
PHP 5 ChangeLog

Date post: 07-Jul-2018
Upload: amit-kumar
  • 8/18/2019 PHP 5 ChangeLog


    Version 5.6.20

    31 Mar 2016

    CLI Server:
    - Fixed bug #69953 (Support MKCALENDAR request method).

    Core:
    - Fixed bug #71596 (Segmentation fault on ZTS with date function (setlocale)).

    Curl:
    - Fixed bug #71694 (Support constant CURLM_ADDED_ALREADY).

    Date:
    - Fixed bug #71635 (DatePeriod::getEndDate segfault).

    Fileinfo:
    - Fixed bug #71527 (Buffer over-write in finfo_open with malformed magic file).

    Mbstring:
    - Fixed bug #71906 (AddressSanitizer: negative-size-param (-1) in mbfl_strcut).

    ODBC:
    - Fixed bug #47803, #69526 (Executing prepared statements is succesfull only for the first two statements).
    - Fixed bug #71860 (Invalid memory write in phar on filename with \0 in name).

    PDO_DBlib:
    - Fixed bug #54648 (PDO::MSSQL forces format of datetime fields).

    Phar:
    - Fixed bug #71625 (Crash in php7.dll with bad phar filename).
    - Fixed bug #71504 (Parsing of tar file with duplicate filenames causes memory leak).

    SNMP:
    - Fixed bug #71704 (php_snmp_error() Format String Vulnerability).

    Standard:
    - Fixed bug #71798 (Integer Overflow in php_raw_url_encode).

    Version 5.5.34

    31 Mar 2016

    Fileinfo:
    - Fixed bug #71527 (Buffer over-write in finfo_open with malformed magic file).

    Mbstring:
    - Fixed bug #71906 (AddressSanitizer: negative-size-param (-1) in mbfl_strcut).

    ODBC:
    - Fixed bug #71860 (Invalid memory write in phar on filename with \0 in name).

    SNMP:
    - Fixed bug #71704 (php_snmp_error() Format String Vulnerability).

    Standard:
    - Fixed bug #71798 (Integer Overflow in php_raw_url_encode).

    Version 5.6.19

    03 Mar 2016

    CLI server:
    - Fixed bug #71559 (Built-in HTTP server, we can download file in web by bug).

    CURL:
    - Fixed bug #71523 (Copied handle with new option CURLOPT_HTTPHEADER crashes while curl_multi_exec).

    Date:
    - Fixed bug #68078 (Datetime comparisons ignore microseconds).
    - Fixed bug #71525 (Calls to date_modify will mutate timelib_rel_time, causing date_date_set issues).


    Fileinfo:
    - Fixed bug #71434 (finfo throws notice for specific python file).

    FPM:
    - Fixed bug #62172 (FPM not working with Apache httpd 2.4 balancer/fcgi setup).

    Opcache:
    - Fixed bug #71584 (Possible use-after-free of ZCG(cwd) in Zend Opcache).

    PDO MySQL:
    - Fixed bug #71569 (#70389 fix causes segmentation fault).

    Phar:
    - Fixed bug #71498 (Out-of-Bound Read in phar_parse_zipfile()).

    Standard:
    - Fixed bug #70720 (strip_tags improper php code parsing).

    WDDX:
    - Fixed bug #71587 (Use-After-Free / Double-Free in WDDX Deserialize).

    XSL:
    - Fixed bug #71540 (NULL pointer dereference in xsl_ext_function_php()).

    Zip:
    - Fixed bug #71561 (NULL pointer dereference in Zip::ExtractTo).

    Version 5.5.33

    03 Mar 2016

    Phar:
    - Fixed bug #71498 (Out-of-Bound Read in phar_parse_zipfile()).

    WDDX:
    - Fixed bug #71587 (Use-After-Free / Double-Free in WDDX Deserialize).

    Version 5.6.18

    04 Feb 2016

    Core:
    - Added support for new HTTP 451 code.
    - Fixed bug #71039 (exec functions ignore length but look for NULL termination).
    - Fixed bug #71089 (No check to duplicate zend_extension).
    - Fixed bug #71201 (round() segfault on 64-bit builds).
    - Fixed bug #71273 (A wrong ext directory setup in php.ini leads to crash).
    - Fixed bug #71323 (Output of stream_get_meta_data can be falsified by its input).
    - Fixed bug #71459 (Integer overflow in iptcembed()).

    Apache2handler:
    - Fix >2G Content-Length headers in apache2handler.

    FTP:
    - Implemented FR #55651 (Option to ignore the returned FTP PASV address).

    GD:
    - Improved fix for bug #70976.

    Opcache:
    - Fixed bug #71127 (Define in auto_prepend_file is overwrite).
    - Fixed bug #71024 (Unable to use PHP 7.0 x64 side-by-side with PHP 5.6 x32 on the same server).

    PCRE:
    - Upgraded bundled PCRE library to 8.38. (CVE-2015-8383, CVE-2015-8386, CVE-2015-8387, CVE-2015-8389, CVE-2015-8390, CVE-2015-8391, CVE-2015-8393, CVE-2015-8394)

    Phar:
    - Fixed bug #71354 (Heap corruption in tar/zip/phar parser).
    - Fixed bug #71391 (NULL Pointer Dereference in phar_tar_setupmetadata()).
    - Fixed bug #71488 (Stack overflow when decompressing tar archives). (CVE-2016-2554)

    Session:
    - Fixed bug #69111 (Crash in SessionHandler::read()).

    SOAP:
    - Fixed bug #70979 (crash with bad soap request).

    SPL:
    - Fixed bug #71204 (segfault if clean spl_autoload_funcs while autoloading).


    WDDX:
    - Fixed bug #71335 (Type Confusion in WDDX Packet Deserialization).

    Version 5.5.32

    04 Feb 2016

    Core:
    - Fixed bug #71039 (exec functions ignore length but look for NULL termination).
    - Fixed bug #71323 (Output of stream_get_meta_data can be falsified by its input).
    - Fixed bug #71459 (Integer overflow in iptcembed()).

    GD:
    - Improved fix for bug #70976.

    PCRE:
    - Upgraded bundled PCRE library to 8.38. (CVE-2015-8383, CVE-2015-8386, CVE-2015-8387, CVE-2015-8389, CVE-2015-8390, CVE-2015-8391, CVE-2015-8393, CVE-2015-8394)

    Phar:
    - Fixed bug #71354 (Heap corruption in tar/zip/phar parser).
    - Fixed bug #71391 (NULL Pointer Dereference in phar_tar_setupmetadata()).
    - Fixed bug #71488 (Stack overflow when decompressing tar archives). (CVE-2016-2554)

    WDDX:
    - Fixed bug #71335 (Type Confusion in WDDX Packet Deserialization).

    Version 5.6.17

    07 Jan 2016

    Core:
    - Fixed bug #66909 (configure fails utf8_to_mutf7 test).
    - Fixed bug #70958 (Invalid opcode while using ::class as trait method paramater default value).
    - Fixed bug #70957 (self::class can not be resolved with reflection for abstract class).
    - Fixed bug #70944 (try{ } finally{} can create infinite chains of exceptions).
    - Fixed bug #61751 (SAPI build problem on AIX: Undefined symbol: php_register_internal_extensions).

    FPM:
    - Fixed bug #70755 (fpm_log.c memory leak and buffer overflow).

    GD:
    - Fixed bug #70976 (Memory Read via gdImageRotateInterpolated Array Index Out of Bounds). (CVE-2016-1903)

    Mysqlnd:
    - Fixed bug #68077 (LOAD DATA LOCAL INFILE / open_basedir restriction).

    SOAP:
    - Fixed bug #70900 (SoapClient systematic out of memory error).

    Standard:
    - Fixed bug #70960 (ReflectionFunction for array_unique returns wrong number of parameters).

    PDO_Firebird:
    - Fixed bug #60052 (Integer returned as a 64bit integer on X64_86).

    WDDX:
    - Fixed bug #70661 (Use After Free Vulnerability in WDDX Packet Deserialization).
    - Fixed bug #70741 (Session WDDX Packet Deserialization Type Confusion Vulnerability).

    XMLRPC:
    - Fixed bug #70728 (Type Confusion Vulnerability in PHP_to_XMLRPC_worker()).

    Version 5.5.31

    07 Jan 2016

    FPM:
    - Fixed bug #70755 (fpm_log.c memory leak and buffer overflow).

    GD:
    - Fixed bug #70976 (Memory Read via gdImageRotateInterpolated Array Index Out of Bounds). (CVE-2016-1903)

    WDDX:
    - Fixed bug #70661 (Use After Free Vulnerability in WDDX Packet Deserialization).
    - Fixed bug #70741 (Session WDDX Packet Deserialization Type Confusion Vulnerability).

    XMLRPC:
    - Fixed bug #70728 (Type Confusion Vulnerability in PHP_to_XMLRPC_worker()).

    Version 5.6.16

    26 Nov 2015

    Core:
    - Fixed bug #70828 (php-fpm 5.6 with opcache crashes when referencing a non-existent constant).
    - Fixed bug #70748 (Segfault in ini_lex () at Zend/zend_ini_scanner.l).

    Mysqlnd:
    - Fixed bug #68344 (MySQLi does not provide way to disable peer certificate validation) by introducing MYSQLI_CLIENT_SSL_DONT_VERIFY_SERVER_CERT connection flag.

    OCI8:
    - Fixed bug #68298 (OCI int overflow).

    PDO_DBlib:
    - Fixed bug #69757 (Segmentation fault on nextRowset).

    SOAP:
    - Fixed bug #70875 (Segmentation fault if wsdl has no targetNamespace attribute).

    SPL:
    - Fixed bug #70852 (Segfault getting NULL offset of an ArrayObject).

    Version 5.6.15

    29 Oct 2015

    Core:
    - Fixed bug #70681 (Segfault when binding $this of internal instance method to null).
    - Fixed bug #70685 (Segfault for getClosure() internal method rebind with invalid $this).

    Date:
    - Fixed bug #70619 (DateTimeImmutable segfault).

    Mcrypt:
    - Fixed bug #70625 (mcrypt_encrypt() won't return data when no IV was specified under RC4).

    Mysqlnd:
    - Fixed bug #70384 (mysqli_real_query():Unknown type 245 sent by the server).
    - Fixed bug #70572 segfault in mysqlnd_connect.

    Opcache:
    - Fixed bug #70632 (Third one of segfault in gc_remove_from_buffer).
    - Fixed bug #70631 (Another Segfault in gc_remove_from_buffer()).
    - Fixed bug #70601 (Segfault in gc_remove_from_buffer()).
    - Fixed compatibility with Windows 10 (see also #70652).

    Version 5.6.14

    01 Oct 2015

    Core:
    - Fixed bug #70370 (Bundled libtool.m4 doesn't handle FreeBSD 10 when building extensions).

    CLI server:
    - Fixed bug #68291 (404 on urls with '+').

    DOM:
    - Fixed bug #70001 (Assigning to DOMNode::textContent does additional entity encoding).

    ldap:
    - Fixed bug #70465 (Bug in ldap_search() modifies LDAP_OPT_TIMELIMIT/DEREF's values). (Tyson Andre).
    - Fixed bug #69574 (ldap timeouts not enforced). (Côme Bernigaud).

    Mysqlnd:
    - Fixed bug #70456 (mysqlnd doesn't activate TCP keep-alive when connecting to a server).

    OpenSSL:
    - Fixed bug #55259 (openssl extension does not get the DH parameters from DH key resource).
    - Fixed bug #70395 (Missing ARG_INFO for openssl_seal()).
    - Fixed bug #60632 (openssl_seal fails with AES).
    - Fixed bug #68312 (Lookup for openssl.cnf causes a message box).

    PDO:
    - Fixed bug #70389 (PDO constructor changes unrelated variables).

    Phar:
    - Fixed bug #69720 (Null pointer dereference in phar_get_fp_offset()). (CVE-2015-7803)
    - Fixed bug #70433 (Uninitialized pointer in phar_make_dirstream when zip entry filename is "/"). (CVE-2015-7804)

    Phpdbg:
    - Fix phpdbg_break_next() sometimes not breaking.

    Standard:
    - Fixed bug #67131 (setcookie() conditional for empty values not met).

    Streams:
    - Fixed bug #70361 (HTTP stream wrapper doesn't close keep-alive connections).

    Zip:
    - Fixed bug #70322 (ZipArchive::close() doesn't indicate errors).

    Version 5.5.30

    01 Oct 2015

    Phar:
    - Fixed bug #69720 (Null pointer dereference in phar_get_fp_offset()). (CVE-2015-7803)
    - Fixed bug #70433 (Uninitialized pointer in phar_make_dirstream when zip entry filename is "/"). (CVE-2015-7804)

    Version 5.6.13

    03 Sep 2015

    Core:
    - Fixed bug #69900 (Too long timeout on pipes).
    - Fixed bug #69487 (SAPI may truncate POST data).
    - Fixed bug #70198 (Checking liveness does not work as expected).
    - Fixed bug #70172 (Use After Free Vulnerability in unserialize()). (CVE-2015-6834)
    - Fixed bug #70219 (Use after free vulnerability in session deserializer). (CVE-2015-6835)

    CLI server:
    - Fixed bug #66606 (Sets HTTP_CONTENT_TYPE but not CONTENT_TYPE).
    - Fixed bug #70264 (CLI server directory traversal).

    Date:
    - Fixed bug #70266 (DateInterval::__construct.interval_spec is not supposed to be optional).
    - Fixed bug #70277 (new DateTimeZone($foo) is ignoring text after null byte).

    EXIF:
    - Fixed bug #70385 (Buffer over-read in exif_read_data with TIFF IFD tag byte value of 32 bytes).

    GMP:
    - Fixed bug #70284 (Use after free vulnerability in unserialize() with GMP).

    hash:
    - Fixed bug #70312 (HAVAL gives wrong hashes in specific cases).

    MCrypt:
    - Fixed bug #69833 (mcrypt fd caching not working).


    Opcache:
    - Fixed bug #70237 (Empty while and do-while segmentation fault with opcode on CLI enabled).

    PCRE:
    - Fixed bug #70232 (Incorrect bump-along behavior with \K and empty string match).
    - Fixed bug #70345 (Multiple vulnerabilities related to PCRE functions).

    SOAP:
    - Fixed bug #70388 (SOAP serialize_function_call() type confusion / RCE). (CVE-2015-6836)

    SPL:
    - Fixed bug #70290 (Null pointer deref (segfault) in spl_autoload via ob_start).
    - Fixed bug #70303 (Incorrect constructor reflection for ArrayObject).
    - Fixed bug #70365 (Use-after-free vulnerability in unserialize() with SplObjectStorage). (CVE-2015-6834)
    - Fixed bug #70366 (Use-after-free vulnerability in unserialize() with SplDoublyLinkedList). (CVE-2015-6834)

    Standard:
    - Fixed bug #70052 (getimagesize() fails for very large and very small WBMP).
    - Fixed bug #70157 (parse_ini_string() segmentation fault with INI_SCANNER_TYPED).

    XSLT:
    - Fixed bug #69782 (NULL pointer dereference). (CVE-2015-6837, CVE-2015-6838)

    ZIP:
    - Fixed bug #70350 (ZipArchive::extractTo allows for directory traversal when creating directories). (CVE-2014-9767)

    Version 5.5.29

    03 Sep 2015

    Core:
    - Fixed bug #70172 (Use After Free Vulnerability in unserialize()). (CVE-2015-6834)
    - Fixed bug #70219 (Use after free vulnerability in session deserializer). (CVE-2015-6835)

    EXIF:
    - Fixed bug #70385 (Buffer over-read in exif_read_data with TIFF IFD tag byte value of 32 bytes).

    hash:
    - Fixed bug #70312 (HAVAL gives wrong hashes in specific cases).

    PCRE:
    - Fixed bug #70345 (Multiple vulnerabilities related to PCRE functions).

    SOAP:
    - Fixed bug #70388 (SOAP serialize_function_call() type confusion / RCE). (CVE-2015-6836)

    SPL:
    - Fixed bug #70365 (Use-after-free vulnerability in unserialize() with SplObjectStorage). (CVE-2015-6834)
    - Fixed bug #70366 (Use-after-free vulnerability in unserialize() with SplDoublyLinkedList). (CVE-2015-6834)

    XSLT:
    - Fixed bug #69782 (NULL pointer dereference). (CVE-2015-6837, CVE-2015-6838)

    ZIP:
    - Fixed bug #70350 (ZipArchive::extractTo allows for directory traversal when creating directories). (CVE-2014-9767)

    Version 5.4.45

    03 Sep 2015

    Core:
    - Fixed bug #70172 (Use After Free Vulnerability in unserialize()). (CVE-2015-6834)
    - Fixed bug #70219 (Use after free vulnerability in session deserializer). (CVE-2015-6835)


    EXIF:
    - Fixed bug #70385 (Buffer over-read in exif_read_data with TIFF IFD tag byte value of 32 bytes).

    hash:
    - Fixed bug #70312 (HAVAL gives wrong hashes in specific cases).

    PCRE:
    - Fixed bug #70345 (Multiple vulnerabilities related to PCRE functions).

    SOAP:
    - Fixed bug #70388 (SOAP serialize_function_call() type confusion / RCE). (CVE-2015-6836)

    SPL:
    - Fixed bug #70365 (Use-after-free vulnerability in unserialize() with SplObjectStorage). (CVE-2015-6834)
    - Fixed bug #70366 (Use-after-free vulnerability in unserialize() with SplDoublyLinkedList). (CVE-2015-6834)

    XSLT:
    - Fixed bug #69782 (NULL pointer dereference). (CVE-2015-6837, CVE-2015-6838)

    ZIP:
    - Fixed bug #70350 (ZipArchive::extractTo allows for directory traversal when creating directories). (CVE-2014-9767)

    Version 5.6.12

    06 Aug 2015

    Core:
    - Fixed bug #70012 (Exception lost with nested finally block).
    - Fixed bug #70002 (TS issues with temporary dir handling).
    - Fixed bug #69793 (Remotely triggerable stack exhaustion via recursive method calls).
    - Fixed bug #69892 (Different arrays compare indentical due to integer key truncation).
    - Fixed bug #70121 (unserialize() could lead to unexpected methods execution / NULL pointer deref).

    CLI server:
    - Fixed bug #69655 (php -S changes MKCALENDAR request method to MKCOL).
    - Fixed bug #64878 (304 responses return Content-Type header).

    GD:
    - Fixed bug #53156 (imagerectangle problem with point ordering).
    - Fixed bug #66387 (Stack overflow with imagefilltoborder).
    - Fixed bug #70102 (imagecreatefromwebm() shifts colors).
    - Fixed bug #66590 (imagewebp() doesn't pad to even length).
    - Fixed bug #66882 (imagerotate by -90 degrees truncates image by 1px).
    - Fixed bug #70064 (imagescale(..., IMG_BICUBIC) leaks memory).
    - Fixed bug #69024 (imagescale segfault with palette based image).
    - Fixed bug #53154 (Zero-height rectangle has whiskers).
    - Fixed bug #67447 (imagecrop() add a black line when cropping).
    - Fixed bug #68714 (copy 'n paste error).
    - Fixed bug #66339 (PHP segfaults in imagexbm).
    - Fixed bug #70047 (gd_info() doesn't report WebP support).

    ODBC:
    - Fixed bug #69975 (PHP segfaults when accessing nvarchar(max) defined columns).

    OpenSSL:
    - Fixed bug #69882 (OpenSSL error "key values mismatch" after openssl_pkcs12_read with extra cert).
    - Fixed bug #70014 (openssl_random_pseudo_bytes() is not cryptographically secure).

    Phar:
    - Improved fix for bug #69441.
    - Fixed bug #70019 (Files extracted from archive may be placed outside of destination directory). (CVE-2015-6833)

    SOAP:


    SOAP:
    - Fixed bug #70081 (SoapClient info leak / null pointer dereference via multiple type confusions).

    SPL:
    - Fixed bug #70068 (Dangling pointer in the unserialization of ArrayObject items). (CVE-2015-6832)
    - Fixed bug #70166 (Use After Free Vulnerability in unserialize() with SPLArrayObject). (CVE-2015-6831)
    - Fixed bug #70168 (Use After Free Vulnerability in unserialize() with SplObjectStorage). (CVE-2015-6831)
    - Fixed bug #70169 (Use After Free Vulnerability in unserialize() with SplDoublyLinkedList). (CVE-2015-6831)

    Version 5.6.11

    10 Jul 2015

    Core:
    - Fixed bug #69768 (escapeshell*() doesn't cater to !).
    - Fixed bug #69703 (Use __builtin_clzl on PowerPC).
    - Fixed bug #69732 (can induce segmentation fault with basic php code).
    - Fixed bug #69642 (Windows 10 reported as Windows 8).
    - Fixed bug #69551 (parse_ini_file() and parse_ini_string() segmentation fault).
    - Fixed bug #69781 (phpinfo() reports Professional Editions of Windows 7/8/8.1/10 as "Business").
    - Fixed bug #69740 (finally in generator (yield) swallows exception in iteration).
    - Fixed bug #69835 (phpinfo() does not report many Windows SKUs).
    - Fixed bug #69892 (Different arrays compare indentical due to integer key truncation).
    - Fixed bug #69874 (Can't set empty additional_headers for mail()), regression from fix to bug #68776.

    GD:
    - Fixed bug #61221 (imagegammacorrect function loses alpha channel).

    GMP:
    - Fixed bug #69803 (gmp_random_range() modifies second parameter if GMP number).

    Mysqlnd:
    - Fixed bug #69669 (mysqlnd is vulnerable to BACKRONYM). (CVE-2015-3152)

    PCRE:
    - Fixed bug #53823 (preg_replace: * qualifier on unicode replace garbles the string).
    - Fixed bug #69864 (Segfault in preg_replace_callback).

    PDO_pgsql:
    - Fixed bug #69752 (PDOStatement::execute() leaks memory with DML Statements when closeCuror() is u).
    - Fixed bug #69362 (PDO-pgsql fails to connect if password contains a leading single quote).
    - Fixed bug #69344 (PDO PgSQL Incorrect binding numeric array with gaps).

    Phar:
    - Fixed bug #69958 (Segfault in Phar::convertToData on invalid file). (CVE-2015-5589)
    - Fixed bug #69923 (Buffer overflow and stack smashing error in phar_fix_filepath). (CVE-2015-5590)

    SimpleXML:
    - Refactored the fix for bug #66084 (simplexml_load_string() mangles empty node name).

    SPL:
    - Fixed bug #69737 (Segfault when SplMinHeap::compare produces fatal error).
    - Fixed bug #67805 (SplFileObject setMaxLineLength).
    - Fixed bug #69970 (Use-after-free vulnerability in spl_recursive_it_move_forward_ex()).

    Sqlite3:
    - Fixed bug #69972 (Use-after-free vulnerability in sqlite3SafetyCheckSickOrOk()).


    Version 5.5.27

    09-Jul-2015

    Core:
    - Fixed bug #69768 (escapeshell*() doesn't cater to !).
    - Fixed bug #69703 (Use __builtin_clzl on PowerPC).
    - Fixed bug #69732 (can induce segmentation fault with basic php code).
    - Fixed bug #69642 (Windows 10 reported as Windows 8).
    - Fixed bug #69551 (parse_ini_file() and parse_ini_string() segmentation fault).
    - Fixed bug #69781 (phpinfo() reports Professional Editions of Windows 7/8/8.1/10 as "Business").
    - Fixed bug #69835 (phpinfo() does not report many Windows SKUs).
    - Fixed bug #69892 (Different arrays compare indentical due to integer key truncation).
    - Fixed bug #69874 (Can't set empty additional_headers for mail()), regression from fix to bug #68776.

    GD:
    - Fixed bug #61221 (imagegammacorrect function loses alpha channel).

    Mysqlnd:
    - Fixed bug #69669 (mysqlnd is vulnerable to BACKRONYM). (CVE-2015-3152)

    PCRE:
    - Fixed Bug #53823 (preg_replace: * qualifier on unicode replace garbles the string).
    - Fixed bug #69864 (Segfault in preg_replace_callback).

    PDO_pgsql:
    - Fixed bug #69752 (PDOStatement::execute() leaks memory with DML Statements when closeCuror() is u).
    - Fixed bug #69362 (PDO-pgsql fails to connect if password contains a leading single quote).
    - Fixed bug #69344 (PDO PgSQL Incorrect binding numeric array with gaps).

    Phar:
    - Fixed bug #69958 (Segfault in Phar::convertToData on invalid file). (CVE-2015-5589)
    - Fixed bug #69923 (Buffer overflow and stack smashing error in phar_fix_filepath). (CVE-2015-5590)

    SimpleXML:
    - Refactored the fix for bug #66084 (simplexml_load_string() mangles empty node name).

    SPL:
    - Fixed bug #69737 (Segfault when SplMinHeap::compare produces fatal error).
    - Fixed bug #67805 (SplFileObject setMaxLineLength).

    Version 5.4.43

    09-Jul-2015

    Core:
    - Fixed bug #69768 (escapeshell*() doesn't cater to !).
    - Fixed bug #69874 (Can't set empty additional_headers for mail()), regression from fix to bug #68776.

    Mysqlnd:
    - Fixed bug #69669 (mysqlnd is vulnerable to BACKRONYM). (CVE-2015-3152)

    Phar:
    - Fixed bug #69958 (Segfault in Phar::convertToData on invalid file). (CVE-2015-5589)
    - Fixed bug #69923 (Buffer overflow and stack smashing error in phar_fix_filepath). (CVE-2015-5590)

    Version 5.6.10

    11 Jun 2015

    Core:
    - Fixed bug #66048 (temp. directory is cached during multiple requests).
    - Fixed bug #69566 (Conditional jump or move depends on uninitialised value in extension trait).
    - Fixed bug #69599 (Strange generator+exception+variadic crash).
    - Fixed bug #69628 (complex GLOB_BRACE fails on Windows).
    - Fixed POST data processing slowdown due to small input buffer size on Windows.
    - Fixed bug #69646 (OS command injection vulnerability in escapeshellarg). (CVE-2015-4642)
    - Fixed bug #69719 (Incorrect handling of paths with NULs). (CVE-2015-4598)

    FTP:
    - Improved fix for bug #69545 (Integer overflow in ftp_genlist() resulting in heap overflow). (CVE-2015-4643)

    GD:
    - Fixed bug #69479 (GD fails to build with newer libvpx).

    Iconv:
    - Fixed bug #48147 (iconv with //IGNORE cuts the string).

    Litespeed SAPI:
    - Fixed bug #68812 (Unchecked return value).

    Mail:
    - Fixed bug #68776 (mail() does not have mail header injection prevention for additional headers).

    MCrypt:
    - Added file descriptor caching to mcrypt_create_iv().

    Opcache:
    - Fixed bug #69549 (Memory leak with opcache.optimization_level=0xFFFFFFFF).

    PCRE:
    - Upgraded pcrelib to 8.37. (CVE-2015-2325, CVE-2015-2326)

    Phar:
    - Fixed bug #69680 (phar symlink in binary directory broken).

    Postgres:
    - Fixed bug #69667 (segfault in php_pgsql_meta_data). (CVE-2015-4644)

    Sqlite3:
    - Upgrade bundled sqlite to 3.8.10.2. (CVE-2015-3414, CVE-2015-3415, CVE-2015-3416)

    Version 5.5.26

    11-Jun-2015

    Core:
    - Fixed bug #69566 (Conditional jump or move depends on uninitialised value in extension trait).
    - Fixed bug #66048 (temp. directory is cached during multiple requests).
    - Fixed bug #69628 (complex GLOB_BRACE fails on Windows).
    - Fixed bug #69646 (OS command injection vulnerability in escapeshellarg). (CVE-2015-4642)
    - Fixed bug #69719 (Incorrect handling of paths with NULs). (CVE-2015-4598)

    FTP:
    - Improved fix for bug #69545 (Integer overflow in ftp_genlist() resulting in heap overflow). (CVE-2015-4643)

    GD:
    - Fixed bug #69479 (GD fails to build with newer libvpx).

    Iconv:
    - Fixed bug #48147 (iconv with //IGNORE cuts the string).

    Litespeed SAPI:
    - Fixed bug #68812 (Unchecked return value).

    Mail:
    - Fixed bug #68776 (mail() does not have mail header injection prevention for additional headers).

    MCrypt:
    - Added file descriptor caching to mcrypt_create_iv().

    Opcache:
    - Fixed bug #69549 (Memory leak with opcache.optimization_level=0xFFFFFFFF).


    PCRE:
    - Upgraded pcrelib to 8.37. (CVE-2015-2325, CVE-2015-2326)

    Phar:
    - Fixed bug #69680 (phar symlink in binary directory broken).

    Postgres:
    - Fixed bug #69667 (segfault in php_pgsql_meta_data). (CVE-2015-4644)

    Sqlite3:
    - Upgrade bundled sqlite to 3.8.10.2. (CVE-2015-3414, CVE-2015-3415, CVE-2015-3416)

    Version 5.4.42

    11-Jun-2015

    Core:
    - Improved fix for bug #69545 (Integer overflow in ftp_genlist() resulting in heap overflow). (CVE-2015-4643)
    - Fixed bug #69646 (OS command injection vulnerability in escapeshellarg). (CVE-2015-4642)
    - Fixed bug #69719 (Incorrect handling of paths with NULs). (CVE-2015-4598)

    Litespeed SAPI:
    - Fixed bug #68812 (Unchecked return value).

    Mail:
    - Fixed bug #68776 (mail() does not have mail header injection prevention for additional headers).

    Postgres:
    - Fixed bug #69667 (segfault in php_pgsql_meta_data). (CVE-2015-4644)

    Sqlite3:
    - Upgrade bundled sqlite to 3.8.10.2. (CVE-2015-3414, CVE-2015-3415, CVE-2015-3416)

    Version 5.6.9

    14 May 2015

    Core:
    - Fixed bug #69467 (Wrong checked for the interface by using Trait).
    - Fixed bug #69420 (Invalid read in zend_std_get_method).
    - Fixed bug #60022 ("use statement [...] has no effect" depends on leading backslash).
    - Fixed bug #67314 (Segmentation fault in gc_remove_zval_from_buffer).
    - Fixed bug #68652 (segmentation fault in destructor).
    - Fixed bug #69419 (Returning compatible sub generator produces a warning).
    - Fixed bug #69472 (php_sys_readlink ignores misc errors from GetFinalPathNameByHandleA).
    - Fixed bug #69364 (PHP Multipart/form-data remote dos Vulnerability). (CVE-2015-4024)
    - Fixed bug #69403 (str_repeat() sign mismatch based memory corruption).
    - Fixed bug #69418 (CVE-2006-7243 fix regressions in 5.4+). (CVE-2015-4025)
    - Fixed bug #69522 (heap buffer overflow in unpack()).

    FTP:
    - Fixed bug #69545 (Integer overflow in ftp_genlist() resulting in heap overflow). (CVE-2015-4022)

    ODBC:
    - Fixed bug #69354 (Incorrect use of SQLColAttributes with ODBC 3.0).
    - Fixed bug #69474 (ODBC: Query with same field name from two tables returns incorrect result).
    - Fixed bug #69381 (out of memory with sage odbc driver).

    OpenSSL:
    - Fixed bug #69402 (Reading empty SSL stream hangs until timeout).

    PCNTL:
    - Fixed bug #68598 (pcntl_exec() should not allow null char). (CVE-2015-4026)

    PCRE:
    - Upgraded pcrelib to 8.37. (CVE-2015-2325, CVE-2015-2326)


    Phar:
    - Fixed bug #69453 (Memory Corruption in phar_parse_tarfile when entry filename starts with null). (CVE-2015-4021)

    Version 5.5.25

    14-May-2015

    Core:
    - Fixed bug #69364 (PHP Multipart/form-data remote dos Vulnerability). (CVE-2015-4024)
    - Fixed bug #69403 (str_repeat() sign mismatch based memory corruption).
    - Fixed bug #69418 (CVE-2006-7243 fix regressions in 5.4+). (CVE-2015-4025)
    - Fixed bug #69522 (heap buffer overflow in unpack()).
    - Fixed bug #69467 (Wrong checked for the interface by using Trait).
    - Fixed bug #69420 (Invalid read in zend_std_get_method).
    - Fixed bug #60022 ("use statement [...] has no effect" depends on leading backslash).
    - Fixed bug #67314 (Segmentation fault in gc_remove_zval_from_buffer).
    - Fixed bug #68652 (segmentation fault in destructor).
    - Fixed bug #69419 (Returning compatible sub generator produces a warning).
    - Fixed bug #69472 (php_sys_readlink ignores misc errors from GetFinalPathNameByHandleA).

    FTP:
    - Fixed bug #69545 (Integer overflow in ftp_genlist() resulting in heap overflow). (CVE-2015-4022)

    ODBC:
    - Fixed bug #69354 (Incorrect use of SQLColAttributes with ODBC 3.0).
    - Fixed bug #69474 (ODBC: Query with same field name from two tables returns incorrect result).
    - Fixed bug #69381 (out of memory with sage odbc driver).

    OpenSSL:
    - Fixed bug #69402 (Reading empty SSL stream hangs until timeout).

    PCNTL:
    - Fixed bug #68598 (pcntl_exec() should not allow null char). (CVE-2015-4026)

    Phar:
    - Fixed bug #69453 (Memory Corruption in phar_parse_tarfile when entry filename starts with null). (CVE-2015-4021)

    Version 5.4.41

    14-May-2015

    Core:
    - Fixed bug #69364 (PHP Multipart/form-data remote dos Vulnerability). (CVE-2015-4024)
    - Fixed bug #69403 (str_repeat() sign mismatch based memory corruption).
    - Fixed bug #69418 (CVE-2006-7243 fix regressions in 5.4+). (CVE-2015-4025)
    - Fixed bug #69522 (heap buffer overflow in unpack()).

    FTP:
    - Fixed bug #69545 (Integer overflow in ftp_genlist() resulting in heap overflow). (CVE-2015-4022)

    PCNTL:
    - Fixed bug #68598 (pcntl_exec() should not allow null char). (CVE-2015-4026)

    PCRE:
    - Upgraded pcrelib to 8.37. (CVE-2015-2325, CVE-2015-2326)

    Phar:
    - Fixed bug #69453 (Memory Corruption in phar_parse_tarfile when entry filename starts with null). (CVE-2015-4021)

    Version 5.6.8

    16 Apr 2015

    Core:
    - Fixed bug #66609 (php crashes with __get() and ++ operator in some cases).
    - Fixed bug #68021 (get_browser() browser_name_regex returns non-utf-8 characters).
    - Fixed bug #68917 (parse_url fails on some partial urls).
    - Fixed bug #69134 (Per Directory Values overrides PHP_INI_SYSTEM configuration options).
    - Additional fix for bug #69152 (Type confusion vulnerability in exception::getTraceAsString).
    - Fixed bug #69210 (serialize function return corrupted data when sleep has non-string values).
    - Fixed bug #69212 (Leaking VIA_HANDLER func when exception thrown in __call/... arg passing).
    - Fixed bug #69221 (Segmentation fault when using a generator in combination with an Iterator).
    - Fixed bug #69337 (php_stream_url_wrap_http_ex() type-confusion vulnerability).
    - Fixed bug #69353 (Missing null byte checks for paths in various PHP extensions). (CVE-2015-3411, CVE-2015-3412)

    Apache2handler:
    - Fixed bug #69218 (potential remote code execution with apache 2.4 apache2handler). (CVE-2015-3330)

    cURL:
    - Implemented FR #69278 (HTTP2 support).
    - Fixed bug #68739 (Missing break / control flow).
    - Fixed bug #69316 (Use-after-free in php_curl related to CURLOPT_FILE/_INFILE/_WRITEHEADER).

    Date:
    - Fixed bug #69336 (Issues with "last day of ").

    Enchant:
    - Fixed bug #65406 (Enchant broker plugins are in the wrong place in windows builds).

    Ereg:
    - Fixed bug #68740 (NULL Pointer Dereference).

    Fileinfo:
    - Fixed bug #68819 (Fileinfo on specific file causes spurious OOM and/or segfault). (CVE-2015-4604, CVE-2015-4605)

    Filter:
    - Fixed bug #69202 (FILTER_FLAG_STRIP_BACKTICK ignored unless other flags are used).
    - Fixed bug #69203 (FILTER_FLAG_STRIP_HIGH doesn't strip ASCII 127).

    Mbstring:
    - Fixed bug #68846 (False detection of CJK Unified Ideographs Extension E).

    OPCache:
    - Fixed bug #69297 (function_exists strange behavior with OPCache on disabled function).
    - Fixed bug #69281 (opcache_is_script_cached no longer works).
    - Fixed bug #68677 (Use After Free). (CVE-2015-1351)

    OpenSSL:
    - Fixed bug #68853, #65137 (Buffered crypto stream data breaks IO polling in stream_select() contexts).
    - Fixed bug #69197 (openssl_pkcs7_sign handles default value incorrectly).
    - Fixed bug #69215 (Crypto servers should send client CA list).
    - Add a check for RAND_egd to allow compiling against LibreSSL.

    Phar:
    - Fixed bug #64343 (PharData::extractTo fails for tarball created by BSD tar).
    - Fixed bug #64931 (phar_add_file is too restrictive on filename).
    - Fixed bug #65467 (Call to undefined method cli_arg_typ_string).
    - Fixed bug #67761 (Phar::mapPhar fails for Phars inside a path containing ".tar").
    - Fixed bug #69324 (Buffer Over-read in unserialize when parsing Phar). (CVE-2015-2783, CVE-2015-3307)
    - Fixed bug #69441 (Buffer Overflow when parsing tar/zip/phar in phar_set_inode). (CVE-2015-3329)

    Postgres:
    - Fixed bug #68741 (Null pointer dereference). (CVE-2015-1352)

    SOAP:
    - Fixed bug #69152 (Type Confusion Infoleak Vulnerability in unserialize() with SoapFault). (CVE-2015-4599)
    - Fixed bug #69293 (NEW segfault when using SoapClient::__setSoapHeader (bisected, regression)).

    SPL:
    - Fixed bug #69227 (Use after free in zval_scan caused by spl_object_storage_get_gc).

    Sqlite3:
    - Fixed bug #68760 (SQLITE segfaults if custom collator throws an exception).
    - Fixed bug #69287 (Upgrade bundled libsqlite to 3.8.8.3).
    - Fixed bug #66550 (SQLite prepared statement use-after-free).

    Version 5.5.24

    16 Apr 2015

    Apache2handler:
    - Fixed bug #69218 (potential remote code execution with apache 2.4 apache2handler). (CVE-2015-3330)

    Core:
    - Fixed bug #66609 (php crashes with __get() and ++ operator in some cases).
    - Fixed bug #67626 (User exceptions not properly handled in streams).
    - Fixed bug #68021 (get_browser() browser_name_regex returns non-utf-8 characters).
    - Fixed bug #68917 (parse_url fails on some partial urls).
    - Fixed bug #69134 (Per Directory Values overrides PHP_INI_SYSTEM configuration options).
    - Additional fix for bug #69152 (Type confusion vulnerability in exception::getTraceAsString).
    - Fixed bug #69212 (Leaking VIA_HANDLER func when exception thrown in __call/... arg passing).
    - Fixed bug #69221 (Segmentation fault when using a generator in combination with an Iterator).
    - Fixed bug #69337 (php_stream_url_wrap_http_ex() type-confusion vulnerability).
    - Fixed bug #69353 (Missing null byte checks for paths in various PHP extensions). (CVE-2015-3411, CVE-2015-3412)

    cURL:
    - Implemented FR #69278 (HTTP2 support).
    - Fixed bug #68739 (Missing break / control flow).
    - Fixed bug #69316 (Use-after-free in php_curl related to CURLOPT_FILE/_INFILE/_WRITEHEADER).

    Date:
    - Export date_get_immutable_ce so that it can be used by extensions.
    - Fixed bug #69336 (Issues with "last day of ").

    Enchant:
    - Fixed bug #65406 (Enchant broker plugins are in the wrong place in windows builds).

    Ereg:
    - Fixed bug #68740 (NULL Pointer Dereference).

    Fileinfo:
    - Fixed bug #68819 (Fileinfo on specific file causes spurious OOM and/or segfault). (CVE-2015-4604, CVE-2015-4605)

    Filter:
    - Fixed bug #69202 (FILTER_FLAG_STRIP_BACKTICK ignored unless other flags are used).
    - Fixed bug #69203 (FILTER_FLAG_STRIP_HIGH doesn't strip ASCII 127).

    Mbstring:
    - Fixed bug #68846 (False detection of CJK Unified Ideographs Extension E).


    ODBC:Fixed bug #69354 (Incorrect use of SQLColAttributes with ODBC 3.0).OPCache:Fixed bug #69281 (opcache_is_script_cached no longer works).Fixed bug #68677 (Use After Free). (CVE-2015-1351)OpenSSL:Fixed bug #67403 (Add signatureType to openssl_x509_parse).Add a check for RAND_egd to allow compiling against LibreSSL.Phar:Fixed bug #64343 (PharData::extractTo fails for tarball created by BSD tar).Fixed bug #64931 (phar_add_file is too restrictive on filename).Fixed bug #65467 (Call to undefined method cli_arg_typ_string).Fixed bug #67761 (Phar::mapPhar fails for Phars inside a path containing ".tar").Fixed bug #69324 (Buffer Over-read in unserialize when parsing Phar). (CVE-2015-2783, CVE-2015-3307)Fixed bug #69441 (Buffer Overflow when parsing tar/zip/phar in phar_set_inode).(CVE-2015-3329)Postgres:Fixed bug #68741 (Null pointer dereference). (CVE-2015-1352)SOAP:Fixed bug #69152 (Type Confusion Infoleak Vulnerability in unserialize() with SoapFault). (CVE-2015-4599)Fixed bug #69293 (NEW segfault when using SoapClient::__setSoapHeader (bisected, regression)).SPL:Fixed bug #69227 (Use after free in zval_scan caused by spl_object_storage_get_gc).SQLITE:Fixed bug #68760 (SQLITE segfaults if custom collator throws an exception).Fixed bug #69287 (Upgrade bundled sqlite to 3.8.8.3).Fixed bug #66550 (SQLite prepared statement use-after-free).Version 5.4.40

    16 Apr 2015Apache2handler:Fixed bug #69218 (potential remote code execution with apache 2.4 apache2handler). (CVE-2015-3330)Core:Additional fix for bug #69152 (Type confusion vulnerability in exception::getTraceAsString).Fixed bug #69337 (php_stream_url_wrap_http_ex() type-confusion vulnerability).Fixed bug #69353 (Missing null byte checks for paths in various PHP extensions). (CVE-2015-3411, CVE-2015-3412)cURL:Fixed bug #69316 (Use-after-free in php_curl related to CURLOPT_FILE/_INFILE/_WRITEHEADER).Ereg:Fixed bug #68740 (NULL Pointer Dereference).Fileinfo:

    Fixed bug #68819 (Fileinfo on specific file causes spurious OOM and/or segfault). (CVE-2015-4604, CVE-2015-4605)GD:Fixed bug #68601 (buffer read overflow in gd_gif_in.c). (CVE-2014-9709)Phar:Fixed bug #68901 (use after free). (CVE-2015-2301)Fixed bug #69324 (Buffer Over-read in unserialize when parsing Phar). (CVE-2015-2783, CVE-2015-3307)Fixed bug #69441 (Buffer Overflow when parsing tar/zip/phar in phar_set_inode).(CVE-2015-3329)


    Postgres:Fixed bug #68741 (Null pointer dereference). (CVE-2015-1352)SOAP:Fixed bug #69152 (Type Confusion Infoleak Vulnerability in unserialize() with SoapFault). (CVE-2015-4599)Fixed bug #69293 (NEW segfault when using SoapClient::__setSoapHeader (bisected, regression)).Sqlite3:Fixed bug #66550 (SQLite prepared statement use-after-free).Version 5.6.7

    19 Mar 2015Core:Fixed bug #69174 (leaks when unused inner class use traits precedence).Fixed bug #69139 (Crash in gc_zval_possible_root on unserialize).Fixed bug #69121 (Segfault in get_current_user when script owner is not in passwd with ZTS build).Fixed bug #65593 (Segfault when calling ob_start from output buffering callback).Fixed bug #68986 (pointer returned by php_stream_fopen_temporary_file not validated in memory.c).Fixed bug #68166 (Exception with invalid character causes segv).Fixed bug #69141 (Missing arguments in reflection info for some builtin functions).

    Fixed bug #68976 (Use After Free Vulnerability in unserialize()). (CVE-2015-2787)Fixed bug #69134 (Per Directory Values overrides PHP_INI_SYSTEM configuration options).Fixed bug #69207 (move_uploaded_file allows nulls in path). (CVE-2015-2348)CGI:Fixed bug #69015 (php-cgi's getopt does not see $argv).CLI:Fixed bug #67741 (auto_prepend_file messes up __LINE__).cURL:Fixed bug #69088 (PHP_MINIT_FUNCTION does not fully initialize cURL on Win32).Add CURLPROXY_SOCKS4A and CURLPROXY_SOCKS5_HOSTNAME constants if supported by libcurl.

    Ereg:Fixed bug #69248 (heap overflow vulnerability in regcomp.c). (CVE-2015-2305)FPM:Fixed bug #68822 (request time is reset too early).ODBC:Fixed bug #68964 (Allowed memory size exhausted with odbc_exec).Opcache:Fixed bug #69159 (Opcache causes problem when passing a variable variable to a function).Fixed bug #69125 (Array numeric string as key).Fixed bug #69038 (switch(SOMECONSTANT) misbehaves).OpenSSL:Fixed bug #68912 (Segmentation fault at openssl_spki_new).

    Fixed bug #61285, #68329, #68046, #41631 (encrypted streams don't observe socket timeouts).Fixed bug #68920 (use strict peer_fingerprint input checks) (Daniel Lowrey)Fixed bug #68879 (IP Address fields in subjectAltNames not used) (Daniel Lowrey)Fixed bug #68265 (SAN match fails with trailing DNS dot) (Daniel Lowrey)Fixed bug #67403 (Add signatureType to openssl_x509_parse) (Daniel Lowrey)Fixed bug #69195 (Inconsistent stream crypto values across versions) (Daniel Lowrey)pgsql:Fixed bug #68638 (pg_update() fails to store infinite values).


    Readline:Fixed bug #69054 (Null dereference in readline_(read|write)_history() without parameters).SOAP:Fixed bug #69085 (SoapClient's __call() type confusion through unserialize()). (CVE-2015-4147, CVE-2015-4148)SPL:Fixed bug #69108 ("Segmentation fault" when (de)serializing SplObjectStorage).Fixed bug #68557 (RecursiveDirectoryIterator::seek(0) broken after calling getChildren()).ZIP:Fixed bug #69253 (ZIP Integer Overflow leads to writing past heap boundary). (CVE-2015-2331)Version 5.5.23

    19 Mar 2015Core:Fixed bug #69174 (leaks when unused inner class use traits precedence).Fixed bug #69139 (Crash in gc_zval_possible_root on unserialize).Fixed bug #69121 (Segfault in get_current_user when script owner is not in passwd with ZTS build).Fixed bug #65593 (Segfault when calling ob_start from output buffering callback).Fixed bug #69017 (Fail to push to the empty array with the constant value defined in class scope).Fixed bug #68986 (pointer returned by php_stream_fopen_temporary_file not validated in memory.c).Fixed bug #68166 (Exception with invalid character causes segv).Fixed bug #69141 (Missing arguments in reflection info for some builtin functions).Fixed bug #68976 (Use After Free Vulnerability in unserialize()). (CVE-2015-2787)Fixed bug #69134 (Per Directory Values overrides PHP_INI_SYSTEM configuration options).Fixed bug #69207 (move_uploaded_file allows nulls in path). (CVE-2015-2348)CGI:Fixed bug #69015 (php-cgi's getopt does not see $argv).

    CLI:Fixed bug #67741 (auto_prepend_file messes up __LINE__).cURL:Fixed bug #69088 (PHP_MINIT_FUNCTION does not fully initialize cURL on Win32).Add CURLPROXY_SOCKS4A and CURLPROXY_SOCKS5_HOSTNAME constants if supported by libcurl.Ereg:Fixed bug #69248 (heap overflow vulnerability in regcomp.c). (CVE-2015-2305)FPM:Fixed bug #68822 (request time is reset too early).JSON :Fixed bug #64695 (JSON_NUMERIC_CHECK has issues with strings that are numbers plus the letter e).

    ODBC:Fixed bug #68964 (Allowed memory size exhausted with odbc_exec).Opcache:Fixed bug #69125 (Array numeric string as key).Fixed bug #69038 (switch(SOMECONSTANT) misbehaves).OpenSSL:Fixed bug #61285, #68329, #68046, #41631 (encrypted streams don't observe socket timeouts).pgsql:Fixed bug #68638 (pg_update() fails to store infinite values).


    Readline:Fixed bug #69054 (Null dereference in readline_(read|write)_history() without parameters).SOAP:Fixed bug #69085 (SoapClient's __call() type confusion through unserialize()). (CVE-2015-4147, CVE-2015-4148)SPL:Fixed bug #69108 ("Segmentation fault" when (de)serializing SplObjectStorage).Fixed bug #68557 (RecursiveDirectoryIterator::seek(0) broken after calling getChildren()).ZIP:Fixed bug #69253 (ZIP Integer Overflow leads to writing past heap boundary). (CVE-2015-2331)Version 5.4.39

    19 Mar 2015Core:Fixed bug #68976 (Use After Free Vulnerability in unserialize()). (CVE-2015-2787)Fixed bug #69134 (Per Directory Values overrides PHP_INI_SYSTEM configuration options).Fixed bug #69207 (move_uploaded_file allows nulls in path). (CVE-2015-2348)Ereg:Fixed bug #69248 (heap overflow vulnerability in regcomp.c). (CVE-2015-2305)

    SOAP:Fixed bug #69085 (SoapClient's __call() type confusion through unserialize()). (CVE-2015-4147, CVE-2015-4148)ZIP:Fixed bug #69253 (ZIP Integer Overflow leads to writing past heap boundary). (CVE-2015-2331)Version 5.6.6

    19 Feb 2015Core:Removed support for multi-line headers, as they are deprecated by RFC 7230.Fixed bug #67068 (getClosure returns somethings that's not a closure).Fixed bug #68942 (Use after free vulnerability in unserialize() with DateTimeZone). (CVE-2015-0273)Fixed bug #68925 (Mitigation for CVE-2015-0235  GHOST: glibc gethostbyname buffer overflow).Fixed bug #67988 (htmlspecialchars() does not respect default_charset specified by ini_set).Added NULL byte protection to exec, system and passthru.Dba:Fixed bug #68711 (useless comparisons).Enchant:Fixed bug #68552 (heap buffer overflow in enchant_broker_request_dict()). (CVE-2014-9705)Fileinfo:Fixed bug #68827 (Double free with disabled ZMM).

    Fixed bug #67647 (Bundled libmagic 5.17 does not detect quicktime files correctly).Fixed bug #68731 (finfo_buffer doesn't extract the correct mime with some gifs).FPM:Fixed bug #66479 (Wrong response to FCGI_GET_VALUES).Fixed bug #68571 (core dump when webserver close the socket).JSON:Fixed bug #50224 (json_encode() does not always encode a float as a float) by adding JSON_PRESERVE_ZERO_FRACTION.LIBXML:


    Fixed bug #64938 (libxml_disable_entity_loader setting is shared between threads).Mysqli:Fixed bug #68114 (linker error on some OS X machines with fixed width decimal support).Fixed bug #68657 (Reading 4 byte floats with Mysqli and libmysqlclient has rounding errors).Opcache:Fixed bug with try blocks being removed when extended_info opcode generation is turned on.PDO_mysql:Fixed bug #68750 (PDOMysql with mysqlnd does not allow the usage of named pipes).Phar:Fixed bug #68901 (use after free). (CVE-2015-2301)Pgsql:Fixed bug #65199 (pg_copy_from() modifies input array variable).Session:Fixed bug #68941 (mod_files.sh is a bash-script).Fixed bug #66623 (no EINTR check on flock).Fixed bug #68063 (Empty session IDs do still start sessions).Sqlite3:Fixed bug #68260 (SQLite3Result::fetchArray declares wrong required_num_args).Standard:

    Fixed bug #65272 (flock() out parameter not set correctly in windows).Fixed bug #69033 (Request may get env. variables from previous requests if PHP works as FastCGI).Streams:Fixed bug which caused call after final close on streams filter.Version 5.5.22

    19 Feb 2015Core:Fixed bug #67068 (getClosure returns somethings that's not a closure).Fixed bug #68925 (Mitigation for CVE-2015-0235  GHOST: glibc gethostbyname buffer overflow).Fixed bug #68942 (Use after free vulnerability in unserialize() with DateTimeZone). (CVE-2015-0273)Added NULL byte protection to exec, system and passthru.Removed support for multi-line headers, as they are deprecated by RFC 7230.Date:Fixed bug #45081 (strtotime incorrectly interprets SGT time zone).Dba:Fixed bug #68711 (useless comparisons).Enchant:Fixed bug #68552 (heap buffer overflow in enchant_broker_request_dict()). (CVE-2014-9705)Fileinfo:Fixed bug #68827 (Double free with disabled ZMM).FPM:

    Fixed bug #66479 (Wrong response to FCGI_GET_VALUES).Fixed bug #68571 (core dump when webserver close the socket).Libxml:Fixed bug #64938 (libxml_disable_entity_loader setting is shared between threads).PDO_mysql:Fixed bug #68750 (PDOMysql with mysqlnd does not allow the usage of named pipes).Phar:Fixed bug #68901 (use after free). (CVE-2015-2301)


    Pgsql:Fixed bug #65199 (pg_copy_from() modifies input array variable).Sqlite3:Fixed bug #68260 (SQLite3Result::fetchArray declares wrong required_num_args).Mysqli:Fixed bug #68114 (linker error on some OS X machines with fixed width decimal support).Fixed bug #68657 (Reading 4 byte floats with Mysqli and libmysqlclient has rounding errors).Session:Fixed bug #68941 (mod_files.sh is a bash-script).Fixed bug #66623 (no EINTR check on flock).Fixed bug #68063 (Empty session IDs do still start sessions).Standard:Fixed bug #65272 (flock() out parameter not set correctly in windows).Fixed bug #69033 (Request may get env. variables from previous requests if PHP works as FastCGI).Streams:Fixed bug which caused call after final close on streams filter.Version 5.4.38

    19 Feb 2015Core:Removed support for multi-line headers, as they are deprecated by RFC 7230.

    Added NULL byte protection to exec, system and passthru.Fixed bug #68925 (Mitigation for CVE-2015-0235  GHOST: glibc gethostbyname buffer overflow).Fixed bug #67827 (broken detection of system crypt sha256/sha512 support).Fixed bug #68942 (Use after free vulnerability in unserialize() with DateTimeZone). (CVE-2015-0273)Enchant:Fixed bug #68552 (heap buffer overflow in enchant_broker_request_dict()). (CVE-2014-9705)SOAP:Fixed bug #67427 (SoapServer cannot handle large messages).Version 5.6.5

    22 Jan 2015Core:Upgraded crypt_blowfish to version 1.3.Fixed bug #60704 (unlink() bug with some files path).Fixed bug #65419 (Inside trait, self::class != __CLASS__).Fixed bug #68536 (pack for 64bits integer is broken on bigendian).Fixed bug #55541 (errors spawn MessageBox, which blocks test automation).Fixed bug #68297 (Application Popup provides too few information).Fixed bug #65769 (localeconv() broken in TS builds).Fixed bug #65230 (setting locale randomly broken).Fixed bug #66764 (configure doesn't define EXPANDED_DATADIR / PHP_DATADIR correctly).Fixed bug #68583 (Crash in timeout thread).

    Fixed bug #65576 (Constructor from trait conflicts with inherited constructor).Fixed bug #68676 (Explicit Double Free). (CVE-2014-9425)Fixed bug #68710 (Use After Free Vulnerability in PHP's unserialize()). (CVE-2015-0231)CGI:Fixed bug #68618 (out of bounds read crashes php-cgi). (CVE-2014-9427)CLI server:Fixed bug #68745 (Invalid HTTP requests make web server segfault).cURL:Fixed bug #67643 (curl_multi_getcontent returns '' when CURLOPT_RETURNTRANSFER isn't set).Date:Implemented FR #68268 (DatePeriod: Getter for start date, end date and interval).EXIF:Fixed bug #68799 (Free called on uninitialized pointer). (CVE-2015-0232)Fileinfo:Fixed bug #68398 (msooxml matches too many archives).Fixed bug #68665 (invalid free in libmagic).Fixed bug #68671 (incorrect expression in libmagic).Removed readelf.c and related code from libmagic sources.Fixed bug #68735 (fileinfo out-of-bounds memory access). (CVE-2014-9652)FPM:Implemented FR #68526 (Implement POSIX Access Control List for UDS).Fixed bug #68751 (listen.allowed_clients is broken).GD:Fixed bug #68601 (buffer read overflow in gd_gif_in.c). (CVE-2014-9709)Implemented FR #68656 (Report gd library version).mbstring:Fixed bug #68504 (--with-libmbfl configure option not present on Windows).Opcache:Fixed bug #68644 (strlen incorrect : mbstring + func_overload=2 +UTF-8 + Opcache).Fixed bug #67111 (Memory leak when using "continue 2" inside two foreach loops).

    OpenSSL:Improved handling of OPENSSL_KEYTYPE_EC keys.pcntl:Fixed bug #60509 (pcntl_signal doesn't decrease ref-count of old handler when setting SIG_DFL).PCRE:Fixed bug #66679 (Alignment Bug in PCRE 8.34 upstream).pgsql:Fixed bug #68697 (lo_export return -1 on failure).PDO:Fixed bug #68371 (PDO#getAttribute() cannot be called with platform-specific attribute names).PDO_mysql:

    Fixed bug #68424 (Add new PDO mysql connection attr to control multi statements option).SPL:Fixed bug #66405 (RecursiveDirectoryIterator::CURRENT_AS_PATHNAME breaks the RecursiveIterator).Fixed bug #68479 (Added escape parameter to SplFileObject::fputcsv).SQLite:Fixed bug #68120 (Update bundled libsqlite to 3.8.7.2).Streams:Fixed bug #68532 (convert.base64-encode omits padding bytes).Version 5.5.21

    22 Jan 2015

    Core:Upgraded crypt_blowfish to version 1.3.Fixed bug #60704 (unlink() bug with some files path).Fixed bug #65419 (Inside trait, self::class != __CLASS__).Fixed bug #65576 (Constructor from trait conflicts with inherited constructor).Fixed bug #55541 (errors spawn MessageBox, which blocks test automation).Fixed bug #68297 (Application Popup provides too few information).Fixed bug #65769 (localeconv() broken in TS builds).Fixed bug #65230 (setting locale randomly broken).Fixed bug #66764 (configure doesn't define EXPANDED_DATADIR / PHP_DATADIR correctly).Fixed bug #68583 (Crash in timeout thread).Fixed bug #68676 (Explicit Double Free). (CVE-2014-9425)Fixed bug #68710 (Use After Free Vulnerability in PHP's unserialize()). (CVE-2015-0231)CGI:Fixed bug #68618 (out of bounds read crashes php-cgi). (CVE-2014-9427)CLI server:Fixed bug #68745 (Invalid HTTP requests make web server segfault).cURL:Fixed bug #67643 (curl_multi_getcontent returns '' when CURLOPT_RETURNTRANSFER isn't set).EXIF:Fixed bug #68799 (Free called on uninitialized pointer). (CVE-2015-0232)Fileinfo:Fixed bug #68671 (incorrect expression in libmagic).Fixed bug #68735 (fileinfo out-of-bounds memory access). (CVE-2014-9652)Removed readelf.c and related code from libmagic sources.FPM:Fixed bug #68751 (listen.allowed_clients is broken).GD:Fixed bug #68601 (buffer read overflow in gd_gif_in.c). (CVE-2014-9709)Mbstring:Fixed bug #68504 (--with-libmbfl configure option not present on Windows).

    Mcrypt:Fixed possible read after end of buffer and use after free.Opcache:Fixed bug #67111 (Memory leak when using "continue 2" inside two foreach loops).OpenSSL:Fixed bug #55618 (use case-insensitive cert name matching).Pcntl:Fixed bug #60509 (pcntl_signal doesn't decrease ref-count of old handler when setting SIG_DFL).PCRE:Fixed bug #66679 (Alignment Bug in PCRE 8.34 upstream).pgsql:Fixed bug #68697 (lo_export return -1 on failure).

    PDO:Fixed bug #68371 (PDO#getAttribute() cannot be called with platform-specific attribute names).PDO_mysql:Fixed bug #68424 (Add new PDO mysql connection attr to control multi statements option).SPL:Fixed bug #66405 (RecursiveDirectoryIterator::CURRENT_AS_PATHNAME breaks the RecursiveIterator).Fixed bug #65213 (cannot cast SplFileInfo to boolean).Fixed bug #68479 (Added escape parameter to SplFileObject::fputcsv).SQLite:Fixed bug #68120 (Update bundled libsqlite to 3.8.7.2).

    Streams:Fixed bug #68532 (convert.base64-encode omits padding bytes).Version 5.4.37

    22 Jan 2015Core:Fixed bug #68710 (Use After Free Vulnerability in PHP's unserialize()). (CVE-2015-0231)CGI:Fixed bug #68618 (out of bounds read crashes php-cgi). (CVE-2014-9427)


    EXIF:Fixed bug #68799 (Free called on uninitialized pointer). (CVE-2015-0232)Fileinfo:Removed readelf.c and related code from libmagic sources.Fixed bug #68735 (fileinfo out-of-bounds memory access). (CVE-2014-9652)OpenSSL:Fixed bug #55618 (use case-insensitive cert name matching).Version 5.6.4

    18 Dec 2014Core:Fixed bug #68091 (Some Zend headers lack appropriate extern "C" blocks).Fixed bug #68104 (Segfault while pre-evaluating a disabled function).Fixed bug #68185 ("Inconsistent insteadof definition."- incorrectly triggered).Fixed bug #68355 (Inconsistency in example php.ini comments).Fixed bug #68370 ("unset($this)" can make the program crash).Fixed bug #68422 (Incorrect argument reflection info for array_multisort()).Fixed bug #68545 (NULL pointer dereference in unserialize.c).Fixed bug #68446 (Array constant not accepted for array parameter default).Fixed bug #68594 (Use after free vulnerability in unserialize()). (CVE-2014-8142)Date:Fixed day_of_week function as it could sometimes return negative values internally.

    FPM:Fixed bug #68381 (fpm_unix_init_main ignores log_level).Fixed bug #68420 (listen=9000 listens to ipv6 localhost instead of all addresses).Fixed bug #68421 (access.format='%R' doesn't log ipv6 address).Fixed bug #68423 (PHP-FPM will no longer load all pools).Fixed bug #68428 (listen.allowed_clients is IPv4 only).Fixed bug #68452 (php-fpm man page is oudated).Implemented FR #68458 (Change pm.start_servers default warning to notice).Fixed bug #68463 (listen.allowed_clients can silently result in no allowed access).Implemented FR #68391 (php-fpm conf files loading order).Fixed bug #68478 (access.log don't use prefix).

    Mcrypt:Fixed possible read after end of buffer and use after free.GMP:Fixed bug #68419 (build error with gmp 4.1).PDO_pgsql:Fixed bug #67462 (PDO_PGSQL::beginTransaction() wrongly throws exception when not in transaction).Fixed bug #68351 (PDO::PARAM_BOOL and ATTR_EMULATE_PREPARES misbehaving).Session:Fixed bug #68331 (Session custom storage callable functions not being called).SOAP:Fixed bug #68361 (Segmentation fault on SoapClient::__getTypes).zlib:

    Fixed bug #53829 (Compiling PHP with large file support will replace function gzopen by gzopen64).Version 5.5.20

    18 Dec 2014Core:Fixed bug #68091 (Some Zend headers lack appropriate extern "C" blocks).Fixed bug #68185 ("Inconsistent insteadof definition."- incorrectly triggered).Fixed bug #68370 ("unset($this)" can make the program crash).Fixed bug #68545 (NULL pointer dereference in unserialize.c).


    Fixed bug #68594 (Use after free vulnerability in unserialize()). (CVE-2014-8142)Date:Fixed day_of_week function as it could sometimes return negative values internally.FPM:Fixed bug #68381 (fpm_unix_init_main ignores log_level).Fixed bug #68420 (listen=9000 listens to ipv6 localhost instead of all addresses).Fixed bug #68421 (access.format='%R' doesn't log ipv6 address).Fixed bug #68423 (PHP-FPM will no longer load all pools).Fixed bug #68428 (listen.allowed_clients is IPv4 only).Fixed bug #68452 (php-fpm man page is oudated).Fixed bug #68458 (Change pm.start_servers default warning to notice).Fixed bug #68463 (listen.allowed_clients can silently result in no allowed access).Fixed bug #68391 (php-fpm conf files loading order).Fixed bug #68478 (access.log don't use prefix).Mcrypt:Fixed possible read after end of buffer and use after free.PDO_pgsql:Fixed bug #66584 (Segmentation fault on statement deallocation).Fixed bug #67462 (PDO_PGSQL::beginTransaction() wrongly throws exception when not in transaction).

    Fixed bug #68351 (PDO::PARAM_BOOL and ATTR_EMULATE_PREPARES misbehaving).SOAP:Fixed bug #68361 (Segmentation fault on SoapClient::__getTypes).zlib:Fixed bug #53829 (Compiling PHP with large file support will replace function gzopen by gzopen64).Version 5.4.36

    18 Dec 2014Core:Upgraded crypt_blowfish to version 1.3.Fixed bug #68545 (NULL pointer dereference in unserialize.c).Fixed bug #68594 (Use after free vulnerability in unserialize()). (CVE-2014-8142)Mcrypt:Fixed possible read after end of buffer and use after free.Version 5.6.3

    13 Nov 2014Core:Implemented 64-bit format codes for pack() and unpack().Fixed bug #51800 (proc_open on Windows hangs forever).Fixed bug #67633 (A foreach on an array returned from a function not doing copy-on-write).Fixed bug #67739 (Windows 8.1/Server 2012 R2 OS build number reported as 6.2 (instead of 6.3)).

    Fixed bug #67949 (DOMNodeList elements should be accessible through array notation).Fixed bug #68095 (AddressSanitizer reports a heap buffer overflow in php_getopt()).Fixed bug #68118 ($a->foo .= 'test'; can leave $a->foo undefined).Fixed bug #68129 (parse_url() - incomplete support for empty usernames and passwords).Fixed bug #68365 (zend_mm_heap corrupted after memory overflow in zend_hash_copy).CURL:


    Add CURL_SSLVERSION_TLSv1_0, CURL_SSLVERSION_TLSv1_1, and CURL_SSLVERSION_TLSv1_2 constants if supported by libcurl.Fileinfo:Fixed bug #66242 (libmagic: don't assume char is signed).Fixed bug #68224 (buffer-overflow in libmagic/readcdf.c caught by AddressSanitizer).Fixed bug #68283 (fileinfo: out-of-bounds read in elf note headers). (CVE-2014-3710)FPM:Fixed bug #65641 (PHP-FPM incorrectly defines the SCRIPT_NAME variable when using Apache, mod_proxy-fcgi and ProxyPass).Implemented FR #55508 (listen and listen.allowed_clients should take IPv6 addresses).GD:Fixed bug #65171 (imagescale() fails without height param).GMP:Implemented gmp_random_range() and gmp_random_bits().Fixed bug #63595 (GMP memory management conflicts with other libraries using GMP).Mysqli:Fixed bug #68114 (linker error on some OS X machines with fixed width decimal support).ODBC:Fixed bug #68087 (ODBC not correctly reading DATE column when preceded by a VARCHAR column).OpenSSL:Fixed bug #68074 (Allow to use system cipher list instead of hardcoded value).PDO_pgsql:Fixed bug #68199 (PDO::pgsqlGetNotify doesn't support NOTIFY payloads).Fixed bug #66584 (Segmentation fault on statement deallocation).Reflection:Fixed bug #68103 (Duplicate entry in Reflection for class alias).SPL:Fixed bug #68128 (Regression in RecursiveRegexIterator).Version 5.5.19

    13 Nov 2014

    Core:Fixed bug #68095 (AddressSanitizer reports a heap buffer overflow in php_getopt()).Fixed bug #68118 ($a->foo .= 'test'; can leave $a->foo undefined).Fixed bug #68129 (parse_url() - incomplete support for empty usernames and passwords).Fixed bug #68365 (zend_mm_heap corrupted after memory overflow in zend_hash_copy).cURL:Add CURL_SSLVERSION_TLSv1_0, CURL_SSLVERSION_TLSv1_1, and CURL_SSLVERSION_TLSv1_2 constants if supported by libcurl.Fileinfo:Fixed bug #66242 (libmagic: don't assume char is signed).

    Fixed bug #68283 (fileinfo: out-of-bounds read in elf note headers). (CVE-2014-3710)FPM:Implemented FR #55508 (listen and listen.allowed_clients should take IPv6 addresses).GD:Fixed bug #65171 (imagescale() fails without height param).GMP:Fixed bug #63595 (GMP memory management conflicts with other libraries using GMP).


    Mysqli:Fixed bug #68114 (linker error on some OS X machines with fixed width decimal support).ODBC:Fixed bug #68087 (ODBC not correctly reading DATE column when preceded by a VARCHAR column).SPL:Fixed bug #68128 (Regression in RecursiveRegexIterator).Version 5.4.35

    13 Nov 2014Core:Fixed bug #68365 (zend_mm_heap corrupted after memory overflow in zend_hash_copy).Fileinfo:Fixed bug #68283 (fileinfo: out-of-bounds read in elf note headers). (CVE-2014-3710)GMP:Fixed bug #63595 (GMP memory management conflicts with other libraries using GMP).PDO_pgsql:Fixed bug #66584 (Segmentation fault on statement deallocation).Version 5.6.2

    16 Oct 2014Core:Fixed bug #68044 (Integer overflow in unserialize() (32-bits only)). (CVE-2014-3669)cURL:Fixed bug #68089 (NULL byte injection - cURL lib).EXIF:Fixed bug #68113 (Heap corruption in exif_thumbnail()). (CVE-2014-3670)XMLRPC:Fixed bug #68027 (Global buffer overflow in mkgmtime() function). (CVE-2014-3668)Version 5.5.18

    16 Oct 2014Core:Fixed bug #67985 (Incorrect last used array index copied to new array after unset).Fixed bug #67739 (Windows 8.1/Server 2012 R2 OS build number reported as 6.2 (instead of 6.3)).Fixed bug #67633 (A foreach on an array returned from a function not doing copy-on-write).Fixed bug #51800 (proc_open on Windows hangs forever).Fixed bug #68044 (Integer overflow in unserialize() (32-bits only)). (CVE-2014-3669)cURL:Fixed bug #68089 (NULL byte injection - cURL lib).

    Exif:Fixed bug #68113 (Heap corruption in exif_thumbnail()). (CVE-2014-3670)FPM:Fixed bug #65641 (PHP-FPM incorrectly defines the SCRIPT_NAME variable when using Apache, mod_proxy-fcgi and ProxyPass).OpenSSL:Revert regression introduced by fix of bug #41631.Reflection:Fixed bug #68103 (Duplicate entry in Reflection for class alias).Session:


    Fixed bug #67972 (SessionHandler Invalid memory read create_sid()).XMLRPC:Fixed bug #68027 (Global buffer overflow in mkgmtime() function). (CVE-2014-3668)Version 5.4.34

    16 Oct 2014Fileinfo:Fixed bug #66242 (libmagic: don't assume char is signed).Core:Fixed bug #67985 (Incorrect last used array index copied to new array after unset).Fixed bug #68044 (Integer overflow in unserialize() (32-bits only)). (CVE-2014-3669)cURL:Fixed bug #68089 (NULL byte injection - cURL lib).EXIF:Fixed bug #68113 (Heap corruption in exif_thumbnail()). (CVE-2014-3670)OpenSSL:Reverted fixes for bug #41631, due to regressions.XMLRPC:Fixed bug #68027 (Global buffer overflow in mkgmtime() function). (CVE-2014-3668)Version 5.6.1

    02 Oct 2014Core:Implemented FR #38409 (parse_ini_file() loses the type of booleans).Fixed bug #65463 (SIGSEGV during zend_shutdown()).Fixed bug #66036 (Crash on SIGTERM in apache process).Fixed bug #67878 (program_prefix not honoured in man pages).Fixed bug #67938 (Segfault when extending interface method with variadic).Fixed bug #67985 (Incorrect last used array index copied to new array after unset).Fixed bug #68088 (New Posthandler Potential Illegal efree() vulnerability). (CVE-2014-3622)DOM:

    Made DOMNode::textContent writeable.Fileinfo:Fixed bug #67731 (finfo::file() returns invalid mime type for binary files).GD:Made fontFetch's path parser thread-safe.GMP:Fixed bug #67917 (Using GMP objects with overloaded operators can cause memory exhaustion).Fixed bug #50175 (gmp_init() results 0 on given base and number starting with 0x or 0b).Implemented gmp_import() and gmp_export().MySQLi:Fixed bug #67839 (mysqli does not handle 4-byte floats correctly).

    OpenSSL:Fixed bug #67850 (extension won't build if openssl compiled without SSLv3).phpdbg:Fixed issue #111 (compile error without ZEND_SIGNALS).SOAP:Fixed bug #67955 (SoapClient prepends 0-byte to cookie names).Session:Fixed bug #67972 (SessionHandler Invalid memory read create_sid()).Sysvsem:Implemented FR #67990 (Add optional nowait argument to sem_acquire).


    Version 5.5.17

    18 Sep 2014Core:Fixed bug #47358 (glob returns error, should be empty array()).Fixed bug #65463 (SIGSEGV during zend_shutdown()).Fixed bug #66036 (Crash on SIGTERM in apache process).Fixed bug #67878 (program_prefix not honoured in man pages).COM:Fixed bug #41577 (DOTNET is successful once per server run).Date:Fixed bug #66091 (memory leaks in DateTime constructor).Fixed bug #66985 (Some timezones are no longer valid in PHP 5.5.10).Fixed bug #67109 (First uppercase letter breaks date string parsing).FPM:Fixed bug #67606 (FPM with mod_fastcgi/apache2.4 is broken).GD:Made fontFetch's path parser thread-safe.MySQLi:Fixed bug #67839 (mysqli does not handle 4-byte floats correctly).OpenSSL:Fixed bug #41631 (socket timeouts not honored in blocking SSL reads).Fixed bug #67850 (extension won't build if openssl compiled without SSLv3).SPL:

    Fixed bug #67813 (CachingIterator::__construct InvalidArgumentException wrong message).Zlib:Fixed bug #67724 (chained zlib filters silently fail with large amounts of data).Fixed bug #67865 (internal corruption phar error).Version 5.4.33

    18 Sep 2014

    Core:
    Fixed bug #47358 (glob returns error, should be empty array()).
    Fixed bug #65463 (SIGSEGV during zend_shutdown()).
    Fixed bug #66036 (Crash on SIGTERM in apache process).

    OpenSSL:
    Fixed bug #41631 (socket timeouts not honored in blocking SSL reads).

    Date:
    Fixed bug #66091 (memory leaks in DateTime constructor).

    FPM:
    Fixed bug #67606 (FPM with mod_fastcgi/apache2.4 is broken).

    GD:
    Made fontFetch's path parser thread-safe.

    Wddx:
    Fixed bug #67873 (Segfaults in php_wddx_serialize_var).

    Zlib:
    Fixed bug #67724 (chained zlib filters silently fail with large amounts of data).
    Fixed bug #67865 (internal corruption phar error).

    Version 5.6.0

    28 Aug 2014

    General improvements:
    Added constant scalar expressions syntax.
    Added dedicated syntax for variadic functions.
    Added support for argument unpacking to complement the variadic syntax.
    Added an exponentiation operator (**).
    Added phpdbg SAPI.
    Added unified default encoding.
    The php://input stream is now re-usable and can be used concurrently with enable_post_data_reading=0.
    Added use function and use const.
    Added a function for timing attack safe string comparison.
    Added the __debugInfo() magic method to allow userland classes to implement the get_debug_info API previously available only to extensions.
    Added gost-crypto (CryptoPro S-box) hash algorithm.
    Stream wrappers verify peer certificates and host names by default in encrypted client streams.
    Uploads equal or greater than 2GB in size are now accepted.

    Core:
    Fixed bug #67693 (incorrect push to the empty array).
    Removed inconsistency regarding behaviour of array in constants at run-time.
    Fixed bug #67497 (eval with parse error causes segmentation fault in generator).
    Fixed bug #67151 (strtr with empty array crashes).
    Fixed bug #67407 (Windows 8.1/Server 2012 R2 reported as Windows 8/Server 2012).
    Fixed bug #66608 (Incorrect behavior with nested "finally" blocks).
    Implemented FR #34407 (ucwords and Title Case).
    Fixed bug #67091 (make install fails to install libphp5.so on FreeBSD 10.0).
    Fixed bug #67368 (Memory leak with immediately dereferenced array in class constant).
    Fixed bug #67468 (Segfault in highlight_file()/highlight_string()).
    Fixed bug #67498 (phpinfo() Type Confusion Information Leak Vulnerability).

    Fixed bug #67551 (php://input temp file will be located in sys_temp_dir instead of upload_tmp_dir).
    Fixed bug #67169 (array_splice all elements, then []= gives wrong index).
    Fixed bug #67198 (php://input regression).
    Fixed bug #67247 (spl_fixedarray_resize integer overflow).
    Fixed bug #67250 (iptcparse out-of-bounds read).
    Fixed bug #67252 (convert_uudecode out-of-bounds read).
    Fixed bug #67249 (printf out-of-bounds read).
    Implemented FR #64744 (Differentiate between member function call on a null and non-null, non-objects).
    Fixed bug #67436 (Autoloader isn't called if two method definitions don't match).
    Fixed bug #66622 (Closures do not correctly capture the late bound class (static::) in some cases).
    Fixed bug #67390 (insecure temporary file use in the configure script). (CVE-2014-3981)
    Fixed bug #67392 (dtrace breaks argument unpack).
    Fixed bug #67428 (header('Location: foo') will override a 308-399 response code).
    Fixed bug #67433 (SIGSEGV when using count() on an object implementing Countable).
    Fixed bug #67399 (putenv with empty variable may lead to crash).
    Expose get_debug_info class hook as __debugInfo() magic method.
    Implemented unified default encoding (RFC: https://wiki.php.net/rfc/default_encoding).
    Added T_POW (**) operator (RFC: https://wiki.php.net/rfc/pow-operator).

    Improved IS_VAR operands fetching.
    Improved empty string handling. Now ZE uses an interned string instead of allocating a new empty string each time.
    Implemented internal operator overloading (RFC: https://wiki.php.net/rfc/operator_overloading_gmp).
    Made calls from incompatible context issue an E_DEPRECATED warning instead of E_STRICT (phase 1 of RFC: https://wiki.php.net/rfc/incompat_ctx).
    Uploads equal or greater than 2GB in size are now accepted.
    Reduced POST data memory usage by 200-300%. Changed INI setting always_populate_raw_post_data to throw a deprecation warning when enabling and to accept -1 for never populating the $HTTP_RAW_POST_DATA global variable, which will be the default in future PHP versions.
    Implemented dedicated syntax for variadic functions (RFC: https://wiki.php.net/rfc/variadics).
    Fixed bug #50333 Improving multi-threaded scalability by using emalloc/efree/estrdup (Anatol, Dmitry)
    Implemented constant scalar expressions (with support for constants) (RFC: https://wiki.php.net/rfc/const_scalar_exprs).
    Fixed bug #65784 (Segfault with finally).
    Fixed bug #66509 (copy() arginfo has changed starting from 5.4).
    Allow zero length comparison in substr_compare() (Tjerk)
    Fixed bug #60602 (proc_open() changes environment array) (Tjerk)
    Fixed bug #61019 (Out of memory on command stream_get_contents).
    Fixed bug #64330 (stream_socket_server() creates wrong Abstract Namespace UNIX sockets).
    Fixed bug #66182 (exit in stream filter produces segfault).
    Fixed bug #66736 (fpassthru broken).
    Fixed bug #66822 (Cannot use T_POW in const expression) (Tjerk)
    Fixed bug #67043 (substr_compare broke by previous change) (Tjerk)
    Fixed bug #65701 (copy() doesn't work when destination filename is created by tempnam()).
    Fixed bug #66015 (Unexpected array indexing in class's static property).
    Added (constant) string/array dereferencing to static scalar expressions to complete the set; now possible thanks to #66015 being fixed.

    Fixed bug #66568 (Update reflection information for unserialize() function).
    Fixed bug #66660 (Composer.phar install/update fails).
    Fixed bug #67024 (getimagesize should recognize BMP files with negative height).
    Fixed bug #67064 (Countable interface prevents using 2nd parameter ($mode) of count() function).
    Fixed bug #67072 (Echoing unserialized "SplFileObject" crash).
    Fixed bug #67033 (Remove reference to Windows 95).

    Apache2 Handler SAPI:
    Fixed Apache log issue caused by APR's lack of support for %zu (APR issue https://issues.apache.org/bugzilla/show_bug.cgi?id=56120).

    CLI server:
    Added some MIME types to the CLI web server.
    Fixed bug #67079 (Missing MIME types for XML/XSL files).

    Fixed bug #66830 (Empty header causes PHP built-in web server to hang).
    Fixed bug #67594 (Unable to access to apache_request_headers() elements).
    Implemented FR #67429 (CLI server is missing some new HTTP response codes).
    Fixed bug #67406 (built-in web-server segfaults on startup).

    COM:
    Fixed bug #41577 (DOTNET is successful once per server run) (Aidas Kasparas)
    Fixed missing type checks in com_event_sink (Yussuf Khalil, Stas).
    Fixed bug #66431 (Special Character via COM Interface (CP_UTF8)).

    Curl:
    Implemented FR #65646 (re-enable CURLOPT_FOLLOWLOCATION with open_basedir or safe_mode).
    Check for openssl.cafile ini directive when loading CA certs.
    Remove cURL close policy related constants as these have no effect and are no longer used in libcurl.
    Fixed bug #66109 (Can't reset CURLOPT_CUSTOMREQUEST to default behaviour) (Tjerk)
    Fix compilation on libcurl versions between 7.10.5 and 7.12.2, inclusive.
    Fixed bug #64247 (CURLOPT_INFILE doesn't allow reset).
    Fixed bug #66562 (curl_exec returns differently than curl_multi_getcontent).

    Date:
    Fixed bug #66060 (Heap buffer over-read in DateInterval). (CVE-2013-6712)
    Fixed bug #66091 (memory leaks in DateTime constructor) (Tjerk).
    Fixed bug #67308 (Serialize of DateTime truncates fractions of second).


    Fixed regression in fix for #67118 (constructor can't be called twice).
    Fixed bug #67251 (date_parse_from_format out-of-bounds read).
    Fixed bug #67253 (timelib_meridian_with_check out-of-bounds read).
    Added DateTimeImmutable::createFromMutable to create a DateTimeImmutable object from an existing DateTime (mutable) object (Derick)
    Fixed bug #66721 (__wakeup of DateTime segfaults when invalid object data is supplied).
    Fixed bug #67118 (DateTime constructor crash with invalid data).

    DOM:
    Fixed bug #67081 (DOMDocumentType->internalSubset returns entire DOCTYPE tag, not only the subset).

    Embed:
    Fixed bug #65715 (php5embed.lib isn't provided anymore). (Anatol).

    Fileinfo:
    Fixed bug #67716 (Segfault in cdf.c). (CVE-2014-3587)
    Fixed bug #67705 (extensive backtracking in rule regular expression). (CVE-2014-3538)
    Fixed bug #67327 (fileinfo: CDF infinite loop in nelements DoS). (CVE-2014-0238)
    Fixed bug #67328 (fileinfo: fileinfo: numerous file_printf calls resulting in performance degradation). (CVE-2014-0237)
    Fixed bug #67326 (fileinfo: cdf_read_short_sector insufficient boundary check). (CVE-2014-0207)
    Fixed bug #67329 (fileinfo: NULL pointer dereference flaw by processing certain CDF files). (CVE-2014-0236)

    Fixed bug #67410 (fileinfo: mconvert incorrect handling of truncated pascal string size). (CVE-2014-3478)
    Fixed bug #67411 (fileinfo: cdf_check_stream_offset insufficient boundary check). (CVE-2014-3479)
    Fixed bug #67412 (fileinfo: cdf_count_chain insufficient boundary check). (CVE-2014-3480)
    Fixed bug #67413 (fileinfo: cdf_read_property_info insufficient boundary check). (CVE-2014-3487)
    Upgraded to libmagic-5.17 (Anatol)
    Fixed bug #66731 (file: infinite recursion). (CVE-2014-1943)
    Fixed bug #66820 (out-of-bounds memory access in fileinfo). (CVE-2014-2270)
    Fixed bug #66946 (fileinfo: extensive backtracking in awk rule regular expression). (CVE-2013-7345)

    Fixed bug #66987 (Memory corruption in fileinfo ext / bigendian).
    Fixed bug #66907 (Solaris 10 is missing strcasestr and needs substitute).
    Fixed bug #66307 (Fileinfo crashes with powerpoint files).

    FPM:
    Fixed bug #67606 (revised fix 67541, broke mod_fastcgi BC).
    Fixed bug #67530 (error_log=syslog ignored).
    Fixed bug #67635 (php links to systemd libraries without using pkg-config).
    Fixed bug #67531 (syslog cannot be set in pool configuration).
    Fixed bug #67541 (Fix Apache 2.4.10+ SetHandler proxy:fcgi:// incompatibilities).
    Included apparmor support in fpm (RFC: https://wiki.php.net/rfc/fpm_change_hat).
    Added clear_env configuration directive to disable clearenv() call.
    Fixed bug #66482 (unknown entry 'priority' in php-fpm.conf).

    Fixed bug #66908 (php-fpm reload leaks epoll_create() file descriptor).
    Fixed bug #67060 (sapi/fpm: possible privilege escalation due to insecure default configuration). (CVE-2014-0185)

    GD:
    Fixed bug #67730 (Null byte injection possible with imagexxx functions). (CVE-2014-5120)
    Fixed bug #66901 (php-gd 'c_color' NULL pointer dereference). (CVE-2014-2497)
    Fixed bug #67248 (imageaffinematrixget missing check of parameters).
    Fixed imagettftext to load the correct character map rather than the last one.
    Fixed bug #66356 (Heap Overflow Vulnerability in imagecrop()). (CVE-2013-7226)


    Fixed bug #66815 (imagecrop(): insufficient fix for NULL defer). (CVE-2013-7327)
    Fixed bug #66869 (Invalid 2nd argument crashes imageaffinematrixget).
    Fixed bug #66887 (imagescale - poor quality of scaled image).
    Fixed bug #66890 (imagescale segfault).
    Fixed bug #66893 (imagescale ignore method argument).

    GMP:
    Fixed bug #66872 (invalid argument crashes gmp_testbit) (Pierre)
    Fixed crashes in serialize/unserialize.
    Moved GMP to use object as the underlying structure and implemented various improvements based on this.
    Added gmp_root() and gmp_rootrem() functions for calculating nth roots.

    Hash:
    Added gost-crypto (CryptoPro S-box) GOST hash algo.
    Fixed bug #66698 (Missing FNV1a32 and FNV1a64 hash functions). (Michael M Slusarz).
    Implemented timing attack safe string comparison function (RFC: https://wiki.php.net/rfc/timing_attack).
    hash_pbkdf2() now works correctly if the $length argument is not specified.

    Intl:
    Fixed bug #66873 (A reproducible crash in UConverter when given invalid encoding) (Stas)
    Fixed bug #66921 (Wrong argument type hint for function intltz_from_date_time_zone).
    Fixed bug #67052 (NumberFormatter::parse() resets LC_NUMERIC setting).

    Fixed bug #67349 (Locale::parseLocale Double Free).
    Fixed bug #67397 (Buffer overflow in locale_get_display_name and uloc_getDisplayName (libicu 4.8.1)).

    JSON:
    Fixed case part of bug #64874 ("json_decode handles whitespace and case-sensitivity incorrectly")
    Fixed bug #65753 (JsonSerializeable couldn't implement on module extension) ([email protected])
    Fixed bug #66021 (Blank line inside empty array/object when JSON_PRETTY_PRINT is set).

    ldap:
    Added new function ldap_modify_batch().
    Fixed issue with null bytes in LDAP bindings.

    litespeed:
    Fixed bug #63228 (-Werror=format-security error in lsapi code).

    Mail:
    Fixed bug #66535 (Don't add newline after X-PHP-Originating-Script) (Tjerk)

    Mcrypt:
    No longer allow invalid key sizes, invalid IV sizes or missing required IV in mcrypt_encrypt, mcrypt_decrypt and the deprecated mode functions.
    Use /dev/urandom as the default source for mcrypt_create_iv().

    Mbstring:
    Upgraded to oniguruma 5.9.5 (Anatol)
    Fixed bug #67199 (mb_regex_encoding mismatch).

    Milter:
    Fixed bug #67715 (php-milter does not build and crashes randomly).

    mysqli:
    Added new function mysqli_get_links_stats() as well as new INI variable mysqli.rollback_on_cached_plink of type bool (Andrey)
    Fixed bug #66762 (Segfault in mysqli_stmt::bind_result() when link closed) (Remi)
    Fixed building against an external libmysqlclient.

    mysqlnd:
    Disabled flag for SP OUT variables for 5.5+ servers as they are not natively supported by the overlying APIs.
    Added a new fetching mode to mysqlnd.


    Added support for gb18030 from MySQL 5.7.

    Network:
    Fixed bug #67717 (segfault in dns_get_record). (CVE-2014-3597)
    Fixed bug #67432 (Fix potential segfault in dns_get_record()). (CVE-2014-4049)

    OCI8:
    Fixed bug #66875 (Improve performance of multi-row OCI_RETURN_LOB queries) (Perrier, Chris Jones)

    ODBC:
    Fixed bug #60616 (odbc_fetch_into returns junk at end of multi-byte char fields).

    OpenSSL:
    Fixed missing type checks in OpenSSL options (Yussuf Khalil, Stas).
    Fixed bug #67609 (TLS connections fail behind HTTP proxy).
    Fixed broken build against OpenSSL older than 0.9.8 where ECDH unavailable.
    Fixed bug #67666 (Subject altNames doesn't support wildcard matching).
    Fixed bug #67224 (Fall back to crypto_type from context if not specified explicitly in stream_socket_enable_crypto).
    Fixed bug #65698 (certificates validity parsing does not work past 2050).
    Fixed bug #66636 (openssl_x509_parse warning with V_ASN1_GENERALIZEDTIME).
    Peer certificates now verified by default in client socket operations (RFC: https://wiki.php.net/rfc/tls-peer-verification).
    New openssl.cafile and openssl.capath ini directives.
    Added crypto_method option for the ssl stream context.
    Added certificate fingerprint support.

    Added explicit TLSv1.1 and TLSv1.2 stream transports.
    Fixed bug #65729 (CN_match gives false positive).
    Peer name verification matches SAN DNS names for certs using the Subject Alternative Name x509 extension.
    Fixed segfault when built against OpenSSL>=1.0.1 (Daniel Lowrey)
    Added SPKAC support.
    Fallback to Windows CA cert store for peer verification if no openssl.cafile ini directive or "cafile" SSL context option specified in Windows.
    The openssl.cafile and openssl.capath ini directives introduced in alpha2 now have PHP_INI_PERDIR accessibility (was PHP_INI_ALL).
    New "peer_name" SSL context option replaces "CN_match" (which still works as before but triggers E_DEPRECATED).
    Fixed segfault when accessing non-existent context for client SNI use (Daniel Lowrey)
    Fixed bug #66501 (Add EC key support to php_openssl_is_private_key).
    Fixed bug #47030 (add new boolean "verify_peer_name" SSL context option allowing clients to verify cert names separately from the cert itself). "verify_peer_name" is enabled by default for client streams.
    Fixed bug #65538 ("cafile" SSL context option now supports stream wrappers).
    New openssl_get_cert_locations() function to aid CA file and peer verification debugging.
    Encrypted stream wrappers now disable TLS compression by default.
    New "capture_session_meta" SSL context option allows encrypted client and server streams access to negotiated protocol/cipher information.
    New "honor_cipher_order" SSL context option allows servers to prioritize ciphersuites of their choosing when negotiating SSL/TLS handshakes.

    New "single_ecdh_use" and "single_dh_use" SSL context options allow for improved forward secrecy in encrypted stream servers.
    New "dh_param" SSL context option allows stream servers control over the parameters when negotiating DHE cipher suites.
    New "ecdh_curve" SSL context option allowing stream servers to specify the curve to use when negotiating ephemeral ECDHE ciphers (defaults to NIST P-256).
    New "rsa_key_size" SSL context option gives stream servers control over the keysize (in bits) used for RSA key agreements.
    Crypto methods for encrypted client and server streams now use bitwise flags for fine-grained protocol support.


    Added new tlsv1.0 stream wrapper to specify TLSv1 client/server method. tls wrapper now negotiates TLSv1, TLSv1.1 or TLSv1.2.
    Encrypted client streams now enable SNI by default.
    Encrypted streams now prioritize ephemeral key agreement and high strength ciphers by default.
    New OPENSSL_DEFAULT_STREAM_CIPHERS constant exposes default cipher list.
    New STREAM_CRYPTO_METHOD_* constants for enhanced control over the crypto methods negotiated encrypted server/client sessions.
    Encrypted stream servers now automatically mitigate potential DoS vector arising from client-initiated TLS renegotiation. New "reneg_limit", "reneg_window" and "reneg_limit_callback" SSL context options for custom renegotiation limiting control.
    Fixed memory leak in windows cert verification on verify failure.
    Peer certificate capturing via SSL context options now functions even if peer verification fails.
    Encrypted TLS servers now support the server name indication TLS extension via the new "SNI_server_certs" SSL context option.
    Fixed bug #66833 (Default digest algo is still MD5, switch to SHA1).
    Fixed bug #66942 (memory leak in openssl_seal()).
    Fixed bug #66952 (memory leak in openssl_open()).
    Fixed bug #66840 (Fix broken build when extension built separately).

    OPcache:
    Added an optimization of class constants and constant calls to some internal functions (Laruence, Dmitry)

    Added an optimization pass to convert FCALL_BY_NAME into DO_FCALL.
    Added an optimization pass to merge identical constants (and related cache_slots) in op_array->literals table.
    Added script level constant replacement optimization pass.
    Added function opcache_is_script_cached().
    Added information about interned strings usage.
    Fixed bug #67215 (php-cgi work with opcache, may be segmentation fault happen) (Dmitry, Laruence)

    PCRE:
    Fixed bug #67238 (Ungreedy and min/max quantifier bug, applied patch from the upstream).
    Upgraded to PCRE 8.34.
    Added support for (*MARK) backtracking verbs.

    pgsql:
    Fixed bug #67550 (Error in code "form" instead of "from", pgsql.c, line 756), which affected builds against libpq < 7.3.
    pg_insert()/pg_select()/pg_update()/pg_delete() are no longer EXPERIMENTAL.
    Implemented FR #25854 (Return value for pg_insert should be resource instead of bool).
    Implemented FR #41146 (Add "description" with extended flag pg_meta_data(). pg_meta_data(resource $conn, string $table [, bool extended]) It also made pg_meta_data() return "is enum" always).
    Read-only access to the socket stream underlying database connections is exposed via a new pg_socket() function to allow read/write polling when establishing asynchronous connections and executing queries in non-blocking applications.
    Asynchronous connections are now possible using the PGSQL_CONNECT_ASYNC flag in conjunction with a new pg_connect_poll() function and connection polling status constants.
    New pg_flush() and pg_consume_input() functions added to manually complete non-blocking reads/writes to underlying connection sockets.
    pg_version() returns full report which is obtained by PQparameterStatus().
    Added pg_lo_truncate().
    Added 64bit large object support for PostgreSQL 9.3 and later.
    Fixed bug #67555 (Cannot build against libpq 7.3).

    phpdbg:
    Fixed bug #67575 (Compilation fails for phpdbg when the build directory != src directory).
    Fixed bug #67499 (readline feature not enabled when build with libedit).
    Fixed issue #94 (List behavior is inconsistent).
    Fixed issue #97 (The prompt should always ensure it is on a newline).
    Fixed issue #98 (break if does not seem to work).
    Fixed issue #99 (register function has the same behavior as run).
    Fixed issue #100 (No way to list the current stack/frames) (Help entry was missing).
    Fixed bug which caused phpdbg to fail immediately on startup in non-debug builds.
    Fixed bug #67212 (phpdbg uses non-standard TIOCGWINSZ).
    Included phpdbg sapi (RFC: https://wiki.php.net/rfc/phpdbg).
    Added watchpoints (watch command).
    Renamed some commands (next => continue and how to step).
    Fixed issue #85 (Added stdin/stdout/stderr constants and their php:// wrappers).

    PDO:
    Fixed bug #66604 ('pdo/php_pdo_error.h' not copied to the include dir).

    PDO-ODBC:
    Fixed bug #50444 (PDO-ODBC changes for 64-bit).

    PDO_pgsql:
    Fixed bug #42614 (PDO_pgsql: add pg_get_notify support).
    Fixed bug #63657 (pgsqlCopyFromFile, pgsqlCopyToArray use Postgres < 7.3 syntax).
    Cleaned up code by increasing the requirements to libpq versions providing PQexecParams, PQprepare, PQescapeStringConn, PQescapeByteaConn. According to the release notes that means 8.0.8+ or 8.1.4+.
    Deprecated PDO::PGSQL_ATTR_DISABLE_NATIVE_PREPARED_STATEMENT, an undocumented constant effectively equivalent to PDO::ATTR_EMULATE_PREPARES.
    Added PDO::PGSQL_ATTR_DISABLE_PREPARES constant to execute the queries without preparing them, while still passing parameters separately from the command text using PQexecParams.

    PDO_firebird:
    Fixed bug #66071 (memory corruption in error handling) (Popa)

    Phar:
    Fixed bug #64498 ($phar->buildFromDirectory can't compress file with an accent in its name).
    Fixed bug #67587 (Redirection loop on nginx with FPM).

    readline:
    Fixed bug #55496 (Interactive mode doesn't force a newline before the prompt).
    Fixed bug #67496 (Save command history when exiting interactive shell with control-c).

    Reflection:
    Implemented FR #67713 (loosen the restrictions on ReflectionClass::newInstanceWithoutConstructor()).

    Session:
    Fixed bug #67694 (Regression in session_regenerate_id()).
    Fixed missing type checks in php_session_create_id (Yussuf Khalil, Stas).
    Fixed bug #66827 (Session raises E_NOTICE when session name variable is array).
    Fixed bug #65315 (session.hash_function silently fallback to default md5) (Yasuo)

    Implemented FR #17860 (Session write short circuit).
    Implemented FR #20421 (session_abort() and session_reset() function).
    Remove session_gc() and session_serializer_name() which were introduced in the first 5.6.0 alpha.

    SimpleXML:
    Fixed bug #66084 (simplexml_load_string() mangles empty node name) (Anatol)

    SQLite:
    Updated the bundled libsqlite to the version 3.8.3.1 (Anatol)
    Fixed bug #66967 (Updated bundled libsqlite to 3.8.4.3).

    SOAP:
    Implemented FR #49898 (Add SoapClient::__getCookies()).

    SPL:
    Revert fix for #67064 (BC issues).
    Fixed bug #67539 (ArrayIterator use-after-free due to object change during sorting). (CVE-2014-4698)
    Fixed bug #67538 (SPL Iterators use-after-free). (CVE-2014-4670)
    Fixed bug #67492 (unserialize() SPL ArrayObject / SPLObjectStorage Type Confusion). (CVE-2014-3515)
    Fixed bug #67359 (Segfault in recursiveDirectoryIterator).
    Fixed bug #66127 (Segmentation fault with ArrayObject unset).
    Implemented FR #67453 (Allow to unserialize empty data).
    Fixed bug #66834 (empty() does not work on classes that extend ArrayObject) (Tjerk)
    Fixed bug #66702 (RegexIterator::INVERT_MATCH does not invert).

    Standard:
    Implemented FR #65634 (HTTP wrapper is very slow with protocol_version 1.1).
    Implemented Change crypt() behavior w/o salt RFC. (Yasuo) https://wiki.php.net/rfc/crypt_function_salt
    Implemented FR #49824 (Change array_fill() to allow creating empty array).

    Streams:
    Fixed bug #67430 (http:// wrapper doesn't follow 308 redirects).

    Tokenizer:
    Fixed bug #67395 (token_name() does not return name for T_POW and T_POW_EQUAL token).

    XMLReader:
    Fixed bug #55285 (XMLReader::getAttribute/No/Ns methods inconsistency).

    XSL:
    Fixed bug #53965 ( cannot find files with relative paths when loaded with "file://").

    Zip:
    update libzip to version 1.11.2. PHP doesn't use any libzip private symbol anymore.
    new method ZipArchive::setPassword($password).
    add --with-libzip option to build with system libzip.
    new methods:
    ZipArchive::setExternalAttributesName($name, $opsys, $attr [, $flags])
    ZipArchive::setExternalAttributesIndex($idx, $opsys, $attr [, $flags])
    ZipArchive::getExternalAttributesName($name, &$opsys, &$attr [, $flags])
    ZipArchive::getExternalAttributesIndex($idx, &$opsys, &$attr [, $flags])

    Zlib:
    Fixed bug #67865 (internal corruption phar error). Mike
    Fixed bug #67724 (chained zlib filters silently fail with large amounts of data).

    Version 5.5.16

    21 Aug 2014

    COM:
    Fixed missing type checks in com_event_sink.

    Core:
    Fixed bug #67693 (incorrect push to the empty array).

    Fileinfo:
    Fixed bug #67705 (extensive backtracking in rule regular expression). (CVE-2014-3538).
    Fixed bug #67716 (Segfault in cdf.c). (CVE-2014-3587).

    FPM:
    Fixed bug #67635 (php links to systemd libraries without using pkg-config).

    GD:
    Fixed bug #66901 (php-gd 'c_color' NULL pointer dereference). (CVE-2014-2497).
    Fixed bug #67730 (Null byte injection possible with imagexxx functions). (CVE-2014-5120).

    Milter:
