swoole / swoole-cli

SWOOLE-CLI is a PHP binary distribution composed of swoole, php-core, cli, fpm and most of the common extensions.

update php to 8.1.29 #654

Open aldok10 opened 1 month ago

aldok10 commented 1 month ago

Update PHP from 8.1.27 to 8.1.29:

06 Jun 2024, PHP 8.1.29

- CGI:
  . Fixed bug GHSA-3qgc-jrrr-25jv (Bypass of CVE-2012-1823, Argument Injection
    in PHP-CGI). (CVE-2024-4577) (nielsdos)

- Filter:
  . Fixed bug GHSA-w8qr-v226-r27w (Filter bypass in filter_var FILTER_VALIDATE_URL).
    (CVE-2024-5458) (nielsdos)

- OpenSSL:
  . The openssl_private_decrypt function in PHP, when using PKCS1 padding
    (OPENSSL_PKCS1_PADDING, which is the default), is vulnerable to the Marvin Attack
    unless it is used with an OpenSSL version that includes the changes from this pull
    request: https://github.com/openssl/openssl/pull/13817 (rsa_pkcs1_implicit_rejection).
    These changes are part of OpenSSL 3.2 and have also been backported to stable
    versions of various Linux distributions, as well as to the PHP builds provided for
    Windows since the previous release. All distributors and builders should ensure that
    this version is used to prevent PHP from being vulnerable. (CVE-2024-2408)

- Standard:
  . Fixed bug GHSA-9fcc-425m-g385 (Bypass of CVE-2024-1874).
    (CVE-2024-5585) (nielsdos)

11 Apr 2024, PHP 8.1.28

- Standard:
  . Fixed bug GHSA-pc52-254m-w9w7 (Command injection via array-ish $command
    parameter of proc_open). (CVE-2024-1874) (Jakub Zelenka)
  . Fixed bug GHSA-wpj3-hf5j-x4v4 (__Host-/__Secure- cookie bypass due to
    partial CVE-2022-31629 fix). (CVE-2024-2756) (nielsdos)
  . Fixed bug GHSA-h746-cjrr-wfmr (password_verify can erroneously return true,
    opening ATO risk). (CVE-2024-3096) (Jakub Zelenka)

jingjingxyk commented 1 month ago

Upgrade PHP version steps:

1. Set the PHP version in the `PHP-VERSION.conf` file.

2. Execute the upgrade script (see the file `sync-source-code.php`):

   ```sh
   # test
   php sync-source-code.php

   # release
   php sync-source-code.php --action run
   ```

aldok10 commented 1 month ago

Upgrade PHP version steps:

1. Set the PHP version in the [PHP-VERSION.conf](https://github.com/swoole/swoole-cli/blob/main/sapi/PHP-VERSION.conf) file.

2. Execute the upgrade script (see the file `sync-source-code.php`):

   ```sh
   # test
   php sync-source-code.php

   # release
   php sync-source-code.php --action run
   ```

The pull request (PR) needs to be implemented because the previous version contains significant security vulnerabilities. These issues pose a serious risk to the system's integrity and the data it manages. Addressing these vulnerabilities is crucial to ensure that the system remains secure and that sensitive information is protected from potential threats. By making the necessary updates and improvements through this PR, we aim to enhance the overall security posture and mitigate any risks associated with the identified flaws in the earlier version.
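A post-upgrade check for the procedure described in this thread, added here as an example; it is not part of swoole-cli or of this PR. After bumping `PHP-VERSION.conf` and running `sync-source-code.php`, it asks the resulting binary for `PHP_VERSION` and confirms the version is at or above 8.1.29, the release carrying the fixes listed above, so a stale or mis-synced build cannot ship unnoticed. The binary path (`bin/swoole-cli` in the usage comment) is an assumed example; pass whatever your build produces.

```shell
#!/bin/sh
# Added example (not swoole-cli's own code): verify that the PHP binary built
# after the version bump really reports a version >= 8.1.29.
# Usage: sh check-php-version.sh bin/swoole-cli [MINIMUM]   (path is assumed)

# numeric_version VER: keep only the leading dotted-numeric part so a suffix
# such as "8.1.29-dev" cannot break the integer comparison below.
numeric_version() {
    printf '%s\n' "$1" | sed 's/[^0-9.].*$//'
}

# version_ge A B: return 0 when dotted version A is >= B, 1 otherwise.
# Components are compared as integers, so 8.1.29 > 8.1.3 and 8.2.0 > 8.1.29;
# a missing component counts as 0, so 8.1 < 8.1.29.
version_ge() {
    a=$(numeric_version "$1"); b=$(numeric_version "$2")
    while [ -n "$a" ] || [ -n "$b" ]; do
        ai=${a%%.*}; bi=${b%%.*}
        [ -n "$ai" ] || ai=0
        [ -n "$bi" ] || bi=0
        [ "$ai" -gt "$bi" ] && return 0
        [ "$ai" -lt "$bi" ] && return 1
        case "$a" in *.*) a=${a#*.} ;; *) a= ;; esac
        case "$b" in *.*) b=${b#*.} ;; *) b= ;; esac
    done
    return 0
}

# check_php_binary BIN MIN: ask BIN for its PHP_VERSION and compare with MIN.
# Exit status: 0 = ok, 1 = too old, 2 = binary could not be executed.
check_php_binary() {
    bin=$1; min=$2
    ver=$("$bin" -r 'echo PHP_VERSION;' 2>/dev/null) || {
        echo "ERROR: cannot execute $bin" >&2
        return 2
    }
    if version_ge "$ver" "$min"; then
        echo "OK: $bin reports PHP $ver (>= $min)"
        return 0
    fi
    echo "FAIL: $bin reports PHP $ver, but >= $min is required" >&2
    return 1
}

# Only run the check when a binary path is given, so the functions above can
# also be sourced from a CI script. 8.1.29 is the minimum this PR targets.
if [ "$#" -ge 1 ]; then
    check_php_binary "$1" "${2:-8.1.29}"
fi
```

The comparison is done component by component rather than with a string compare, because `8.1.3` sorts after `8.1.29` lexically; the exit status is meant to be used directly as a CI gate after the release step.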