
update php to 8.1.29 #654

Merged
merged 3 commits into from
Aug 23, 2024

Conversation

aldok10 (Contributor) commented Jun 10, 2024

Update PHP from 8.1.27 to 8.1.29:

06 Jun 2024, PHP 8.1.29

- CGI:
  . Fixed bug GHSA-3qgc-jrrr-25jv (Bypass of CVE-2012-1823, Argument Injection
    in PHP-CGI). (CVE-2024-4577) (nielsdos)

- Filter:
  . Fixed bug GHSA-w8qr-v226-r27w (Filter bypass in filter_var FILTER_VALIDATE_URL).
    (CVE-2024-5458) (nielsdos)

- OpenSSL:
  . The openssl_private_decrypt function in PHP, when using PKCS1 padding
    (OPENSSL_PKCS1_PADDING, which is the default), is vulnerable to the Marvin Attack
    unless it is used with an OpenSSL version that includes the changes from this pull
    request: https://github.com/openssl/openssl/pull/13817 (rsa_pkcs1_implicit_rejection).
    These changes are part of OpenSSL 3.2 and have also been backported to stable
    versions of various Linux distributions, as well as to the PHP builds provided for
    Windows since the previous release. All distributors and builders should ensure that
    this version is used to prevent PHP from being vulnerable. (CVE-2024-2408)

- Standard:
  . Fixed bug GHSA-9fcc-425m-g385 (Bypass of CVE-2024-1874).
    (CVE-2024-5585) (nielsdos)

11 Apr 2024, PHP 8.1.28

- Standard:
  . Fixed bug GHSA-pc52-254m-w9w7 (Command injection via array-ish $command
    parameter of proc_open). (CVE-2024-1874) (Jakub Zelenka)
  . Fixed bug GHSA-wpj3-hf5j-x4v4 (__Host-/__Secure- cookie bypass due to
    partial CVE-2022-31629 fix). (CVE-2024-2756) (nielsdos)
  . Fixed bug GHSA-h746-cjrr-wfmr (password_verify can erroneously return true,
    opening ATO risk). (CVE-2024-3096) (Jakub Zelenka)

jingjingxyk (Contributor) commented Jun 10, 2024

Upgrade PHP version steps:

1. Set up the PHP version in PHP-VERSION.conf

2. Execute the upgrade script

See the file sync-source-code.php

```sh
# test
php sync-source-code.php

# release
php sync-source-code.php --action run
```

aldok10 (Contributor, Author) commented Jun 21, 2024

Upgrade PHP version steps:

1. Set up the PHP version in [PHP-VERSION.conf](https://github.com/swoole/swoole-cli/blob/main/sapi/PHP-VERSION.conf)

2. Execute the upgrade script

See the file sync-source-code.php

```sh
# test
php sync-source-code.php

# release
php sync-source-code.php --action run
```

The pull request (PR) needs to be implemented because the previous version contains significant security vulnerabilities. These issues pose a serious risk to the system's integrity and the data it manages. Addressing these vulnerabilities is crucial to ensure that the system remains secure and that sensitive information is protected from potential threats. By making the necessary updates and improvements through this PR, we aim to enhance the overall security posture and mitigate any risks associated with the identified flaws in the earlier version.

matyhtf merged commit 9992fa8 into swoole:main on Aug 23, 2024
6 checks passed

matyhtf pushed a commit that referenced this pull request on Aug 23, 2024:

* update php to 8.1.29
* Update PHP-VERSION.conf
* Revert main.c