mirror of https://github.com/php/php-src.git synced 2026-03-24 00:02:20 +01:00

Update NEWS

Co-authored-by: Eric Mann <ericmann@php.net>
Ben Ramsey
2024-06-05 00:39:47 -05:00
parent 5c6d47372c
commit 6150156d3a

NEWS

@@ -1,8 +1,28 @@
PHP NEWS
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
?? ??? ????, PHP 8.1.29
06 Jun 2024, PHP 8.1.29
- CGI:
. Fixed bug GHSA-3qgc-jrrr-25jv (Bypass of CVE-2012-1823, Argument Injection
in PHP-CGI). (CVE-2024-4577) (nielsdos)
- Filter:
. Fixed bug GHSA-w8qr-v226-r27w (Filter bypass in filter_var FILTER_VALIDATE_URL).
(CVE-2024-5458) (nielsdos)
- OpenSSL:
. The openssl_private_decrypt function in PHP, when using PKCS1 padding
(OPENSSL_PKCS1_PADDING, which is the default), is vulnerable to the Marvin Attack
unless it is used with an OpenSSL version that includes the changes from this pull
request: https://github.com/openssl/openssl/pull/13817 (rsa_pkcs1_implicit_rejection).
These changes are part of OpenSSL 3.2 and have also been backported to stable
versions of various Linux distributions, as well as to the PHP builds provided for
Windows since the previous release. All distributors and builders should ensure that
this version is used to prevent PHP from being vulnerable. (CVE-2024-2408)
- Standard:
. Fixed bug GHSA-9fcc-425m-g385 (Bypass of CVE-2024-1874).
(CVE-2024-5585) (nielsdos)
11 Apr 2024, PHP 8.1.28
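Review bot: In the OpenSSL entry, "this version" in "All distributors and builders should ensure that this version is used" has no clear antecedent. The preceding sentence names both OpenSSL 3.2 and distribution backports, so a reader cannot tell whether 3.2 itself is required or whether any build carrying rsa_pkcs1_implicit_rejection is sufficient; wording such as "an OpenSSL build that includes these changes" would remove the ambiguity. Unlike the three "Fixed bug" entries, this one reports no fix in PHP itself and carries no contributor credit, so it would help to say outright that the mitigation comes from the linked OpenSSL library, since readers scanning NEWS for "Fixed bug" may otherwise assume upgrading PHP alone addresses CVE-2024-2408. As a style point, the FILTER_VALIDATE_URL line is longer than the separator line under "PHP NEWS" and could wrap before "FILTER_VALIDATE_URL).".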
@@ -31,7 +51,7 @@ PHP NEWS
- FPM:
. Fixed bug GH-12705 (Segmentation fault in fpm_status_export_to_zval).
(Patrick Prasse)
- Intl:
. Fixed bug GH-12635 (Test bug69398.phpt fails with ICU 74.1). (nielsdos)