-
Notifications
You must be signed in to change notification settings - Fork 542
/
ChangeLog-5.php
15956 lines (15251 loc) · 796 KB
/
ChangeLog-5.php
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598
599
600
601
602
603
604
605
606
607
608
609
610
611
612
613
614
615
616
617
618
619
620
621
622
623
624
625
626
627
628
629
630
631
632
633
634
635
636
637
638
639
640
641
642
643
644
645
646
647
648
649
650
651
652
653
654
655
656
657
658
659
660
661
662
663
664
665
666
667
668
669
670
671
672
673
674
675
676
677
678
679
680
681
682
683
684
685
686
687
688
689
690
691
692
693
694
695
696
697
698
699
700
701
702
703
704
705
706
707
708
709
710
711
712
713
714
715
716
717
718
719
720
721
722
723
724
725
726
727
728
729
730
731
732
733
734
735
736
737
738
739
740
741
742
743
744
745
746
747
748
749
750
751
752
753
754
755
756
757
758
759
760
761
762
763
764
765
766
767
768
769
770
771
772
773
774
775
776
777
778
779
780
781
782
783
784
785
786
787
788
789
790
791
792
793
794
795
796
797
798
799
800
801
802
803
804
805
806
807
808
809
810
811
812
813
814
815
816
817
818
819
820
821
822
823
824
825
826
827
828
829
830
831
832
833
834
835
836
837
838
839
840
841
842
843
844
845
846
847
848
849
850
851
852
853
854
855
856
857
858
859
860
861
862
863
864
865
866
867
868
869
870
871
872
873
874
875
876
877
878
879
880
881
882
883
884
885
886
887
888
889
890
891
892
893
894
895
896
897
898
899
900
901
902
903
904
905
906
907
908
909
910
911
912
913
914
915
916
917
918
919
920
921
922
923
924
925
926
927
928
929
930
931
932
933
934
935
936
937
938
939
940
941
942
943
944
945
946
947
948
949
950
951
952
953
954
955
956
957
958
959
960
961
962
963
964
965
966
967
968
969
970
971
972
973
974
975
976
977
978
979
980
981
982
983
984
985
986
987
988
989
990
991
992
993
994
995
996
997
998
999
1000
<?php
$_SERVER['BASE_PAGE'] = 'ChangeLog-5.php';
include_once __DIR__ . '/include/prepend.inc';
include_once __DIR__ . '/include/changelogs.inc';
$MINOR_VERSIONS = ['5.6', '5.5', '5.4', '5.3', '5.2', '5.1', '5.0'];
changelog_header(5, $MINOR_VERSIONS);
?>
<a id="PHP_5_6"></a>
<section class="version" id="5.6.40"><!-- {{{ 5.6.40 -->
<h3>Version 5.6.40</h3>
<b><?php release_date('10-Jan-2019'); ?></b>
<ul><li>GD:
<ul>
<li><?php bugfix(77269); ?> (efree() on uninitialized Heap data in imagescale leads to
use-after-free). (CVE-2016-10166)</li>
<li><?php bugfix(77270); ?> (imagecolormatch Out Of Bounds Write on Heap). (CVE-2019-6977)</li>
</ul></li>
<li>Mbstring:
<ul>
<li><?php bugfix(77370); ?> (Buffer overflow on mb regex functions - fetch_token). (CVE-2019-9023)</li>
<li><?php bugfix(77371); ?> (heap buffer overflow in mb regex functions - compile_string_node). (CVE-2019-9023)</li>
<li><?php bugfix(77381); ?> (heap buffer overflow in multibyte match_at). (CVE-2019-9023)</li>
<li><?php bugfix(77382); ?> (heap buffer overflow due to incorrect length in expand_case_fold_string). (CVE-2019-9023)</li>
<li><?php bugfix(77385); ?> (buffer overflow in fetch_token). (CVE-2019-9023)</li>
<li><?php bugfix(77394); ?> (Buffer overflow in multibyte case folding - unicode). (CVE-2019-9023)</li>
<li><?php bugfix(77418); ?> (Heap overflow in utf32be_mbc_to_code). (CVE-2019-9023)</li>
</ul></li>
<li>Phar:
<ul>
<li><?php bugfix(77247); ?> (heap buffer overflow in phar_detect_phar_fname_ext). (CVE-2019-9021)</li>
</ul></li>
<li>Xmlrpc:
<ul>
<li><?php bugfix(77242); ?> (heap out of bounds read in xmlrpc_decode()). (CVE-2019-9020)</li>
<li><?php bugfix(77380); ?> (Global out of bounds read in xmlrpc base64 code). (CVE-2019-9024)</li>
</ul></li>
</ul>
<!-- }}} --></section>
<section class="version" id="5.6.39"><!-- {{{ 5.6.39 -->
<h3>Version 5.6.39</h3>
<b><?php release_date('06-Dec-2018'); ?></b>
<ul><li>Core:
<ul>
<li><?php bugfix(77231); ?> (Segfault when using convert.quoted-printable-encode filter).</li>
</ul></li>
<li>IMAP:
<ul>
<li><?php bugfix(77020); ?> (null pointer dereference in imap_mail).</li>
<li><?php bugfix(77153); ?> (imap_open allows to run arbitrary shell commands via mailbox parameter). (CVE-2018-19518)</li>
</ul></li>
<li>Phar:
<ul>
<li><?php bugfix(77022); ?> (PharData always creates new files with mode 0666).</li>
<li><?php bugfix(77143); ?> (Heap Buffer Overflow (READ: 4) in phar_parse_pharfile). (CVE-2018-20783)</li>
</ul></li>
</ul>
<!-- }}} --></section>
<section class="version" id="5.6.38"><!-- {{{ 5.6.38 -->
<h3>Version 5.6.38</h3>
<b><?php release_date('13-Sep-2018'); ?></b>
<ul><li>Apache2:
<ul>
<li><?php bugfix(76582); ?> (XSS due to the header Transfer-Encoding: chunked). (CVE-2018-17082)</li>
</ul></li>
</ul>
<!-- }}} --></section>
<section class="version" id="5.6.37"><!-- {{{ 5.6.37 -->
<h3>Version 5.6.37</h3>
<b><?php release_date('19-Jul-2018'); ?></b>
<ul><li>Exif:
<ul>
<li><?php bugfix(76423); ?> (Int Overflow lead to Heap OverFlow in exif_thumbnail_extract of exif.c). (CVE-2018-14883)</li>
<li><?php bugfix(76557); ?> (heap-buffer-overflow (READ of size 48) while reading exif data). (CVE-2018-14851)</li>
</ul></li>
<li>Win32:
<ul>
<li><?php bugfix(76459); ?> (windows linkinfo lacks openbasedir check). (CVE-2018-15132)</li>
</ul></li>
</ul>
<!-- }}} --></section>
<section class="version" id="5.6.36"><!-- {{{ 5.6.36 -->
<h3>Version 5.6.36</h3>
<b><?php release_date('26-Apr-2018'); ?></b>
<ul><li>Exif:
<ul>
<li><?php bugfix(76130); ?> (Heap Buffer Overflow (READ: 1786) in exif_iif_add_value). (CVE-2018-10549)</li>
</ul></li>
<li>iconv:
<ul>
<li><?php bugfix(76249); ?> (stream filter convert.iconv leads to infinite loop on invalid sequence). (CVE-2018-10546)</li>
</ul></li>
<li>LDAP:
<ul>
<li><?php bugfix(76248); ?> (Malicious LDAP-Server Response causes Crash). (CVE-2018-10548)</li>
</ul></li>
<li>Phar:
<ul>
<li><?php bugfix(76129); ?> (fix for CVE-2018-5712 may not be complete). (CVE-2018-10547)</li>
</ul></li>
</ul>
<!-- }}} --></section>
<section class="version" id="5.6.35"><!-- {{{ 5.6.35 -->
<h3>Version 5.6.35</h3>
<b><?php release_date('29-Mar-2018'); ?></b>
<ul><li>FPM:
<ul>
<li><?php bugfix(75605); ?> (Dumpable FPM child processes allow bypassing opcache access controls). (CVE-2018-10545)</li>
</ul></li>
</ul>
<!-- }}} --></section>
<section class="version" id="5.6.34"><!-- {{{ 5.6.34 -->
<h3>Version 5.6.34</h3>
<b><?php release_date('01-Mar-2018'); ?></b>
<ul><li>Standard:
<ul>
<li><?php bugfix(75981); ?> (stack-buffer-overflow while parsing HTTP response). (CVE-2018-7584)</li>
</ul></li>
</ul>
<!-- }}} --></section>
<section class="version" id="5.6.33"><!-- {{{ 5.6.33 -->
<h3>Version 5.6.33</h3>
<b><?php release_date('04-Jan-2018'); ?></b>
<ul><li>GD:
<ul>
<li><?php bugfix(75571); ?> (Potential infinite loop in gdImageCreateFromGifCtx). (CVE-2018-5711)</li>
</ul></li>
<li>Phar:
<ul>
<li><?php bugfix(74782); ?> (Reflected XSS in .phar 404 page). (CVE-2018-5712)</li>
</ul></li>
</ul>
<!-- }}} --></section>
<section class="version" id="5.6.32"><!-- {{{ 5.6.32 -->
<h3>Version 5.6.32</h3>
<b><?php release_date('26-Oct-2017'); ?></b>
<ul><li>Date:
<ul>
<li><?php bugfix(75055); ?> (Out-Of-Bounds Read in timelib_meridian()). (CVE-2017-16642)</li>
</ul></li>
<li>mcrypt:
<ul>
<li><?php bugfix(72535); ?> (arcfour encryption stream filter crashes php).</li>
</ul></li>
<li>PCRE:
<ul>
<li><?php bugfix(75207); ?> (applied upstream patch for CVE-2016-1283).</li>
</ul></li>
</ul>
<!-- }}} --></section>
<section class="version" id="5.6.31"><!-- {{{ 5.6.31 -->
<h3>Version 5.6.31</h3>
<b><?php release_date('06-Jul-2017'); ?></b>
<ul><li>Core:
<ul>
<li><?php bugfix(73807); ?> (Performance problem with processing large post request). (CVE-2017-11142)</li>
<li><?php bugfix(74111); ?> (Heap buffer overread (READ: 1) finish_nested_data from unserialize). (CVE-2017-12933)</li>
<li><?php bugfix(74603); ?> (PHP INI Parsing Stack Buffer Overflow Vulnerability). (CVE-2017-11628)</li>
<li><?php bugfix(74819); ?> (wddx_deserialize() heap out-of-bound read via php_parse_date()). (CVE-2017-11145)</li>
</ul></li>
<li>GD:
<ul>
<li><?php bugfix(74435); ?> (Buffer over-read into uninitialized memory). (CVE-2017-7890)</li>
</ul></li>
<li>mbstring:
<ul>
<li>Add oniguruma upstream fix (CVE-2017-9224, CVE-2017-9226, CVE-2017-9227, CVE-2017-9228, CVE-2017-9229)</li>
</ul></li>
<li>OpenSSL:
<ul>
<li><?php bugfix(74651); ?> (negative-size-param (-1) in memcpy in zif_openssl_seal()). (CVE-2017-11144)</li>
</ul></li>
<li>PCRE:
<ul>
<li><?php bugfix(74087); ?> (Segmentation fault in PHP7.1.1(compiled using the bundled PCRE library)).</li>
</ul></li>
<li>WDDX:
<ul>
<li><?php bugfix(74145); ?> (wddx parsing empty boolean tag leads to SIGSEGV). (CVE-2017-11143)</li>
</ul></li>
</ul>
<!-- }}} --></section>
<section class="version" id="5.6.30"><!-- {{{ 5.6.30 -->
<h3>Version 5.6.30</h3>
<b><?php release_date('19-Jan-2017'); ?></b>
<ul><li>EXIF:
<ul>
<li><?php bugfix(73737); ?> (FPE when parsing a tag format). (CVE-2016-10158)</li>
</ul></li>
<li>GD:
<ul>
<li><?php bugfix(73549); ?> (Use after free when stream is passed to imagepng).</li>
<li><?php bugfix(73868); ?> (DOS vulnerability in gdImageCreateFromGd2Ctx()). (CVE-2016-10167)</li>
<li><?php bugfix(73869); ?> (Signed Integer Overflow gd_io.c). (CVE-2016-10168)</li>
</ul></li>
<li>Intl:
<ul>
<li><?php bugfix(68447); ?> (grapheme_extract take an extra trailing character).</li>
</ul></li>
<li>Phar:
<ul>
<li><?php bugfix(73764); ?> (Crash while loading hostile phar archive). (CVE-2016-10159)</li>
<li><?php bugfix(73768); ?> (Memory corruption when loading hostile phar). (CVE-2016-10160)</li>
<li><?php bugfix(73773); ?> (Seg fault when loading hostile phar). (CVE-2017-11147)</li>
</ul></li>
<li>SQLite3:
<ul>
<li>Reverted fix for bug <?php bugl(73530); ?> (Unsetting result set may reset other result set).</li>
</ul></li>
<li>Standard:
<ul>
<li><?php bugfix(70213); ?> (Unserialize context shared on double class lookup).</li>
<li><?php bugfix(73825); ?> (Heap out of bounds read on unserialize in finish_nested_data()). (CVE-2016-10161)</li>
</ul></li>
</ul>
<!-- }}} --></section>
<section class="version" id="5.6.29"><!-- {{{ 5.6.29 -->
<h3>Version 5.6.29</h3>
<b><?php release_date('08-Dec-2016'); ?></b>
<ul><li>Mysqlnd:
<ul>
<li><?php bugfix(64526); ?> (Add missing mysqlnd.* parameters to php.ini-*).</li>
</ul></li>
<li>Opcache:
<ul>
<li><?php bugfix(73402); ?> (Opcache segfault when using class constant to call a method).</li>
<li><?php bugfix(69090); ?> (check cached files permissions)</li>
</ul></li>
<li>OpenSSL:
<ul>
<li><?php bugfix(72776); ?> (Invalid parameter in memcpy function trough openssl_pbkdf2).</li>
</ul></li>
<li>Postgres:
<ul>
<li><?php bugfix(73498); ?> (Incorrect SQL generated for pg_copy_to()).</li>
</ul></li>
<li>SOAP:
<ul>
<li><?php bugfix(73452); ?> (Segfault (Regression for <?php bugl(69152); ?>)).</li>
</ul></li>
<li>SQLite3:
<ul>
<li><?php bugfix(73530); ?> (Unsetting result set may reset other result set).</li>
</ul></li>
<li>Standard:
<ul>
<li><?php bugfix(73297); ?> (HTTP stream wrapper should ignore HTTP 100 Continue).</li>
</ul></li>
<li>WDDX:
<ul>
<li><?php bugfix(73631); ?> (Invalid read when wddx decodes empty boolean element). (CVE-2016-9935)</li>
</ul></li>
</ul>
<!-- }}} --></section>
<section class="version" id="5.6.28"><!-- {{{ 5.6.28 -->
<h3>Version 5.6.28</h3>
<b><?php release_date('10-Nov-2016'); ?></b>
<ul><li>Core:
<ul>
<li><?php bugfix(73337); ?> (try/catch not working with two exceptions inside a same operation).</li>
</ul></li>
<li>Bz2:
<ul>
<li><?php bugfix(73356); ?> (crash in bzcompress function).</li>
</ul></li>
<li>GD:
<ul>
<li><?php bugfix(73213); ?> (Integer overflow in imageline() with antialiasing).</li>
<li><?php bugfix(73272); ?> (imagescale() is not affected by, but affects imagesetinterpolation()).</li>
<li><?php bugfix(73279); ?> (Integer overflow in gdImageScaleBilinearPalette()).</li>
<li><?php bugfix(73280); ?> (Stack Buffer Overflow in GD dynamicGetbuf).</li>
<li><?php bugfix(72482); ?> (Illegal write/read access caused by gdImageAALine overflow).</li>
<li><?php bugfix(72696); ?> (imagefilltoborder stackoverflow on truecolor images). (CVE-2016-9933)</li>
</ul></li>
<li>Imap:
<ul>
<li><?php bugfix(73418); ?> (Integer Overflow in "_php_imap_mail" leads Heap Overflow).</li>
</ul></li>
<li>SPL:
<ul>
<li><?php bugfix(73144); ?> (Use-after-free in ArrayObject Deserialization).</li>
</ul></li>
<li>SOAP:
<ul>
<li><?php bugfix(73037); ?> (SoapServer reports Bad Request when gzipped).</li>
</ul></li>
<li>SQLite3:
<ul>
<li><?php bugfix(73333); ?> (2147483647 is fetched as string).</li>
</ul></li>
<li>Standard:
<ul>
<li><?php bugfix(73203); ?> (passing additional_parameters causes mail to fail).</li>
<li><?php bugfix(73188); ?> (use after free in userspace streams).</li>
<li><?php bugfix(73192); ?> (parse_url return wrong hostname).</li>
</ul></li>
<li>Wddx:
<ul>
<li><?php bugfix(73331); ?> (NULL Pointer Dereference in WDDX Packet Deserialization with PDORow). (CVE-2016-9934)</li>
</ul></li>
</ul>
<!-- }}} --></section>
<section class="version" id="5.6.27"><!-- {{{ 5.6.27 -->
<h3>Version 5.6.27</h3>
<?php release_date('13-Oct-2016'); ?>
<ul><li>Core:
<ul>
<li><?php bugfix(73025); ?> (Heap Buffer Overflow in virtual_popen of zend_virtual_cwd.c).</li>
<li><?php bugfix(73058); ?> (crypt broken when salt is 'too' long).</li>
<li><?php bugfix(72703); ?> (Out of bounds global memory read in BF_crypt triggered by
password_verify).</li>
<li><?php bugfix(73189); ?> (Memcpy negative size parameter php_resolve_path).</li>
<li><?php bugfix(73147); ?> (Use After Free in unserialize()).</li>
</ul></li>
<li>BCmath:
<ul>
<li><?php bugfix(73190); ?> (memcpy negative parameter _bc_new_num_ex).</li>
</ul></li>
<li>DOM:
<ul>
<li><?php bugfix(73150); ?> (missing NULL check in dom_document_save_html).</li>
</ul></li>
<li>Ereg:
<ul>
<li><?php bugfix(73284); ?> (heap overflow in php_ereg_replace function).</li>
</ul></li>
<li>Filter:
<ul>
<li><?php bugfix(72972); ?> (Bad filter for the flags FILTER_FLAG_NO_RES_RANGE and
FILTER_FLAG_NO_PRIV_RANGE).</li>
<li><?php bugfix(67167); ?> (Wrong return value from FILTER_VALIDATE_BOOLEAN, FILTER_NULL_ON_FAILURE).</li>
<li><?php bugfix(73054); ?> (default option ignored when object passed to int filter).</li>
</ul></li>
<li>GD:
<ul>
<li><?php bugfix(67325); ?> (imagetruecolortopalette: white is duplicated in palette).</li>
<li><?php bugfix(50194); ?> (imagettftext broken on transparent background w/o alphablending).</li>
<li><?php bugfix(73003); ?> (Integer Overflow in gdImageWebpCtx of gd_webp.c).</li>
<li><?php bugfix(53504); ?> (imagettfbbox gives incorrect values for bounding box).</li>
<li><?php bugfix(73157); ?> (imagegd2() ignores 3rd param if 4 are given).</li>
<li><?php bugfix(73155); ?> (imagegd2() writes wrong chunk sizes on boundaries).</li>
<li><?php bugfix(73159); ?> (imagegd2(): unrecognized formats may result in corrupted files).</li>
<li><?php bugfix(73161); ?> (imagecreatefromgd2() may leak memory).</li>
</ul></li>
<li>Intl:
<ul>
<li><?php bugfix(73218); ?> (add mitigation for ICU int overflow).</li>
</ul></li>
<li>Imap:
<ul>
<li><?php bugfix(73208); ?> (integer overflow in imap_8bit caused heap corruption).</li>
</ul></li>
<li>Mbstring:
<ul>
<li><?php bugfix(72994); ?> (mbc_to_code() out of bounds read).</li>
<li><?php bugfix(66964); ?> (mb_convert_variables() cannot detect recursion).</li>
<li><?php bugfix(72992); ?> (mbstring.internal_encoding doesn't inherit default_charset).</li>
<li><?php bugfix(73082); ?> (string length overflow in mb_encode_* function).</li>
</ul></li>
<li>PCRE:
<ul>
<li><?php bugfix(73174); ?> (heap overflow in php_pcre_replace_impl).</li>
</ul></li>
<li>Opcache:
<ul>
<li><?php bugfix(72590); ?> (Opcache restart with kill_all_lockers does not work).</li>
</ul></li>
<li>OpenSSL:
<ul>
<li><?php bugfix(73072); ?> (Invalid path SNI_server_certs causes segfault).</li>
<li><?php bugfix(73275); ?> (crash in openssl_encrypt function).</li>
<li><?php bugfix(73276); ?> (crash in openssl_random_pseudo_bytes function).</li>
</ul></li>
<li>Session:
<ul>
<li><?php bugfix(68015); ?> (Session does not report invalid uid for files save handler).</li>
<li><?php bugfix(73100); ?> (session_destroy null dereference in ps_files_path_create).</li>
</ul></li>
<li>SimpleXML:
<ul>
<li><?php bugfix(73293); ?> (NULL pointer dereference in SimpleXMLElement::asXML()).</li>
</ul></li>
<li>SPL:
<ul>
<li><?php bugfix(73073); ?> (CachingIterator null dereference when convert to string).</li>
</ul></li>
<li>Standard:
<ul>
<li><?php bugfix(73240); ?> (Write out of bounds at number_format).</li>
<li><?php bugfix(73017); ?> (memory corruption in wordwrap function).</li>
</ul></li>
<li>Stream:
<ul>
<li><?php bugfix(73069); ?> (readfile() mangles files larger than 2G).</li>
</ul></li>
<li>Zip:
<ul>
<li><?php bugfix(70752); ?> (Depacking with wrong password leaves 0 length files).</li>
</ul></li>
</ul>
<!-- }}} --></section>
<section class="version" id="5.6.26"><!-- {{{ 5.6.26 -->
<h3>Version 5.6.26</h3>
<?php release_date('15-Sep-2016'); ?>
<ul><li>Core:
<ul>
<li><?php bugfix(72907); ?> (null pointer deref, segfault in gc_remove_zval_from_buffer (zend_gc.c:260)).</li>
</ul></li>
<li>Dba:
<ul>
<li><?php bugfix(71514); ?> (Bad dba_replace condition because of wrong API usage).</li>
<li><?php bugfix(70825); ?> (Cannot fetch multiple values with group in ini file).</li>
</ul></li>
<li>EXIF:
<ul>
<li><?php bugfix(72926); ?> (Uninitialized Thumbail Data Leads To Memory Leakage in exif_process_IFD_in_TIFF).</li>
</ul></li>
<li>FTP:
<ul>
<li><?php bugfix(70195); ?> (Cannot upload file using ftp_put to FTPES with require_ssl_reuse).</li>
</ul></li>
<li>GD:
<ul>
<li><?php bugfix(66005); ?> (imagecopy does not support 1bit transparency on truecolor images).</li>
<li><?php bugfix(72913); ?> (imagecopy() loses single-color transparency on palette images).</li>
<li><?php bugfix(68716); ?> (possible resource leaks in _php_image_convert()).</li>
</ul></li>
<li>Intl:
<ul>
<li><?php bugfix(73007); ?> (add locale length check). (CVE-2016-7416)</li>
</ul></li>
<li>JSON:
<ul>
<li><?php bugfix(72787); ?> (json_decode reads out of bounds).</li>
</ul></li>
<li>mbstring:
<ul>
<li><?php bugfix(66797); ?> (mb_substr only takes 32-bit signed integer).</li>
<li><?php bugfix(72910); ?> (Out of bounds heap read in mbc_to_code() / triggered by mb_ereg_match()).</li>
</ul></li>
<li>MSSQL:
<ul>
<li><?php bugfix(72039); ?> (Use of uninitialised value on mssql_guid_string).</li>
</ul></li>
<li>Mysqlnd:
<ul>
<li><?php bugfix(72293); ?> (Heap overflow in mysqlnd related to BIT fields). (CVE-2016-7412)</li>
</ul></li>
<li>PDO:
<ul>
<li><?php bugfix(60665); ?> (call to empty() on NULL result using PDO::FETCH_LAZY returns false).</li>
</ul></li>
<li>PDO_pgsql:
<ul>
<li>Implemented FR <?php bugl(72633); ?> (Postgres PDO lastInsertId() should work without specifying a sequence).</li>
<li><?php bugfix(72759); ?> (Regression in pgo_pgsql).</li>
</ul></li>
<li>Phar:
<ul>
<li><?php bugfix(72928); ?> (Out of bound when verify signature of zip phar in phar_parse_zipfile). (CVE-2016-7414)</li>
<li><?php bugfix(73035); ?> (Out of bound when verify signature of tar phar in phar_parse_tarfile).</li>
</ul></li>
<li>SPL:
<ul>
<li><?php bugfix(73029); ?> (Missing type check when unserializing SplArray). (CVE-2016-7417)</li>
</ul></li>
<li>Standard:
<ul>
<li><?php bugfix(72823); ?> (strtr out-of-bound access).</li>
<li><?php bugfix(72278); ?> (getimagesize returning FALSE on valid jpg).</li>
<li><?php bugfix(65550); ?> (get_browser() incorrectly parses entries with "+" sign).</li>
<li><?php bugfix(71882); ?> (Negative ftruncate() on php://memory exhausts memory).</li>
<li><?php bugfix(73011); ?> (integer overflow in fgets cause heap corruption).</li>
<li><?php bugfix(73017); ?> (memory corruption in wordwrap function).</li>
<li><?php bugfix(73045); ?> (integer overflow in fgetcsv caused heap corruption).</li>
<li><?php bugfix(73052); ?> (Memory Corruption in During Deserialized-object Destruction). (CVE-2016-7411)</li>
</ul></li>
<li>Streams:
<ul>
<li><?php bugfix(72853); ?> (stream_set_blocking doesn't work).</li>
</ul></li>
<li>Wddx:
<ul>
<li><?php bugfix(72860); ?> (wddx_deserialize use-after-free). (CVE-2016-7413)</li>
<li><?php bugfix(73065); ?> (Out-Of-Bounds Read in php_wddx_push_element). (CVE-2016-7418)</li>
</ul></li>
<li>XML:
<ul>
<li><?php bugfix(72085); ?> (SEGV on unknown address zif_xml_parse).</li>
<li><?php bugfix(72927); ?> (integer overflow in xml_utf8_encode).</li>
</ul></li>
<li>ZIP:
<ul>
<li><?php bugfix(68302); ?> (impossible to compile php with zip support).</li>
</ul></li>
</ul>
<!-- }}} --></section>
<section class="version" id="5.6.25"><!-- {{{ 5.6.25 -->
<h3>Version 5.6.25</h3>
<?php release_date('18-Aug-2016'); ?>
<ul><li>Core:
<ul>
<li><?php bugfix(70436); ?> (Use After Free Vulnerability in unserialize()).</li>
<li><?php bugfix(72024); ?> (microtime() leaks memory).</li>
<li><?php bugfix(72581); ?> (previous property undefined in Exception after deserialization).</li>
<li>Implemented FR <?php bugl(72614); ?> (Support "nmake test" on building extensions by phpize).</li>
<li><?php bugfix(72641); ?> (phpize (on Windows) ignores PHP_PREFIX).</li>
<li><?php bugfix(72663); ?> (Create an Unexpected Object and Don't Invoke __wakeup() in Deserialization). (CVE-2016-7124)</li>
<li><?php bugfix(72681); ?> (PHP Session Data Injection Vulnerability). (CVE-2016-7125)</li>
</ul></li>
<li>Bz2:
<ul>
<li><?php bugfix(72837); ?> (integer overflow in bzdecompress caused heap corruption).</li>
</ul></li>
<li>Calendar:
<ul>
<li><?php bugfix(67976); ?> (cal_days_month() fails for final month of the French calendar).</li>
<li><?php bugfix(71894); ?> (AddressSanitizer: global-buffer-overflow in zif_cal_from_jd).</li>
</ul></li>
<li>Curl:
<ul>
<li><?php bugfix(71144); ?> (Segmentation fault when using cURL with ZTS).</li>
<li><?php bugfix(71929); ?> (Certification information (CERTINFO) data parsing error).</li>
<li><?php bugfix(72807); ?> (integer overflow in curl_escape caused heap corruption).</li>
</ul></li>
<li>DOM:
<ul>
<li><?php bugfix(66502); ?> (DOM document dangling reference).</li>
</ul></li>
<li>Ereg:
<ul>
<li><?php bugfix(72838); ?> (Integer overflow lead to heap corruption in sql_regcase).</li>
</ul></li>
<li>EXIF:
<ul>
<li><?php bugfix(72627); ?> (Memory Leakage In exif_process_IFD_in_TIFF). (CVE-2016-7128)</li>
<li><?php bugfix(72735); ?> (Samsung picture thumb not read (zero size)).</li>
</ul></li>
<li>Filter:
<ul>
<li><?php bugfix(71745); ?> (FILTER_FLAG_NO_RES_RANGE does not cover whole 127.0.0.0/8 range).</li>
</ul></li>
<li>FPM:
<ul>
<li><?php bugfix(72575); ?> (using --allow-to-run-as-root should ignore missing user).</li>
</ul></li>
<li>GD:
<ul>
<li><?php bugfix(43828); ?> (broken transparency of imagearc for truecolor in blendingmode).</li>
<li><?php bugfix(66555); ?> (Always false condition in ext/gd/libgd/gdkanji.c).</li>
<li><?php bugfix(68712); ?> (suspicious if-else statements).</li>
<li><?php bugfix(70315); ?> (500 Server Error but page is fully rendered).</li>
<li><?php bugfix(72596); ?> (imagetypes function won't advertise WEBP support).</li>
<li><?php bugfix(72604); ?> (imagearc() ignores thickness for full arcs).</li>
<li><?php bugfix(72697); ?> (select_colors write out-of-bounds). (CVE-2016-7126)</li>
<li><?php bugfix(72709); ?> (imagesetstyle() causes OOB read for empty $styles).</li>
<li><?php bugfix(72730); ?> (imagegammacorrect allows arbitrary write access). (CVE-2016-7127)</li>
<li><?php bugfix(72494); ?> (imagecropauto out-of-bounds access)</li>
</ul></li>
<li>Intl:
<ul>
<li>Partially fixed <?php bugl(72506); ?> (idn_to_ascii for UTS #46 incorrect for long domain names).</li>
</ul></li>
<li>mbstring:
<ul>
<li><?php bugfix(72691); ?> (mb_ereg_search raises a warning if a match zero-width).</li>
<li><?php bugfix(72693); ?> (mb_ereg_search increments search position when a match zero-width).</li>
<li><?php bugfix(72694); ?> (mb_ereg_search_setpos does not accept a string's last position).</li>
<li><?php bugfix(72710); ?> (`mb_ereg` causes buffer overflow on regexp compile error).</li>
</ul></li>
<li>PCRE:
<ul>
<li><?php bugfix(72688); ?> (preg_match missing group names in matches).</li>
</ul></li>
<li>PDO_pgsql:
<ul>
<li><?php bugfix(70313); ?> (PDO statement fails to throw exception).</li>
</ul></li>
<li>Reflection:
<ul>
<li><?php bugfix(72222); ?> (ReflectionClass::export doesn't handle array constants).</li>
</ul></li>
<li>SNMP:
<ul>
<li><?php bugfix(72708); ?> (php_snmp_parse_oid integer overflow in memory allocation).</li>
</ul></li>
<li>Standard:
<ul>
<li><?php bugfix(72330); ?> (CSV fields incorrectly split if escape char followed by UTF chars).</li>
<li><?php bugfix(72836); ?> (integer overflow in base64_decode).</li>
<li><?php bugfix(72848); ?> (integer overflow in quoted_printable_encode).</li>
<li><?php bugfix(72849); ?> (integer overflow in urlencode).</li>
<li><?php bugfix(72850); ?> (integer overflow in php_uuencode).</li>
<li><?php bugfix(72716); ?> (initialize buffer before read).</li>
</ul></li>
<li>Streams:
<ul>
<li><?php bugfix(41021); ?> (Problems with the ftps wrapper).</li>
<li><?php bugfix(54431); ?> (opendir() does not work with ftps:// wrapper).</li>
<li><?php bugfix(72667); ?> (opendir() with ftp:// attempts to open data stream for non-existent directories).</li>
<li><?php bugfix(72764); ?> (ftps:// opendir wrapper data channel encryption fails with IIS FTP 7.5, 8.5).</li>
<li><?php bugfix(72771); ?> (ftps:// wrapper is vulnerable to protocol downgrade attack).</li>
</ul></li>
<li>SPL:
<ul>
<li><?php bugfix(72122); ?> (IteratorIterator breaks '@' error suppression).</li>
<li><?php bugfix(72646); ?> (SplFileObject::getCsvControl does not return the escape character).</li>
<li><?php bugfix(72684); ?> (AppendIterator segfault with closed generator).</li>
</ul></li>
<li>SQLite3:
<ul>
<li>Implemented FR <?php bugl(72653); ?> (SQLite should allow opening with empty filename).</li>
</ul></li>
<li>Wddx:
<ul>
<li><?php bugfix(72142); ?> (WDDX Packet Injection Vulnerability in wddx_serialize_value()).</li>
<li><?php bugfix(72749); ?> (wddx_deserialize allows illegal memory access). (CVE-2016-7129)</li>
<li><?php bugfix(72750); ?> (wddx_deserialize null dereference). (CVE-2016-7130)</li>
<li><?php bugfix(72790); ?> (wddx_deserialize null dereference with invalid xml). (CVE-2016-7131)</li>
<li><?php bugfix(72799); ?> (wddx_deserialize null dereference in php_wddx_pop_element). (CVE-2016-7132)</li>
</ul></li>
</ul>
<!-- }}} --></section>
<section class="version" id="5.6.24"><!-- {{{ 5.6.24 -->
<h3>Version 5.6.24</h3>
<?php release_date('21-Jul-2016'); ?>
<ul><li>Core:
<ul>
<li><?php bugfix(71936); ?> (Segmentation fault destroying HTTP_RAW_POST_DATA).</li>
<li><?php bugfix(72496); ?> (Cannot declare public method with signature incompatible with parent private method).</li>
<li><?php bugfix(72138); ?> (Integer Overflow in Length of String-typed ZVAL).</li>
<li><?php bugfix(72513); ?> (Stack-based buffer overflow vulnerability in virtual_file_ex). (CVE-2016-6289)</li>
<li><?php bugfix(72562); ?> (Use After Free in unserialize() with Unexpected Session Deserialization). (CVE-2016-6290)</li>
<li><?php bugfix(72573); ?> (HTTP_PROXY is improperly trusted by some PHP libraries and applications). (CVE-2016-5385)</li>
</ul></li>
<li>bz2:
<ul>
<li><?php bugfix(72447); ?> (Type Confusion in php_bz2_filter_create()).</li>
<li><?php bugfix(72613); ?> (Inadequate error handling in bzread()). (CVE-2016-5399)</li>
</ul></li>
<li>Date:
<ul>
<li><?php bugfix(66836); ?> (DateTime::createFromFormat 'U' with pre 1970 dates fails parsing).</li>
</ul></li>
<li>EXIF:
<ul>
<li><?php bugfix(50845); ?> (exif_read_data() returns corrupted exif headers).</li>
<li><?php bugfix(72603); ?> (Out of bound read in exif_process_IFD_in_MAKERNOTE). (CVE-2016-6291)</li>
<li><?php bugfix(72618); ?> (NULL Pointer Dereference in exif_process_user_comment). (CVE-2016-6292)</li>
</ul></li>
<li>GD:
<ul>
<li><?php bugfix(43475); ?> (Thick styled lines have scrambled patterns).</li>
<li><?php bugfix(53640); ?> (XBM images require width to be multiple of 8).</li>
<li><?php bugfix(64641); ?> (imagefilledpolygon doesn't draw horizontal line).</li>
<li><?php bugfix(72512); ?> (gdImageTrueColorToPaletteBody allows arbitrary write/read access).</li>
<li><?php bugfix(72519); ?> (imagegif/output out-of-bounds access).</li>
<li><?php bugfix(72558); ?> (Integer overflow error within _gdContributionsAlloc()). (CVE-2016-6207)</li>
</ul></li>
<li>Intl:
<ul>
<li><?php bugfix(72533); ?> (locale_accept_from_http out-of-bounds access). (CVE-2016-6294)</li>
</ul></li>
<li>OpenSSL:
<ul>
<li><?php bugfix(71915); ?> (openssl_random_pseudo_bytes is not fork-safe).</li>
<li><?php bugfix(72336); ?> (openssl_pkey_new does not fail for invalid DSA params).</li>
</ul></li>
<li>SNMP:
<ul>
<li><?php bugfix(72479); ?> (Use After Free Vulnerability in SNMP with GC and unserialize()). (CVE-2016-6295)</li>
</ul></li>
<li>SPL:
<ul>
<li><?php bugfix(55701); ?> (GlobIterator throws LogicException).</li>
</ul></li>
<li>SQLite3:
<ul>
<li><?php bugfix(70628); ?> (Clearing bindings on an SQLite3 statement doesn't work).</li>
</ul></li>
<li>Streams:
<ul>
<li><?php bugfix(72439); ?> (Stream socket with remote address leads to a segmentation fault).</li>
</ul></li>
<li>Xmlrpc:
<ul>
<li><?php bugfix(72606); ?> (heap-buffer-overflow (write) simplestring_addn simplestring.c). (CVE-2016-6296)</li>
</ul></li>
<li>Zip:
<ul>
<li><?php bugfix(72520); ?> (Stack-based buffer overflow vulnerability in php_stream_zip_opener). (CVE-2016-6297)</li>
</ul></li>
</ul>
<!-- }}} --></section>
<section class="version" id="5.6.23"><!-- {{{ 5.6.23 -->
<h3>Version 5.6.23</h3>
<?php release_date('23-Jun-2016'); ?>
<ul><li>Core:
<ul>
<li><?php bugfix(72268); ?> (Integer Overflow in nl2br()).</li>
<li><?php bugfix(72275); ?> (Integer Overflow in json_encode()/json_decode()/ json_utf8_to_utf16()).</li>
<li><?php bugfix(72400); ?> (Integer Overflow in addcslashes/addslashes).</li>
<li><?php bugfix(72403); ?> (Integer Overflow in Length of String-typed ZVAL).</li>
</ul></li>
<li>Date:
<ul>
<li><?php bugfix(63740); ?> (strtotime seems to use both sunday and monday as start of week).</li>
</ul></li>
<li>GD:
<ul>
<li><?php bugfix(72298); ?> (pass2_no_dither out-of-bounds access).</li>
<li><?php bugfix(72337); ?> (invalid dimensions can lead to crash).</li>
<li><?php bugfix(72339); ?> (Integer Overflow in _gd2GetHeader() resulting in heap overflow). (CVE-2016-5766)</li>
<li><?php bugfix(72407); ?> (NULL Pointer Dereference at _gdScaleVert).</li>
<li><?php bugfix(72446); ?> (Integer Overflow in gdImagePaletteToTrueColor() resulting in heap overflow). (CVE-2016-5767)</li>
</ul></li>
<li>Intl:
<ul>
<li><?php bugfix(70484); ?> (selectordinal doesn't work with named parameters).</li>
</ul></li>
<li>mbstring:
<ul>
<li><?php bugfix(72402); ?> (_php_mb_regex_ereg_replace_exec - double free). (CVE-2016-5768)</li>
</ul></li>
<li>mcrypt:
<ul>
<li><?php bugfix(72455); ?> (Heap Overflow due to integer overflows). (CVE-2016-5769)</li>
</ul></li>
<li>OpenSSL:
<ul>
<li><?php bugfix(72140); ?> (segfault after calling ERR_free_strings()).</li>
</ul></li>
<li>Phar:
<ul>
<li><?php bugfix(72321); ?> (invalid free in phar_extract_file()). (CVE-2016-4473)</li>
</ul></li>
<li>SPL:
<ul>
<li><?php bugfix(72262); ?> (int/size_t confusion in SplFileObject::fread). (CVE-2016-5770)</li>
<li><?php bugfix(72433); ?> (Use After Free Vulnerability in PHP's GC algorithm and unserialize). (CVE-2016-5771)</li>
</ul></li>
<li>WDDX:
<ul>
<li><?php bugfix(72340); ?> (Double Free Courruption in wddx_deserialize). (CVE-2016-5772)</li>
</ul></li>
<li>zip:
<ul>
<li><?php bugfix(72434); ?> (ZipArchive class Use After Free Vulnerability in PHP's GC algorithm and unserialize). (CVE-2016-5773)</li>
</ul></li>
</ul>
<!-- }}} --></section>
<section class="version" id="5.6.22"><!-- {{{ 5.6.22 -->
<h3>Version 5.6.22</h3>
<?php release_date('26-May-2016'); ?>
<ul><li>Core:
<ul>
<li><?php bugfix(72172); ?> (zend_hex_strtod should not use strlen).</li>
<li><?php bugfix(72114); ?> (Integer underflow / arbitrary null write in fread/gzread). (CVE-2016-5096)</li>
<li><?php bugfix(72135); ?> (Integer Overflow in php_html_entities). (CVE-2016-5094)</li>
</ul></li>
<li>GD:
<ul>
<li><?php bugfix(72227); ?> (imagescale out-of-bounds read). (CVE-2013-7456)</li>
</ul></li>
<li>Intl:
<ul>
<li><?php bugfix(64524); ?> (Add intl.use_exceptions to php.ini-*).</li>
<li><?php bugfix(72241); ?> (get_icu_value_internal out-of-bounds read). (CVE-2016-5093)</li>
</ul></li>
<li>Postgres:
<ul>
<li><?php bugfix(72151); ?> (mysqli_fetch_object changed behaviour). Patch to <?php bugl(71820) ?> is reverted.</li>
</ul></li>
</ul>
<!-- }}} --></section>
<section class="version" id="5.6.21"><!-- {{{ 5.6.21 -->
<h3>Version 5.6.21</h3>
<?php release_date('28-Apr-2016'); ?>
<ul><li>Core:
<ul>
<li><?php bugfix(69537); ?> (__debugInfo with empty string for key gives error).</li>
<li><?php bugfix(71841); ?> (EG(error_zval) is not handled well).</li>
</ul></li>
<li>BCmath:
<ul>
<li><?php bugfix(72093); ?> (bcpowmod accepts negative scale and corrupts _one_ definition). (CVE-2016-4537, CVE-2016-4538)</li>
</ul></li>
<li>Curl:
<ul>
<li><?php bugfix(71831); ?> (CURLOPT_NOPROXY applied as long instead of string).</li>
</ul></li>
<li>Date:
<ul>
<li><?php bugfix(71889); ?> (DateInterval::format Segmentation fault).</li>
</ul></li>
<li>EXIF:
<ul>
<li><?php bugfix(72094); ?> (Out of bounds heap read access in exif header processing). (CVE-2016-4542, CVE-2016-4543, CVE-2016-4544)</li>
</ul></li>
<li>GD:
<ul>
<li><?php bugfix(71952); ?> (Corruption inside imageaffinematrixget).</li>
<li><?php bugfix(71912); ?> (libgd: signedness vulnerability). (CVE-2016-3074)</li>
</ul></li>
<li>Intl:
<ul>
<li><?php bugfix(72061); ?> (Out-of-bounds reads in zif_grapheme_stripos with negative offset). (CVE-2016-4540, CVE-2016-4541)</li>
</ul></li>
<li>OCI8:
<ul>
<li><?php bugfix(71422); ?> (Fix ORA-01438: value larger than specified precision allowed for this column).</li>
</ul></li>
<li>ODBC:
<ul>
<li><?php bugfix(63171); ?> (Script hangs after max_execution_time).</li>
</ul></li>
<li>Opcache:
<ul>
<li><?php bugfix(71843); ?> (null ptr deref ZEND_RETURN_SPEC_CONST_HANDLER).</li>
</ul></li>
<li>PDO:
<ul>
<li><?php bugfix(52098); ?> (Own PDOStatement implementation ignore __call()).</li>
<li><?php bugfix(71447); ?> (Quotes inside comments not properly handled).</li>
</ul></li>
<li>Postgres:
<ul>
<li><?php bugfix(71820); ?> (pg_fetch_object binds parameters before call constructor).</li>
</ul></li>
<li>SPL:
<ul>
<li><?php bugfix(67582); ?> (Cloned SplObjectStorage with overwritten getHash fails offsetExists()).</li>
</ul></li>
<li>Standard:
<ul>
<li><?php bugfix(71840); ?> (Unserialize accepts wrongly data).</li>
<li><?php bugfix(67512); ?> (php_crypt() crashes if crypt_r() does not exist or _REENTRANT is not defined).</li>
</ul></li>
<li>XML:
<ul>
<li><?php bugfix(72099); ?> (xml_parse_into_struct segmentation fault). (CVE-2016-4539)</li>
</ul></li>
</ul>
<!-- }}} --></section>
<section class="version" id="5.6.20"><!-- {{{ 5.6.20 -->
<h3>Version 5.6.20</h3>
<?php release_date('31-Mar-2016'); ?>
<ul><li>CLI Server:
<ul>
<li><?php bugfix(69953); ?> (Support MKCALENDAR request method).</li>
</ul></li>
<li>Core:
<ul>
<li><?php bugfix(71596); ?> (Segmentation fault on ZTS with date function (setlocale)).</li>
</ul></li>
<li>Curl:
<ul>
<li><?php bugfix(71694); ?> (Support constant CURLM_ADDED_ALREADY).</li>
</ul></li>
<li>Date:
<ul>
<li><?php bugfix(71635); ?> (DatePeriod::getEndDate segfault).</li>
</ul></li>
<li>Fileinfo:
<ul>
<li><?php bugfix(71527); ?> (Buffer over-write in finfo_open with malformed magic file). (CVE-2015-8865)</li>
</ul></li>
<li>Mbstring:
<ul>
<li><?php bugfix(71906); ?> (AddressSanitizer: negative-size-param (-1) in mbfl_strcut). (CVE-2016-4073)</li>
</ul></li>
<li>ODBC:
<ul>
<li><?php bugfix(47803); ?>, <?php bugl(69526); ?> (Executing prepared statements is succesfull only for the first two statements).</li>
<li><?php bugfix(71860); ?> (Invalid memory write in phar on filename with \0 in name). (CVE-2016-4072)</li>
</ul></li>
<li>PDO_DBlib:
<ul>
<li><?php bugfix(54648); ?> (PDO::MSSQL forces format of datetime fields).</li>
</ul></li>
<li>Phar:
<ul>
<li><?php bugfix(71625); ?> (Crash in php7.dll with bad phar filename).</li>
<li><?php bugfix(71504); ?> (Parsing of tar file with duplicate filenames causes memory leak).</li>
</ul></li>
<li>SNMP:
<ul>
<li><?php bugfix(71704); ?> (php_snmp_error() Format String Vulnerability). (CVE-2016-4071)</li>
</ul></li>
<li>Standard:
<ul>
<li><?php bugfix(71798); ?> (Integer Overflow in php_raw_url_encode). (CVE-2016-4070)</li>
</ul></li>
</ul>
<!-- }}} --></section>
<section class="version" id="5.6.19"><!-- {{{ 5.6.19 -->
<h3>Version 5.6.19</h3>
<?php release_date('03-Mar-2016'); ?>
<ul><li>CLI server:
<ul>
<li><?php bugfix(71559); ?> (Built-in HTTP server, we can download file in web by bug).</li>
</ul></li>
<li>CURL:
<ul>
<li><?php bugfix(71523); ?> (Copied handle with new option CURLOPT_HTTPHEADER crashes while curl_multi_exec).</li>
</ul></li>
<li>Date:
<ul>
<li><?php bugfix(68078); ?> (Datetime comparisons ignore microseconds).</li>
<li><?php bugfix(71525); ?> (Calls to date_modify will mutate timelib_rel_time, causing date_date_set issues).</li>
</ul></li>
<li>Fileinfo:
<ul>
<li><?php bugfix(71434); ?> (finfo throws notice for specific python file).</li>
</ul></li>
<li>FPM:
<ul>
<li><?php bugfix(62172); ?> (FPM not working with Apache httpd 2.4 balancer/fcgi setup).</li>
</ul></li>
<li>Opcache:
<ul>
<li><?php bugfix(71584); ?> (Possible use-after-free of ZCG(cwd) in Zend Opcache).</li>
</ul></li>
<li>PDO MySQL:
<ul>
<li><?php bugfix(71569); ?> (<?php bugl(70389); ?> fix causes segmentation fault).</li>
</ul></li>
<li>Phar:
<ul>
<li><?php bugfix(71498); ?> (Out-of-Bound Read in phar_parse_zipfile()).</li>
</ul></li>
<li>Standard:
<ul>
<li><?php bugfix(70720); ?> (strip_tags improper php code parsing).</li>
</ul></li>
<li>WDDX:
<ul>
<li><?php bugfix(71587); ?> (Use-After-Free / Double-Free in WDDX Deserialize).</li>
</ul></li>
<li>XSL:
<ul>
<li><?php bugfix(71540); ?> (NULL pointer dereference in xsl_ext_function_php()).</li>
</ul></li>
<li>Zip:
<ul>
<li><?php bugfix(71561); ?> (NULL pointer dereference in Zip::ExtractTo).</li>
</ul></li>
</ul>
<!-- }}} --></section>
<section class="version" id="5.6.18"><!-- {{{ 5.6.18 -->
<h3>Version 5.6.18</h3>
<?php release_date('04-Feb-2016'); ?>
<ul><li>Core:
<ul>
<li>Added support for new HTTP 451 code.</li>
<li><?php bugfix(71039); ?> (exec functions ignore length but look for NULL termination).</li>
<li><?php bugfix(71089); ?> (No check to duplicate zend_extension).</li>
<li><?php bugfix(71201); ?> (round() segfault on 64-bit builds).</li>
<li><?php bugfix(71273); ?> (A wrong ext directory setup in php.ini leads to crash).</li>
<li><?php bugfix(71323); ?> (Output of stream_get_meta_data can be falsified by its input).</li>
<li><?php bugfix(71459); ?> (Integer overflow in iptcembed()).</li>
</ul></li>
<li>Apache2handler:
<ul>
<li>Fix >2G Content-Length headers in apache2handler.</li>
</ul></li>
<li>FTP:
<ul>
<li>Implemented FR <?php bugl(55651); ?> (Option to ignore the returned FTP PASV address).</li>
</ul></li>
<li>GD:
<ul>
<li>Improved fix for bug <?php bugl(70976) ?>.</li>
</ul></li>
<li>Opcache:
<ul>
<li><?php bugfix(71127); ?> (Define in auto_prepend_file is overwrite).</li>
<li><?php bugfix(71024); ?> (Unable to use PHP 7.0 x64 side-by-side with PHP 5.6 x32 on the same server).</li>