Deprecated support for IBM i v7r2 due to IBM's deprecation of OpenSSL 1.1.1. All IBM i >= v7r3 systems must use at least OSS base 7.3 to be able to install or upgrade.

Fixed

  • Zend Server Z-Ray Database Queries failed to update placeholder value bindings in queries view when PDOStatement::bindValue() was called multiple times for the same placeholder.
  • JQD excessive memory consumption when jobs failed in combination with redirects
  • JQD crashes when running HTTPS jobs when Zend Server was used in cluster mode with MySQL database
  • e-mail configuration testing
  • Fixed e-mail notifications for Zend Server JobQueue events
  • Monitor rules import, e-mail address export/import in monitoring rules

Added

  • PHP directive max_multipart_body_parts in the Zend Server GUI. The parameter was added as part of a PHP security fix.

Changed

  • Zend Server GUI, Plugins Gallery: changed the plugin package download URL from static.zend.com to api-plugins.zend.com

Updated

PHP Extensions

  • Linux
    • memcached 3.2.0
    • mongodb (php-specific) 1.19.1/1.16.2/1.11.1
    • redis 6.0.2
    • ssh2 1.4.1
  • Windows
    • imagick 3.7.0
    • redis 6.0.2 (php >= 7.2)

PHP and Zend Server dependency components

  • Linux, IBM i (selected components only)
    • lighttpd 1.4.76
    • zlib 1.3.1
    • libxml2 2.11.8
    • libssh2 (where needed) 1.11.0
    • openldap (selected distros only) 2.5.18
    • freetype 2.13.2
    • libimagic 6.9.13.11
    • libsodium 1.0.20
    • libzip 1.10.1
    • xerces 3.2.5
    • IBM i builds linked with OpenSSL 3.
  • Windows
    • httpd 2.4.62
    • libzip 1.10.1
    • curl 8.10.1
    • imagemagick 7.1.0-18

Backported PHP CVE fixes

PHP 7.4.33.7 changes

  • CGI

    • Fixed bug GHSA-p99j-rfp4-xqvq: Bypass of CVE-2024-4577, Parameter Injection Vulnerability. (CVE-2024-8926)
    • Fixed bug GHSA-94p6-54jq-9mwp: cgi.force_redirect configuration is bypassable due to the environment variable collision. (CVE-2024-8927)
  • FPM

    • Fixed bug GHSA-865w-9rf3-2wh5: Logs from children may be altered. (CVE-2024-9026)
  • SAPI

    • Fixed bug GHSA-9pqp-7h25-4f32: Erroneous parsing of multipart form data. (CVE-2024-8925)

PHP 7.3.33.12, 7.2.34.20, 7.1.33.24 changes

  • CGI

    • Fixed bug GHSA-p99j-rfp4-xqvq: Bypass of CVE-2024-4577, Parameter Injection Vulnerability. (CVE-2024-8926)
    • Fixed bug GHSA-94p6-54jq-9mwp: cgi.force_redirect configuration is bypassable due to the environment variable collision. (CVE-2024-8927)
  • SAPI

    • Fixed bug GHSA-9pqp-7h25-4f32: Erroneous parsing of multipart form data. (CVE-2024-8925)