The PHP Team have just announced the availability of three versions of PHP 8.0.8, 7.4.21, and 7.3.29. Three security releases with lots of changes in the Core, Bzip2, Fileinfo, GMP, OCI8, Opcache, OpenSSL, MySQLnd, PDO_Firebird, readline, Standard and Windows.
All PHP 8.0, 7.3, and 7.4 users are encouraged to upgrade to the respective version.
Changes in PHP 8.0.8
- Core:
- Fixed bug #81076 (incorrect debug info on Closures with implicit binds).
- Fixed bug #81068 (Double free in realpath_cache_clean()).
- Fixed bug #76359 (open_basedir bypass through adding “..”).
- Fixed bug #81090 (Typed property performance degradation with .= operator).
- Fixed bug #81070 (Integer underflow in memory limit comparison).
- Fixed bug #81122 (SSRF bypass in FILTER_VALIDATE_URL). (CVE-2021-21705)
- Bzip2:
- Fixed bug #81092 (fflush before stream_filter_remove corrupts stream).
- Fileinfo:
- Fixed bug #80197 (implicit declaration of function ‘magic_stream’ is invalid).
- GMP:
- Fixed bug #81119 (GMP operators throw errors with wrong parameter names).
- OCI8:
- Fixed bug #81088 (error in regression test for oci_fetch_object() and oci_fetch_array()).
- Opcache:
- OpenSSL:
- Fixed bug #76694 (native Windows cert verification uses CN as sever name).
- MySQLnd:
- Fixed bug #80761 (PDO uses too much memory).
- PDO_Firebird:
- Fixed bug #76448 (Stack buffer overflow in firebird_info_cb). (CVE-2021-21704)
- Fixed bug #76449 (SIGSEGV in firebird_handle_doer). (CVE-2021-21704)
- Fixed bug #76450 (SIGSEGV in firebird_stmt_execute). (CVE-2021-21704)
- Fixed bug #76452 (Crash while parsing blob data in firebird_fetch_blob). (CVE-2021-21704)
- readline:
- Fixed bug #72998 (invalid read in readline completion).
- Standard:
- Windows:
- Fixed bug #81120 (PGO data for main PHP DLL are not used).
