PHP Security und Bugfix Release 8.0.1 – 7.4.14 und 7.3.26

Die Programmiersprache PHP, erhielt vor wenigen Tagen die Updates 8.0.1, 7.4.14 und 7.3.26. Die Updates schließen Sicherheitslücken und beheben Fehler.

PHP 8.0.1 Release Notes

• Core:
  • Fixed bug #80345 (PHPIZE configuration has outdated PHP_RELEASE_VERSION).
  • Fixed bug #72964 (White space not unfolded for CC/Bcc headers).
  • Fixed bug #80391 (Iterable not covariant to mixed).
  • Fixed bug #80393 (Build of PHP extension fails due to configuration gap with libtool).
  • Fixed bug #77069 (stream filter loses final block of data).
• Fileinfo:
  • Fixed bug #77961 (finfo_open crafted magic parsing SIGABRT).
• FPM:
  • Fixed bug #69625 (FPM returns 200 status on request without SCRIPT_FILENAME env).
• IMAP:
  • Fixed bug #80438 (imap_msgno() incorrectly warns and return false on valid UIDs in PHP 8).
  • Fix a regression with valid UIDs in imap_savebody().
  • Make warnings for invalid message numbers/UIDs between functions consistent.
• Intl:
  • Fixed bug #80425 (MessageFormatAdapter::getArgTypeList redefined).
• Opcache:
  • Fixed bug #80404 (Incorrect range inference result when division results in float).
  • Fixed bug #80377 (Opcache misses executor_globals).
  • Fixed bug #80433 (Unable to disable the use of the AVX command when using JIT).
  • Fixed bug #80447 (Strange out of memory error when running with JIT).
  • Fixed bug #80480 (Segmentation fault with JIT enabled).
  • Fixed bug #80506 (Immediate SIGSEGV upon ini_set(“opcache.jit_debug”, 1)).
• OpenSSL:
  • Fixed bug #80368 (OpenSSL extension fails to build against LibreSSL due to lack of OCB support).
• PDO MySQL:
  • Fixed bug #80458 (PDOStatement::fetchAll() throws for upsert queries).
  • Fixed bug #63185 (nextRowset() ignores MySQL errors with native prepared statements).
  • Fixed bug #78152 (PDO::exec() – Bad error handling with multiple commands).
  • Fixed bug #66878 (Multiple rowsets not returned unless PDO statement object is unset()).
  • Fixed bug #70066 (Unexpected “Cannot execute queries while other unbuffered queries”).
  • Fixed bug #71145 (Multiple statements in init command triggers unbuffered query error).
  • Fixed bug #76815 (PDOStatement cannot be GCed/closeCursor-ed when a PROCEDURE resultset SIGNAL).
  • Fixed bug #79872 (Can’t execute query with pending result sets).
  • Fixed bug #79131 (PDO does not throw an exception when parameter values are missing).
  • Fixed bug #72368 (PdoStatement->execute() fails but does not throw an exception).
  • Fixed bug #62889 (LOAD DATA INFILE broken).
  • Fixed bug #67004 (Executing PDOStatement::fetch() more than once prevents releasing resultset).
  • Fixed bug #79132 (PDO re-uses parameter values from earlier calls to execute()).
• Phar:
  • Fixed bug #73809 (Phar Zip parse crash – mmap fail).
  • Fixed bug #75102 (`PharData` says invalid checksum for valid tar).
  • Fixed bug #77322 (PharData::addEmptyDir(‘/’) Possible integer overflow).
• Phpdbg:
  • Fixed bug #76813 (Access violation near NULL on source operand).
• SPL:
  • Fixed bug #62004 (SplFileObject: fgets after seek returns wrong line).
• Standard:
  • Fixed bug #80366 (Return Value of zend_fstat() not Checked).
  • Fixed bug #77423 (FILTER_VALIDATE_URL accepts URLs with invalid userinfo). (CVE-2020-7071)
• Tidy:
  • Fixed bug #77594 (ob_tidyhandler is never reset).
• Tokenizer:
  • Fixed bug #80462 (Nullsafe operator tokenize with TOKEN_PARSE flag fails).
• XML:
  • XmlParser opaque object renamed to XMLParser for consistency with other XML objects.
• Zlib:
  • Fixed bug #48725 (Support for flushing in zlib stream).

Quelle: PHP: PHP 8 ChangeLog

PHP 7.4.14 Release Notes

• Core:
  • Fixed bug #74558 (Can’t rebind closure returned by Closure::fromCallable()).
  • Fixed bug #80345 (PHPIZE configuration has outdated PHP_RELEASE_VERSION).
  • Fixed bug #72964 (White space not unfolded for CC/Bcc headers).
  • Fixed bug #80362 (Running dtrace scripts can cause php to crash).
  • Fixed bug #80393 (Build of PHP extension fails due to configuration gap with libtool).
  • Fixed bug #80402 (configure filtering out -lpthread).
  • Fixed bug #77069 (stream filter loses final block of data).
• Fileinfo:
  • Fixed bug #77961 (finfo_open crafted magic parsing SIGABRT).
• FPM:
  • Fixed bug #69625 (FPM returns 200 status on request without SCRIPT_FILENAME env).
• Intl:
  • Fixed bug #80425 (MessageFormatAdapter::getArgTypeList redefined).
• OpenSSL:
  • Fixed bug #80368 (OpenSSL extension fails to build against LibreSSL due to lack of OCB support).
• Phar:
  • Fixed bug #73809 (Phar Zip parse crash – mmap fail).
  • Fixed bug #75102 (`PharData` says invalid checksum for valid tar).
  • Fixed bug #77322 (PharData::addEmptyDir(‘/’) Possible integer overflow).
• PDO MySQL:
  • Fixed bug #80458 (PDOStatement::fetchAll() throws for upsert queries).
  • Fixed bug #63185 (nextRowset() ignores MySQL errors with native prepared statements).
  • Fixed bug #78152 (PDO::exec() – Bad error handling with multiple commands).
  • Fixed bug #70066 (Unexpected “Cannot execute queries while other unbuffered queries”).
  • Fixed bug #71145 (Multiple statements in init command triggers unbuffered query error).
  • Fixed bug #76815 (PDOStatement cannot be GCed/closeCursor-ed when a PROCEDURE resultset SIGNAL).
• Standard:
  • Fixed bug #77423 (FILTER_VALIDATE_URL accepts URLs with invalid userinfo). (CVE-2020-7071)
  • Fixed bug #80366 (Return Value of zend_fstat() not Checked).
  • Fixed bug #80411 (References to null-serialized object break serialize()).
• Tidy:
  • Fixed bug #77594 (ob_tidyhandler is never reset).
• Zlib:
  • Fixed #48725 (Support for flushing in zlib stream).

Quelle: PHP: PHP 7 ChangeLog

PHP 7.3.26 Release Notes

Standard:

• Fixed bug #77423 (FILTER_VALIDATE_URL accepts URLs with invalid userinfo). (CVE-2020-7071)
• Fixed bug #80457 (stream_get_contents() fails with maxlength=-1 or default).

Quelle: PHP: PHP 7 ChangeLog