PHP 5 ChangeLog
Version 5.6.40
10 Jan 2019
GD:
Fixed bug #77269 (efree() on uninitialized Heap data in imagescale leads to use-after-free). (CVE-2016-10166)
Fixed bug #77270 (imagecolormatch Out Of Bounds Write on Heap). (CVE-2019-6977)
Mbstring:
Fixed bug #77370 (Buffer overflow on mb regex functions - fetch_token). (CVE-2019-9023)
Fixed bug #77371 (heap buffer overflow in mb regex functions - compile_string_node). (CVE-2019-9023)
Fixed bug #77381 (heap buffer overflow in multibyte match_at). (CVE-2019-9023)
Fixed bug #77382 (heap buffer overflow due to incorrect length in expand_case_fold_string). (CVE-2019-9023)
Fixed bug #77385 (buffer overflow in fetch_token). (CVE-2019-9023)
Fixed bug #77394 (Buffer overflow in multibyte case folding - unicode). (CVE-2019-9023)
Fixed bug #77418 (Heap overflow in utf32be_mbc_to_code). (CVE-2019-9023)
Phar:
Fixed bug #77247 (heap buffer overflow in phar_detect_phar_fname_ext). (CVE-2019-9021)
Xmlrpc:
Fixed bug #77242 (heap out of bounds read in xmlrpc_decode()). (CVE-2019-9020)
Fixed bug #77380 (Global out of bounds read in xmlrpc base64 code). (CVE-2019-9024)
Version 5.6.39
06 Dec 2018
Core:
Fixed bug #77231 (Segfault when using convert.quoted-printable-encode filter).
IMAP:
Fixed bug #77020 (null pointer dereference in imap_mail).
Fixed bug #77153 (imap_open allows to run arbitrary shell commands via mailbox parameter). (CVE-2018-19518)
Phar:
Fixed bug #77022 (PharData always creates new files with mode 0666).
Fixed bug #77143 (Heap Buffer Overflow (READ: 4) in phar_parse_pharfile). (CVE-2018-20783)
Version 5.6.38
13 Sep 2018
Apache2:
Fixed bug #76582 (XSS due to the header Transfer-Encoding: chunked). (CVE-2018-17082)
Version 5.6.37
19 Jul 2018
Exif:
Fixed bug #76423 (Int Overflow lead to Heap OverFlow in exif_thumbnail_extract of exif.c). (CVE-2018-14883)
Fixed bug #76557 (heap-buffer-overflow (READ of size 48) while reading exif data). (CVE-2018-14851)
Win32:
Fixed bug #76459 (windows linkinfo lacks openbasedir check). (CVE-2018-15132)
Version 5.6.36
26 Apr 2018
Exif:
Fixed bug #76130 (Heap Buffer Overflow (READ: 1786) in exif_iif_add_value). (CVE-2018-10549)
iconv:
Fixed bug #76249 (stream filter convert.iconv leads to infinite loop on invalid sequence). (CVE-2018-10546)
LDAP:
Fixed bug #76248 (Malicious LDAP-Server Response causes Crash). (CVE-2018-10548)
Phar:
Fixed bug #76129 (fix for CVE-2018-5712 may not be complete). (CVE-2018-10547)
Version 5.6.35
29 Mar 2018
FPM:
Fixed bug #75605 (Dumpable FPM child processes allow bypassing opcache access controls). (CVE-2018-10545)
Version 5.6.34
01 Mar 2018
Standard:
Fixed bug #75981 (stack-buffer-overflow while parsing HTTP response). (CVE-2018-7584)
Version 5.6.33
04 Jan 2018
GD:
Fixed bug #75571 (Potential infinite loop in gdImageCreateFromGifCtx). (CVE-2018-5711)
Phar:
Fixed bug #74782 (Reflected XSS in .phar 404 page). (CVE-2018-5712)
Version 5.6.32
26 Oct 2017
Date:
Fixed bug #75055 (Out-Of-Bounds Read in timelib_meridian()). (CVE-2017-16642)
mcrypt:
Fixed bug #72535 (arcfour encryption stream filter crashes php).
PCRE:
Fixed bug #75207 (applied upstream patch for CVE-2016-1283).
Version 5.6.31
06 Jul 2017
Core:
Fixed bug #73807 (Performance problem with processing large post request). (CVE-2017-11142)
Fixed bug #74111 (Heap buffer overread (READ: 1) finish_nested_data from unserialize). (CVE-2017-12933)
Fixed bug #74603 (PHP INI Parsing Stack Buffer Overflow Vulnerability). (CVE-2017-11628)
Fixed bug #74819 (wddx_deserialize() heap out-of-bound read via php_parse_date()). (CVE-2017-11145)
GD:
Fixed bug #74435 (Buffer over-read into uninitialized memory). (CVE-2017-7890)
mbstring:
Add oniguruma upstream fix (CVE-2017-9224, CVE-2017-9226, CVE-2017-9227, CVE-2017-9228, CVE-2017-9229)
OpenSSL:
Fixed bug #74651 (negative-size-param (-1) in memcpy in zif_openssl_seal()). (CVE-2017-11144)
PCRE:
Fixed bug #74087 (Segmentation fault in PHP7.1.1(compiled using the bundled PCRE library)).
WDDX:
Fixed bug #74145 (wddx parsing empty boolean tag leads to SIGSEGV). (CVE-2017-11143)
Version 5.6.30
19 Jan 2017
EXIF:
Fixed bug #73737 (FPE when parsing a tag format). (CVE-2016-10158)
GD:
Fixed bug #73549 (Use after free when stream is passed to imagepng).
Fixed bug #73868 (DOS vulnerability in gdImageCreateFromGd2Ctx()). (CVE-2016-10167)
Fixed bug #73869 (Signed Integer Overflow gd_io.c). (CVE-2016-10168)
Intl:
Fixed bug #68447 (grapheme_extract take an extra trailing character).
Phar:
Fixed bug #73764 (Crash while loading hostile phar archive). (CVE-2016-10159)
Fixed bug #73768 (Memory corruption when loading hostile phar). (CVE-2016-10160)
Fixed bug #73773 (Seg fault when loading hostile phar). (CVE-2017-11147)
SQLite3:
Reverted fix for bug #73530 (Unsetting result set may reset other result set).
Standard:
Fixed bug #70213 (Unserialize context shared on double class lookup).
Fixed bug #73825 (Heap out of bounds read on unserialize in finish_nested_data()). (CVE-2016-10161)
Version 5.6.29
08 Dec 2016
Mysqlnd:
Fixed bug #64526 (Add missing mysqlnd.* parameters to php.ini-*).
Opcache:
Fixed bug #73402 (Opcache segfault when using class constant to call a method).
Fixed bug #69090 (check cached files permissions).
OpenSSL:
Fixed bug #72776 (Invalid parameter in memcpy function through openssl_pbkdf2).
Postgres:
Fixed bug #73498 (Incorrect SQL generated for pg_copy_to()).
SOAP:
SQLite3:
Fixed bug #73530 (Unsetting result set may reset other result set).
Standard:
Fixed bug #73297 (HTTP stream wrapper should ignore HTTP 100 Continue).
WDDX:
Fixed bug #73631 (Invalid read when wddx decodes empty boolean element). (CVE-2016-9935)
Version 5.6.28
10 Nov 2016
Core:
Fixed bug #73337 (try/catch not working with two exceptions inside a same operation).
Bz2:
Fixed bug #73356 (crash in bzcompress function).
GD:
Fixed bug #73213 (Integer overflow in imageline() with antialiasing).
Fixed bug #73272 (imagescale() is not affected by, but affects imagesetinterpolation()).
Fixed bug #73279 (Integer overflow in gdImageScaleBilinearPalette()).
Fixed bug #73280 (Stack Buffer Overflow in GD dynamicGetbuf).
Fixed bug #72482 (Illegal write/read access caused by gdImageAALine overflow).
Fixed bug #72696 (imagefilltoborder stackoverflow on truecolor images). (CVE-2016-9933)
Imap:
Fixed bug #73418 (Integer Overflow in "_php_imap_mail" leads Heap Overflow).
SPL:
Fixed bug #73144 (Use-after-free in ArrayObject Deserialization).
SOAP:
Fixed bug #73037 (SoapServer reports Bad Request when gzipped).
SQLite3:
Fixed bug #73333 (2147483647 is fetched as string).
Standard:
Fixed bug #73203 (passing additional_parameters causes mail to fail).
Fixed bug #73188 (use after free in userspace streams).
Fixed bug #73192 (parse_url return wrong hostname).
Wddx:
Fixed bug #73331 (NULL Pointer Dereference in WDDX Packet Deserialization with PDORow). (CVE-2016-9934)
Version 5.6.27
13 Oct 2016
Core:
Fixed bug #73025 (Heap Buffer Overflow in virtual_popen of zend_virtual_cwd.c).
Fixed bug #73058 (crypt broken when salt is 'too' long).
Fixed bug #72703 (Out of bounds global memory read in BF_crypt triggered by password_verify).
Fixed bug #73189 (Memcpy negative size parameter php_resolve_path).
Fixed bug #73147 (Use After Free in unserialize()).
BCmath:
Fixed bug #73190 (memcpy negative parameter _bc_new_num_ex).
DOM:
Fixed bug #73150 (missing NULL check in dom_document_save_html).
Ereg:
Fixed bug #73284 (heap overflow in php_ereg_replace function).
Filter:
Fixed bug #72972 (Bad filter for the flags FILTER_FLAG_NO_RES_RANGE and FILTER_FLAG_NO_PRIV_RANGE).
Fixed bug #67167 (Wrong return value from FILTER_VALIDATE_BOOLEAN, FILTER_NULL_ON_FAILURE).
Fixed bug #73054 (default option ignored when object passed to int filter).
GD:
Fixed bug #67325 (imagetruecolortopalette: white is duplicated in palette).
Fixed bug #50194 (imagettftext broken on transparent background w/o alphablending).
Fixed bug #73003 (Integer Overflow in gdImageWebpCtx of gd_webp.c).
Fixed bug #53504 (imagettfbbox gives incorrect values for bounding box).
Fixed bug #73157 (imagegd2() ignores 3rd param if 4 are given).
Fixed bug #73155 (imagegd2() writes wrong chunk sizes on boundaries).
Fixed bug #73159 (imagegd2(): unrecognized formats may result in corrupted files).
Fixed bug #73161 (imagecreatefromgd2() may leak memory).
Intl:
Fixed bug #73218 (add mitigation for ICU int overflow).
Imap:
Fixed bug #73208 (integer overflow in imap_8bit caused heap corruption).
Mbstring:
Fixed bug #72994 (mbc_to_code() out of bounds read).
Fixed bug #66964 (mb_convert_variables() cannot detect recursion).
Fixed bug #72992 (mbstring.internal_encoding doesn't inherit default_charset).
Fixed bug #73082 (string length overflow in mb_encode_* function).
PCRE:
Fixed bug #73174 (heap overflow in php_pcre_replace_impl).
Opcache:
Fixed bug #72590 (Opcache restart with kill_all_lockers does not work).
OpenSSL:
Fixed bug #73072 (Invalid path SNI_server_certs causes segfault).
Fixed bug #73275 (crash in openssl_encrypt function).
Fixed bug #73276 (crash in openssl_random_pseudo_bytes function).
Session:
Fixed bug #68015 (Session does not report invalid uid for files save handler).
Fixed bug #73100 (session_destroy null dereference in ps_files_path_create).
SimpleXML:
Fixed bug #73293 (NULL pointer dereference in SimpleXMLElement::asXML()).
SPL:
Fixed bug #73073 (CachingIterator null dereference when convert to string).
Standard:
Fixed bug #73240 (Write out of bounds at number_format).
Fixed bug #73017 (memory corruption in wordwrap function).
Stream:
Fixed bug #73069 (readfile() mangles files larger than 2G).
Zip:
Fixed bug #70752 (Depacking with wrong password leaves 0 length files).
Version 5.6.26
15 Sep 2016
Core:
Fixed bug #72907 (null pointer deref, segfault in gc_remove_zval_from_buffer (zend_gc.c:260)).
Dba:
Fixed bug #71514 (Bad dba_replace condition because of wrong API usage).
Fixed bug #70825 (Cannot fetch multiple values with group in ini file).
EXIF:
Fixed bug #72926 (Uninitialized Thumbnail Data Leads To Memory Leakage in exif_process_IFD_in_TIFF).
FTP:
Fixed bug #70195 (Cannot upload file using ftp_put to FTPES with require_ssl_reuse).
GD:
Fixed bug #66005 (imagecopy does not support 1bit transparency on truecolor images).
Fixed bug #72913 (imagecopy() loses single-color transparency on palette images).
Fixed bug #68716 (possible resource leaks in _php_image_convert()).
Intl:
Fixed bug #73007 (add locale length check). (CVE-2016-7416)
JSON:
Fixed bug #72787 (json_decode reads out of bounds).
mbstring:
Fixed bug #66797 (mb_substr only takes 32-bit signed integer).
Fixed bug #72910 (Out of bounds heap read in mbc_to_code() / triggered by mb_ereg_match()).
MSSQL:
Fixed bug #72039 (Use of uninitialised value on mssql_guid_string).
Mysqlnd:
Fixed bug #72293 (Heap overflow in mysqlnd related to BIT fields). (CVE-2016-7412)
PDO:
Fixed bug #60665 (call to empty() on NULL result using PDO::FETCH_LAZY returns false).
PDO_pgsql:
Implemented FR #72633 (Postgres PDO lastInsertId() should work without specifying a sequence).
Fixed bug #72759 (Regression in pgo_pgsql).
Phar:
Fixed bug #72928 (Out of bound when verify signature of zip phar in phar_parse_zipfile). (CVE-2016-7414)
Fixed bug #73035 (Out of bound when verify signature of tar phar in phar_parse_tarfile).
SPL:
Fixed bug #73029 (Missing type check when unserializing SplArray). (CVE-2016-7417)
Standard:
Fixed bug #72823 (strtr out-of-bound access).
Fixed bug #72278 (getimagesize returning FALSE on valid jpg).
Fixed bug #65550 (get_browser() incorrectly parses entries with "+" sign).
Fixed bug #71882 (Negative ftruncate() on php://memory exhausts memory).
Fixed bug #73011 (integer overflow in fgets cause heap corruption).
Fixed bug #73017 (memory corruption in wordwrap function).
Fixed bug #73045 (integer overflow in fgetcsv caused heap corruption).
Fixed bug #73052 (Memory Corruption in During Deserialized-object Destruction). (CVE-2016-7411)
Streams:
Fixed bug #72853 (stream_set_blocking doesn't work).
Wddx:
Fixed bug #72860 (wddx_deserialize use-after-free). (CVE-2016-7413)
Fixed bug #73065 (Out-Of-Bounds Read in php_wddx_push_element). (CVE-2016-7418)
XML:
Fixed bug #72085 (SEGV on unknown address zif_xml_parse).
Fixed bug #72927 (integer overflow in xml_utf8_encode).
ZIP:
Fixed bug #68302 (impossible to compile php with zip support).
Version 5.6.25
18 Aug 2016
Core:
Fixed bug #70436 (Use After Free Vulnerability in unserialize()).
Fixed bug #72024 (microtime() leaks memory).
Fixed bug #72581 (previous property undefined in Exception after deserialization).
Implemented FR #72614 (Support "nmake test" on building extensions by phpize).
Fixed bug #72641 (phpize (on Windows) ignores PHP_PREFIX).
Fixed bug #72663 (Create an Unexpected Object and Don't Invoke __wakeup() in Deserialization). (CVE-2016-7124)
Fixed bug #72681 (PHP Session Data Injection Vulnerability). (CVE-2016-7125)
Bz2:
Fixed bug #72837 (integer overflow in bzdecompress caused heap corruption).
Calendar:
Fixed bug #67976 (cal_days_month() fails for final month of the French calendar).
Fixed bug #71894 (AddressSanitizer: global-buffer-overflow in zif_cal_from_jd).
Curl:
Fixed bug #71144 (Segmentation fault when using cURL with ZTS).
Fixed bug #71929 (Certification information (CERTINFO) data parsing error).
Fixed bug #72807 (integer overflow in curl_escape caused heap corruption).
DOM:
Fixed bug #66502 (DOM document dangling reference).
Ereg:
Fixed bug #72838 (Integer overflow lead to heap corruption in sql_regcase).
EXIF:
Fixed bug #72627 (Memory Leakage In exif_process_IFD_in_TIFF). (CVE-2016-7128)
Fixed bug #72735 (Samsung picture thumb not read (zero size)).
Filter:
Fixed bug #71745 (FILTER_FLAG_NO_RES_RANGE does not cover whole 127.0.0.0/8 range).
FPM:
Fixed bug #72575 (using --allow-to-run-as-root should ignore missing user).
GD:
Fixed bug #43828 (broken transparency of imagearc for truecolor in blendingmode).
Fixed bug #66555 (Always false condition in ext/gd/libgd/gdkanji.c).
Fixed bug #68712 (suspicious if-else statements).
Fixed bug #70315 (500 Server Error but page is fully rendered).
Fixed bug #72596 (imagetypes function won't advertise WEBP support).
Fixed bug #72604 (imagearc() ignores thickness for full arcs).
Fixed bug #72697 (select_colors write out-of-bounds). (CVE-2016-7126)
Fixed bug #72709 (imagesetstyle() causes OOB read for empty $styles).
Fixed bug #72730 (imagegammacorrect allows arbitrary write access). (CVE-2016-7127)
Fixed bug #72494 (imagecropauto out-of-bounds access).
Intl:
Partially fixed #72506 (idn_to_ascii for UTS #46 incorrect for long domain names).
mbstring:
Fixed bug #72691 (mb_ereg_search raises a warning if a match zero-width).
Fixed bug #72693 (mb_ereg_search increments search position when a match zero-width).
Fixed bug #72694 (mb_ereg_search_setpos does not accept a string's last position).
Fixed bug #72710 (`mb_ereg` causes buffer overflow on regexp compile error).
PCRE:
Fixed bug #72688 (preg_match missing group names in matches).
PDO_pgsql:
Fixed bug #70313 (PDO statement fails to throw exception).
Reflection:
Fixed bug #72222 (ReflectionClass::export doesn't handle array constants).
SNMP:
Fixed bug #72708 (php_snmp_parse_oid integer overflow in memory allocation).
Standard:
Fixed bug #72330 (CSV fields incorrectly split if escape char followed by UTF chars).
Fixed bug #72836 (integer overflow in base64_decode).
Fixed bug #72848 (integer overflow in quoted_printable_encode).
Fixed bug #72849 (integer overflow in urlencode).
Fixed bug #72850 (integer overflow in php_uuencode).
Fixed bug #72716 (initialize buffer before read).
Streams:
Fixed bug #41021 (Problems with the ftps wrapper).
Fixed bug #54431 (opendir() does not work with ftps:// wrapper).
Fixed bug #72667 (opendir() with ftp:// attempts to open data stream for non-existent directories).
Fixed bug #72764 (ftps:// opendir wrapper data channel encryption fails with IIS FTP 7.5, 8.5).
Fixed bug #72771 (ftps:// wrapper is vulnerable to protocol downgrade attack).
SPL:
Fixed bug #72122 (IteratorIterator breaks '@' error suppression).
Fixed bug #72646 (SplFileObject::getCsvControl does not return the escape character).
Fixed bug #72684 (AppendIterator segfault with closed generator).
SQLite3:
Implemented FR #72653 (SQLite should allow opening with empty filename).
Wddx:
Fixed bug #72142 (WDDX Packet Injection Vulnerability in wddx_serialize_value()).
Fixed bug #72749 (wddx_deserialize allows illegal memory access). (CVE-2016-7129)
Fixed bug #72750 (wddx_deserialize null dereference). (CVE-2016-7130)
Fixed bug #72790 (wddx_deserialize null dereference with invalid xml). (CVE-2016-7131)
Fixed bug #72799 (wddx_deserialize null dereference in php_wddx_pop_element). (CVE-2016-7132)
Version 5.6.24
21 Jul 2016
Core:
Fixed bug #71936 (Segmentation fault destroying HTTP_RAW_POST_DATA).
Fixed bug #72496 (Cannot declare public method with signature incompatible with parent private method).
Fixed bug #72138 (Integer Overflow in Length of String-typed ZVAL).
Fixed bug #72513 (Stack-based buffer overflow vulnerability in virtual_file_ex). (CVE-2016-6289)
Fixed bug #72562 (Use After Free in unserialize() with Unexpected Session Deserialization). (CVE-2016-6290)
Fixed bug #72573 (HTTP_PROXY is improperly trusted by some PHP libraries and applications). (CVE-2016-5385)
bz2:
Fixed bug #72447 (Type Confusion in php_bz2_filter_create()).
Fixed bug #72613 (Inadequate error handling in bzread()). (CVE-2016-5399)
Date:
Fixed bug #66836 (DateTime::createFromFormat 'U' with pre 1970 dates fails parsing).
EXIF:
Fixed bug #50845 (exif_read_data() returns corrupted exif headers).
Fixed bug #72603 (Out of bound read in exif_process_IFD_in_MAKERNOTE). (CVE-2016-6291)
Fixed bug #72618 (NULL Pointer Dereference in exif_process_user_comment). (CVE-2016-6292)
GD:
Fixed bug #43475 (Thick styled lines have scrambled patterns).
Fixed bug #53640 (XBM images require width to be multiple of 8).
Fixed bug #64641 (imagefilledpolygon doesn't draw horizontal line).
Fixed bug #72512 (gdImageTrueColorToPaletteBody allows arbitrary write/read access).
Fixed bug #72519 (imagegif/output out-of-bounds access).
Fixed bug #72558 (Integer overflow error within _gdContributionsAlloc()). (CVE-2016-6207)
Intl:
Fixed bug #72533 (locale_accept_from_http out-of-bounds access). (CVE-2016-6294)
OpenSSL:
Fixed bug #71915 (openssl_random_pseudo_bytes is not fork-safe).
Fixed bug #72336 (openssl_pkey_new does not fail for invalid DSA params).
SNMP:
Fixed bug #72479 (Use After Free Vulnerability in SNMP with GC and unserialize()). (CVE-2016-6295)
SPL:
Fixed bug #55701 (GlobIterator throws LogicException).
SQLite3:
Fixed bug #70628 (Clearing bindings on an SQLite3 statement doesn't work).
Streams:
Fixed bug #72439 (Stream socket with remote address leads to a segmentation fault).
Xmlrpc:
Fixed bug #72606 (heap-buffer-overflow (write) simplestring_addn simplestring.c). (CVE-2016-6296)
Zip:
Fixed bug #72520 (Stack-based buffer overflow vulnerability in php_stream_zip_opener). (CVE-2016-6297)
Version 5.6.23
23 Jun 2016
Core:
Fixed bug #72268 (Integer Overflow in nl2br()).
Fixed bug #72275 (Integer Overflow in json_encode()/json_decode()/json_utf8_to_utf16()).
Fixed bug #72400 (Integer Overflow in addcslashes/addslashes).
Fixed bug #72403 (Integer Overflow in Length of String-typed ZVAL).
Date:
Fixed bug #63740 (strtotime seems to use both sunday and monday as start of week).
GD:
Fixed bug #72298 (pass2_no_dither out-of-bounds access).
Fixed bug #72337 (invalid dimensions can lead to crash).
Fixed bug #72339 (Integer Overflow in _gd2GetHeader() resulting in heap overflow). (CVE-2016-5766)
Fixed bug #72407 (NULL Pointer Dereference at _gdScaleVert).
Fixed bug #72446 (Integer Overflow in gdImagePaletteToTrueColor() resulting in heap overflow). (CVE-2016-5767)
Intl:
Fixed bug #70484 (selectordinal doesn't work with named parameters).
mbstring:
Fixed bug #72402 (_php_mb_regex_ereg_replace_exec - double free). (CVE-2016-5768)
mcrypt:
Fixed bug #72455 (Heap Overflow due to integer overflows). (CVE-2016-5769)
OpenSSL:
Fixed bug #72140 (segfault after calling ERR_free_strings()).
Phar:
Fixed bug #72321 (invalid free in phar_extract_file()). (CVE-2016-4473)
SPL:
Fixed bug #72262 (int/size_t confusion in SplFileObject::fread). (CVE-2016-5770)
Fixed bug #72433 (Use After Free Vulnerability in PHP's GC algorithm and unserialize). (CVE-2016-5771)
WDDX:
Fixed bug #72340 (Double Free Corruption in wddx_deserialize). (CVE-2016-5772)
zip:
Fixed bug #72434 (ZipArchive class Use After Free Vulnerability in PHP's GC algorithm and unserialize). (CVE-2016-5773)
Version 5.6.22
26 May 2016
Core:
Fixed bug #72172 (zend_hex_strtod should not use strlen).
Fixed bug #72114 (Integer underflow / arbitrary null write in fread/gzread). (CVE-2016-5096)
Fixed bug #72135 (Integer Overflow in php_html_entities). (CVE-2016-5094)
GD:
Fixed bug #72227 (imagescale out-of-bounds read). (CVE-2013-7456)
Intl:
Fixed bug #64524 (Add intl.use_exceptions to php.ini-*).
Fixed bug #72241 (get_icu_value_internal out-of-bounds read). (CVE-2016-5093)
Postgres:
Fixed bug #72151 (mysqli_fetch_object changed behaviour). Patch to #71820 is reverted.
Version 5.6.21
28 Apr 2016
Core:
Fixed bug #69537 (__debugInfo with empty string for key gives error).
Fixed bug #71841 (EG(error_zval) is not handled well).
BCmath:
Fixed bug #72093 (bcpowmod accepts negative scale and corrupts _one_ definition). (CVE-2016-4537, CVE-2016-4538)
Curl:
Fixed bug #71831 (CURLOPT_NOPROXY applied as long instead of string).
Date:
Fixed bug #71889 (DateInterval::format Segmentation fault).
EXIF:
Fixed bug #72094 (Out of bounds heap read access in exif header processing). (CVE-2016-4542, CVE-2016-4543, CVE-2016-4544)
GD:
Fixed bug #71952 (Corruption inside imageaffinematrixget).
Fixed bug #71912 (libgd: signedness vulnerability). (CVE-2016-3074)
Intl:
Fixed bug #72061 (Out-of-bounds reads in zif_grapheme_stripos with negative offset). (CVE-2016-4540, CVE-2016-4541)
OCI8:
Fixed bug #71422 (Fix ORA-01438: value larger than specified precision allowed for this column).
ODBC:
Fixed bug #63171 (Script hangs after max_execution_time).
Opcache:
Fixed bug #71843 (null ptr deref ZEND_RETURN_SPEC_CONST_HANDLER).
PDO:
Fixed bug #52098 (Own PDOStatement implementation ignore __call()).
Fixed bug #71447 (Quotes inside comments not properly handled).
Postgres:
Fixed bug #71820 (pg_fetch_object binds parameters before call constructor).
SPL:
Fixed bug #67582 (Cloned SplObjectStorage with overwritten getHash fails offsetExists()).
Standard:
Fixed bug #71840 (Unserialize accepts wrongly data).
Fixed bug #67512 (php_crypt() crashes if crypt_r() does not exist or _REENTRANT is not defined).
XML:
Fixed bug #72099 (xml_parse_into_struct segmentation fault). (CVE-2016-4539)
Version 5.6.20
31 Mar 2016
CLI Server:
Fixed bug #69953 (Support MKCALENDAR request method).
Core:
Fixed bug #71596 (Segmentation fault on ZTS with date function (setlocale)).
Curl:
Fixed bug #71694 (Support constant CURLM_ADDED_ALREADY).
Date:
Fixed bug #71635 (DatePeriod::getEndDate segfault).
Fileinfo:
Fixed bug #71527 (Buffer over-write in finfo_open with malformed magic file). (CVE-2015-8865)
Mbstring:
Fixed bug #71906 (AddressSanitizer: negative-size-param (-1) in mbfl_strcut). (CVE-2016-4073)
ODBC:
Fixed bug #47803, #69526 (Executing prepared statements is successful only for the first two statements).
Fixed bug #71860 (Invalid memory write in phar on filename with \0 in name). (CVE-2016-4072)
PDO_DBlib:
Fixed bug #54648 (PDO::MSSQL forces format of datetime fields).
Phar:
Fixed bug #71625 (Crash in php7.dll with bad phar filename).
Fixed bug #71504 (Parsing of tar file with duplicate filenames causes memory leak).
SNMP:
Fixed bug #71704 (php_snmp_error() Format String Vulnerability). (CVE-2016-4071)
Standard:
Fixed bug #71798 (Integer Overflow in php_raw_url_encode). (CVE-2016-4070)
Version 5.6.19
03 Mar 2016
CLI server:
Fixed bug #71559 (Built-in HTTP server, we can download file in web by bug).
CURL:
Fixed bug #71523 (Copied handle with new option CURLOPT_HTTPHEADER crashes while curl_multi_exec).
Date:
Fixed bug #68078 (Datetime comparisons ignore microseconds).
Fixed bug #71525 (Calls to date_modify will mutate timelib_rel_time, causing date_date_set issues).
Fileinfo:
Fixed bug #71434 (finfo throws notice for specific python file).
FPM:
Fixed bug #62172 (FPM not working with Apache httpd 2.4 balancer/fcgi setup).
Opcache:
Fixed bug #71584 (Possible use-after-free of ZCG(cwd) in Zend Opcache).
PDO MySQL:
Phar:
Fixed bug #71498 (Out-of-Bound Read in phar_parse_zipfile()).
Standard:
Fixed bug #70720 (strip_tags improper php code parsing).
WDDX:
Fixed bug #71587 (Use-After-Free / Double-Free in WDDX Deserialize).
XSL:
Fixed bug #71540 (NULL pointer dereference in xsl_ext_function_php()).
Zip:
Fixed bug #71561 (NULL pointer dereference in Zip::ExtractTo).
Version 5.6.18
04 Feb 2016
Core:
Added support for new HTTP 451 code.
Fixed bug #71039 (exec functions ignore length but look for NULL termination).
Fixed bug #71089 (No check to duplicate zend_extension).
Fixed bug #71201 (round() segfault on 64-bit builds).
Fixed bug #71273 (A wrong ext directory setup in php.ini leads to crash).
Fixed bug #71323 (Output of stream_get_meta_data can be falsified by its input).
Fixed bug #71459 (Integer overflow in iptcembed()).
Apache2handler:
Fix >2G Content-Length headers in apache2handler.
FTP:
Implemented FR #55651 (Option to ignore the returned FTP PASV address).
GD:
Opcache:
Fixed bug #71127 (Define in auto_prepend_file is overwrite).
Fixed bug #71024 (Unable to use PHP 7.0 x64 side-by-side with PHP 5.6 x32 on the same server).
PCRE:
Upgraded bundled PCRE library to 8.38. (CVE-2015-8383, CVE-2015-8386, CVE-2015-8387, CVE-2015-8389, CVE-2015-8390, CVE-2015-8391, CVE-2015-8393, CVE-2015-8394)
Phar:
Fixed bug #71354 (Heap corruption in tar/zip/phar parser). (CVE-2016-4342)
Fixed bug #71331 (Uninitialized pointer in phar_make_dirstream()). (CVE-2016-4343)
Fixed bug #71391 (NULL Pointer Dereference in phar_tar_setupmetadata()).
Fixed bug #71488 (Stack overflow when decompressing tar archives). (CVE-2016-2554)
Session:
Fixed bug #69111 (Crash in SessionHandler::read()).
SOAP:
Fixed bug #70979 (crash with bad soap request).
SPL:
Fixed bug #71204 (segfault if clean spl_autoload_funcs while autoloading).
WDDX:
Fixed bug #71335 (Type Confusion in WDDX Packet Deserialization).
Version 5.6.17
07 Jan 2016
Core:
Fixed bug #66909 (configure fails utf8_to_mutf7 test).
Fixed bug #70958 (Invalid opcode while using ::class as trait method parameter default value).
Fixed bug #70957 (self::class can not be resolved with reflection for abstract class).
Fixed bug #70944 (try{ } finally{} can create infinite chains of exceptions).
Fixed bug #61751 (SAPI build problem on AIX: Undefined symbol: php_register_internal_extensions).
FPM:
Fixed bug #70755 (fpm_log.c memory leak and buffer overflow). (CVE-2016-5114)
GD:
Fixed bug #70976 (Memory Read via gdImageRotateInterpolated Array Index Out of Bounds). (CVE-2016-1903)
Mysqlnd:
Fixed bug #68077 (LOAD DATA LOCAL INFILE / open_basedir restriction).
SOAP:
Fixed bug #70900 (SoapClient systematic out of memory error).
Standard:
Fixed bug #70960 (ReflectionFunction for array_unique returns wrong number of parameters).
PDO_Firebird:
Fixed bug #60052 (Integer returned as a 64bit integer on X64_86).
WDDX:
Fixed bug #70661 (Use After Free Vulnerability in WDDX Packet Deserialization).
Fixed bug #70741 (Session WDDX Packet Deserialization Type Confusion Vulnerability).
XMLRPC:
Fixed bug #70728 (Type Confusion Vulnerability in PHP_to_XMLRPC_worker()).
Version 5.6.16
26 Nov 2015
Core:
Fixed bug #70828 (php-fpm 5.6 with opcache crashes when referencing a non-existent constant).
Fixed bug #70748 (Segfault in ini_lex () at Zend/zend_ini_scanner.l).
Mysqlnd:
Fixed bug #68344 (MySQLi does not provide way to disable peer certificate validation) by introducing MYSQLI_CLIENT_SSL_DONT_VERIFY_SERVER_CERT connection flag.
OCI8:
Fixed bug #68298 (OCI int overflow).
PDO_DBlib:
Fixed bug #69757 (Segmentation fault on nextRowset).
SOAP:
Fixed bug #70875 (Segmentation fault if wsdl has no targetNamespace attribute).
SPL:
Fixed bug #70852 (Segfault getting NULL offset of an ArrayObject).
Version 5.6.15
29 Oct 2015
Core:
Fixed bug #70681 (Segfault when binding $this of internal instance method to null).
Fixed bug #70685 (Segfault for getClosure() internal method rebind with invalid $this).
Date:
Fixed bug #70619 (DateTimeImmutable segfault).
Mcrypt:
Fixed bug #70625 (mcrypt_encrypt() won't return data when no IV was specified under RC4).
Mysqlnd:
Fixed bug #70384 (mysqli_real_query():Unknown type 245 sent by the server).
Fixed bug #70572 (segfault in mysqlnd_connect).
Opcache:
Fixed bug #70632 (Third one of segfault in gc_remove_from_buffer).
Fixed bug #70631 (Another Segfault in gc_remove_from_buffer()).
Fixed bug #70601 (Segfault in gc_remove_from_buffer()).
Fixed compatibility with Windows 10 (see also #70652).
Version 5.6.14
01 Oct 2015
Core:
Fixed bug #70370 (Bundled libtool.m4 doesn't handle FreeBSD 10 when building extensions).
CLI server:
Fixed bug #68291 (404 on urls with '+').
DOM:
Fixed bug #70001 (Assigning to DOMNode::textContent does additional entity encoding).
ldap:
Fixed bug #70465 (Bug in ldap_search() modifies LDAP_OPT_TIMELIMIT/DEREF's values). (Tyson Andre).
Fixed bug #69574 (ldap timeouts not enforced). (Côme Bernigaud).
Mysqlnd:
Fixed bug #70456 (mysqlnd doesn't activate TCP keep-alive when connecting to a server).
OpenSSL:
Fixed bug #55259 (openssl extension does not get the DH parameters from DH key resource).
Fixed bug #70395 (Missing ARG_INFO for openssl_seal()).
Fixed bug #60632 (openssl_seal fails with AES).
Fixed bug #68312 (Lookup for openssl.cnf causes a message box).
PDO:
Fixed bug #70389 (PDO constructor changes unrelated variables).
Phar:
Fixed bug #69720 (Null pointer dereference in phar_get_fp_offset()). (CVE-2015-7803)
Fixed bug #70433 (Uninitialized pointer in phar_make_dirstream when zip entry filename is "/"). (CVE-2015-7804)
Phpdbg:
Fix phpdbg_break_next() sometimes not breaking.
Standard:
Fixed bug #67131 (setcookie() conditional for empty values not met).
Streams:
Fixed bug #70361 (HTTP stream wrapper doesn't close keep-alive connections).
Zip:
Fixed bug #70322 (ZipArchive::close() doesn't indicate errors).
Version 5.6.13
03 Sep 2015
Core:
Fixed bug #69900 (Too long timeout on pipes).
Fixed bug #69487 (SAPI may truncate POST data).
Fixed bug #70198 (Checking liveness does not work as expected).
Fixed bug #70172 (Use After Free Vulnerability in unserialize()). (CVE-2015-6834)
Fixed bug #70219 (Use after free vulnerability in session deserializer). (CVE-2015-6835)
CLI server:
Fixed bug #66606 (Sets HTTP_CONTENT_TYPE but not CONTENT_TYPE).
Fixed bug #70264 (CLI server directory traversal).
Date:
Fixed bug #70266 (DateInterval::__construct.interval_spec is not supposed to be optional).
Fixed bug #70277 (new DateTimeZone($foo) is ignoring text after null byte).
EXIF:
Fixed bug #70385 (Buffer over-read in exif_read_data with TIFF IFD tag byte value of 32 bytes).
GMP:
Fixed bug #70284 (Use after free vulnerability in unserialize() with GMP).
hash:
Fixed bug #70312 (HAVAL gives wrong hashes in specific cases).
MCrypt:
Fixed bug #69833 (mcrypt fd caching not working).
Opcache:
Fixed bug #70237 (Empty while and do-while segmentation fault with opcode on CLI enabled).
PCRE:
Fixed bug #70232 (Incorrect bump-along behavior with \K and empty string match).
Fixed bug #70345 (Multiple vulnerabilities related to PCRE functions).
SOAP:
Fixed bug #70388 (SOAP serialize_function_call() type confusion / RCE). (CVE-2015-6836)
SPL:
Fixed bug #70290 (Null pointer deref (segfault) in spl_autoload via ob_start).
Fixed bug #70303 (Incorrect constructor reflection for ArrayObject).
Fixed bug #70365 (Use-after-free vulnerability in unserialize() with SplObjectStorage). (CVE-2015-6834)
Fixed bug #70366 (Use-after-free vulnerability in unserialize() with SplDoublyLinkedList). (CVE-2015-6834)
Standard:
Fixed bug #70052 (getimagesize() fails for very large and very small WBMP).
Fixed bug #70157 (parse_ini_string() segmentation fault with INI_SCANNER_TYPED).
XSLT:
Fixed bug #69782 (NULL pointer dereference). (CVE-2015-6837, CVE-2015-6838)
ZIP:
Fixed bug #70350 (ZipArchive::extractTo allows for directory traversal when creating directories). (CVE-2014-9767)
Version 5.6.12
06 Aug 2015
Core:
Fixed bug #70012 (Exception lost with nested finally block).
Fixed bug #70002 (TS issues with temporary dir handling).
Fixed bug #69793 (Remotely triggerable stack exhaustion via recursive method calls).
Fixed bug #69892 (Different arrays compare identical due to integer key truncation).
Fixed bug #70121 (unserialize() could lead to unexpected methods execution / NULL pointer deref).
CLI server:
Fixed bug #69655 (php -S changes MKCALENDAR request method to MKCOL).
Fixed bug #64878 (304 responses return Content-Type header).
GD:
Fixed bug #53156 (imagerectangle problem with point ordering).
Fixed bug #66387 (Stack overflow with imagefilltoborder). (CVE-2015-8874)
Fixed bug #70102 (imagecreatefromwebm() shifts colors).
Fixed bug #66590 (imagewebp() doesn't pad to even length).
Fixed bug #66882 (imagerotate by -90 degrees truncates image by 1px).
Fixed bug #70064 (imagescale(..., IMG_BICUBIC) leaks memory).
Fixed bug #69024 (imagescale segfault with palette based image).
Fixed bug #53154 (Zero-height rectangle has whiskers).
Fixed bug #67447 (imagecrop() add a black line when cropping).
Fixed bug #68714 (copy 'n paste error).
Fixed bug #66339 (PHP segfaults in imagexbm).
Fixed bug #70047 (gd_info() doesn't report WebP support).
ODBC:
Fixed bug #69975 (PHP segfaults when accessing nvarchar(max) defined columns). (CVE-2015-8879)
OpenSSL:
Fixed bug #69882 (OpenSSL error "key values mismatch" after openssl_pkcs12_read with extra cert).
Fixed bug #70014 (openssl_random_pseudo_bytes() is not cryptographically secure). (CVE-2015-8867)
Phar:
Improved fix for bug #69441.
Fixed bug #70019 (Files extracted from archive may be placed outside of destination directory). (CVE-2015-6833)
SOAP:
Fixed bug #70081 (SoapClient info leak / null pointer dereference via multiple type confusions).
SPL:
Fixed bug #70068 (Dangling pointer in the unserialization of ArrayObject items). (CVE-2015-6832)
Fixed bug #70166 (Use After Free Vulnerability in unserialize() with SPLArrayObject). (CVE-2015-6831)
Fixed bug #70168 (Use After Free Vulnerability in unserialize() with SplObjectStorage). (CVE-2015-6831)
Fixed bug #70169 (Use After Free Vulnerability in unserialize() with SplDoublyLinkedList). (CVE-2015-6831)
Standard:
Fixed bug #70096 (Repeated iptcembed() adds superfluous FF bytes).
Version 5.6.11
10 Jul 2015
Core:
Fixed bug #69768 (escapeshell*() doesn't cater to !).
Fixed bug #69703 (Use __builtin_clzl on PowerPC).
Fixed bug #69732 (can induce segmentation fault with basic php code).
Fixed bug #69642 (Windows 10 reported as Windows 8).
Fixed bug #69551 (parse_ini_file() and parse_ini_string() segmentation fault).
Fixed bug #69781 (phpinfo() reports Professional Editions of Windows 7/8/8.1/10 as "Business").
Fixed bug #69740 (finally in generator (yield) swallows exception in iteration).
Fixed bug #69835 (phpinfo() does not report many Windows SKUs).
Fixed bug #69892 (Different arrays compare identical due to integer key truncation).
Fixed bug #69874 (Can't set empty additional_headers for mail()), regression from fix to bug #68776.
GD:
Fixed bug #61221 (imagegammacorrect function loses alpha channel).
GMP:
Fixed bug #69803 (gmp_random_range() modifies second parameter if GMP number).
Mysqlnd:
Fixed bug #69669 (mysqlnd is vulnerable to BACKRONYM). (CVE-2015-3152)
PCRE:
Fixed bug #53823 (preg_replace: * qualifier on unicode replace garbles the string).
Fixed bug #69864 (Segfault in preg_replace_callback).
PDO_pgsql:
Fixed bug #69752 (PDOStatement::execute() leaks memory with DML Statements when closeCuror() is u).
Fixed bug #69362 (PDO-pgsql fails to connect if password contains a leading single quote).
Fixed bug #69344 (PDO PgSQL Incorrect binding numeric array with gaps).
Phar:
Fixed bug #69958 (Segfault in Phar::convertToData on invalid file). (CVE-2015-5589)
Fixed bug #69923 (Buffer overflow and stack smashing error in phar_fix_filepath). (CVE-2015-5590)
SimpleXML:
Refactored the fix for bug #66084 (simplexml_load_string() mangles empty node name).
SPL:
Fixed bug #69737 (Segfault when SplMinHeap::compare produces fatal error).
Fixed bug #67805 (SplFileObject setMaxLineLength).
Fixed bug #69970 (Use-after-free vulnerability in spl_recursive_it_move_forward_ex()).
Sqlite3:
Fixed bug #69972 (Use-after-free vulnerability in sqlite3SafetyCheckSickOrOk()).
Version 5.6.10
11 Jun 2015
Core:
Fixed bug #66048 (temp. directory is cached during multiple requests).
Fixed bug #69566 (Conditional jump or move depends on uninitialised value in extension trait).
Fixed bug #69599 (Strange generator+exception+variadic crash).
Fixed bug #69628 (complex GLOB_BRACE fails on Windows).
Fixed POST data processing slowdown due to small input buffer size on Windows.
Fixed bug #69646 (OS command injection vulnerability in escapeshellarg). (CVE-2015-4642)
Fixed bug #69719 (Incorrect handling of paths with NULs). (CVE-2015-4598)
FTP:
Improved fix for bug #69545 (Integer overflow in ftp_genlist() resulting in heap overflow). (CVE-2015-4643)
GD:
Fixed bug #69479 (GD fails to build with newer libvpx).
Iconv:
Fixed bug #48147 (iconv with //IGNORE cuts the string).
Litespeed SAPI:
Fixed bug #68812 (Unchecked return value).
Mail:
Fixed bug #68776 (mail() does not have mail header injection prevention for additional headers).
MCrypt:
Added file descriptor caching to mcrypt_create_iv().
Opcache:
Fixed bug #69549 (Memory leak with opcache.optimization_level=0xFFFFFFFF).
Phar:
Fixed bug #69680 (phar symlink in binary directory broken).
Postgres:
Fixed bug #69667 (segfault in php_pgsql_meta_data). (CVE-2015-4644)
Sqlite3:
Upgrade bundled sqlite to 3.8.10.2. (CVE-2015-3414, CVE-2015-3415, CVE-2015-3416)
Version 5.6.9
14 May 2015
Core:
Fixed bug #69467 (Wrong checked for the interface by using Trait).
Fixed bug #69420 (Invalid read in zend_std_get_method).
Fixed bug #60022 ("use statement [...] has no effect" depends on leading backslash).
Fixed bug #67314 (Segmentation fault in gc_remove_zval_from_buffer).
Fixed bug #68652 (segmentation fault in destructor).
Fixed bug #69419 (Returning compatible sub generator produces a warning).
Fixed bug #69472 (php_sys_readlink ignores misc errors from GetFinalPathNameByHandleA).
Fixed bug #69364 (PHP Multipart/form-data remote dos Vulnerability). (CVE-2015-4024)
Fixed bug #69403 (str_repeat() sign mismatch based memory corruption).
Fixed bug #69418 (CVE-2006-7243 fix regressions in 5.4+). (CVE-2015-4025)
Fixed bug #69522 (heap buffer overflow in unpack()).
FTP:
Fixed bug #69545 (Integer overflow in ftp_genlist() resulting in heap overflow). (CVE-2015-4022)
ODBC:
Fixed bug #69354 (Incorrect use of SQLColAttributes with ODBC 3.0).
Fixed bug #69474 (ODBC: Query with same field name from two tables returns incorrect result).
Fixed bug #69381 (out of memory with sage odbc driver).
OpenSSL:
Fixed bug #69402 (Reading empty SSL stream hangs until timeout).
PCNTL:
Fixed bug #68598 (pcntl_exec() should not allow null char). (CVE-2015-4026)
PCRE:
Upgraded pcrelib to 8.37. (CVE-2015-2325, CVE-2015-2326)
Phar:
Fixed bug #69453 (Memory Corruption in phar_parse_tarfile when entry filename starts with null). (CVE-2015-4021)
Version 5.6.8
16 Apr 2015
Core:
Fixed bug #66609 (php crashes with __get() and ++ operator in some cases).
Fixed bug #68021 (get_browser() browser_name_regex returns non-utf-8 characters).
Fixed bug #68917 (parse_url fails on some partial urls).
Fixed bug #69134 (Per Directory Values overrides PHP_INI_SYSTEM configuration options).
Additional fix for bug #69152 (Type confusion vulnerability in exception::getTraceAsString).
Fixed bug #69210 (serialize function return corrupted data when sleep has non-string values).
Fixed bug #69212 (Leaking VIA_HANDLER func when exception thrown in __call/... arg passing).
Fixed bug #69221 (Segmentation fault when using a generator in combination with an Iterator).
Fixed bug #69337 (php_stream_url_wrap_http_ex() type-confusion vulnerability).
Fixed bug #69353 (Missing null byte checks for paths in various PHP extensions). (CVE-2015-3411, CVE-2015-3412)
Apache2handler:
Fixed bug #69218 (potential remote code execution with apache 2.4 apache2handler). (CVE-2015-3330)
cURL:
Implemented FR #69278 (HTTP2 support).
Fixed bug #68739 (Missing break / control flow).
Fixed bug #69316 (Use-after-free in php_curl related to CURLOPT_FILE/_INFILE/_WRITEHEADER).
Date:
Fixed bug #69336 (Issues with "last day of <monthname>").
Enchant:
Fixed bug #65406 (Enchant broker plugins are in the wrong place in windows builds).
Ereg:
Fixed bug #68740 (NULL Pointer Dereference).
Fileinfo:
Fixed bug #68819 (Fileinfo on specific file causes spurious OOM and/or segfault). (CVE-2015-4604, CVE-2015-4605)
Filter:
Fixed bug #69202 (FILTER_FLAG_STRIP_BACKTICK ignored unless other flags are used).
Fixed bug #69203 (FILTER_FLAG_STRIP_HIGH doesn't strip ASCII 127).
Mbstring:
Fixed bug #68846 (False detection of CJK Unified Ideographs Extension E).
OPCache:
Fixed bug #69297 (function_exists strange behavior with OPCache on disabled function).
Fixed bug #69281 (opcache_is_script_cached no longer works).
Fixed bug #68677 (Use After Free). (CVE-2015-1351)
OpenSSL:
Fixed bug #68853, #65137 (Buffered crypto stream data breaks IO polling in stream_select() contexts).
Fixed bug #69197 (openssl_pkcs7_sign handles default value incorrectly).
Fixed bug #69215 (Crypto servers should send client CA list).
Add a check for RAND_egd to allow compiling against LibreSSL.
Phar:
Fixed bug #64343 (PharData::extractTo fails for tarball created by BSD tar).
Fixed bug #64931 (phar_add_file is too restrictive on filename).
Fixed bug #65467 (Call to undefined method cli_arg_typ_string).
Fixed bug #67761 (Phar::mapPhar fails for Phars inside a path containing ".tar").
Fixed bug #69324 (Buffer Over-read in unserialize when parsing Phar). (CVE-2015-2783, CVE-2015-3307)
Fixed bug #69441 (Buffer Overflow when parsing tar/zip/phar in phar_set_inode). (CVE-2015-3329)
Postgres:
Fixed bug #68741 (Null pointer dereference). (CVE-2015-1352)
SOAP:
Fixed bug #69152 (Type Confusion Infoleak Vulnerability in unserialize() with SoapFault). (CVE-2015-4599)
Fixed bug #69293 (NEW segfault when using SoapClient::__setSoapHeader (bisected, regression)).
SPL:
Fixed bug #69227 (Use after free in zval_scan caused by spl_object_storage_get_gc).
Sqlite3:
Fixed bug #68760 (SQLITE segfaults if custom collator throws an exception).
Fixed bug #69287 (Upgrade bundled libsqlite to 3.8.8.3).
Fixed bug #66550 (SQLite prepared statement use-after-free).
Version 5.6.7
19 Mar 2015
Core:
Fixed bug #69174 (leaks when unused inner class use traits precedence).
Fixed bug #69139 (Crash in gc_zval_possible_root on unserialize).
Fixed bug #69121 (Segfault in get_current_user when script owner is not in passwd with ZTS build).
Fixed bug #65593 (Segfault when calling ob_start from output buffering callback).
Fixed bug #68986 (pointer returned by php_stream_fopen_temporary_file not validated in memory.c).
Fixed bug #68166 (Exception with invalid character causes segv).
Fixed bug #69141 (Missing arguments in reflection info for some builtin functions).
Fixed bug #68976 (Use After Free Vulnerability in unserialize()). (CVE-2015-2787)
Fixed bug #69134 (Per Directory Values overrides PHP_INI_SYSTEM configuration options).
Fixed bug #69207 (move_uploaded_file allows nulls in path). (CVE-2015-2348)
CGI:
Fixed bug #69015 (php-cgi's getopt does not see $argv).
CLI:
Fixed bug #67741 (auto_prepend_file messes up __LINE__).
cURL:
Fixed bug #69088 (PHP_MINIT_FUNCTION does not fully initialize cURL on Win32).
Add CURLPROXY_SOCKS4A and CURLPROXY_SOCKS5_HOSTNAME constants if supported by libcurl.
Ereg:
Fixed bug #69248 (heap overflow vulnerability in regcomp.c). (CVE-2015-2305)
FPM:
Fixed bug #68822 (request time is reset too early).
ODBC:
Fixed bug #68964 (Allowed memory size exhausted with odbc_exec).
Opcache:
Fixed bug #69159 (Opcache causes problem when passing a variable variable to a function).
Fixed bug #69125 (Array numeric string as key).
Fixed bug #69038 (switch(SOMECONSTANT) misbehaves).
OpenSSL:
Fixed bug #68912 (Segmentation fault at openssl_spki_new).
Fixed bug #61285, #68329, #68046, #41631 (encrypted streams don't observe socket timeouts).
Fixed bug #68920 (use strict peer_fingerprint input checks) (Daniel Lowrey)
Fixed bug #68879 (IP Address fields in subjectAltNames not used) (Daniel Lowrey)
Fixed bug #68265 (SAN match fails with trailing DNS dot) (Daniel Lowrey)
Fixed bug #67403 (Add signatureType to openssl_x509_parse) (Daniel Lowrey)
Fixed bug #69195 (Inconsistent stream crypto values across versions) (Daniel Lowrey)
pgsql:
Fixed bug #68638 (pg_update() fails to store infinite values).
Readline:
Fixed bug #69054 (Null dereference in readline_(read|write)_history() without parameters).
SOAP:
Fixed bug #69085 (SoapClient's __call() type confusion through unserialize()). (CVE-2015-4147, CVE-2015-4148)
SPL:
Fixed bug #69108 ("Segmentation fault" when (de)serializing SplObjectStorage).
Fixed bug #68557 (RecursiveDirectoryIterator::seek(0) broken after calling getChildren()).
ZIP:
Fixed bug #69253 (ZIP Integer Overflow leads to writing past heap boundary). (CVE-2015-2331)
Version 5.6.6
19 Feb 2015
Core:
Removed support for multi-line headers, as they are deprecated by RFC 7230.
Fixed bug #67068 (getClosure returns somethings that's not a closure).
Fixed bug #68942 (Use after free vulnerability in unserialize() with DateTimeZone). (CVE-2015-0273)
Fixed bug #68925 (Mitigation for CVE-2015-0235 – GHOST: glibc gethostbyname buffer overflow).
Fixed bug #67988 (htmlspecialchars() does not respect default_charset specified by ini_set).
Added NULL byte protection to exec, system and passthru.
Dba:
Fixed bug #68711 (useless comparisons).
Enchant:
Fixed bug #68552 (heap buffer overflow in enchant_broker_request_dict()). (CVE-2014-9705)
Fileinfo:
Fixed bug #68827 (Double free with disabled ZMM).
Fixed bug #67647 (Bundled libmagic 5.17 does not detect quicktime files correctly).
Fixed bug #68731 (finfo_buffer doesn't extract the correct mime with some gifs).
FPM:
Fixed bug #66479 (Wrong response to FCGI_GET_VALUES).
Fixed bug #68571 (core dump when webserver close the socket).
JSON:
Fixed bug #50224 (json_encode() does not always encode a float as a float) by adding JSON_PRESERVE_ZERO_FRACTION.
LIBXML:
Fixed bug #64938 (libxml_disable_entity_loader setting is shared between threads). (CVE-2015-8866)
Mysqli:
Fixed bug #68114 (linker error on some OS X machines with fixed width decimal support).
Fixed bug #68657 (Reading 4 byte floats with Mysqli and libmysqlclient has rounding errors).
Opcache:
Fixed bug with try blocks being removed when extended_info opcode generation is turned on.
PDO_mysql:
Fixed bug #68750 (PDOMysql with mysqlnd does not allow the usage of named pipes).
Phar:
Fixed bug #68901 (use after free). (CVE-2015-2301)
Pgsql:
Fixed bug #65199 (pg_copy_from() modifies input array variable).
Session:
Fixed bug #68941 (mod_files.sh is a bash-script).
Fixed bug #66623 (no EINTR check on flock).
Fixed bug #68063 (Empty session IDs do still start sessions).
Sqlite3:
Fixed bug #68260 (SQLite3Result::fetchArray declares wrong required_num_args).
Standard:
Fixed bug #65272 (flock() out parameter not set correctly in windows).
Fixed bug #69033 (Request may get env. variables from previous requests if PHP works as FastCGI).
Streams:
Fixed bug which caused call after final close on streams filter.
Version 5.6.5
22 Jan 2015
Core:
Upgraded crypt_blowfish to version 1.3.
Fixed bug #60704 (unlink() bug with some files path).
Fixed bug #65419 (Inside trait, self::class != __CLASS__).
Fixed bug #68536 (pack for 64bits integer is broken on bigendian).
Fixed bug #55541 (errors spawn MessageBox, which blocks test automation).
Fixed bug #68297 (Application Popup provides too few information).
Fixed bug #65769 (localeconv() broken in TS builds).
Fixed bug #65230 (setting locale randomly broken).
Fixed bug #66764 (configure doesn't define EXPANDED_DATADIR / PHP_DATADIR correctly).
Fixed bug #68583 (Crash in timeout thread).
Fixed bug #65576 (Constructor from trait conflicts with inherited constructor).
Fixed bug #68676 (Explicit Double Free). (CVE-2014-9425)
Fixed bug #68710 (Use After Free Vulnerability in PHP's unserialize()). (CVE-2015-0231)
CGI:
Fixed bug #68618 (out of bounds read crashes php-cgi). (CVE-2014-9427)
CLI server:
Fixed bug #68745 (Invalid HTTP requests make web server segfault).
cURL:
Fixed bug #67643 (curl_multi_getcontent returns '' when CURLOPT_RETURNTRANSFER isn't set).
Date:
Implemented FR #68268 (DatePeriod: Getter for start date, end date and interval).
EXIF:
Fixed bug #68799 (Free called on uninitialized pointer). (CVE-2015-0232)
Fileinfo:
Fixed bug #68398 (msooxml matches too many archives).
Fixed bug #68665 (invalid free in libmagic).
Fixed bug #68671 (incorrect expression in libmagic).
Removed readelf.c and related code from libmagic sources.
Fixed bug #68735 (fileinfo out-of-bounds memory access). (CVE-2014-9652)
FPM:
Implemented FR #68526 (Implement POSIX Access Control List for UDS).
Fixed bug #68751 (listen.allowed_clients is broken).
GD:
Fixed bug #68601 (buffer read overflow in gd_gif_in.c). (CVE-2014-9709)
Implemented FR #68656 (Report gd library version).
mbstring:
Fixed bug #68504 (--with-libmbfl configure option not present on Windows).
Opcache:
Fixed bug #68644 (strlen incorrect : mbstring + func_overload=2 +UTF-8 + Opcache).
Fixed bug #67111 (Memory leak when using "continue 2" inside two foreach loops).
OpenSSL:
Improved handling of OPENSSL_KEYTYPE_EC keys.
pcntl:
Fixed bug #60509 (pcntl_signal doesn't decrease ref-count of old handler when setting SIG_DFL).
PCRE:
Fixed bug #66679 (Alignment Bug in PCRE 8.34 upstream).
pgsql:
Fixed bug #68697 (lo_export return -1 on failure).
PDO:
Fixed bug #68371 (PDO#getAttribute() cannot be called with platform-specifi attribute names).
PDO_mysql:
Fixed bug #68424 (Add new PDO mysql connection attr to control multi statements option).
SPL:
Fixed bug #66405 (RecursiveDirectoryIterator::CURRENT_AS_PATHNAME breaks the RecursiveIterator).
Fixed bug #68479 (Added escape parameter to SplFileObject::fputcsv).
SQLite:
Fixed bug #68120 (Update bundled libsqlite to 3.8.7.2).
Streams:
Fixed bug #68532 (convert.base64-encode omits padding bytes).
Version 5.6.4
18 Dec 2014
Core:
Fixed bug #68091 (Some Zend headers lack appropriate extern "C" blocks).
Fixed bug #68104 (Segfault while pre-evaluating a disabled function).
Fixed bug #68185 ("Inconsistent insteadof definition."- incorrectly triggered).
Fixed bug #68355 (Inconsistency in example php.ini comments).
Fixed bug #68370 ("unset($this)" can make the program crash).
Fixed bug #68422 (Incorrect argument reflection info for array_multisort()).
Fixed bug #68545 (NULL pointer dereference in unserialize.c).
Fixed bug #68446 (Array constant not accepted for array parameter default).
Fixed bug #68594 (Use after free vulnerability in unserialize()). (CVE-2014-8142)
Date:
Fixed day_of_week function as it could sometimes return negative values internally.
FPM:
Fixed bug #68381 (fpm_unix_init_main ignores log_level).
Fixed bug #68420 (listen=9000 listens to ipv6 localhost instead of all addresses).
Fixed bug #68421 (access.format='%R' doesn't log ipv6 address).
Fixed bug #68423 (PHP-FPM will no longer load all pools).
Fixed bug #68428 (listen.allowed_clients is IPv4 only).
Fixed bug #68452 (php-fpm man page is outdated).
Implemented FR #68458 (Change pm.start_servers default warning to notice).
Fixed bug #68463 (listen.allowed_clients can silently result in no allowed access).
Implemented FR #68391 (php-fpm conf files loading order).
Fixed bug #68478 (access.log don't use prefix).
Mcrypt:
Fixed possible read after end of buffer and use after free.
GMP:
Fixed bug #68419 (build error with gmp 4.1).
PDO_pgsql:
Fixed bug #67462 (PDO_PGSQL::beginTransaction() wrongly throws exception when not in transaction).
Fixed bug #68351 (PDO::PARAM_BOOL and ATTR_EMULATE_PREPARES misbehaving).
Session:
Fixed bug #68331 (Session custom storage callable functions not being called).
SOAP:
Fixed bug #68361 (Segmentation fault on SoapClient::__getTypes).
zlib:
Fixed bug #53829 (Compiling PHP with large file support will replace function gzopen by gzopen64).
Version 5.6.3
13 Nov 2014
Core:
Implemented 64-bit format codes for pack() and unpack().
Fixed bug #51800 (proc_open on Windows hangs forever).
Fixed bug #67633 (A foreach on an array returned from a function not doing copy-on-write).
Fixed bug #67739 (Windows 8.1/Server 2012 R2 OS build number reported as 6.2 (instead of 6.3)).
Fixed bug #67949 (DOMNodeList elements should be accessible through array notation).
Fixed bug #68095 (AddressSanitizer reports a heap buffer overflow in php_getopt()).
Fixed bug #68118 ($a->foo .= 'test'; can leave $a->foo undefined).
Fixed bug #68129 (parse_url() - incomplete support for empty usernames and passwords).
Fixed bug #68365 (zend_mm_heap corrupted after memory overflow in zend_hash_copy).
CURL:
Add CURL_SSLVERSION_TLSv1_0, CURL_SSLVERSION_TLSv1_1, and CURL_SSLVERSION_TLSv1_2 constants if supported by libcurl.
Fileinfo:
Fixed bug #66242 (libmagic: don't assume char is signed).
Fixed bug #68224 (buffer-overflow in libmagic/readcdf.c caught by AddressSanitizer).
Fixed bug #68283 (fileinfo: out-of-bounds read in elf note headers). (CVE-2014-3710)
FPM:
Fixed bug #65641 (PHP-FPM incorrectly defines the SCRIPT_NAME variable when using Apache, mod_proxy-fcgi and ProxyPass).
Implemented FR #55508 (listen and listen.allowed_clients should take IPv6 addresses).
GD:
Fixed bug #65171 (imagescale() fails without height param).
GMP:
Implemented gmp_random_range() and gmp_random_bits().
Fixed bug #63595 (GMP memory management conflicts with other libraries using GMP).
Mysqli:
Fixed bug #68114 (linker error on some OS X machines with fixed width decimal support).
ODBC:
Fixed bug #68087 (ODBC not correctly reading DATE column when preceded by a VARCHAR column).
OpenSSL:
Fixed bug #68074 (Allow to use system cipher list instead of hardcoded value).
PDO_pgsql:
Fixed bug #68199 (PDO::pgsqlGetNotify doesn't support NOTIFY payloads).
Fixed bug #66584 (Segmentation fault on statement deallocation).
Reflection:
Fixed bug #68103 (Duplicate entry in Reflection for class alias).
SPL:
Fixed bug #68128 (Regression in RecursiveRegexIterator).
Version 5.6.2
16 Oct 2014
Core:
Fixed bug #68044 (Integer overflow in unserialize() (32-bits only)). (CVE-2014-3669)
cURL:
Fixed bug #68089 (NULL byte injection - cURL lib).
EXIF: