Software 42837 Published by

Ben Ramsey has announced the release of PHP 8.1.28, which addresses three security issues. These issues include the ability to implement command injection, the bypassing of secure cookies, and a problem with the verification of passwords.



php-8.1.28

- Standard:
. Fixed bug GHSA-pc52-254m-w9w7 (Command injection via array-ish $command
parameter of proc_open). (CVE-2024-1874) (Jakub Zelenka)
. Fixed bug GHSA-wpj3-hf5j-x4v4 (__Host-/__Secure- cookie bypass due to
partial CVE-2022-31629 fix). (CVE-2024-2756) (nielsdos)
. Fixed bug GHSA-h746-cjrr-wfmr (password_verify can erroneously return true,
opening ATO risk). (CVE-2024-3096) (Jakub Zelenka)

Release php-8.1.28 · php/php-src