May 2021

Release Notes for Zend Server 2021

The list below provides the full release notes and changelog for Zend Server 2021.x.

Download available now for Linux, Windows, and IBM i.

Zend Server 2021.3.2 (August 2023)

Changes

- Added support for IBM i 7.5
- Backported PHP CVE fixes:
  - PHP version 7.1.33.21, 7.2.34.17, 7.3.33.9, 7.4.33.4 CVE fixes:
    - Libxml: Fixed bug GHSA-3qrf-m4j2-pcrr (Security issue with external entity loading in XML without enabling it). (CVE-2023-3823)
    - Phar: Fixed bug GHSA-jqcx-ccgc-xwhv (Buffer mismanagement in phar_dir_read()). (CVE-2023-3824)
  - PHP version 7.1.33.20, 7.2.34.16, 7.3.33.8, 7.4.33.3 CVE fix:
    - Soap: Fixed bug GHSA-76gg-c692-v2mw (Missing error check and insufficient random bytes in HTTP Digest authentication for SOAP). (CVE-2023-3247)
  - PHP version 7.1.33.19, 7.2.34.15, 7.3.33.7 fix:
    - Intl: Fixed bug #72809 (Locale::lookup() wrong result with canonicalize option).
- Windows package updates:
  - Apache 2.4.57

Zend Server 2021.3.1 (March 2023)

Backported PHP CVE fixes

- PHP version 7.1.33.18, 7.2.34.14, 7.3.33.6, 7.4.33.2 CVE fixes:
  - Core: Fixed bug #81744 (Password_verify() always return true with some hash). (CVE-2023-0567) (Tim Düsterhus)
  - Core: Fixed bug #81746 (1-byte array overrun in common path resolve code). (CVE-2023-0568) (Niels Dossche)
  - FPM: Fixed bug GHSA-54hq-v5wp-fqgv (DOS vulnerability when parsing multipart request body). (CVE-2023-0662) (Jakub Zelenka)
- PHP version 7.1.33.17, 7.2.34.13, 7.3.33.5, 7.4.33.1 CVE fixes:
  - PDO/SQLite: Fixed bug #81740 (PDO::quote() may return unquoted string). (CVE-2022-31631) (cmb)

Windows Package Updates:

- Apache 2.4.56 (adding also MS vs17 64-bit c++ redistributable installation)
- OpenSSL 1.1.1t
- cURL 7.88.1

Zend Server 2021.3.0 (November 2022)

Fixed:

- JobQueue HTTPS requests failure on IBM i
- Change lighttpd configuration for HTTP v.1.1 compatibility
- JobQueue incorrect behavior during DST change
- Zend Server RPM php-sources-zend-server packages missing PHP 7.1 sources

Updated:

- Upgrade angularjs to latest perforce-angular 1.8.4 in Zend Server
- Update ZS2021.3.0 PHP versions: 7.1.33.16, 7.2.34.12, 7.3.33.4, 7.4.33

PHP CVE fixes in 7.2, 7.3, 7.4:

- Hash: Fixed bug #81738: buffer overflow in hash_update() on long parameter. (CVE-2022-37454) (nicky at mouha dot be)
- (applies to 7.4.33 ONLY) Fixed bug #81739: OOB read due to insufficient input validation in imageloadfont(). (CVE-2022-31630)

PHP CVE fixes (all supported versions):

- Core: Fixed bug #81726: phar wrapper: DOS when using quine gzip file. (CVE-2022-31628)
- Core: Fixed bug #81727: Don't mangle HTTP variable names that clash with ones that have a specific semantic meaning. (CVE-2022-31629)

Zend Server 2021.2.0 (July 2022)

Fixed:

- jobqueueAddJob output in JSON format (ZEND-2244)
- ZendServer MonitorNode schema check with invalid version (ZEND-2077)
- Vhost attach functionality with Nginx (ZEND-2351)
- Installation on RHEL8, apache php-fpm setup (ZEND-2454)
- Removed php-fpm binary from IBM i package (ZEND-2369)
- IBM i green screen ZS info page errors (ZEND-2166)
- PHP version check failure on zpk install (ZEND-1961)
- Unable to Save changes after switching GUI tabs in ZS Settings (ZEND-2249)
- Change UI License Expiration information for IBM i (suggesting ZendPHP) (ZEND-1141)
- ZDD lock issues (zend_deployment.detect_apps ignored) (ZEND-1952)
- Application defining failures (ZEND-2291)

Updated:

- PHP versions 7.1.33.15 (incl. TLSv1.2 support for mysql), 7.2.34.10, 7.3.33.2, 7.4.30. CVE fixes:
  - mysqlnd: Fixed bug #81719: mysqlnd/pdo password buffer overflow. (CVE-2022-31626) (c dot fol at ambionics dot io)
  - pgsql: Fixed bug #81720: Uninitialized array in pg_query_params(). (CVE-2022-31625) (cmb)
- IBM_DB2 extension v.2.1.5 for PHP v>=7.3 (not compatible with PHP 7.2) (ZEND-2172)
- ssh2 extension v.1.3.1 (ZEND-2165)
- PECL extensions updated: pdo_ibm v.1.4.2, imagick v.3.7.0 (Windows v.3.5.0), mongodb v.1.11.1, redis v.5.3.5
- Windows: installer contains Apache 2.4.53, MS ODBC drivers v.17 (for sqlsrv ext), vcredist c++ 64 bit VS2017.
- Linux: lighttpd v.1.4.64
- ZendServerSDK v.1.2.1 (ZEND-2451)
- PHPToolkit for IBM i v.1.9.1 (ZEND-2161)
- angularJs update to 1.8.2 Perforce release (ZEND-2423,2434)

Added:

- webp support for gd extension, linux and IBM i (ZEND-2255,2084)
- php-cli.sh shell script on IBM i for running php scripts from green screen (ZEND-2374)
  Sample use:

      CALL PGM(QP2SHELL) PARM('/usr/local/zendphp74/bin/php-cli.sh' 'test.php')

  Script output is stored as a process print file, not displayed on the terminal screen.
- IBM i support tool improvements - display created spool file location (ZEND-2167)

Other:

- Windows installer - changed misleading message during upgrade (PHP version change) (ZEND-2230)

Extra notes:

Upgrade from 2019.x.x to 2021.2.0 on RHEL8. The upgrade may fail, reporting:

    Problem: cannot install the best update candidate for package liboci8-zend-11.2.0.4-8.x86_64 - nothing provides libaio.so.1 needed by liboci8-zend-21.1.0.0-25.x86_64

To continue from this situation, the liboci8-zend package (new version) should be installed manually:

    sudo yum install -y liboci8-zend

Then restart the upgrade sequence from (and including) the step that caused the error (re-run the repository installer or whichever other method you have chosen for the ZendServer upgrade).

Known problems (fix postponed):

- php-fpm restart on Linux. Related to PHP version change through the GUI: php-fpm processes do not restart automatically. As a workaround, php-fpm should be restarted manually from the console after switching PHP version:

      sudo /usr/local/zend/bin/php-fpm.sh restart

- JobQueue misbehavior during DST change (DST end in October). Jobs scheduled during the hour of the DST change get executed a large number of times. No known easy workaround. One option is to temporarily disable specific jobs for the specific DST change time period.

Zend Server 2021.1.2 (March 2022)

- Updated to PHP 7.4.28
- PHP 7.4.28: Fix #81708: UAF due to php_filter_float() failing for ints. Relevant for PHP 7.4 only (CVE-2021-21708)
- Older PHP versions 7.1.33.12, 7.2.34.8 and 7.3.33 are updated and rebuilt with the latest timezone database.
- For the IBM i build, the freetds library is updated to new version 1.3.9
- Windows installer update notification text change
- Linux rpm repositories: Qt libraries package dependency fix for libicu.
- Repository installer script displays the correct Zend Server Web UI port number (10101)

Zend Server 2021.1.1 (December 2021)

Updated PHP from 7.4.22 to 7.4.26

- Core: Fixed bug #81518 (Header injection via default_mimetype / default_charset).
- Date: Fixed bug #81500 (Interval serialization regression since 7.3.14 / 7.4.2).
- MBString: Fixed bug #76167 (mbstring may use pointer from some previous request).
- MySQLi: Fixed bug #81494 (Stopped unbuffered query does not throw error).
- PCRE: Fixed bug #81424 (PCRE2 10.35 JIT performance regression).
- Streams: Fixed bug #54340 (Memory corruption with user_filter).
- XML: Fixed bug #79971 (special character is breaking the path in xml function). (CVE-2021-21707)

Updated PHP from 7.3.29 to 7.3.33

- XML: Fix #79971: special character is breaking the path in xml function. (CVE-2021-21707)

Updated PHP from 7.2.34.4 to 7.2.34.8

- Fix #79971: special character is breaking the path in xml function.

Updated PHP from 7.1.33.8 to 7.1.33.12

- Fix #79971: special character is breaking the path in xml function.

Zend Server 2021.1.0 (September 2021)

- Fixed Code Tracing, which used a function flag value that conflicted with PHP 7.4 when marking traceable PHP internal functions, causing potential memory leaks. In addition, Code Tracing was including extra PHP internal functions in code traces that were not supposed to be there.
- Added the pdo_odbc extension for the IBM i build. This module conflicts with the ibm_db2, pdo_ibm and odbc extensions, which means that those modules MUST be disabled when pdo_odbc is in use, or else PHP will crash due to conflicting symbols from the dynamically loaded libodbc and libdb400 system libraries. Note also that the odbc extension (not pdo_odbc) is heavily modified in the Zend Server IBM i build and is not functionally equal to the ZendPHP (community) variant: it adds db2 features and is linked to the libdb400 library instead of libodbc. It has been like that in Zend Server for a long time, and we are not changing that functionality now, to stay backwards compatible for customers who may be using the odbc extension to communicate with a db2 database. ZendPHP does not have such modifications and is functionally different (the community variant).
- ZSD automatically disables the ibm_db2, pdo_ibm and odbc extensions when the pdo_odbc extension is enabled from the GUI. The reverse also holds: when any of the ibm_db2, pdo_ibm or odbc extensions is enabled from the GUI, pdo_odbc is disabled automatically by ZSD. A NOTICE message is written to the zsd.log file when this is done. The functionality is there to avoid the PHP crash explained in the previous bullet. It cannot resolve conflicts when extension .ini files are modified manually in the file system.
- Fix the functionality to create the zendadmin user during the automated installation process on IBM i
- Fix Zend Server directory access permissions on IBM i
- Improve installation sequence on IBM i. Moved version message initialization logic out of the nativelibrary package into the zend-server package to avoid errors in the nativelibrary install program and to fix version message content in case of ZS upgrades.
- Improve ZS daemons startup logic; now all processes are in proper IBM "namespaces" after ZS restart from the web GUI.
- Improve nativelib-zendphp74 package installation scripts for upgrades (ZS subsystem stop/(re)start logic).
- Improve uninstall script for IBM i to avoid uninstalling ZendPHP when using the automated uninstall script for Zend Server
- Improve IBM i version detection in the RepositoryInstaller script.
- Fix/improve gd extension on linux (PHP 7.1, 7.2, 7.3) and IBM i (PHP 7.2, 7.3) builds to support FreeType formats.
- Update qt version to 5.12.11 (old 5.12.6)
- Update PHP versions to 7.1.33.8, 7.2.34.4, 7.3.29, 7.4.22
- Updated libpng from 1.6.32 to 1.6.37 on Windows. This eliminates CVE-2019-7317. http://www.libpng.org/pub/png/libpng.html
- Fix in the IBM i ZS2021.1 installer so that an incorrect "INVALID_LICENSE" message is not generated with a side-by-side install.
- Fix warnings in log files on the Windows platform caused by bad formatting in install-time SQL scripts.
- Updated Oracle OCI libraries on the linux platform. x64 now uses v21.1, ppc64 uses 19.3.
- Updated sqlsrv version to 5.9.0 for PHP 7.3 and 7.4 on Linux.
- Updated ibm_db2 extension version to 2.1.3
- Updated paragonie/random_compat from 2.0.17 to 9.99.99
- Updated psr/log from 1.0.2 to 1.1.4
- Updated symfony/polyfill-mbstring from 1.8.0 to 1.23.1
- Updated zendframework/zend-authentication from 2.6.0 to 2.7.0
- Updated zendframework/zend-barcode from 2.7.0 to 2.8.0
- Updated zendframework/zend-cache from 2.8.2 to 2.9.0
- Updated zendframework/zend-captcha from 2.8.0 to 2.9.0
- Updated zendframework/zend-code from 3.3.0 to 3.4.1
- Updated zendframework/zend-component-installer from 2.1.1 to 2.1.2
- Updated zendframework/zend-console from 2.7.0 to 2.8.0
- Updated zendframework/zend-crypt from 3.3.0 to 3.3.1
- Updated zendframework/zend-db from 2.9.3 to 2.11.0
- Updated zendframework/zend-diactoros from 1.8.2 to 1.8.7
- Updated zendframework/zend-dom from 2.7.1 to 2.7.2
- Updated zendframework/zend-escaper from 2.6.0 to 2.6.1
- Updated zendframework/zend-feed from 2.10.2 to 2.12.0
- Updated zendframework/zend-file from 2.8.1 to 2.8.3
- Updated zendframework/zend-filter from 2.8.0 to 2.9.2
- Updated zendframework/zend-form from 2.12.0 to 2.14.3
- Updated zendframework/zend-http from 2.8.0 to 2.11.2
- Updated zendframework/zend-hydrator from 2.4.0 to 2.4.2
- Updated zendframework/zend-i18n from 2.9.0 to 2.10.1
- Updated zendframework/zend-i18n-resources from 2.6.0 to 2.6.1
- Updated zendframework/zend-inputfilter from 2.8.2 to 2.10.1
- Updated zendframework/zend-json from 3.1.0 to 3.1.2
- Updated zendframework/zend-json-server from 3.1.0 to 3.2.0
- Updated zendframework/zend-ldap from 2.10.0 to 2.10.1
- Updated zendframework/zend-loader from 2.6.0 to 2.6.1
- Updated zendframework/zend-log from 2.10.0 to 2.12.0
- Updated zendframework/zend-math from 3.1.1 to 3.2.0
- Updated zendframework/zend-memory from 2.6.0 to 2.6.1
- Updated zendframework/zend-mime from 2.7.1 to 2.7.2
- Updated zendframework/zend-modulemanager from 2.8.2 to 2.8.4
- Updated zendframework/zend-mvc-i18n from 1.1.0 to 1.1.1
- Updated zendframework/zend-mvc-plugin-flashmessenger from 1.1.0 to 1.2.0
- Updated zendframework/zend-mvc-plugin-identity from 1.1.0 to 1.1.1
- Updated zendframework/zend-mvc-plugin-prg from 1.1.0 to 1.2.0
- Updated zendframework/zend-navigation from 2.9.0 to 2.9.1
- Updated zendframework/zend-paginator from 2.8.1 to 2.8.2
- Updated zendframework/zend-permissions-acl from 2.7.0 to 2.7.1
- Updated zendframework/zend-progressbar from 2.6.0 to 2.7.0
- Updated zendframework/zend-router from 3.1.0 to 3.3.0
- Updated zendframework/zend-serializer from 2.9.0 to 2.9.1
- Updated zendframework/zend-server from 2.8.0 to 2.8.1
- Updated zendframework/zend-servicemanager from 3.3.2 to 3.4.0
- Updated zendframework/zend-servicemanager-di from 1.2.0 to 1.2.1
- Updated zendframework/zend-session from 2.8.5 to 2.9.1
- Updated zendframework/zend-soap from 2.7.0 to 2.8.0
- Updated zendframework/zend-stdlib from 3.2.0 to 3.2.1
- Updated zendframework/zend-tag from 2.7.0 to 2.7.1
- Updated zendframework/zend-text from 2.7.0 to 2.7.1
- Updated zendframework/zend-uri from 2.6.1 to 2.7.1
- Updated zendframework/zend-validator from 2.10.2 to 2.13.0
- Updated zendframework/zend-view from 2.10.0 to 2.11.4
- Updated zendframework/zend-xml2json from 3.1.1 to 3.1.2
- Updated zendframework/zend-xmlrpc from 2.7.0 to 2.9.0
- Updated zendframework/zendxml from 1.1.0 to 1.2.0
- Removed jquery-minicolors

Zend Server 2021 (May 2021)

Additions

- Adds support for PHP 7.4, shipping 7.4.16.
- New extensions available for Linux: pdo_oci, sqlsrv, and sodium; ffi is available when using PHP 7.4
- Supported platforms:
  - CentOS/RHEL 7.7 and 8 (both Linux and Power 8)
  - Ubuntu 18.04 and 20.04
  - Debian 9 and 10
  - IBM i 7.2, 7.3, and 7.4
  - Windows Server 2016 and 2019
- Redis extension directives are now available in the Zend Server GUI
- Implemented the functionality to suspend/resume individual JobQueue queues using API commands suspendQueue() and resumeQueue()
- Implemented the functionality to suspend/resume multiple JobQueue queues using API commands suspendQueues() and resumeQueues()
- SELinux additional settings for Power8 and x86 architecture - to fix failures on bootstrap and process restarts
- Users can now customize the command for restarting the web server via the zend_utils.restart_cmd directive
- Adds support for configuring the mbstring mbstring.regex_stack_limit setting in the Admin GUI.
- Adds support for configuring the opcache.preload directive (PHP versions >= 7.2) in the Admin GUI.

Updates

- Updates core dependencies used by Zend Server.
- Updates ibm_db2 extensions to 2.1.2
- Updates XDebug to 2.9.8
- PHPToolkitForIBMi updated to version 1.8.3.
- ZendServerSDK updated to 1.1.7.
- ZS WebAPI token-based access is now idempotent.
- Update Symfony Z-Ray plugin to version 1.0.6.
- Enhance log messages during Zend Server install: being more specific if Zend Server installation fails or just Web Server configuration fails.

Changes and Removals

- ZendGlobalDirectives.ini file moves from /etc/conf.d/ to /etc/ directory
- IBM i: denies access to web.config and .htaccess files by default

Fixes

General

- Updated vhost configuration template for Nginx-based installs so that the proper vhost URL is selectable during both App definition and deployment.
- PHP extension directives support compatibility and visibility attributes
- Vhost no longer goes to erroneous "Pending restart" state after app upgrade with hot deployment
- Fixed applying a new Zend Server license when the previous one was expired
- Fix bootstrap error message

UI

- Showing error message when log file is not readable
- Timezone detection removed, using configured value

IBM i

- Detecting IBM i os400 properly
- Fix broken help link in Deploy application popup in IBMi
- Fixed "ZRay is activated in production profile on IBMi"
- Power 8 fixes - PHP patch and improved build options.

ZSD

- Fixed ZSD that failed to update the blueprint when discovering new PHP extensions
- Fixed ZSD that picked up directives from inactive PHP versions when creating the blueprint
- Fixed ZSD that picked up modified directives from an inactive PHP version
- Fixed ZSD that failed to start up if there were errors in the zend_extensions_map.json file

Zend Monitor

- PHP version switch audit trail status message
- Fixed segfaulting of ZendMonitor extension when privacy filter was being applied to $_SERVER superglobal
- Fixed Buffer Overflow error in Zend Monitor caused by a large number of socket descriptors

ZRay

- Fixed a ZRay crash caused by closures in PHP code
- Fixed a potential crash in ZRay caused by an infinite loop when a ZRay extension added storage lines
- Fixed ZRay that modified an internal PHP structure that it was not supposed to modify
- Fixed ZRay that failed to collect PHP local variables

Known Issues

When you upgrade Zend Server on Windows, the installer leaves an extra entry under the “Programs and Features” page, referencing the former version. If you uninstall Zend Server later, the extra entry will remain on the list of installed programs and cannot be removed by running the “uninstall” action. To manually remove the extra entry, you can edit the registry, search for “Zend Server” under registry keys “HKLM:\Software\Microsoft\Windows\CurrentVersion\Uninstall” and “HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall”, then remove the key holding the uninstall data.

For any questions or concerns, please contact Zend Server support.