Zend Server Changelog

The list below provides the full release notes and changelogs for Zend Server.

Zend Server Common changes in version 2021.4.0 (2024-11-11)

Deprecated support for IBM i v7r2 due to OpenSSL 1.1.1 deprecation by IBM.

All IBM i >= v7r3 must use at least OSS base 7.3 to be able to install or upgrade.

Fixed:

  • Zend Server Z-Ray Database Queries failed to update placeholder value bindings in queries view when PDOStatement::bindValue() was called multiple times for the same placeholder. (ZEND-3536)

  • JQD excessive memory consumption when jobs failed in combination with redirects (ZEND-4191)

  • JQD crashes when running HTTPS jobs when Zend Server was used in cluster mode with MySQL database (ZEND-2644)

  • E-mail configuration testing (ZEND-2572)

  • E-mail notifications for Zend Server JobQueue events (ZEND-3816)

  • Monitor rules import, e-mail address export/import in monitoring rules (ZEND-2109)

Added:

  • PHP directive max_multipart_body_parts in the Zend Server GUI. The parameter was added as a PHP security fix (ZEND-3499)

Changed:

  • Zend Server GUI, Plugins Gallery: changed the plugin package download URL from static.zend.com to api-plugins.zend.com (ZEND-2618).

Updated:

PHP security fixes

  • PHP 7.4.33.7 fixes

  • PHP 7.3.33.12, 7.2.34.20, 7.1.33.24 fixes

PHP Extensions

Linux

  • memcached 3.2.0

  • mongodb (php-specific) 1.19.1/1.16.2/1.11.1

  • redis 6.0.2

  • ssh2 1.4.1

Windows

  • imagick 3.7.0

  • redis 6.0.2 (php >= 7.2)

PHP and Zend Server dependency components

Linux, IBM i (selected components only)

  • lighttpd 1.4.76

  • zlib 1.3.1

  • libxml2 2.11.8

  • libssh2 (where needed) 1.11.0

  • openldap (selected distros only) 2.5.18

  • freetype 2.13.2

  • libimagic 6.9.13.11

  • libsodium 1.0.20

  • libzip 1.10.1

  • xerces 3.2.5

  • IBM i builds linked with OpenSSL 3.

Windows

  • httpd 2.4.62

  • libzip 1.10.1

  • curl 8.10.1

  • imagemagick 7.1.0-18

Zend Server Common changes in version 2021.3.2 (2023-08-14)

Contains only fixes and changes for PHP and installer/packaging. There were no changes in Zend Server itself.

Backported PHP CVE fixes:

  • PHP version 7.1.33.21, 7.2.34.17, 7.3.33.9, 7.4.33.4 CVE fixes

    • Libxml:

      Fixed bug GHSA-3qrf-m4j2-pcrr (Security issue with external entity loading in XML without enabling it). (CVE-2023-3823)

    • Phar:

      Fixed bug GHSA-jqcx-ccgc-xwhv (Buffer mismanagement in phar_dir_read()). (CVE-2023-3824)

  • PHP version 7.1.33.20, 7.2.34.16, 7.3.33.8, 7.4.33.3 CVE fix

    • Soap:

      Fixed bug GHSA-76gg-c692-v2mw (Missing error check and insufficient random bytes in HTTP Digest authentication for SOAP). (CVE-2023-3247)

  • PHP version 7.1.33.19, 7.2.34.15, 7.3.33.7 fix:

Windows package updates:

  • Apache 2.4.57

Known issues

Symptom: The RHEL 8 upgrade may fail with the message:

Problem: cannot install the best update candidate for package liboci8-zend-11.2.0.4-8.x86_64

The problem is related to RHEL rpm package dependency resolving and cannot be fixed in Zend Server packaging. The dependent package libaio from the RHEL repository does not install for reasons unknown to us.

Solution: Enter the following command when this error message appears, then retry the upgrade.

Fix Zend Server 2021 upgrade on RHEL8:

sudo yum install liboci8-zend

Zend Server Common changes in version 2021.3.1 (2023-03-21)

Backported PHP CVE fixes:

  • PHP version 7.1.33.18, 7.2.34.14, 7.3.33.6, 7.4.33.2 CVE fixes:
    • Core:

      • Fixed bug #81744 (Password_verify() always return true with some hash).

      • Fixed bug #81746 (1-byte array overrun in common path resolve code).

    • FPM:

      • Fixed bug GHSA-54hq-v5wp-fqgv (DOS vulnerability when parsing multipart request body). (CVE-2023-0662)

  • PHP version 7.1.33.17, 7.2.34.13, 7.3.33.5, 7.4.33.1 CVE fixes:

    • PDO/SQLite:

      • Fixed bug #81740 (PDO::quote() may return unquoted string). (CVE-2022-31631)

Windows package updates:

  • Apache 2.4.56 (adding also MS vs17 64-bit c++ redistributable installation)

  • OpenSSL 1.1.1t

  • cURL 7.88.1

Zend Server Common changes in version 2021.3.0 (2022-11-28)

  • Fixed:
    • JobQueue HTTPS requests failure on IBM i

    • Changed lighttpd configuration for HTTP/1.1 compatibility

    • JobQueue incorrect behavior during DST change

    • Zend Server RPM php-sources-zend-server packages missing PHP 7.1 sources

  • Updated:
    • Upgrade angularjs to latest perforce-angular 1.8.4 in Zend Server

    • Update ZS2021.3.0 PHP versions: 7.1.33.16, 7.2.34.11, 7.3.33.3, 7.4.32

    • CVE fixes for: CVE-2022-31628 and CVE-2022-31629

  • PHP CVE fixes (all supported versions):
    • Core:
      • Fixed bug #81726: phar wrapper: DOS when using quine gzip file. (CVE-2022-31628).

      • Fixed bug #81727: Don't mangle HTTP variable names that clash with ones that have a specific semantic meaning. (CVE-2022-31629).