From: Daniel Lowrey Date: Wed, 4 Mar 2015 20:56:58 +0000 (-0700) Subject: Merge branch 'tls-alpn' X-Git-Tag: PRE_PHP7_NSAPI_REMOVAL~819 X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=b5d97140c09f5aca752c8cb4bbd5a091fe5e330f;p=php Merge branch 'tls-alpn' * tls-alpn: Improve test to target specific issue Misc updates/cleanup Add TLS ALPN extension support in crypto client/server streams Add stream_socket_crypto_info() function Update for compatibility with newer openssl libs --- b5d97140c09f5aca752c8cb4bbd5a091fe5e330f diff --cc NEWS index 9831ff8fa7,8f93212e56..81aa649452 --- a/NEWS +++ b/NEWS @@@ -7,149 -6,6 +7,157 @@@ . Refactor MIME type handling to use a hash table instead of linear search. (Adam) . Update the MIME type list from the one shipped by Apache HTTPD. (Adam) +======= +- Core: + . Fixed bug #69139 (Crash in gc_zval_possible_root on unserialize). + (Laruence) + . Fixed bug #69121 (Segfault in get_current_user when script owner is not + in passwd with ZTS build). (dan at syneto dot net) + . Fixed bug #65593 (Segfault when calling ob_start from output buffering + callback). (Mike) + . Fixed bug #68986 (pointer returned by php_stream_fopen_temporary_file + not validated in memory.c). (nayana at ddproperty dot com) + . Fixed bug #68166 (Exception with invalid character causes segv). (Rasmus) + . Fixed bug #69141 (Missing arguments in reflection info for some builtin + functions). (kostyantyn dot lysyy at oracle dot com) + +- cURL: + . Fixed bug #69088 (PHP_MINIT_FUNCTION does not fully initialize cURL on + Win32). (Grant Pannell) + . Add CURLPROXY_SOCKS4A and CURLPROXY_SOCKS5_HOSTNAME constants if supported + by libcurl. (Linus Unneback) + +- ODBC: + . Fixed bug #68964 (Allowed memory size exhausted with odbc_exec). (Anatol) + +- Opcache: + . Fixed bug #69125 (Array numeric string as key). (Laruence) + . Fixed bug #69038 (switch(SOMECONSTANT) misbehaves). (Laruence) + +- OpenSSL: + . 
Fixed bug #68912 (Segmentation fault at openssl_spki_new). (Laruence) + . Fixed bug #61285, #68329, #68046, #41631 (encrypted streams don't observe + socket timeouts). (Brad Broerman) + . Fixed bug #68920 (use strict peer_fingerprint input checks) + (Daniel Lowrey) ++ . Added "alpn_protocols" SSL context option allowing encrypted client/server ++ streams to negotiate alternative protocols using the ALPN TLS extension when ++ built against OpenSSL 1.0.2 or newer. Negotiated protocol information is ++ accessible by passing streams to the new stream_socket_crypto_info(). ++ (Daniel Lowrey) + +- pgsql: + . Fixed bug #68638 (pg_update() fails to store infinite values). + (william dot welter at 4linux dot com dot br, Laruence) + +- Readline: + . Fixed bug #69054 (Null dereference in readline_(read|write)_history() without + parameters). (Laruence) + +- SOAP: + . Fixed bug #69085 (SoapClient's __call() type confusion through + unserialize()). (andrea dot palazzo at truel dot it, Laruence) + +- SPL: + . Fixed bug #69108 ("Segmentation fault" when (de)serializing + SplObjectStorage). (Laruence) + . Fixed bug #68557 (RecursiveDirectoryIterator::seek(0) broken after + calling getChildren()). (Julien) + ++- Stream: ++ . Added stream_socket_crypto_info() allowing inspection of negotiated TLS values ++ +- CGI: + . Fixed bug #69015 (php-cgi's getopt does not see $argv). (Laruence) + +- CLI: + . Fixed bug #67741 (auto_prepend_file messes up __LINE__). (Reeze Xia) + +- FPM: + . Fixed bug #68822 (request time is reset too early). (honghu069 at 163 dot com) + +19 Feb 2015, PHP 5.6.6 + +- Core: + . Removed support for multi-line headers, as the are deprecated by RFC 7230. + (Stas) + . Fixed bug #67068 (getClosure returns somethings that's not a closure). + (Danack at basereality dot com) + . Fixed bug #68942 (Use after free vulnerability in unserialize() with + DateTimeZone). (CVE-2015-0273) (Stas) + . 
Fixed bug #68925 (Mitigation for CVE-2015-0235 – GHOST: glibc gethostbyname + buffer overflow). (Stas) + . Fixed Bug #67988 (htmlspecialchars() does not respect default_charset + specified by ini_set) (Yasuo) + . Added NULL byte protection to exec, system and passthru. (Yasuo) + +- Dba: + . Fixed bug #68711 (useless comparisons). (bugreports at internot dot info) + +- Enchant: + . Fixed bug #68552 (heap buffer overflow in enchant_broker_request_dict()). + (Antony) + +- Fileinfo: + . Fixed bug #68827 (Double free with disabled ZMM). (Joshua Rogers) + . Fixed bug #67647 (Bundled libmagic 5.17 does not detect quicktime files + correctly). (Anatol) + . Fixed bug #68731 (finfo_buffer doesn't extract the correct mime with some + gifs). (Anatol) + +- FPM: + . Fixed bug #66479 (Wrong response to FCGI_GET_VALUES). (Frank Stolle) + . Fixed bug #68571 (core dump when webserver close the socket). + (redfoxli069 at gmail dot com, Laruence) + +- JSON: + . Fixed bug #50224 (json_encode() does not always encode a float as a float) + by adding JSON_PRESERVE_ZERO_FRACTION. (Juan Basso) + +- LIBXML: + . Fixed bug #64938 (libxml_disable_entity_loader setting is shared + between threads). (Martin Jansen) + +- Mysqli: + . Fixed bug #68114 (linker error on some OS X machines with fixed + width decimal support) (Keyur Govande) + . Fixed bug #68657 (Reading 4 byte floats with Mysqli and libmysqlclient + has rounding errors) (Keyur Govande) + +- Opcache: + . Fixed bug with try blocks being removed when extended_info opcode + generation is turned on. (Laruence) + +- PDO_mysql: + . Fixed bug #68750 (PDOMysql with mysqlnd does not allow the usage of + named pipes). (steffenb198 at aol dot com) + +- Phar: + . Fixed bug #68901 (use after free). (bugreports at internot dot info) + +- Pgsql: + . Fixed Bug #65199 (pg_copy_from() modifies input array variable) (Yasuo) + +- Session: + . Fixed bug #68941 (mod_files.sh is a bash-script) (bugzilla at ii.nl, Yasuo) + . 
Fixed Bug #66623 (no EINTR check on flock) (Yasuo) + . Fixed bug #68063 (Empty session IDs do still start sessions) (Yasuo) + +- Sqlite3: + . Fixed bug #68260 (SQLite3Result::fetchArray declares wrong + required_num_args). (Julien) + +- Standard: + . Fixed bug #65272 (flock() out parameter not set correctly in windows). + (Daniel Lowrey) + . Fixed bug #69033 (Request may get env. variables from previous requests + if PHP works as FastCGI). (Anatol) + +- Streams: + . Fixed bug which caused call after final close on streams filter. (Bob) + +22 Jan 2015, PHP 5.6.5 +>>>>>>> PHP-5.6 - Core: . Fixed bug #68933 (Invalid read of size 8 in zend_std_read_property). diff --cc UPGRADING index af84ee94fe,af84ee94fe..d4b1d0afa3 --- a/UPGRADING +++ b/UPGRADING @@@ -369,6 -369,6 +369,10 @@@ Othe . session.lazy_write(default=On) INI setting enables only write session data when session data is updated. ++- OpenSSL: ++ . Removed the "rsa_key_size" SSL context option in favor of automatically ++ setting the appropriate size given the negotiated crypto algorithm. ++ - PCRE: . Removed support for /e (PREG_REPLACE_EVAL) modifier. Use preg_reaplace_callback() instead. @@@ -401,6 -401,6 +405,12 @@@ . Added the comparison operator (<=>), aka the spaceship operator. (RFC: https://wiki.php.net/rfc/combined-comparison-operator) ++- OpenSSL ++ . Added "alpn_protocols" SSL context option allowing encrypted client/server ++ streams to negotiate alternative protocols using the ALPN TLS extension when ++ built against OpenSSL 1.0.2 or newer. Negotiated protocol information is ++ accessible by passing streams to the new stream_socket_crypto_info(). ++ ======================================== 3. Changes in SAPI modules ======================================== @@@ -437,6 -437,6 +447,10 @@@ - Standard . Added intdiv() function for integer division. ++- Stream: ++ . 
Added stream_socket_crypto_info() allowing inspection of negotiated TLS ++ connection properties ++ ======================================== 7. New Classes and Interfaces ========================================
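Review bot: The NEWS hunk leaves merge-conflict markers in the merged file: a `=======` line directly after the two MIME type entries and a `>>>>>>> PHP-5.6` line after the "22 Jan 2015, PHP 5.6.5" heading, with the "19 Feb 2015, PHP 5.6.6" release block sitting between them. Resolve the conflict so that neither marker line remains and only the entries meant for this branch's NEWS are kept. In the same hunk the new "- Stream:" item has no author credit and no closing period, and its heading differs from the "- Streams:" heading used further down.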
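Review bot: The "rsa_key_size" entry added in the first UPGRADING hunk (@@@ -369,6) does not say what happens to code that still passes the option, and the merge summary lists no item that announces the removal. State whether the option is now ignored silently or reported, so that callers who set it know the value no longer has any effect on the key size that is chosen automatically.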
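Review bot: The "alpn_protocols" entry in the second UPGRADING hunk (@@@ -401,6) says ALPN is negotiated "when built against OpenSSL 1.0.2 or newer" but does not document what a stream does when the option is set on an older build, or when the peer accepts none of the offered protocols. Describe that behaviour (option ignored, warning, or failed handshake) and the expected format of the option value, because code that selects a protocol handler from stream_socket_crypto_info() has to know whether an absent negotiated protocol is a possible result. The heading is written "- OpenSSL" here and "- OpenSSL:" in the first hunk; use one form.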
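Review bot: The stream_socket_crypto_info() entry in the last UPGRADING hunk (@@@ -437,6) ends without a period and calls the result "negotiated TLS connection properties", while the NEWS entry calls it "negotiated TLS values"; neither names what the function returns. Use the same wording in both files and list the returned fields, at minimum the negotiated ALPN protocol that the OpenSSL entry sends readers to this function for.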