====================================================================
CERT-Renater Note d'Information No. 2019/VULN241
_____________________________________________________________________
DATE                 : 01/08/2019
HARDWARE PLATFORM(S) : /
OPERATING SYSTEM(S)  : Systems running PHP versions prior to 7.3.8, 7.2.21.
=====================================================================

https://www.php.net/archive/2019.php#2019-08-01-2
https://www.php.net/archive/2019.php#2019-08-01-1
https://www.php.net/ChangeLog-7.php#7.3.8
https://www.php.net/ChangeLog-7.php#7.2.21

_____________________________________________________________________
PHP 7.2.21 Released
01 Aug 2019

The PHP development team announces the immediate availability of PHP 7.2.21. This is a security release which also contains several minor bug fixes.

All PHP 7.2 users are encouraged to upgrade to this version.

For source downloads of PHP 7.2.21 please visit our downloads page, Windows source and binaries can be found on windows.php.net/download/. The list of changes is recorded in the ChangeLog.

_____________________________________________________________________
PHP 7.3.8 Release Announcement
01 Aug 2019

The PHP development team announces the immediate availability of PHP 7.3.8. This is a security release which also contains several bug fixes.

All PHP 7.3 users are encouraged to upgrade to this version.

For source downloads of PHP 7.3.8 please visit our downloads page, Windows source and binaries can be found on windows.php.net/download/. The list of changes is recorded in the ChangeLog.

______________________________________________________________________
Version 7.3.8
01 Aug 2019

Core:
  - Added syslog.filter=raw option.
  - Fixed bug #78212 (Segfault in built-in webserver).

Date:
  - Fixed bug #69044 (discrepancy between time and microtime).
  - Updated timelib to 2018.02.

EXIF:
  - Fixed bug #78256 (heap-buffer-overflow on exif_process_user_comment). (CVE-2019-11042)
  - Fixed bug #78222 (heap-buffer-overflow on exif_scan_thumbnail). (CVE-2019-11041)

FTP:
  - Fixed bug #78039 (FTP with SSL memory leak).

Libxml:
  - Fixed bug #78279 (libxml_disable_entity_loader settings is shared between requests (cgi-fcgi)).

LiteSpeed:
  - Updated to LiteSpeed SAPI V7.4.3 (increased response header count limit from 100 to 1000, added crash handler to cleanly shutdown PHP request, added CloudLinux mod_lsapi mode).
  - Fixed bug #76058 (After "POST data can't be buffered", using php://input makes huge tmp files).

Openssl:
  - Fixed bug #78231 (Segmentation fault upon stream_socket_accept of exported socket-to-stream).

Opcache:
  - Fixed bug #78341 (Failure to detect smart branch in DFA pass).
  - Fixed bug #78189 (file cache strips last character of uname hash).
  - Fixed bug #78202 (Opcache stats for cache hits are capped at 32bit NUM).
  - Fixed bug #78271 (Invalid result of if-else).
  - Fixed bug #78291 (opcache_get_configuration doesn't list all directives).

PCRE:
  - Fixed bug #78338 (Array cross-border reading in PCRE).
  - Fixed bug #78197 (PCRE2 version check in configure fails for "##.##-xxx" version strings).

PDO_Sqlite:
  - Fixed bug #78192 (SegFault when reuse statement after schema has changed).

Phar:
  - Fixed bug #77919 (Potential UAF in Phar RSHUTDOWN).

Phpdbg:
  - Fixed bug #78297 (Include nonexistent file memory leak).

SQLite:
  - Upgraded to SQLite 3.28.0.

Standard:
  - Fixed bug #78241 (touch() does not handle dates after 2038 in PHP 64-bit).
  - Fixed bug #78269 (password_hash uses weak options for argon2).

_____________________________________________________________________
Version 7.2.21
01 Aug 2019

Date:
  - Fixed bug #69044 (discrepancy between time and microtime).

EXIF:
  - Fixed bug #78256 (heap-buffer-overflow on exif_process_user_comment). (CVE-2019-11042)
  - Fixed bug #78222 (heap-buffer-overflow on exif_scan_thumbnail). (CVE-2019-11041)

Fileinfo:
  - Fixed bug #78183 (finfo_file shows wrong mime-type for .tga file).

FTP:
  - Fixed bug #77124 (FTP with SSL memory leak).

Libxml:
  - Fixed bug #78279 (libxml_disable_entity_loader settings is shared between requests (cgi-fcgi)).

LiteSpeed:
  - Updated to LiteSpeed SAPI V7.4.3 (increased response header count limit from 100 to 1000, added crash handler to cleanly shutdown PHP request, added CloudLinux mod_lsapi mode).
  - Fixed bug #76058 (After "POST data can't be buffered", using php://input makes huge tmp files).

Openssl:
  - Fixed bug #78231 (Segmentation fault upon stream_socket_accept of exported socket-to-stream).

OPcache:
  - Fixed bug #78189 (file cache strips last character of uname hash).
  - Fixed bug #78202 (Opcache stats for cache hits are capped at 32bit NUM).
  - Fixed bug #78291 (opcache_get_configuration doesn't list all directives).

Phar:
  - Fixed bug #77919 (Potential UAF in Phar RSHUTDOWN).

Phpdbg:
  - Fixed bug #78297 (Include nonexistent file memory leak).

PDO_Sqlite:
  - Fixed bug #78192 (SegFault when reuse statement after schema has changed).

SQLite:
  - Upgraded to SQLite 3.28.0.

Standard:
  - Fixed bug #78241 (touch() does not handle dates after 2038 in PHP 64-bit).
  - Fixed bug #78269 (password_hash uses weak options for argon2).

XMLRPC:
  - Fixed bug #78173 (XML-RPC mutates immutable objects during encoding).

=========================================================
+ CERT-RENATER          | tel : 01-53-94-20-44          +
+ 23/25 Rue Daviel      | fax : 01-53-94-20-41          +
+ 75013 Paris           | email:cert@support.renater.fr +
=========================================================
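The following script is an added example, not part of the CERT-Renater note or of the PHP project; it turns the "prior to 7.3.8, 7.2.21" scope statement above into a branch-aware version check that an administrator can run on a fleet. The fixed versions are the two named in this note; the decision to report branches the note does not cover (7.1 and older, 7.4 and newer) as "unknown" rather than "patched" is the script's own conservative choice, and the php invocation assumes a php binary on PATH.

```python
"""Branch-aware check of a PHP version against the fixed releases in this note.

Added example (not the advisory's or the PHP project's code). It compares
MAJOR.MINOR.PATCH against 7.3.8 / 7.2.21 per branch and refuses to declare
anything safe that the note does not actually cover.
"""
import re
import subprocess
from typing import Optional, Tuple

# Fixed releases per branch, as stated in the advisory above.
FIXED = {
    (7, 3): (7, 3, 8),
    (7, 2): (7, 2, 21),
}

# Accept distribution-style strings such as "7.2.19-0ubuntu0.18.04.2"
# and only read the leading MAJOR.MINOR.PATCH triple.
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)")


def parse_version(text: str) -> Tuple[int, int, int]:
    """Return (major, minor, patch) from a PHP_VERSION-like string."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised PHP version string: {text!r}")
    major, minor, patch = (int(x) for x in m.groups())
    return (major, minor, patch)


def assess(version: str) -> str:
    """Classify a version as 'patched', 'vulnerable' or 'unknown'.

    'unknown' is returned for branches this note does not name, so that a
    7.1.x or 7.4.x host is never silently reported as fixed by this check.
    """
    v = parse_version(version)
    fixed = FIXED.get(v[:2])
    if fixed is None:
        return "unknown"
    return "patched" if v >= fixed else "vulnerable"


def installed_php_version() -> Optional[str]:
    """Ask the local php binary for PHP_VERSION; None if php is unavailable."""
    try:
        out = subprocess.run(
            ["php", "-r", "echo PHP_VERSION;"],
            capture_output=True, text=True, check=True,
        )
    except (OSError, subprocess.CalledProcessError):
        return None
    return out.stdout.strip()


if __name__ == "__main__":
    # Constructed sample inputs standing in for inventory data.
    for sample in ("7.3.7", "7.3.8", "7.2.19-0ubuntu0.18.04.2", "7.4.0"):
        print(f"{sample:28} -> {assess(sample)}")
    local = installed_php_version()
    if local is not None:
        print(f"local php {local:22} -> {assess(local)}")
```

One caveat when using this on distribution packages: Debian, Ubuntu and Red Hat routinely backport security fixes without bumping the upstream version, so a host reporting 7.2.19 may already carry the EXIF fixes. Treat "vulnerable" from a version-only check as a prompt to consult the distribution's package changelog, not as a final verdict.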