.19, 7.2.34.15, 7.3.33.7 CVE Fixes

    • Intl: Fixed bug #72809 (Locale::lookup() wrong result with canonicalize option).

    Windows

    • Updated Apache v.2.4.57 in Zend Server Windows installation package

  • Zend Server 2021.3.2

    Changes

    • Added Support for IBM i 7.5

    Backported PHP CVE fixes

    • PHP version 7.1.33.21, 7.2.34.17, 7.3.33.9, 7.4.33.4
      • Libxml: Fixed bug GHSA-3qrf-m4j2-pcrr (Security issue with external entity loading in XML without enabling it). (CVE-2023-3823)
      • Phar: Fixed bug GHSA-jqcx-ccgc-xwhv (Buffer mismanagement in phar_dir_read()). (CVE-2023-3824)
    • PHP version 7.1.33.20, 7.2.34.16, 7.3.33.8, 7.4.33.3
      • Soap: Fixed bug GHSA-76gg-c692-v2mw (Missing error check and insufficient random bytes in HTTP Digest authentication for SOAP). (CVE-2023-3247)

    Bugfixes

    • PHP version 7.1.33.19, 7.2.34.15, 7.3.33.7
      • Intl: Fixed bug #72809 (Locale::lookup() wrong result with canonicalize option).

    Windows package updates

    • Apache 2.4.57

  • Zend Server 2021.3.1

    Backported PHP CVE fixes

    • PHP version 7.1.33.18, 7.2.34.14, 7.3.33.6, 7.4.33.2
      • Core
        • Fixed bug #81744 (Password_verify() always return true with some hash).   (CVE-2023-0567)
        • Fixed bug #81746 (1-byte array overrun in common path resolve code).   (CVE-2023-0568)
      • FPM
        • Fixed bug GHSA-54hq-v5wp-fqgv (DOS vulnerability when parsing multipart   request body). (CVE-2023-0662)
    • PHP version 7.1.33.17, 7.2.34.13, 7.3.33.5, 7.4.33.1
      • PDO/SQLite: Fixed bug #81740 (PDO::quote() may return unquoted string). (CVE-2022-31631)

    Windows Package Updates

    • Apache 2.4.56 (adding also MS vs17 64-bit c++ redistributable installation)
    • OpenSSL 1.1.1t
    • cURL 7.88.1

  • Zend Server 2019.1.3

    PHP fixes only.

    PHP version 7.1.33.18, 7.2.34.14, 7.3.33.6 CVE fixes

    • Core
      • Fixed bug #81744 (password_verify() always return true with some hash). (CVE-2023-0567)
      • Fixed bug #81746 (1-byte array overrun in common path resolve code). (CVE-2023-0568)
    • FPM
      • Fixed bug GHSA-54hq-v5wp-fqgv (DOS vulnerability when parsing multipart request body). (CVE-2023-0662)

    PHP version 7.1.33.17, 7.2.34.13, 7.3.33.5 CVE fixes

    • PDO/SQLite
      • Fixed bug #81740 (PDO::quote() may return unquoted string). (CVE-2022-31631)

  • Zend Server 9.1.16

    Note: 9.1.16 is the final release version for Zend Server 9.1.

    PHP version 7.1.33.18.

    Backported CVE fixes

    • Core
      • Fixed bug #81744 (password_verify() always return true with some hashes). (CVE-2023-0567)
      • Fixed bug #81746 (1-byte array overrun in common path resolve code). (CVE-2023-0568)
    • FPM
      • Fixed bug GHSA-54hq-v5wp-fqgv (DOS vulnerability when parsing multipart request body). (CVE-2023-0662)
    • PDO/SQLite
      • Fixed bug #81740 (PDO::quote() may return unquoted string). (CVE-2022-31631)

  • Zend Server 9.1.15

    PHP version 7.1.33.16.

    Backported CVE fixes

    • Core
      • Fixed bug #81726: phar wrapper: DOS when using quine gzip file. (CVE-2022-31628)
      • Fixed bug #81727: Don't mangle HTTP variable names that clash with ones that have a specific semantic meaning. (CVE-2022-31629).

  • Zend Server 2021.3.0

    Fixed

    • JobQueue HTTPS requests failure on IBM i
    • Change lighttpd configuration for HTTPv.1.1 compatibility
    • JobQueue incorrect behavior during DST change
    •  Zend Server RPM php-sources-zend-server packages missing PHP 7.1 sources

    Updated

    • Upgrade angularjs to latest perforce-angular 1.8.4 in Zend Server

    Backported PHP CVE fixes

    • PHP versions: 7.1.33.16, 7.2.34.12, 7.3.33.4, 7.4.33
      • Fixed bug #81738: buffer overflow in hash_update() on long parameter.(CVE-2022-37454) (applies to 7.4.33 ONLY)
      • Fixed bug #81739: OOB read due to insufficient input validation in imageloadfont(). (CVE-2022-31630)
      • Fixed bug #81726: phar wrapper: DOS when using quine gzip file. (CVE-2022-31628)
      • Fixed bug #81727: Don't mangle HTTP variable names that clash with ones that have a specific semantic meaning. (CVE-2022-31629).

  • Zend Server 8.5.20

    PHP version 5.6.40.17.

    Backported CVE fixes

    • Core:
      • Fixed bug #81726: phar wrapper: DOS when using quine gzip file (CVE-2022-31628).
      • Fixed bug #81727: Don't mangle HTTP variable names that clash with ones that have a specific semantic meaning (CVE-2022-31629).