PHP 7.3.31, 7.4.24, and 8.0.11 Released with Bug and Security Fixes
PHP versions 7.3.31, 7.4.24, and 8.0.11 are released with several bug fixes and a security fix.
All of these versions fix a security vulnerability (CVE-2021-21706) in the Zip extension.
Prior to this fix, ZipArchive::extractTo method may extract a Zip archive outside the destination directory under certain file path names in Windows systems. This bug is now fixed in all current supported PHP versions.
Along with the security fix, PHP 7.3.31, 7.4.24, and 8.0.11 also fix several bugs. See the changelog for the list of changes.
The latest releases are available from the PHP git repository, Docker images, and repositories for Ubuntu, Fedora, etc. Compiled Windows binaries are also at windows.php.net
Changelog of 8.0.11
- Core:
- GD:
- Fixed #53580: During resize gdImageCopyResampled cause colors change
- Opcache:
- Fixed #81353: Segfault with preloading and statically bound closure
- Shmop:
- Fixed #81407:
shmop_open
won't attach and causes php to crash
- Fixed #81407:
- Standard:
- SysVMsg:
- Fixed #78819: Heap Overflow in msg_send
- XML:
- Fixed #81351:
xml_parse
may fail, but has no error code
- Fixed #81351:
- Zip:
- Fixed #81420:
ZipArchive::extractTo
extracts outside of destination). (CVE-2021-21706)
- Fixed #81420:
Changelog of 7.4.24
- Core:
- GD:
- Fixed #53580: During resize gdImageCopyResampled cause colors change
- Opcache:
- Fixed #81353: Segfault with preloading and statically bound closure
- Shmop:
- Fixed #81407:
shmop_open
won't attach and causes php to crash
- Fixed #81407:
- Standard:
- SysVMsg:
- Fixed #78819: Heap Overflow in msg_send
- XML:
- Fixed #81351:
xml_parse
may fail, but has no error code
- Fixed #81351:
- Zip:
Changelog of 7.3.31
- Zip:
- Fixed #81420:
ZipArchive::extractTo
extracts outside of destination). (CVE-2021-21706)
- Fixed #81420: