diff options
| -rw-r--r-- | NEWS | 9 | ||||
| -rw-r--r-- | UPGRADING | 4 |
2 files changed, 8 insertions, 5 deletions
@@ -2,10 +2,9 @@ PHP NEWS ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||| ?? ??? ????, PHP 7.4.11 - -17 Sep 2020, PHP 7.4.11RC1 - - Core: + . Fixed bug #79699 (PHP parses encoded cookie names so malicious `__Host-` + cookies can be sent). (CVE-2020-7070) (Stas) . Fixed bug #79979 (passing value to by-ref param via CUFA crashes). (cmb, Nikita) . Fixed bug #80037 (Typed property must not be accessed before initialization @@ -29,6 +28,10 @@ PHP NEWS . Fixed bug #79825 (opcache.file_cache causes SIGSEGV when custom opcode handlers changed). (SammyK) +- OpenSSL: + . Fixed bug #79601 (Wrong ciphertext/tag in AES-CCM encryption for a 12 + bytes IV). (CVE-2020-7069) (Jakub Zelenka) + - PDO: . Fixed bug #80027 (Terrible performance using $query->fetch on queries with many bind parameters (Matteo) @@ -126,8 +126,8 @@ DOM: The new signature is also (LSP) compatible with older PHP versions. - SAPI: - . Starting with 7.4.12, incoming cookie names are not url-decoded. This was never - required by the standard, outgoing cookie names aren't encoded and this leads + . Starting with 7.4.11, incoming cookie names are not url-decoded. This was never + required by the standard, outgoing cookie names aren't encoded and this leads to security issues (CVE-2020-7070). - SPL: |