PHP 8.0.12, 7.4.25 (CVE)

Erulezz

22 Oct 2021

PHP 7.4.25 Released!

The PHP development team announces the immediate availability of PHP 7.4.25. This is a security release.
All PHP 7.4 users are encouraged to upgrade to this version.
For source downloads of PHP 7.4.25 please visit our downloads page, Windows source and binaries can be found on windows.php.net/download/. The list of changes is recorded in the ChangeLog.

21 Oct 2021

PHP 8.0.12 Released!

The PHP development team announces the immediate availability of PHP 8.0.12. This is a security fix release.
All PHP 8.0 users are encouraged to upgrade to this version.
For source downloads of PHP 8.0.12 please visit our downloads page, Windows source and binaries can be found on windows.php.net/download/. The list of changes is recorded in the ChangeLog.
 
@smtalk PHP imagick extension has also been updated to v3.5.1 with full PHP8 support, latest in CB is 3.4.4.

ImageMagick also has a newer version: latest version is 7.1.0-10

--

And while we're at it :LOL:, Composer has also been updated to 2.1.9
 
@smtalk

Restarting php-fpm80.

imagick 3.5.1 PHP extension has been installed successfully.

Latest version of ImageMagick: 7.1.0-10
Installed version of ImageMagick: 7.1.0-10

Latest version of imagick: 3.5.1
Installed version of imagick: @PACKAGE_VERSION@

Imagick @PACKAGE_VERSION@ to 3.5.1 update is available.
 
Just look how the devs work on it:

"There's not that much rush though as we classify those as a low security impact because one needs to have access to the worker first. Basically it's a problem just for the shared hostings but most users should not be impacted. Still security issue though."

and after somebody disagreed and suggested that a CVE must be given, the same guy said:

"Yeah it's probably more medium so it should get CVE."

and later even:

"Also I decided to target only 7.4+ as 7.3 will be soon out of security support"

I am speechless. Even 7.3 is still in security support, they did not patch it... And this is a security patch which is related to root privilege escalation!!!
 
I spoke with Martynas regarding this in a ticket and he backported the security fix in PHP 5.6+ from rev 2769 so it should be a recompile now to resolve it!
 
Looks like tomorrow they will release 7.3.22 with the patch.

Also the same patch works for 7.2 and 7.1 but doesn't work for PHP 5.6.

As I am not using DirectAdmin, is there any way to see the patch for 5.6?
 
CustomBuild patches versions 5.6 and up automatically.
 
Got an auto update notification this morning...

PHP 5.6: 5.6.40 to 5.6.40 update is available.
PHP 7.3: 7.3.31 to 7.3.31 update is available.

Looks like both versions downloaded a new patch file, fpm_scoreboard_proc_oob_fix_v4_5.6.patch and fpm_scoreboard_proc_oob_fix_v4.patch respectively.
Do those version numbers seem right?
 