
Security PHP 8.5.1, 8.4.16, 8.3.29, 8.2.30, 8.1.34 Security Updates

Discussion in 'Centmin Mod News' started by eva2000, Dec 21, 2025.

Thread Status:
Not open for further replies.
    PHP has released security updates for PHP 8.5.1, 8.4.16, 8.3.29, 8.2.30, and 8.1.34 (CVE-2025-14177, CVE-2025-14178, GHSA-www2-q4fc-65wf). Centmin Mod has backported relevant security fixes for EOL PHP 7.4/8.0 versions. For Centmin Mod 132.00stable, 140.00beta01 and 141.00beta01, you can update to those versions if you haven't already. And if you're already on Centmin Mod 132.00stable, 140.00beta01 or 141.00beta01, you can pull this latest update to your server via the cmupdate command. Note, 141.00beta01 is currently for EL10 - AlmaLinux 10 development tests.

    Ensure that you run the cmupdate command to update your Centmin Mod local server code BEFORE you run centmin.sh menu option 5 to update your PHP version.

    Security Vulnerabilities Fixed
    CVE/Advisory | Severity | Component | Description
    • CVE-2025-14178 | High | array_merge() | Heap buffer overflow when merging arrays with combined element count exceeding 32-bit limit. Could cause crashes or potentially allow code execution.
    • CVE-2025-14177 | Medium | getimagesize() | Information leak of uninitialized heap memory when reading JPEG APP segments via stream wrappers. Could expose sensitive server memory contents.
    • GHSA-www2-q4fc-65wf | Medium | DNS functions | Null byte injection in dns_get_record(), dns_check_record(), dns_get_mx(), ip2long(), inet_pton() and related functions. Could bypass hostname validation checks.
    PHP Releases
    • PHP 8.5.1 - latest PHP 8.5 minor version. Only supported in Centmin Mod 141.00beta01.
    • PHP 8.4.16 - latest PHP 8.4 minor version. Supported in Centmin Mod 140.00beta01 and 141.00beta01.
    • PHP 8.3.29 - latest PHP 8.3 minor version. Supported in Centmin Mod 132.00stable, 140.00beta01 and 141.00beta01.
    • PHP 8.2.30 - latest PHP 8.2 minor version.
    • PHP 8.1.34 - latest PHP 8.1 minor version.
    • PHP 8.0.30 - last release in PHP 8.0 branch which is now end of life - no more bug fixes or security updates. If you're still using PHP 8.0.30, run cmupdate and re-run centmin.sh menu option 5 to recompile PHP 8.0.30 with backported security patch fixes.
    • PHP 7.4.33 - last release in PHP 7.4 branch which is now end of life - no more bug fixes or security updates. If you're still using PHP 7.4.33, run cmupdate and re-run centmin.sh menu option 5 to recompile PHP 7.4.33 with backported security patch fixes.
    • PHP 8.0.30 and 7.4.33 are EOL as security and maintenance updates have ended. However, I have backported PHP 8.1.34+ security fixes to PHP 7.4 and 8.0 branches for Centmin Mod 132.00stable, 140.00beta01 and 141.00beta01 branches.
    Who Is Affected?
    You need to take action if you are running any PHP version older than the patched releases:

    PHP Branch | Vulnerable Versions | Patched Version
    • PHP 7.4 | All 7.4.x (EOL) | 7.4.33 + Centmin Mod backport
    • PHP 8.0 | All 8.0.x (EOL) | 8.0.30 + Centmin Mod backport
    • PHP 8.1 | 8.1.33 and earlier | 8.1.34
    • PHP 8.2 | 8.2.29 and earlier | 8.2.30
    • PHP 8.3 | 8.3.28 and earlier | 8.3.29
    • PHP 8.4 | 8.4.15 and earlier | 8.4.16
    • PHP 8.5 | 8.5.0 | 8.5.1
    PHP Change logs
    Updating PHP On Centmin Mod LEMP Stacks
    • If you're on Centmin Mod 130.00beta01 or older and want PHP 7.4, 8.0, 8.1, 8.2, or 8.3 support, you will need to update your server from Centmin Mod 130.00beta01 to either 132.00stable, 140.00beta01 or 141.00beta01 first.
    • For Centmin Mod 132.00stable, 140.00beta01 or 141.00beta01, first update to the latest version code via the SSH command cmupdate (equivalent to the centmin.sh menu option 23 submenu option 2 method). Then run centmin.sh menu option 5 to update to PHP 8.5.1, 8.4.16, 8.3.29, 8.2.30 or 8.1.34, or to recompile PHP 8.0.30/7.4.33 with backported security patches.
    Centmin Mod Branch PHP Version Support
    Centmin Mod Branch | Maximum PHP Version Supported
    • 132.00stable | PHP 8.3.29
    • 140.00beta01 | PHP 8.4.16
    • 141.00beta01 | PHP 8.5.1
    Recommended Actions
    Option 1: Recompile Current PHP Version (Minimum)

    If your web applications require PHP 7.4 or 8.0:
    Code (Text):
    cmupdate
    centmin

    Select menu option 5 to recompile PHP 7.4.33 or 8.0.30 with the security patches applied.

    Option 2: Upgrade to a Supported PHP Version (Recommended)

    PHP 7.4 and 8.0 are end of life and will continue to accumulate unpatched vulnerabilities. Upgrading to a supported version is strongly recommended if your applications support it.
    Code (Text):
    cmupdate
    centmin

    Select menu option 5 and choose a newer PHP version. Before upgrading, verify your web applications (WordPress, Xenforo, Laravel, etc.) support your target PHP version.


    Security Advisory References
    PHP-FPM Upgrade Issues
    If you have issues with PHP-FPM upgrades via Centmin Mod centmin.sh menu option 5, check your PHP upgrade logs for details https://community.centminmod.com/threads/how-to-troubleshoot-php-installs-upgrades.17857/
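
A version check for the "Who Is Affected?" table in the post above, as an added example that is not part of the original post or of Centmin Mod. The function name `php_patch_status` and its status words are hypothetical; the patched versions are copied from that table.

```sh
#!/bin/sh
# Added example (not Centmin Mod code). Classifies a PHP version string as
# patched / vulnerable / eol-recompile / unknown using the table in the post.

php_patch_status() {
  v=${1%%[!0-9.]*}                 # drop suffixes such as "-dev" or "RC1"
  case "$v" in
    [0-9]*.[0-9]*.[0-9]*) ;;       # need at least major.minor.patch
    *) echo unknown; return 0 ;;
  esac
  major=${v%%.*}; rest=${v#*.}
  minor=${rest%%.*}; patch=${rest#*.}; patch=${patch%%.*}
  case "$patch" in
    ''|*[!0-9]*) echo unknown; return 0 ;;
  esac

  case "$major.$minor" in
    # EOL branches: the post's fix is a recompile of the same 7.4.33 / 8.0.30
    # release with backported patches, so the version number alone cannot
    # confirm it. Report the action to take instead.
    7.4|8.0) echo eol-recompile; return 0 ;;
    8.1) fixed=34 ;;
    8.2) fixed=30 ;;
    8.3) fixed=29 ;;
    8.4) fixed=16 ;;
    8.5) fixed=1 ;;
    *) echo unknown; return 0 ;;   # branch not listed in the post
  esac

  # "[ -lt ]" compares as decimal, so a stray leading zero is harmless.
  if [ "$patch" -lt "$fixed" ]; then
    echo vulnerable
  else
    echo patched
  fi
}

# Check the local interpreter when php is on PATH.
if command -v php >/dev/null 2>&1; then
  cur=$(php -r 'echo PHP_VERSION;')
  echo "PHP $cur: $(php_patch_status "$cur")"
fi
```

A result of `vulnerable` or `eol-recompile` means running cmupdate and then centmin.sh menu option 5, as described in the post.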
     