
Commit 78c201a

Update NEWS with security fixes info
1 parent f18d429 commit 78c201a

1 file changed

+26
-2
lines changed


NEWS

Lines changed: 26 additions & 2 deletions
@@ -46,9 +46,11 @@ PHP NEWS
4646

4747
21 Nov 2024, PHP 8.2.26
4848

49-
- Cli:
49+
- CLI:
5050
. Fixed bug GH-16373 (Shebang is not skipped for router script in cli-server
5151
started through shebang). (ilutov)
52+
. Fixed bug GHSA-4w77-75f9-2c8w (Heap-Use-After-Free in sapi_read_post_data
53+
Processing in CLI SAPI Interface). (nielsdos)
5254

5355
- COM:
5456
. Fixed out of bound writes to SafeArray data. (cmb)
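Review bot: the new CLI entry for GHSA-4w77-75f9-2c8w is the only security entry in this change with no CVE number beside its GHSA id (the LDAP, MySQLnd, PDO and Streams entries added here all carry one); if a CVE has been assigned for this heap use-after-free, add it in the same `(CVE-...)` position so readers can cross-reference it the same way. Minor style point: the description capitalises "Processing" mid-phrase ("sapi_read_post_data Processing in CLI SAPI Interface"); lower-casing it would match the other entries.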
@@ -123,10 +125,18 @@ PHP NEWS
123125
. Fixed segfaults and other issues related to operator overloading with
124126
GMP objects. (Girgias)
125127

128+
- LDAP:
129+
. Fixed bug GHSA-g665-fm4p-vhff (OOB access in ldap_escape). (CVE-2024-8932)
130+
(nielsdos)
131+
126132
- MBstring:
127133
. Fixed bug GH-16361 (mb_substr overflow on start/length arguments).
128134
(David Carlier)
129135

136+
- MySQLnd:
137+
. Fixed bug GHSA-h35g-vwh6-m678 (Leak partial content of the heap through
138+
heap buffer over-read). (CVE-2024-8929) (Jakub Zelenka)
139+
130140
- OpenSSL:
131141
. Fixed bug GH-16357 (openssl may modify member types of certificate arrays).
132142
(cmb)
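Review bot: the MySQLnd entry for GHSA-h35g-vwh6-m678 / CVE-2024-8929 states the effect ("Leak partial content of the heap through heap buffer over-read") but, unlike the LDAP entry just above that names ldap_escape, gives no indication of the affected function or protocol step; naming it the way the other entries do would let users judge whether their deployment is exposed.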
@@ -135,7 +145,15 @@ PHP NEWS
135145
. Fix various memory leaks on error conditions in openssl_x509_parse().
136146
(nielsdos)
137147

138-
- PDO_ODBC:
148+
- PDO DBLIB:
149+
. Fixed bug GHSA-5hqh-c84r-qjcv (Integer overflow in the dblib quoter causing
150+
OOB writes). (CVE-2024-11236) (nielsdos)
151+
152+
- PDO Firebird:
153+
. Fixed bug GHSA-5hqh-c84r-qjcv (Integer overflow in the firebird quoter
154+
causing OOB writes). (CVE-2024-11236) (nielsdos)
155+
156+
- PDO ODBC:
139157
. Fixed bug GH-16450 (PDO_ODBC can inject garbage into field values). (cmb)
140158

141159
- Phar:
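Review bot: the PDO DBLIB and PDO Firebird entries cite the same advisory and CVE (GHSA-5hqh-c84r-qjcv / CVE-2024-11236) with near-identical wording; if a single advisory does cover both quoters that is fine, but please confirm the ids are intentional and not a copy-paste slip, since the two drivers are otherwise listed as separate sections. Renaming the existing "PDO_ODBC" heading to "PDO ODBC" keeps it consistent with the new "PDO DBLIB" and "PDO Firebird" headings; the GH-16450 entry beneath it still says "PDO_ODBC" in its text, which is acceptable as the bug's title.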
@@ -180,6 +198,12 @@ PHP NEWS
180198
. Fixed bug GH-16293 (Failed assertion when throwing in assert() callback with
181199
bail enabled). (ilutov)
182200

201+
- Streams:
202+
. Fixed bug GHSA-c5f2-jwm7-mmq2 (Configuring a proxy in a stream context
203+
might allow for CRLF injection in URIs). (CVE-2024-11234) (Jakub Zelenka)
204+
. Fixed bug GHSA-r977-prxv-hc43 (Single byte overread with
205+
convert.quoted-printable-decode filter). (CVE-2024-11233) (nielsdos)
206+
183207
- SysVMsg:
184208
. Fixed bug GH-16592 (msg_send() crashes when a type does not properly
185209
serialized). (David Carlier / cmb)
