PHP Security Release 7.3.11 – 7.2.24 – 7.1.33

Das Entwicklerteam der Programmiersprache PHP, haben Aktualisierungen der Hauptversionen 7.3, 7.2 und 7.1 veröffentlicht. Die Updates sind Security und Bugfix Releases und sollten umgehend installiert werden. Die Sicherheitslücke ist in CVE-2019-11043 beschrieben und ermöglicht den Remoteangriff auf nginx PHP-FPM Systeme.

PHP 7.3.11 Release Notes

• Core:
  • Fixed bug #78535 (auto_detect_line_endings value not parsed as bool).
  • Fixed bug #78620 (Out of memory error).
• Exif:
  • Fixed bug #78442 (‚Illegal component‘ on exif_read_data since PHP7) (Kalle)
• FPM:
  • Fixed bug #78599 (env_path_info underflow in fpm_main.c can lead to RCE). (CVE-2019-11043)
  • Fixed bug #78413 (request_terminate_timeout does not take effect after fastcgi_finish_request).
• MBString:
  • Fixed bug #78633 (Heap buffer overflow (read) in mb_eregi).
  • Fixed bug #78579 (mb_decode_numericentity: args number inconsistency).
  • Fixed bug #78609 (mb_check_encoding() no longer supports stringable objects).
• MySQLi:
  • Fixed bug #76809 (SSL settings aren’t respected when persistent connections are used).
• Mysqlnd:
  • Fixed bug #78525 (Memory leak in pdo when reusing native prepared statements).
• PCRE:
  • Fixed bug #78272 (calling preg_match() before pcntl_fork() will freeze child process).
• PDO_MySQL:
  • Fixed bug #78623 (Regression caused by „SP call yields additional empty result set“).
• Session:
  • Fixed bug #78624 (session_gc return value for user defined session handlers).
• Standard:
  • Fixed bug #76342 (file_get_contents waits twice specified timeout).
  • Fixed bug #78612 (strtr leaks memory when integer keys are used and the subject string shorter).
  • Fixed bug #76859 (stream_get_line skips data if used with data-generating filter).
• Zip:
  • Fixed bug #78641 (addGlob can modify given remove_path value).

PHP 7.2.24 Release Notes

• Core:
  • Fixed bug #78535 (auto_detect_line_endings value not parsed as bool).
  • Fixed bug #78620 (Out of memory error).
• Exif:
  • Fixed bug #78442 (‚Illegal component‘ on exif_read_data since PHP7) (Kalle)
• FPM:
  • Fixed bug #78599 (env_path_info underflow in fpm_main.c can lead to RCE). (CVE-2019-11043)
• MBString:
  • Fixed bug #78579 (mb_decode_numericentity: args number inconsistency).
  • Fixed bug #78609 (mb_check_encoding() no longer supports stringable objects).
• MySQLi:
  • Fixed bug #76809 (SSL settings aren’t respected when persistent connections are used).
• PDO_MySQL:
  • Fixed bug #78623 (Regression caused by „SP call yields additional empty result set“).
• Session:
  • Fixed bug #78624 (session_gc return value for user defined session handlers).
• Standard:
  • Fixed bug #76342 (file_get_contents waits twice specified timeout).
  • Fixed bug #78612 (strtr leaks memory when integer keys are used and the subject string shorter).
  • Fixed bug #76859 (stream_get_line skips data if used with data-generating filter).
• Zip:
  • Fixed bug #78641 (addGlob can modify given remove_path value).

PHP 7.1.33 Release Notes

FPM:

• Fixed bug #78599 (env_path_info underflow in fpm_main.c can lead to RCE). (CVE-2019-11043)