004cb827 | 31-Oct-2022 |
Derick Rethans |
Bump versions |
2669ed7d | 24-Oct-2022 |
Stanislav Malyshev |
Update NEWS |
d50532be | 18-Oct-2022 |
Christoph M. Becker |
Fix #81739: OOB read due to insufficient validation in imageloadfont()
If we swap the byte order of the relevant header bytes, we need to make sure again that the following multiplication does not overflow. |
8b919c31 | 21-Oct-2022 |
Ilija Tovilo |
Revert incorrect PHP-7.4 version constants |
248f6477 | 21-Oct-2022 |
Stanislav Malyshev |
Fix bug #81738 (buffer overflow in hash_update() on long parameter) |
ad8d00b4 | 28-Sep-2022 |
Derick Rethans |
Prepare for next release |
0b4e1533 | 28-Sep-2022 |
Derick Rethans |
Prepare for 7.4.32 |
432bf196 | 27-Sep-2022 |
Christoph M. Becker |
Fix regression introduced by fixing bug 81726
When a tar phar is created, `phar_open_from_fp()` is also called, but since the file has just been created, none of the format checks can succeed, so we continue to loop, but must not check again for the format. Therefore, we bring back the old `test` variable.
Closes GH-9620. |
6f586ef9 | 27-Sep-2022 |
Derick Rethans |
Add CVEs |
404e8bdb | 25-Jul-2022 |
Christoph M. Becker |
Fix #81726: phar wrapper: DOS when using quine gzip file
The phar wrapper needs to uncompress the file; the uncompressed file might be compressed, so the wrapper implementation loops. This raises potential DOS issues regarding too deep or even infinite recursion (the latter are called compressed file quines[1]). We avoid that by introducing a recursion limit; we choose the somewhat arbitrary limit `3`.
This issue has been reported by real_as3617 and gPayl0ad.
[1] <https://honno.dev/gzip-quine/> |
0611be4e | 09-Sep-2022 |
Derick Rethans |
Fix #81727: Don't mangle HTTP variable names that clash with ones that have a specific semantic meaning. |
198f3f50 | 10-Jun-2022 |
Remi Collet |
[ci skip] missing CVE |
8fbeadcd | 07-Jun-2022 |
Derick Rethans |
Bump version in 7.4 to 7.4.31-dev |
d1be9369 | 06-Jun-2022 |
Stanislav Malyshev |
Update NEWS |
58006537 | 06-Jun-2022 |
Stanislav Malyshev |
Fix bug #81719: mysqlnd/pdo password buffer overflow |
55f6895f | 17-May-2022 |
Christoph M. Becker |
Fix #81720: Uninitialized array in pg_query_params() leading to RCE
We must not free parameters which we haven't initialized yet. We also fix the not directly related issue, that we checked for the wrong value being `NULL`, potentially causing a segfault. |
fbee73df | 12-Apr-2022 |
Derick Rethans |
Prepare for 7.4.30 |
c14e2e4f | 12-Apr-2022 |
Derick Rethans |
Add tz update into NEWS |
1a051499 | 12-Apr-2022 |
Derick Rethans |
Prep NEWS for 7.4.29 release |
341bea37 | 07-Apr-2022 |
Derick Rethans |
Updated to version 2022.1 (2022a) |
325bcf9f | 15-Feb-2022 |
Derick Rethans |
Prepare for 7.4.29 |
d13ceb74 | 14-Feb-2022 |
Derick Rethans |
Add fix to NEWS |
dce5e561 | 31-Jan-2022 |
Christoph M. Becker |
Fix #81708: UAF due to php_filter_float() failing for ints
We must only release the zval, if we actually assign a new zval. |
6d5f2ba7 | 12-Dec-2021 |
Christoph M. Becker |
macOS 10.14 runners are no longer available via Azure Pipeline
These images have already been deprecated for two months[1]. Thus, we upgrade to macOS 10.15. Since clang 12 is picky about `int-in-bool-context` warning, we disable `-Werror`.
[1] <https://devblogs.microsoft.com/devops/hosted-pipelines-image-deprecation/> |
98175fc7 | 12-Dec-2021 |
Christoph M. Becker |
Fix openssl_x509_checkpurpose_basic.phpt
This test fails because san-cert.pem and san-ca.pem have expired. We fix that by using the CertificateGenerator to generate temporary certs during the test run. Since san-cert.pem and san-ca.pem have been identical, we only generate one certificate.
Closes GH-7763. |