ZendPHP Release Notes

Community Fixes

PHP version 8.3.13 fixes

• Calendar

  • Fixed GH-16240: jdtounix overflow on argument value.
  • Fixed GH-16241: easter_days/easter_date overflow on year argument.
  • Fixed GH-16263: jddayofweek overflow.
  • Fixed GH-16234: jewishtojd overflow.

• CLI

ZendPHP Changes

• Support ended for IBM i = V7R2
  • PHP is now built with OpenSSL v3. OpenSSL 3 is available from IBM i v7r3 OpenSource base rpm repositories.
  • NOTE FOR USERS ON IBM i : due to packaging issues by IBM, postgresql12-libpq package upgrade may not complete properly (missing symbolic links for libraries) and causes PHP postgreql extensions to not load. Fix: yum reinstall postgresql12-libpq

Community CVE Fixes

PHP version 8.3.12, 8.2.24, 8.1.30 CVE fixes

• CGI

  • Fixed bug GHSA-p99j-rfp4-xqvq: Bypass of CVE-2024-4577, Parameter Injection Vulnerability. (CVE-2024-8926)
  • Fixed bug GHSA-94p6-54jq-9mwp: cgi.force_redirect configuration is bypassable due to the environment variable collision. (CVE-2024-8927)

• FPM

  • Fixed bug GHSA-865w-9rf3-2wh5: Logs from childrens may be altered. (CVE-2024-9026)

• SAPI

  • Fixed bug GHSA-9pqp-7h25-4f32: Erroneous parsing of multipart form data. (CVE-2024-8925)

Backported PHP CVE Fixes

PHP version 7.2.34.20, 7.3.33.12, 7.4.33.7, 8.0.30.3 CVE fixes

• CGI

  • Fixed bug GHSA-p99j-rfp4-xqvq: Bypass of CVE-2024-4577, Parameter Injection Vulnerability. (CVE-2024-8926)
  • Fixed bug GHSA-94p6-54jq-9mwp: cgi.force_redirect configuration is bypassable due to the environment variable collision. (CVE-2024-8927)

• SAPI

  • Fixed bug GHSA-9pqp-7h25-4f32: Erroneous parsing of multipart form data. (CVE-2024-8925)

PHP version 7.4.33.7, 8.0.30.3 CVE fixes

• FPM
  • Fixed bug GHSA-865w-9rf3-2wh5: Logs from childrens may be altered. (CVE-2024-9026)

Community Fixes

PHP version 8.3.12 fixes

• Core

  • Fixed bug GH-15408: MSan false-positve on zend_max_execution_timer.
  • Fixed bug GH-15515: Configure error grep illegal option q.
  • Fixed bug GH-15514: Configure error: genif.sh: syntax error.
  • Fixed bug GH-15565: --disable-ipv6 during compilation produces error EAI_SYSTEM not found.
  • Fixed bug GH-15587: CRC32 API build error on arm 32-bit.
  • Fixed bug GH-15330: Do not scan generator frames more than once.
  • Fixed uninitialized lineno in constant AST of internal enums.

• Curl

  • FIxed bug GH-15547: curl_multi_select overflow on timeout argument.

• DOM

  • Fixed bug GH-15551: Segmentation fault (access null pointer) in ext/dom/xml_common.h.
  • Fixed bug GH-15654: Signed integer overflow in ext/dom/nodelist.c.

• Fileinfo

  • Fixed bug GH-15752: Incorrect error message for finfo_file with an empty filename argument.

• MySQLnd

  • Fixed bug GH-15432: Heap corruption when querying a vector.

• Opcache

  • Fixed bug GH-15661: Access null pointer in Zend/Optimizer/zend_inference.c.
  • Fixed bug GH-15658: Segmentation fault in Zend/zend_vm_execute.h.

• Standard

  • Fixed bug GH-15552: Signed integer overflow in ext/standard/scanf.c.

• Streams

  • Fixed bug GH-15628: php_stream_memory_get_buffer() not zero-terminated.

PHP version 8.2.24 fixes

• Core

  • Fixed bug GH-15408: MSan false-positve on zend_max_execution_timer.
  • Fixed bug GH-15515: Configure error grep illegal option q.
  • Fixed bug GH-15514: Configure error: genif.sh: syntax error.
  • Fixed bug GH-15565: --disable-ipv6 during compilation produces error EAI_SYSTEM not found.
  • Fixed bug GH-15587: CRC32 API build error on arm 32-bit.
  • Fixed bug GH-15330: Do not scan generator frames more than once.
  • Fixed uninitialized lineno in constant AST of internal enums.

• Curl

  • FIxed bug GH-15547: curl_multi_select overflow on timeout argument.

• DOM

  • Fixed bug GH-15551: Segmentation fault (access null pointer) in ext/dom/xml_common.h.

• Fileinfo

  • Fixed bug GH-15752: Incorrect error message for finfo_file with an empty filename argument.

• MySQLnd

  • Fixed bug GH-15432: Heap corruption when querying a vector.

• Opcache

  • Fixed bug GH-15661: Access null pointer in Zend/Optimizer/zend_inference.c.
  • Fixed bug GH-15658: Segmentation fault in Zend/zend_vm_execute.h.

• SOAP

  • Fixed bug #73182: PHP SOAPClient does not support stream context HTTP headers in array form.

• Standard

  • Fixed bug GH-15552: Signed integer overflow in ext/standard/scanf.c.

• Streams

  • Fixed bug GH-15628: php_stream_memory_get_buffer() not zero-terminated.

August 29, 2024

Community Fixes

PHP version 8.3.11 fixes

• Core

  • Fixed bug GH-15020: Memory leak in Zend/Optimizer/escape_analysis.c
  • Fixed bug GH-15023: Memory leak in Zend/zend_ini.c
  • Fixed bug GH-13330: Append -Wno-implicit-fallthrough flag

Community Fixes

PHP version 8.3.9 fixes

• Core
  • Fixed bug GH-14510: memleak due to missing pthread_attr_destroy()-call

PHP version 8.3.9, 8.2.21 fixes

• Core

  • Fixed bug GH-14315: Incompatible pointer type warnings
  • Fixed bug GH-12814: max_execution_time

ZendPHP Changes

• Added

  • Alpine 3.20 support
  • Ubuntu 24.04 support

• Removed

  • Alpine 3.16 support
  • Ubuntu 18.04 support

PHP version 7.2.34.19, 7.3.33.11, 7.4.33.6, 8.0.30.2 changes

• Functionality improvements for upgrading IBM i

Community CVE Fixes

PHP

ZendPHP Fixes

• PHP version 8.3.7, 8.2.19 fixes
  • intl extension build fix. Community change required c++17 to be able to build. ZendPHP patches such irrelevant requirement for older OS versions.

Community Fixes

• PHP version 8.3.7 fixes

  • Core

    • Fixed ze

ZendPHP Changes

• PHP version 8.3.6, 8.2.18, 8.1.28, 8.0.30.1, 7.4.33.5, 7.3.33.10, 7.2.34.18

  • IBM i PHP error log is stored as /www/zendphp/logs/php_errors.log by default for new installations

  • Windows build:

    • OpenSSL v3.2.1
    • Fixed PostrgreSQL drivers

Community fixes for 8.2.17

• Core:

  • Fix ZTS persistent resource crashes on shutdown.

• Curl:

  • Fix failing tests due to string changes in libcurl 8.6.0.

• DOM:

  • Fix reference access in dimensions for DOMNodeList and DOMNodeMap.

• Fileinfo:

  • Fixed bug GH

ZendPHP changes on Windows for 8.1.27.2, 8.2.16 and 8.3.3

• Windows opcache jit fix
• Windows mbstring with oniguruma, enabling mbstring regex

Community fixes for 8.2.16

• Core:

  • Fixed timer leak in zend-max-execution-timers builds.
  • Fixed bug GH-12349

Community fixes for 8.2.15

• Core

  • Fixed bug GH-12953: false positive SSA integrity verification failed when loading composer classmaps with more than 11k elements.
  • Fixed bug GH-12966: missing cross-compiling 3rd argument so Autoconf doesn't emit warnings