In this release we’ve updated PHP to the latest versions. PHP 7.0 is updated from 7.0.27 to 7.0.28, PHP 7.1 is updated from 7.1.13 to 7.1.15 and PHP 5.6 from 5.6.33 to 5.6.34.

The most notable change is the fix for CVE-2018-7584, a stack buffer overflow that occurs while parsing an HTTP response.

In PHP through 5.6.33, 7.0.x before 7.0.28, 7.1.x through 7.1.14, and 7.2.x through 7.2.2, there is a stack-based buffer under-read while parsing an HTTP response in the php_stream_url_wrap_http_ex function in ext/standard/http_fopen_wrapper.c. This subsequently results in copying a large string.
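A version check against the affected ranges quoted above, as an added example that is not part of the original release note. The function names and the sample version strings are constructed for illustration.

```python
import re

# Affected ranges exactly as quoted in the advisory text above.
# Branch (major, minor) -> first patch release outside the affected range.
FIRST_UNAFFECTED = {(7, 0): 28, (7, 1): 15, (7, 2): 3}
LAST_AFFECTED_LEGACY = (5, 6, 33)  # "PHP through 5.6.33"

# First x.y.z triple in the text; ignores packaging suffixes such as "-0ubuntu0...".
_VERSION_RE = re.compile(r"(?<![\d.])(\d+)\.(\d+)\.(\d+)")


def parse_php_version(text):
    """Extract (major, minor, patch) from a bare version or a `php -v` banner."""
    match = _VERSION_RE.search(text)
    if not match:
        raise ValueError(f"no PHP version found in {text!r}")
    return tuple(int(part) for part in match.groups())


def is_affected(text):
    """True if the version falls inside the ranges quoted for CVE-2018-7584."""
    version = parse_php_version(text)
    if version <= LAST_AFFECTED_LEGACY:
        return True
    first_unaffected = FIRST_UNAFFECTED.get(version[:2])
    # Branches the advisory does not list (e.g. 7.3) are reported as not affected.
    return first_unaffected is not None and version[2] < first_unaffected


if __name__ == "__main__":
    # Constructed sample inputs, not taken from any real host.
    samples = [
        "PHP 7.0.27 (cli) (built: Jan  5 2018 12:00:00) ( NTS )",
        "7.0.28",
        "7.1.13",
        "7.1.15",
        "5.6.33-0+example1",
        "5.6.34",
    ]
    for sample in samples:
        status = "AFFECTED" if is_affected(sample) else "ok"
        print(f"{status:8}  {sample}")
```

Distribution packages can backport the fix without changing the upstream version number, so treat a match as a prompt to check the package changelog rather than as proof.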

The complete changelog can be reviewed here for PHP 7 and here for PHP 5.

Changes will be deployed over the course of this week.