search

invoiceninja / dockerfiles

Docker files for Invoice Ninja
https://hub.docker.com/r/invoiceninja/invoiceninja
GNU General Public License v2.0
398 stars 264 forks source link

Update php to fix CVE's #522

Closed jsargent8789 closed 1 year ago

jsargent8789 commented 1 year ago

Update php from 8.1.13 to 8.1.21

List of Bug fixes and CVE's

06 Jun 2023

CLI:
    Fixed bug [GH-11246](https://github.com/php/php-src/issues/11246) (cli/get_set_process_title fails on MacOS).
Core:
    Fixed build for the riscv64 architecture/GCC 12.
Curl:
    Fixed bug [GH-11433](https://github.com/php/php-src/issues/11433) (Unable to set CURLOPT_ACCEPT_ENCODING to NULL).
DOM:
    Fixed bugs [GH-11288](https://github.com/php/php-src/issues/11288) and [GH-11289](https://github.com/php/php-src/issues/11289) and [GH-11290](https://github.com/php/php-src/issues/11290) and [GH-9142](https://github.com/php/php-src/issues/9142) (DOMExceptions and segfaults with replaceWith).
    Fixed bug [GH-10234](https://github.com/php/php-src/issues/10234) (Setting DOMAttr::textContent results in an empty attribute value).
    Fix return value in stub file for DOMNodeList::item.
    Fix spec compliance error with '*' namespace for DOMDocument::getElementsByTagNameNS.
    Fix DOMElement::append() and DOMElement::prepend() hierarchy checks.
    Fixed bug [GH-11347](https://github.com/php/php-src/issues/11347) (Memory leak when calling a static method inside an xpath query).
    Fixed bug [#67440](http://bugs.php.net/67440) (append_node of a DOMDocumentFragment does not reconcile namespaces).
    Fixed bug [#81642](http://bugs.php.net/81642) (DOMChildNode::replaceWith() bug when replacing a node with itself).
    Fixed bug [#77686](http://bugs.php.net/77686) (Removed elements are still returned by getElementById).
    Fixed bug [#70359](http://bugs.php.net/70359) (print_r() on DOMAttr causes Segfault in php_libxml_node_free_list()).
    Fixed bug [#78577](http://bugs.php.net/78577) (Crash in DOMNameSpace debug info handlers).
    Fix lifetime issue with getAttributeNodeNS().
    Fix "invalid state error" with cloned namespace declarations.
    Fixed bug [#55294](http://bugs.php.net/55294) and #47530 and #47847 (various namespace reconciliation issues).
    Fixed bug [#80332](http://bugs.php.net/80332) (Completely broken array access functionality with DOMNamedNodeMap).
Opcache:
    Fix allocation loop in zend_shared_alloc_startup().
    Access violation on smm_shared_globals with ALLOC_FALLBACK.
    Fixed bug [GH-11336](https://github.com/php/php-src/issues/11336) (php still tries to unlock the shared memory ZendSem with opcache.file_cache_only=1 but it was never locked).
OpenSSL:
    Fixed bug [GH-9356](https://github.com/php/php-src/issues/9356) Incomplete validation of IPv6 Address fields in subjectAltNames (James Lucas, Jakub Zelenka).
PGSQL:
    Fixed intermittent segfault with pg_trace.
Phar:
    Fix cross-compilation check in phar generation for FreeBSD.
SPL:
    Fixed bug [GH-11338](https://github.com/php/php-src/issues/11338) (SplFileInfo empty getBasename with more than one slash).
Standard:
    Fix access on NULL pointer in array_merge_recursive().
    Fix exception handling in array_multisort().

Version 8.1.20 08 Jun 2023

Core:
    Fixed bug [GH-9068](https://github.com/php/php-src/issues/9068) (Conditional jump or move depends on uninitialised value(s)).
    Fixed bug [GH-11189](https://github.com/php/php-src/issues/11189) (Exceeding memory limit in zend_hash_do_resize leaves the array in an invalid state).
    Fixed bug [GH-11222](https://github.com/php/php-src/issues/11222) (foreach by-ref may jump over keys during a rehash).
Date:
    Fixed bug [GH-11281](https://github.com/php/php-src/issues/11281) (DateTimeZone::getName() does not include seconds in offset).
Exif:
    Fixed bug [GH-10834](https://github.com/php/php-src/issues/10834) (exif_read_data() cannot read smaller stream wrapper chunk sizes).
FPM:
    Fixed bug [GH-10461](https://github.com/php/php-src/issues/10461) (PHP-FPM segfault due to after free usage of child->ev_std(out|err)).
    Fixed bug [#64539](http://bugs.php.net/64539) (FPM status page: query_string not properly JSON encoded).
    Fixed memory leak for invalid primary script file handle.
Hash:
    Fixed bug [GH-11180](https://github.com/php/php-src/issues/11180) (hash_file() appears to be restricted to 3 arguments).
LibXML:
    Fixed bug [GH-11160](https://github.com/php/php-src/issues/11160) (Few tests failed building with new libxml 2.11.0).
Opcache:
    Fixed bug [GH-11134](https://github.com/php/php-src/issues/11134) (Incorrect match default branch optimization).
    Fixed too wide OR and AND range inference.
    Fixed bug [GH-11245](https://github.com/php/php-src/issues/11245) (In some specific cases SWITCH with one default statement will cause segfault).
PGSQL:
    Fixed parameter parsing of pg_lo_export().
Phar:
    Fixed bug [GH-11099](https://github.com/php/php-src/issues/11099) (Generating phar.php during cross-compile can't be done).
Soap:
    Fixed bug GHSA-76gg-c692-v2mw (Missing error check and insufficient random bytes in HTTP Digest authentication for SOAP). (CVE-2023-3247)
    Fixed bug [GH-8426](https://github.com/php/php-src/issues/8426) (make test fail while soap extension build).
SPL:
    Fixed bug [GH-11178](https://github.com/php/php-src/issues/11178) (Segmentation fault in spl_array_it_get_current_data (PHP 8.1.18)).
Standard:
    Fixed bug [GH-11138](https://github.com/php/php-src/issues/11138) (move_uploaded_file() emits open_basedir warning for source file).
    Fixed bug [GH-11274](https://github.com/php/php-src/issues/11274) (POST/PATCH request switches to GET after a HTTP 308 redirect).
Streams:
    Fixed bug [GH-10031](https://github.com/php/php-src/issues/10031) ([Stream] STREAM_NOTIFY_PROGRESS over HTTP emitted irregularly for last chunk of data).
    Fixed bug [GH-11175](https://github.com/php/php-src/issues/11175) (Stream Socket Timeout).
    Fixed bug [GH-11177](https://github.com/php/php-src/issues/11177) (ASAN UndefinedBehaviorSanitizer when timeout = -1 passed to stream_socket_accept/stream_socket_client).

Version 8.1.19 11 May 2023

Core:
    Fix inconsistent float negation in constant expressions.
    Fixed bug [GH-8841](https://github.com/php/php-src/issues/8841) (php-cli core dump calling a badly formed function).
    Fixed bug [GH-10737](https://github.com/php/php-src/issues/10737) (PHP 8.1.16 segfaults on line 597 of sapi/apache2handler/sapi_apache2.c).
    Fixed bug [GH-11028](https://github.com/php/php-src/issues/11028) (Heap Buffer Overflow in zval_undefined_cv.).
    Fixed bug [GH-11108](https://github.com/php/php-src/issues/11108) (Incorrect CG(memoize_mode) state after bailout in ??=).
DOM:
    Fixed bug [#80602](http://bugs.php.net/80602) (Segfault when using DOMChildNode::before()).
    Fixed incorrect error handling in dom_zvals_to_fragment().
Exif:
    Fixed bug [GH-9397](https://github.com/php/php-src/issues/9397) (exif read : warnings and errors : Potentially invalid endianess, Illegal IFD size and Undefined index).
Intl:
    Fixed bug [GH-11071](https://github.com/php/php-src/issues/11071) (TZData version not displayed anymore).
PCRE:
    Fixed bug [GH-10968](https://github.com/php/php-src/issues/10968) (Segfault in preg_replace_callback_array()).
Standard:
    Fixed bug [GH-10990](https://github.com/php/php-src/issues/10990) (mail() throws TypeError after iterating over $additional_headers array by reference).
    Fixed bug [GH-9775](https://github.com/php/php-src/issues/9775) (Duplicates returned by array_unique when using enums).

Version 8.1.18 13 Apr 2023

Core:
    Added optional support for max_execution_time in ZTS/Linux builds.
    Fixed use-after-free in recursive AST evaluation.
    Fixed bug [GH-8646](https://github.com/php/php-src/issues/8646) (Memory leak PHP FPM 8.1).
    Fixed bug [GH-10801](https://github.com/php/php-src/issues/10801) (Named arguments in CTE functions cause a segfault).
    Fixed bug [GH-8789](https://github.com/php/php-src/issues/8789) (PHP 8.0.20 (ZTS) zend_signal_handler_defer crashes on apache).
    Fixed bug [GH-10015](https://github.com/php/php-src/issues/10015) (zend_signal_handler_defer crashes on apache shutdown).
    Fixed bug [GH-10810](https://github.com/php/php-src/issues/10810) (Fix NUL byte terminating Exception::__toString()).
    Fix potential memory corruption when mixing __callStatic() and FFI.
Date:
    Fixed bug [GH-10583](https://github.com/php/php-src/issues/10583) (DateTime modify with tz pattern should not update linked timezone).
FPM:
    Fixed bug [GH-10611](https://github.com/php/php-src/issues/10611) (fpm_env_init_main leaks environ).
    Destroy file_handle in fpm_main.
    Fixed bug [#74129](http://bugs.php.net/74129) (Incorrect SCRIPT_NAME with apache ProxyPassMatch when spaces are in path).
FTP:
    Propagate success status of ftp_close().
    Fixed bug [GH-10521](https://github.com/php/php-src/issues/10521) (ftp_get/ftp_nb_get resumepos offset is maximum 10GB).
IMAP:
    Fix build failure with Clang 16.
MySQLnd:
    Fixed bug [GH-8979](https://github.com/php/php-src/issues/8979) (Possible Memory Leak with SSL-enabled MySQL connections).
Opcache:
    Fixed build for macOS to cater with pkg-config settings.
    Fixed bug [GH-8065](https://github.com/php/php-src/issues/8065) (opcache.consistency_checks > 0 causes segfaults in PHP >= 8.1.5 in fpm context).
OpenSSL:
    Add missing error checks on file writing functions.
PDO Firebird:
    Fixed bug [GH-10908](https://github.com/php/php-src/issues/10908) (Bus error with PDO Firebird on RPI with 64 bit kernel and 32 bit userland).
PDO ODBC:
    Fixed missing and inconsistent error checks on SQLAllocHandle.
Phar:
    Fixed bug [GH-10766](https://github.com/php/php-src/issues/10766) (PharData archive created with Phar::Zip format does not keep files metadata (datetime)).
    Add missing error checks on EVP_MD_CTX_create() and EVP_VerifyInit().
PGSQL:
    Fixed typo in the array returned from pg_meta_data (extended mode).
SPL:
    Fixed bug [GH-10519](https://github.com/php/php-src/issues/10519) (Array Data Address Reference Issue).
    Fixed bug [GH-10844](https://github.com/php/php-src/issues/10844) (ArrayIterator allows modification of readonly props).
Standard:
    Fixed bug [GH-10885](https://github.com/php/php-src/issues/10885) (stream_socket_server context leaks).
    Fixed bug [GH-10052](https://github.com/php/php-src/issues/10052) (Browscap crashes PHP 8.1.12 on request shutdown (apache2)).
    Fixed oss-fuzz #57392 (Buffer-overflow in php_fgetcsv() with \0 delimiter and enclosure).
    Fixed undefined behaviour in unpack().

Version 8.1.17 16 Mar 2023

Core:
    Fixed incorrect check condition in ZEND_YIELD.

    Fixed incorrect check condition in type inference.

    Fixed overflow check in OnUpdateMemoryConsumption.

    Fixed bug [GH-9916](https://github.com/php/php-src/issues/9916) (Entering shutdown sequence with a fiber suspended in a Generator emits an unavoidable fatal error or crashes).

    Fixed bug [GH-10437](https://github.com/php/php-src/issues/10437) (Segfault/assertion when using fibers in shutdown function after bailout).

Fixed SSA object type update for compound assignment opcodes.

    Fixed language scanner generation build.

    Fixed zend_update_static_property() calling zend_update_static_property_ex() misleadingly with the wrong return type.

    Fix bug [GH-10570](https://github.com/php/php-src/issues/10570) (Fixed unknown string hash on property fetch with integer constant name).

    Fixed php_fopen_primary_script() call resulted on zend_destroy_file_handle() freeing dangling pointers on the handle as it was uninitialized.

Curl:

    Fixed deprecation warning at compile time.

    Fixed bug [GH-10270](https://github.com/php/php-src/issues/10270) (Unable to return CURL_READFUNC_PAUSE in readfunc

callback).

Date:

    Fix [GH-10447](https://github.com/php/php-src/issues/10447) ('p' format specifier does not yield 'Z' for 00:00).
FFI:

    Fixed incorrect bitshifting and masking in ffi bitfield.

Fiber:

    Fixed assembly on alpine x86.

    Fixed bug [GH-10496](https://github.com/php/php-src/issues/10496) (segfault when garbage collector is invoked inside of fiber).

FPM:

    Fixed bug [GH-10315](https://github.com/php/php-src/issues/10315) (FPM unknown child alert not valid).

    Fixed bug [GH-10385](https://github.com/php/php-src/issues/10385) (FPM successful config test early exit).
Intl:

    Fixed bug [GH-10647](https://github.com/php/php-src/issues/10647) (Spoolchecker isSuspicious/areConfusable methods error code's argument always returning NULL0.
JSON:

    Fixed JSON scanner and parser generation build.

MBString:

    ext/mbstring: fix new_value length check.

    Fix bug [GH-10627](https://github.com/php/php-src/issues/10627) (mb_convert_encoding crashes PHP on Windows).

Opcache:

    Fix incorrect page_size check.

OpenSSL:

    Fixed php_openssl_set_server_dh_param() DH params errors handling.

PDO OCI:
    Fixed bug [#60994](http://bugs.php.net/60994) (Reading a multibyte CLOB caps at 8192 chars).

PHPDBG:

    Fixed bug [GH-10715](https://github.com/php/php-src/issues/10715) (heap buffer overflow on --run option misuse).

PGSQL:

    Fix [GH-10672](https://github.com/php/php-src/issues/10672) (pg_lo_open segfaults in the strict_types mode).

Phar:

    Fix incorrect check in phar tar parsing.

Reflection:

    Fixed bug [GH-10623](https://github.com/php/php-src/issues/10623) (Reflection::getClosureUsedVariables opcode fix with variadic arguments).

    Fix Segfault when using ReflectionFiber suspended by an internal function.

Session:

    Fixed ps_files_cleanup_dir() on failure code paths with -1 instead of 0 as the latter was considered success by callers. (nielsdos).
Standard:
    Fixed bug [GH-10292](https://github.com/php/php-src/issues/10292) (Made the default value of the first param of srand() and mt_srand() unknown).
    Fix incorrect check in cs_8559_5 in map_from_unicode().
    Fix bug [GH-9697](https://github.com/php/php-src/issues/9697) for reset/end/next/prev() attempting to move pointer of properties table for certain internal classes such as FFI classes
    Fix incorrect error check in browsecap for pcre2_match().
Tidy:
    Fix memory leaks when attempting to open a non-existing file or a file over 4GB.
    Add missing error check on tidyLoadConfig.
Zlib:
    Fixed output_handler directive value's length which counted the string terminator.

Version 8.1.16 14 Feb 2023

Core:
    Fixed bug [#81744](http://bugs.php.net/81744) (Password_verify() always return true with some hash).
    Fixed bug [#81746](http://bugs.php.net/81746) (1-byte array overrun in common path resolve code).
SAPI:
    Fixed bug GHSA-54hq-v5wp-fqgv (DOS vulnerability when parsing multipart request body). (CVE-2023-0662)

Version 8.1.15 02 Feb 2023

Apache:
    Fixed bug [GH-9949](https://github.com/php/php-src/issues/9949) (Partial content on incomplete POST request).
Core:
    Fixed bug [GH-10072](https://github.com/php/php-src/issues/10072) (PHP crashes when execute_ex is overridden and a __call trampoline is used from internal code).
    Fix [GH-10251](https://github.com/php/php-src/issues/10251) (Assertion `(flag & (1<<3)) == 0' failed).
    Fix wrong comparison in block optimisation pass after opcode update.
Date:
    Fixed bug [GH-9891](https://github.com/php/php-src/issues/9891) (DateTime modify with unixtimestamp (@) must work like setTimestamp).
    Fixed bug [GH-10218](https://github.com/php/php-src/issues/10218) (DateTimeZone fails to parse time zones that contain the "+" character).
Fiber:
    Fix assertion on stack allocation size.
FPM:
    Fixed bug [GH-9981](https://github.com/php/php-src/issues/9981) (FPM does not reset fastcgi.error_header).
    Fixed bug [#67244](http://bugs.php.net/67244) (Wrong owner:group for listening unix socket).
Hash:
    Handle exceptions from __toString in XXH3's initialization (nielsdos)
LDAP:
    Fixed bug [GH-10112](https://github.com/php/php-src/issues/10112) (LDAP\Connection::__construct() refers to ldap_create()).
MBString:
    Fixed: mb_strlen (and a couple of other mbstring functions) would wrongly treat 0x80, 0xFD, 0xFE, 0xFF, and certain other byte values as the first byte of a 2-byte SJIS character.
Opcache:
    Fix inverted bailout value in zend_runtime_jit() (Max Kellermann).
    Fix access to uninitialized variable in accel_preload().
    Fix zend_jit_find_trace() crashes.
    Added missing lock for EXIT_INVALIDATE in zend_jit_trace_exit.
Phar:
    Fix wrong flags check for compression method in phar_object.c (nielsdos)
PHPDBG:
    Fix undefined behaviour in phpdbg_load_module_or_extension().
    Fix NULL pointer dereference in phpdbg_create_conditional_breal().
    Fix [GH-9710](https://github.com/php/php-src/issues/9710): phpdbg memory leaks by option "-h" (nielsdos)
    Fix phpdbg segmentation fault in case of malformed input (nielsdos)
Posix:
    Fix memory leak in posix_ttyname() (girgias)
Standard:
    Fix [GH-10187](https://github.com/php/php-src/issues/10187) (Segfault in stripslashes() with arm64).
    Fix substr_replace with slots in repl_ht being UNDEF.
TSRM:
    Fixed Windows shmget() wrt. IPC_PRIVATE.
XMLWriter:
    Fix missing check for xmlTextWriterEndElement (nielsdos)

Version 8.1.14 05 Jan 2023

Core:
    Fixed bug [GH-9905](https://github.com/php/php-src/issues/9905) (constant() behaves inconsistent when class is undefined).
    Fixed bug [GH-9918](https://github.com/php/php-src/issues/9918) (License information for xxHash is not included in README.REDIST.BINS file).
    Fixed bug [GH-9650](https://github.com/php/php-src/issues/9650) (Can't initialize heap: [0x000001e7]).
    Fixed potentially undefined behavior in Windows ftok(3) emulation.
Date:
    Fixed bug [GH-9699](https://github.com/php/php-src/issues/9699) (DateTimeImmutable::diff differences in 8.1.10 onwards - timezone related).
    Fixed bug [GH-9700](https://github.com/php/php-src/issues/9700) (DateTime::createFromFormat: Parsing TZID string is too greedy).
    Fixed bug [GH-9866](https://github.com/php/php-src/issues/9866) (Time zone bug with \DateTimeInterface::diff()).
    Fixed bug [GH-9880](https://github.com/php/php-src/issues/9880) (DateTime diff returns wrong sign on day count when using a timezone).
FPM:
    Fixed bug [GH-9959](https://github.com/php/php-src/issues/9959) (Solaris port event mechanism is still broken after bug #66694).
    Fixed bug [#68207](http://bugs.php.net/68207) (Setting fastcgi.error_header can result in a WARNING).
    Fixed bug [GH-8517](https://github.com/php/php-src/issues/8517) (Random crash of FPM master process in fpm_stdio_child_said).
MBString:
    Fixed bug [GH-9535](https://github.com/php/php-src/issues/9535) (The behavior of mb_strcut in mbstring has been changed in PHP8.1).
Opcache:
    Fixed bug [GH-9968](https://github.com/php/php-src/issues/9968) (Segmentation Fault during OPCache Preload).
OpenSSL:
    Fixed bug [GH-9064](https://github.com/php/php-src/issues/9064) (PHP fails to build if openssl was built with --no-ec).
    Fixed bug [GH-10000](https://github.com/php/php-src/issues/10000) (OpenSSL test failures when OpenSSL compiled with no-dsa).
Pcntl:
    Fixed bug [GH-9298](https://github.com/php/php-src/issues/9298) (Signal handler called after rshutdown leads to crash).
PDO_Firebird:
    Fixed bug [GH-9971](https://github.com/php/php-src/issues/9971) (Incorrect NUMERIC value returned from PDO_Firebird).
PDO/SQLite:
    Fixed bug [#81740](http://bugs.php.net/81740) (PDO::quote() may return unquoted string). (CVE-2022-31631)
Session:
    Fixed [GH-9932](https://github.com/php/php-src/issues/9932) (session name silently fails with . and [).
SPL:
    Fixed [GH-9883](https://github.com/php/php-src/issues/9883) (SplFileObject::__toString() reads next line).
    Fixed [GH-10011](https://github.com/php/php-src/issues/10011) (Trampoline autoloader will get reregistered and cannot be unregistered).
SQLite3:
    Fixed bug [#81742](http://bugs.php.net/81742) (open_basedir bypass in SQLite3 by using file URI).
turbo124 commented 1 year ago

The next version will be built with PHP 8.2, the existing image was no longer maintained.