=====================================================================
                            CERT-Renater

                  Information Note No. 2025/VULN147
_____________________________________________________________________

DATE                 : 18/03/2025

HARDWARE PLATFORM(S) : /

OPERATING SYSTEM(S)  : Systems running PHP versions prior to 8.1.32,
                       8.2.28, 8.3.19, 8.4.5.

=====================================================================
https://www.php.net/ChangeLog-8.php#8.1.32
https://www.php.net/ChangeLog-8.php#8.2.28
https://www.php.net/ChangeLog-8.php#8.3.19
https://www.php.net/ChangeLog-8.php#8.4.5
_____________________________________________________________________

Version 8.1.32
13 Mar 2025

LibXML:
    Fixed GHSA-wg4p-4hqh-c3g9 (Reoccurrence of #72714).
    Fixed GHSA-p3x9-6h7p-cgfc (libxml streams use wrong `content-type` header when requesting a redirected resource). (CVE-2025-1219)

Streams:
    Fixed GHSA-hgf5-96fm-v528 (Stream HTTP wrapper header check might omit basic auth header). (CVE-2025-1736)
    Fixed GHSA-52jp-hrpf-2jff (Stream HTTP wrapper truncate redirect location to 1024 bytes). (CVE-2025-1861)
    Fixed GHSA-pcmh-g36c-qc44 (Streams HTTP wrapper does not fail for headers without colon). (CVE-2025-1734)
    Fixed GHSA-v8xr-gpvj-cx9g (Header parser of `http` stream wrapper does not handle folded headers). (CVE-2025-1217)

Windows:
    Fixed phpize for Windows 11 (24H2).

_____________________________________________________________________

Version 8.2.28
13 Mar 2025

Core:
    Fixed bug GH-17211 (observer segfault on function loaded with dl()).

LibXML:
    Fixed GHSA-wg4p-4hqh-c3g9 (Reoccurrence of #72714).
    Fixed GHSA-p3x9-6h7p-cgfc (libxml streams use wrong `content-type` header when requesting a redirected resource). (CVE-2025-1219)

Streams:
    Fixed GHSA-hgf5-96fm-v528 (Stream HTTP wrapper header check might omit basic auth header). (CVE-2025-1736)
    Fixed GHSA-52jp-hrpf-2jff (Stream HTTP wrapper truncate redirect location to 1024 bytes). (CVE-2025-1861)
    Fixed GHSA-pcmh-g36c-qc44 (Streams HTTP wrapper does not fail for headers without colon). (CVE-2025-1734)
    Fixed GHSA-v8xr-gpvj-cx9g (Header parser of `http` stream wrapper does not handle folded headers). (CVE-2025-1217)

Windows:
    Fixed phpize for Windows 11 (24H2).

_____________________________________________________________________

Version 8.3.19
13 Mar 2025

BCMath:
    Fixed bug GH-17398 (bcmul memory leak).

Core:
    Fixed bug GH-17623 (Broken stack overflow detection for variable compilation).
    Fixed bug GH-17618 (UnhandledMatchError does not take zend.exception_ignore_args=1 into account).
    Fix fallback paths in fast_long_{add,sub}_function.
    Fixed bug GH-17718 (Calling static methods on an interface that has `__callStatic` is allowed).
    Fixed bug GH-17797 (zend_test_compile_string crash on invalid script path).
    Fixed GHSA-rwp7-7vc6-8477 (Reference counting in php_request_shutdown causes Use-After-Free). (CVE-2024-11235)

DOM:
    Fixed bug GH-17847 (xinclude destroys live node).

FFI:
    Fix FFI Parsing of Pointer Declaration Lists.

FPM:
    Fixed bug GH-17643 (FPM with httpd ProxyPass encoded PATH_INFO env).

GD:
    Fixed bug GH-17772 (imagepalettetotruecolor crash with memory_limit=2M).

LDAP:
    Fixed bug GH-17704 (ldap_search fails when $attributes contains a non-packed array with numerical keys).

LibXML:
    Fixed GHSA-wg4p-4hqh-c3g9 (Reoccurrence of #72714).
    Fixed GHSA-p3x9-6h7p-cgfc (libxml streams use wrong `content-type` header when requesting a redirected resource). (CVE-2025-1219)

MBString:
    Fixed bug GH-17503 (Undefined float conversion in mb_convert_variables).

Opcache:
    Fixed bug GH-17654 (Multiple classes using same trait causes function JIT crash).
    Fixed bug GH-17577 (JIT packed type guard crash).
    Fixed bug GH-17899 (zend_test_compile_string with invalid path when opcache is enabled).
    Fixed bug GH-17868 (Cannot allocate memory with tracing JIT).

PDO_SQLite:
    Fixed GH-17837 ()::getColumnMeta() on unexecuted statement segfaults).
    Fix cycle leak in sqlite3 setAuthorizer().

Phar:
    Fixed bug GH-17808: PharFileInfo refcount bug.

PHPDBG:
    Partially fixed bug GH-17387 (Trivial crash in phpdbg lexer).
    Fix memory leak in phpdbg calling registered function.

Reflection:
    Fixed bug GH-15902 (Core dumped in ext/reflection/php_reflection.c).

Standard:
    Fixed bug #72666 (stat cache clearing inconsistent between file:// paths and plain paths).

Streams:
    Fixed bug GH-17650 (realloc with size 0 in user_filters.c).
    Fix memory leak on overflow in _php_stream_scandir().
    Fixed GHSA-hgf5-96fm-v528 (Stream HTTP wrapper header check might omit basic auth header). (CVE-2025-1736)
    Fixed GHSA-52jp-hrpf-2jff (Stream HTTP wrapper truncate redirect location to 1024 bytes). (CVE-2025-1861)
    Fixed GHSA-pcmh-g36c-qc44 (Streams HTTP wrapper does not fail for headers without colon). (CVE-2025-1734)
    Fixed GHSA-v8xr-gpvj-cx9g (Header parser of `http` stream wrapper does not handle folded headers). (CVE-2025-1217)

Windows:
    Fixed phpize for Windows 11 (24H2).
    Fixed GH-17855 (CURL_STATICLIB flag set even if linked with shared lib).

Zlib:
    Fixed bug GH-17745 (zlib extension incorrectly handles object arguments).
    Fix memory leak when encoding check fails.
    Fix zlib support for large files.

_____________________________________________________________________

Version 8.4.5
13 Mar 2025

BCMath:
    Fixed bug GH-17398 (bcmul memory leak).

Core:
    Fixed bug GH-17623 (Broken stack overflow detection for variable compilation).
    Fixed bug GH-17618 (UnhandledMatchError does not take zend.exception_ignore_args=1 into account).
    Fix fallback paths in fast_long_{add,sub}_function.
    Fixed bug OSS-Fuzz #391975641 (Crash when accessing property backing value by reference).
    Fixed bug GH-17718 (Calling static methods on an interface that has `__callStatic` is allowed).
    Fixed bug GH-17713 (ReflectionProperty::getRawValue() and related methods may call hooks of overridden properties).
    Fixed bug GH-17916 (Final abstract properties should error).
    Fixed bug GH-17866 (zend_mm_heap corrupted error after upgrading from 8.4.3 to 8.4.4).
    Fixed GHSA-rwp7-7vc6-8477 (Reference counting in php_request_shutdown causes Use-After-Free). (CVE-2024-11235)

DOM:
    Fixed bug GH-17609 (Typo in error message: Dom\NO_DEFAULT_NS instead of Dom\HTML_NO_DEFAULT_NS).
    Fixed bug GH-17802 (\Dom\HTMLDocument querySelector attribute name is case sensitive in HTML).
    Fixed bug GH-17847 (xinclude destroys live node).
    Fix using Dom\Node with Dom\XPath callbacks.

GD:
    Fixed bug GH-17703 (imagescale with both width and height negative values triggers only an Exception on width).
    Fixed bug GH-17772 (imagepalettetotruecolor crash with memory_limit=2M).

FFI:
    Fix FFI Parsing of Pointer Declaration Lists.

FPM:
    Fixed bug GH-17643 (FPM with httpd ProxyPass encoded PATH_INFO env).

LDAP:
    Fixed bug GH-17704 (ldap_search fails when $attributes contains a non-packed array with numerical keys).

LibXML:
    Fixed GHSA-wg4p-4hqh-c3g9 (Reoccurrence of #72714).
    Fixed GHSA-p3x9-6h7p-cgfc (libxml streams use wrong `content-type` header when requesting a redirected resource). (CVE-2025-1219)

MBString:
    Fixed bug GH-17503 (Undefined float conversion in mb_convert_variables).

Opcache:
    Fixed bug GH-17654 (Multiple classes using same trait causes function JIT crash).
    Fixed bug GH-17577 (JIT packed type guard crash).
    Fixed bug GH-17747 (Exception on reading property in register-based FETCH_OBJ_R breaks JIT).
    Fixed bug GH-17715 (Null pointer deref in observer API when calling cases() method on preloaded enum).
    Fixed bug GH-17868 (Cannot allocate memory with tracing JIT on 8.4.4).

PDO_SQLite:
    Fixed GH-17837 ()::getColumnMeta() on unexecuted statement segfaults).
    Fix cycle leak in sqlite3 setAuthorizer().
    Fix memory leaks in pdo_sqlite callback registration.

Phar:
    Fixed bug GH-17808: PharFileInfo refcount bug.

PHPDBG:
    Partially fixed bug GH-17387 (Trivial crash in phpdbg lexer).
    Fix memory leak in phpdbg calling registered function.

Reflection:
    Fixed bug GH-15902 (Core dumped in ext/reflection/php_reflection.c).
    Fixed missing final and abstract flags when dumping properties.

Standard:
    Fixed bug #72666 (stat cache clearing inconsistent between file:// paths and plain paths).

Streams:
    Fixed bug GH-17650 (realloc with size 0 in user_filters.c).
    Fix memory leak on overflow in _php_stream_scandir().
    Fixed GHSA-hgf5-96fm-v528 (Stream HTTP wrapper header check might omit basic auth header). (CVE-2025-1736)
    Fixed GHSA-52jp-hrpf-2jff (Stream HTTP wrapper truncate redirect location to 1024 bytes). (CVE-2025-1861)
    Fixed GHSA-pcmh-g36c-qc44 (Streams HTTP wrapper does not fail for headers without colon). (CVE-2025-1734)
    Fixed GHSA-v8xr-gpvj-cx9g (Header parser of `http` stream wrapper does not handle folded headers). (CVE-2025-1217)

Windows:
    Fixed phpize for Windows 11 (24H2).
    Fixed GH-17855 (CURL_STATICLIB flag set even if linked with shared lib).

Zlib:
    Fixed bug GH-17745 (zlib extension incorrectly handles object arguments).
    Fix memory leak when encoding check fails.
    Fix zlib support for large files.

=========================================================
+ CERT-RENATER        | tel : 01-53-94-20-44            +
+ 23/25 Rue Daviel    | fax : 01-53-94-20-41            +
+ 75013 Paris         | email:cert@support.renater.fr   +
=========================================================