PHP Security Release 7.4.9 -7.3.21 und 7.2.33

Vor wenigen Tagen wurden die PHP Releases 7.4.9, 7.3.21 und 7.2.33 veröffentlicht. Dies ist ein Security Release das umgehend installiert werden sollte.

PHP 7.4.9 Release Notes

• Apache:
  • Fixed bug #79030 (Upgrade apache2handler’s php_apache_sapi_get_request_time to return usec).
• COM:
  • Fixed bug #63208 (BSTR to PHP string conversion not binary safe).
  • Fixed bug #63527 (DCOM does not work with Username, Password parameter).
• Core:
  • Fixed bug #79740 (serialize() and unserialize() methods can not be called statically).
  • Fixed bug #79783 (Segfault in php_str_replace_common).
  • Fixed bug #79778 (Assertion failure if dumping closure with unresolved static variable).
  • Fixed bug #79779 (Assertion failure when assigning property of string offset by reference).
  • Fixed bug #79792 (HT iterators not removed if empty array is destroyed).
  • Fixed bug #78598 (Changing array during undef index RW error segfaults).
  • Fixed bug #79784 (Use after free if changing array during undef var during array write fetch).
  • Fixed bug #79793 (Use after free if string used in undefined index warning is changed).
  • Fixed bug #79862 (Public non-static property in child should take priority over private static).
  • Fixed bug #79877 (getimagesize function silently truncates after a null byte) (cmb)
• Fileinfo:
  • Fixed bug #79756 (finfo_file crash (FILEINFO_MIME)).
• FTP:
  • Fixed bug #55857 (ftp_size on large files).
• Mbstring:
  • Fixed bug #79787 (mb_strimwidth does not trim string).
• Phar:
  • Fixed bug #79797 (Use of freed hash key in the phar_parse_zipfile function). (CVE-2020-7068)
• Reflection:
  • Fixed bug #79487 (::getStaticProperties() ignores property modifications).
  • Fixed bug #69804 (::getStaticPropertyValue() throws on protected props).
  • Fixed bug #79820 (Use after free when type duplicated into ReflectionProperty gets resolved).
• Standard:
  • Fixed bug #70362 (Can’t copy() large ‘data://’ with open_basedir).
  • Fixed bug #78008 (dns_check_record() always return true on Alpine).
  • Fixed bug #79839 (array_walk() does not respect property types).

PHP 7.3.21 Release Notes

• Apache:
  • Fixed bug #79030 (Upgrade apache2handler’s php_apache_sapi_get_request_time to return usec).
• Core:
  • Fixed bug #79877 (getimagesize function silently truncates after a null byte).
  • Fixed bug #79778 (Assertion failure if dumping closure with unresolved static variable).
  • Fixed bug #79792 (HT iterators not removed if empty array is destroyed).
• COM:
  • Fixed bug #63208 (BSTR to PHP string conversion not binary safe).
  • Fixed bug #63527 (DCOM does not work with Username, Password parameter).
• Curl:
  • Fixed bug #79741 (curl_setopt CURLOPT_POSTFIELDS asserts on object with declared properties).
• Fileinfo:
  • Fixed bug #79756 (finfo_file crash (FILEINFO_MIME)).
• FTP:
  • Fixed bug #55857 (ftp_size on large files).
• Mbstring:
  • Fixed bug #79787 (mb_strimwidth does not trim string).
• Phar:
  • Fixed bug #79797 (Use of freed hash key in the phar_parse_zipfile function). (CVE-2020-7068)
• Standard:
  • Fixed bug #70362 (Can’t copy() large ‘data://’ with open_basedir).
  • Fixed bug #79817 (str_replace() does not handle INDIRECT elements).
  • Fixed bug #78008 (dns_check_record() always return true on Alpine).

PHP 7.2.33 Release Notes

• Core:
  • Fixed bug #79877 (getimagesize function silently truncates after a null byte) (cmb)
• Phar:
  • Fixed bug #79797 (Use of freed hash key in the phar_parse_zipfile function). (CVE-2020-7068)