03 Sep 2015

• Core:
  • Fixed bug #70172 (Use After Free Vulnerability in unserialize()). (CVE-2015-6834)
  • Fixed bug #70219 (Use after free vulnerability in session deserializer). (CVE-2015-6835)
• EXIF:
  • Fixed bug #70385 (Buffer over-read in exif_read_data with TIFF IFD tag byte value of 32 bytes).
• hash:
  • Fixed bug #70312 (HAVAL gives wrong hashes in specific cases).
• PCRE:
  • Fixed bug #70345 (Multiple vulnerabilities related to PCRE functions).
• SOAP:
  • Fixed bug #70388 (SOAP serialize_function_call() type confusion / RCE). (CVE-2015-6836)
• SPL:
  • Fixed bug #70365 (Use-after-free vulnerability in unserialize() with SplObjectStorage). (CVE-2015-6834)
  • Fixed bug #70366 (Use-after-free vulnerability in unserialize() with SplDoublyLinkedList). (CVE-2015-6834)
• XSLT:
  • Fixed bug #69782 (NULL pointer dereference). (CVE-2015-6837, CVE-2015-6838)
• ZIP:
  • Fixed bug #70350 (ZipArchive::extractTo allows for directory traversal when creating directories). (CVE-2014-9767)

06 Aug 2015

• Core:
  • Fixed bug #69793 (Remotely triggerable stack exhaustion via recursive method calls).
  • Fixed bug #69892 (Different arrays compare indentical due to integer key truncation).
  • Fixed bug #70121 (unserialize() could lead to unexpected methods execution / NULL pointer deref).
• OpenSSL:
  • Fixed bug #70014 (openssl_random_pseudo_bytes() is not cryptographically secure). (CVE-2015-8867)
• Phar:
  • Improved fix for bug #69441.
  • Fixed bug #70019 (Files extracted from archive may be placed outside of destination directory). (CVE-2015-6833)
• SOAP:
  • Fixed bug #70081 (SoapClient info leak / null pointer dereference via multiple type confusions).
• SPL:
  • Fixed bug #70068 (Dangling pointer in the unserialization of ArrayObject items). (CVE-2015-6832)
  • Fixed bug #70166 (Use After Free Vulnerability in unserialize() with SPLArrayObject). (CVE-2015-6831)
  • Fixed bug #70168 (Use After Free Vulnerability in unserialize() with SplObjectStorage). (CVE-2015-6831)
  • Fixed bug #70169 (Use After Free Vulnerability in unserialize() with SplDoublyLinkedList). (CVE-2015-6831)

09 Jul 2015

• Core:
  • Fixed bug #69768 (escapeshell*() doesn't cater to !).
  • Fixed bug #69874 (Can't set empty additional_headers for mail()), regression from fix to bug #68776.
• Mysqlnd:
  • Fixed bug #69669 (mysqlnd is vulnerable to BACKRONYM). (CVE-2015-3152)
• Phar:
  • Fixed bug #69958 (Segfault in Phar::convertToData on invalid file). (CVE-2015-5589)
  • Fixed bug #69923 (Buffer overflow and stack smashing error in phar_fix_filepath). (CVE-2015-5590)

11 Jun 2015

• Core:
  • Improved fix for bug #69545 (Integer overflow in ftp_genlist() resulting in heap overflow). (CVE-2015-4643)
  • Fixed bug #69646 (OS command injection vulnerability in escapeshellarg). (CVE-2015-4642)
  • Fixed bug #69719 (Incorrect handling of paths with NULs). (CVE-2015-4598)
• Litespeed SAPI:
  • Fixed bug #68812 (Unchecked return value).
• Mail:
  • Fixed bug #68776 (mail() does not have mail header injection prevention for additional headers).
• Postgres:
  • Fixed bug #69667 (segfault in php_pgsql_meta_data). (CVE-2015-4644)
• Sqlite3:
  • Upgrade bundled sqlite to 3.8.10.2. (CVE-2015-3414, CVE-2015-3415, CVE-2015-3416)

14 May 2015

• Core:
  • Fixed bug #69364 (PHP Multipart/form-data remote dos Vulnerability). (CVE-2015-4024)
  • Fixed bug #69403 (str_repeat() sign mismatch based memory corruption).
  • Fixed bug #69418 (CVE-2006-7243 fix regressions in 5.4+). (CVE-2015-4025)
  • Fixed bug #69522 (heap buffer overflow in unpack()).
• FTP:
  • Fixed bug #69545 (Integer overflow in ftp_genlist() resulting in heap overflow). (CVE-2015-4022)
• PCNTL:
  • Fixed bug #68598 (pcntl_exec() should not allow null char). (CVE-2015-4026)
• PCRE:
  • Upgraded pcrelib to 8.37. (CVE-2015-2325, CVE-2015-2326)
• Phar:
  • Fixed bug #69453 (Memory Corruption in phar_parse_tarfile when entry filename starts with null). (CVE-2015-4021)

16 Apr 2015

• Apache2handler:
  • Fixed bug #69218 (potential remote code execution with apache 2.4 apache2handler). (CVE-2015-3330)
• Core:
  • Additional fix for bug #69152 (Type confusion vulnerability in exception::getTraceAsString).
  • Fixed bug #69337 (php_stream_url_wrap_http_ex() type-confusion vulnerability).
  • Fixed bug #69353 (Missing null byte checks for paths in various PHP extensions). (CVE-2015-3411, CVE-2015-3412)
• cURL:
  • Fixed bug #69316 (Use-after-free in php_curl related to CURLOPT_FILE/_INFILE/_WRITEHEADER).
• Ereg:
  • Fixed bug #68740 (NULL Pointer Dereference).
• Fileinfo:
  • Fixed bug #68819 (Fileinfo on specific file causes spurious OOM and/or segfault). (CVE-2015-4604, CVE-2015-4605)
• GD:
  • Fixed bug #68601 (buffer read overflow in gd_gif_in.c). (CVE-2014-9709)
• Phar:
  • Fixed bug #68901 (use after free). (CVE-2015-2301)
  • Fixed bug #69324 (Buffer Over-read in unserialize when parsing Phar). (CVE-2015-2783, CVE-2015-3307)
  • Fixed bug #69441 (Buffer Overflow when parsing tar/zip/phar in phar_set_inode). (CVE-2015-3329)
• Postgres:
  • Fixed bug #68741 (Null pointer deference). (CVE-2015-1352)
• SOAP:
  • Fixed bug #69152 (Type Confusion Infoleak Vulnerability in unserialize() with SoapFault). (CVE-2015-4599)
  • Fixed bug #69293 (NEW segfault when using SoapClient::__setSoapHeader (bisected, regression)).
• Sqlite3:
  • Fixed bug #66550 (SQLite prepared statement use-after-free).

19 Mar 2015

• Core:
  • Fixed bug #68976 (Use After Free Vulnerability in unserialize()). (CVE-2015-2787)
  • Fixed bug #69134 (Per Directory Values overrides PHP_INI_SYSTEM configuration options).
  • Fixed bug #69207 (move_uploaded_file allows nulls in path). (CVE-2015-2348)
• Ereg:
  • Fixed bug #69248 (heap overflow vulnerability in regcomp.c). (CVE-2015-2305)
• SOAP:
  • Fixed bug #69085 (SoapClient's __call() type confusion through unserialize()). (CVE-2015-4147, CVE-2015-4148)
• ZIP:
  • Fixed bug #69253 (ZIP Integer Overflow leads to writing past heap boundary). (CVE-2015-2331)

19 Feb 2015

• Core:
  • Removed support for multi-line headers, as they are deprecated by RFC 7230.
  • Added NULL byte protection to exec, system and passthru.
  • Fixed bug #68925 (Mitigation for CVE-2015-0235 – GHOST: glibc gethostbyname buffer overflow).
  • Fixed bug #67827 (broken detection of system crypt sha256/sha512 support).
  • Fixed bug #68942 (Use after free vulnerability in unserialize() with DateTimeZone). (CVE-2015-0273)
• Enchant:
  • Fixed bug #68552 (heap buffer overflow in enchant_broker_request_dict()). (CVE-2014-9705)
• SOAP:
  • Fixed bug #67427 (SoapServer cannot handle large messages).

22 Jan 2015

• Core:
  • Fixed bug #68710 (Use After Free Vulnerability in PHP's unserialize()). (CVE-2015-0231)
• CGI:
  • Fixed bug #68618 (out of bounds read crashes php-cgi). (CVE-2014-9427)
• EXIF:
  • Fixed bug #68799 (Free called on uninitialized pointer). (CVE-2015-0232)
• Fileinfo:
  • Removed readelf.c and related code from libmagic sources.
  • Fixed bug #68735 (fileinfo out-of-bounds memory access). (CVE-2014-9652)
• OpenSSL:
  • Fixed bug #55618 (use case-insensitive cert name matching).

18 Dec 2014

• Core:
  • Upgraded crypt_blowfish to version 1.3.
  • Fixed bug #68545 (NULL pointer dereference in unserialize.c).
  • Fixed bug #68594 (Use after free vulnerability in unserialize()). (CVE-2014-8142)
• Mcrypt:
  • Fixed possible read after end of buffer and use after free.

13 Nov 2014

• Core:
  • Fixed bug #68365 (zend_mm_heap corrupted after memory overflow in zend_hash_copy).
• Fileinfo:
  • Fixed bug #68283 (fileinfo: out-of-bounds read in elf note headers). (CVE-2014-3710)
• GMP:
  • Fixed bug #63595 (GMP memory management conflicts with other libraries using GMP).
• PDO_pgsql:
  • Fixed bug #66584 (Segmentation fault on statement deallocation).

16 Oct 2014

• Fileinfo:
  • Fixed bug #66242 (libmagic: don't assume char is signed).
• Core:
  • Fixed bug #67985 (Incorrect last used array index copied to new array after unset).
  • Fixed bug #68044 (Integer overflow in unserialize() (32-bits only)). (CVE-2014-3669)
• cURL:
  • Fixed bug #68089 (NULL byte injection - cURL lib).
• EXIF:
  • Fixed bug #68113 (Heap corruption in exif_thumbnail()). (CVE-2014-3670)
• OpenSSL:
  • Reverted fixes for bug #41631, due to regressions.
• XMLRPC:
  • Fixed bug #68027 (Global buffer overflow in mkgmtime() function). (CVE-2014-3668)

18 Sep 2014

• Core:
  • Fixed bug #47358 (glob returns error, should be empty array()).
  • Fixed bug #65463 (SIGSEGV during zend_shutdown()).
  • Fixed bug #66036 (Crash on SIGTERM in apache process).
• OpenSSL:
  • Fixed bug #41631 (socket timeouts not honored in blocking SSL reads).
• Date:
  • Fixed bug #66091 (memory leaks in DateTime constructor).
• FPM:
  • Fixed bug #67606 (FPM with mod_fastcgi/apache2.4 is broken).
• GD:
  • Made fontFetch's path parser thread-safe.
• Wddx:
  • Fixed bug #67873 (Segfaults in php_wddx_serialize_var).
• Zlib:
  • Fixed bug #67724 (chained zlib filters silently fail with large amounts of data).
  • Fixed bug #67865 (internal corruption phar error).

21 Aug 2014

• Core:
  • Fixed bug #67717 (segfault in dns_get_record) (CVE-2014-3597).
  • Fixed bug #67693 (incorrect push to the empty array)
• COM:
  • Fixed missing type checks in com_event_sink.
• Fileinfo:
  • Fixed bug #67705 (extensive backtracking in rule regular expression). (CVE-2014-3538)
  • Fixed bug #67716 (Segfault in cdf.c) (CVE-2014-3587).
• GD:
  • Fixed bug #66901 (php-gd 'c_color' NULL pointer dereference). (CVE-2014-2497)
  • Fixed bug #67730 (Null byte injection possible with imagexxx functions) (CVE-2014-5120).
• Milter:
  • Fixed bug #67715 (php-milter does not build and crashes randomly).
• OpenSSL:
  • Fixed missing type checks in OpenSSL options (Yussuf Khalil, Stas).
• Readline:
  • Fixed bug #55496 (Interactive mode doesn't force a newline before the prompt).
  • Fixed bug #67496 (Save command history when exiting interactive shell with control-c).
• Sessions:
  • Fixed missing type checks in php_session_create_id.
• SPL:
  • Fixed bug #67539 (ArrayIterator use-after-free due to object change during sorting) (CVE-2014-4698).
  • Fixed bug #67538 (SPL Iterators use-after-free) (CVE-2014-4670).
• ODBC:
  • Fixed bug #60616 (odbc_fetch_into returns junk data at end of multi-byte char fields).

24 Jul 2014

• Core:
  • Fixed bug #67428 (header('Location: foo') will override a 308-399 response code).
  • Fixed bug #67436 (Autoloader isn't called if two method definitions don't match).
  • Fixed bug #67091 (make install fails to install libphp5.so on FreeBSD 10.0).
  • Fixed bug #67151 (strtr with empty array crashes).
  • Fixed bug #67407 (Windows 8.1/Server 2012 R2 reported as Windows 8/Server 2012).
• CLI server:
  • Implemented FR #67429 (CLI server is missing some new HTTP response codes).
  • Fixed bug #66830 (Empty header causes PHP built-in web server to hang).
• FPM:
  • Fixed bug #67530 (error_log=syslog ignored).
  • Fixed bug #67531 (syslog cannot be set in pool configuration).
• Intl:
  • Fixed bug #67052 (NumberFormatter::parse() resets LC_NUMERIC setting).
• pgsql:
  • Fixed bug #67550 (Error in code 'form' instead of 'from', pgsql.c, line 756), which affected builds against libpq
• Phar:
  • Fixed bug #67587 (Redirection loop on nginx with FPM).
• Streams:
  • Fixed bug #67430 (http:// wrapper doesn't follow 308 redirects).

26 Jun 2014

• Core:
  • Fixed BC break introduced by patch for bug #67072.
  • Fixed bug #66622 (Closures do not correctly capture the late bound class (static::) in some cases).
  • Fixed bug #67390 (insecure temporary file use in the configure script) (CVE-2014-3981).
  • Fixed bug #67399 (putenv with empty variable may lead to crash).
  • Fixed bug #67498 (phpinfo() Type Confusion Information Leak Vulnerability). (CVE-2014-4721)
• CLI server:
  • Fixed bug #67406 (built-in web-server segfaults on startup).
• Date:
  • Fixed bug #67308 (Serialize of DateTime truncates fractions of second).
  • Fixed regression in fix for bug #67118 (constructor can't be called twice).
• Fileinfo:
  • Fixed bug #67326 (fileinfo: cdf_read_short_sector insufficient boundary check) (CVE-2014-0207).
  • Fixed bug #67410 (fileinfo: mconvert incorrect handling of truncated pascal string size) (CVE-2014-3478).
  • Fixed bug #67411 (fileinfo: cdf_check_stream_offset insufficient boundary check) (CVE-2014-3479).
  • Fixed bug #67412 (fileinfo: cdf_count_chain insufficient boundary check) (CVE-2014-3480).
  • Fixed bug #67413 (fileinfo: cdf_read_property_info insufficient boundary check) (CVE-2014-3487).
• Intl:
  • Fixed bug #67349 (Locale::parseLocale Double Free).
  • Fixed bug #67397 (Buffer overflow in locale_get_display_name and uloc_getDisplayName (libicu 4.8.1)).
• Network:
  • Fixed bug #67432 (Fix potential segfault in dns_get_record()) (CVE-2014-4049).
• OpenSSL:
  • Fixed bug #65698 (certificates validity parsing does not work past 2050).
  • Fixed bug #66636 (openssl_x509_parse warning with V_ASN1_GENERALIZEDTIME).
• SOAP:
  • Implemented FR #49898 (Add SoapClient::__getCookies()).
• SPL:
  • Fixed bug #66127 (Segmentation fault with ArrayObject unset).
  • Fixed bug #67359 (Segfault in recursiveDirectoryIterator).
  • Fixed bug #67360 (Missing element after ArrayObject::getIterator).
  • Fixed bug #67492 (unserialize() SPL ArrayObject / SPLObjectStorage Type Confusion) (CVE-2014-3515).

29 May 2014

• COM:
  • Fixed bug #66431 (Special Character via COM Interface (CP_UTF8)).
• Core:
  • Fixed bug #65701 (copy() doesn't work when destination filename is created by tempnam()).
  • Fixed bug #67072 (Echoing unserialized 'SplFileObject' crash).
  • Fixed bug #67245 (usage of memcpy() with overlapping src and dst in zend_exceptions.c).
  • Fixed bug #67247 (spl_fixedarray_resize integer overflow).
  • Fixed bug #67249 (printf out-of-bounds read).
  • Fixed bug #67250 (iptcparse out-of-bounds read).
  • Fixed bug #67252 (convert_uudecode out-of-bounds read). (Stas)
• Fileinfo:
  • Fixed bug #66307 (Fileinfo crashes with powerpoint files).
  • Fixed bug #67327 (fileinfo: CDF infinite loop in nelements DoS). (CVE-2014-0238)
  • Fixed bug #67328 (fileinfo: fileinfo: numerous file_printf calls resulting in performance degradation). (CVE-2014-0237)
• Date:
  • Fixed bug #67118 (DateTime constructor crash with invalid data).
  • Fixed bug #67251 (date_parse_from_format out-of-bounds read).
  • Fixed bug #67253 (timelib_meridian_with_check out-of-bounds read).
• DOM:
  • Fixed bug #67081 (DOMDocumentType->internalSubset returns entire DOCTYPE tag, not only the subset).
• FPM:
  • Fixed bug #66908 (php-fpm reload leaks epoll_create() file descriptor).
• Phar:
  • Fixed bug #64498 ($phar->buildFromDirectory can't compress file with an accent in its name).

01 May 2014

• Core:
  • Fixed bug #61019 (Out of memory on command stream_get_contents).
  • Fixed bug #64330 (stream_socket_server() creates wrong Abstract Namespace UNIX sockets).
  • Fixed bug #66171 (Symlinks and session handler allow open_basedir bypass).
  • Fixed bug #66182 (exit in stream filter produces segfault).
  • Fixed bug #66736 (fpassthru broken).
  • Fixed bug #67024 (getimagesize should recognize BMP files with negative height).
• cURL:
  • Fixed bug #66562 (curl_exec returns differently than curl_multi_getcontent).
• Date:
  • Fixed bug #66721 (__wakeup of DateTime segfaults when invalid object data is supplied).
• Embed:
  • Fixed bug #65715 (php5embed.lib isn't provided anymore).
• Fileinfo:
  • Fixed bug #66987 (Memory corruption in fileinfo ext / bigendian).
• FPM:
  • Fixed bug #66482 (unknown entry 'priority' in php-fpm.conf).
  • Fixed bug #67060 (sapi/fpm: possible privilege escalation due to insecure default configuration) (CVE-2014-0185).
• JSON:
  • Fixed bug #66021 (Blank line inside empty array/object when JSON_PRETTY_PRINT is set).
• LDAP:
  • Fixed issue with null bytes in LDAP bindings.
• OpenSSL:
  • Fixed bug #66942 (memory leak in openssl_seal()).
  • Fixed bug #66952 (memory leak in openssl_open()).
• SimpleXML:
  • Fixed bug #66084 (simplexml_load_string() mangles empty node name) (Anatol)
• XSL:
  • Fixed bug #53965 ( cannot find files with relative paths when loaded with 'file://').
• Apache2 Handler SAPI:
  • Fixed Apache log issue caused by APR's lack of support for %zu (APR issue 56120).

03 Apr 2014

• Core:
  • Fixed bug #60602 (proc_open() changes environment array)
• Fileinfo:
  • Fixed bug #66946 (fileinfo: extensive backtracking in awk rule regular expression). (CVE-2013-7345)
• FPM:
  • Added clear_env configuration directive to disable clearenv() call.
• GMP:
  • Fixed bug #66872 (invalid argument crashes gmp_testbit)
• Mail:
  • Fixed bug #66535 (Don't add newline after X-PHP-Originating-Script)
• MySQLi:
  • Fixed bug #66762 (Segfault in mysqli_stmt::bind_result() when link closed)
• Openssl:
  • Fixed bug #66833 (Default disgest algo is still MD5, switch to SHA1)

06 Mar 2014

• Date:
  • Fixed bug #44780 (some time zone offsets not recognized by timezone_name_from_abbr)
  • Fixed bug #45543 (DateTime::setTimezone can not set timezones without ID)
• JSON:
  • Fixed bug #65753 (JsonSerializeable couldn't implement on module extension)
• Fileinfo:
  • Fixed bug #66731 (file: infinite recursion) (CVE-2014-1943).
  • Fixed bug #66820 (out-of-bounds memory access in fileinfo) (CVE-2014-2270).
• LDAP:
  • Implemented ldap_modify_batch (https://wiki.php.net/rfc/ldap_modify_batch).
• Openssl:
  • Fixed bug #66501 (Add EC key support to php_openssl_is_private_key).
• Pgsql:
  • Added warning for dangerous client encoding and remove possible injections for pg_insert()/pg_update()/pg_delete()/pg_select().

06 Feb 2014

• Core:
  • Fixed bug #66286 (Incorrect object comparison with inheritance).
  • Fixed bug #66509 (copy() arginfo has changed starting from 5.4).
• mysqlnd:
  • Fixed bug #66283 (Segmentation fault after memory_limit).
• PDO_pgsql:
  • Fixed bug #62479 (PDO-psql cannot connect if password contains spaces).
• Session:
  • Fixed bug #66481 (Calls to session_name() segfault when session.name is null).

09 Jan 2014

• Core:
  • Added validation of class names in the autoload process.
  • Fixed invalid C code in zend_strtod.c.
  • Fixed bug #61645 (fopen and O_NONBLOCK).
• Date:
  • Fixed bug #66060 (Heap buffer over-read in DateInterval, CVE-2013-6712).
  • Fixed bug #63391 (Incorrect/inconsistent day of week prior to the year 1600).
  • Fixed bug #61599 (Wrong Day of Week).
• DOM:
  • Fixed bug #65196 (Passing DOMDocumentFragment to DOMDocument::saveHTML() Produces invalid Markup).
• Exif:
  • Fixed bug #65873 (Integer overflow in exif_read_data()).
• Filter:
  • Fixed bug #66229 (128.0.0.0/16 isn't reserved any longer).
• GD:
  • Fixed bug #64405 (Use freetype-config for determining freetype2 dir(s)).
• PDO_odbc:
  • Fixed bug #66311 (Stack smashing protection kills PDO/ODBC queries).
• SNMP:
  • Fixed SNMP_ERR_TOOBIG handling for bulk walk operations.
• XSL:
  • Fixed bug #49634 (Segfault throwing an exception in a XSL registered function).
• ZIP:
  • Fixed bug #66321 (ZipArchive::open() ze_obj->filename_len not real).

12 Dec 2013

• Core:
  • Fixed bug #66094 (unregister_tick_function tries to cast a Closure to a string).
  • Fixed bug #65947 (basename is no more working after fgetcsv in certain situation).
• JSON:
  • Fixed whitespace part of #64874 ('json_decode handles whitespace and case-sensitivity incorrectly').
• MySQLi:
  • Fixed bug #66043 (Segfault calling bind_param() on mysqli).
• mysqlnd:
  • Fixed bug #66124 (mysqli under mysqlnd loses precision when bind_param with 'i').
  • Fixed bug #66141 (mysqlnd quote function is wrong with NO_BACKSLASH_ESCAPES after failed query).
• OpenSSL:
  • Fixed memory corruption in openssl_x509_parse() (CVE-2013-6420). (Stefan Esser).
• PDO:
  • Fixed bug #65946 (sql_parser permanently converts values bound to strings).

14 Nov 2013

• Core:
  • Fixed bug #65911 (scope resolution operator - strange behavior with $this).
• CLI server:
  • Fixed bug #65818 (Segfault with built-in webserver and chunked transfer encoding).
• Exif:
  • Fixed crash on unknown encoding.
• FTP:
  • Fixed bug #65667 (ftp_nb_continue produces segfault).
• ODBC:
  • Fixed bug #65950 (Field name truncation if the field name is bigger than 32 characters).
• Sockets:
  • Fixed bug #65808 (the socket_connect() won't work with IPv6 address).
• Standard:
  • Fixed bug #64760 (var_export() does not use full precision for floating-point numbers).
• XMLReader:
  • Fixed bug #51936 (Crash with clone XMLReader).
  • Fixed bug #64230 (XMLReader does not suppress errors).