@@ -58,6 +58,8 @@ PHP NEWS
5858- CGI:
5959 . Fixed buffer limit on Windows, replacing read call usage by _read.
6060 (David Carlier)
61+ . Fixed bug GHSA-3qgc-jrrr-25jv (Bypass of CVE-2012-1823, Argument Injection
62+ in PHP-CGI). (CVE-2024-4577) (nielsdos)
6163
6264- CLI:
6365 . Fixed bug GH-14189 (PHP Interactive shell input state incorrectly handles
@@ -76,6 +78,10 @@ PHP NEWS
7678 . Fix crash in ParentNode::append() when dealing with a fragment
7779 containing text nodes. (nielsdos)
7880
81+ - Filter:
82+ . Fixed bug GHSA-w8qr-v226-r27w (Filter bypass in filter_var FILTER_VALIDATE_URL).
83+ (CVE-2024-5458) (nielsdos)
84+
7985- FPM:
8086 . Fix bug GH-14175 (Show decimal number instead of scientific notation in
8187 systemd status). (Benjamin Cremer)
@@ -96,6 +102,20 @@ PHP NEWS
96102 . Fixed bug GH-14109 (Fix accidental persisting of internal class constant in
97103 shm). (ilutov)
98104
105+ - OpenSSL:
106+ . The openssl_private_decrypt function in PHP, when using PKCS1 padding
107+ (OPENSSL_PKCS1_PADDING, which is the default), is vulnerable to the Marvin Attack
108+ unless it is used with an OpenSSL version that includes the changes from this pull
109+ request: https://github.com/openssl/openssl/pull/13817 (rsa_pkcs1_implicit_rejection).
110+ These changes are part of OpenSSL 3.2 and have also been backported to stable
111+ versions of various Linux distributions, as well as to the PHP builds provided for
112+ Windows since the previous release. All distributors and builders should ensure that
113+ this version is used to prevent PHP from being vulnerable. (CVE-2024-2408)
114+
115+ - Standard:
116+ . Fixed bug GHSA-9fcc-425m-g385 (Bypass of CVE-2024-1874).
117+ (CVE-2024-5585) (nielsdos)
118+
99119- XML:
100120 . Fixed bug GH-14124 (Segmentation fault with XML extension under certain
101121 memory limit). (nielsdos)
0 commit comments