From 8107f111bf5a14a3b2d6075b11419052f8b0ab7d Mon Sep 17 00:00:00 2001 From: Phil Tyler Date: Mon, 15 Apr 2024 13:33:37 -0700 Subject: [PATCH] [CMSP-1007] PHP 8 patch updates (#8931) * [CMSP-1007] PHP 8 patch updates * Links for CVEs * PHP 82 * Escape bold with underscores --- source/releasenotes/2024-04-15-php-81-82-82.md | 16 ++++++++++++++++ 1 file changed, 16 insertions(+) create mode 100644 source/releasenotes/2024-04-15-php-81-82-82.md diff --git a/source/releasenotes/2024-04-15-php-81-82-82.md b/source/releasenotes/2024-04-15-php-81-82-82.md new file mode 100644 index 0000000000..ea73e5dfbe --- /dev/null +++ b/source/releasenotes/2024-04-15-php-81-82-82.md @@ -0,0 +1,16 @@ +--- +title: "PHP 8.1, 8.2 and 8.3 updated to their latest patch releases" +published_date: "2024-04-15" +categories: [infrastructure, security] +--- +PHP [8.1.28](https://www.php.net/ChangeLog-8.php#PHP_8_1), [8.2.18](https://www.php.net/ChangeLog-8.php#PHP_8_2), and [8.3.6](https://www.php.net/ChangeLog-8.php#PHP_8_3) were released on the platform. They contain the latest bug fixes and security releases for PHP. + +Updates include patches for the following CVEs ( +Common Vulnerabilities and Exposures): + +* [CVE-2024-1874](https://github.com/php/php-src/security/advisories/GHSA-pc52-254m-w9w7) "Command injection via array-ish $command parameter of proc_open even if bypass_shell option enabled on Windows" +* [CVE-2024-2756](https://github.com/php/php-src/security/advisories/GHSA-wpj3-hf5j-x4v4) "\_\_Host-/\_\_Secure- cookie bypass due to partial CVE-2022-31629 fix" +* [CVE-2024-3096](https://github.com/php/php-src/security/advisories/GHSA-h746-cjrr-wfmr) "password_verify can erroneously return true, opening ATO risk" +* [CVE-2024-2757](https://github.com/php/php-src/security/advisories/GHSA-fjp9-9hwx-59fq) "mb_encode_mimeheader runs endlessly for some inputs" (PHP 8.3 only) + +As a reminder, PHP 8.0 reached End-of-Life on 26 November 2023. For the best performance and security, Pantheon recommends running PHP 8.2 and above.