-
Notifications
You must be signed in to change notification settings - Fork 7.7k
/
NEWS
9887 lines (9058 loc) · 472 KB
/
NEWS
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598
599
600
601
602
603
604
605
606
607
608
609
610
611
612
613
614
615
616
617
618
619
620
621
622
623
624
625
626
627
628
629
630
631
632
633
634
635
636
637
638
639
640
641
642
643
644
645
646
647
648
649
650
651
652
653
654
655
656
657
658
659
660
661
662
663
664
665
666
667
668
669
670
671
672
673
674
675
676
677
678
679
680
681
682
683
684
685
686
687
688
689
690
691
692
693
694
695
696
697
698
699
700
701
702
703
704
705
706
707
708
709
710
711
712
713
714
715
716
717
718
719
720
721
722
723
724
725
726
727
728
729
730
731
732
733
734
735
736
737
738
739
740
741
742
743
744
745
746
747
748
749
750
751
752
753
754
755
756
757
758
759
760
761
762
763
764
765
766
767
768
769
770
771
772
773
774
775
776
777
778
779
780
781
782
783
784
785
786
787
788
789
790
791
792
793
794
795
796
797
798
799
800
801
802
803
804
805
806
807
808
809
810
811
812
813
814
815
816
817
818
819
820
821
822
823
824
825
826
827
828
829
830
831
832
833
834
835
836
837
838
839
840
841
842
843
844
845
846
847
848
849
850
851
852
853
854
855
856
857
858
859
860
861
862
863
864
865
866
867
868
869
870
871
872
873
874
875
876
877
878
879
880
881
882
883
884
885
886
887
888
889
890
891
892
893
894
895
896
897
898
899
900
901
902
903
904
905
906
907
908
909
910
911
912
913
914
915
916
917
918
919
920
921
922
923
924
925
926
927
928
929
930
931
932
933
934
935
936
937
938
939
940
941
942
943
944
945
946
947
948
949
950
951
952
953
954
955
956
957
958
959
960
961
962
963
964
965
966
967
968
969
970
971
972
973
974
975
976
977
978
979
980
981
982
983
984
985
986
987
988
989
990
991
992
993
994
995
996
997
998
999
1000
PHP NEWS
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
16 Oct 2014, PHP 5.6.2
- Core:
. Fixed bug #68044 (Integer overflow in unserialize() (32-bits only)).
(CVE-2014-3669) (Stas)
- cURL:
. Fixed bug #68089 (NULL byte injection - cURL lib). (Stas)
- EXIF:
. Fixed bug #68113 (Heap corruption in exif_thumbnail()). (CVE-2014-3670)
(Stas)
- XMLRPC:
. Fixed bug #68027 (Global buffer overflow in mkgmtime() function).
(CVE-2014-3668) (Stas)
02 Oct 2014, PHP 5.6.1
- Core:
. Implemented FR #38409 (parse_ini_file() looses the type of booleans). (Tjerk)
. Fixed bug #65463 (SIGSEGV during zend_shutdown()). (Keyur Govande)
. Fixed bug #66036 (Crash on SIGTERM in apache process). (Keyur Govande)
. Fixed bug #67878 (program_prefix not honoured in man pages). (Remi)
. Fixed bug #67938 (Segfault when extending interface method with variadic).
(Nikita)
. Fixed bug #67985 (Incorrect last used array index copied to new array after
unset). (Tjerk)
. Fixed bug #68088 (New Posthandler Potential Illegal efree() vulnerability).
(Mike) (CVE-2014-3622)
- DOM:
. Made DOMNode::textContent writeable. (Tjerk)
- Fileinfo:
. Fixed bug #67731 (finfo::file() returns invalid mime type
for binary files). (Anatol)
- GD:
. Made fontFetch's path parser thread-safe. (Sara)
- GMP:
. Fixed bug #67917 (Using GMP objects with overloaded operators can cause
memory exhaustion). (Nikita)
. Fixed bug #50175 (gmp_init() results 0 on given base and number starting
with 0x or 0b). (Nikita)
. Implemented gmp_import() and gmp_export(). (Leigh, Nikita)
- MySQLi:
. Fixed bug #67839 (mysqli does not handle 4-byte floats correctly). (Keyur)
- OpenSSL:
. Fixed bug #67850 (extension won't build if openssl compiled without SSLv3).
(Daniel Lowrey)
- phpdbg:
. Fixed issue krakjoe/phpdbg#111 (compile error without ZEND_SIGNALS). (Bob)
- SOAP:
. Fixed bug #67955 (SoapClient prepends 0-byte to cookie names). (Philip Hofstetter)
- Session:
. Fixed bug #67972 (SessionHandler Invalid memory read create_sid()). (Adam)
- Sysvsem:
. Implemented FR #67990 (Add optional nowait argument to sem_acquire).
(Matteo)
28 Aug 2014, PHP 5.6.0
- Apache2 Handler SAPI:
. Fixed Apache log issue caused by APR's lack of support for %zu
(APR issue https://issues.apache.org/bugzilla/show_bug.cgi?id=56120).
(Jeff Trawick)
- CLI server:
. Added some MIME types to the CLI web server. (Chris Jones)
. Fixed bug #67079 (Missing MIME types for XML/XSL files). (Anatol)
. Fixed bug #66830 (Empty header causes PHP built-in web server to hang).
(Adam)
. Fixed bug #67594 (Unable to access to apache_request_headers() elements).
(Tjerk)
. Implemented FR #67429 (CLI server is missing some new HTTP response codes).
(Adam)
. Fixed Bug #67406 (built-in web-server segfaults on startup). (Remi)
- COM:
. Fixed bug #41577 (DOTNET is successful once per server run)
(Aidas Kasparas)
. Fixed missing type checks in com_event_sink (Yussuf Khalil, Stas).
. Fixed bug #66431 (Special Character via COM Interface (CP_UTF8)). (Anatol)
- Core:
. Improved phpinfo() stylesheets. (Colin Viebrock)
. Fixed bug #67693 (incorrect push to the empty array). (Tjerk)
. Removed inconsistency regarding behaviour of array in constants at
run-time. (Bob)
. Fixed bug #67497 (eval with parse error causes segmentation fault in
generator). (Nikita)
. Fixed bug #67151 (strtr with empty array crashes). (Nikita)
. Fixed bug #67407 (Windows 8.1/Server 2012 R2 reported as Windows 8/Server
2012). (Christian Wenz)
. Fixed bug #66608 (Incorrect behavior with nested "finally" blocks).
(Laruence, Dmitry)
. Implemented FR #34407 (ucwords and Title Case). (Tjerk)
. Fixed bug #67091 (make install fails to install libphp5.so on FreeBSD 10.0).
(Ferenc)
. Fixed bug #67368 (Memory leak with immediately dereferenced array in class
constant). (Laruence)
. Fixed bug #67468 (Segfault in highlight_file()/highlight_string()).
(Andreas Ferber)
. Fixed bug #67498 (phpinfo() Type Confusion Information Leak Vulnerability).
(Stefan Esser)
. Fixed bug #67551 (php://input temp file will be located in sys_temp_dir
instead of upload_tmp_dir). (Mike)
. Fixed bug #67169 (array_splice all elements, then []= gives wrong index).
(Nikita)
. Fixed bug #67198 (php://input regression). (Mike)
. Fixed bug #67247 (spl_fixedarray_resize integer overflow). (Stas)
. Fixed bug #67250 (iptcparse out-of-bounds read). (Stas)
. Fixed bug #67252 (convert_uudecode out-of-bounds read). (Stas)
. Fixed bug #67249 (printf out-of-bounds read). (Stas)
. Implemented FR #64744 (Differentiate between member function call on a null
and non-null, non-objects). (Boro Sitnikovski)
. Fixed bug #67436 (Autoloader isn't called if two method definitions don't
match). (Bob)
. Fixed bug #66622 (Closures do not correctly capture the late bound class
(static::) in some cases). (Levi Morrison)
. Fixed bug #67390 (insecure temporary file use in the configure script).
(Remi) (CVE-2014-3981)
. Fixed bug #67392 (dtrace breaks argument unpack). (Nikita)
. Fixed bug #67428 (header('Location: foo') will override a 308-399 response
code). (Adam)
. Fixed bug #67433 (SIGSEGV when using count() on an object implementing
Countable). (Matteo)
. Fixed bug #67399 (putenv with empty variable may lead to crash). (Stas)
. Expose get_debug_info class hook as __debugInfo() magic method. (Sara)
. Implemented unified default encoding
(RFC: https://wiki.php.net/rfc/default_encoding). (Yasuo Ohgaki)
. Added T_POW (**) operator
(RFC: https://wiki.php.net/rfc/pow-operator). (Tjerk Meesters)
. Improved IS_VAR operands fetching. (Laruence, Dmitry)
. Improved empty string handling. Now ZE uses an interned string instead of
allocation new empty string each time. (Laruence, Dmitry)
. Implemented internal operator overloading
(RFC: https://wiki.php.net/rfc/operator_overloading_gmp). (Nikita)
. Made calls from incompatible context issue an E_DEPRECATED warning instead
of E_STRICT (phase 1 of RFC: https://wiki.php.net/rfc/incompat_ctx).
(Gustavo)
. Uploads equal or greater than 2GB in size are now accepted.
(Ralf Lang, Mike)
. Reduced POST data memory usage by 200-300%. Changed INI setting
always_populate_raw_post_data to throw a deprecation warning when enabling
and to accept -1 for never populating the $HTTP_RAW_POST_DATA global
variable, which will be the default in future PHP versions. (Mike)
. Implemented dedicated syntax for variadic functions
(RFC: https://wiki.php.net/rfc/variadics). (Nikita)
. Fixed bug #50333 Improving multi-threaded scalability by using
emalloc/efree/estrdup (Anatol, Dmitry)
. Implemented constant scalar expressions (with support for constants)
(RFC: https://wiki.php.net/rfc/const_scalar_exprs). (Bob)
. Fixed bug #65784 (Segfault with finally). (Laruence, Dmitry)
. Fixed bug #66509 (copy() arginfo has changed starting from 5.4). (willfitch)
. Allow zero length comparison in substr_compare() (Tjerk)
. Fixed bug #60602 (proc_open() changes environment array) (Tjerk)
. Fixed bug #61019 (Out of memory on command stream_get_contents). (Mike)
. Fixed bug #64330 (stream_socket_server() creates wrong Abstract Namespace
UNIX sockets). (Mike)
. Fixed bug #66182 (exit in stream filter produces segfault). (Mike)
. Fixed bug #66736 (fpassthru broken). (Mike)
. Fixed bug #66822 (Cannot use T_POW in const expression) (Tjerk)
. Fixed bug #67043 (substr_compare broke by previous change) (Tjerk)
. Fixed bug #65701 (copy() doesn't work when destination filename is created
by tempnam()). (Boro Sitnikovski)
. Fixed bug #66015 (Unexpected array indexing in class's static property). (Bob)
. Added (constant) string/array dereferencing to static scalar expressions
to complete the set; now possible thanks to bug #66015 being fixed. (Bob)
. Fixed bug #66568 (Update reflection information for unserialize() function).
(Ferenc)
. Fixed bug #66660 (Composer.phar install/update fails). (Ferenc)
. Fixed bug #67024 (getimagesize should recognize BMP files with negative
height). (Gabor Buella)
. Fixed bug #67064 (Countable interface prevents using 2nd parameter
($mode) of count() function). (Bob)
. Fixed bug #67072 (Echoing unserialized "SplFileObject" crash). (Anatol)
. Fixed bug #67033 (Remove reference to Windows 95). (Anatol)
- Curl:
. Implemented FR #65646 (re-enable CURLOPT_FOLLOWLOCATION with open_basedir
or safe_mode). (Adam)
. Check for openssl.cafile ini directive when loading CA certs. (Daniel Lowrey)
. Remove cURL close policy related constants as these have no effect and are
no longer used in libcurl. (Chris Wright)
. Fixed bug #66109 (Can't reset CURLOPT_CUSTOMREQUEST to default behaviour)
(Tjerk)
. Fix compilation on libcurl versions between 7.10.5 and 7.12.2, inclusive.
(Adam)
. Fixed bug #64247 (CURLOPT_INFILE doesn't allow reset). (Mike)
. Fixed bug #66562 (curl_exec returns differently than curl_multi_getcontent).
(Freek Lijten)
- Date:
. Fixed bug #66060 (Heap buffer over-read in DateInterval). (CVE-2013-6712)
(Remi)
. Fixed bug #66091 (memory leaks in DateTime constructor) (Tjerk).
. Fixed bug #67308 (Serialize of DateTime truncates fractions of second).
(Adam)
. Fixed regression in fix for bug #67118 (constructor can't be called twice).
(Remi)
. Fixed bug #67251 (date_parse_from_format out-of-bounds read). (Stas)
. Fixed bug #67253 (timelib_meridian_with_check out-of-bounds read). (Stas)
. Added DateTimeImmutable::createFromMutable to create a DateTimeImmutable
object from an existing DateTime (mutable) object (Derick)
. Fixed bug #66721 (__wakeup of DateTime segfaults when invalid object data is
supplied). (Boro Sitnikovski)
. Fixed bug #67118 (DateTime constructor crash with invalid data). (Anatol)
- DOM:
. Fixed bug #67081 (DOMDocumentType->internalSubset returns entire DOCTYPE tag,
not only the subset). (Anatol)
- Embed:
. Fixed bug #65715 (php5embed.lib isn't provided anymore). (Anatol).
- Fileinfo:
. Fixed bug #67716 (Segfault in cdf.c). (CVE-2014-3587) (Remi)
. Fixed bug #67705 (extensive backtracking in rule regular expression).
(CVE-2014-3538) (Remi)
. Fixed bug #67327 (fileinfo: CDF infinite loop in nelements DoS).
(CVE-2014-0238)
. Fixed bug #67328 (fileinfo: fileinfo: numerous file_printf calls resulting in
performance degradation). (CVE-2014-0237)
. Fixed bug #67326 (fileinfo: cdf_read_short_sector insufficient boundary check).
(CVE-2014-0207)
. Fixed bug #67329 (fileinfo: NULL pointer deference flaw by processing certain
CDF files). (CVE-2014-0236)
. Fixed bug #67410 (fileinfo: mconvert incorrect handling of truncated pascal
string size). (CVE-2014-3478) (Francisco Alonso, Jan Kaluza, Remi)
. Fixed bug #67411 (fileinfo: cdf_check_stream_offset insufficient boundary
check). (CVE-2014-3479) (Francisco Alonso, Jan Kaluza, Remi)
. Fixed bug #67412 (fileinfo: cdf_count_chain insufficient boundary check).
(CVE-2014-3480) (Francisco Alonso, Jan Kaluza, Remi)
. Fixed bug #67413 (fileinfo: cdf_read_property_info insufficient boundary
check). (CVE-2014-3487) (Francisco Alonso, Jan Kaluza, Remi)
. Upgraded to libmagic-5.17 (Anatol)
. Fixed bug #66731 (file: infinite recursion). (CVE-2014-1943) (Remi)
. Fixed bug #66820 (out-of-bounds memory access in fileinfo).
(CVE-2014-2270). (Remi)
. Fixed bug #66946 (fileinfo: extensive backtracking in awk rule regular
expression). (CVE-2013-7345) (Remi)
. Fixed bug #66987 (Memory corruption in fileinfo ext / bigendian).
(Remi)
. Fixed bug #66907 (Solaris 10 is missing strcasestr and needs substitute).
(Anatol)
. Fixed bug #66307 (Fileinfo crashes with powerpoint files). (Anatol)
- FPM:
. Fixed bug #67606 (revised fix 67541, broke mod_fastcgi BC). (David Zuelke)
. Fixed bug #67530 (error_log=syslog ignored). (Remi)
. Fixed bug #67635 (php links to systemd libraries without using pkg-config).
(pacho@gentoo.org, Remi)
. Fixed bug #67531 (syslog cannot be set in pool configuration). (Remi)
. Fixed bug #67541 (Fix Apache 2.4.10+ SetHandler proxy:fcgi://
incompatibilities). (David Zuelke)
. Included apparmor support in fpm
(RFC: https://wiki.php.net/rfc/fpm_change_hat). (Gernot Vormayr)
. Added clear_env configuration directive to disable clearenv() call.
(Github PR# 598, Paul Annesley)
. Fixed bug #66482 (unknown entry 'priority' in php-fpm.conf).
. Fixed bug #66908 (php-fpm reload leaks epoll_create() file descriptor).
(Julio Pintos)
. Fixed bug #67060 (sapi/fpm: possible privilege escalation due to insecure
default configuration) (CVE-2014-0185). (Stas)
- GD
. Fixed bug #67730 (Null byte injection possible with imagexxx functions).
(CVE-2014-5120) (Ryan Mauger)
. Fixed bug #66901 (php-gd 'c_color' NULL pointer dereference).
(CVE-2014-2497) (Remi)
. Fixed bug #67248 (imageaffinematrixget missing check of parameters). (Stas)
. Fixed imagettftext to load the correct character map rather than the last one.
(Scott)
. Fixed bug #66356 (Heap Overflow Vulnerability in imagecrop()).
(CVE-2013-7226)
. Fixed bug #66815 (imagecrop(): insufficient fix for NULL defer).
(CVE-2013-7327). (Tomas Hoger, Remi).
. Fixed bug #66869 (Invalid 2nd argument crashes imageaffinematrixget) (Pierre)
. Fixed bug #66887 (imagescale - poor quality of scaled image). (Remi)
. Fixed bug #66890 (imagescale segfault). (Remi)
. Fixed bug #66893 (imagescale ignore method argument). (Remi)
- GMP:
. Fixed bug #66872 (invalid argument crashes gmp_testbit) (Pierre)
. Fixed crashes in serialize/unserialize. (Stas)
. Moved GMP to use object as the underlying structure and implemented various
improvements based on this.
(RFC: https://wiki.php.net/rfc/operator_overloading_gmp). (Nikita)
. Added gmp_root() and gmp_rootrem() functions for calculating nth roots.
(Nikita)
- Hash:
. Added gost-crypto (CryptoPro S-box) GOST hash algo. (Manuel Mausz)
. Fixed bug #66698 (Missing FNV1a32 and FNV1a64 hash functions).
(Michael M Slusarz).
. Implemented timing attack safe string comparison function
(RFC: https://wiki.php.net/rfc/timing_attack). (Rouven Weßling)
. hash_pbkdf2() now works correctly if the $length argument is not specified.
(Nikita)
- Intl:
. Fixed bug #66873 (A reproductible crash in UConverter when given invalid
encoding) (Stas)
. Fixed bug #66921 (Wrong argument type hint for function
intltz_from_date_time_zone). (Stas)
. Fixed bug #67052 (NumberFormatter::parse() resets LC_NUMERIC setting).
(Stas)
. Fixed bug #67349 (Locale::parseLocale Double Free). (Stas)
. Fixed bug #67397 (Buffer overflow in locale_get_display_name and
uloc_getDisplayName (libicu 4.8.1)). (Stas)
- JSON:
. Fixed case part of bug #64874 ("json_decode handles whitespace and
case-sensitivity incorrectly")
. Fixed bug #65753 (JsonSerializeable couldn't implement on module extension)
(chobieeee@php.net)
. Fixed bug #66021 (Blank line inside empty array/object when
JSON_PRETTY_PRINT is set). (Kevin Israel)
- ldap
. Added new function ldap_modify_batch(). (Ondrej Hosek)
. Fixed issue with null bytes in LDAP bindings. (Matthew Daley)
- litespeed
. Fixed bug #63228 (-Werror=format-security error in lsapi code).
(Elan Ruusamäe, George)
- Mail:
. Fixed bug #66535 (Don't add newline after X-PHP-Originating-Script) (Tjerk)
- Mcrypt:
. No longer allow invalid key sizes, invalid IV sizes or missing required IV
in mcrypt_encrypt, mcrypt_decrypt and the deprecated mode functions.
(Nikita)
. Use /dev/urandom as the default source for mcrypt_create_iv(). (Nikita)
- Mbstring:
. Upgraded to oniguruma 5.9.5 (Anatol)
. Fixed bug #67199 (mb_regex_encoding mismatch). (Yasuo)
- Milter:
. Fixed bug #67715 (php-milter does not build and crashes randomly). (Mike)
- mysqli
. Added new function mysqli_get_links_stats() as well as new INI variable
mysqli.rollback_on_cached_plink of type bool (Andrey)
. Fixed bug #66762 (Segfault in mysqli_stmt::bind_result() when link closed)
(Remi)
. Fixed building against an external libmysqlclient. (Adam)
- mysqlnd:
. Disabled flag for SP OUT variables for 5.5+ servers as they are not natively
supported by the overlying APIs. (Andrey)
. Added a new fetching mode to mysqlnd. (Andrey)
. Added support for gb18030 from MySQL 5.7. (Andrey)
- Network:
. Fixed bug #67717 (segfault in dns_get_record). (CVE-2014-3597) (Remi)
. Fixed bug #67432 (Fix potential segfault in dns_get_record()).
(CVE-2014-4049). (Sara)
- OCI8
. Fixed Bug #66875 (Improve performance of multi-row OCI_RETURN_LOB queries)
(Perrier, Chris Jones)
- ODBC:
. Fixed bug #60616 (odbc_fetch_into returns junk at end of multi-byte char
fields). (Keyur Govande)
- OpenSSL:
. Fixed bug #41631 (socket timeouts not honored in blocking SSL reads)
(Daniel Lowrey).
. Fixed missing type checks in OpenSSL options (Yussuf Khalil, Stas).
. Fixed bug #67609 (TLS connections fail behind HTTP proxy). (Daniel Lowrey)
. Fixed broken build against OpenSSL older than 0.9.8 where ECDH unavailable.
(Lior Kaplan)
. Fixed bug #67666 (Subject altNames doesn't support wildcard matching). (Tjerk)
. Fixed bug #67224 (Fall back to crypto_type from context if not specified
explicitly in stream_socket_enable_crypto). (Chris Wright)
. Fixed bug #65698 (certificates validity parsing does not work past 2050).
(Paul Oehler)
. Fixed bug #66636 (openssl_x509_parse warning with V_ASN1_GENERALIZEDTIME).
(Paul Oehler)
. Peer certificates now verified by default in client socket operations
(RFC: https://wiki.php.net/rfc/tls-peer-verification). (Daniel Lowrey)
. New openssl.cafile and openssl.capath ini directives. (Daniel Lowrey)
. Added crypto_method option for the ssl stream context. (Martin Jansen)
. Added certificate fingerprint support. (Tjerk Meesters)
. Added explicit TLSv1.1 and TLSv1.2 stream transports. (Daniel Lowrey)
. Fixed bug #65729 (CN_match gives false positive). (Tjerk Meesters)
. Peer name verification matches SAN DNS names for certs using
the Subject Alternative Name x509 extension. (Daniel Lowrey)
. Fixed segfault when built against OpenSSL>=1.0.1 (Daniel Lowrey)
. Added SPKAC support. (Jason Gerfen)
. Fallback to Windows CA cert store for peer verification if no openssl.cafile
ini directive or "cafile" SSL context option specified in Windows.
(Chris Wright)
. The openssl.cafile and openssl.capath ini directives introduced in alpha2
now have PHP_INI_PERDIR accessibility (was PHP_INI_ALL). (Daniel Lowrey)
. New "peer_name" SSL context option replaces "CN_match" (which still works
as before but triggers E_DEPRECATED). (Daniel Lowrey)
. Fixed segfault when accessing non-existent context for client SNI use
(Daniel Lowrey)
. Fixed bug #66501 (Add EC key support to php_openssl_is_private_key).
(Mark Zedwood)
. Fixed Bug #47030 (add new boolean "verify_peer_name" SSL context option
allowing clients to verify cert names separately from the cert itself).
"verify_peer_name" is enabled by default for client streams.
(Daniel Lowrey)
. Fixed Bug #65538 ("cafile" SSL context option now supports stream
wrappers). (Daniel Lowrey)
. New openssl_get_cert_locations() function to aid CA file and peer
verification debugging. (Daniel Lowrey)
. Encrypted stream wrappers now disable TLS compression by default.
(Daniel Lowrey)
. New "capture_session_meta" SSL context option allows encrypted client and
server streams access to negotiated protocol/cipher information.
(Daniel Lowrey)
. New "honor_cipher_order" SSL context option allows servers to prioritize
cipher suites of their choosing when negotiating SSL/TLS handshakes.
(Daniel Lowrey)
. New "single_ecdh_use" and "single_dh_use" SSL context options allow for
improved forward secrecy in encrypted stream servers. (Daniel Lowrey)
. New "dh_param" SSL context option allows stream servers control over
the parameters when negotiating DHE cipher suites. (Daniel Lowrey)
. New "ecdh_curve" SSL context option allowing stream servers to specify
the curve to use when negotiating ephemeral ECDHE ciphers (defaults to
NIST P-256). (Daniel Lowrey)
. New "rsa_key_size" SSL context option gives stream servers control
over the key size (in bits) used for RSA key agreements. (Daniel Lowrey)
. Crypto methods for encrypted client and server streams now use
bitwise flags for fine-grained protocol support. (Daniel Lowrey)
. Added new tlsv1.0 stream wrapper to specify TLSv1 client/server method.
tls wrapper now negotiates TLSv1, TLSv1.1 or TLSv1.2. (Daniel Lowrey)
. Encrypted client streams now enable SNI by default. (Daniel Lowrey)
. Encrypted streams now prioritize ephemeral key agreement and high strength
ciphers by default. (Daniel Lowrey)
. New OPENSSL_DEFAULT_STREAM_CIPHERS constant exposes default cipher
list. (Daniel Lowrey)
. New STREAM_CRYPTO_METHOD_* constants for enhanced control over the crypto
methods negotiated encrypted server/client sessions. (Daniel Lowrey)
. Encrypted stream servers now automatically mitigate potential DoS vector
arising from client-initiated TLS renegotiation. New "reneg_limit",
"reneg_window" and "reneg_limit_callback" SSL context options for custom
renegotiation limiting control. (Daniel Lowrey)
. Fixed memory leak in windows cert verification on verify failure.
(Chris Wright)
. Peer certificate capturing via SSL context options now functions even if
peer verification fails. (Daniel Lowrey)
. Encrypted TLS servers now support the server name indication TLS extension
via the new "SNI_server_certs" SSL context option. (Daniel Lowrey)
. Fixed bug #66833 (Default disgest algo is still MD5, switch to SHA1). (Remi)
. Fixed bug #66942 (memory leak in openssl_seal()). (Chuan Ma)
. Fixed bug #66952 (memory leak in openssl_open()). (Chuan Ma)
. Fixed bug #66840 (Fix broken build when extension built separately).
(Daniel Lowrey)
- OPcache:
. Added an optimization of class constants and constant calls to some
internal functions (Laruence, Dmitry)
. Added an optimization pass to convert FCALL_BY_NAME into DO_FCALL.
(Laruence, Dmitry)
. Added an optimization pass to merged identical constants (and related
cache_slots) in op_array->literals table. (Laruence, Dmitry)
. Added script level constant replacement optimization pass. (Dmitry)
. Added function opcache_is_script_cached(). (Danack)
. Added information about interned strings usage. (Terry, Julien, Dmitry)
. Fixed bug #67215 (php-cgi work with opcache, may be segmentation fault
happen) (Dmitry, Laruence)
- PCRE:
. Fixed bug #67238 (Ungreedy and min/max quantifier bug, applied patch
from the upstream). (Anatol)
. Upgraded to PCRE 8.34. (Anatol)
. Added support for (*MARK) backtracking verbs. (Nikita)
- pgsql:
. Fixed bug #67550 (Error in code "form" instead of "from", pgsql.c, line 756),
which affected builds against libpq < 7.3. (Adam)
. pg_insert()/pg_select()/pg_update()/pg_delete() are no longer EXPERIMENTAL.
(Yasuo)
. Impremented FR #25854 Return value for pg_insert should be resource instead of bool.
(Yasuo)
. Implemented FR #41146 - Add "description" with exteneded flag pg_meta_data().
pg_meta_data(resource $conn, string $table [, bool extended])
It also made pg_meta_data() return "is enum" always.
(Yasuo)
. Read-only access to the socket stream underlying database connections is
exposed via a new pg_socket() function to allow read/write polling when
establishing asynchronous connections and executing queries in non-blocking
applications. (Daniel Lowrey)
. Asynchronous connections are now possible using the PGSQL_CONNECT_ASYNC
flag in conjunction with a new pg_connect_poll() function and connection
polling status constants. (Daniel Lowrey)
. New pg_flush() and pg_consume_input() functions added to manually complete
non-blocking reads/writes to underlying connection sockets. (Daniel Lowrey)
. pg_version() returns full report which obtained by PQparameterStatus().
(Yasuo)
. Added pg_lo_truncate(). (Yasuo)
. Added 64bit large object support for PostgreSQL 9.3 and later. (Yasuo)
. Fixed bug #67555 (Cannot build against libpq 7.3). (Adam)
- phpdbg
. Fixed bug #67575 (Compilation fails for phpdbg when the
build directory != src directory). (Andy Thompson)
. Fixed Bug #67499 (readline feature not enabled when build with libedit). (Remi)
. Fix issue krakjoe/phpdbg#94 (List behavior is inconsistent). (Bob)
. Fix issue krakjoe/phpdbg#97 (The prompt should always ensure it is on a
newline). (Bob)
. Fix issue krakjoe/phpdbg#98 (break if does not seem to work). (Bob)
. Fix issue krakjoe/phpdbg#99 (register function has the same behavior as
run). (Bob)
. Fix issue krakjoe/phpdbg#100 (No way to list the current stack/frames)
(Help entry was missing). (Bob)
. Fixed bug which caused phpdbg to fail immediately on startup in non-debug
builds. (Bob)
. Fixed bug #67212 (phpdbg uses non-standard TIOCGWINSZ). (Ferenc)
. Included phpdbg sapi (RFC: https://wiki.php.net/rfc/phpdbg).
(Felipe Pena, Joe Watkins and Bob Weinand)
. Added watchpoints (watch command). (Bob)
. Renamed some commands (next => continue and how to step). (Joe)
. Fixed issue #85 (https://github.com/krakjoe/phpdbg/issues/85)
(Added stdin/stdout/stderr constants and their php:// wrappers). (Bob)
- PDO:
. Fixed bug #66604 ('pdo/php_pdo_error.h' not copied to the include dir).
(Matteo)
- PDO-ODBC:
. Fixed bug #50444 (PDO-ODBC changes for 64-bit).
- PDO_pgsql:
. Fixed Bug #42614 (PDO_pgsql: add pg_get_notify support). (Matteo)
. Fixed Bug #63657 (pgsqlCopyFromFile, pgsqlCopyToArray use Postgres < 7.3
syntax). (Matteo)
. Cleaned up code by increasing the requirements to libpq versions providing
PQexecParams, PQprepare, PQescapeStringConn, PQescapeByteaConn. According
to the release notes that means 8.0.8+ or 8.1.4+. (Matteo)
. Deprecated PDO::PGSQL_ATTR_DISABLE_NATIVE_PREPARED_STATEMENT, an
undocument constant effectively equivalent to PDO::ATTR_EMULATE_PREPARES.
(Matteo)
. Added PDO::PGSQL_ATTR_DISABLE_PREPARES constant to execute the queries
without preparing them, while still passing parameters separately from
the command text using PQexecParams. (Matteo)
- PDO_firebird:
. Fixed Bug #66071 (memory corruption in error handling) (Popa)
- Phar:
. Fixed bug #64498 ($phar->buildFromDirectory can't compress file with an accent
in its name). (PR #588)
. Fixed bug #67587 (Redirection loop on nginx with FPM). (Christian Weiske)
- readline:
. Fixed bug #55496 (Interactive mode doesn't force a newline before the
prompt). (Bob, Johannes)
. Fixed bug #67496 (Save command history when exiting interactive shell
with control-c). (Dmitry Saprykin, Johannes)
- Reflection:
. Implemented FR #67713 (loosen the restrictions on
ReflectionClass::newInstanceWithoutConstructor()). (Ferenc)
- Session:
. Fixed bug #67694 (Regression in session_regenerate_id()). (Tjerk)
. Fixed missing type checks in php_session_create_id (Yussuf Khalil, Stas).
. Fixed bug #66827 (Session raises E_NOTICE when session name variable is array).
(Yasuo)
. Fixed Bug #65315 (session.hash_function silently fallback to default md5)
(Yasuo)
. Implemented Request #17860 (Session write short circuit). (Yasuo)
. Implemented Request #20421 (session_abort() and session_reset() function).
(Yasuo)
. Remove session_gc() and session_serializer_name() wich were introduced in the first 5.6.0 alpha.
- SimpleXML:
. Fixed bug #66084 (simplexml_load_string() mangles empty node name)
(Anatol)
- SQLite:
. Updated the bundled libsqlite to the version 3.8.3.1 (Anatol)
. Fixed bug #66967 (Updated bundled libsqlite to 3.8.4.3). (Anatol)
- SOAP:
. Implemented FR #49898 (Add SoapClient::__getCookies()). (Boro Sitnikovski)
- SPL:
. Revert fix for bug #67064 (BC issues). (Bob)
. Fixed bug #67539 (ArrayIterator use-after-free due to object change during
sorting). (CVE-2014-4698) (research at insighti dot org, Laruence)
. Fixed bug #67538 (SPL Iterators use-after-free). (CVE-2014-4670) (Laruence)
. Fixed bug #67492 (unserialize() SPL ArrayObject / SPLObjectStorage Type
Confusion) (CVE-2014-3515). (Stefan Esser)
. Fixed bug #67359 (Segfault in recursiveDirectoryIterator). (Laruence)
. Fixed bug #66127 (Segmentation fault with ArrayObject unset). (Stas)
. Fixed request #67453 (Allow to unserialize empty data). (Remi)
. Added feature #65545 (SplFileObject::fread()) (Tjerk)
. Fixed bug #66834 (empty() does not work on classes that extend ArrayObject) (Tjerk)
. Fixed bug #66702 (RegexIterator::INVERT_MATCH does not invert). (Joshua
Thijssen)
- Standard:
. Implemented FR #65634 (HTTP wrapper is very slow with protocol_version
1.1). (Adam)
. Implemented Change crypt() behavior w/o salt RFC. (Yasuo)
https://wiki.php.net/rfc/crypt_function_salt
. Implemented request #49824 (Change array_fill() to allow creating empty
array). (Nikita)
- Streams:
. Fixed bug #67430 (http:// wrapper doesn't follow 308 redirects). (Adam)
- Tokenizer:
. Fixed bug #67395 (token_name() does not return name for T_POW and T_POW_EQUAL
token). (Ferenc)
- XMLReader:
. Fixed bug #55285 (XMLReader::getAttribute/No/Ns methods inconsistency).
(Mike)
- XSL:
. Fixed bug #53965 (<xsl:include> cannot find files with relative paths
when loaded with "file://"). (Anatol)
- Zip:
. update libzip to version 1.11.2.
PHP don't use any ilibzip private symbol anymore. (Pierre, Remi)
. new method ZipArchive::setPassword($password). (Pierre)
. add --with-libzip option to build with system libzip. (Remi)
. new methods:
ZipArchive::setExternalAttributesName($name, $opsys, $attr [, $flags])
ZipArchive::setExternalAttributesIndex($idx, $opsys, $attr [, $flags])
ZipArchive::getExternalAttributesName($name, &$opsys, &$attr [, $flags])
ZipArchive::getExternalAttributesIndex($idx, &$opsys, &$attr [, $flags])
- Zlib:
. Fixed bug #67865 (internal corruption phar error). Mike
. Fixed bug #67724 (chained zlib filters silently fail with large amounts of
data). (Mike)
21 Aug 2014, PHP 5.5.16
- COM:
. Fixed missing type checks in com_event_sink (Yussuf Khalil, Stas).
- Fileinfo:
. Fixed bug #67705 (extensive backtracking in rule regular expression).
(CVE-2014-3538) (Remi)
. Fixed bug #67716 (Segfault in cdf.c). (CVE-2014-3587) (Remi)
- FPM:
. Fixed bug #67635 (php links to systemd libraries without using pkg-config).
(pacho@gentoo.org, Remi)
- GD:
. Fixed bug #66901 (php-gd 'c_color' NULL pointer dereference).
(CVE-2014-2497) (Remi)
. Fixed bug #67730 (Null byte injection possible with imagexxx functions).
(CVE-2014-5120) (Ryan Mauger)
- Milter:
. Fixed bug #67715 (php-milter does not build and crashes randomly). (Mike)
- Network:
. Fixed bug #67717 (segfault in dns_get_record). (CVE-2014-3597) (Remi)
- OpenSSL:
. Fixed missing type checks in OpenSSL options. (Yussuf Khalil, Stas)
- readline:
. Fixed bug #55496 (Interactive mode doesn't force a newline before the
prompt). (Bob, Johannes)
. Fixed bug #67496 (Save command history when exiting interactive shell
with control-c). (Dmitry Saprykin, Johannes)
- Sessions:
. Fixed missing type checks in php_session_create_id (Yussuf Khalil, Stas).
- Core:
. Fixed bug #67693 (incorrect push to the empty array) (Tjerk)
- ODBC:
. Fixed bug #60616 (odbc_fetch_into returns junk data at end of multi-byte
char fields). (Keyur)
24 Jul 2014, PHP 5.5.15
- Core:
. Fixed bug #67428 (header('Location: foo') will override a 308-399 response
code). (Adam)
. Fixed bug #67436 (Autoloader isn't called if two method definitions don't
match). (Bob)
. Fixed bug #67091 (make install fails to install libphp5.so on FreeBSD 10.0).
(Ferenc)
. Fixed bug #67497 (eval with parse error causes segmentation fault in
generator). (Nikita)
. Fixed bug #67151 (strtr with empty array crashes). (Nikita)
. Fixed bug #67407 (Windows 8.1/Server 2012 R2 reported as Windows 8/Server
2012). (Christian Wenz)
. Fixed bug #66608 (Incorrect behavior with nested "finally" blocks).
(Laruence, Dmitry)
. Implemented FR #34407 (ucwords and Title Case). (Tjerk)
- CLI server:
. Implemented FR #67429 (CLI server is missing some new HTTP response codes).
(Adam)
. Fixed bug #66830 (Empty header causes PHP built-in web server to hang).
(Adam)
. Fixed bug #67594 (Unable to access to apache_request_headers() elements).
(Tjerk)
- FPM:
. Fixed bug #67530 (error_log=syslog ignored). (Remi)
. Fixed bug #67531 (syslog cannot be set in pool configuration). (Remi)
- Intl:
. Fixed bug #66921 (Wrong argument type hint for function
intltz_from_date_time_zone). (Stas)
. Fixed bug #67052 (NumberFormatter::parse() resets LC_NUMERIC setting).
(Stas)
- OPCache:
. Fixed bug #67215 (php-cgi work with opcache, may be segmentation fault
happen) (Dmitry, Laruence)
- pgsql:
. Fixed bug #67550 (Error in code "form" instead of "from", pgsql.c, line 756),
which affected builds against libpq < 7.3. (Adam)
- Phar:
. Fixed bug #67587 (Redirection loop on nginx with FPM). (Christian Weiske)
- SPL:
. Fixed bug #67539 (ArrayIterator use-after-free due to object change during
sorting). (CVE-2014-4698) (research at insighti dot org, Laruence)
. Fixed bug #67538 (SPL Iterators use-after-free). (CVE-2014-4670) (Laruence)
- Streams:
. Fixed bug #67430 (http:// wrapper doesn't follow 308 redirects). (Adam)
- Session:
. Fixed bug #66827 (Session raises E_NOTICE when session name variable is array).
(Yasuo)
27 Jun 2014, PHP 5.5.14
- Core:
. Fixed BC break introduced by patch for bug #67072. (Anatol, Stas)
. Fixed bug #66622 (Closures do not correctly capture the late bound class
(static::) in some cases). (Levi Morrison)
. Fixed bug #67390 (insecure temporary file use in the configure script).
(Remi) (CVE-2014-3981)
. Fixed bug #67399 (putenv with empty variable may lead to crash). (Stas)
- CLI server:
. Fixed Bug #67406 (built-in web-server segfaults on startup). (Remi)
- Date:
. Fixed bug #67308 (Serialize of DateTime truncates fractions of second).
(Adam)
. Fixed regression in fix for bug #67118 (constructor can't be called twice).
(Remi)
- Fileinfo:
. Fixed bug #67326 (fileinfo: cdf_read_short_sector insufficient boundary check).
. Fixed bug #67410 (fileinfo: mconvert incorrect handling of truncated pascal
string size). (Francisco Alonso, Jan Kaluza, Remi)
. Fixed bug #67411 (fileinfo: cdf_check_stream_offset insufficient boundary
check). (Francisco Alonso, Jan Kaluza, Remi)
. Fixed bug #67412 (fileinfo: cdf_count_chain insufficient boundary check).
(Francisco Alonso, Jan Kaluza, Remi)
. Fixed bug #67413 (fileinfo: cdf_read_property_info insufficient boundary
check). (Francisco Alonso, Jan Kaluza, Remi)
- Network:
. Fixed bug #67432 (Fix potential segfault in dns_get_record()).
(CVE-2014-4049). (Sara)
- OPCache:
. Fixed issue #183 (TMP_VAR is not only used once). (Dmitry, Laruence)
- OpenSSL:
. Fixed bug #65698 (certificates validity parsing does not work past 2050).
(Paul Oehler)
. Fixed bug #66636 (openssl_x509_parse warning with V_ASN1_GENERALIZEDTIME).
(Paul Oehler)
- PDO-ODBC:
. Fixed bug #50444 (PDO-ODBC changes for 64-bit).
- SOAP:
. Implemented FR #49898 (Add SoapClient::__getCookies()). (Boro Sitnikovski)
- SPL:
. Fixed bug #66127 (Segmentation fault with ArrayObject unset). (Stas)
. Fixed bug #67359 (Segfault in recursiveDirectoryIterator). (Laruence)
. Fixed bug #67360 (Missing element after ArrayObject::getIterator). (Adam)
. Fixed bug #67492 (unserialize() SPL ArrayObject / SPLObjectStorage Type
Confusion). (CVE-2014-3515) (Stefan Esser)
29 May 2014, PHP 5.5.13
- CLI server:
. Fixed bug #67079 (Missing MIME types for XML/XSL files). (Anatol)
- COM:
. Fixed bug #66431 (Special Character via COM Interface (CP_UTF8)). (Anatol)
- Core:
. Fixed bug #65701 (copy() doesn't work when destination filename is created
by tempnam()). (Boro Sitnikovski)
. Fixed bug #67072 (Echoing unserialized "SplFileObject" crash). (Anatol)
. Fixed bug #67245 (usage of memcpy() with overlapping src and dst in
zend_exceptions.c). (Bob)
. Fixed bug #67247 (spl_fixedarray_resize integer overflow). (Stas)
. Fixed bug #67249 (printf out-of-bounds read). (Stas)
. Fixed bug #67250 (iptcparse out-of-bounds read). (Stas)
. Fixed bug #67252 (convert_uudecode out-of-bounds read). (Stas)
- Curl:
. Fixed bug #64247 (CURLOPT_INFILE doesn't allow reset). (Mike)
- Date:
. Fixed bug #67118 (DateTime constructor crash with invalid data). (Anatol)
. Fixed bug #67251 (date_parse_from_format out-of-bounds read). (Stas)
. Fixed bug #67253 (timelib_meridian_with_check out-of-bounds read). (Stas)
- DOM:
. Fixed bug #67081 (DOMDocumentType->internalSubset returns entire DOCTYPE tag,
not only the subset). (Anatol)
- Fileinfo:
. Fixed bug #66307 (Fileinfo crashes with powerpoint files). (Anatol)
. Fixed bug #67327 (fileinfo: CDF infinite loop in nelements DoS) (CVE-2014-0238).
. Fixed bug #67328 (fileinfo: fileinfo: numerous file_printf calls resulting in
performance degradation) (CVE-2014-0237).
- FPM:
. Fixed bug #66908 (php-fpm reload leaks epoll_create() file descriptor).
(Julio Pintos)
- GD:
. Fixed bug #67248 (imageaffinematrixget missing check of parameters). (Stas)
- PCRE:
. Fixed bug #67238 (Ungreedy and min/max quantifier bug, applied patch
from the upstream). (Anatol)
- Phar:
. Fix bug #64498 ($phar->buildFromDirectory can't compress file with an accent
in its name). (PR #588)
30 Apr 2014, PHP 5.5.12
- Core:
. Fixed bug #61019 (Out of memory on command stream_get_contents). (Mike)
. Fixed bug #64330 (stream_socket_server() creates wrong Abstract Namespace
UNIX sockets). (Mike)
. Fixed bug #66182 (exit in stream filter produces segfault). (Mike)
. Fixed bug #66736 (fpassthru broken). (Mike)
. Fixed bug #67024 (getimagesize should recognize BMP files with negative
height). (Gabor Buella)
. Fixed bug #67043 (substr_compare broke by previous change) (Tjerk)
. Fixed bug #67033 (Remove reference to Windows 95). (Anatol)
- cURL:
. Fixed bug #66562 (curl_exec returns differently than curl_multi_getcontent).
(Freek Lijten)
- Date:
. Fixed bug #66721 (__wakeup of DateTime segfaults when invalid object data is
supplied). (Boro Sitnikovski)
- Embed:
. Fixed bug #65715 (php5embed.lib isn't provided anymore). (Anatol).
- Fileinfo:
. Fixed bug #66987 (Memory corruption in fileinfo ext / bigendian).
(Remi)
- FPM:
. Fixed bug #66482 (unknown entry 'priority' in php-fpm.conf).
. Fixed bug #67060 (sapi/fpm: possible privilege escalation due to insecure
default configuration) (CVE-2014-0185). (Stas)
- JSON:
. Fixed bug #66021 (Blank line inside empty array/object when
JSON_PRETTY_PRINT is set). (Kevin Israel)
- LDAP:
. Fixed issue with null bytes in LDAP bindings. (Matthew Daley)
- mysqli:
. Fixed problem in mysqli_commit()/mysqli_rollback() with second parameter
(extra comma) and third parameters (lack of escaping). (Andrey)
- OpenSSL:
. Fix bug #66942 (memory leak in openssl_seal()). (Chuan Ma)
. Fix bug #66952 (memory leak in openssl_open()). (Chuan Ma)
- SimpleXML:
. Fixed bug #66084 (simplexml_load_string() mangles empty node name)
(Anatol)
- SQLite:
. Fixed bug #66967 (Updated bundled libsqlite to 3.8.4.3). (Anatol)
- XSL:
. Fixed bug #53965 (<xsl:include> cannot find files with relative paths
when loaded with "file://"). (Anatol)
- Apache2 Handler SAPI:
. Fixed Apache log issue caused by APR's lack of support for %zu
(APR issue https://issues.apache.org/bugzilla/show_bug.cgi?id=56120).
(Jeff Trawick)
03 Apr 2014, PHP 5.5.11
- Core:
. Allow zero length comparison in substr_compare() (Tjerk)
. Fixed bug #60602 (proc_open() changes environment array) (Tjerk)
- SPL:
. Added feature #65545 (SplFileObject::fread()) (Tjerk)
. Fixed bug #66702 (RegexIterator::INVERT_MATCH does not invert). (Joshua
Thijssen)
- cURL:
. Fixed bug #66109 (Can't reset CURLOPT_CUSTOMREQUEST to default behaviour) (Tjerk)
. Fix compilation on libcurl versions between 7.10.5 and 7.12.2, inclusive.
(Adam)
- Fileinfo:
. Fixed bug #66946i (fileinfo: extensive backtracking in awk rule regular
expression). (CVE-2013-7345) (Remi)
- FPM:
. Added clear_env configuration directive to disable clearenv() call.
(Github PR# 598, Paul Annesley)
- GD:
. Fixed bug #66714 (imageconvolution breakage). (Brad Daily)
. Fixed bug #66869 (Invalid 2nd argument crashes imageaffinematrixget) (Pierre)
. Fixed bug #66887 (imagescale - poor quality of scaled image). (Remi)
. Fixed bug #66890 (imagescale segfault). (Remi)
. Fixed bug #66893 (imagescale ignore method argument). (Remi)
- Hash:
. hash_pbkdf2() now works correctly if the $length argument is not specified.
(Nikita)
- Intl:
. Fixed bug #66873 (A reproductible crash in UConverter when given invalid
encoding) (Stas)
- Mail:
. Fixed bug #66535 (Don't add newline after X-PHP-Originating-Script) (Tjerk)
- MySQLi:
. Fixed bug #66762 (Segfault in mysqli_stmt::bind_result() when link closed)
(Remi)
- OPCache
. Added function opcache_is_script_cached(). (Danack)
. Added information about interned strings usage. (Terry, Julien, Dmitry)
- Openssl:
. Fixed bug #66833 (Default disgest algo is still MD5, switch to SHA1). (Remi)
- GMP
. Fixed bug #66872 (invalid argument crashes gmp_testbit) (Pierre)
- SQLite:
. Updated bundled libsqlite to 3.8.3.1 (Anatol)
06 Mar 2014, PHP 5.5.10
- Core:
. Fixed Request #66574i (Allow multiple paths in php_ini_scanned_path). (Remi)
- Date:
. Fixed bug #45528 (Allow the DateTimeZone constructor to accept timezones
per offset too). (Derick)
- Fileinfo:
. Bug #66731 (file: infinite recursion) (CVE-2014-1943). (Remi)
. Fixed bug #66820 (out-of-bounds memory access in fileinfo)
(CVE-2014-2270). (Remi)
- GD