OpenSwoole 4.12.0 is release including compatibility improvements for PHP 8.2 and new features.
There are major changes to support the upcoming official PHP 8.2 releases. OpenSwoole v4.12.0 has tested with the recent released PHP8.2RC3 on 29 September 2022.
PHP 8.2 will be released on
November 24, 2022.
Start from OpenSwoole v4.12.0, OpenSwoole server hide server token by default as a security improvement. You can enable it explicitly by:
<?php $server->set(['enable_server_token' => true]);
. New server option: enable_server_token, disable by default . Compatible with PHP 8.2 latest changes (PHP-8.2-RC3) . Fix: ignore user set encoding if it is not supported . Fix: Remove illegal http header . Fix convert double sec to long microseconds in hooked usleep by @shandyDev
. Upgrade PHP to latest versions: PHP7.4.32, PHP8.0.24, PHP8.1.11 . Drop support for PHP7.2, PHP7.3
It is recommended to upgrade to the latest PHP versions: PHP7.4.32, PHP8.0.24, PHP8.1.11.
In PHP versions 7.4.x below 7.4.28, 8.0.x below 8.0.16, and 8.1.x below 8.1.3, when using filter functions with FILTER_VALIDATE_FLOAT filter and min/max limits, if the filter fails, there is a possibility to trigger use of allocated memory after free, which can result it crashes, and potentially in overwrite of other memory chunks and RCE. This issue affects: code that uses FILTER_VALIDATE_FLOAT with min/max limits.
In PHP versions 7.4.x below 7.4.30, 8.0.x below 8.0.20, and 8.1.x below 8.1.7, when using Postgres database extension, supplying invalid parameters to the parametrized query may lead to PHP attempting to free memory using uninitialized data as pointers. This could lead to RCE vulnerability or denial of service.
In PHP versions 7.4.x below 7.4.30, 8.0.x below 8.0.20, and 8.1.x below 8.1.7, when pdo_mysql extension with mysqlnd driver, if the third party is allowed to supply host to connect to and the password for the connection, password of excessive length can trigger a buffer overflow in PHP, which can lead to a remote code execution vulnerability.
In PHP versions 8.1.x below 8.1.8, when fileinfo functions, such as finfo_buffer, due to incorrect patch applied to the third party code from libmagic, incorrect function may be used to free allocated memory, which may lead to heap corruption.
In PHP versions before 7.4.31, 8.0.24 and 8.1.11, the vulnerability enables network and same-site attackers to set a standard insecure cookie in the victim's browser which is treated as a
__Secure- cookie by PHP applications.
In PHP versions before 7.4.31, 8.0.24 and 8.1.11, the phar uncompressor code would recursively uncompress "quines" gzip files, resulting in an infinite loop.
You can upgrade to OpenSwoole v4.12.0 now:
pecl install openswoole
Or use Docker images:
docker pull openswoole/swoole:latest
Join 4,000+ others and never miss out on new tips, tutorials, and more.