Stay Informed
This week, read about:
- PHP 8.4 Released with Major Improvements.
- Linux kernel 6.12 Released.
- Twenty Is Building an Open Source Alternative to Salesforce.
Security Based Updates
The OpenLogic LTS team has successfully released security patches (for CentOS7) for a staggering 19 CVEs this month; details below:
- bash-4.2.46-35_ol001.el7
  - Backported patch for CVE-2019-18276.
- glibc-2.17-326_ol003.el7_9.3
  - Backported patch to fix CVE-2022-23219.
- perl-5.16.3-299_ol001.el7
  - Backported patch to fix CVE-2016-6185.
  - Backported patch to fix CVE-2023-31484.
- python3-3.6.8-21_ol004.el7_9
  - Backported patch to address CVE-2020-10735.
- python-2.7.5-94_ol002.el7
  - Backported patch to address CVE-2022-48560.
  - Backported patch to address CVE-2020-10735.
- python3-3.6.8-21_ol003.el7_9
  - Applied patch to address CVE-2022-48560.
  - Applied patch to address CVE-2020-27619.
- binutils-2.27-44.base_ol001.el7.1
  - Backported patch to address CVE-2022-44840.
  - Backported patch to address CVE-2021-37322.
  - Backported patch to address CVE-2021-45078.
- systemd-219-78_ol001.el7.9
  - Backported patch to address CVE-2023-26604.
- python3-3.6.8-21_ol002.el7_9
  - Backported patch to address CVE-2022-48565.
- perl-HTTP-Tiny-0.033-3_ol001.el7
  - Applied patch to address CVE-2023-31486.
- httpd-2.4.6-99_ol005.el7.1
  - Backported patch to fix CVE-2022-28614.
  - Backported patch to fix CVE-2022-28615.
- glibc-2.17-326_ol002.el7_9.3
  - Backported patch to mitigate CVE-2021-35942.
- python-2.7.5-94_ol001.el7
  - Backported patch to address CVE-2017-1000158.
CentOS 6 - tzdata-2023c-1_ol001.el6
- We recommend that you update your CentOS 6 systems to ensure proper timekeeping. As usual, please ensure that you test these updates before deploying to production. If you don't currently have CentOS repo access, please reach out to your Perforce/OpenLogic salesperson … you may already be entitled to access with your existing support contract!
OpenLogic AngularJS 1.6.15 and 1.8.8 released
Bug Fixes:
- ng-srcset: Addresses a Content Spoofing vulnerability and failure to sanitise image URLs set by the $compileProvider.imgSrcSanitizationWhitelist().
- This patch addresses the CVE-2024-8372 vulnerability, where users could bypass image source restrictions using ng-prop-srcset (1.8.8 only) and ng-attr-srcset Angular attributes.
- This patch addresses the CVE-2024-8373 vulnerability, where users could bypass image source restrictions in picture>source elements using the [srcset] attribute.
Notes: The <picture> HTML element and the srcset attribute are not supported by IE unless a polyfill is used.
Non-Security Based Updates
Angular 19.0.0
Explore Angular v19 with a blog post from the Angular team:
Breaking Changes
compiler:
- `this.foo` property reads no longer refer to template context variables. If you intended to read the template variable, do not use `this.`.
core:
- Angular directives, components and pipes are now standalone by default.
  - Specify `standalone: false` for declarations that are currently declared in `@NgModule`s.
  - `ng update` for v19 will take care of this automatically.
- TypeScript versions less than 5.5 are no longer supported.
- Timing changes for `effect` API (in developer preview):
  - effects which are triggered outside of change detection run as part of the change detection process instead of as a microtask. Depending on the specifics of application/test setup, this can result in them executing earlier or later (or requiring additional test steps to trigger; see below examples).
  - effects which are triggered during change detection (e.g. by input signals) run _earlier_, before the component's template.
- `ExperimentalPendingTasks` has been renamed to `PendingTasks`.
- The `autoDetect` feature of `ComponentFixture` will now attach the fixture to the `ApplicationRef`. As a result, errors during automatic change detection of the fixture will be reported to the `ErrorHandler`. This change may cause custom error handlers to observe new failures that were previously unreported.
- `createComponent` will now render default fallback with empty `projectableNodes`.
  - When passing an empty array to `projectableNodes` in the `createComponent` API, the default fallback content of the `ng-content` will be rendered if present. To prevent rendering the default content, pass `document.createTextNode('')` as a `projectableNode`.
```ts
// The first ng-content will render the default fallback content if present
createComponent(MyComponent, { projectableNodes: [[], [secondNode]] });

// To prevent projecting the default fallback content:
createComponent(MyComponent, { projectableNodes: [[document.createTextNode('')], [secondNode]] });
```
- Errors that are thrown during `ApplicationRef.tick` will now be rethrown when using `TestBed`. These errors should be resolved by ensuring the test environment is set up correctly to complete change detection successfully. There are two alternatives to catch the errors:
  - Instead of waiting for automatic change detection to happen, trigger it synchronously and expect the error. For example, a jasmine test could write `expect(() => TestBed.inject(ApplicationRef).tick()).toThrow()`.
  - `TestBed` will reject any outstanding `ComponentFixture.whenStable` promises. A jasmine test, for example, could write `expectAsync(fixture.whenStable()).toBeRejected()`.

  As a last resort, you can configure errors to _not_ be rethrown by setting `rethrowApplicationErrors` to `false` in `TestBed.configureTestingModule`.
- The timers that are used for zone coalescing and hybrid mode scheduling (which schedules an application state synchronization when changes happen outside the Angular zone) will now run in the zone above Angular rather than the root zone. This will mostly affect tests which use `fakeAsync`: these timers will now be visible to `fakeAsync` and can be affected by `tick` or `flush`.
- The deprecated `factories` property in `KeyValueDiffers` has been removed.
elements:
- As part of switching away from custom CD behavior to the hybrid scheduler, timing of change detection around custom elements has changed subtly. These changes make elements more efficient, but can cause tests which encoded assumptions about how or when elements would be checked to require updating.
localize:
- The `name` option in the `ng add @localize` schematic has been removed in favor of the `project` option.
platform-browser:
- The deprecated `BrowserModule.withServerTransition` method has been removed. Please use the `APP_ID` DI token to set the application id instead.
router:
- The `Router.errorHandler` property has been removed. Adding an error handler should be configured in either `withNavigationErrorHandler` with `provideRouter` or the `errorHandler` property in the extra options of `RouterModule.forRoot`. In addition, the error handler cannot be used to change the return value of the router navigation promise or prevent it from rejecting. Instead, if you want to prevent the promise from rejecting, use `resolveNavigationPromiseOnError`.
- The return type of the `Resolve` interface now includes `RedirectCommand`.
common:
[feat - 24c6373820] | add optional rounded transform support in cloudinary image loader (#55364)
[feat - 50f08e6c4b] | automatically use sizes auto in NgOptimizedImage (#57479)
[feat - 13c13067bc] | disable keyvalue sorting using null compareFn (#57487)
compiler:
[feat - a2e4ee0cb3] | add diagnostic for unused standalone imports (#57605)
[feat - 0c9d721ac1] | add support for the `typeof` keyword in template expressions. (#58183)
[fix - 09f589f000] | `this.a` should always refer to class property `a` (#55183)
[fix - 98804fd4be] | add more specific matcher for hydrate never block (#58360)
[fix - b25121ee4a] | avoid having to duplicate core environment (#58444)
[fix - 560282aa9b] | control flow nodes with root at the end projected incorrectly (#58607)
[fix - 2be161d015] | fix `:host` parsing in pseudo-selectors (#58681)
[fix - 806a61b5a6] | fix multiline selectors (#58681)
[fix - a3cb530d84] | handle typeof expressions in serializer (#58217)
[fix - ba4340875a] | ignore placeholder-only i18n messages (#58154)
[fix - e5d3abb298] | resolve `:host:host-context(.foo)` (#58681)
[fix - 80f56954ce] | transform chained pseudo-selectors (#58681)
compiler-cli:
[feat - d9687f43dd] | 'strictStandalone' flag enforces standalone (#57935)
[feat - 9e87593055] | ensure template style elements are preprocessed as inline styles (#57429)
[feat - 231e6ff6ca] | generate the HMR replacement module (#58205)
[fix - dbe612f2cd] | disable standalone by default on older versions of Angular (#58405)
[fix - d4d76ead80] | do not fail fatal when references to non-existent module are discovered (#58515)
[fix - 33fe252c58] | do not report unused declarations coming from an imported array (#57940)
[fix - fb44323c51] | incorrectly generating relative file paths on case-insensitive platforms (#58150)
[fix - 22cd6869ef] | make the unused imports diagnostic easier to read (#58468)
[fix - 9bbb01c85e] | report individual diagnostics for unused imports (#58589)
[perf - 4716c3b966] | reduce duplicate component style resolution (#57502)
core:
[feat - 6ea8e1e9aa] | Add a schematics to migrate to `standalone: false`. (#57643)
[feat - 3ebe6b4ad4] | Add async `run` method on `ExperimentalPendingTasks` (#56546)
[feat - 69fc5ae922] | Add incremental hydration public api (#58249)
[feat - 8ebbae88ca] | Add rxjs operator prevent app stability until an event (#56533)
[feat - 19edf2c057] | add syntactic sugar for initializers (#53152)
[feat - c93b510f9b] | allow passing `undefined` without needing to include it in the type argument of `input` (#57621)
[feat - ab25a192ba] | allow running output migration on a subset of paths (#58299)
[feat - fc59e2a7b7] | change effect() execution timing & no-op `allowSignalWrites` (#57874)
[feat - 8bcc663a53] | drop support for TypeScript 5.4 (#57577)
[feat - 18d8d44b1f] | experimental `resource()` API for async dependencies (#58255)
[feat - 9762b24b5e] | experimental impl of `rxResource()` (#58255)
[feat - 6b8c494d05] | flipping the default value for `standalone` to `true` (#58169)
[feat - e6e5d29e83] | initial version of the output migration (#57604)
[feat - be2e49639b] | introduce `afterRenderEffect` (#57549)
[feat - ec386e7f12] | introduce debugName optional arg to framework signal functions (#57073)
[feat - 8311f00faa] | introduce the reactive linkedSignal (#58189)
[feat - 1b1519224d] | mark input, output and model APIs as stable (#57804)
[feat - a7eff3ffaa] | mark signal-based query APIs as stable (#57921)
[feat - a1f229850a] | migrate ExperimentalPendingTasks to PendingTasks (#57533)
[feat - 3f1e7ab6ae] | promote `outputFromObservable` & `outputToObservable` to stable. (#58214)
[feat - 97c44a1d6c] | Promote `takeUntilDestroyed` to stable. (#58200)
[feat - e5adf92965] | stabilize `@let` syntax (#57813)
[feat - b063468027] | support TypeScript 5.6 (#57424)
[feat - 819ff034ce] | treat directives, pipes, components as by default (#58229)
[fix - ee426c62f0] | allow signal write error (#57973)
[fix - c095679f92] | avoid breaking change with apps using rxjs 6.x (#58341)
[fix - 71ee81af2c] | clean up event contract once hydration is done (#58174)
[fix - f03d274e87] | ComponentFixture autoDetect feature works like production (#55228)
[fix - 950a5540f1] | Ensure the `ViewContext` is retained after closure minification (#57903)
[fix - 7b1e5be20b] | fallback to default ng-content with empty projectable nodes. (#57480)
[fix - 0300dd2e18] | Fix fixture.detectChanges with autoDetect disabled and zoneless (#57416)
[fix - 5fe57d4fbb] | fixes issues with control flow and incremental hydration (#58644)
[fix - 51933ef5a6] | prevent errors on contract cleanup (#58614)
[fix - fd7716440b] | Prevents trying to trigger incremental hydration on CSR (#58366)
[fix - 656b5d3e78] | Re-assign error codes to be within core bounds (<1000) (#53455)
[fix - 6e0af6dbbb] | resolve forward-referenced host directives during directive matching (#58492)
[fix - 468d3fb9b1] | rethrow errors during ApplicationRef.tick in TestBed (#57200)
[fix - 226a67dabb] | Schedulers run in zone above Angular rather than root (#57553)
[perf - 97fb86d331] | set encapsulation to `None` for empty component styles (#57130)
[refactor - c15ec36bd1] | remove deprecated `factories` Property in `KeyValueDiffers` (#58064)
elements:
[fix - fe5c4e086a] | support `output()`-shaped outputs (#57535)
[fix - 0cebfd7462] | switch to `ComponentRef.setInput` & remove custom scheduler (#56728)
forms:
[feat - 3e7d724037] | add ability to clear a FormRecord (#50750)
[fix - 18b6f3339f] | fix FormRecord type inference (#50750)
http:
[feat - 4b9accdf16] | promote `withRequestsMadeViaParent` to stable. (#58221)
[fix - 057cf7fb6b] | preserve all headers from Headers object (#57802)
language-service:
[feat - 8da9fb49b5] | add code fix for unused standalone imports (#57605)
[feat - 1f067f4507] | add code refactoring action to migrate `@Input` to signal-input (#57214)
[feat - 56ee47f2ec] | allow code refactorings to compute edits asynchronously (#57214)
[feat - bc83fc1e2e] | support converting to signal queries in VSCode extension (#58106)
[feat - 5c4305f024] | support migrating full classes to signal inputs in VSCode (#57975)
[feat - 6342befff8] | support migrating full classes to signal queries (#58263)
[fix - 7ecfd89592] | The suppress diagnostics option should work for external templates (#57873)
localize:
[refactor - 9c3bd1b5d1] | remove deprecated `name` option. (#58063)
migrations:
[feat - dff4de0f75] | add a combined migration for all signals APIs (#58259)
[feat - b6bc93803c] | add schematic to migrate to signal queries (#58032)
[feat - bb286f65e7] | capture output migration stats (#58321)
[feat - 2bfc64daf1] | expose output as function migration (#58299)
[feat - 59fe9bc772] | introduce signal input migration as `ng generate` schematic (#57805)
[feat - cbec46a51d] | migrate .pipe calls in outputs used in tests (#57691)
[feat - cf70d626cd] | print output migration stats in ng generate (#58321)
[feat - 68e5370a66] | remove complete calls for migrated outputs (#57671)
[feat - 9da21f798d] | replace .next usage on outputs (#57654)
[fix - 42607bf0f2] | add outputs migration to combined shorthand (#58318)
[fix - 71f5ef2aa5] | change imports to be G3 compatible (#57654)
[fix - e6514b9f3d] | do not migrate next calls in template if not an EventEmitter (#58631)
[fix - c5e676bb87] | flip the default standalone flag in route-lazy-loading migration (#58474)
[fix - b84ed2b628] | include the output migration in the defaults of the signal migration (#58635)
[fix - 90c7ec39a0] | inject migration always inserting generated variables before super call (#58393)
[fix - 7a65cdd911] | inject migration not inserting generated code after super call in some cases (#58393)
[fix - 00e2001351] | migrate more .next output usages (#58282)
[fix - e85ac5c7cb] | properly bundle shared compiler code into migrations (#58515)
[fix - 3a264db866] | properly handle comments in output migration (#57691)
[fix - 616b411a6d] | properly migrate output aliases (#58411)
[fix - d504452e2f] | properly replace imports across files (#58414)
[fix - c1aa411cf1] | properly resolve tsconfig paths on windows (#58137)
[fix - e26797b38e] | replace removed NgModules in tests with their exports (#58627)
platform-browser:
[fix - c36a1c023b] | correctly add external stylesheets to ShadowDOM components (#58482)
[refactor - 5c61f46409] | remove deprecated `BrowserModule.withServerTransition` method (#58062)
platform-server:
[fix - 9e82559de4] | destroy `PlatformRef` when error happens during the `bootstrap()` phase (#58112)
router:
[feat - f271021e19] | Add `routerOutletData` input to `RouterOutlet` directive (#57051)
[fix - b2790813a6] | Align RouterModule.forRoot errorHandler with provider error handler (#57050)
[fix - a49c35ec76] | remove setter for `injector` on `OutletContext` (#58343)
[fix - 7436d3180e] | Update Resolve interface to include RedirectCommand like ResolveFn (#57309)
service-worker:
[feat - 8ddce80a0b] | allow specifying maxAge for entire application (#49601)
[feat - 1479af978c] | finish implementation of refreshAhead feature (#53356)
GitLab FOSS 17.6.0
Added (181 changes)
Fixed (176 changes)
Changed (281 changes)
Deprecated (1 change)
Removed (27 changes)
Security (15 changes):
- [Update rails-related gems in gems folder](https://gitlab.com/gitlab-org/gitlab/-/commit/b8bf70b34db2aa27c7a50686a09300713edfd135) ([merge request](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/172257))
- [Removed id from authorize buttons and added specs](https://gitlab.com/gitlab-org/gitlab/-/commit/ddf06283c33c5b7828843421812353dfaeee2551)
- [Prevent agent access via unconfirmed or disallowed group members](https://gitlab.com/gitlab-org/gitlab/-/commit/a4c417f124d62068cbf829248f243f9c2e7d1333)
- [Details of blocking merge request can be exposed via list](https://gitlab.com/gitlab-org/gitlab/-/commit/3ed2ec16854bec0b0463207c3c2c604af0635ddb)
- [Remove is-unsafe-link from product analytics tables to prevent XSS](https://gitlab.com/gitlab-org/gitlab/-/commit/80eb472665efdf13beb9296faa1c4149059fd042)
- [HTML injection in vulnerability Code flow leads to XSS on self hosted instances](https://gitlab.com/gitlab-org/gitlab/-/commit/5e822c1e27a1b26518c6ec8ef4ca8f4650f84c82)
- [Use custom adapter for parsing FogBugz XML](https://gitlab.com/gitlab-org/gitlab/-/commit/3880dcd2b426d3bbc384dbdb3146935c643a30af)
- [Update nokogiri to fix recent CVEs](https://gitlab.com/gitlab-org/gitlab/-/commit/bbcb1c987d2f0df2e7731cee25b4aa9aaf253f45) ([merge request](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/171655))
- [Limit ProcessCommitWorker by number of branches](https://gitlab.com/gitlab-org/gitlab/-/commit/268840eaf7ca2328cd3dc2307ed10b86618221cd) ([merge request](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/171786))
- [Update rexml to fix CVE-2024-49761](https://gitlab.com/gitlab-org/gitlab/-/commit/311f5b34a38d669dc3e2633f42d81b9f27bf43c6) ([merge request](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/171537))
- [Bump rack minor versions to patch CVEs](https://gitlab.com/gitlab-org/gitlab/-/commit/fe50ebd6cc23b23e3eb859d1b91570d20cbbdf13) ([merge request](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/169705))
- [Fixed HTML injection in Global Search bug - renamed branch](https://gitlab.com/gitlab-org/gitlab/-/commit/036d7b2cc710cd00a2068b38dfcdf0ea0f8472cb)
- [Limit max size of manifest file upload](https://gitlab.com/gitlab-org/gitlab/-/commit/505c055c8c22a93b32dfc0c0738fd93f81b38335)
- [Update rexml to fix CVE-2024-41946](https://gitlab.com/gitlab-org/gitlab/-/commit/8feae3956828b94ff84f25affc41e61750baa5d1) ([merge request](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/169632))
- [Set Global timeout for Regexp to prevent ReDOS](https://gitlab.com/gitlab-org/gitlab/-/commit/10fd9dfc9473a842fe70a4dd6157b3622215045f) ([merge request](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/145679))
Performance (17 changes)
Other (258 changes)
- Admin events might now include additional details about the context when the event is fired. When upgrading, you should expect the database schema to be updated to add a new column `DETAILS_JSON` to the `ADMIN_EVENT_ENTITY` table.
- Updates to documentation of X.509 client certificate lookup via proxy: Potentially vulnerable configurations have been identified in the X.509 client certificate lookup when using a reverse proxy. Additional configuration steps might be required depending on your current configuration. Make sure to review the updated reverse proxy guide if you have configured the client certificate lookup via a proxy header.
Elastic Kibana v8.16.1
The 8.16.1 release includes the following bug fixes.
Bug Fixes
Dashboards & Visualizations:
- Fixes an issue preventing a custom panel title from being saved correctly (#200548).
Elastic Observability solution:
- Changes the order of the errors shown on Infrastructure applications to be more relevant (#200531).
- Fixes the summary calculation for a calendar-aligned and occurrences-based SLO (#199873).
- Fixes the `kustomize` command (#199758).
Elastic Security solution:
- For the Elastic Security 8.16.1 release information, refer to the _Elastic Security Solution Release Notes_.
Platform:
- Fixes an issue with duplicate references to objects when copying saved objects to other spaces (#200053).
- Fixes button colors in the "Share data view to spaces" flyout (#196004).
Kubernetes v1.31.3
Changes by Kind
Bug or Regression:
- Fix a bug when the hostname label of a node does not match the node name, pods bound to a PV with nodeAffinity using the hostname may be scheduled to the wrong node or experience scheduling failures. (#127584, @AxeZhan) [SIG Scheduling and Storage]
- Fixed a suboptimal scheduler preemption behavior where potential preemption victims were violating Pod Disruption Budgets. (#128431, @NoicFank) [SIG Scheduling]
- Fixes 1.31 regression that can crash kube-controller-manager's service-lb-controller loop (#128236, @carlory) [SIG API Machinery, Cloud Provider and Network]
Elastic Logstash v8.16.1
Logstash 8.16.1 Release Notes:
Notable issues fixed:
- PipelineBusV2 deadlock proofing: We fixed an issue that could cause a deadlock when the pipeline-to-pipeline feature was in use, causing pipelines (and consequently Logstash) to never terminate [#16680]
Plugins:
*Elastic_integration Filter - 0.1.16*
- Reflect the Elasticsearch GeoIP changes into the plugin and sync with Elasticsearch 8.16 branch [#170]
*Xml Filter - 4.2.1*
- patch rexml to improve performance of multi-threaded xml parsing [#84]
*Beats Input - 6.9.1*
- Upgrade netty to 4.1.115 [#507]
*Http Input - 3.9.2*
- Upgrade netty to 4.1.115 [#183]
*Tcp Input - 6.4.4*
- Upgrade netty to 4.1.115 [#227]
*Http Output - 5.7.1*
- Added new development `rackup` dependency to fix tests
Node.js 23.3.0
Notable Changes:
* [`5767b76c30`] - **doc**: enforce strict policy to semver-major releases (Rafael Gonzaga) [#55732]
* [`ccb69bb8d5`] - **(SEMVER-MINOR)** **src**: add cli option to preserve env vars on dr (Rafael Gonzaga) [#55697]
* [`d4e792643d`] - **(SEMVER-MINOR)** **util**: add sourcemap support to getCallSites (Marco Ippolito) [#55589]
* [`00e092bb4b`] - **(SEMVER-MINOR)** **util**: fix util.getCallSites plurality (Chengzhong Wu) [#55626]
Commits:
* [`9862912d41`] - **assert**: differentiate cases where `cause` is `undefined` or missing (Antoine du Hamel) [#55738]
* [`32e5bbca95`] - **benchmark**: add `test-reporters` (Aviv Keller) [#55757]
* [`c2103354e6`] - **benchmark**: add `test_runner/mock-fn` (Aviv Keller) [#55771]
* [`472d55e3e4`] - **build**: implement node\_use\_amaro flag in GN build (Cheng) [#55798]
* [`77735674eb`] - **build**: use glob for dependencies of out/Makefile (Richard Lau) [#55789]
* [`bba7323d51`] - **build**: apply cpp linting and formatting to ncrypto (Aviv Keller) [#55362]
* [`e0c222525e`] - **crypto**: allow length=0 for HKDF and PBKDF2 in SubtleCrypto.deriveBits (Filip Skokan) [#55866]
* [`cad557ec53`] - **deps**: update simdutf to 5.6.1 (Node.js GitHub Bot) [#55850]
* [`dc8aca3692`] - **deps**: update undici to 6.21.0 (Node.js GitHub Bot) [#55851]
* [`e0db9ede4f`] - **deps**: update c-ares to v1.34.3 (Node.js GitHub Bot) [#55803]
* [`e147935144`] - **deps**: update icu to 76.1 (Node.js GitHub Bot) [#55551]
* [`e0ef65b8d5`] - **doc**: remove non-working example (Antoine du Hamel) [#55856]
* [`ec953bca09`] - **doc**: add `node:sqlite` to mandatory `node:` prefix list (翠 / green) [#55846]
* [`1b863b96d5`] - **doc**: add `-S` flag release preparation example (Antoine du Hamel) [#55836]
* [`a8311847d1`] - **doc**: clarify UV\_THREADPOOL\_SIZE env var usage (Preveen P) [#55832]
* [`787e51e603`] - **doc**: add notable-change mention to sec release (Rafael Gonzaga) [#55830]
* [`e56265cc18`] - **doc**: fix history info for `URL.prototype.toJSON` (Antoine du Hamel) [#55818]
* [`c5afdaf5cb`] - **doc**: correct max-semi-space-size statement (Joe Bowbeer) [#55812]
* [`65ffb2cae3`] - **doc**: update unflag info of `import.meta.resolve` (skyclouds2001) [#55810]
* [`9aeb671677`] - **doc**: run license-builder (github-actions[bot]) [#55813]
* [`df5ea1a5b3`] - **doc**: clarify triager role (Gireesh Punathil) [#55775]
* [`aa12de0f03`] - **doc**: sort --report-exclude alphabetically (Rafael Gonzaga) [#55788]
* [`8576ca9897`] - **doc**: clarify removal of experimental API does not require a deprecation (Antoine du Hamel) [#55746]
* [`5767b76c30`] - **doc**: enforce strict policy to semver-major releases (Rafael Gonzaga) [#55732]
* [`1f2fcf1dc8`] - **doc**: add history entries for JSON modules stabilization (Antoine du Hamel) [#55855]
* [`83ba688d8f`] - **esm**: fix import.meta.resolve crash (Marco Ippolito) [#55777]
* [`bdb6d12e7a`] - **events**: add hasEventListener util for validate (Sunghoon) [#55230]
* [`d41cb49516`] - **fs**: prevent unwanted `dependencyOwners` removal (Carlos Espa) [#55565]
* [`db0d648d8f`] - **fs**: fix bufferSize option for opendir recursive (Ethan Arrowood) [#55744]
* [`693fda0802`] - **lib**: remove unused file `fetch_module` (Michaël Zasso) [#55880]
* [`156873303a`] - **lib**: prefer symbol to number in webidl `type` function (Antoine du Hamel) [#55737]
* [`cfe28b161a`] - **lib**: remove unnecessary optional chaining (Gürgün Dayıoğlu) [#55728]
* [`bbb8f5914d`] - **lib**: use `Promise.withResolvers()` in timers (Yagiz Nizipli) [#55720]
* [`11e1bdd409`] - **module**: tidy code string concat → string templates (Jacob Smith) [#55820]
* [`9c99255468`] - **permission**: ignore internalModuleStat on module loading (Rafael Gonzaga) [#55797]
* [`5a437c446f`] - **report**: fix network queries in getReport libuv with exclude-network (Adrien Foulon) [#55602]
* [`bcbba723de`] - **sqlite**: add support for SQLite Session Extension (Bart Louwers) [#54181]
* [`49d55228de`] - **src**: use env strings to create sqlite results (Michaël Zasso) [#55785]
* [`58d7a6ec10`] - _**Revert**_ "**src**: migrate `String::Value` to `String::ValueView`" (Michaël Zasso) [#55828]
* [`16786a6df8`] - **src**: improve `node:os` userInfo performance (Yagiz Nizipli) [#55719]
* [`ccb69bb8d5`] - **(SEMVER-MINOR)** **src**: add cli option to preserve env vars on dr (Rafael Gonzaga) [#55697]
* [`770670c52c`] - **test**: fix permission fixtures lint (Rafael Gonzaga) [#55819]
* [`84c47478d0`] - **test**: improve test coverage for child process message sending (Juan José) [#55710]
* [`e1f54e2527`] - **test**: ensure that test priority is not higher than current priority (Livia Medeiros) [#55739]
* [`e1b42e7637`] - **test**: add buffer to fs\_permission tests (Rafael Gonzaga) [#55734]
* [`d1ad43e9ae`] - **test**: improve test coverage for `ServerResponse` (Juan José) [#55711]
* [`034505e037`] - **test\_runner**: error on mocking an already mocked date (Aviv Keller) [#55858]
* [`44324aa7e9`] - **tools**: bump @eslint/plugin-kit from 0.2.0 to 0.2.3 in /tools/eslint (dependabot[bot]) [#55875]
* [`3cfacd3fbb`] - **tools**: fix exclude labels for commit-queue (Richard Lau) [#55809]
* [`8111a7655d`] - **tools**: make commit-queue check blocked label (Marco Ippolito) [#55781]
* [`419ea068fb`] - **tools**: remove non-existent file from eslint config (Aviv Keller) [#55772]
* [`7814669377`] - **tools**: fix c-ares updater script for Node.js 18 (Richard Lau) [#55717]
* [`3a9733cc4f`] - **util**: do not mark experimental feature as deprecated (Antoine du Hamel) [#55740]
* [`d4e792643d`] - **(SEMVER-MINOR)** **util**: add sourcemap support to getCallSites (Marco Ippolito) [#55589]
* [`00e092bb4b`] - **(SEMVER-MINOR)** **util**: fix util.getCallSites plurality (Chengzhong Wu) [#55626]
php-8.4.1
BcMath:
- [RFC] Add bcfloor, bcceil and bcround to BCMath.
- Improve performance.
- Adjust bcround()'s $mode parameter to only accept the RoundingMode enum.
- Fixed LONG_MAX in BCMath ext.
- Fixed bcdiv() div by one.
- [RFC] Support object types in BCMath.
- bcpow() performance improvement.
- ext/bcmath: Check for scale overflow.
- [RFC] ext/bcmath: Added bcdivmod.
- Fix GH-15968 (Avoid converting objects to strings in operator calculations).
- Fixed bug GH-16265 (Added early return case when result is 0) (Saki Takamachi).
- Fixed bug GH-16262 (Fixed a bug where size_t underflows) (Saki Takamachi).
- Fixed GH-16236 (Fixed a bug in BcMath\Number::pow() and bcpow() when raising negative powers of 0) (Saki Takamachi).
Core:
- Added zend_call_stack_get implementation for NetBSD, DragonFlyBSD, Solaris and Haiku.
- Enabled ifunc checks on FreeBSD from the 12.x releases.
- Changed the type of PHP_DEBUG and PHP_ZTS constants to bool.
- Fixed bug GH-13142 (Undefined variable name is shortened when contains \0).
- Fixed bug GH-13178 (Iterator positions incorrect when converting packed array to hashed).
- Fixed zend fiber build for solaris default mode (32 bits).
- Fixed zend call stack size for macOS/arm64.
- Added support for Zend Max Execution Timers on FreeBSD.
- Ensure fiber stack is not backed by THP.
- Implement GH-13609 (Dump wrapped object in WeakReference class).
- Added sparc64 arch assembly support for zend fiber.
- Fixed GH-13581 no space available for TLS on NetBSD.
- Added fiber Sys-V loongarch64 support.
- Adjusted closure names to include the parent function's name.
- Improve randomness of uploaded file names and files created by tempnam().
- Added gc and shutdown callbacks to zend_mm custom handlers.
- Fixed bug GH-14650 (Compute the size of pages before allocating memory).
- Fixed bug GH-11928 (The --enable-re2c-cgoto doesn't add the -g flag).
- Added the #[\Deprecated] attribute.
- Fixed GH-11389 (Allow suspending fibers in destructors).
- Fixed bug GH-14801 (Fix build for armv7).
- Implemented property hooks RFC.
- Fix GH-14978 (The xmlreader extension phpize build).
- Throw Error exception when encountering recursion during comparison, rather than fatal error.
- Added missing cstddef include for C++ builds.
- Updated build system scripts config.guess to 2024-07-27 and config.sub to 2024-05-27.
- Fixed bug GH-15240 (Infinite recursion in trait hook).
- Fixed bug GH-15140 (Missing variance check for abstract set with asymmetric type).
- Fixed bug GH-15181 (Disabled output handler is flushed again).
- Passing E_USER_ERROR to trigger_error() is now deprecated.
- Fixed bug GH-15292 (Dynamic AVX detection is broken for MSVC).
- Using "_" as a class name is now deprecated.
- Exiting a namespace now clears seen symbols.
- The exit (and die) language constructs now behave more like a function. They can be passed like callables, are affected by the strict_types declare statement, and now perform the usual type coercions instead of casting any non-integer value to a string. As such, passing invalid types to exit/die may now result in a TypeError being thrown.
- Fixed bug GH-15438 (Hooks on constructor promoted properties without visibility are ignored).
- Fixed bug GH-15419 (Missing readonly+hook incompatibility check for readonly classes).
- Fixed bug GH-15187 (Various hooked object iterator issues).
- Fixed bug GH-15456 (Crash in get_class_vars() on virtual properties).
- Fixed bug GH-15501 (Windows HAVE_<header>_H macros defined to 1 or undefined).
- Implemented asymmetric visibility for properties.
- Fixed bug GH-15644 (Asymmetric visibility doesn't work with hooks).
- Implemented lazy objects RFC.
- Fixed bug GH-15686 (Building shared iconv with external iconv library).
- Fixed missing error when adding asymmetric visibility to unilateral virtual property.
- Fixed bug GH-15693 (Unnecessary include in main.c bloats binary).
- Fixed bug GH-15731 (AllowDynamicProperties validation should error on enums).
- Fixed bug GH-16040 (Use-after-free of object released in hook).
- Fixed bug GH-16026 (Reuse of dtor fiber during shutdown).
- Fixed bug GH-15999 (zend_std_write_property() assertion failure with lazy objects).
- Fixed bug GH-15960 (Foreach edge cases with lazy objects).
- Fixed bug GH-16185 (Various hooked object iterator issues).
- Fixed bug OSS-Fuzz #371445205 (Heap-use-after-free in attr_free).
- Fixed missing error when adding asymmetric visibility to static properties.
- Fixed bug OSS-Fuzz #71407 (Null-dereference WRITE in zend_lazy_object_clone).
- Fixed bug GH-16574 (Incorrect error "undefined method" messages).
- Fixed bug GH-16577 (EG(strtod_state).freelist leaks with opcache.preload).
- Fixed bug GH-16615 (Assertion failure in zend_std_read_property).
- Fixed bug GH-16342 (Added ReflectionProperty::isLazy()).
- Fixed bug GH-16725 (Incorrect access check for non-hooked props in hooked object iterator).
Curl:
- Deprecated the CURLOPT_BINARYTRANSFER constant.
- Bumped required libcurl version to 7.61.0.
- Added feature_list key to the curl_version() return value.
- Added constants CURL_HTTP_VERSION_3 (libcurl 7.66) and CURL_HTTP_VERSION_3ONLY (libcurl 7.88) as options for CURLOPT_HTTP_VERSION (Ayesh Karunaratne)
- Added CURLOPT_TCP_KEEPCNT to set the number of probes to send before dropping the connection.
- Added CURLOPT_PREREQFUNCTION Curl option to set a custom callback after the connection is established, but before the request is performed.
- Added CURLOPT_SERVER_RESPONSE_TIMEOUT, which was formerly known as CURLOPT_FTP_RESPONSE_TIMEOUT.
- The CURLOPT_DNS_USE_GLOBAL_CACHE option is now silently ignored.
- Added CURLOPT_DEBUGFUNCTION as a Curl option.
- Fixed bug GH-16359 (crash with curl_setopt* CURLOPT_WRITEFUNCTION without null callback).
- Fixed bug GH-16723 (CURLMOPT_PUSHFUNCTION issues).
Date:
- Added DateTime[Immutable]::createFromTimestamp.
- Added DateTime[Immutable]::[get|set]Microsecond.
- Constants SUNFUNCS_RET_TIMESTAMP, SUNFUNCS_RET_STRING, and SUNFUNCS_RET_DOUBLE are now deprecated.
- Fixed bug GH-13773 (DatePeriod not taking into account microseconds for end date).
DBA:
- Passing null or false to dba_key_split() is deprecated.
Debugging:
- Fixed bug GH-15923 (GDB: Python Exception <class 'TypeError'>: exceptions must derive from BaseException).
DOM:
- Added DOMNode::compareDocumentPosition().
- Implement #53655 (Improve speed of DOMNode::C14N() on large XML documents).
- Fix cloning attribute with namespace disappearing namespace.
- Implement DOM HTML5 parsing and serialization RFC.
- Fix DOMElement->prefix with empty string creates bogus prefix.
- Handle OOM more consistently.
- Implemented "Improve callbacks in ext/dom and ext/xsl" RFC.
- Added DOMXPath::quote() static method.
- Implemented opt-in ext/dom spec compliance RFC.
- Fixed bug #79701 (getElementById does not correctly work with duplicate definitions).
- Implemented "New ext-dom features in PHP 8.4" RFC.
- Fixed GH-14698 (segfault on DOM node dereference).
- Improve support for template elements.
- Fix trampoline leak in xpath callables.
- Throw instead of silently failing when creating a too long text node in (DOM)ParentNode and (DOM)ChildNode.
- Fixed bug GH-15192 (Segmentation fault in dom extension (html5_serializer)).
- Deprecated DOM_PHP_ERR constant.
- Removed DOMImplementation::getFeature().
- Fixed bug GH-15331 (Element::$substitutedNodeValue test failed).
- Fixed bug GH-15570 (Segmentation fault (access null pointer) in ext/dom/html5_serializer.c).
- Fixed bug GH-13988 (Storing DOMElement consume 4 times more memory in PHP 8.1 than in PHP 8.0).
- Fix XML serializer errata: xmlns="" serialization should be allowed.
- Fixed bug GH-15910 (Assertion failure in ext/dom/element.c).
- Fix unsetting DOM properties.
- Fixed bug GH-16190 (Using reflection to call Dom\Node::__construct causes assertion failure).
- Fix edge-case in DOM parsing decoding.
- Fixed bug GH-16465 (Heap buffer overflow in DOMNode->getElementByTagName).
- Fixed bug GH-16594 (Assertion failure in DOM -> before).
Fileinfo:
- Update to libmagic 5.45.
- Fixed bug #65106 (PHP fails to compile ext/fileinfo).
FPM:
- Implement GH-12385 (flush headers without body when calling flush()).
- Added DragonFlyBSD system to the list which set FPM_BACKLOG_DEFAULT to SOMAXCONN.
- The /dev/poll events.mechanism setting for Solaris/Illumos has been retired.
- Added memory peak to the scoreboard / status page.
FTP:
- Removed the deprecated inet_ntoa call support.
- Fixed bug #63937 (Upload speed 10 times slower with PHP).
GD:
- Fix parameter numbers and missing alpha check for imagecolorset().
- imagepng/imagejpeg/imagewebp/imageavif now throw an exception on invalid quality parameter.
- Check overflow/underflow for imagescale/imagefilter.
- Added gdImageClone to bundled libgd.
Gettext:
- bind_textdomain_codeset, textdomain and d(*)gettext functions now throw an exception on empty domain.
GMP:
- The GMP class is now final and cannot be extended anymore.
- RFC: Change GMP bool cast behavior.
Hash:
- Changed return type of hash_update() to true.
- Added HashContext::__debugInfo().
- Deprecated passing incorrect data types for options to ext/hash functions.
- Added SSE2 and SHA-NI implementation of SHA-256.
- Fix GH-15384 (Build fails on Alpine / Musl for amd64).
- Fixed bug GH-15742 (php_hash_sha.h incompatible with C++).
IMAP:
- Moved to PECL.
Intl:
- Added IntlDateFormatter::PATTERN constant.
- Fixed NumberFormatter::__construct when the locale is invalid, now throws an exception.
- Added NumberFormatter::ROUND_TOWARD_ZERO and ::ROUND_AWAY_FROM_ZERO as aliases for ::ROUND_DOWN and ::ROUND_UP.
- Added NumberFormatter::ROUND_HALFODD.
- Added PROPERTY_IDS_UNARY_OPERATOR, PROPERTY_ID_COMPAT_MATH_START and PROPERTY_ID_COMPAT_MATH_CONTINUE constants.
- Added IntlDateFormatter::getIanaID/intltz_get_iana_id method/function.
- Set to C++17 standard for icu 74 and onwards.
- resourcebundle_get(), ResourceBundle::get(), and accessing offsets on a ResourceBundle object now throw TypeError for invalid offset types, ValueError for an empty string, and ValueError if the integer index does not fit in a signed 32-bit integer.
- ResourceBundle::get() now has a tentative return type of: ResourceBundle|array|string|int|null
- Added the new Grapheme function grapheme_str_split.
- Added IntlDateFormatter::parseToCalendar.
- Added SpoofChecker::setAllowedChars to set unicode chars ranges.
LDAP:
- Added LDAP_OPT_X_TLS_PROTOCOL_MAX/LDAP_OPT_X_TLS_PROTOCOL_TLS1_3 constants.
LibXML:
- Added LIBXML_RECOVER constant.
- libxml_set_streams_context() now throws immediately on an invalid context instead of at the use-site.
- Added LIBXML_NO_XXE constant.
MBString:
- Added mb_trim, mb_ltrim and mb_rtrim.
- Added mb_ucfirst and mb_lcfirst.
- Updated Unicode data tables to Unicode 15.1.
- Fixed bug GH-15824 (mb_detect_encoding(): Argument $encodings contains invalid encoding "UTF8").
- Updated Unicode data tables to Unicode 16.0.
Mysqli:
- The mysqli_ping() function and mysqli::ping() method are now deprecated, as the reconnect feature was removed in PHP 8.2.
- The mysqli_kill() function and mysqli::kill() method are now deprecated. If this functionality is needed a SQL "KILL" command can be used instead.
- The mysqli_refresh() function and mysqli::refresh() method are now deprecated. If this functionality is needed a SQL "FLUSH" command can be used instead.
- Passing explicitly the $mode parameter to mysqli_store_result() has been deprecated. As the MYSQLI_STORE_RESULT_COPY_DATA constant was only used in conjunction with this function it has also been deprecated.
MySQLnd:
- Fixed bug GH-13440 (PDO quote bottleneck).
- Fixed bug GH-10599 (Apache crash on Windows when using a self-referencing anonymous function inside a class with an active mysqli connection).
Opcache:
- Added large shared segments support for FreeBSD.
- If JIT is enabled, PHP will now exit with a fatal error on startup in case of JIT startup initialization issues.
- Increased the maximum value of opcache.interned_strings_buffer to 32767 on 64bit archs.
- Fixed bug GH-13834 (Applying non-zero offset 36 to null pointer in zend_jit.c).
- Fixed bug GH-14361 (Deep recursion in zend_cfg.c causes segfault).
- Fixed bug GH-14873 (PHP 8.4 min function fails on typed integer).
- Fixed bug GH-15490 (Building of callgraph modifies preloaded symbols).
- Fixed bug GH-15178 (Assertion in tracing JIT on hooks).
- Fixed bug GH-15657 (Segmentation fault in dasm_x86.h).
- Added opcache_jit_blacklist() function.
- Fixed bug GH-16009 (Segmentation fault with frameless functions and undefined CVs).
- Fixed bug GH-16186 (Assertion failure in Zend/zend_operators.c).
- Fixed bug GH-16572 (Incorrect result with reflection in low-trigger JIT).
- Fixed GH-16839 (Error on building Opcache JIT for Windows ARM64).
OpenSSL:
- Fixed bug #80269 (OpenSSL sets Subject wrong with extraattribs parameter).
- Implement request #48520 (openssl_csr_new - allow multiple values in DN).
- Introduced new serial_hex parameter to openssl_csr_sign.
- Added X509_PURPOSE_OCSP_HELPER and X509_PURPOSE_TIMESTAMP_SIGN constants.
- Bumped minimum required OpenSSL version to 1.1.1.
- Added compile-time option --with-openssl-legacy-provider to enable legacy provider.
- Added support for Curve25519 + Curve448 based keys.
- Fixed bug GH-13343 (openssl_x509_parse should not allow omitted seconds in UTCTimes).
- Bumped minimum required OpenSSL version to 1.1.0.
- Implement GH-13514 PASSWORD_ARGON2 from OpenSSL 3.2.
Output:
- Clear output handler status flags during handler initialization.
- Fixed bug with url_rewriter.hosts not used by output_add_rewrite_var().
PCNTL:
- Added pcntl_setns for Linux.
- Added pcntl_getcpuaffinity/pcntl_setcpuaffinity.
- Updated pcntl_get_signal_handler signal id upper limit to be more in line with platform limits.
- Added pcntl_getcpu for Linux/FreeBSD/Solaris/Illumos.
- Added pcntl_getqos_class/pcntl_setqos_class for macOS.
- Added SIGCKPT/SIGCKPTEXIT constants for DragonFlyBSD.
- Added FreeBSD's SIGTRAP handling to pcntl_siginfo_to_zval.
- Added POSIX pcntl_waitid.
- Fixed bug GH-16769: (pcntl_sigwaitinfo aborts on signal value as reference).
PCRE:
- Upgrade bundled pcre2lib to version 10.43.
- Add "/r" modifier.
- Upgrade bundled pcre2lib to version 10.44.
- Fixed GH-16189 (underflow on offset argument).
- Fix UAF issues with PCRE after request shutdown.
PDO:
- Fixed setAttribute and getAttribute.
- Implemented PDO driver-specific subclasses RFC.
- Added support for PDO driver-specific SQL parsers.
- Fixed bug GH-14792 (Compilation failure on pdo_* extensions).
- mysqlnd: support ER_CLIENT_INTERACTION_TIMEOUT.
- The internal header php_pdo_int.h is no longer installed; it is not supposed to be used by PDO drivers.
- Fixed bug GH-16167 (Prevent mixing PDO sub-classes with different DSN).
- Fixed bug GH-16314 ("Pdo\Mysql object is uninitialized" when opening a persistent connection).
PDO_DBLIB:
- Fixed setAttribute and getAttribute.
- Added class Pdo\DbLib.
PDO_Firebird:
- Fixed setAttribute and getAttribute.
- Feature: Add transaction isolation level and mode settings to pdo_firebird.
- Added class Pdo\Firebird.
- Added Pdo\Firebird::ATTR_API_VERSION.
- Added getApiVersion() and removed from getAttribute().
- Supported Firebird 4.0 datatypes.
- Support proper formatting of time zone types.
- Fixed GH-15604 (Always make input parameters nullable).
PDO_MYSQL:
- Fixed setAttribute and getAttribute.
- Added class Pdo\Mysql.
- Added custom SQL parser.
- Fixed GH-15949 (PDO_MySQL not properly quoting PDO_PARAM_LOB binary data).
PDO_ODBC:
- Added class Pdo\Odbc.
PDO_PGSQL:
- Fixed GH-12423, DSN credentials being prioritized over the user/password PDO constructor arguments.
- Fixed native float support with pdo_pgsql query results.
- Added class Pdo\Pgsql.
- Retrieve the memory usage of the query result resource.
- Added Pdo\Pgsql::setNoticeCallBack method to receive DB notices.
- Added custom SQL parser.
- Fixed GH-15986 (Double-free due to Pdo\Pgsql::setNoticeCallback()).
- Fixed GH-12940 (Using PQclosePrepared when available instead of the DEALLOCATE command to free statements resources).
- Remove PGSQL_ATTR_RESULT_MEMORY_SIZE constant as it is provided by the new PDO Subclass as Pdo\Pgsql::ATTR_RESULT_MEMORY_SIZE.
PDO_SQLITE:
- Added class Pdo\Sqlite.
- Fixed bug #81227 (PDO::inTransaction reports false when in transaction).
- Added custom SQL parser.
PHPDBG:
- Array out of bounds, stack overflow handled for segfault handler on Windows.
- Fixed bug GH-16041 (Support stack limit in phpdbg).
PGSQL:
- Added the possibility to have no conditions for pg_select.
- Persistent connections support the PGSQL_CONNECT_FORCE_RENEW flag.
- Added pg_result_memory_size to get the query result memory usage.
- Added pg_change_password to alter a user's password.
- Added pg_put_copy_data/pg_put_copy_end to send COPY commands and signal the end of the COPY.
- Added pg_socket_poll to poll on the connection.
- Added pg_jit to get information on server JIT support.
- Added pg_set_chunked_rows_size to fetch results per chunk.
- pg_convert/pg_insert/pg_update/pg_delete: regexes are now cached.
Phar:
- Fixed bug GH-12532 (PharData created from zip has incorrect timestamp).
POSIX:
- Added POSIX_SC_CHILD_MAX and POSIX_SC_CLK_TCK constants.
- Updated posix_isatty to set the error number on file descriptors.
PSpell:
- Moved to PECL.
Random:
- Fixed bug GH-15094 (php_random_default_engine() is not C++ conforming).
- lcg_value() is now deprecated.
Readline:
- Fixed readline_info, rl_line_buffer_length/rl_len globals on update.
- Fixed bug #51558 (Shared readline build fails).
- Fixed UAF with readline_info().
Reflection:
- Implement GH-12908 (Show attribute name/class in ReflectionAttribute dump).
- Make ReflectionGenerator::getFunction() legal after generator termination.
- Added ReflectionGenerator::isClosed().
- Fixed bug GH-15718 (Segfault on ReflectionProperty::get{Hook,Hooks}() on dynamic properties).
- Fixed bug GH-15694 (ReflectionProperty::isInitialized() is incorrect for hooked properties).
- Add missing ReflectionProperty::hasHook[s]() methods.
- Add missing ReflectionProperty::isFinal() method.
- Fixed bug GH-16122 (The return value of ReflectionFunction::getNamespaceName() and ReflectionFunction::inNamespace() for closures is incorrect).
- Fixed bug GH-16162 (No ReflectionProperty::IS_VIRTUAL) (DanielEScherzer)
- Fixed the name of the second parameter of ReflectionClass::resetAsLazyGhost().
Session:
- INI settings session.sid_length and session.sid_bits_per_character are now deprecated.
- Emit warnings for non-positive values of session.gc_divisor and negative values of session.gc_probability.
- Fixed bug GH-16590 (UAF in session_encode()).
SimpleXML:
- Fix signature of simplexml_import_dom().
SNMP:
- Removed the deprecated inet_ntoa call support.
SOAP:
- Add support for clark notation for namespaces in class map.
- Mitigate #51561 (SoapServer with an extended class and using sessions, lost the setPersistence()).
- Fixed bug #49278 (SoapClient::__getLastResponseHeaders returns NULL if wsdl operation !has output).
- Fixed bug #44383 (PHP DateTime not converted to xsd:datetime).
- Fixed bug GH-11941 (soap with session persistence will silently fail when "session" built as a shared object).
- Passing an int to SoapServer::addFunction() is now deprecated. If all PHP functions need to be provided flatten the array returned by get_defined_functions().
- The SOAP_FUNCTIONS_ALL constant is now deprecated.
- Fixed bug #61525 (SOAP functions require at least one space after HTTP header colon).
- Implement request #47317 (SoapServer::__getLastResponse()).
Sockets:
- Removed the deprecated inet_ntoa call support.
- Added the SO_EXCLUSIVEADDRUSE Windows constant.
- Added the SOCK_CONN_DGRAM/SOCK_DCCP NetBSD constants.
- Added multicast group support for IPv4 on FreeBSD.
- Added the TCP_SYNCNT constant for Linux to set number of attempts to send SYN packets from the client.
- Added the SO_EXCLBIND constant for exclusive socket binding on illumos/solaris.
- Updated the socket_create_listen backlog argument default value to SOMAXCONN.
- Added the SO_NOSIGPIPE constant to control the generation of SIGPIPE for macOS and FreeBSD.
- Added SO_LINGER_SEC for macOS, true equivalent of SO_LINGER in other platforms.
- Add close-on-exec on socket created with socket_accept on unixes.
- Added IP_PORTRANGE* constants for BSD systems to control ephemeral port ranges.
- Added SOCK_NONBLOCK/SOCK_CLOEXEC constants for socket_create and socket_create_pair to apply O_NONBLOCK/O_CLOEXEC flags to the newly created sockets.
- Added SO_BINDTOIFINDEX to bind a socket to an interface index.
Sodium:
- Add support for AEGIS-128L and AEGIS-256.
- Enable AES-GCM on aarch64 with the ARM crypto extensions.
SPL:
- Implement SeekableIterator for SplObjectStorage.
- The SplFixedArray::__wakeup() method has been deprecated as it implements __serialize() and __unserialize() which need to be overwritten instead.
- Passing a non-empty string for the $escape parameter of SplFileObject::setCsvControl(), SplFileObject::fputcsv(), and SplFileObject::fgetcsv() is now deprecated.
Standard:
- Implement GH-12188 (Indication for the int size in phpinfo()).
- Partly fix GH-12143 (Incorrect round() result for 0.49999999999999994).
- Fix GH-12252 (round(): Validate the rounding mode).
- Increase the default BCrypt cost to 12.
- Fixed bug GH-12592 (strcspn() odd behaviour with NUL bytes and empty mask).
- Removed the deprecated inet_ntoa call support.
- Cast large floats that are within int range to int in number_format so the precision is not lost.
- Add support for 4 new rounding modes to the round() function.
- debug_zval_dump() now indicates whether an array is packed.
- Fix GH-12143 (Optimize round).
- Changed return type of long2ip to string from string|false.
- Fix GH-12143 (Extend the maximum precision round can handle by one digit).
- Added the http_get_last_response_headers() and http_clear_last_response_headers() functions, which allow retrieving the same content as the magic $http_response_header variable.
- Add php_base64_encode_ex() API.
- Implemented "Raising zero to the power of negative number" RFC.
- Added array_find(), array_find_key(), array_all(), and array_any().
- Change highlight_string() and print_r() return type to string|true.
- Fix references in request_parse_body() options array.
- Add RoundingMode enum.
- Unserializing the uppercase 'S' tag is now deprecated.
- Enables crc32 auxiliary detection on OpenBSD.
- Passing a non-empty string for the $escape parameter of fputcsv(), fgetcsv(), and str_getcsv() is now deprecated.
- The str_getcsv() function now throws ValueErrors when the $separator and $enclosure arguments are not one byte long, or if the $escape is not one byte long or the empty string. This aligns the behaviour to be identical to that of fputcsv() and fgetcsv().
- php_uname() now throws ValueErrors on invalid inputs.
- The "allowed_classes" option for unserialize() now throws TypeErrors and ValueErrors if it is not an array of class names.
- Implemented GH-15685 (improve proc_open error reporting on Windows).
- Add support for backed enums in http_build_query().
- Fixed bug GH-15982 (Assertion failure with array_find when references are involved).
- Fixed parameter names of fpow() to be identical to pow().
Streams:
- Implemented GH-15155 (Stream context is lost when custom stream wrapper is being filtered).
Tidy:
- Failures in the constructor now throw exceptions rather than emitting warnings and having a broken object.
- Add tidyNode::getNextSibling() and tidyNode::getPreviousSibling().
Windows:
- Update the icon of the Windows executables, e.g. php.exe.
- Fixed bug GH-16199 (GREP_HEADER() is broken).
XML:
- Added XML_OPTION_PARSE_HUGE parser option.
- Fixed bug #81481 (xml_get_current_byte_index limited to 32-bit numbers on 64-bit builds).
- The xml_set_object() function has been deprecated.
- Passing non-callable strings to the xml_set_*_handler() functions is now deprecated.
XMLReader:
- Declares class constant types.
- Add XMLReader::fromStream(), XMLReader::fromUri(), XMLReader::fromString().
- Fixed bug GH-15123 (var_dump doesn't actually work on XMLReader).
XMLWriter:
- Add XMLWriter::toStream(), XMLWriter::toUri(), XMLWriter::toMemory().
XSL:
- Implement request #64137 (XSLTProcessor::setParameter() should allow both quotes to be used).
- Implemented "Improve callbacks in ext/dom and ext/xsl" RFC.
- Added XSLTProcessor::$maxTemplateDepth and XSLTProcessor::$maxTemplateVars.
- Fix trampoline leak in xpath callables.
Zip:
- Added ZipArchive::ER_TRUNCATED_ZIP, which was added in libzip 1.11.
php-8.3.14
CLI:
- Fixed bug GH-16373 (Shebang is not skipped for router script in cli-server started through shebang).
- Fixed bug GHSA-4w77-75f9-2c8w (Heap-Use-After-Free in sapi_read_post_data Processing in CLI SAPI Interface).
COM:
- Fixed out of bound writes to SafeArray data.
Core:
- Fixed bug GH-16168 (php 8.1 and earlier crash immediately when compiled with Xcode 16 clang on macOS 15).
- Fixed bug GH-16371 (Assertion failure in Zend/zend_weakrefs.c:646).
- Fixed bug GH-16515 (Incorrect propagation of ZEND_ACC_RETURN_REFERENCE for call trampoline).
- Fixed bug GH-16509 (Incorrect line number in function redeclaration error).
- Fixed bug GH-16508 (Incorrect line number in inheritance errors of delayed early bound classes).
- Fixed bug GH-16648 (Use-after-free during array sorting).
Curl:
- Fixed bug GH-16302 (CurlMultiHandle holds a reference to CurlHandle if curl_multi_add_handle fails).
Date:
- Fixed bug GH-16454 (Unhandled INF in date_sunset() with tiny $utcOffset).
- Fixed bug GH-14732 (date_sun_info() fails for non-finite values).
DBA:
- Fixed bug GH-16390 (dba_open() can segfault for "pathless" streams).
DOM:
- Fixed bug GH-16316 (DOMXPath breaks when not initialized properly).
- Add missing hierarchy checks to replaceChild.
- Fixed bug GH-16336 (Attribute intern document mismanagement).
- Fixed bug GH-16338 (Null-dereference in ext/dom/node.c).
- Fixed bug GH-16473 (dom_import_simplexml stub is wrong).
- Fixed bug GH-16533 (Segfault when adding attribute to parent that is not an element).
- Fixed bug GH-16535 (UAF when using document as a child).
- Fixed bug GH-16593 (Assertion failure in DOM->replaceChild).
- Fixed bug GH-16595 (Another UAF in DOM -> cloneNode).
EXIF:
- Fixed bug GH-16409 (Segfault in exif_thumbnail when not dealing with a real file).
FFI:
- Fixed bug GH-16397 (Segmentation fault when comparing FFI object).
Filter:
- Fixed bug GH-16523 (FILTER_FLAG_HOSTNAME accepts ending hyphen).
FPM:
- Fixed bug GH-16628 (FPM logs are getting corrupted with this log statement).
GD:
- Fixed bug GH-16334 (imageaffine overflow on matrix elements).
- Fixed bug GH-16427 (Unchecked libavif return values).
- Fixed bug GH-16559 (UBSan abort in ext/gd/libgd/gd_interpolation.c:1007).
GMP:
- Fixed floating point exception bug with gmp_pow when using large exponent values. (David Carlier)
- Fixed bug GH-16411 (gmp_export() can cause overflow).
- Fixed bug GH-16501 (gmp_random_bits() can cause overflow).
- Fixed gmp_pow() overflow bug with large base/exponents.
- Fixed segfaults and other issues related to operator overloading with GMP objects.
LDAP:
- Fixed bug GHSA-g665-fm4p-vhff (OOB access in ldap_escape). (CVE-2024-8932)
MBstring:
- Fixed bug GH-16361 (mb_substr overflow on start/length arguments).
MySQLnd:
- Fixed bug GHSA-h35g-vwh6-m678 (Leak partial content of the heap through heap buffer over-read). (CVE-2024-8929)
Opcache:
- Fixed bug GH-16408 (Array to string conversion warning emitted in optimizer).
OpenSSL:
- Fixed bug GH-16357 (openssl may modify member types of certificate arrays).
- Fixed bug GH-16433 (Large values for openssl_csr_sign() $days overflow).
- Fix various memory leaks on error conditions in openssl_x509_parse().
PDO DBLIB:
- Fixed bug GHSA-5hqh-c84r-qjcv (Integer overflow in the dblib quoter causing OOB writes). (CVE-2024-11236)
PDO Firebird:
- Fixed bug GHSA-5hqh-c84r-qjcv (Integer overflow in the firebird quoter causing OOB writes). (CVE-2024-11236)
PDO ODBC:
- Fixed bug GH-16450 (PDO_ODBC can inject garbage into field values).
Phar:
- Fixed bug GH-16406 (Assertion failure in ext/phar/phar.c:2808).
PHPDBG:
- Fixed bug GH-16174 (Empty string is an invalid expression for ev).
Reflection:
- Fixed bug GH-16601 (Memory leak in Reflection constructors).
Session:
- Fixed bug GH-16385 (Unexpected null returned by session_set_cookie_params).
- Fixed bug GH-16290 (overflow on cookie_lifetime ini value).
SOAP:
- Fixed bug GH-16318 (Recursive array segfaults soap encoding).
- Fixed bug GH-16429 (Segmentation fault access null pointer in SoapClient).
Sockets:
- Fixed bug with overflow socket_recvfrom $length argument.
SPL:
- Fixed bug GH-16337 (Use-after-free in SplHeap).
- Fixed bug GH-16464 (Use-after-free in SplDoublyLinkedList::offsetSet()).
- Fixed bug GH-16479 (Use-after-free in SplObjectStorage::setInfo()).
- Fixed bug GH-16478 (Use-after-free in SplFixedArray::unset()).
- Fixed bug GH-16588 (UAF in Observer->serialize).
- Fix GH-16477 (Segmentation fault when calling __debugInfo() after failed SplFileObject::__constructor).
- Fixed bug GH-16589 (UAF in SplDoublyLinked->serialize()).
- Fixed bug GH-14687 (segfault on SplObjectIterator instance).
- Fixed bug GH-16604 (Memory leaks in SPL constructors).
- Fixed bug GH-16646 (UAF in ArrayObject::unset() and ArrayObject::exchangeArray()).
Standard:
- Fixed bug GH-16293 (Failed assertion when throwing in assert() callback with bail enabled).
Streams:
- Fixed bug GHSA-c5f2-jwm7-mmq2 (Configuring a proxy in a stream context might allow for CRLF injection in URIs). (CVE-2024-11234)
- Fixed bug GHSA-r977-prxv-hc43 (Single byte overread with convert.quoted-printable-decode filter). (CVE-2024-11233)
SysVMsg:
- Fixed bug GH-16592 (msg_send() crashes when a type does not properly serialize).
SysVShm:
- Fixed bug GH-16591 (Assertion error in shm_put_var).
XMLReader:
- Fixed bug GH-16292 (Segmentation fault in ext/xmlreader/php_xmlreader.c).
Zlib:
- Fixed bug GH-16326 (Memory management is broken for bad dictionaries.) (cmb)
PostgreSQL 17.2
E.1. Release 17.2:
- This release contains a few fixes from 17.1. For information about new features in major release 17, see Section E.3.
E.1.1. Migration to Version 17.2:
- A dump/restore is not required for those running 17.X. However, if you are upgrading from a version earlier than 17.1, see Section E.2.
E.1.2. Changes:
- Repair ABI break for extensions that work with struct ResultRelInfo (Tom Lane). Last week's minor releases unintentionally broke binary compatibility with timescaledb and several other extensions. Restore the affected structure to its previous size, so that such extensions need not be rebuilt.
- Restore functionality of ALTER {ROLE|DATABASE} SET role (Tom Lane, Noah Misch). The fix for CVE-2024-10978 accidentally caused settings for role to not be applied if they come from non-interactive sources, including previous ALTER {ROLE|DATABASE} commands and the PGOPTIONS environment variable.
- Fix cases where a logical replication slot's restart_lsn could go backwards (Masahiko Sawada). Previously, restarting logical replication could sometimes cause the slot's restart point to be recomputed as an older value than had previously been advertised in pg_replication_slots. This is bad, since for example WAL files might have been removed on the basis of the later restart_lsn value, in which case replication would fail to restart.
- Avoid deleting still-needed WAL files during pg_rewind (Polina Bungina, Alexander Kukushkin). Previously, in unlucky cases, it was possible for pg_rewind to remove important WAL files from the rewound demoted primary. In particular this happens if those files have been marked for archival (i.e., their .ready files were created) but not yet archived. Then the newly promoted node no longer has such files because of them having been recycled, but likely they are needed for recovery in the demoted node. If pg_rewind removes them, recovery is not possible anymore.
- Fix race conditions associated with dropping shared statistics entries (Kyotaro Horiguchi, Michael Paquier). These bugs could lead to loss of statistics data, assertion failures, or “can only drop stats once” errors.
- Count index scans in contrib/bloom indexes in the statistics views, such as the pg_stat_user_indexes.idx_scan counter (Masahiro Ikeda).
- Fix crash when checking to see if an index's opclass options have changed (Alexander Korotkov). Some forms of ALTER TABLE would fail if the table has an index with non-default operator class options.
- Avoid assertion failure caused by disconnected NFA sub-graphs in regular expression parsing (Tom Lane). This bug does not appear to have any visible consequences in non-assert builds.
Rabbitmq-server v4.0.4
RabbitMQ `4.0.4` is a maintenance release in the `4.0.x` release series.
Minimum Supported Erlang Version:
- This release requires Erlang 26 and supports Erlang versions up to `27.1.x`.
- The RabbitMQ and Erlang/OTP Compatibility Matrix has more details on Erlang version requirements for RabbitMQ.
- Nodes **will fail to start** on older Erlang releases.
Changes Worth Mentioning:
- Release notes can be found on GitHub at rabbitmq-server/release-notes.
Core Broker
Bug Fixes:
- In rare cases a quorum queue could end up without an elected leader because the chosen candidate replica was not verified for aliveness. Contributed by @Ayanda-D. GitHub issues: [#12727] [#10423] [#12701]
- Quorum queue follower replicas that have fallen behind the leader could run into an exception after installing a snapshot. GitHub issue: [#12635]
- Clusters with a large number of streams could run into confusing timeout exceptions. GitHub issue: [#12693]
- Stream members could fail to start when their data directories had externally added files, for example, metadata of certain file systems. GitHub issue: [#12688]
- Fetching metrics of AMQP 1.0 connections could fail with an exception. GitHub issue: [#12700]
- Nodes using Khepri for schema data store now follow a set of `rabbitmqctl reset` procedures better aligned with those performed by nodes still using Mnesia. GitHub issue: [#12763]
Enhancements:
- Policy changes are now periodically re-applied (only if necessary) to quorum queues. Quorum queues that did not have an online elected leader at the time of policy change would now eventually "pick up" the settings from that policy. Contributed by @LoisSotoLopez. GitHub issue: [#12667]
- Clusters with many streams and stream consumers will see a reduced per-stream CPU and network I/O footprint. GitHub issue: [#12685]
- Clusters now can optionally be tagged with key-value pairs (cluster tags). The tags will be reported by `rabbitmq-diagnostics cluster_status` and the `GET /api/overview` HTTP API endpoint. Note that the Prometheus scraper API endpoint intentionally omits them because this kind of metadata in Prometheus is considered to be deployment and not application metadata.
The tags are configured using `rabbitmq.conf`:
```ini
cluster_tags.environment = production
cluster_tags.region = us-east
cluster_tags.az = us-east-3
```
Contributed by @SimonUnge. GitHub issue: [#12552]
- Nodes now can optionally be tagged with key-value pairs (node tags). The tags will be reported by `rabbitmq-diagnostics status` and the `GET /api/overview` HTTP API endpoint. Note that the Prometheus scraper API endpoint intentionally omits them because this kind of metadata in Prometheus is considered to be deployment and not application metadata.
The tags are configured using `rabbitmq.conf`:
```ini
nodes_tags.environment = production
nodes_tags.region = us-east
nodes_tags.az = us-east-3
```
Contributed by @SimonUnge. GitHub issue: [#12703]
- When a max length limit is applied to a quorum queue with a larger backlog (e.g. millions of messages), the deletion of excess messages now carries a significantly more moderate spike in memory footprint of the queue. GitHub issue: [#12608]
CLI Tools
Bug Fixes:
- `rabbitmq-diagnostics check_if_any_deprecated_features_are_used` now takes more deprecated features into account. GitHub issue: [#12734] [#12738]
MQTT Plugin
Bug Fixes:
- A message with expiration (TTL) set, that was published by an AMQP 0-9-1 publisher, could not be converted for an MQTT consumer. GitHub issue: [#12711]
- When X.509 (TLS) certificate-based authentication was used, two keys that controlled what SAN (Subject Alternative Name) fields were used to fetch client identity did not have any effect when used in `rabbitmq.conf`. Partially contributed by @janezturk. GitHub issue: [#12618]
Prometheus Plugin and Grafana Dashboards
Bug Fixes:
- Tweaks for Grafana 11.3 compatibility. Contributed by @anhanhnguyen. GitHub issue: [#12720]
Management Plugin
Enhancements:
- The endpoint that creates bindings now uses a much smaller HTTP request body size limit by default. Unlike the definition upload endpoint that accepts large definition documents, bindings do not need the generous multi-MiB limit. Note that the default HTTP request body size limit [can be configured], for example, to reduce it across the board. GitHub issue: [#12697]
- Improved alignment of optional queue arguments on the queue declaration page. Contributed by @markus812498. GitHub issue: [#12678]
OAuth 2 Plugin
Bug Fixes:
- When configuring [multiple resource servers], `additional_scopes_key` was not taken into account, which means some scopes were not considered when making an authorization decision. Contributed by @Hathoute. GitHub issue: [#12750]
Debian Package
Enhancements:
- The package now lists Erlang 27.x as a supported series. GitHub issue: [#12603]
RPM Package
Enhancements:
- The package now lists Erlang 27.x as a supported series. GitHub issue: [#12603]
Dependency Changes:
- `osiris` was upgraded to [`1.8.4`]
Source Code Archives:
- To obtain source code of the entire distribution, please download the archive named `rabbitmq-server-4.0.4.tar.xz` instead of the source tarball produced by GitHub.
Spring-boot v3.2.12
Bug Fixes:
- Cannot package OCI image when 'docker.io/paketobuildpacks/new-relic' is provided as a buildpack [#43126]
- WebServerPortFileWriter fails when using a portfile without extension [#43115]
- SslOptions.isSpecified() only returns true if ciphers and enabled protocols are set [#43082]
- Logback logging system does not process URLs with paths not ending in .xml [#42986]
- NPE in bootBuildImage when setting DOCKER_CONTEXT=default [#42958]
- build-info doesn't support seconds since the epoch from project.build.outputTimestamp [#42922]
- X-Registry-Auth header sent to Docker Engine API contains field "authHeader" [#42910]
- NPE in OnClassCondition.resolveOutcomesThreaded following thread interruption because firstHalf is null [#41709]
- Root cause of errors is hidden when loading images from archive [#31243]
Documentation:
- Documentation for 'spring.datasource.type' is misleading [#43193]
- Update "Upgrading From" section to use "2.x" [#43123]
- Rework DataSource configuration examples to separate defining an additional DataSource and defining a DataSource of a different type [#43054]
- Link to Eclipse setup instructions [#42918]
- Update HttpWebServiceMessageSenderBuilder javadoc [#42868]
- Move default value descriptions to "description" in logging property metadata [#42848]
- Document how and where to add custom GraalVM configuration files [#42515]
- [WFLY-19891](https://issues.redhat.com/browse/WFLY-19891) Fix deadlock when application tries to invoke a timed-out timer referenced from TimerService.getTimers() within a @Timeout method. by @pferraro in #18397
- [WFLY-19909](https://issues.redhat.com/browse/WFLY-19909) Wrong routing of EJB calls in cluster by @pferraro in #18406
Component Upgrade:
- [WFLY-19927](https://issues.redhat.com/browse/WFLY-19927) Upgrade RESTEasy to 6.2.11.Final by @jamezp in #18359
- [WFLY-19928](https://issues.redhat.com/browse/WFLY-19928) Upgrade RESTEasy to 7.0.0.Alpha4 (in WildFly Preview) by @jamezp in #18359
- [WFLY-19964](https://issues.redhat.com/browse/WFLY-19964) Upgrade Netty to 4.1.115.Final by @pferraro in #18403
- [WFLY-19977](https://issues.redhat.com/browse/WFLY-19977) Upgrade wildfly-clustering to 1.1.3.Final by @pferraro in #18406