Zend Server Changelog

The list below provides the full release notes and changelogs for Zend Server.

Zend Server Common changes in version 2021.3.2 (2023-08-14)

Contains only fixes and changes for PHP and installer/packaging. There were no changes in Zend Server itself.

Backported PHP CVE fixes:

  • PHP version 7.1.33.21, 7.2.34.17, 7.3.33.9, 7.4.33.4 CVE fixes:

    • Libxml:

      Fixed bug GHSA-3qrf-m4j2-pcrr (Security issue with external entity loading in XML without enabling it). (CVE-2023-3823)

    • Phar:

      Fixed bug GHSA-jqcx-ccgc-xwhv (Buffer mismanagement in phar_dir_read()). (CVE-2023-3824)

  • PHP version 7.1.33.20, 7.2.34.16, 7.3.33.8, 7.4.33.3 CVE fix:

    • Soap:

      Fixed bug GHSA-76gg-c692-v2mw (Missing error check and insufficient random bytes in HTTP Digest authentication for SOAP). (CVE-2023-3247)

  • PHP version 7.1.33.19, 7.2.34.15, 7.3.33.7 fix:

Windows package updates:

  • Apache 2.4.57

Known issues

Symptom: The RHEL 8 upgrade may fail with the message:

Problem: cannot install the best update candidate for package liboci8-zend-11.2.0.4-8.x86_64

The problem is related to RHEL RPM package dependency resolution and cannot be fixed in Zend Server packaging. The dependent package libaio from the RHEL repository does not install for reasons unknown to us.

Solution: Enter the following command when this error message appears, then retry the upgrade.

Fix Zend Server 2021 upgrade on RHEL8:

sudo yum install liboci8-zend

Zend Server Common changes in version 2021.3.1 (2023-03-21)

Backported PHP CVE fixes:

  • PHP version 7.1.33.18, 7.2.34.14, 7.3.33.6, 7.4.33.2 CVE fixes:
    • Core:

      • Fixed bug #81744 (Password_verify() always return true with some hash).

      • Fixed bug #81746 (1-byte array overrun in common path resolve code).

    • FPM:

      • Fixed bug GHSA-54hq-v5wp-fqgv (DOS vulnerability when parsing multipart request body). (CVE-2023-0662)

  • PHP version 7.1.33.17, 7.2.34.13, 7.3.33.5, 7.4.33.1 CVE fixes:

    • PDO/SQLite:

      • Fixed bug #81740 (PDO::quote() may return unquoted string). (CVE-2022-31631)

Windows package updates:

  • Apache 2.4.56 (also adds installation of the MS VS17 64-bit C++ redistributable)

  • OpenSSL 1.1.1t

  • cURL 7.88.1

Zend Server Common changes in version 2021.3.0 (2022-11-28)

  • Fixed:
    • JobQueue HTTPS requests failure on IBM i

    • Changed lighttpd configuration for HTTP/1.1 compatibility

    • JobQueue incorrect behavior during DST change

    • Zend Server RPM php-sources-zend-server packages missing PHP 7.1 sources

  • Updated:
    • Upgraded AngularJS to the latest perforce-angular 1.8.4 in Zend Server

    • Updated ZS2021.3.0 PHP versions: 7.1.33.16, 7.2.34.11, 7.3.33.3, 7.4.32

    • CVE fixes for: CVE-2022-31628 and CVE-2022-31629

  • PHP CVE fixes (all supported versions):
    • Core:
      • Fixed bug #81726: phar wrapper: DOS when using quine gzip file. (CVE-2022-31628).

      • Fixed bug #81727: Don't mangle HTTP variable names that clash with ones that have a specific semantic meaning. (CVE-2022-31629).