PHP 7.4.12, 7.3.24

The PHP development team announces the immediate availability of PHP 7.4.12. This is a bug fix release.

All PHP 7.4 users are encouraged to upgrade to this version.

The PHP development team announces the immediate availability of PHP 7.3.24. This is a bug fix release.

All PHP 7.3 users are encouraged to upgrade to this version.

PHP 7.2.34, 7.3.23, 7.4.11

01 Oct 2020

The PHP development team announces the immediate availability of PHP 7.3.23. This is a security release.

All PHP 7.3 users are encouraged to upgrade to this version.

01 Oct 2020

The PHP development team announces the immediate availability of PHP 7.4.11. This is a security release.

All PHP 7.4 users are encouraged to upgrade to this version.

01 Oct 2020

The PHP development team announces the immediate availability of PHP 7.2.34. This is a security release.

All PHP 7.2 users are encouraged to upgrade to this version.

PHP 8.0.0 Alpha 1 available for testing

The PHP team is pleased to announce the first testing release of PHP 8.0.0, Alpha 1. This starts the PHP 8.0 release cycle, the rough outline of which is specified in the PHP Wiki.

For source downloads of PHP 8.0.0 Alpha 1 please visit the download page.

Please carefully test this version and report any issues found in the bug reporting system.

Please DO NOT use this version in production, it is an early test version.

For more information on the new features and other changes, you can read the NEWS file, or the UPGRADING file for a complete list of upgrading notes. These files can also be found in the release archive.

The next release will be Alpha 2, planned for 9 Jul 2020.

PHP 7.2.31 Released

The PHP development team announces the immediate availability of PHP 7.2.31. This is a security release.

All PHP 7.2 users are encouraged to upgrade to this version.

PHP 7.3.19 Released

The PHP development team announces the immediate availability of PHP 7.3.19. This is a bug fix release.

All PHP 7.3 users are encouraged to upgrade to this version.

PHP 7.4.7 Released!

The PHP development team announces the immediate availability of PHP 7.4.7. This is a bug fix release.

All PHP 7.4 users are encouraged to upgrade to this version.

PHP 7.3.17 Released

16 Apr 2020

The PHP development team announces the immediate availability of PHP 7.3.17. This is a security release which also contains several bug fixes.

All PHP 7.3 users are encouraged to upgrade to this version.

PHP 7.4.5 Released

16 Apr 2020

The PHP development team announces the immediate availability of PHP 7.4.5. This is a security release which also contains several bug fixes.

All PHP 7.4 users are encouraged to upgrade to this version.

CVE-2019-11043: PHP-FPM arbitrary code execution vulnerability alert

CVE-2019-11043 is an env_path_info underflow flaw in PHP-FPM’s fpm_main.c. The vulnerability was first reported to the PHP bug-tracker by security researcher Emil Lerner on September 26, 2019. Lerner also credits Andrew Danau, a security researcher at Wallarm, who identified the “anomaly” during a Capture The Flag competition in September 2019, and Ganiev for helping to finalize the php.ini options for the PoC.

What’s vulnerable

If a web server runs Nginx + PHP-FPM and Nginx has a configuration like

which also lacks any script existence check (such as try_files), then you are probably vulnerable.

The full list of preconditions

  1. Nginx + PHP-FPM, location ~ [^/]\.php(/|$) must be forwarded to PHP-FPM.
  2. The fastcgi_split_path_info directive must be there and contain a regexp starting with ^ and ending with $, so we can break it with a newline character.
  3. There must be a PATH_INFO variable assignment via statement fastcgi_param PATH_INFO $fastcgi_path_info;. Note that it isn’t always present in the fastcgi_params file.
  4. No file existence checks like try_files $uri =404 or if (-f $uri). If Nginx drops requests to non-existing scripts before FastCGI forwarding, the code execution can’t be triggered. Adding this is also the easiest way to patch.
  5. The bug itself is present in earlier versions.
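The following is an added example, not part of the advisory: a POSIX sh check that inspects an nginx `location` block for the three configuration preconditions listed above (a `fastcgi_split_path_info` regexp anchored with `^` and `$`, `PATH_INFO` assigned from `$fastcgi_path_info`, and no `try_files $uri =404` / `if (-f $uri)` existence check). The two configuration samples are constructed; the split regexp `^(.+?\.php)(/.*)$` and the socket path are assumed typical values, not taken from the advisory. It only greps configuration text, which is a heuristic, so a block assembled from `include` files or written on unusual lines should be reviewed by hand.

```shell
#!/bin/sh
# Added example: checks an nginx location block against the CVE-2019-11043
# preconditions from the advisory. It reads configuration text only.

# Constructed sample: the vulnerable shape, assembled from the preconditions.
# The split regexp and socket path are assumed typical values.
VULNERABLE_CONF='
location ~ [^/]\.php(/|$) {
    fastcgi_split_path_info ^(.+?\.php)(/.*)$;
    fastcgi_param PATH_INFO $fastcgi_path_info;
    fastcgi_pass unix:/run/php-fpm.sock;
}
'

# Constructed sample: the same block with the existence check the advisory
# names as the easiest way to patch (try_files $uri =404).
HARDENED_CONF='
location ~ [^/]\.php(/|$) {
    try_files $uri =404;
    fastcgi_split_path_info ^(.+?\.php)(/.*)$;
    fastcgi_param PATH_INFO $fastcgi_path_info;
    fastcgi_pass unix:/run/php-fpm.sock;
}
'

# is_vulnerable_location CONFIG_TEXT
# Prints one line per precondition and succeeds (exit 0) only when all
# three hold, i.e. the block matches the vulnerable pattern.
is_vulnerable_location() {
    conf=$1
    hits=0
    # Precondition 2: fastcgi_split_path_info regexp anchored with ^ ... $
    if printf '%s\n' "$conf" | grep -Eq 'fastcgi_split_path_info[[:space:]]+\^.*\$;'; then
        echo "  [x] fastcgi_split_path_info regexp anchored with ^ and \$"
        hits=$((hits + 1))
    fi
    # Precondition 3: PATH_INFO taken from $fastcgi_path_info
    if printf '%s\n' "$conf" | grep -Eq 'fastcgi_param[[:space:]]+PATH_INFO[[:space:]]+\$fastcgi_path_info'; then
        echo "  [x] PATH_INFO assigned from \$fastcgi_path_info"
        hits=$((hits + 1))
    fi
    # Precondition 4: no script existence check before forwarding to FPM
    if printf '%s\n' "$conf" | grep -Eq 'try_files[[:space:]]+\$uri[[:space:]]+=404|if[[:space:]]*\(-f[[:space:]]+\$uri\)'; then
        echo "  [ ] script existence check present"
    else
        echo "  [x] no script existence check (try_files \$uri =404 or if (-f \$uri))"
        hits=$((hits + 1))
    fi
    [ "$hits" -eq 3 ]
}

echo "vulnerable sample:"
is_vulnerable_location "$VULNERABLE_CONF" && echo "  -> matches all CVE-2019-11043 configuration preconditions"
echo "hardened sample:"
is_vulnerable_location "$HARDENED_CONF" || echo "  -> does not match (existence check present)"
```

Precondition 1 (the `location` regexp forwarding to PHP-FPM) and precondition 5 (the PHP version) are not checked here; confirm the PHP-FPM version separately and upgrade as the Fixes section describes, since `try_files` is a mitigation in front of the bug rather than a fix of it.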

Fixes

The newest releases, PHP 7.1.33, 7.2.24 and 7.3.11, fix the bug. Users are encouraged to upgrade to one of these versions.