ZendPHP Release Notes

ZendPHP Changes

PHP version 8.4.1

Community dropped some extensions from the PHP main sources, extensions are now built from PECL sources, therefore the packaging changes on Linux and IBM i:

• oci8
  • have different packaging names for RPM based releases

Community Fixes

PHP version 8.3.13 fixes

• Calendar

  • Fixed GH-16240: jdtounix overflow on argument value.
  • Fixed GH-16241: easter_days/easter_date overflow on year argument.
  • Fixed GH-16263: jddayofweek overflow.
  • Fixed GH-16234: jewishtojd overflow.

• CLI

ZendPHP Changes

• Support ended for IBM i = V7R2
  • PHP is now built with OpenSSL v3. OpenSSL 3 is available from IBM i v7r3 OpenSource base rpm repositories.
  • NOTE FOR USERS ON IBM i : due to packaging issues by IBM, postgresql12-libpq package upgrade may not complete properly (missing symbolic links for libraries) and causes PHP postgreql extensions to not load. Fix: yum reinstall postgresql12-libpq

Community CVE Fixes

PHP version 8.3.12, 8.2.24, 8.1.30 CVE fixes

• CGI

  • Fixed bug GHSA-p99j-rfp4-xqvq: Bypass of CVE-2024-4577, Parameter Injection Vulnerability. (CVE-2024-8926)
  • Fixed bug GHSA-94p6-54jq-9mwp: cgi.force_redirect configuration is bypassable due to the environment variable collision. (CVE-2024-8927)

• FPM

  • Fixed bug GHSA-865w-9rf3-2wh5: Logs from childrens may be altered. (CVE-2024-9026)

• SAPI

  • Fixed bug GHSA-9pqp-7h25-4f32: Erroneous parsing of multipart form data. (CVE-2024-8925)

Backported PHP CVE Fixes

PHP version 7.2.34.20, 7.3.33.12, 7.4.33.7, 8.0.30.3 CVE fixes

• CGI

  • Fixed bug GHSA-p99j-rfp4-xqvq: Bypass of CVE-2024-4577, Parameter Injection Vulnerability. (CVE-2024-8926)
  • Fixed bug GHSA-94p6-54jq-9mwp: cgi.force_redirect configuration is bypassable due to the environment variable collision. (CVE-2024-8927)

• SAPI

  • Fixed bug GHSA-9pqp-7h25-4f32: Erroneous parsing of multipart form data. (CVE-2024-8925)

PHP version 7.4.33.7, 8.0.30.3 CVE fixes

• FPM
  • Fixed bug GHSA-865w-9rf3-2wh5: Logs from childrens may be altered. (CVE-2024-9026)

Community Fixes

PHP version 8.3.12 fixes

• Core

  • Fixed bug GH-15408: MSan false-positve on zend_max_execution_timer.
  • Fixed bug GH-15515: Configure error grep illegal option q.
  • Fixed bug GH-15514: Configure error: genif.sh: syntax error.
  • Fixed bug GH-15565: --disable-ipv6 during compilation produces error EAI_SYSTEM not found.
  • Fixed bug GH-15587: CRC32 API build error on arm 32-bit.
  • Fixed bug GH-15330: Do not scan generator frames more than once.
  • Fixed uninitialized lineno in constant AST of internal enums.

• Curl

  • FIxed bug GH-15547: curl_multi_select overflow on timeout argument.

• DOM

  • Fixed bug GH-15551: Segmentation fault (access null pointer) in ext/dom/xml_common.h.
  • Fixed bug GH-15654: Signed integer overflow in ext/dom/nodelist.c.

• Fileinfo

  • Fixed bug GH-15752: Incorrect error message for finfo_file with an empty filename argument.

• MySQLnd

  • Fixed bug GH-15432: Heap corruption when querying a vector.

• Opcache

  • Fixed bug GH-15661: Access null pointer in Zend/Optimizer/zend_inference.c.
  • Fixed bug GH-15658: Segmentation fault in Zend/zend_vm_execute.h.

• Standard

  • Fixed bug GH-15552: Signed integer overflow in ext/standard/scanf.c.

• Streams

  • Fixed bug GH-15628: php_stream_memory_get_buffer() not zero-terminated.

PHP version 8.2.24 fixes

• Core

  • Fixed bug GH-15408: MSan false-positve on zend_max_execution_timer.
  • Fixed bug GH-15515: Configure error grep illegal option q.
  • Fixed bug GH-15514: Configure error: genif.sh: syntax error.
  • Fixed bug GH-15565: --disable-ipv6 during compilation produces error EAI_SYSTEM not found.
  • Fixed bug GH-15587: CRC32 API build error on arm 32-bit.
  • Fixed bug GH-15330: Do not scan generator frames more than once.
  • Fixed uninitialized lineno in constant AST of internal enums.

• Curl

  • FIxed bug GH-15547: curl_multi_select overflow on timeout argument.

• DOM

  • Fixed bug GH-15551: Segmentation fault (access null pointer) in ext/dom/xml_common.h.

• Fileinfo

  • Fixed bug GH-15752: Incorrect error message for finfo_file with an empty filename argument.

• MySQLnd

  • Fixed bug GH-15432: Heap corruption when querying a vector.

• Opcache

  • Fixed bug GH-15661: Access null pointer in Zend/Optimizer/zend_inference.c.
  • Fixed bug GH-15658: Segmentation fault in Zend/zend_vm_execute.h.

• SOAP

  • Fixed bug #73182: PHP SOAPClient does not support stream context HTTP headers in array form.

• Standard

  • Fixed bug GH-15552: Signed integer overflow in ext/standard/scanf.c.

• Streams

  • Fixed bug GH-15628: php_stream_memory_get_buffer() not zero-terminated.

August 29, 2024

Community Fixes

PHP version 8.3.11 fixes

• Core

  • Fixed bug GH-15020: Memory leak in Zend/Optimizer/escape_analysis.c
  • Fixed bug GH-15023: Memory leak in Zend/zend_ini.c
  • Fixed bug GH-13330: Append -Wno-implicit-fallthrough flag

Community Fixes

PHP version 8.3.9 fixes

• Core
  • Fixed bug GH-14510: memleak due to missing pthread_attr_destroy()-call

PHP version 8.3.9, 8.2.21 fixes

• Core

  • Fixed bug GH-14315: Incompatible pointer type warnings
  • Fixed bug GH-12814: max_execution_time

ZendPHP Changes

• Added

  • Alpine 3.20 support
  • Ubuntu 24.04 support

• Removed

  • Alpine 3.16 support
  • Ubuntu 18.04 support

PHP version 7.2.34.19, 7.3.33.11, 7.4.33.6, 8.0.30.2 changes

• Functionality improvements for upgrading IBM i

Community CVE Fixes

PHP

ZendPHP Fixes

• PHP version 8.3.7, 8.2.19 fixes
  • intl extension build fix. Community change required c++17 to be able to build. ZendPHP patches such irrelevant requirement for older OS versions.

Community Fixes

• PHP version 8.3.7 fixes

  • Core

    • Fixed ze

ZendPHP Changes

• PHP version 8.3.6, 8.2.18, 8.1.28, 8.0.30.1, 7.4.33.5, 7.3.33.10, 7.2.34.18

  • IBM i PHP error log is stored as /www/zendphp/logs/php_errors.log by default for new installations

  • Windows build:

    • OpenSSL v3.2.1
    • Fixed PostrgreSQL drivers

Community fixes for 8.2.17

• Core:

  • Fix ZTS persistent resource crashes on shutdown.

• Curl:

  • Fix failing tests due to string changes in libcurl 8.6.0.

• DOM:

  • Fix reference access in dimensions for DOMNodeList and DOMNodeMap.

• Fileinfo:

  • Fixed bug GH

ZendPHP changes on Windows for 8.1.27.2, 8.2.16 and 8.3.3

• Windows opcache jit fix
• Windows mbstring with oniguruma, enabling mbstring regex

Community fixes for 8.2.16

• Core:

  • Fixed timer leak in zend-max-execution-timers builds.
  • Fixed bug GH-12349