Opened 6 months ago

Closed 5 months ago

#17385 closed enhancement (fixed)


Reported by: Bruce Dubbs Owned by: Bruce Dubbs
Priority: normal Milestone: 11.3
Component: BOOK Version: git
Severity: normal Keywords:


New minor version.

Change History (3)

comment:1 by Bruce Dubbs, 5 months ago

Owner: changed from blfs-book to Bruce Dubbs
Status: newassigned

comment:2 by Bruce Dubbs, 5 months ago

08 Dec 2022, PHP 8.2.0

CVE Fixes: CVE-2022-31630 and CVE-2022-37454 (see below)

  • CLI:
    • Fixed bug 81496 (Server logs incorrect request method).
    • Updated the mime-type table for the builtin-server.
    • Fixed potential overflow for the builtin server via the PHP_CLI_SERVER_WORKERS environment variable-
    • Fixed GH-8575 by changing STDOUT, STDERR and STDIN to not close on resource destruction-
    • Implement built-in web server responding without body to HEAD request on a static resource-
    • Implement built-in web server responding with HTTP status 405 to DELETE/PUT/PATCH request on a static resource-
    • Fixed bug GH-9709 (Null pointer dereference with -w/-s options).

  • COM:
    • Fixed bug GH-8750 (Can not create VT_ERROR variant type).

  • Core:
    • Fixed bug 81380 (Observer may not be initialized properly).
    • Fixed bug GH-7771 (Fix filename/lineno of constant expressions).
    • Fixed bug GH-7792 (Improve class type in error messages).
    • Support huge pages on MacOS.
    • Fixed bug GH-8655 (Casting an object to array does not unwrap refcount=1 references)-
    • Fixed bug GH-8661 (Nullsafe in coalesce triggers undefined variable warning)-
    • Fixed bug GH-7821 and GH-8418 (Allow arbitrary const expressions in backed enums)-
    • Fixed bug GH-8810 (Incorrect lineno in backtrace of multi-line function calls)-
    • Optimised code path for newly created file with the stream plain wrapper.
    • Uses safe_perealloc instead of perealloc for the ZEND_PTR_STACK_RESIZE_IF_NEEDED to avoid possible overflows-
    • Reduced the memory footprint of strings returned by var_export(), json_encode(), serialize(), iconv_*(), mb_ereg*(), session_create_id(), http_build_query(), strstr(), Reflection*::toString()-
    • Fixed bug GH-8995 (WeakMap object reference offset causing TypeError).
    • Added error_log_mode ini setting.
    • Updated request startup messages.
    • Fixed bug GH-7900 (Arrow function with never return type compile-time errors)-
    • Fixed incorrect double to long casting in latest clang.
    • Added support for defining constants in traits.
    • Stop incorrectly emitting false positive deprecation notice alongside unsupported syntax fatal error for "{$g{'h'}}"-
    • Fix unexpected deprecated dynamic property warning, which occurred when exit() in finally block after an exception was thrown without catching-
    • Fixed bug GH-9323 (Crash in ZEND_RETURN/GC/zend_call_function)
    • Fixed bug GH-9227 (Trailing dots and spaces in filenames are ignored).
    • Fixed bug GH-9285 (Traits cannot be used in readonly classes).
    • Fixed bug GH-9186 (@strict-properties can be bypassed using unserialization)-
    • Fixed bug GH-9500 (Using dnf type with parentheses after readonly keyword results in a parse error)-
    • Fixed bug GH-9516 ((A&B)|D as a param should allow AB or D. Not just A).
    • Fixed observer class notify with Opcache file_cache_only=1.
    • Fixes segfault with Fiber on FreeBSD i386 architecture.
    • Fixed bug GH-9655 (Pure intersection types cannot be implicitly nullable)
    • Fixed bug GH-9589 (dl() segfaults when module is already loaded).
    • Fixed bug GH-9752 (Generator crashes when interrupted during argument evaluation with extra named params)-
    • Fixed bug GH-9801 (Generator crashes when memory limit is exceeded during initialization)-
    • Fixed a bug with preloaded enums possibly segfaulting.
    • Fixed bug GH-9823 (Don’t reset func in zend_closure_internal_handler).
    • Fixed potential NULL pointer dereference Windows shm*() functions.
    • Fix target validation for internal attributes with constructor property promotion-
    • Fixed bug GH-9750 (Generator memory leak when interrupted during argument evaluation-
    • Move observer_declared_function_notify until after pass_two().
    • Do not report MINIT stage internal class aliases in extensions.
  • Curl:
    • Added support for CURLOPT_XFERINFOFUNCTION.
    • Added support for CURLOPT_MAXFILESIZE_LARGE.
    • Added new constants from cURL 7.62 to 7.80.
    • New function curl_upkeep().
  • Date:
    • Fixed GH-8458 (DateInterval::createFromDateString does not throw if non-relative items are present)-
    • Fixed bug 52015 (Allow including end date in DatePeriod iterations)
    • idate() now accepts format specifiers "N" (ISO Day-of-Week) and "o" (ISO Year)-
    • Fixed bug GH-8730 (DateTime::diff miscalculation is same time zone of different type)-
    • Fixed bug GH-8964 (DateTime object comparison after applying delta less than 1 second)-
    • Fixed bug GH-9106: (DateInterval 1.5s added to DateTimeInterface is rounded down since PHP 8-1.0).
    • Fixed bug 75035 (Datetime fails to unserialize "extreme" dates).
    • Fixed bug 80483 (DateTime Object with 5-digit year can't unserialized).
    • Fixed bug 81263 (Wrong result from DateTimeImmutable::diff).
    • Fixed bug GH-9431 (DateTime::getLastErrors() not returning false when no errors/warnings)-
    • Fixed bug with parsing large negative numbers with the @ notation.
  • DBA:
    • Fixed LMDB driver hanging when attempting to delete a non-existing key
    • Fixed LMDB driver memory leak on DB creation failure
    • Fixed GH-8856 (dba: lmdb: allow to override the MDB_NOSUBDIR flag).
  • FFI:
    • Fixed bug GH-9090 (Support assigning function pointers in FFI).
  • Fileinfo:
    • Fixed bug GH-8805 (finfo returns wrong mime type for woff/woff2 files).
  • Filter:
    • Added FILTER_FLAG_GLOBAL_RANGE to filter Global IPs.
  • FPM:
    • Emit error for invalid port setting.
    • Added extra check for FPM proc dumpable on SELinux based systems.
    • Added support for listening queue on macOS.
    • Changed default for listen.backlog on Linux to -1.
    • Added listen.setfib pool option to set route FIB on FreeBSD.
    • Added access.suppress_path pool option to filter access log entries.
    • Fixed on fpm scoreboard occasional warning on acquisition failure.
    • Fixed bug GH-9754 (SaltStack (using Python subprocess) hangs when running php-fpm 8-1.11).
  • FTP:
    • Fix datetime format string to follow POSIX spec in ftp_mdtm().
  • GD:
    • Fixed bug 81739: OOB read due to insufficient input validation in imageloadfont()- (CVE-2022-31630)
  • GMP:
    • Fixed bug GH-9308 (GMP throws the wrong error when a GMP object is passed to gmp_init())-
  • Hash:
    • Fixed bug 81738: buffer overflow in hash_update() on long parameter. (CVE-2022-37454)
  • Intl:
    • Update all grandfathered language tags with preferred values
    • Fixed GH-7939 (Cannot unserialize IntlTimeZone objects).
    • Fixed build for ICU 69.x and onwards.
    • Declared Transliterator::$id as readonly to unlock subclassing it.
    • Fixed bug GH-9421 (Incorrect argument number for ValueError in NumberFormatter).
  • MBString:
    • Fixed bug GH-9248 (Segmentation fault in mb_strimwidth()).
  • mysqli:
    • Fixed bug GH-9841 (mysqli_query throws warning despite using silenced error mode)-
  • MySQLnd:
    • Fixed potential heap corruption due to alignment mismatch.
  • OCI8:
    • Added oci8.prefetch_lob_size directive to tune LOB query performance
    • Support for building against Oracle Client libraries 10.1 and 10.2 has been dropped- Oracle Client libraries 11.2 or newer are now required.
  • OCI8:
    • Added oci8.prefetch_lob_size directive to tune LOB query performance
    • Support for building against Oracle Client libraries 10.1 and 10.2 has been dropped- Oracle Client libraries 11.2 or newer are now required.
  • ODBC:
    • Fixed bug GH-8300 (User input not escaped when building connection string).
    • Fixed bug GH-9347 (Current ODBC liveness checks may be inadequate).
  • Opcache:
    • Allocate JIT buffer close to PHP .text segemnt to allow using direct IP-relative calls and jumps-
    • Added initial support for JIT performance profiling generation for macOs Instrument-
    • Fixed bug GH-8030 (Segfault with JIT and large match/switch statements).
    • Added JIT support improvement for macOs for segments and executable permission bit handling-
    • Added JIT buffer allocation near the .text section on FreeNSD.
    • Fixed bug GH-9371 (Crash with JIT on mac arm64)
    • Fixed bug GH-9259 (opcache.interned_strings_buffer setting integer overflow)-
    • Added indirect call reduction for jit on x86 architectures.
    • Fixed bug GH-9164 (Segfault in zend_accel_class_hash_copy).
    • Fix opcache preload with observers enabled.
  • OpenSSL:
    • Discard poll calls on socket when no timeout/non blocking/MSG_DONTWAIT.
    • Fixed bug GH-9310 (SSL local_cert and local_pk do not respect open_basedir)-
    • Implement FR #76935 ("chacha20-poly1305" is an AEAD but does not work like AEAD)-
    • Added openssl_cipher_key_length function.
    • Fixed bug GH-9517 (Compilation error openssl extension related to PR GH-9366)-
    • Fixed missing clean up of OpenSSL engine list - attempt to fix GH-8620.
    • Fixed bug GH-8430 (OpenSSL compiled with no-md2, no-md4 or no-rmd160 does not build)-
  • PCNTL:
    • Fixed pcntl_(get|set)priority error handling for MacOS.
  • PCRE:
    • Implemented FR #77726 (Allow null character in regex patterns).
    • Updated bundled libpcre to 10.40.
  • PDO:
    • Fixed bug GH-9818 (Initialize run time cache in PDO methods).
  • PDO_Firebird:
    • Fixed bug GH-8576 (Bad interpretation of length when char is UTF-8).
    • Fixed bug 80909 (crash with persistent connections in PDO_ODBC).
    • Fixed bug GH-8300 (User input not escaped when building connection string).
    • Fixed bug GH-9347 (Current ODBC liveness checks may be inadequate).
    • Fixed bug GH-9372 (HY010 when binding overlong parameter).
    • Fixed bug GH-9411 (PgSQL large object resource is incorrectly closed).
  • Random:
    • Added new random extension.
    • Fixed bug GH-9067 (random extension is not thread safe).
    • Fixed bug GH-9055 (segmentation fault if user engine throws).
    • Fixed bug GH-9066 (signed integer overflow).
    • Fixed bug GH-9083 (undefined behavior during shifting).
    • Fixed bug GH-9088, GH-9056 (incorrect expansion of bytes when generating uniform integers within a given range)-
    • Fixed bug GH-9089 (Fix memory leak on Randomizer::construct() call twice)-
    • Fixed bug GH-9212 (PcgOneseq128XslRr64::jump() should not allow negative $advance)-
    • Changed Mt19937 to throw a ValueError instead of InvalidArgumentException for invalid $mode-
    • Splitted Random\Randomizer::getInt() (without arguments) to Random\Randomizer::nextInt()-
    • Fixed bug GH-9235 (non-existant $sequence parameter in stub for PcgOneseq128XslRr64::construct())-
    • Fixed bug GH-9190, GH-9191 (undefined behavior for MT_RAND_PHP when handling large ranges)-
    • Fixed bug GH-9249 (Xoshiro256StarStar does not reject the invalid all-zero state)-
    • Removed redundant RuntimeExceptions from Randomizer methods. The exceptions thrown by the engines will be exposed directly-
    • Added extension specific Exceptions/Errors (RandomException, RandomError, BrokenRandomEngineError)-
    • Fixed bug GH-9415 (Randomizer::getInt(0, 232 - 1) with Mt19937 always returns 1)-
    • Fixed Randomizer::getInt() consistency for 32-bit engines.
    • Fixed bug GH-9464 (build on older macOs releases).
    • Fixed bug GH-9839 (Pre-PHP 8.2 output compatibility for non-mt_rand()
  • Reflection:
    • Added ReflectionFunction::isAnonymous().
    • Added ReflectionMethod::hasPrototype().
    • Narrow ReflectionEnum::getBackingType() return type to ReflectionNamedType.
    • Fixed bug GH-8932 (ReflectionFunction provides no way to get the called class of a Closure)-
  • Session:
    • Fixed bug GH-7787 (Improve session write failure message for user error handlers)-
    • Fixed GH-9200 (setcookie has an obsolete expires date format).
    • Fixed GH-9584 (Avoid memory corruption when not unregistering custom session handler)-
    • Fixed bug GH-9583 (session_create_id() fails with user defined save handler that doesn't have a validateId() method)-
  • SOAP:
    • Fixed bug GH-9720 (Null pointer dereference while serializing the response).
  • Sockets:
    • Added TCP_NOTSENT_LOWAT socket option.
    • Added SO_MEMINFO socket option.
    • Added SO_RTABLE socket option (OpenBSD), equivalent of SO_MARK (Linux).
    • Added ancillary data support for FreeBSD.
    • Added ancillary data support for NetBSD.
    • Added SO_BPF_EXTENSIONS socket option.
    • Added SO_SETFIB socket option.
    • Added TCP_CONGESTION socket option.
    • Added SO_ZEROCOPY/MSG_ZEROCOPY options.
    • Added SOL_FILTER socket option for Solaris.
    • Fixed socket constants regression as of PHP 8.2.0beta3.
  • Sodium:
    • Added sodium_crypto_stream_xchacha20_xor_ic().
  • SPL:
    • Uses safe_erealloc instead of erealloc to handle heap growth for the SplHeap::insert method to avoid possible overflows-
    • Widen iterator_to_array() and iterator_count()'s $iterator parameter to iterable-
    • Fixed bug 69181 (READ_CSV|DROP_NEW_LINE drops newlines within fields).
    • Fixed bug 65069 (GlobIterator incorrect handling of open_basedir check).
  • SQLite3:
    • Changed sqlite3.defensive from PHP_INI_SYSTEM to PHP_INI_USER.
  • Standard:
    • net_get_interfaces() also reports wireless network interfaces on Windows.
    • Finished AVIF support in getimagesize().
    • Fixed bug GH-7847 (stripos with large haystack has bad performance).
    • New function memory_reset_peak_usage().
    • Fixed parse_url(): can not recognize port without scheme.
    • Deprecated utf8_encode() and utf8_decode().
    • Fixed the crypt_sha256/512 api build with clang > 12.
    • Uses safe_erealloc instead of erealloc to handle options in getopt to avoid possible overflows-
    • Implemented FR GH-8924 (str_split should return empty array for empty string)-
    • Added ini_parse_quantity function to convert ini quantities shorthand notation to int-
    • Enable arc4random_buf for Linux glibc 2.36 and onwards for the random_bytes-
    • Uses CCRandomGenerateBytes instead of arc4random_buf on macOs.
    • Fixed bug #65489 (glob() basedir check is inconsistent).
    • Fixed GH-9200 (setcookie has an obsolete expires date format).
    • Fixed GH-9244 (Segfault with array_multisort + array_shift).
    • Fixed bug GH-9296 (ksort behaves incorrectly on arrays with mixed keys).
    • Marked crypt()'s $string parameter as #[\SensitiveParameter].
    • Fixed bug GH-9464 (build on older macOs releases).
    • Fixed bug GH-9518 (Disabling IPv6 support disables unrelated constants).
    • Revert "Fixed parse_url(): can not recognize port without scheme."
    • Fix crash reading module_entry after DL_UNLOAD() when module already loaded-
  • Streams:
    • Set IP_BIND_ADDRESS_NO_PORT if available when connecting to remote host.
    • Fixed bug GH-8548 (stream_wrapper_unregister() leaks memory).
    • Discard poll calls on socket when no timeout/non blocking/MSG_DONTWAIT.
    • Fixed bug GH-9316 ($http_response_header is wrong for long status line).
    • Fixed bug GH-9590 (stream_select does not abort upon exception or empty valid fd set)-
    • Fixed bug GH-9653 (file copy between different filesystems).
    • Fixed bug GH-9779 (stream_copy_to_stream fails if dest in append mode).
  • Windows:
    • Added preliminary support for (cross-)building for ARM64.
  • XML:
    • Added libxml_get_external_entity_loader() function.
  • Zip:
    • add ZipArchive::clearError() method
    • add ZipArchive::getStreamName() method
    • add ZipArchive::getStreamIndex() method
    • On Windows, the Zip extension is now built as shared library (DLL) by default-
    • Implement fseek for zip stream when possible with libzip 1.9.1.

comment:3 by Bruce Dubbs, 5 months ago

Resolution: fixed
Status: assignedclosed

Fixed at commits

ec886f9ab0 Update to php-8.2.0.
c8cce20f7b Update to pipewire-0.3.62.
96041b528d Update to vim-9.0.1060.
209472f4a5 Update to dash-0.5.12.
bd199a674c Update to tcsh-6.24.06.
Note: See TracTickets for help on using tickets.