> On Tue, Jul 25, 2017 at 05:26:35PM +0200, Alex Sassmannshausen wrote: >> Hi Leo, >> >> I've just submitted a patch to update PHP to version 7.1.7, which >> resolves the CVEs. Unfortunately PHP has 4 test errors on my machine >> (but also on the previous version), so I could not fully build it >> (disabling tests results in a working version of PHP). > > I got this building with that patch: > > ===================================================================== > FAILED TEST SUMMARY > --------------------------------------------------------------------- > Test for DateTime::modify() with absolute time statements > [ext/date/tests/date-time-modify-times.phpt] > Bug #74435 (Buffer over-read into uninitialized memory) > [ext/gd/tests/bug74435.phpt] > Bug #70436: Use After Free Vulnerability in unserialize() > [ext/standard/tests/strings/bug70436.phpt] > Bug #72663: Create an Unexpected Object and Don't Invoke __wakeup() in > Deserialization [ext/standard/tests/strings/bug72663_3.phpt] > =====================================================================
OK that's what I've got too. I guess it will need some investigation… :-( Thanks for testing! Alex Leo Famulari writes: