====================================================================
CERT-Renater Note d'Information No. 2019/VULN339
_____________________________________________________________________
DATE : 25/10/2019
HARDWARE PLATFORM(S): /
OPERATING SYSTEM(S): Systems running PHP versions prior to 7.1.33, 7.2.24, 7.3.11.
=====================================================================
https://www.php.net/archive/2019.php#2019-10-24-3
http://www.php.net/ChangeLog-7.php#7.1.33
http://www.php.net/ChangeLog-7.php#7.3.11
http://www.php.net/ChangeLog-7.php#7.2.24
_____________________________________________________________________
PHP 7.1.33 Released
24 Oct 2019

The PHP development team announces the immediate availability of PHP 7.1.33. This is a security release. All PHP 7.1 users are encouraged to upgrade to this version.

For source downloads of PHP 7.1.33 please visit our downloads page; Windows source and binaries can be found on windows.php.net/download/. The list of changes is recorded in the ChangeLog.

PHP 7.3.11 Released
24 Oct 2019

The PHP development team announces the immediate availability of PHP 7.3.11. This is a security release which also contains several bug fixes. All PHP 7.3 users are encouraged to upgrade to this version.

For source downloads of PHP 7.3.11 please visit our downloads page; Windows source and binaries can be found on windows.php.net/download/. The list of changes is recorded in the ChangeLog.

PHP 7.2.24 Released
24 Oct 2019

The PHP development team announces the immediate availability of PHP 7.2.24. This is a security release which also contains several minor bug fixes. All PHP 7.2 users are encouraged to upgrade to this version.

For source downloads of PHP 7.2.24 please visit our downloads page; Windows source and binaries can be found on windows.php.net/download/. The list of changes is recorded in the ChangeLog.
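The ChangeLog entries below place the RCE fix (bug #78599, CVE-2019-11043) in fpm_main.c, so the component to check on each host is the PHP-FPM binary, not only the CLI. The following added triage script (not part of this advisory or of php.net's material) compares a PHP version string against the three fixed releases named above. It assumes the FPM binary is reachable as `php-fpm` and answers `-v`; on Debian/Ubuntu the binary is typically named per branch (e.g. `php-fpm7.2`), so pass the right name as an argument.

```python
import re
import subprocess

# Fixed releases named in the advisory, keyed by PHP minor branch.
FIXED_RELEASES = {
    (7, 1): (7, 1, 33),
    (7, 2): (7, 2, 24),
    (7, 3): (7, 3, 11),
}


def parse_version(text):
    """Extract the upstream x.y.z triple from a PHP version string.

    Accepts plain '7.3.10' as well as distro-decorated strings such as
    '7.2.19-0ubuntu0.18.04.2'; anything after the third number is ignored.
    """
    m = re.match(r"\s*(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError("unrecognised PHP version string: %r" % text)
    return tuple(int(n) for n in m.groups())


def assess(version_text):
    """Classify a PHP version against the releases in this advisory.

    Returns 'patched' if at or above the fixed release for its branch,
    'unpatched' if below it (or on a branch older than 7.1, which received
    no release in this set), and 'not covered' for branches the advisory
    does not mention (e.g. 7.4 pre-releases).
    """
    version = parse_version(version_text)
    branch = version[:2]
    if branch in FIXED_RELEASES:
        return "patched" if version >= FIXED_RELEASES[branch] else "unpatched"
    if version < (7, 1, 0):
        return "unpatched"
    return "not covered"


def installed_version(binary="php-fpm"):
    """Run `<binary> -v` and return the version token from its 'PHP x.y.z' line.

    The FPM binary is queried by default because the RCE fix lives in
    fpm_main.c. Assumption: the binary name matches your packaging.
    """
    out = subprocess.run([binary, "-v"], capture_output=True, text=True, check=True).stdout
    m = re.search(r"^PHP (\S+)", out, re.MULTILINE)
    if not m:
        raise RuntimeError("no 'PHP x.y.z' line in output of %s -v" % binary)
    return m.group(1)


if __name__ == "__main__":
    import sys
    # Usage: python check_php_fpm.py [php-fpm-binary]
    binary = sys.argv[1] if len(sys.argv) > 1 else "php-fpm"
    ver = installed_version(binary)
    print("%s reports PHP %s: %s" % (binary, ver, assess(ver)))
```

Treat "unpatched" as a triage result, not a verdict: distribution security updates commonly backport the fix without raising the upstream x.y.z number, so confirm against the vendor's package changelog before filing a host as exposed.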
_____________________________________________________________________
Version 7.1.33
24 Oct 2019

- FPM:
  . Fixed bug #78599 (env_path_info underflow in fpm_main.c can lead to RCE). (CVE-2019-11043)
_____________________________________________________________________
Version 7.3.11
24 Oct 2019

- Core:
  . Fixed bug #78535 (auto_detect_line_endings value not parsed as bool).
  . Fixed bug #78620 (Out of memory error).
- Exif:
  . Fixed bug #78442 ('Illegal component' on exif_read_data since PHP7). (Kalle)
- FPM:
  . Fixed bug #78599 (env_path_info underflow in fpm_main.c can lead to RCE). (CVE-2019-11043)
  . Fixed bug #78413 (request_terminate_timeout does not take effect after fastcgi_finish_request).
- MBString:
  . Fixed bug #78633 (Heap buffer overflow (read) in mb_eregi).
  . Fixed bug #78579 (mb_decode_numericentity: args number inconsistency).
  . Fixed bug #78609 (mb_check_encoding() no longer supports stringable objects).
- MySQLi:
  . Fixed bug #76809 (SSL settings aren't respected when persistent connections are used).
- Mysqlnd:
  . Fixed bug #78525 (Memory leak in pdo when reusing native prepared statements).
- PCRE:
  . Fixed bug #78272 (calling preg_match() before pcntl_fork() will freeze child process).
- PDO_MySQL:
  . Fixed bug #78623 (Regression caused by "SP call yields additional empty result set").
- Session:
  . Fixed bug #78624 (session_gc return value for user defined session handlers).
- Standard:
  . Fixed bug #76342 (file_get_contents waits twice specified timeout).
  . Fixed bug #78612 (strtr leaks memory when integer keys are used and the subject string is shorter).
  . Fixed bug #76859 (stream_get_line skips data if used with data-generating filter).
- Zip:
  . Fixed bug #78641 (addGlob can modify given remove_path value).
_____________________________________________________________________
Version 7.2.24
24 Oct 2019

- Core:
  . Fixed bug #78535 (auto_detect_line_endings value not parsed as bool).
  . Fixed bug #78620 (Out of memory error).
- Exif:
  . Fixed bug #78442 ('Illegal component' on exif_read_data since PHP7). (Kalle)
- FPM:
  . Fixed bug #78599 (env_path_info underflow in fpm_main.c can lead to RCE). (CVE-2019-11043)
- MBString:
  . Fixed bug #78579 (mb_decode_numericentity: args number inconsistency).
  . Fixed bug #78609 (mb_check_encoding() no longer supports stringable objects).
- MySQLi:
  . Fixed bug #76809 (SSL settings aren't respected when persistent connections are used).
- PDO_MySQL:
  . Fixed bug #78623 (Regression caused by "SP call yields additional empty result set").
- Session:
  . Fixed bug #78624 (session_gc return value for user defined session handlers).
- Standard:
  . Fixed bug #76342 (file_get_contents waits twice specified timeout).
  . Fixed bug #78612 (strtr leaks memory when integer keys are used and the subject string is shorter).
  . Fixed bug #76859 (stream_get_line skips data if used with data-generating filter).
- Zip:
  . Fixed bug #78641 (addGlob can modify given remove_path value).
=========================================================
+ CERT-RENATER         | tel : 01-53-94-20-44              +
+ 23/25 Rue Daviel     | fax : 01-53-94-20-41              +
+ 75013 Paris          | email: cert@support.renater.fr    +
=========================================================