
PHP 7.4.3, 7.3.15 and 7.2.28 Security and Bugfix Release

The free scripting and programming language PHP received updates yesterday for the 7.4, 7.3 and 7.2 branches. These are security and bugfix releases.

PHP Security Release Notes

  • When using fgetss() function to read data with stripping tags, in PHP versions 7.2.x below 7.2.27, 7.3.x below 7.3.14 and 7.4.x below 7.4.2 it is possible to supply data that will cause this function to read past the allocated buffer. This may lead to information disclosure or crash. https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-7059
  • When using certain mbstring functions to convert multibyte encodings, in PHP versions 7.2.x below 7.2.27, 7.3.x below 7.3.14 and 7.4.x below 7.4.2 it is possible to supply data that will cause function mbfl_filt_conv_big5_wchar to read past the allocated buffer. This may lead to information disclosure or crash. https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-7060

PHP 7.4.3 Release Notes

  • Core:
    • Fixed bug #79146 (cscript can fail to run on some systems).
    • Fixed bug #79155 (Property nullability lost when using multiple property definition).
    • Fixed bug #78323 (Code 0 is returned on invalid options).
    • Fixed bug #78989 (Delayed variance check involving trait segfaults).
    • Fixed bug #79174 (cookie values with spaces fail to round-trip).
    • Fixed bug #76047 (Use-after-free when accessing already destructed backtrace arguments).
  • COM:
    • Fixed bug #79247 (Garbage collecting variant objects segfaults).
  • CURL:
    • Fixed bug #79078 (Hypothetical use-after-free in curl_multi_add_handle()).
  • FFI:
    • Fixed bug #79096 (FFI Struct Segfault).
  • IMAP:
    • Fixed bug #79112 (IMAP extension can’t find OpenSSL libraries at configure time).
  • Intl:
    • Fixed bug #79212 (NumberFormatter::format() may detect wrong type).
  • Libxml:
    • Fixed bug #79191 (Error in SoapClient ctor disables DOMDocument::save()).
  • MBString:
    • Fixed bug #79149 (SEGV in mb_convert_encoding with non-string encodings).
  • MySQLi:
    • Fixed bug #78666 (Properties may emit a warning on var_dump()).
  • MySQLnd:
    • Fixed bug #79084 (mysqlnd may fetch wrong column indexes with MYSQLI_BOTH).
    • Fixed bug #79011 (MySQL caching_sha2_password Access denied for password with more than 20 chars).
  • Opcache:
    • Fixed bug #79114 (Eval class during preload causes class to be only half available).
    • Fixed bug #79128 (Preloading segfaults if preload_user is used).
    • Fixed bug #79193 (Incorrect type inference for self::$field =& $field).
  • OpenSSL:
    • Fixed bug #79145 (openssl memory leak).
  • Phar:
    • Fixed bug #79082 (Files added to tar with Phar::buildFromIterator have all-access permissions). (CVE-2020-7063)
    • Fixed bug #79171 (heap-buffer-overflow in phar_extract_file). (CVE-2020-7061)
    • Fixed bug #76584 (PharFileInfo::decompress not working).
  • Reflection:
    • Fixed bug #79115 (ReflectionClass::isCloneable call reflected class __destruct).
  • Session:
    • Fixed bug #79221 (Null Pointer Dereference in PHP Session Upload Progress). (CVE-2020-7062)
  • Standard:
    • Fixed bug #78902 (Memory leak when using stream_filter_append).
    • Fixed bug #78969 (PASSWORD_DEFAULT should match PASSWORD_BCRYPT instead of being null).
  • Testing:
    • Fixed bug #78090 (bug45161.phpt takes forever to finish).
  • XSL:
    • Fixed bug #70078 (XSL callbacks with nodes as parameter leak memory).
  • Zip:
    • Add ZipArchive::CM_LZMA2 and ZipArchive::CM_XZ constants (since libzip 1.6.0).
    • Add ZipArchive::RDONLY (since libzip 1.0.0).
    • Add ZipArchive::ER_* missing constants.
    • Add ZipArchive::LIBZIP_VERSION constant.
    • Fixed bug #73119 (Wrong return for ZipArchive::addEmptyDir Method).

PHP 7.3.15 Release Notes

  • Core:
    • Fixed bug #71876 (Memory corruption htmlspecialchars(): charset `*' not supported).
    • Fixed bug #79146 (cscript can fail to run on some systems).
    • Fixed bug #78323 (Code 0 is returned on invalid options).
    • Fixed bug #76047 (Use-after-free when accessing already destructed backtrace arguments).
  • CURL:
    • Fixed bug #79078 (Hypothetical use-after-free in curl_multi_add_handle()).
  • Intl:
    • Fixed bug #79212 (NumberFormatter::format() may detect wrong type).
  • Libxml:
    • Fixed bug #79191 (Error in SoapClient ctor disables DOMDocument::save()).
  • MBString:
    • Fixed bug #79154 (mb_convert_encoding() can modify $from_encoding).
  • MySQLnd:
    • Fixed bug #79084 (mysqlnd may fetch wrong column indexes with MYSQLI_BOTH).
  • OpenSSL:
    • Fixed bug #79145 (openssl memory leak).
  • Phar:
    • Fixed bug #79082 (Files added to tar with Phar::buildFromIterator have all-access permissions). (CVE-2020-7063)
    • Fixed bug #79171 (heap-buffer-overflow in phar_extract_file). (CVE-2020-7061)
    • Fixed bug #76584 (PharFileInfo::decompress not working).
  • Reflection:
    • Fixed bug #79115 (ReflectionClass::isCloneable call reflected class __destruct).
  • Session:
    • Fixed bug #79221 (Null Pointer Dereference in PHP Session Upload Progress). (CVE-2020-7062)
  • SPL:
    • Fixed bug #79151 (heap use after free caused by spl_dllist_it_helper_move_forward).
  • Standard:
    • Fixed bug #78902 (Memory leak when using stream_filter_append).
  • Testing:
    • Fixed bug #78090 (bug45161.phpt takes forever to finish).
  • XSL:
    • Fixed bug #70078 (XSL callbacks with nodes as parameter leak memory).

PHP 7.2.28 Release Notes

  • DOM:
    • Fixed bug #77569: (Write Access Violation in DomImplementation).
  • Phar:
    • Fixed bug #79082 (Files added to tar with Phar::buildFromIterator have all-access permissions). (CVE-2020-7063)
  • Session:
    • Fixed bug #79221 (Null Pointer Dereference in PHP Session Upload Progress). (CVE-2020-7062)

Source: https://www.php.net/ChangeLog-7.php
