Security PHP 7.3.1, 7.2.14, 7.1.26 & 5.6.40 Security Releases

Discussion in 'Centmin Mod News' started by eva2000, Jan 10, 2019.

Thread Status:
Not open for further replies.
  1. eva2000

    The PHP folks have released new security and bug fix releases today for PHP versions 7.3.1, 7.2.14, 7.1.26 and 5.6.40. The PHP 7.0 branch is EOL so no PHP 7.0.34 was released; folks would need to update to PHP 7.1.26 instead (for Centmin Mod users that means using Centmin Mod 123.09beta01 or higher branch).

    Please read carefully the details below for Centmin Mod compatibility and how to use centmin.sh menu option 5 to upgrade or downgrade PHP versions.

    PHP Releases


    Updating PHP On Centmin Mod LEMP Stacks


    • For Centmin Mod 123.08stable, first update to latest version code via centmin.sh menu option 23 submenu option 2, exit centmin.sh and re-run centmin.sh menu option 5 to update to PHP 5.6.40 or 7.0.34 version numbers.
    • For Centmin Mod 123.09beta01 and newer, first update to the latest version code via SSH command = cmupdate (equivalent to the centmin.sh menu option 23 submenu option 2 method). Then run centmin.sh menu option 5 to update to either PHP version 5.6.40, 7.1.26, 7.2.14 or, if your web apps support it, PHP 7.3.1. Example output from cmupdate SSH command run:
      Code (Text):
      cmupdate
      No local changes to save
      Updating 6a58b0e..72b1bb0
      Fast-forward
       addons/geoip.sh             |  4 ++--
       inc/geoip.inc               |  8 ++++----
       inc/phpsededit.inc          | 12 ++++++++++--
       inc/zendopcache_tweaks.inc  | 12 ++++++++++--
       stackscripts/stackscript.sh | 16 +++++++++++++++-
       tools/geoipdb-update.sh     |  8 ++++----
       tools/hptweaks.sh           | 18 +++++++++++++++---
       7 files changed, 60 insertions(+), 18 deletions(-)
      
    • If you're on Centmin Mod 123.08stable and want PHP 7.1, 7.2, or 7.3 support, you will need to update your server from Centmin Mod 123.08stable to 123.09beta01 first. This can be done via centmin.sh menu option 23 submenu option 3 to switch Centmin Mod branches as outlined in 1st post under heading of How to switch to 123.09beta01 branch ? at Centmin Mod .09 beta branch Testing as well as official update page.
      Code (Text):
      --------------------------------------------------------
             Centmin Mod Updater Sub-Menu           
      --------------------------------------------------------
      1). Setup Centmin Mod Github Environment
      2). Update Centmin Mod Current Branch
      3). Update Centmin Mod Newer Branch
      4). Exit
      --------------------------------------------------------
      Enter option [ 1 - 4 ] 3
      --------------------------------------------------------
      
    • If you are on Centmin Mod 123.08stable and concerned about losing customisations when you upgrade to Centmin Mod 123.09beta01, read this guide on how to upgrade and keep most of your customisations at How to upgrade Centmin Mod + backing up customisations.
    Centmin Mod 123.09beta01 PHP 7.3.1 update

    Code (Text):
    --------------------------------------------------------
         Centmin Mod Menu 123.09beta01 centminmod.com
    --------------------------------------------------------
    1).  Centmin Install
    2).  Add Nginx vhost domain
    3).  NSD setup domain name DNS
    4).  Nginx Upgrade / Downgrade
    5).  PHP Upgrade / Downgrade
    6).  XCache Re-install
    7).  APC Cache Re-install
    8).  XCache Install
    9).  APC Cache Install
    10). Memcached Server Re-install
    11). MariaDB MySQL Upgrade & Management
    12). Zend OpCache Install/Re-install
    13). Install/Reinstall Redis PHP Extension
    14). SELinux disable
    15). Install/Reinstall ImagicK PHP Extension
    16). Change SSHD Port Number
    17). Multi-thread compression: pigz,pbzip2,lbzip2...
    18). Suhosin PHP Extension install
    19). Install FFMPEG and FFMPEG PHP Extension
    20). NSD Install/Re-Install
    21). Update - Nginx + PHP-FPM + Siege
    22). Add Wordpress Nginx vhost + Cache Plugin
    23). Update Centmin Mod Code Base
    24). Exit
    --------------------------------------------------------
    Enter option [ 1 - 24 ] 5
    --------------------------------------------------------
    

    Code (Text):
    Do you want to run YUM install checks ?  [y/n]
    
    This will increase your upgrade duration time wise.
    Check the change log centminmod.com/changelog.html
    to see if any Nginx or PHP related new additions
    which require checking YUM prequisites are met.
    If no new additions made, you can skip the
    YUM install check to speed up upgrade time.
    
     [y/n]: n
    

    Code (Text):
    ----------------------------------------------------------------
    Install which version of PHP? (version i.e. 5.6.40, 7.0.34, NGDEBUG)
    PHP 7.x/7.1.x/7.2.x/7.3.x is GA Stable but still may have broken PHP extensions.
    NGDEBUG is PHP 7.4.0 dev builds minus incompatible PHP extensions
    ----------------------------------------------------------------
    Enter PHP Version number you want to upgrade/downgrade to: 7.3.1
    ----------------------------------------------------------------
    existing php.ini will be backed up at /usr/local/lib/php.ini-oldversion_090119-180326
    ----------------------------------------------------------------
    

    Code (Text):
    -----------------------------------------------------------------------------------------
    Detected PHP 7.3 branch.
    You can compile Zend OPcache (Zend Optimizer Plus+) support
    as an alternative to using APC Cache or Xcache cache.
    But Zend OPcache only provides PHP opcode cache and
    DOESN'T do data caching, so if your web apps such as Wordpress,
    Drupal or vBulletin require data caching to APC or Xcache,
    it won't work with Zend OPcache.
    
    -----------------------------------------------------------------------------------------
    Do you want to use Zend OPcache [y/n] ? y
    
    *************************************************
    * Zend Optimizer Plus OPcache configured
    *************************************************
    
    PHP 7+ detected which uses newer mysqlnd
    or PDO MySQL extensions and removed the
    legacy mysql extension. You can optionally
    re-add the removed legacy mysql extension
    to PHP 7+ by answering yes to next question
    Only answer yes if you know for sure you
    have very old web scripts which need mysql
    legacy extension re-added. Otherwise answer
    no which is recommended for best stability
    
    Re-add legacy mysql extension to PHP 7+ [y/n] ? n
    

    Code (Text):
    php -v
    PHP 7.3.1 (cli) (built: Jan  9 2019 18:06:10) ( NTS )
    Copyright (c) 1997-2018 The PHP Group
    Zend Engine v3.3.1, Copyright (c) 1998-2018 Zend Technologies
        with Zend OPcache v7.3.1, Copyright (c) 1999-2018, by Zend Technologies
    

    PHP 7.3.1 with Argon2 hash algorithm support and libsodium PHP extension
    Code (Text):
    php -r 'print_r(get_defined_constants());' | grep -i argon
        [PASSWORD_ARGON2I] => 2
        [PASSWORD_ARGON2ID] => 3
        [PASSWORD_ARGON2_DEFAULT_MEMORY_COST] => 1024
        [PASSWORD_ARGON2_DEFAULT_TIME_COST] => 2
        [PASSWORD_ARGON2_DEFAULT_THREADS] => 2
        [SODIUM_CRYPTO_PWHASH_ALG_ARGON2I13] => 1
        [SODIUM_CRYPTO_PWHASH_ALG_ARGON2ID13] => 2
        [SODIUM_CRYPTO_PWHASH_STRPREFIX] => $argon2id$
    

    Code (Text):
    php --ri sodium
    
    sodium
    
    sodium support => enabled
    libsodium headers version => 1.0.16
    libsodium library version => 1.0.16
    


    Troubleshooting PHP Upgrades



    The most common issue between major PHP branch upgrades like PHP 7.1 to 7.2 or PHP 7.2 to 7.3 is having to recompile some PHP extensions which may not be compatible between major PHP versions. Usually, you will encounter PHP Startup/Warning errors mentioning Unable to load dynamic library and then naming the PHP extension that isn't working. Examples for the memcached and redis PHP extensions, memcached.so and redis.so respectively:
    Code (Text):
    PHP Warning:  PHP Startup: Unable to load dynamic library '/usr/local/lib/php/extensions/no-debug-zts-20180731/memcached.so' (tried: /usr/local/lib/php/extensions/no-debug-zts-20180731/memcached.so (/usr/local/lib/php/extensions/no-debug-zts-20180731/memcached.so: undefined symbol: executor_globals_id), /usr/local/lib/php/extensions/no-debug-non-zts-20180731//usr/local/lib/php/extensions/no-debug-zts-20180731/memcached.so.so (/usr/local/lib/php/extensions/no-debug-non-zts-20180731//usr/local/lib/php/extensions/no-debug-zts-20180731/memcached.so.so: cannot open shared object file: No such file or directory)) in Unknown on line 0
    
    PHP Warning:  PHP Startup: Unable to load dynamic library 'redis.so' (tried: /usr/local/lib/php/extensions/no-debug-non-zts-20180731/redis.so (/usr/local/lib/php/extensions/no-debug-non-zts-20180731/redis.so: cannot open shared object file: No such file or directory), /usr/local/lib/php/extensions/no-debug-non-zts-20180731/redis.so.so (/usr/local/lib/php/extensions/no-debug-non-zts-20180731/redis.so.so: cannot open shared object file: No such file or directory)) in Unknown on line 0
    

    For 123.09beta01 branch, just re-run centmin.sh menu option 10 to reinstall memcached PHP extension and centmin.sh menu option 13 submenu option 2 to reinstall redis PHP extension.
    Code (Text):
    --------------------------------------------------------
         Centmin Mod Menu 123.09beta01 centminmod.com
    --------------------------------------------------------
    1).  Centmin Install
    2).  Add Nginx vhost domain
    3).  NSD setup domain name DNS
    4).  Nginx Upgrade / Downgrade
    5).  PHP Upgrade / Downgrade
    6).  XCache Re-install
    7).  APC Cache Re-install
    8).  XCache Install
    9).  APC Cache Install
    10). Memcached Server Re-install
    11). MariaDB MySQL Upgrade & Management
    12). Zend OpCache Install/Re-install
    13). Install/Reinstall Redis PHP Extension
    14). SELinux disable
    15). Install/Reinstall ImagicK PHP Extension
    16). Change SSHD Port Number
    17). Multi-thread compression: pigz,pbzip2,lbzip2...
    18). Suhosin PHP Extension install
    19). Install FFMPEG and FFMPEG PHP Extension
    20). NSD Install/Re-Install
    21). Update - Nginx + PHP-FPM + Siege
    22). Add Wordpress Nginx vhost + Cache Plugin
    23). Update Centmin Mod Code Base
    24). Exit
    --------------------------------------------------------
    Enter option [ 1 - 24 ] 10
    --------------------------------------------------------
    

    Checking to see if memcached PHP extension is now loaded
    Code (Text):
    php --ri memcached
    
    memcached
    
    memcached support => enabled
    Version => 3.1.0-dev
    libmemcached version => 1.0.16
    SASL support => yes
    Session support => yes
    igbinary support => no
    json support => yes
    msgpack support => no
    
    Directive => Local Value => Master Value
    memcached.sess_locking => On => On
    memcached.sess_lock_wait_min => 150 => 150
    memcached.sess_lock_wait_max => 150 => 150
    memcached.sess_lock_retries => 5 => 5
    memcached.sess_lock_expire => 0 => 0
    memcached.sess_binary_protocol => Off => Off
    memcached.sess_consistent_hash => Off => Off
    memcached.sess_consistent_hash_type => ketama => ketama
    memcached.sess_number_of_replicas => 0 => 0
    memcached.sess_randomize_replica_read => Off => Off
    memcached.sess_remove_failed_servers => Off => Off
    memcached.sess_server_failure_limit => 0 => 0
    memcached.sess_connect_timeout => 3000 => 3000
    memcached.sess_sasl_username => no value => no value
    memcached.sess_sasl_password => no value => no value
    memcached.sess_persistent => Off => Off
    memcached.sess_prefix => memc.sess.key. => memc.sess.key.
    memcached.sess_lock_wait => not set => not set
    memcached.sess_lock_max_wait => not set => not set
    memcached.compression_type => fastlz => fastlz
    memcached.compression_factor => 1.3 => 1.3
    memcached.compression_threshold => 2000 => 2000
    memcached.serializer => php => php
    memcached.store_retry_count => 2 => 2
    memcached.default_consistent_hash => Off => Off
    memcached.default_binary_protocol => Off => Off
    memcached.default_connect_timeout => 0 => 0
    

    Code (Text):
    --------------------------------------------------------
             Redis PHP Extension Sub-Menu
    --------------------------------------------------------
    1). Install Redis PHP Extension
    2). Reinstall Redis PHP Extension
    3). Back to Main menu
    --------------------------------------------------------
    Enter option [ 1 - 3 ] 2
    

    Checking to see if redis PHP extension is now loaded
    Code (Text):
    php --ri redis
    
    redis
    
    Redis Support => enabled
    Redis Version => 4.2.0
    Available serializers => php, igbinary
    
    Directive => Local Value => Master Value
    redis.arrays.autorehash => 0 => 0
    redis.arrays.connecttimeout => 0 => 0
    redis.arrays.distributor => no value => no value
    redis.arrays.functions => no value => no value
    redis.arrays.hosts => no value => no value
    redis.arrays.index => 0 => 0
    redis.arrays.lazyconnect => 0 => 0
    redis.arrays.names => no value => no value
    redis.arrays.pconnect => 0 => 0
    redis.arrays.previous => no value => no value
    redis.arrays.readtimeout => 0 => 0
    redis.arrays.retryinterval => 0 => 0
    redis.clusters.persistent => 0 => 0
    redis.clusters.read_timeout => 0 => 0
    redis.clusters.seeds => no value => no value
    redis.clusters.timeout => 0 => 0
    redis.session.locking_enabled => 0 => 0
    redis.session.lock_expire => 0 => 0
    redis.session.lock_retries => 10 => 10
    redis.session.lock_wait_time => 2000 => 2000
    


    PHP 7.3.0 doesn't support memcache PHP extension, only memcached PHP extension so you will encounter - As at Dec 21, 2018, memcache PHP extension now supports PHP 7.3.0 as I backported a patch so no longer need to remove memcache.ini :)
    Code (Text):
    PHP Warning:  PHP Startup: Unable to load dynamic library '/usr/local/lib/php/extensions/no-debug-non-zts-20180731/memcache.so' (tried: /usr/local/lib/php/extensions/no-debug-non-zts-20180731/memcache.so (/usr/local/lib/php/extensions/no-debug-non-zts-20180731/memcache.so: cannot open shared object file: No such file or directory), /usr/local/lib/php/extensions/no-debug-non-zts-20180731//usr/local/lib/php/extensions/no-debug-non-zts-20180731/memcache.so.so (/usr/local/lib/php/extensions/no-debug-non-zts-20180731//usr/local/lib/php/extensions/no-debug-non-zts-20180731/memcache.so.so: cannot open shared object file: No such file or directory)) in Unknown on line 0
    

    To fix, just remove memcache.ini located at /etc/centminmod/php.d/memcache.ini
    Code (Text):
    cd /etc/centminmod/php.d/
    rm -rf /etc/centminmod/php.d/memcache.ini
    fpmrestart
    

    mailparse PHP extension error
    Code (Text):
    Starting php-fpm [05-Dec-2018 18:06:21] NOTICE: PHP message: PHP Warning:  PHP Startup: Unable to load dynamic library 'mailparse.so' (tried: /usr/local/lib/php/extensions/no-debug-non-zts-20180731/mailparse.so (/usr/local/lib/php/extensions/no-debug-non-zts-20180731/mailparse.so: cannot open shared object file: No such file or directory), /usr/local/lib/php/extensions/no-debug-non-zts-20180731/mailparse.so.so (/usr/local/lib/php/extensions/no-debug-non-zts-20180731/mailparse.so.so: cannot open shared object file: No such file or directory)) in Unknown on line 0
     done
    

    To fix, just remove mailparse.ini located at /etc/centminmod/php.d/mailparse.ini
    Code (Text):
    cd /etc/centminmod/php.d/
    rm -rf /etc/centminmod/php.d/mailparse.ini
    fpmrestart
    

    Then usually, if you re-run centmin.sh menu option 5, mailparse is reinstalled again. If you still get an error unable to load mailparse.so, then it could be that the specific PHP version hasn't got mailparse PHP extension support yet.

    On centmin.sh menu option 5 recompile, mailparse PHP extension is now loaded
    Code (Text):
    php --ri mailparse
    
    mailparse
    
    mailparse support => enabled
    Extension Version => 3.0.3-dev
    Revision => $Revision$
    
    Directive => Local Value => Master Value
    mailparse.def_charset => us-ascii => us-ascii
    


    You can see a list of custom Centmin Mod installed PHP extensions' ini settings files via command, php --ini
    Code (Text):
    php --ini
    Configuration File (php.ini) Path: /usr/local/lib
    Loaded Configuration File:         /usr/local/lib/php-cli.ini
    Scan for additional .ini files in: /etc/centminmod/php.d
    Additional .ini files parsed:      /etc/centminmod/php.d/a_customphp.ini,
    /etc/centminmod/php.d/curlcainfo.ini,
    /etc/centminmod/php.d/geoip.ini,
    /etc/centminmod/php.d/igbinary.ini,
    /etc/centminmod/php.d/imagick.ini,
    /etc/centminmod/php.d/mailparse.ini,
    /etc/centminmod/php.d/mcrypt.ini,
    /etc/centminmod/php.d/memcache.ini,
    /etc/centminmod/php.d/memcached.ini,
    /etc/centminmod/php.d/redis.ini,
    /etc/centminmod/php.d/zendopcache.ini
    

    And list of all PHP extensions loaded
    Code (Text):
    php -m
    

    output
    Code (Text):
    php -m
    [PHP Modules]
    bcmath
    bz2
    calendar
    Core
    ctype
    curl
    date
    dom
    enchant
    exif
    fileinfo
    filter
    ftp
    gd
    geoip
    gettext
    gmp
    hash
    iconv
    igbinary
    imagick
    imap
    intl
    json
    ldap
    libxml
    mailparse
    mbstring
    mcrypt
    memcached
    mysqli
    mysqlnd
    openssl
    pcntl
    pcre
    PDO
    pdo_mysql
    pdo_sqlite
    Phar
    posix
    pspell
    readline
    redis
    Reflection
    session
    shmop
    SimpleXML
    snmp
    soap
    sockets
    sodium
    SPL
    sqlite3
    standard
    sysvmsg
    sysvsem
    sysvshm
    tidy
    tokenizer
    xml
    xmlreader
    xmlrpc
    xmlwriter
    xsl
    Zend OPcache
    zip
    zlib
    
    [Zend Modules]
    Zend OPcache
    


     
  2. eva2000

    PHP 7.3.1 Change Log

    Code:
    10 Jan 2019, PHP 7.3.1
    
    - Core:
      . Fixed bug #76654 (Build failure on Mac OS X on 32-bit Intel). (Ryandesign)
      . Fixed bug #71041 (zend_signal_startup() needs ZEND_API).
        (Valentin V. Bartenev)
      . Fixed bug #76046 (PHP generates "FE_FREE" opcode on the wrong line).
        (Nikita)
      . Fixed bug #77291 (magic methods inherited from a trait may be ignored).
        (cmb)
    
    - CURL:
      . Fixed bug #77264 (curl_getinfo returning microseconds, not seconds).
        (Pierrick)
    
    - COM:
      . Fixed bug #77177 (Serializing or unserializing COM objects crashes). (cmb)
    
    - Exif:
      . Fixed bug #77184 (Unsigned rational numbers are written out as signed
        rationals). (Colin Basnett)
    
    - GD:
      . Fixed bug #77195 (Incorrect error handling of imagecreatefromjpeg()). (cmb)
      . Fixed bug #77198 (auto cropping has insufficient precision). (cmb)
      . Fixed bug #77200 (imagecropauto(…, GD_CROP_SIDES) crops left but not right).
        (cmb)
      . Fixed bug #77269 (efree() on uninitialized Heap data in imagescale leads to
        use-after-free). (cmb)
      . Fixed bug #77270 (imagecolormatch Out Of Bounds Write on Heap). (cmb)
    
    - MBString:
      . Fixed bug #77367 (Negative size parameter in mb_split). (Stas)
      . Fixed bug #77370 (Buffer overflow on mb regex functions - fetch_token).
        (Stas)
      . Fixed bug #77371 (heap buffer overflow in mb regex functions -
        compile_string_node). (Stas)
      . Fixed bug #77381 (heap buffer overflow in multibyte match_at). (Stas)
      . Fixed bug #77382 (heap buffer overflow due to incorrect length in
        expand_case_fold_string). (Stas)
      . Fixed bug #77385 (buffer overflow in fetch_token). (Stas)
      . Fixed bug #77394 (Buffer overflow in multibyte case folding - unicode).
        (Stas)
      . Fixed bug #77418 (Heap overflow in utf32be_mbc_to_code). (Stas)
    
    - OCI8:
      . Fixed bug #76804 (oci_pconnect with OCI_CRED_EXT not working). (KoenigsKind)
      . Added oci_set_call_timeout() for call timeouts.
      . Added oci_set_db_operation() for the DBOP end-to-end-tracing attribute.
    
    - Opcache:
      . Fixed bug #77215 (CFG assertion failure on multiple finalizing switch
        frees in one block). (Nikita)
      . Fixed bug #77275 (OPcache optimization problem for ArrayAccess->offsetGet).
        (Nikita)
    
    - PCRE:
      . Fixed bug #77193 (Infinite loop in preg_replace_callback). (Anatol)
    
    - PDO:
      . Handle invalid index passed to PDOStatement::fetchColumn() as error. (Sergei
        Morozov)
    
    - Phar:
      . Fixed bug #77247 (heap buffer overflow in phar_detect_phar_fname_ext).
        (Stas)
    
    - Soap:
      . Fixed bug #77088 (Segfault when using SoapClient with null options).
        (Laruence)
    
    - Sockets:
      . Fixed bug #77136 (Unsupported IPV6_RECVPKTINFO constants on macOS).
        (Mizunashi Mana)
    
    - Sodium:
      . Fixed bug #77297 (SodiumException segfaults on PHP 7.3). (Nikita, Scott)
    
    - SPL:
      . Fixed bug #77359 (spl_autoload causes segfault). (Lauri Kenttä)
      . Fixed bug #77360 (class_uses causes segfault). (Lauri Kenttä)
    
    - SQLite3:
      . Fixed bug #77051 (Issue with re-binding on SQLite3). (BohwaZ)
    
    - Xmlrpc:
      . Fixed bug #77242 (heap out of bounds read in xmlrpc_decode()). (cmb)
      . Fixed bug #77380 (Global out of bounds read in xmlrpc base64 code). (Stas)

    PHP 7.2.14 Change Log

    Code:
    10 Jan 2019, PHP 7.2.14
    
    - Core:
      . Fixed bug #77369 (memcpy with negative length via crafted DNS response). (Stas)
      . Fixed bug #71041 (zend_signal_startup() needs ZEND_API).
        (Valentin V. Bartenev)
      . Fixed bug #76046 (PHP generates "FE_FREE" opcode on the wrong line).
        (Nikita)
    
    - COM:
      . Fixed bug #77177 (Serializing or unserializing COM objects crashes). (cmb)
    
    - Date:
      . Fixed bug #77097 (DateTime::diff gives wrong diff when the actual diff is
        less than 1 second). (Derick)
    
    - Exif:
      . Fixed bug #77184 (Unsigned rational numbers are written out as signed
        rationals). (Colin Basnett)
    
    - GD:
      . Fixed bug #77269 (efree() on uninitialized Heap data in imagescale leads to
        use-after-free). (cmb)
      . Fixed bug #77270 (imagecolormatch Out Of Bounds Write on Heap). (cmb)
      . Fixed bug #77195 (Incorrect error handling of imagecreatefromjpeg()). (cmb)
      . Fixed bug #77198 (auto cropping has insufficient precision). (cmb)
      . Fixed bug #77200 (imagecropauto(…, GD_CROP_SIDES) crops left but not right).
        (cmb)
    
    - IMAP:
      . Fixed bug #77020 (null pointer dereference in imap_mail). (cmb)
    
    - Mbstring:
      . Fixed bug #77370 (Buffer overflow on mb regex functions - fetch_token). (Stas)
      . Fixed bug #77371 (heap buffer overflow in mb regex functions
        - compile_string_node). (Stas)
      . Fixed bug #77381 (heap buffer overflow in multibyte match_at). (Stas)
      . Fixed bug #77382 (heap buffer overflow due to incorrect length in
        expand_case_fold_string). (Stas)
      . Fixed bug #77385 (buffer overflow in fetch_token). (Stas)
      . Fixed bug #77394 (Buffer overflow in multibyte case folding - unicode). (Stas)
      . Fixed bug #77418 (Heap overflow in utf32be_mbc_to_code). (Stas)
    
    - OCI8:
      . Fixed bug #76804 (oci_pconnect with OCI_CRED_EXT not working). (KoenigsKind)
      . Added oci_set_call_timeout() for call timeouts.
      . Added oci_set_db_operation() for the DBOP end-to-end-tracing attribute.
    
    - Opcache:
      . Fixed bug #77215 (CFG assertion failure on multiple finalizing switch
        frees in one block). (Nikita)
    
    - PDO:
      . Handle invalid index passed to PDOStatement::fetchColumn() as error. (Sergei
        Morozov)
    
    - Phar:
      . Fixed bug #77247 (heap buffer overflow in phar_detect_phar_fname_ext). (Stas)
    
    - Sockets:
      . Fixed bug #77136 (Unsupported IPV6_RECVPKTINFO constants on macOS).
        (Mizunashi Mana)
    
    - SQLite3:
      . Fixed bug #77051 (Issue with re-binding on SQLite3). (BohwaZ)
    
    - Xmlrpc:
      . Fixed bug #77242 (heap out of bounds read in xmlrpc_decode()). (cmb)
      . Fixed bug #77380 (Global out of bounds read in xmlrpc base64 code). (Stas)

    PHP 7.1.26 Change Log

    Code:
    10 Jan 2019, PHP 7.1.26
    
    - Core:
      . Fixed bug #77369 (memcpy with negative length via crafted DNS response). (Stas)
    
    - GD:
      . Fixed bug #77269 (efree() on uninitialized Heap data in imagescale leads to
        use-after-free). (cmb)
      . Fixed bug #77270 (imagecolormatch Out Of Bounds Write on Heap). (cmb)
    
    - IMAP:
      . Fixed bug #77020 (null pointer dereference in imap_mail). (cmb)
    
    - Mbstring:
      . Fixed bug #77370 (Buffer overflow on mb regex functions - fetch_token). (Stas)
      . Fixed bug #77371 (heap buffer overflow in mb regex functions
        - compile_string_node). (Stas)
      . Fixed bug #77381 (heap buffer overflow in multibyte match_at). (Stas)
      . Fixed bug #77382 (heap buffer overflow due to incorrect length in
        expand_case_fold_string). (Stas)
      . Fixed bug #77385 (buffer overflow in fetch_token). (Stas)
      . Fixed bug #77394 (Buffer overflow in multibyte case folding - unicode). (Stas)
      . Fixed bug #77418 (Heap overflow in utf32be_mbc_to_code). (Stas)
    
    - Phar:
      . Fixed bug #77247 (heap buffer overflow in phar_detect_phar_fname_ext). (Stas)
    
    - Xmlrpc:
      . Fixed bug #77242 (heap out of bounds read in xmlrpc_decode()). (cmb)
      . Fixed bug #77380 (Global out of bounds read in xmlrpc base64 code). (Stas)

    PHP 5.6.40 Change Log

    Code:
    10 Jan 2019, PHP 5.6.40
    
    - GD:
      . Fixed bug #77269 (efree() on uninitialized Heap data in imagescale leads to
        use-after-free). (cmb)
      . Fixed bug #77270 (imagecolormatch Out Of Bounds Write on Heap). (cmb)
    
    - Mbstring:
      . Fixed bug #77370 (Buffer overflow on mb regex functions - fetch_token). (Stas)
      . Fixed bug #77371 (heap buffer overflow in mb regex functions
        - compile_string_node). (Stas)
      . Fixed bug #77381 (heap buffer overflow in multibyte match_at). (Stas)
      . Fixed bug #77382 (heap buffer overflow due to incorrect length in
        expand_case_fold_string). (Stas)
      . Fixed bug #77385 (buffer overflow in fetch_token). (Stas)
      . Fixed bug #77394 (Buffer overflow in multibyte case folding - unicode). (Stas)
      . Fixed bug #77418 (Heap overflow in utf32be_mbc_to_code). (Stas)
    
    - Phar:
      . Fixed bug #77247 (heap buffer overflow in phar_detect_phar_fname_ext). (Stas)
    
    - Xmlrpc:
      . Fixed bug #77242 (heap out of bounds read in xmlrpc_decode()). (cmb)
      . Fixed bug #77380 (Global out of bounds read in xmlrpc base64 code). (Stas)
     
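
A post-upgrade check for the upgrade and troubleshooting steps in this thread, as an added example that is not part of the original posts or of centmin.sh: it tells you whether a PHP version string is at the security release for its branch, and turns "Unable to load dynamic library" startup warnings into a per-extension list. The function names are hypothetical, the sample warnings are constructed (shortened from the ones quoted in the thread), and the ini file is assumed to be named after the extension under /etc/centminmod/php.d, as in the thread's memcache.ini and mailparse.ini examples.

```shell
#!/bin/sh
# Added example: post-upgrade audit for the releases announced in this thread.
# Function names are hypothetical; this is not part of centmin.sh.

INI_DIR=/etc/centminmod/php.d   # scan directory shown by `php --ini` in the thread

# Security release per branch, taken from the thread title.
min_patch_for_branch() {
  case "$1" in
    5.6) echo 40 ;;
    7.1) echo 26 ;;
    7.2) echo 14 ;;
    7.3) echo 1 ;;
    *)   return 1 ;;            # branch not covered by these releases
  esac
}

# php_patch_status VERSION  ->  patched | outdated | eol | unknown
php_patch_status() {
  ver=$1
  case "$ver" in
    *.*.*) ;;
    *) echo unknown; return 0 ;;
  esac
  branch=${ver%.*}              # 7.3.1     -> 7.3
  patch=${ver##*.}              # 7.3.1     -> 1
  patch=${patch%%[!0-9]*}       # 0-dev     -> 0
  [ -n "$patch" ] || { echo unknown; return 0; }
  # The thread states the 7.0 branch is EOL and got no security release.
  if [ "$branch" = "7.0" ]; then echo eol; return 0; fi
  min=$(min_patch_for_branch "$branch") || { echo unknown; return 0; }
  if [ "$patch" -ge "$min" ]; then echo patched; else echo outdated; fi
}

# ext_load_failures: read PHP startup output on stdin and print one line per
# extension that failed to load: "<extension> <reason> <ini file>".
#   abi-mismatch  the .so exists but has an undefined symbol, i.e. it was built
#                 for a different PHP build and needs recompiling
#   missing       no .so for this PHP version's extension directory
ext_load_failures() {
  awk -v inidir="$INI_DIR" '
    /Unable to load dynamic library/ {
      # The library is the first single-quoted token on the line.
      n = split($0, q, "\047")
      if (n < 3) next
      lib = q[2]
      sub(/.*\//, "", lib)      # drop directory part
      sub(/\.so$/, "", lib)     # memcached.so -> memcached
      if ($0 ~ /undefined symbol:/)                   why = "abi-mismatch"
      else if ($0 ~ /cannot open shared object file/) why = "missing"
      else                                            why = "other"
      if (!(lib in seen)) {
        seen[lib] = 1
        print lib, why, inidir "/" lib ".ini"
      }
    }'
}

# Constructed sample input, shortened from the warnings quoted in the thread.
SAMPLE_LOG="PHP Warning:  PHP Startup: Unable to load dynamic library '/usr/local/lib/php/extensions/no-debug-zts-20180731/memcached.so' (tried: /usr/local/lib/php/extensions/no-debug-zts-20180731/memcached.so (undefined symbol: executor_globals_id)) in Unknown on line 0
PHP Warning:  PHP Startup: Unable to load dynamic library 'redis.so' (tried: /usr/local/lib/php/extensions/no-debug-non-zts-20180731/redis.so (cannot open shared object file: No such file or directory)) in Unknown on line 0"

# Demo on constructed input. On a server, feed it live data instead:
#   php_patch_status "$(php -r 'echo PHP_VERSION;')"
#   php -m 2>&1 | ext_load_failures
for v in 7.3.1 7.2.13 7.0.33 5.6.40; do
  printf '%s %s\n' "$v" "$(php_patch_status "$v")"
done
printf '%s\n' "$SAMPLE_LOG" | ext_load_failures
```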