PHP Security Release 8.3.6 und 8.2.18 und 8.1.28 veröffentlicht

Die Entwickler von PHP haben vor wenigen Tagen die Versionen 8.3.6, 8.2.18 und 8.1.28 veröffentlicht. Die Updates sind Security Releases und sollten umgehend installiert werden. Neben Fehlerkorrekturen, wurden 3 Sicherheitslücken die unter folgenden CVEs notiert sind, geschlossen:

• CVE-2024-1874
• CVE-2022-31629 und CVE-2024-2756
• CVE-2024-3096

PHP 8.3.6 Release Notes

• Core:
  • Fixed GH-13569 (GC buffer unnecessarily grows up to GC_MAX_BUF_SIZE when scanning WeakMaps).
  • Fixed bug GH-13612 (Corrupted memory in destructor with weak references).
  • Fixed bug GH-13446 (Restore exception handler after it finishes).
  • Fixed bug GH-13784 (AX_GCC_FUNC_ATTRIBUTE failure).
  • Fixed bug GH-13670 (GC does not scale well with a lot of objects created in destructor).
• DOM:
  • Add some missing ZPP checks.
  • Fix potential memory leak in XPath evaluation results.
• FPM:
  • Fixed GH-11086 (FPM: config test runs twice in daemonised mode).
  • Fix incorrect check in fpm_shm_free().
• GD:
  • Fixed bug GH-12019 (add GDLIB_CFLAGS in feature tests).
• Gettext:
  • Fixed sigabrt raised with dcgettext/dcngettext calls with gettext 0.22.5 with category set to LC_ALL.
• MySQLnd:
  • Fix GH-13452 (Fixed handshake response [mysqlnd]).
  • Fix incorrect charset length in check_mb_eucjpms().
• Opcache:
  • Fixed GH-13508 (JITed QM_ASSIGN may be optimized out when op1 is null).
  • Fixed GH-13712 (Segmentation fault for enabled observers when calling trait method of internal trait when opcache is loaded).
• Random:
  • Fixed bug GH-13544 (Pre-PHP 8.2 compatibility for mt_srand with unknown modes).
  • Fixed bug GH-13690 (Global Mt19937 is not properly reset in-between requests when MT_RAND_PHP is used).
• Session:
  • Fixed bug GH-13680 (Segfault with session_decode and compilation error).
• SPL:
  • Fixed bug GH-13685 (Unexpected null pointer in zend_string.h).
• Standard:
  • Fixed bug GH-11808 (Live filesystem modified by tests).
  • Fixed GH-13402 (Added validation of `\n` in $additional_headers of mail()).
  • Fixed bug GH-13203 (file_put_contents fail on strings over 4GB on Windows).
  • Fixed bug GHSA-pc52-254m-w9w7 (Command injection via array-ish $command parameter of proc_open). (CVE-2024-1874)
  • Fixed bug GHSA-wpj3-hf5j-x4v4 (__Host-/__Secure- cookie bypass due to partial CVE-2022-31629 fix). (CVE-2024-2756)
  • Fixed bug GHSA-h746-cjrr-wfmr (password_verify can erroneously return true, opening ATO risk). (CVE-2024-3096)
  • Fixed bug GHSA-fjp9-9hwx-59fq (mb_encode_mimeheader runs endlessly for some inputs). (CVE-2024-2757)
  • Fix bug GH-13932 (Attempt to fix mbstring on windows build) (msvc).

PHP 8.2.18 Release Notes

• Core:
  • Fixed bug GH-13612 (Corrupted memory in destructor with weak references).
  • Fixed bug GH-13784 (AX_GCC_FUNC_ATTRIBUTE failure).
  • Fixed bug GH-13670 (GC does not scale well with a lot of objects created in destructor).
• DOM:
  • Add some missing ZPP checks.
  • Fix potential memory leak in XPath evaluation results.
  • Fix phpdoc for DOMDocument load methods.
• FPM:
  • Fix incorrect check in fpm_shm_free().
• GD:
  • Fixed bug GH-12019 (add GDLIB_CFLAGS in feature tests).
• Gettext:
  • Fixed sigabrt raised with dcgettext/dcngettext calls with gettext 0.22.5 with category set to LC_ALL.
• MySQLnd:
  • Fix GH-13452 (Fixed handshake response [mysqlnd]).
  • Fix incorrect charset length in check_mb_eucjpms().
• Opcache:
  • Fixed GH-13508 (JITed QM_ASSIGN may be optimized out when op1 is null).
  • Fixed GH-13712 (Segmentation fault for enabled observers when calling trait method of internal trait when opcache is loaded).
• PDO:
  • Fix various PDORow bugs.
• Random:
  • Fixed bug GH-13544 (Pre-PHP 8.2 compatibility for mt_srand with unknown modes).
  • Fixed bug GH-13690 (Global Mt19937 is not properly reset in-between requests when MT_RAND_PHP is used).
• Session:
  • Fixed bug GH-13680 (Segfault with session_decode and compilation error).
• Sockets:
  • Fixed bug GH-13604 (socket_getsockname returns random characters in the end of the socket name).
• SPL:
  • Fixed bug GH-13531 (Unable to resize SplfixedArray after being unserialized in PHP 8.2.15).
  • Fixed bug GH-13685 (Unexpected null pointer in zend_string.h).
• Standard:
  • Fixed bug GH-11808 (Live filesystem modified by tests).
  • Fixed GH-13402 (Added validation of `\n` in $additional_headers of mail()).
  • Fixed bug GH-13203 (file_put_contents fail on strings over 4GB on Windows).
  • Fixed bug GHSA-pc52-254m-w9w7 (Command injection via array-ish $command parameter of proc_open). (CVE-2024-1874)
  • Fixed bug GHSA-wpj3-hf5j-x4v4 (__Host-/__Secure- cookie bypass due to partial CVE-2022-31629 fix). (CVE-2024-2756)
  • Fixed bug GHSA-h746-cjrr-wfmr (password_verify can erroneously return true, opening ATO risk). (CVE-2024-3096)
• XML:
  • Fixed bug GH-13517 (Multiple test failures when building with –with-expat).

PHP 8.1.28 Release Notes

Standard:

• Fixed bug GHSA-pc52-254m-w9w7 (Command injection via array-ish $command parameter of proc_open). (CVE-2024-1874)
• Fixed bug GHSA-wpj3-hf5j-x4v4 (__Host-/__Secure- cookie bypass due to partial CVE-2022-31629 fix). (CVE-2024-2756)
• Fixed bug GHSA-h746-cjrr-wfmr (password_verify can erroneously return true, opening ATO risk). (CVE-2024-3096)