PHP Security Release 8.0.8 – 7.4.21 und 7.3.29 veröffentlicht

Das PHP Team hat Security Releases für PHP in den Versionen 8.0.8, 7.4.21 und 7.3.29 veröffentlicht.

PHP 8.0.8 Release Notes

• Core:
  • Fixed bug #81076 (incorrect debug info on Closures with implicit binds).
  • Fixed bug #81068 (Double free in realpath_cache_clean()).
  • Fixed bug #76359 (open_basedir bypass through adding “..”).
  • Fixed bug #81090 (Typed property performance degradation with .= operator).
  • Fixed bug #81070 (Integer underflow in memory limit comparison).
  • Fixed bug #81122 (SSRF bypass in FILTER_VALIDATE_URL). (CVE-2021-21705)
• Bzip2:
  • Fixed bug #81092 (fflush before stream_filter_remove corrupts stream).
• Fileinfo:
  • Fixed bug #80197 (implicit declaration of function ‘magic_stream’ is invalid).
• GMP:
  • Fixed bug #81119 (GMP operators throw errors with wrong parameter names).
• OCI8:
  • Fixed bug #81088 (error in regression test for oci_fetch_object() and oci_fetch_array()).
• Opcache:
  • Fixed bug #81051 (Broken property type handling after incrementing reference).
  • Fixed bug #80968 (JIT segfault with return from required file).
• OpenSSL:
  • Fixed bug #76694 (native Windows cert verification uses CN as sever name).
• MySQLnd:
  • Fixed bug #80761 (PDO uses too much memory).
• PDO_Firebird:
  • Fixed bug #76448 (Stack buffer overflow in firebird_info_cb). (CVE-2021-21704)
  • Fixed bug #76449 (SIGSEGV in firebird_handle_doer). (CVE-2021-21704)
  • Fixed bug #76450 (SIGSEGV in firebird_stmt_execute). (CVE-2021-21704)
  • Fixed bug #76452 (Crash while parsing blob data in firebird_fetch_blob). (CVE-2021-21704)
• readline:
  • Fixed bug #72998 (invalid read in readline completion).
• Standard:
  • Fixed bug #81048 (phpinfo(INFO_VARIABLES) “Array to string conversion”).
  • Fixed bug #77627 (method_exists on Closure::__invoke inconsistency).
• Windows:
  • Fixed bug #81120 (PGO data for main PHP DLL are not used).

PHP 7.4.21 Release Notes

• Core:
  • Fixed bug #81068 (Double free in realpath_cache_clean()).
  • Fixed bug #76359 (open_basedir bypass through adding “..”).
  • Fixed bug #81090 (Typed property performance degradation with .= operator).
  • Fixed bug #81070 (Integer underflow in memory limit comparison).
  • Fixed bug #81122 (SSRF bypass in FILTER_VALIDATE_URL). (CVE-2021-21705)
• Bzip2:
  • Fixed bug #81092 (fflush before stream_filter_remove corrupts stream).
• OpenSSL:
  • Fixed bug #76694 (native Windows cert verification uses CN as sever name).
• PDO_Firebird:
  • Fixed bug #76448 (Stack buffer overflow in firebird_info_cb). (CVE-2021-21704)
  • Fixed bug #76449 (SIGSEGV in firebird_handle_doer). (CVE-2021-21704)
  • Fixed bug #76450 (SIGSEGV in firebird_stmt_execute). (CVE-2021-21704)
  • Fixed bug #76452 (Crash while parsing blob data in firebird_fetch_blob). (CVE-2021-21704)
• Standard:
  • Fixed bug #81048 (phpinfo(INFO_VARIABLES) “Array to string conversion”).

PHP 7.3.29 Release Notes

• Core:
  • Fixed bug #81122: SSRF bypass in FILTER_VALIDATE_URL. (CVE-2021-21705)
• PDO_Firebird:
  • Fixed bug #76448: Stack buffer overflow in firebird_info_cb. (CVE-2021-21704)
  • Fixed bug #76449: SIGSEGV in firebird_handle_doer. (CVE-2021-21704)
  • Fixed bug #76450: SIGSEGV in firebird_stmt_execute. (CVE-2021-21704)
  • Fixed bug #76452: Crash while parsing blob data in firebird_fetch_blob. (CVE-2021-21704)

Quelle: PHP: Hypertext Preprocessor