Commit 473cbdf

[skip ci] Update NEWS
1 parent 9534e0d commit 473cbdf

File tree

1 file changed

+20
-0
lines changed

NEWS

Lines changed: 20 additions & 0 deletions
@@ -58,6 +58,8 @@ PHP NEWS
5858
- CGI:
5959
. Fixed buffer limit on Windows, replacing read call usage by _read.
6060
(David Carlier)
61+
. Fixed bug GHSA-3qgc-jrrr-25jv (Bypass of CVE-2012-1823, Argument Injection
62+
in PHP-CGI). (CVE-2024-4577) (nielsdos)
6163

6264
- CLI:
6365
. Fixed bug GH-14189 (PHP Interactive shell input state incorrectly handles
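Review bot: the new CGI entry at 61+/62+ describes the issue only as "Bypass of CVE-2012-1823, Argument Injection in PHP-CGI" and does not say which configurations are exposed; consider adding a short clause naming the affected configuration so an operator reading NEWS can tell whether an upgrade is needed without opening the GHSA advisory. The entry's shape otherwise matches the neighbouring ones (`. Fixed bug ... (CVE-...) (author)`) and is correctly placed under the existing `- CGI:` heading.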
@@ -82,6 +84,10 @@ PHP NEWS
8284
. Fixed bug GH-14215 (Cannot use FFI::load on CRLF header file with
8385
apache2handler). (nielsdos)
8486

87+
- Filter:
88+
. Fixed bug GHSA-w8qr-v226-r27w (Filter bypass in filter_var FILTER_VALIDATE_URL).
89+
(CVE-2024-5458) (nielsdos)
90+
8591
- FPM:
8692
. Fix bug GH-14175 (Show decimal number instead of scientific notation in
8793
systemd status). (Benjamin Cremer)
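Review bot: line 88+ `. Fixed bug GHSA-w8qr-v226-r27w (Filter bypass in filter_var FILTER_VALIDATE_URL).` runs past the wrap width every other entry in this file keeps to; wrap it like the surrounding multi-line entries, for example breaking before `FILTER_VALIDATE_URL).` so the CVE and author on 89+ follow a line of normal length. The new `- Filter:` section slots in before `- FPM:` in keeping with the file's alphabetical section order, and the trailing blank line at 90+ matches how the other sections are separated.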
@@ -106,6 +112,20 @@ PHP NEWS
106112
. Fixed bug GH-14109 (Fix accidental persisting of internal class constant in
107113
shm). (ilutov)
108114

115+
- OpenSSL:
116+
. The openssl_private_decrypt function in PHP, when using PKCS1 padding
117+
(OPENSSL_PKCS1_PADDING, which is the default), is vulnerable to the Marvin Attack
118+
unless it is used with an OpenSSL version that includes the changes from this pull
119+
request: https://github.com/openssl/openssl/pull/13817 (rsa_pkcs1_implicit_rejection).
120+
These changes are part of OpenSSL 3.2 and have also been backported to stable
121+
versions of various Linux distributions, as well as to the PHP builds provided for
122+
Windows since the previous release. All distributors and builders should ensure that
123+
this version is used to prevent PHP from being vulnerable. (CVE-2024-2408)
124+
125+
- Standard:
126+
. Fixed bug GHSA-9fcc-425m-g385 (Bypass of CVE-2024-1874).
127+
(CVE-2024-5585) (nielsdos)
128+
109129
- XML:
110130
. Fixed bug GH-14124 (Segmentation fault with XML extension under certain
111131
memory limit). (nielsdos)
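Review bot: the OpenSSL entry at 116+ through 123+ is written as an advisory paragraph rather than in the `. Fixed bug ... (author)` form used everywhere else in this file, and it carries no author attribution; if it deliberately records no code change in PHP itself, a leading marker along the lines of `. Advisory:` would make that explicit to readers scanning the list. The wording "since the previous release" on 122+ is relative and becomes ambiguous as soon as further releases ship; naming the release would be clearer. The Standard entry at 126+/127+ says only "Bypass of CVE-2024-1874" and, unlike the neighbouring entries, names neither the affected function nor the behaviour that was bypassed; consider adding that so the line is self-describing.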
