Version 2019.1.5 (October 2023)

Zend Server installer Windows package contains cURL library version 8.4.0 fixing CVE-2023-38545.

Zend Server Linux installations use the Linux distribution's packages for the curl library. Users must update their Linux packages to obtain the fix for this security issue.
Please note that Ubuntu 18.04 and Debian 9 are EOL; no publicly available fixes for this cURL CVE exist for those distributions.

Information about the IBM i fix was issued earlier. Here is a copy of that notification:

Please follow these instructions to update the Zend Server 2019.1.4 PHP binaries (cURL CVE-2023-38545 fix).

Enter the commands below using the terminal shell:

Download the update file:

wget https://downloads.zend.com/zendserver/2019.1.4/zend-server-2019.1.4-curl-8.4.0-pase.tar.gz

Extract the downloaded file to the filesystem root directory (the path below assumes the archive was downloaded into /HOME/QSECOFR):

gzip -dc /HOME/QSECOFR/zend-server-2019.1.4-curl-8.4.0-pase.tar.gz | tar -x -C /

Restart the Zend Server Apache instance, either with the Zend Server tools on the green screen or with the following terminal shell command:

/usr/local/zendphp7/bin/i5_apache.sh restart

After this update, PHP Information (phpinfo) should display curl version 8.4.0.

Version 2019.1.4 (August 2023)

Contains only PHP and installer/packaging fixes/changes. No changes in Zend Server.

Backported PHP 7.1.33.21, 7.2.34.17, 7.3.33.9 CVE Fixes

  • Libxml:
    • Fixed bug GHSA-3qrf-m4j2-pcrr (Security issue with external entity loading in XML without enabling it). (CVE-2023-3823)
  • Phar:
    • Fixed bug GHSA-jqcx-ccgc-xwhv (Buffer mismanagement in phar_dir_read()). (CVE-2023-3824)

Backported PHP 7.1.33.20, 7.2.34.16, 7.3.33.8 CVE Fixes

  • Soap:
    • Fixed bug GHSA-76gg-c692-v2mw (Missing error check and insufficient random bytes in HTTP Digest authentication for SOAP). (CVE-2023-3247)

Backported PHP 7.1.33.19, 7.2.34.15, 7.3.33.7 CVE Fixes

  • Intl:
    • Fixed bug #72809 (Locale::lookup() wrong result with canonicalize option).

Updated Apache v.2.4.57 in Zend Server Windows installation package
 

Version 2019.1.3 (March 2023)

PHP fixes only.

PHP version 7.1.33.18, 7.2.34.14, 7.3.33.6 CVE fixes

  • Core:
    • Fixed bug #81744 (Password_verify() always return true with some hash). (CVE-2023-0567)
    • Fixed bug #81746 (1-byte array overrun in common path resolve code). (CVE-2023-0568)
  • FPM:
    • Fixed bug GHSA-54hq-v5wp-fqgv (DOS vulnerability when parsing multipart request body). (CVE-2023-0662)

PHP version 7.1.33.17, 7.2.34.13, 7.3.33.5 CVE fixes:

  • PDO/SQLite:
    • Fixed bug #81740 (PDO::quote() may return unquoted string). (CVE-2022-31631)

Updates for version 2019.1.2 (November 2022)

CVE Fixes for PHP versions: 7.1.33.16, 7.2.34.11, 7.3.33.3

  • Hash:
    • Fixed bug #81738: buffer overflow in hash_update() on long parameter. (CVE-2022-37454)

CVE Fixes for PHP versions 7.1.33.16, 7.2.34.11, 7.3.33.3

  • Core:
    • Fixed bug #81726: phar wrapper: DOS when using quine gzip file. (CVE-2022-31628)
    • Fixed bug #81727: Don't mangle HTTP variable names that clash with ones that have a specific semantic meaning. (CVE-2022-31629)

Updates for version 2019.1.1

Updated:

  • PHP versions 7.1.33.15 (incl. TLSv1.2 support for mysql), 7.2.34.10, 7.3.33.2.

CVE Fixes:

  • mysqlnd:
    • Fixed bug #81719: mysqlnd/pdo password buffer overflow. (CVE-2022-31626)
  • pgsql:
    • Fixed bug #81720: Uninitialized array in pg_query_params(). (CVE-2022-31625)

Updates for version 2019.1.0

  • Change: Default customer web server port on IBM i Apache instance changed from 10080 to 10280 (ZEND-2258)
  • Fix: Removed the PHPRC env variable from the IBM i fastcgi.conf; the proper php.ini file is now used for the active PHP version (ZEND-1348, ZEND-1486, ZEND-1773, ZEND-2002)
  • Fix: Filled the Installation_UID placeholder in the IBM i fastcgi.conf (ZEND-1182)
  • Fix: ZendMonitor segfault (ZEND-1488), buffer overflow fix (ZEND-2046)
  • Fix: HTTPS GUI access on Linux; lighttpd is updated to v1.4.64
  • Fix: Broken jqd.ini file caused "Unable to connect to Job Queue server" (ZEND-797, ZEND-1007)
  • Fix: jobqueueAddJob output in JSON format (ZEND-2127)
  • Update: PHP versions 7.1.33.14, 7.2.34.9, 7.3.33.1
    • PHP CVE fixes after 2019.0.7: CVE-2021-21703, CVE-2021-21704, CVE-2021-21705, CVE-2021-21706, CVE-2021-21707
    • Backported functionality improvement for PHP 7.1: TLSv1.2 functionality for MySql
  • Update: xdebug 2.9.8 in all versions (ZEND-1485)
  • Update: ssh2 extension v.1.3.1, libssh2 version to 1.9.0 (ZEND-2071)
  • Update: PECL extensions - ibm_db2 2.1.5, imagick 3.5.0-windows/3.7.0, mongodb 1.11.1, pdo_ibm 1.4.2, redis 5.3.5
  • Update: sqlsrv extension versions 5.9.0 (PHP 7.3), 5.8.1 (PHP 7.2), 5.6.1 (PHP 7.1), Windows installer sets up MS ODBC driver v 17.9
  • Update: IBM i PHP Toolkit 1.9.1 (ZEND-1367)
  • Update: ZendServerSDK to version 1.2.0 (ZEND-1224)
  • Update: Backport Olson timezonedb from latest PHP to LTS PHP versions (ZEND-2287)
  • Update: Apache v. 2.4.53 in Windows package
  • Update: Oracle Instantclient updated to version 18.5.0.0.0 for all PHP versions on Windows (ZEND-1801).
  • Update: MySql installer for Windows version 5.7.37, MySql server version 5.7.36 (ZEND-2389)
  • Added: sqlsrv / pdo_sqlsrv extensions for linux distributions (ZEND-1177)
  • Added: Compile GD extension with WebP support - Linux, IBM i (ZEND-2168)
  • Other: GeoIP library dynamic linking (required due to licensing type)
  • Known issue: When changing a configuration parameter via the GUI, the order of the parameter list is sometimes shuffled after saving (ZEND-2190)
  • Known issue: JobQueue email notifications not working reliably (ZEND-265)
  • Known issue: GUI Time Not Synced With PHP & Services (ZEND-1206)
  • Known issue: The export of monitor rules doesn't contain all necessary data (ZEND-2106)
  • Known issue: ppc64 linux not supported, planned for 2019.2.0

Updates for version 2019.0.7

  • Latest backported security fixes in PHP 7.1.33.6 are:
    • Alternative fix for bug 77423 (CVE-2020-7071)
    • Fix bug #80672 - Null Dereference in SoapClient (CVE-2021-21702)
  • Latest backported security fixes in PHP 7.2.34.2 are:
    • Alternative fix for bug 77423 (CVE-2020-7071)
    • Fix bug #80672 - Null Dereference in SoapClient (CVE-2021-21702)
  • Updated PHP to 7.3.27
    • Fix bug #80672 - Null Dereference in SoapClient (CVE-2021-21702)

Updates for version 2019.0.6

  • Latest backported changes in PHP v.7.1.33.5 are:
    • Fix #77423: parse_url() will deliver a wrong host to user
  • Latest backported changes in PHP v. 7.2.34.1 are:
    • Fix #77423: parse_url() will deliver a wrong host to user
  • Updated PHP to 7.3.26
    • Standard:
      • Fixed bug #77423 (FILTER_VALIDATE_URL accepts URLs with invalid userinfo). (CVE-2020-7071)

Updates for version 2019.0.5

  • Latest backported changes in PHP v.7.1.33.4 are:
    • Fix out-of-bounds write
    • Fix #79877: getimagesize function silently truncates after a null byte
    • Fix #79797: Use of freed hash key in the phar_parse_zipfile function
    • Fixed bug #79881
    • Fix #78876: Long variables cause OOM and temp files are not cleaned
    • Fix #78875: Long filenames cause OOM and temp files are not cleaned
    • Fixed bug #79468
    • Fix bug #79465 - use unsigneds as indexes.
    • Fix bug #79330 - make all execution modes consistent in rejecting
    • Fix bug #79329 - get_headers should not accept
    • Fixed bug #79282
  • Updated PHP to 7.2.34
    • Core
      • Fixed bug #79699 (PHP parses encoded cookie names so malicious `__Host-` cookies can be sent). (CVE-2020-7070)
      • Fixed bug #78875 (Long filenames cause OOM and temp files are not cleaned). (CVE-2019-11048)
      • Fixed bug #78876 (Long variables in multipart/form-data cause OOM and temp files are not cleaned). (CVE-2019-11048)
      • Fixed bug #79329 (get_headers() silently truncates after a null byte) (CVE-2020-7066)
    • EXIF:
      • Fixed bug #79282 (Use-of-uninitialized-value in exif) (CVE-2020-7064)
    • OpenSSL:
      • Fixed bug #79601 (Wrong ciphertext/tag in AES-CCM encryption for a 12 bytes IV). (CVE-2020-7069)
    • Phar:
      • Fixed bug #79797 (Use of freed hash key in the phar_parse_zipfile function). (CVE-2020-7068)
  • Updated PHP to 7.3.23
    • Core:
      • Fixed bug #79699 (PHP parses encoded cookie names so malicious `__Host-` cookies can be sent). (CVE-2020-7070)
      • Fixed bug #78875 (Long filenames cause OOM and temp files are not cleaned). (CVE-2019-11048)
      • Fixed bug #78876 (Long variables in multipart/form-data cause OOM and temp files are not cleaned). (CVE-2019-11048)
    • EXIF:
      • Fixed bug #79282 (Use-of-uninitialized-value in exif). (CVE-2020-7064)
    • OpenSSL:
      • Fixed bug #79601 (Wrong ciphertext/tag in AES-CCM encryption for a 12 bytes IV). (CVE-2020-7069)
    • MBstring:
      • Fixed bug #79371 (mb_strtolower (UTF-32LE): stack-buffer-overflow at php_unicode_tolower_full). (CVE-2020-7065)
    • Phar:
      • Fixed bug #79797 (Use of freed hash key in the phar_parse_zipfile function). (CVE-2020-7068)
    • Standard:
      • Fixed bug #79329 (get_headers() silently truncates after a null byte). (CVE-2020-7066)

Updates for version 2019.0.4

  • Latest backported changes in PHP 7.1.33.2 are:
    • bcmath
      • Fix #78878: Buffer underflow in bc_shift_addsub
    • exif
      • Fix bug #78793
      • Fixed bug #78910
    • fileinfo
      • Fix libmagic buffer overflow issue (CVE-2019-18218)
    • mbstring
      • Fix bug #79037 (global buffer-overflow in `mbfl_filt_conv_big5_wchar`)
    • Phar:
      • Fixed bug #79082 (Files added to tar with Phar::buildFromIterator have all-access permissions). (CVE-2020-7063)
    • Session:
      • Fixed bug #79221 (Null Pointer Dereference in PHP Session Upload Progress). (CVE-2020-7062)
      • Fix #79091: heap use-after-free in session_create_id()
    • SPL
      • Fix #78863: DirectoryIterator class silently truncates after a null byte
    • Standard
      • Fix #79099: OOB read in php_strip_tags_ex
      • Fix #78862: link() silently truncates after a null byte on Windows
  • Updated PHP to 7.2.28
    • Bcmath:
      • Fixed bug #78878 (Buffer underflow in bc_shift_addsub). (CVE-2019-11046)
    • Core:
      • Fixed bug #78862 (link() silently truncates after a null byte on Windows). (CVE-2019-11044)
      • Fixed bug #78863 (DirectoryIterator class silently truncates after a null byte). (CVE-2019-11045)
    • EXIF:
      • Fixed bug #78793 (Use-after-free in exif parsing under memory sanitizer). (CVE-2019-11050)
      • Fixed bug #78910 (Heap-buffer-overflow READ in exif). (CVE-2019-11047)
    • Mbstring:
      • Fixed bug #79037 (global buffer-overflow in `mbfl_filt_conv_big5_wchar`). (CVE-2020-7060)
    • Phar:
      • Fixed bug #79082 (Files added to tar with Phar::buildFromIterator have all-access permissions). (CVE-2020-7063)
    • Session:
      • Fixed bug #79221 (Null Pointer Dereference in PHP Session Upload Progress). (CVE-2020-7062)
    • Standard:
      • Fixed bug #79099 (OOB read in php_strip_tags_ex). (CVE-2020-7059)
  • Updated PHP to 7.3.15
    • Bcmath:
      • Fixed bug #78878 (Buffer underflow in bc_shift_addsub). (CVE-2019-11046)
    • Core:
      • Fixed bug #78862 (link() silently truncates after a null byte on Windows). (CVE-2019-11044)
      • Fixed bug #78863 (DirectoryIterator class silently truncates after a null byte). (CVE-2019-11045)
      • Fixed bug #78943 (mail() may release string with refcount==1 twice). (CVE-2019-11049)
    • Mbstring:
      • Fixed bug #79037 (global buffer-overflow in `mbfl_filt_conv_big5_wchar`). (CVE-2020-7060)
    • Phar
      • Fixed bug #79082 (Files added to tar with Phar::buildFromIterator have all-access permissions). (CVE-2020-7063)
      • Fixed bug #79171 (heap-buffer-overflow in phar_extract_file). (CVE-2020-7061)
    • Session:
      • Fixed bug #79221 (Null Pointer Dereference in PHP Session Upload Progress). (CVE-2020-7062)
    • Standard:
      • Fixed bug #79099 (OOB read in php_strip_tags_ex). (CVE-2020-7059)

Updates for version 2019.0.3

  • Improvement: ZS2019.0.1 Update to PHP 7.1.33 (last php.net release), 7.2.24, 7.3.11
  • FPM
    • Fixed bug #78599 (env_path_info underflow in fpm_main.c can lead to RCE). (CVE-2019-11043)

Updates for version 2019.0.2

  • Improvement: ZS2019.0.1 Update to PHP 7.1.32, 7.2.23, 7.3.10

Updates for version 2019.0.1

  • Improvement: Fixed warnings while installing Zend Server 2019 on an RPM based OS
  • Fixed: Issue with php-fpm running infinitely during worker termination and consuming 100% CPU
  • Fixed: Issue with Job Queue crashing and consuming high CPU
  • Improvement: Satisfying MySQL security requirements
  • Fixed: Issue with max_execution_time ignored on IBM i
  • Fixed: Typo on Port management screen
  • Fixed: Issue with internal server error when using SOAP/STDERR
  • Fixed: Issue with error on "Extensions" page - the extension Zend Global Directives does not exist!
  • Improvement: Updated phpMyAdmin App on Guide Page
  • Improvement: Added thread-specific database connections pool to ZDb
  • Fixed: Issue with Zend Server UI not working after upgrading Zend Server
  • Fixed: Issue with XMLService toolkit Demo app not included
  • Added: Ability to compile custom extensions for currently chosen PHP version
  • Fixed: Issue where if hostname is too long, the email address does not fit into 64 chars, and certificate is not generated due to email being too long
  • Added: Issue with php-cli symlink to Zend Server 2019
  • Fixed: Issue with error on IBM License Program 5733SC1
  • Fixed: Issue with error retrieving php.log from the Zend Server UI
  • Improvement: Reduced the number of database initialisation/finalisation cycles in Zend Server
  • Improvement: Removed MVC endpoints not in use
  • Fixed: Issue where the Zend Server UI breaks after changing default_charset from UTF-8 to Shift_JIS
  • Fixed: Issue where jobs with priority using the Web API cannot be created
  • Fixed: Typo on new display for Zend Server 2019.0.0 for IBM i
  • Fixed: Issue where Lighttpd fails loading extensions on power8 with 2019.0.0
  • Fixed: Issue where ExtensionMapper can't detect Zend Global Directives extension
  • Improvement: ZS2019.0.1 Update to PHP 7.1.32/7.2.22/7.3.9
    • Core:
      • Fixed bug #77630 (rename() across the device may allow unwanted access during processing). (CVE-2019-9637)
    • EXIF:
      • Fixed bug #78256 (heap-buffer-overflow on exif_process_user_comment). (CVE-2019-11042)
      • Fixed bug #78222 (heap-buffer-overflow on exif_scan_thumbnail). (CVE-2019-11041)
      • Fixed bug #77988 (heap-buffer-overflow on php_jpg_get16) (CVE-2019-11040) 
      • Fixed bug #77950 (Heap-buffer-overflow in _estrndup via exif_process_IFD_TAG) (CVE-2019-11036)
      • Fixed bug #77753 (Heap-buffer-overflow in php_ifd_get32s). (CVE-2019-11034)
      • Fixed bug #77831 (Heap-buffer-overflow in exif_iif_add_value). (CVE-2019-11035)
      • Fixed bug #77509 (Uninitialized read in exif_process_IFD_in_TIFF). (CVE-2019-9641)
      • Fixed bug #77540 (Invalid Read on exif_process_SOFn). (CVE-2019-9640)
      • Fixed bug #77563 (Uninitialized read in exif_process_IFD_in_MAKERNOTE). (CVE-2019-9638)
      • Fixed bug #77659 (Uninitialized read in exif_process_IFD_in_MAKERNOTE). (CVE-2019-9639)
    • GD:
      • Fixed bug #77973 (Uninitialized read in gdImageCreateFromXbm) (CVE-2019-11038).
    • Iconv:
      • Fixed bug #78069 (Out-of-bounds read in iconv.c:_php_iconv_mime_decode() due to integer overflow) (CVE-2019-11039).
    • mbstring:
      • Fixed CVE-2019-13224 (don't allow different encodings for onig_new_deluxe)

Updates for version 2019

Bundled PHP

Zend Server 2019 now includes multiple versions of PHP:

  • PHP 7.3.2
  • PHP 7.2.15
  • PHP 7.1.26

Installation

For detailed installation instructions for all supported operating systems, please refer to the Zend Server 2019 Installation Guide.

See the IBM i Specific Release Notes below for IBM i specific notes.

Upgrades

When upgrading from a previously installed (and supported) version of Zend Server, Zend Server 2019 automatically sets the active version of PHP to correspond to the version of PHP you upgraded from:

  • When upgrading from Zend Server 9.1, PHP 7.1 will be set as the default version.
  • When upgrading from Zend Server 2018, PHP 7.2 will be set as the default version.

Upgrades from Zend Server 9.0.X and earlier versions are not supported.

Note: When upgrading from a previous installation, the PHP configuration settings (php.ini) are migrated only for the active PHP version. If you later change the version of PHP in the Zend Server 2019 UI, you will need to reapply any configuration changes you made to this new version.

Limitations and Known Issues

The following issues are known at the time of the Zend Server 2019 release:

  • Deployment:
    • If a ZPK contains invalid monitoring rules, the deployment fails (change of behavior)
    • Nginx: deploying to the root of the default virtual host does not work out of the box and causes configuration problems (ZSRV-10098). Workaround: comment out the location / entry in /etc/nginx/conf.d/default.conf:
      #location / {
      # include /etc/nginx/fastcgi.conf;
      #
      # root /usr/share/nginx/html;
      #
      # index index.php index.html index.htm;
      # }
  • RPM + FPM/NGINX: alert messages in php-fpm.log ("unknown child"). These can be ignored.
  • Job Queue:
    • CLI: running a batch command requires the .bat suffix
    • Enforcement of recurring jobs names: the job name must be unique
  • The directive zend_monitor.event_generate_trace_file is replaced by zend_monitor.event_tracing_mode
  • Page Cache will not store or fetch cached pages when Z-Ray is enabled. This is true also in Z-Ray Selective mode.
  • WebAPI 'applicationGetStatus', 'baseUrl' parameter: <default-server> is replaced by the server IP
  • Secured VHost:
    • Vhost validation is skipped when a secured Vhost exists
    • SSL certificates are not validated when editing or creating secured Vhosts. The user must verify that the certificate paths and content are valid before applying them to a secured Vhost.
  • Data Cache:
    • Enhanced API: the fetch functions can now take a callable as a second parameter:
      • zend_shm_cache_fetch(key, callable)
      • zend_disk_cache_fetch(key, callable)
      On a cache miss the user's callable is invoked and its return value is stored automatically under the specified key, so no extra cache_store API call is needed.
    • zend_datacache.shm.memory_cache_size_kb is removed. To limit the shm memory size, use zend_datacache.shm.memory_cache_size; its value is in MB.
    • The return value of the API function zend_shm_cache_info() is in bytes.
    • Added a new directive, "default_ttl", for setting the default Time to Live (TTL) value per cache entry.
  • Z-Ray
    • Z-Ray might be blocked by the browser's content security policy (e.g. phpMyAdmin on Firefox)
    • When using Z-Ray with Load Balanced domains, a special setup is needed:
      • An accessible ZS GUI address must be set in Z-Ray settings (Zend Server Menu -> Z-Ray -> Settings -> Advanced)
      • The Load Balancer IP address must be included in the Z-Ray allowed IPs list (token)
    • Z-Ray should not be included or enabled in a performance-testing context (e.g. AB testing)
    • Z-Ray currently supports the following database drivers: PDO, MySQL/i, OCI8, sqlite3 and DB2
  • Mac:
    • Sending email using TLS requires the following manual configuration:
      • Get the latest cert files (note that -k disables certificate verification for this download itself, so the fetched bundle is not authenticated):
        curl -k https://curl.haxx.se/ca/cacert.pem > /System/Library/OpenSSL/certs/cacert.pem
      • Add the following to /usr/local/zend/gui/lighttpd/etc/php-fcgi.ini:
        [openssl]
        openssl.cafile=/System/Library/OpenSSL/certs/cacert.pem
        openssl.capath=/System/Library/OpenSSL/certs/
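The Data Cache fetch-with-callable API listed in the Known Issues above, as an added example (not code from these release notes or from Zend): the pre-2019 fetch/store pattern beside the 2019 form. The report builder, the "reports::" key prefix, the key allow-list and the 300-second TTL are this example's own assumptions.

```php
<?php
declare(strict_types=1);
// Added example, not code from the Zend Server release notes or from Zend.
// Assumes the Zend Server Data Cache extension is loaded. The report builder,
// the "reports::" key prefix, the key allow-list and the 300 s TTL are constructed.

const REPORT_TTL_SECONDS = 300;                    // explicit TTL, legacy path only
const REPORT_ID_PATTERN  = '/^[a-z0-9_-]{1,64}$/'; // constructed allow-list for key material

/** Expensive operation that should run at most once per cache lifetime. */
function buildReport(string $reportId): array
{
    // Stand-in for a slow database query or remote call.
    return ['id' => $reportId, 'generated_at' => time(), 'rows' => range(1, 10)];
}

/**
 * Derive the cache key from request input. Rejecting anything outside the
 * allow-list stops untrusted input from choosing arbitrary keys or namespaces.
 */
function reportCacheKey(string $reportId): string
{
    if (!preg_match(REPORT_ID_PATTERN, $reportId)) {
        throw new InvalidArgumentException('invalid report id');
    }
    // "namespace::key" form, so zend_shm_cache_clear('reports') can drop them all.
    return 'reports::' . $reportId;
}

/** Pre-2019 pattern: fetch, detect the miss, compute, then store in a second call. */
function getReportLegacy(string $reportId): array
{
    $key   = reportCacheKey($reportId);
    $value = zend_shm_cache_fetch($key);            // FALSE on a miss or after expiry
    if ($value === false) {
        $value = buildReport($reportId);
        zend_shm_cache_store($key, $value, REPORT_TTL_SECONDS);
    }
    return $value;
}

/**
 * 2019 pattern: the callable runs only on a miss and its return value is stored
 * under $key automatically. This call takes no TTL argument, so the entry is
 * assumed (not stated in the notes) to use the new default_ttl directive.
 */
function getReport(string $reportId): array
{
    $key = reportCacheKey($reportId);
    // Closure with use() rather than fn() => ..., since Zend Server 2019 ships PHP 7.1-7.3.
    return zend_shm_cache_fetch($key, function () use ($reportId) {
        return buildReport($reportId);
    });
}

// Usage: the second call is served from shared memory and never invokes buildReport().
$report = getReport('daily-sales');
$cached = getReport('daily-sales');
```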

 

IBM i Specific Release Notes

Installation

  • Zend Server for IBM i 2019 can be installed as a new installation on a partition running Zend Server for IBM i 8.x, and both can be run at the same time, allowing for a migration from version 8 to version 2018
  • For detailed installation instructions, please refer to the Zend Server for IBM i Installation Guide.