A LOT!

bugs

From: http://www.charliebaird.co.uk/bugs_2000.htm

Bugs are not always cute. So, we need to upgrade all software applications we use on a regular basis.

Ref: php.net/ChangeLog-5.php

Version 5.5.22
19-Feb-2015

Core:
Fixed bug #67068 (getClosure returns something that’s not a closure).
Fixed bug #68925 (Mitigation for CVE-2015-0235 – GHOST: glibc gethostbyname buffer overflow).
Fixed bug #68942 (Use after free vulnerability in unserialize() with DateTimeZone). (CVE-2015-0273)
Added NULL byte protection to exec, system and passthru.
Removed support for multi-line headers, as they are deprecated by RFC 7230.
Date:
Fixed bug #45081 (strtotime incorrectly interprets SGT time zone).
Dba:
Fixed bug #68711 (useless comparisons).
Enchant:
Fixed bug #68552 (heap buffer overflow in enchant_broker_request_dict()).
Fileinfo:
Fixed bug #68827 (Double free with disabled ZMM).
FPM:
Fixed bug #66479 (Wrong response to FCGI_GET_VALUES).
Fixed bug #68571 (core dump when webserver close the socket).
Libxml:
Fixed bug #64938 (libxml_disable_entity_loader setting is shared between threads).
PDO_mysql:
Fixed bug #68750 (PDOMysql with mysqlnd does not allow the usage of named pipes).
Phar:
Fixed bug #68901 (use after free).
Pgsql:
Fixed bug #65199 (pg_copy_from() modifies input array variable).
Sqlite3:
Fixed bug #68260 (SQLite3Result::fetchArray declares wrong required_num_args).
Mysqli:
Fixed bug #68114 (linker error on some OS X machines with fixed width decimal support).
Fixed bug #68657 (Reading 4 byte floats with Mysqli and libmysqlclient has rounding errors).
Session:
Fixed bug #68941 (mod_files.sh is a bash-script).
Fixed bug #66623 (no EINTR check on flock).
Fixed bug #68063 (Empty session IDs do still start sessions).
Standard:
Fixed bug #65272 (flock() out parameter not set correctly in windows).
Fixed bug #69033 (Request may get env. variables from previous requests if PHP works as FastCGI).
Streams:
Fixed bug which caused call after final close on streams filter.

Version 5.5.21
22 Jan 2015

Core:
Upgraded crypt_blowfish to version 1.3.
Fixed bug #60704 (unlink() bug with some files path).
Fixed bug #65419 (Inside trait, self::class != __CLASS__).
Fixed bug #65576 (Constructor from trait conflicts with inherited constructor).
Fixed bug #55541 (errors spawn MessageBox, which blocks test automation).
Fixed bug #68297 (Application Popup provides too few information).
Fixed bug #65769 (localeconv() broken in TS builds).
Fixed bug #65230 (setting locale randomly broken).
Fixed bug #66764 (configure doesn’t define EXPANDED_DATADIR / PHP_DATADIR correctly).
Fixed bug #68583 (Crash in timeout thread).
Fixed bug #68676 (Explicit Double Free). (CVE-2014-9425)
Fixed bug #68710 (Use After Free Vulnerability in PHP’s unserialize()). (CVE-2015-0231)
CGI:
Fixed bug #68618 (out of bounds read crashes php-cgi). (CVE-2014-9427)
CLI server:
Fixed bug #68745 (Invalid HTTP requests make web server segfault).
cURL:
Fixed bug #67643 (curl_multi_getcontent returns '' when CURLOPT_RETURNTRANSFER isn’t set).
EXIF:
Fixed bug #68799 (Free called on uninitialized pointer). (CVE-2015-0232)
Fileinfo:
Fixed bug #68671 (incorrect expression in libmagic).
Fixed bug #68735 (fileinfo out-of-bounds memory access).
Removed readelf.c and related code from libmagic sources.
FPM:
Fixed bug #68751 (listen.allowed_clients is broken).
GD:
Fixed bug #68601 (buffer read overflow in gd_gif_in.c).
Mbstring:
Fixed bug #68504 (--with-libmbfl configure option not present on Windows).
Mcrypt:
Fixed possible read after end of buffer and use after free.
Opcache:
Fixed bug #67111 (Memory leak when using “continue 2” inside two foreach loops).
OpenSSL:
Fixed bug #55618 (use case-insensitive cert name matching).
Pcntl:
Fixed bug #60509 (pcntl_signal doesn’t decrease ref-count of old handler when setting SIG_DFL).
PCRE:
Fixed bug #66679 (Alignment Bug in PCRE 8.34 upstream).
pgsql:
Fixed bug #68697 (lo_export return -1 on failure).
PDO:
Fixed bug #68371 (PDO#getAttribute() cannot be called with platform-specific attribute names).
PDO_mysql:
Fixed bug #68424 (Add new PDO mysql connection attr to control multi statements option).
SPL:
Fixed bug #66405 (RecursiveDirectoryIterator::CURRENT_AS_PATHNAME breaks the RecursiveIterator).
Fixed bug #65213 (cannot cast SplFileInfo to boolean).
Fixed bug #68479 (Added escape parameter to SplFileObject::fputcsv).
SQLite:
Fixed bug #68120 (Update bundled libsqlite to 3.8.7.2).
Streams:
Fixed bug #68532 (convert.base64-encode omits padding bytes).

Version 5.5.20
18 Dec 2014

Core:
Fixed bug #68091 (Some Zend headers lack appropriate extern “C” blocks).
Fixed bug #68185 (“Inconsistent insteadof definition.”- incorrectly triggered).
Fixed bug #68370 (“unset($this)” can make the program crash).
Fixed bug #68545 (NULL pointer dereference in unserialize.c).
Fixed bug #68594 (Use after free vulnerability in unserialize()). (CVE-2014-8142)
Date:
Fixed day_of_week function as it could sometimes return negative values internally.
FPM:
Fixed bug #68381 (fpm_unix_init_main ignores log_level).
Fixed bug #68420 (listen=9000 listens to ipv6 localhost instead of all addresses).
Fixed bug #68421 (access.format=’%R’ doesn’t log ipv6 address).
Fixed bug #68423 (PHP-FPM will no longer load all pools).
Fixed bug #68428 (listen.allowed_clients is IPv4 only).
Fixed bug #68452 (php-fpm man page is outdated).
Fixed bug #68458 (Change pm.start_servers default warning to notice).
Fixed bug #68463 (listen.allowed_clients can silently result in no allowed access).
Fixed bug #68391 (php-fpm conf files loading order).
Fixed bug #68478 (access.log don’t use prefix).
Mcrypt:
Fixed possible read after end of buffer and use after free.
PDO_pgsql:
Fixed bug #66584 (Segmentation fault on statement deallocation).
Fixed bug #67462 (PDO_PGSQL::beginTransaction() wrongly throws exception when not in transaction).
Fixed bug #68351 (PDO::PARAM_BOOL and ATTR_EMULATE_PREPARES misbehaving).
SOAP:
Fixed bug #68361 (Segmentation fault on SoapClient::__getTypes).
zlib:
Fixed bug #53829 (Compiling PHP with large file support will replace function gzopen by gzopen64).

Version 5.5.19
13 Nov 2014

Core:
Fixed bug #68095 (AddressSanitizer reports a heap buffer overflow in php_getopt()).
Fixed bug #68118 ($a->foo .= ‘test’; can leave $a->foo undefined).
Fixed bug #68129 (parse_url() – incomplete support for empty usernames and passwords).
Fixed bug #68365 (zend_mm_heap corrupted after memory overflow in zend_hash_copy).
cURL:
Add CURL_SSLVERSION_TLSv1_0, CURL_SSLVERSION_TLSv1_1, and CURL_SSLVERSION_TLSv1_2 constants if supported by libcurl.
Fileinfo:
Fixed bug #66242 (libmagic: don’t assume char is signed).
Fixed bug #68283 (fileinfo: out-of-bounds read in elf note headers). (CVE-2014-3710)
FPM:
Implemented FR #55508 (listen and listen.allowed_clients should take IPv6 addresses).
GD:
Fixed bug #65171 (imagescale() fails without height param).
GMP:
Fixed bug #63595 (GMP memory management conflicts with other libraries using GMP).
Mysqli:
Fixed bug #68114 (linker error on some OS X machines with fixed width decimal support).
ODBC:
Fixed bug #68087 (ODBC not correctly reading DATE column when preceded by a VARCHAR column)
SPL:
Fixed bug #68128 (Regression in RecursiveRegexIterator)

Version 5.5.18
16 Oct 2014

Core:
Fixed bug #67985 (Incorrect last used array index copied to new array after unset).
Fixed bug #67739 (Windows 8.1/Server 2012 R2 OS build number reported as 6.2 (instead of 6.3)).
Fixed bug #67633 (A foreach on an array returned from a function not doing copy-on-write).
Fixed bug #51800 (proc_open on Windows hangs forever).
Fixed bug #68044 (Integer overflow in unserialize() (32-bits only)). (CVE-2014-3669)
cURL:
Fixed bug #68089 (NULL byte injection – cURL lib).
Exif:
Fixed bug #68113 (Heap corruption in exif_thumbnail()). (CVE-2014-3670)
FPM:
Fixed bug #65641 (PHP-FPM incorrectly defines the SCRIPT_NAME variable when using Apache, mod_proxy-fcgi and ProxyPass).
OpenSSL:
Revert regression introduced by fix of bug #41631.
Reflection:
Fixed bug #68103 (Duplicate entry in Reflection for class alias).
Session:
Fixed bug #67972 (SessionHandler Invalid memory read create_sid()).
XMLRPC:
Fixed bug #68027 (Global buffer overflow in mkgmtime() function). (CVE-2014-3668)

Version 5.5.17
18 Sep 2014

Core:
Fixed bug #47358 (glob returns error, should be empty array()).
Fixed bug #65463 (SIGSEGV during zend_shutdown()).
Fixed bug #66036 (Crash on SIGTERM in apache process).
Fixed bug #67878 (program_prefix not honoured in man pages).
COM:
Fixed bug #41577 (DOTNET is successful once per server run).
Date:
Fixed bug #66091 (memory leaks in DateTime constructor).
Fixed bug #66985 (Some timezones are no longer valid in PHP 5.5.10).
Fixed bug #67109 (First uppercase letter breaks date string parsing).
FPM:
Fixed bug #67606 (FPM with mod_fastcgi/apache2.4 is broken).
GD:
Made fontFetch’s path parser thread-safe.
MySQLi:
Fixed bug #67839 (mysqli does not handle 4-byte floats correctly).
OpenSSL:
Fixed bug #41631 (socket timeouts not honored in blocking SSL reads).
Fixed bug #67850 (extension won’t build if openssl compiled without SSLv3).
SPL:
Fixed bug #67813 (CachingIterator::__construct InvalidArgumentException wrong message).
Zlib:
Fixed bug #67724 (chained zlib filters silently fail with large amounts of data).
Fixed bug #67865 (internal corruption phar error).

Version 5.5.16
21 Aug 2014

COM:
Fixed missing type checks in com_event_sink.
Core:
Fixed bug #67693 (incorrect push to the empty array).
Fileinfo:
Fixed bug #67705 (extensive backtracking in rule regular expression). (CVE-2014-3538).
Fixed bug #67716 (Segfault in cdf.c). (CVE-2014-3587).
FPM:
Fixed bug #67635 (php links to systemd libraries without using pkg-config).
GD:
Fixed bug #66901 (php-gd ‘c_color’ NULL pointer dereference). (CVE-2014-2497).
Fixed bug #67730 (Null byte injection possible with imagexxx functions). (CVE-2014-5120).
Milter:
Fixed bug #67715 (php-milter does not build and crashes randomly).
Network:
Fixed bug #67717 (segfault in dns_get_record). (CVE-2014-3597).
OpenSSL:
Fixed missing type checks in OpenSSL options.
readline:
Fixed bug #55496 (Interactive mode doesn’t force a newline before the prompt).
Fixed bug #67496 (Save command history when exiting interactive shell with control-c).
Sessions:
Fixed missing type checks in php_session_create_id.
ODBC:
Fixed bug #60616 (odbc_fetch_into returns junk data at end of multi-byte char fields).

Version 5.5.15
24 Jul 2014

CLI server:
Fixed bug #67429 (CLI server is missing some new HTTP response codes).
Fixed bug #66830 (Empty header causes PHP built-in web server to hang).
Core:
Fixed bug #67428 (header(‘Location: foo’) will override a 308-399 response code).
Fixed bug #67436 (Autoloader isn’t called if two method definitions don’t match).
Fixed bug #67091 (make install fails to install libphp5.so on FreeBSD 10.0).
Fixed bug #67497 (eval with parse error causes segmentation fault in generator).
Fixed bug #67151 (strtr with empty array crashes).
Fixed bug #67407 (Windows 8.1/Server 2012 R2 reported as Windows 8/Server 2012).
FPM:
Fixed bug #67530 (error_log=syslog ignored).
Fixed bug #67531 (syslog cannot be set in pool configuration).
Intl:
Fixed bug #66921 (Wrong argument type hint for function intltz_from_date_time_zone).
Fixed bug #67052 (NumberFormatter::parse() resets LC_NUMERIC setting).
OPCache:
Fixed bug #67215 (php-cgi work with opcache, may be segmentation fault happen).
pgsql:
Fixed bug #67550 (Error in code “form” instead of “from”, pgsql.c, line 756), which affected builds against libpq < 7.3).
Phar:
Fixed bug #67587 (Redirection loop on nginx with FPM).
SPL:
Fixed bug #67539 (ArrayIterator use-after-free due to object change during sorting). (CVE-2014-4698)
Fixed bug #67538 (SPL Iterators use-after-free) (CVE-2014-4670).
Streams:
Fixed bug #67430 (http:// wrapper doesn't follow 308 redirects).

Version 5.5.14
26 Jun 2014

CLI server:
Fixed bug #67406 (built-in web-server segfaults on startup).
Core:
Fixed bug #66622 (Closures do not correctly capture the late bound class (static::) in some cases).
Fixed bug #67390 (insecure temporary file use in the configure script). (CVE-2014-3981).
Fixed bug #67399 (putenv with empty variable may lead to crash).
Fixed bug #67498 (phpinfo() Type Confusion Information Leak Vulnerability).
Fixed BC break introduced by patch for bug #67072.
Date:
Fixed bug #67308 (Serialize of DateTime truncates fractions of second).
Fixed regression in fix for bug #67118 (constructor can't be called twice).
Fileinfo:
Fixed bug #67326 (cdf_read_short_sector insufficient boundary check). (CVE-2014-0207).
Fixed bug #67410 (mconvert incorrect handling of truncated pascal string size). (CVE-2014-3478).
Fixed bug #67411 (cdf_check_stream_offset insufficient boundary check). (CVE-2014-3479).
Fixed bug #67412 (cdf_count_chain insufficient boundary check). (CVE-2014-3480).
Fixed bug #67413 (cdf_read_property_info insufficient boundary check). (CVE-2014-3487).
Intl:
Fixed bug #67349 (Locale::parseLocale Double Free).
Fixed bug #67397 (Buffer overflow in locale_get_display_name and uloc_getDisplayName (libicu 4.8.1)).
Network:
Fixed bug #67432 (Fix potential segfault in dns_get_record()). (CVE-2014-4049).
OPCache:
Fixed issue #183 (TMP_VAR is not only used once).
OpenSSL:
Fixed bug #65698 (certificates validity parsing does not work past 2050).
Fixed bug #66636 (openssl_x509_parse warning with V_ASN1_GENERALIZEDTIME).
PDO-ODBC:
Fixed bug #50444 (PDO-ODBC changes for 64-bit).
SOAP:
Implemented FR #49898 (Add SoapClient::__getCookies()).
SPL:
Fixed bug #66127 (Segmentation fault with ArrayObject unset).
Fixed bug #67359 (Segfault in recursiveDirectoryIterator).
Fixed bug #67360 (Missing element after ArrayObject::getIterator).
Fixed bug #67492 (unserialize() SPL ArrayObject / SPLObjectStorage Type Confusion). (CVE-2014-3515).

Version 5.5.13
29 May 2014

CLI server:
Fixed bug #67079 (Missing MIME types for XML/XSL files).
COM:
Fixed bug #66431 (Special Character via COM Interface (CP_UTF8)).
Core:
Fixed bug #65701 (copy() doesn't work when destination filename is created by tempnam()).
Fixed bug #67072 (Echoing unserialized "SplFileObject" crash).
Fixed bug #67245 (usage of memcpy() with overlapping src and dst in zend_exceptions.c).
Fixed bug #67247 (spl_fixedarray_resize integer overflow).
Fixed bug #67249 (printf out-of-bounds read).
Fixed bug #67250 (iptcparse out-of-bounds read).
cURL:
Fixed bug #64247 (CURLOPT_INFILE doesn't allow reset).
Date:
Fixed bug #67118 (DateTime constructor crash with invalid data).
Fixed bug #67251 (date_parse_from_format out-of-bounds read).
Fixed bug #67253 (timelib_meridian_with_check out-of-bounds read).
DOM:
Fixed bug #67081 (DOMDocumentType->internalSubset returns entire DOCTYPE tag, not only the subset).
Fileinfo:
Fixed bug #66307 (Fileinfo crashes with powerpoint files).
Fixed bug #67327 (CDF infinite loop in nelements DoS) (CVE-2014-0238).
Fixed bug #67328 (numerous file_printf calls resulting in performance degradation) (CVE-2014-0237).
FPM:
Fixed bug #66908 (php-fpm reload leaks epoll_create() file descriptor).
GD:
Fixed bug #67248 (imageaffinematrixget missing check of parameters).
PCRE:
Fixed bug #67248 Ungreedy and min/max quantifier bug, applied patch from the upstream.
Phar:
Fixed bug #64498 ($phar->buildFromDirectory can’t compress file with an accent in its name).

Version 5.5.12
01 May 2014

Core:
Fixed bug #61019 (Out of memory on command stream_get_contents).
Fixed bug #64330 (stream_socket_server() creates wrong Abstract Namespace UNIX sockets).
Fixed bug #66182 (exit in stream filter produces segfault).
Fixed bug #66736 (fpassthru broken).
Fixed bug #67024 (getimagesize should recognize BMP files with negative height).
Fixed bug #67043 (substr_compare broke by previous change).
cURL:
Fixed bug #66562 (curl_exec returns differently than curl_multi_getcontent).
Date:
Fixed bug #66721 (__wakeup of DateTime segfaults when invalid object data is supplied).
Embed:
Fixed bug #65715 (php5embed.lib isn’t provided anymore).
Fileinfo:
Fixed bug #66987 (Memory corruption in fileinfo ext / bigendian).
FPM:
Fixed bug #66482 (unknown entry ‘priority’ in php-fpm.conf).
Fixed bug #67060 (possible privilege escalation due to insecure default configuration). (CVE-2014-0185).
Json:
Fixed bug #66021 (Blank line inside empty array/object when JSON_PRETTY_PRINT is set).
LDAP:
Fixed issue with null bytes in LDAP bindings.
mysqli:
Fixed problem in mysqli_commit()/mysqli_rollback() with second parameter (extra comma) and third parameters (lack of escaping).
Openssl:
Fixed bug #66942 (memory leak in openssl_seal()).
Fixed bug #66952 (memory leak in openssl_open()).
SimpleXML:
Fixed bug #66084 (simplexml_load_string() mangles empty node name).
SQLite:
Fixed bug #66967 (Updated bundled libsqlite to 3.8.4.3)
XSL:
Fixed bug #53965 ( cannot find files with relative paths when loaded with “file://”)
Apache2 Handler SAPI:
Fixed Apache log issue caused by APR’s lack of support for %zu (APR issue https://issues.apache.org/bugzilla/show_bug.cgi?id=56120)

Version 5.5.11
03 Apr 2014

Core:
Fixed bug #60602 (proc_open() changes environment array).
Allow zero length comparison in substr_compare().
cURL:
Fixed bug #66109 (Can’t reset CURLOPT_CUSTOMREQUEST to default behaviour).
Fix compilation on libcurl versions between 7.10.5 and 7.12.2, inclusive.
Fileinfo:
Fixed bug #66946 (fileinfo: extensive backtracking in awk rule regular expression (CVE-2013-7345)).
FPM:
Added clear_env configuration directive to disable clearenv() call.
GD:
Fixed bug #66714 (imageconvolution breakage).
Fixed bug #66869 (Invalid 2nd argument crashes imageaffinematrixget).
Fixed bug #66887 (imagescale – poor quality of scaled image).
Fixed bug #66890 (imagescale segfault).
Fixed bug #66893 (imagescale ignore method argument).
GMP:
Fixed bug #66872 (invalid argument crashes gmp_testbit).
Hash:
hash_pbkdf2() now works correctly if the $length argument is not specified.
Intl:
Fixed bug #66873 (A reproducible crash in UConverter when given invalid encoding).
Mail:
Fixed bug #66535 (Don’t add newline after X-PHP-Originating-Script).
MySQLi:
Fixed bug #66762 (Segfault in mysqli_stmt::bind_result() when link closed).
OPCache:
Added function opcache_is_script_cached().
Added information about interned strings usage.
Openssl:
Fixed bug #66833 (Default digest algo is still MD5, switch to SHA1).
SQLite:
Updated bundled libsqlite to 3.8.3.1.
SPL:
Added feature #65545 (SplFileObject::fread()).

Version 5.5.10
06 Mar 2014

Core:
Fixed bug #66574 (Allow multiple paths in php_ini_scanned_path).
Date:
Fixed bug #45528 (Allow the DateTimeZone constructor to accept timezones per offset too).
Fileinfo:
Fixed bug #66731 (file: infinite recursion (CVE-2014-1943)).
Fixed bug #66820 (out-of-bounds memory access in fileinfo (CVE-2014-2270)).
GD:
Fixed bug #66815 (imagecrop(): insufficient fix for NULL defer (CVE-2013-7327)).
JSON:
Fixed bug #65753 (JsonSerializeable couldn’t implement on module extension).
LDAP:
Implemented ldap_modify_batch (https://wiki.php.net/rfc/ldap_modify_batch).
Openssl:
Fixed bug #66501 (Add EC key support to php_openssl_is_private_key).
PCRE:
Upgraded to PCRE 8.34.
Pgsql:
Added warning for dangerous client encoding and remove possible injections for pg_insert()/pg_update()/pg_delete()/pg_select().

Version 5.5.9
06 Feb 2014

Core:
Fixed bug #66509 (copy() arginfo has changed starting from 5.4).
GD:
Fixed bug #66356 (Heap Overflow Vulnerability in imagecrop(), CVE-2013-7226).
OPCache:
Fixed bug #66474 (Optimizer bug in constant string to boolean conversion).
Fixed bug #66461 (PHP crashes if opcache.interned_strings_buffer=0).
Fixed bug #66298 (ext/opcache/Optimizer/zend_optimizer.c has dos-style ^M as lineend).
PDO_pgsql:
Fixed bug #62479 (PDO-pgsql cannot connect if password contains spaces).
Readline:
Fixed bug #66412 (readline_clear_history() with libedit causes segfault after #65714).
Session:
Fixed bug #66469 (Session module is sending multiple set-cookie headers when session.use_strict_mode=1).
Fixed bug #66481 (Segfaults on session_name()).
Standard:
Fixed bug #66395 (basename function doesn’t remove drive letter).
Sockets:
Fixed bug #66381 (__ss_family was changed on AIX 5.3).
Zend Engine:
Fixed bug #66009 (Failed compilation of PHP extension with C++ std library using VS 2012).

Version 5.4.25
06 Feb 2014

Core:
Fixed bug #66286 (Incorrect object comparison with inheritance).
Fixed bug #66509 (copy() arginfo has changed starting from 5.4).
mysqlnd:
Fixed bug #66283 (Segmentation fault after memory_limit).
PDO_pgsql:
Fixed bug #62479 (PDO-psql cannot connect if password contains spaces).
Session:
Fixed bug #66481 (Calls to session_name() segfault when session.name is null).

Version 5.5.8
09 Jan 2014

Core:
Disallowed JMP into a finally block.
Added validation of class names in the autoload process.
Fixed invalid C code in zend_strtod.c.
Fixed bug #66041 (list() fails to unpack yielded ArrayAccess object).
Fixed bug #65764 (generators/throw_rethrow FAIL with ZEND_COMPILE_EXTENDED_INFO).
Fixed bug #61645 (fopen and O_NONBLOCK).
Fixed bug #66218 (zend_register_functions breaks reflection).
Date:
Fixed bug #66060 (Heap buffer over-read in DateInterval, CVE-2013-6712).
Fixed bug #65768 (DateTimeImmutable::diff does not work).
DOM:
Fixed bug #65196 (Passing DOMDocumentFragment to DOMDocument::saveHTML() Produces invalid Markup).
Exif:
Fixed bug #65873 (Integer overflow in exif_read_data()).
Filter:
Fixed bug #66229 (128.0.0.0/16 isn’t reserved any longer).
GD:
Fixed bug #64405 (Use freetype-config for determining freetype2 dir(s)).
PDO_odbc:
Fixed bug #66311 (Stack smashing protection kills PDO/ODBC queries).
MySQLi:
Fixed bug #65486 (mysqli_poll() is broken on win x64).
OPCache:
Fixed revalidate_path=1 behavior to avoid caching of symlinks values.
Fixed issue #140 (“opcache.enable_file_override” doesn’t respect “opcache.revalidate_freq”.)
SNMP:
Fixed SNMP_ERR_TOOBIG handling for bulk walk operations.
SOAP:
Fixed bug #66112 (Use after free condition in SOAP extension).
Sockets:
Fixed bug #65923 (ext/socket assumes AI_V4MAPPED is defined).
XSL:
Fixed bug #49634 (Segfault throwing an exception in a XSL registered function).
ZIP:
Fixed bug #66321 (ZipArchive::open() ze_obj->filename_len not real).

Version 5.5.7
12 Dec 2013

Core:
Fixed bug #66094 (unregister_tick_function tries to cast a Closure to a string).
Fixed bug #65969 (Chain assignment with T_LIST failure).
CLI server:
Added some MIME types to the CLI web server.
Implemented FR #65917 (getallheaders() is not supported by the built-in web server) – also implements apache_response_headers()
OPCache:
Fixed bug #66176 (Invalid constant substitution).
Fixed bug #65915 (Inconsistent results with require return value).
Fixed bug #65559 (Opcache: cache not cleared if changes occur while running).
readline:
Fixed bug #65714 (PHP cli forces the tty to cooked mode).
Openssl:
Fixed memory corruption in openssl_x509_parse() (CVE-2013-6420).

Version 5.5.6
14 Nov 2013

Core:
Improved performance of array_merge() and func_get_args() by eliminating useless copying.
Fixed bug #65947 (basename is no more working after fgetcsv in certain situation).
Fixed bug #65939 (Space before “;” breaks php.ini parsing).
Fixed bug #65911 (scope resolution operator – strange behavior with $this).
Fixed bug #65936 (dangling context pointer causes crash).
FPM:
Changed default listen() backlog to 65535.
JSON:
Fixed bug #64874 (json_decode handles whitespace incorrectly).
MySQLi:
Fixed bug #66043 (Segfault calling bind_param() on mysqli).
OPCache:
Increased limit for opcache.max_accelerated_files to 1,000,000.
Fixed issue #115 (path issue when using phar).
Fixed issue #149 (Phar mount points not working with OPcache enabled).
ODBC:
Fixed bug #65950 (Field name truncation if the field name is bigger than 32 characters).
PDO:
Fixed bug #66033 (Segmentation Fault when constructor of PDO statement throws an exception).
Fixed bug #65946 (sql_parser permanently converts values bound to strings).
Standard:
Fixed bug #64760 (var_export() does not use full precision for floating-point numbers).

Version 5.5.5
17 Oct 2013

Core:
Fixed bug #64979 (Wrong behavior of static variables in closure generators).
Fixed bug #65322 (compile time errors won’t trigger auto loading).
Fixed bug #65821 (By-ref foreach on property access of string offset segfaults).
CLI Server:
Fixed bug #65633 (built-in server treat some http headers as case-sensitive).
Fixed bug #65818 (Segfault with built-in webserver and chunked transfer encoding).
Added application/pdf to PHP CLI Web Server mime types
Datetime:
Fixed bug #64157 (DateTime::createFromFormat() reports confusing error message).
Fixed bug #65502 (DateTimeImmutable::createFromFormat returns DateTime).
Fixed bug #65548 (Comparison for DateTimeImmutable doesn’t work).
DBA:
Fixed bug #65708 (dba functions cast $key param to string in-place, bypassing copy on write).
Filter:
Add RFC 6598 IPs to reserved addresses.
Fixed bug #64441 (FILTER_VALIDATE_URL rejects fully qualified domain names).
FTP:
Fixed bug #65667 (ftp_nb_continue produces segfault).
GD:
Ensure that the defined interpolation method is used with the generic scaling methods.
IMAP:
Fixed bug #65721 (configure script broken in 5.5.4 and 5.4.20 when enabling imap).
OPCache:
Fixed bug #65845 (Error when Zend Opcache Optimizer is fully enabled).
Fixed bug #65665 (Exception not properly caught when opcache enabled).
Fixed bug #65510 (5.5.2 crashes in _get_zval_ptr_ptr_var).
Fixed issue #135 (segfault in interned strings if initial memory is too low).
Added function opcache_compile_file() to load PHP scripts into cache without execution.
Added support for GNU Hurd.
Sockets:
Fixed bug #65808 (the socket_connect() won’t work with IPv6 address).
SPL:
Fixed bug #64782 (SplFileObject constructor make $context optional / give it a default value).
Standard:
Fixed bug #61548 content-type must appear at the end of headers for 201 Location to work in http.
XMLReader:
Fixed bug #51936 Crash with clone XMLReader.
Fixed bug #64230 XMLReader does not suppress errors.
Build system:
Fixed bug #51076 Race condition in shtool’s mkdir -p implementation.
Fixed bug #62396 ‘make test’ crashes starting with 5.3.14 (missing gzencode()).

Version 5.5.4
19 Sep 2013

Core:
Fixed bug #60598 (cli/apache sapi segfault on objects manipulation).
Improved fputcsv() to allow specifying escape character.
Fixed bug #65483 (quoted-printable encode stream filter incorrectly encoding spaces).
Fixed bug #65470 (Segmentation fault in zend_error() with --enable-dtrace).
Fixed bug #65490 (Duplicate calls to get lineno & filename for DTRACE_FUNCTION_*).
Fixed bug #65225 (PHP_BINARY incorrectly set).
Fixed bug #62692 (PHP fails to build with DTrace).
Fixed bug #61759 (class_alias() should accept classes with leading backslashes).
Fixed bug #46311 (Pointer aliasing issue results in miscompile on gcc4.4).
cURL:
Fixed bug #65458 (curl memory leak).
Datetime:
Fixed bug #65554 (createFromFormat broken when weekday name is followed by some delimiters).
Fixed bug #65564 (stack-buffer-overflow in DateTimeZone stuff caught by AddressSanitizer).
OPCache:
Fixed bug #65561 (Zend Opcache on Solaris 11 x86 needs ZEND_MM_ALIGNMENT=4).
Openssl:
Fixed bug #64802 (openssl_x509_parse fails to parse subject properly in some cases).
Session:
Fixed bug #65475 (Session ID is not initialized properly when strict session is enabled).
Fixed bug #51127 and #65359, FR #25630/#43980/#54383 (Added php_serialize session serialize handler that uses plain serialize())
Standard:
Fix issue with return types of password API helper functions. Found via static analysis by cjones.

Version 5.5.3
22 Aug 2013

Openssl:
Fixed UMR in fix for CVE-2013-4248.