PHP Minor versions impact report

This is the list of bug fixes found in minor versions of PHP that may impact your code.

Title 7.3 7.2 7.1 7.0 php-src Bugs CVE
Opcache causes incorrect "undefined variable" errors - 7.1.18 7.1.18 7.1.18 - #76281 -
ldap_bind using ldaps or ldap_start_tls()=exception in libcrypto-1_1-x64.dll - 7.2.15 - - - #77440 -
DateTime::diff gives wrong diff when the actual diff is less than 1 second - 7.2.14 - - - #77097 -
Issue with re-binding on SQLite3 - 7.2.14 - - - #77051 -
U_ARGUMENT_TYPE_MISMATCH - 7.2.12 7.1.24 - - #76942 -
tidy::getOptDoc() not available on Windows - 7.2.12 7.1.24 - - #77027 -
fractions in `diff()` are not correctly normalized - 7.2.12 - - - #77007 -
ReflectionFunction::invoke does not invoke closure with object scope - 7.2.12 - - - #66430 -
Wrong exception being thrown when using ReflectionMethod - 7.2.11 7.1.23 - - #74454 -
Bindto IPv6 works with file_get_contents but fails with stream_socket_client - 7.2.11 7.1.23 - - #74764 -
php_zlib_inflate_filter() may not update bytes_consumed - 7.2.11 7.1.23 - - #75273 -
Memory leak when fetching a BLOB field - 7.2.9 - - - #76488 -
Possible Memory Leak using PDO::CURSOR_SCROLL option - 7.2.9 - - - #75402 -
Segmentation fault when using `output_add_rewrite_var` - 7.2.9 - - - #76643 -
ZipArchive memory leak (OVERWRITE flag and empty archive) - 7.2.9 - - - #76524 -
NoRewindIterator segfault 11 - 7.2.7 - - - #76367 -
Malicious LDAP-Server Response causes Crash - 7.2.5 7.1.17 7.0.30 - #76248 -
mismatch arginfo for date_create - 7.2.5 7.1.17 - - #76131 -
Wrong cp1251 detection - 7.2.5 7.1.17 - - #75944 -
Intl compilation fails with icu4c 61.1 - 7.2.5 - - - #76153 -
mbstring does not build with Oniguruma 6.8.1 - 7.2.5 - - - #76113 -
Access violation when using opcache - 7.2.5 - - - #76094 -
wrong unicode mapping in some charsets - 7.2.4 7.1.15 7.0.29 - #62545 -
Assertion failure in live range DCE due to block pass misoptimization - 7.2.4 7.1.15 7.0.29 - #75969 -
Segmentation fault in buildFromIterator when directory name contains a \n - 7.2.4 7.1.15 7.0.29 - #76085 -
Timezone gets truncated when formatted - 7.2.3 7.1.15 - - #75857 -
Argument 2 for `DateTimeZone::listIdentifiers()` should accept `null` - 7.2.3 7.1.15 - - #75928 -
deal with leading slash while adding files correctly - 7.2.3 7.1.15 - - #65414 -
strange behavior of AppendIterator - 7.2.3 7.1.15 - - #74519 -
Prevent reading beyond buffer start in http wrapper - 7.2.3 7.1.15 - - #75981 -
Phar::extractTo() does not accept specific directories to be extracted - 7.2.3 - - - #54289 -
opcache segfault when installing Bitrix - 7.2.3 - - - #75729 -
file_get_contents $http_response_header variable bugged with opcache - 7.2.3 - - - #75893 -
SoapClient generates E_ERROR even if exceptions=1 is used - 7.2.2 7.1.14 - - #70469 -
RecursiveArrayIterator does not traverse arrays by reference - 7.2.2 7.1.14 - - #75717 -
RecursiveArrayIterator doesn't have constants from parent class - 7.2.2 7.1.14 - - #75242 -
RecursiveArrayIterator does not iterate object properties - 7.2.2 7.1.14 - - #73209 -
Using @ crashes php7.2-fpm - 7.2.2 - - - #75698 -
array_values don't work on empty array - 7.2.2 - - - #75653 -
remove file name from output to avoid XSS - 7.2.1 7.1.13 - - #74782 -
accept EFAULT in addition to ENOSYS as indicator that getrandom() is missing - 7.2.1 7.1.13 - - #75409 -
Segfault with libzip 1.3.1 - 7.2.1 7.1.13 - - #75540 -
Invalid opcode 138/1/1 - 7.2.1 - - - #75556 -
MessageFormatter::formatMessage memory corruption with 11+ named placeholders - - 7.1.22 - - #74484 -
unusable ssl => peer_fingerprint in stream_context_create() - - 7.1.22 - - #76705 -
RegexIterator pregFlags are NULL instead of 0 - - 7.1.22 - - #68175 -
Zlib version check fails when an include/zlib/ style dir is passed to the --with-zlib configure option - - 7.1.22 - - #65988 -
Undefined property: DateInterval::$f - - 7.1.20 - - #76462 -
Integer Underflow when unserializing GMP and possible other classes - - 7.1.20 - - #74670 -
PHP crashes with core dump when throwing exception in error handler - - 7.1.20 - - #76536 -
ReflectionProperty#getValue() incorrectly works with inherited classes - - 7.1.20 - - #75231 -
self keyword leads to incorrectly generated TypeError when in closure in trait - - 7.1.14 - - #75079 -
Enchant still reports version 1.1.0 - - 7.1.12 7.0.26 - #75365 -
Exif extension has built in revision version - - 7.1.12 7.0.26 - #75301 -
UConverter::setDestinationEncoding changes source instead of destination - - 7.1.12 7.0.26 - #75317 -
infinite loop when printing an error-message - - 7.1.11 7.0.25 - #75236 -
debug info of Closures of internal functions contain garbage argument names - - 7.1.11 7.0.25 - #75290 -
error: 'zend_hash_key' has no member named 'arKey' in apache2handler - - 7.1.11 7.0.25 - #75311 -
The parameter of UConverter::getAliases() is not optional - - 7.1.11 7.0.25 - #75318 -
arcfour encryption stream filter crashes php - - 7.1.11 7.0.25 - #72535 -
applied upstream patch for CVE-2016-1283 - - 7.1.11 7.0.25 - #75207 -
SplDoublyLinkedList::setIteratorMode masks intern flags - - 7.1.11 7.0.25 - #73629 -
Data corruption when reading fields of bit type - - 7.1.11 - - #75018 -
Request hangs and not finish - - 7.1.11 - - #75255 -
Type 'bit' is fetched as unexpected string - - 7.1.11 - - #75177 -
BC math handles minus zero incorrectly - - 7.1.10 7.0.24 - #46781 -
libgd/gd_interpolation.c:1786: suspicious if ? - - 7.1.10 7.0.24 - #75139 -
incorrect behavior of AppendIterator::append in foreach loop - - 7.1.10 7.0.24 - #75173 -
AppendIterator::append() is broken when appending another AppendIterator - - 7.1.10 - - #75155 -
Fixed finding CURL on systems with multiarch support - - 7.1.9 7.0.23 - #74125 -
include_path has a 4096 char limit in some cases - - 7.1.9 7.0.23 - #74991 -
null pointer dereference in _function_string - - 7.1.9 7.0.23 - #74949 -
Unserialize ArrayIterator broken - - 7.1.9 7.0.23 - #74669 -
Crash in recursive iterator destructors - - 7.1.9 7.0.23 - #75015 -
Main CWD initialized with wrong codepage - - 7.1.9 - - #75063 -
Url Rewriting (trans_sid) not working on urls that start with "#" - - 7.1.9 - - #74892 -
Appending AppendIterator leads to segfault - - 7.1.9 - - #74977 -
References to deleted XPath query results - - 7.1.7 7.0.21 - #69373 -
Stack Buffer Overflow in msgfmt_parse_message - - 7.1.7 7.0.21 - #73473 -
Wrong reflection on Collator::getSortKey and collator_get_sort_key - - 7.1.7 7.0.21 - #74705 -
Segfault with opcache.memory_protect and validate_timestamp - - 7.1.7 7.0.21 - #74663 -
Segfault when cast Reflection object to string with undefined constant - - 7.1.7 7.0.21 - #74673 -
null coalescing operator failing with SplFixedArray - - 7.1.7 7.0.21 - #74478 -
ftp:// wrapper ignores context arg - - 7.1.7 7.0.21 - #74598 -
Phar::__construct reflection incorrect - - 7.1.7 7.0.21 - #74386 -
Incorrect conversion array with WSDL_CACHE_MEMORY - - 7.1.7 7.0.21 - #74679 -
implement clone for DatePeriod and DateInterval - - 7.1.7 - - #74639 -
PharData always creates new files with mode 0666 - - - 7.0.33 - #77022 -
Heap Buffer Overflow (READ: 4) in phar_parse_pharfile - - - 7.0.33 - #77143 -
Null Pointer Dereference in timelib_time_clone - - - 7.0.23 - #75002 -
grapheme_strpos illegal memory access - - - 7.0.21 - #73634 -
Segmentation fault in PHP7.1.1(compiled using the bundled PCRE library) - - - 7.0.21 - #74087 -
Invalid Reflection signatures for random_bytes and random_int - - - 7.0.21 - #74708 -
Heap buffer overflow in substr - - - 7.0.21 - #73648 -
PDO MySQL segfaults with persistent connection 7.3.2 - - - - #77289 -
Segmentation Fault when executing method with an empty parameter 7.3.2 - - - - #77410 -
preg_split does not raise an error on invalid UTF-8 7.3.4 - - - - #76127 -
var_export() does not create a parsable value for PHP_INT_MIN 7.3.4 - - - - #76717 -
Extract with EXTR_SKIP should skip $this 7.3.7 - - - - #77135 -
preg_match failed 7.3.7 - - - - #77937 -
Use after free with json serializer 7.3.6 - - - - #77843 -
wrong reflection on Collator::sortWithSortKeys - - 7.1.6 7.0.20 - #74468 -
mysqli::change_user() doesn't accept null as $database argument w/strict_types - - 7.1.6 7.0.20 - #74547 -
SIGSEGV with opcache.revalidate_path enabled - - 7.1.6 7.0.20 - #74596 -
Phar::webPhar() does not handle requests sent through PUT and DELETE method - - 7.1.6 7.0.20 - #51918 -
Wrong reflection on XMLReader::expand - - 7.1.6 7.0.20 - #74457 -
__DIR__ wrong for unicode character - - 7.1.6 - - #74589 -
Wrong reflection on DOMNode::cloneNode - - 7.1.5 7.0.19 - #74416 -
phar method parameters reflection correction - - 7.1.5 7.0.19 - #74383 -
setcookie allows max-age to be negative - - 7.1.5 7.0.19 - #72071 -
multiple catch freezes in some cases - - 7.1.5 - - #74444 -
Intl does not support DateTimeImmutable - - 7.1.5 - - #65683 -
IntlDateFormatter->format() doesn't return microseconds/fractions - - 7.1.5 - - #74298 -
Segmentation error while running a script in CLI mode - - 7.1.5 - - #74456 -
foreach infinite loop - - 7.1.5 - - #74431 -
Opcached version produces a nested array - - 7.1.5 - - #74442 -
yield fromLABEL is over-greedy - - 7.1.4 7.0.18 - #74302 -
fwrite() on non-blocking SSL sockets doesn't work - - 7.1.4 7.0.18 - #72333 -
array_key_exists fails on arrays created by get_object_vars - - 7.1.3 7.0.17 - #73998 -
NAN check fails on Alpine Linux with musl - - 7.1.3 7.0.17 - #73954 -
fetch_array broken data. Data more than MEDIUMBLOB - - 7.1.3 7.0.17 - #74021 -
stream_get_contents maxlength>-1 returns empty string - - 7.1.3 7.0.17 - #74090 -
Segfault with nested generators - - 7.1.3 - - #74157 -
incorrect reflection for SQLite3::enableExceptions - - - 7.0.19 - #74413 -
DateTime wrong when date string is negative - - - 7.0.17 - #73294 -
wrong timestamp when call setTimeZone multi times with UTC offset - - - 7.0.17 - #73489 -
$date->modify('Friday this week') doesn't return a Friday if $date is a Sunday - - - 7.0.17 - #73942 -
ReflectionFunction incorrectly reports the number of arguments - - - 7.0.17 - #74148 -
Unsetting result set may reset other result set - - - 7.0.14 - #73530 -
version_compare illegal write access - - - 7.0.14 - #73645 -
Integer Overflow in php_html_entities() - - - 7.0.14 - #72135 -
session_unset() empties values from all variables in which is $_session stored - - - 7.0.13 - #73273 -
session_destroy null dereference in ps_files_path_create - - - 7.0.12 - #73100 -
ftps:// opendir wrapper data channel encryption fails with IIS FTP 7.5, 8.5 - - - 7.0.11 - #72764 -
assign_dim on string doesn't reset hval - - - 7.0.11 - #72943 -
curl_setopt segfault with empty CURLOPT_HTTPHEADER - - - 7.0.10 - #71709 -
Spurious warning when exception is thrown in user defined function - - - 7.0.10 - #72668 -
base64_decode $strict fails to detect null byte - - - 7.0.10 - #72152 -
base64_decode skips a character after padding in strict mode - - - 7.0.10 - #72263 -
base64_decode $strict fails with whitespace between padding - - - 7.0.10 - #72264 -
opendir() does not work with ftps:// wrapper - - - 7.0.10 - #54431 -
opendir() with ftp:// attempts to open data stream for non-existent directories - - - 7.0.10 - #72667 -
Certification information (CERTINFO) data parsing error - - - 7.0.10 - #71929 -
CSV fields incorrectly split if escape char followed by UTF chars - - - 7.0.10 - #72330 -
use-after-free - error_reporting - - - 7.0.7 - #72162 -
Cyclic references causing session_start(): Failed to decode session object - - - 7.0.7 - #71972 -
Out of bounds heap read access in exif header processing - - - 7.0.6 - #72094 CVE-2016-4542, CVE-2016-4543, CVE-2016-4544
str_replace returns an incorrect resulting array after a foreach by reference - - - 7.0.6 - #71969 -
substr_replace bug, string length - - - 7.0.6 - #71827 -
php_crypt() crashes if crypt_r() does not exist or _REENTRANT is not defined - - - 7.0.6 - #67512 -
yield from does not count EOLs - - - 7.0.5 - #71724 -
Variable references on array elements don't work when using count - - - 7.0.4 - #71529 -
exec functions ignore length but look for NULL termination - - - 7.0.3 - #71039 -
var_export(INF) prints INF.0 - - - 7.0.3 - #71314 -
curl_setopt() fails to set CURLOPT_POSTFIELDS with reference to CURLFile - - - 7.0.3 - #71225 -
str_replace converts integers in original $search array to strings - - - 7.0.3 - #71188 -
substr_replace converts integers in original $search array to strings - - - 7.0.3 - #71190 -
file_get_contents() ignores "header" context option if it's a reference - - - 7.0.3 - #71245 -
file_put_contents() returns unexpected value when filesystem runs full - - - 7.0.3 - #71264 -
ldap_mod_replace/ldap_mod_add store value as string "Array" - - - 7.0.3 - #71249 -
Upgraded bundled PCRE library to 8.38. - - - 7.0.3 - # CVE-2015-8383, CVE-2015-8386, CVE-2015-8387, CVE-2015-8389, CVE-2015-8390, CVE-2015-8391, CVE-2015-8393, CVE-2015-8394
var_export() exports float as integer - - - 7.0.2 - #66179 -
filter_input(INPUT_ENV, ..) does not work - - - 7.0.2 - #71063 -
Heap Buffer Overflow in escapeshell functions - - - 7.0.2 - #71270 CVE-2016-1904
preg_replace with arrays creates [0] in replace array if not already set - - - 7.0.2 - #71178 -
Array key references break argument processing - - - 7.0.1 - #70993 -
Duplicate array key via undefined index error handler - - - 7.0.0 - #70662 -
__COMPILER_HALT_OFFSET__ under namespace is not defined - - - 7.0.0 - #70164 -
Different arrays compare identical due to integer key truncation - - - 7.0.0 - #69892 -
304 responses return Content-Type header - - - 7.0.0 - #64878 -
HTTP Authorization Header is sometimes passed to newer requests - - - 7.0.0 - #70279 -
openssl extension does not get the DH parameters from DH key resource - - - 7.0.0 - #55259 -
OpenSSL error "key values mismatch" after openssl_pkcs12_read with extra cert - - - 7.0.0 - #69882 -
pcntl_signal doesn't decrease ref-count of old handler when setting SIG_DFL - - - 7.0.0 - #60509 -
FASYNC not defined, needs sys/file.h include - - - 7.0.0 - #70214 -
extract() breaks variable references - - - 7.0.0 - #70910 -
setcookie() conditional for empty values not met - - - 7.0.0 - #67131 -
extract() turns array elements to references - - - 7.0.0 - #70250 -
str_ireplace/php_string_tolower - Arbitrary Code Execution - - - 7.0.0 - #70140 -
Allow "dirname" to go up various times - - - 7.0.0 - #70112 -
exec does not strip all whitespace - - - 7.0.0 - #70018 -
Regression in array_filter's $flag argument in PHP 7 - - - 7.0.0 - #69299 -
flock() out parameter not set correctly in windows - - - 7.0.0 - #65272 -