PHP 7.4.3 – 7.3.16 und 7.2.29 Security und Bugfix Release

Die freie Skript- / Programmiersprache, PHP, erhielt für die Zweige 7.4, 7.3 und 7.2 Security und Bugfix Updates.

PHP 7.4.3 Release Notes

• Core:
  • Fixed bug #79146 (cscript can fail to run on some systems).
  • Fixed bug #79155 (Property nullability lost when using multiple property definition).
  • Fixed bug #78323 (Code 0 is returned on invalid options).
  • Fixed bug #78989 (Delayed variance check involving trait segfaults).
  • Fixed bug #79174 (cookie values with spaces fail to round-trip).
  • Fixed bug #76047 (Use-after-free when accessing already destructed backtrace arguments).
• COM:
  • Fixed bug #79247 (Garbage collecting variant objects segfaults).
• CURL:
  • Fixed bug #79078 (Hypothetical use-after-free in curl_multi_add_handle()).
• FFI:
  • Fixed bug #79096 (FFI Struct Segfault).
• IMAP:
  • Fixed bug #79112 (IMAP extension can’t find OpenSSL libraries at configure time).
• Intl:
  • Fixed bug #79212 (NumberFormatter::format() may detect wrong type).
• Libxml:
  • Fixed bug #79191 (Error in SoapClient ctor disables DOMDocument::save()).
• MBString:
  • Fixed bug #79149 (SEGV in mb_convert_encoding with non-string encodings).
• MySQLi:
  • Fixed bug #78666 (Properties may emit a warning on var_dump()).
• MySQLnd:
  • Fixed bug #79084 (mysqlnd may fetch wrong column indexes with MYSQLI_BOTH).
  • Fixed bug #79011 (MySQL caching_sha2_password Access denied for password with more than 20 chars).
• Opcache:
  • Fixed bug #79114 (Eval class during preload causes class to be only half available).
  • Fixed bug #79128 (Preloading segfaults if preload_user is used).
  • Fixed bug #79193 (Incorrect type inference for self::$field =& $field).
• OpenSSL:
  • Fixed bug #79145 (openssl memory leak).
• Phar:
  • Fixed bug #79082 (Files added to tar with Phar::buildFromIterator have all-access permissions). (CVE-2020-7063)
  • Fixed bug #79171 (heap-buffer-overflow in phar_extract_file). (CVE-2020-7061)
  • Fixed bug #76584 (PharFileInfo::decompress not working).
• Reflection:
  • Fixed bug #79115 (ReflectionClass::isCloneable call reflected class __destruct).
• Session:
  • Fixed bug #79221 (Null Pointer Dereference in PHP Session Upload Progress). (CVE-2020-7062)
• Standard:
  • Fixed bug #78902 (Memory leak when using stream_filter_append).
  • Fixed bug #78969 (PASSWORD_DEFAULT should match PASSWORD_BCRYPT instead of being null).
• Testing:
  • Fixed bug #78090 (bug45161.phpt takes forever to finish).
• XSL:
  • Fixed bug #70078 (XSL callbacks with nodes as parameter leak memory).
• Zip:
  • Add ZipArchive::CM_LZMA2 and ZipArchive::CM_XZ constants (since libzip 1.6.0).
  • Add ZipArchive::RDONLY (since libzip 1.0.0).
  • Add ZipArchive::ER_* missing constants.
  • Add ZipArchive::LIBZIP_VERSION constant.
  • Fixed bug #73119 (Wrong return for ZipArchive::addEmptyDir Method).

PHP 7.3.16 Release Notes

• Core:
  • Fixed bug #63206 (restore_error_handler does not restore previous errors mask).
• COM:
  • Fixed bug #66322 (COMPersistHelper::SaveToFile can save to wrong location).
  • Fixed bug #79242 (COM error constants don’t match com_exception codes on x86).
  • Fixed bug #79248 (Traversing empty VT_ARRAY throws com_exception).
  • Fixed bug #79299 (com_print_typeinfo prints duplicate variables).
  • Fixed bug #79332 (php_istreams are never freed).
  • Fixed bug #79333 (com_print_typeinfo() leaks memory).
• DOM:
  • Fixed bug #77569: (Write Access Violation in DomImplementation).
  • Fixed bug #79271 (DOMDocumentType::$childNodes is NULL).
• Enchant:
  • Fixed bug #79311 (enchant_dict_suggest() fails on big endian architecture).
• EXIF:
  • Fixed bug #79282 (Use-of-uninitialized-value in exif). (CVE-2020-7064)
• MBstring:
  • Fixed bug #79371 (mb_strtolower (UTF-32LE): stack-buffer-overflow at php_unicode_tolower_full). (CVE-2020-7065)
• MySQLi:
  • Fixed bug #64032 (mysqli reports different client_version).
• PCRE:
  • Fixed bug #79188 (Memory corruption in preg_replace/preg_replace_callback and unicode).
• PDO_ODBC:
  • Fixed bug #79038 (PDOStatement::nextRowset() leaks column values).
• Reflection:
  • Fixed bug #79062 (Property with heredoc default value returns false for getDocComment).
• SQLite3:
  • Fixed bug #79294 (::columnType() may fail after SQLite3Stmt::reset()).
• Standard:
  • Fixed bug #79329 (get_headers() silently truncates after a null byte). (CVE-2020-7066)
  • Fixed bug #79254 (getenv() w/o arguments not showing changes).
  • Fixed bug #79265 (Improper injection of Host header when using fopen for http requests).

PHP 7.2.29 Release Notes

• Core:
  • Fixed bug #79329 (get_headers() silently truncates after a null byte) (CVE-2020-7066) (cmb)
• EXIF:
  • Fixed bug #79282 (Use-of-uninitialized-value in exif) (CVE-2020-7064) (Nikita)

Quelle: https://www.php.net/ChangeLog-7.php