The PHP development team announced today the immediate availability of PHP 5.6.28 and 7.0.13, two security releases with several bug fixes. You are encouraged to upgrade.

Packages of PHP 7.0.13 are already available for Debian 8 “Jessie” on amd64 and i386 architectures, along with the following PECL extensions: APCu, APCu_bc, geoip, igbinary, imagick, memcached, mongodb, msgpack, redis, ssh2 and xdebug (careful, PHP 7 support in some of them is still very young!).

Changes in 5.6.28:

  • Core:
    • Fixed bug #73337 (try/catch not working with two exceptions inside a same operation).
  • Bz2:
    • Fixed bug #73356 (crash in bzcompress function).
  • GD:
    • Fixed bug #73213 (Integer overflow in imageline() with antialiasing).
    • Fixed bug #73272 (imagescale() is not affected by, but affects imagesetinterpolation()).
    • Fixed bug #73279 (Integer overflow in gdImageScaleBilinearPalette()).
    • Fixed bug #73280 (Stack Buffer Overflow in GD dynamicGetbuf).
    • Fixed bug #72482 (Illegal write/read access caused by gdImageAALine overflow).
    • Fixed bug #72696 (imagefilltoborder stackoverflow on truecolor images).
  • Imap:
    • Fixed bug #73418 (Integer Overflow in “_php_imap_mail” leads Heap Overflow).
  • SPL:
    • Fixed bug #73144 (Use-after-free in ArrayObject Deserialization).
  • SOAP:
    • Fixed bug #73037 (SoapServer reports Bad Request when gzipped).
  • SQLite3:
    • Fixed bug #73333 (2147483647 is fetched as string).
  • Standard:
    • Fixed bug #73203 (passing additional_parameters causes mail to fail).
    • Fixed bug #73188 (use after free in userspace streams).
    • Fixed bug #73192 (parse_url return wrong hostname).
  • Wddx:
    • Fixed bug #73331 (NULL Pointer Dereference in WDDX Packet Deserialization with PDORow).

And below are the changes in 7.0.13:

  • Core:
    • Fixed bug #73350 (Exception::__toString() cause circular references).
    • Fixed bug #73181 (parse_str() without a second argument leads to crash).
    • Fixed bug #66773 (Autoload with Opcache allows importing conflicting class name to namespace).
    • Fixed bug #66862 ((Sub-)Namespaces unexpected behaviour).
    • Fix pthreads detection when cross-compiling.
    • Fixed bug #73337 (try/catch not working with two exceptions inside a same operation).
    • Fixed bug #73338 (Exception thrown from error handler causes valgrind warnings (and crashes)).
    • Fixed bug #73329 ((Float)"Nano" == NAN).
  • GD:
    • Fixed bug #73213 (Integer overflow in imageline() with antialiasing).
    • Fixed bug #73272 (imagescale() is not affected by, but affects imagesetinterpolation()).
    • Fixed bug #73279 (Integer overflow in gdImageScaleBilinearPalette()).
    • Fixed bug #73280 (Stack Buffer Overflow in GD dynamicGetbuf).
    • Fixed bug #72482 (Illegal write/read access caused by gdImageAALine overflow).
    • Fixed bug #72696 (imagefilltoborder stackoverflow on truecolor images).
  • IMAP:
    • Fixed bug #73418 (Integer Overflow in “_php_imap_mail” leads to crash).
  • OCI8:
    • Fixed bug #71148 (Bind reference overwritten on PHP 7).
  • phpdbg:
    • Properly allow for stdin input from a file.
    • Add -s command line option / stdin command for reading script from stdin.
    • Ignore non-executable opcodes in line mode of phpdbg_end_oplog().
    • Fixed bug #70776 (Simple SIGINT does not have any effect with -rr).
    • Fixed bug #71234 (INI files are loaded even invoked as -n --version).
  • Session:
    • Fixed bug #73273 (session_unset() empties values from all variables in which is $_session stored).
  • SOAP:
    • Fixed bug #73037 (SoapServer reports Bad Request when gzipped).
    • Fixed bug #73237 (Nested object in “any” element overwrites other fields).
    • Fixed bug #69137 (Peer verification fails when using a proxy with SoapClient).
  • SQLite3:
    • Fixed bug #73333 (2147483647 is fetched as string).
  • Standard:
    • Fixed bug #73203 (passing additional_parameters causes mail to fail).
    • Fixed bug #71241 (array_replace_recursive sometimes mutates its parameters).
    • Fixed bug #73192 (parse_url return wrong hostname).
  • Wddx:
    • Fixed bug #73331 (NULL Pointer Dereference in WDDX Packet Deserialization with PDORow).

It’s also notable that these two releases are accompanied by the latest release candidate, RC6, for PHP 7.1.0, which you are encouraged to download and test. PHP 5.6, whose support ends on December 31st, 2018, is soon approaching its end of life and will get only security updates after January 2017, while PHP 7.0 will keep getting active support until December 2017.


There is no fixed date yet for the availability of 7.1.0; however, it should be around 2? November according to the release timetable.
