55- CGI:
66 . Fixed buffer limit on Windows, replacing read call usage by _read.
77 (David Carlier)
8+ . Fixed bug GHSA-3qgc-jrrr-25jv (Bypass of CVE-2012-1823, Argument Injection
9+ in PHP-CGI). (CVE-2024-4577) (nielsdos)
810
911- CLI:
1012 . Fixed bug GH-14189 (PHP Interactive shell input state incorrectly handles
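Review bot: the CGI entry for CVE-2024-4577 (line 8-9 of the new file) says only "Bypass of CVE-2012-1823, Argument Injection in PHP-CGI" and gives no indication of which deployments are affected or what the fix changes, so an operator scanning NEWS cannot tell whether they need to act; the other entries in this hunk (e.g. the "_read" buffer-limit fix) at least state what changed. Suggest adding a short parenthetical on the affected configuration or a pointer to the GHSA-3qgc-jrrr-25jv advisory text so the CVE line is actionable on its own.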
@@ -23,6 +25,10 @@ PHP NEWS
2325 . Fix crash in ParentNode::append() when dealing with a fragment
2426 containing text nodes. (nielsdos)
2527
28+ - Filter:
29+ . Fixed bug GHSA-w8qr-v226-r27w (Filter bypass in filter_var FILTER_VALIDATE_URL).
30+ (CVE-2024-5458) (nielsdos)
31+
2632- FPM:
2733 . Fix bug GH-14175 (Show decimal number instead of scientific notation in
2834 systemd status). (Benjamin Cremer)
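Review bot: new line 29 (". Fixed bug GHSA-w8qr-v226-r27w (Filter bypass in filter_var FILTER_VALIDATE_URL).") runs past the 80-column wrap every neighbouring entry observes (compare the FPM entry, which breaks after "notation in"). Suggest wrapping after "filter_var" so the credit line "(CVE-2024-5458) (nielsdos)" follows the same layout as the CGI entry above.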
@@ -43,6 +49,20 @@ PHP NEWS
4349 . Fixed bug GH-14109 (Fix accidental persisting of internal class constant in
4450 shm). (ilutov)
4551
52+ - OpenSSL:
53+ . The openssl_private_decrypt function in PHP, when using PKCS1 padding
54+ (OPENSSL_PKCS1_PADDING, which is the default), is vulnerable to the Marvin Attack
55+ unless it is used with an OpenSSL version that includes the changes from this pull
56+ request: https://github.com/openssl/openssl/pull/13817 (rsa_pkcs1_implicit_rejection).
57+ These changes are part of OpenSSL 3.2 and have also been backported to stable
58+ versions of various Linux distributions, as well as to the PHP builds provided for
59+ Windows since the previous release. All distributors and builders should ensure that
60+ this version is used to prevent PHP from being vulnerable. (CVE-2024-2408)
61+
62+ - Standard:
63+ . Fixed bug GHSA-9fcc-425m-g385 (Bypass of CVE-2024-1874).
64+ (CVE-2024-5585) (nielsdos)
65+
4666- XML:
4767 . Fixed bug GH-14124 (Segmentation fault with XML extension under certain
4868 memory limit). (nielsdos)
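Review bot: the OpenSSL entry (new lines 53-60) tells distributors to "ensure that this version is used" but the only version it names is OpenSSL 3.2; for the backported distribution builds and the Windows builds it mentions, there is nothing a reader can check against, and "since the previous release" does not say which release. Suggest stating the check explicitly, e.g. that the linked OpenSSL change (rsa_pkcs1_implicit_rejection) must be present in whatever OpenSSL the build links against, and naming the PHP release from which the Windows builds carry it. Separately, the Standard entry (new lines 63-64) reads only "Bypass of CVE-2024-1874" with no description of the affected function, unlike the other "Fixed bug" entries in this hunk; a few words on what is fixed would help.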