PHP 8.1, 8.2 and 8.3 updated to their latest patch releases

April 15, 2024

PHP 8.1.28, 8.2.18, and 8.3.6 were released on the platform. They contain the latest bug fixes and security fixes for PHP.

Updates include patches for the following CVEs (Common Vulnerabilities and Exposures):

  • CVE-2024-1874 "Command injection via array-ish $command parameter of proc_open even if bypass_shell option enabled on Windows"
  • CVE-2024-2756 "__Host-/__Secure- cookie bypass due to partial CVE-2022-31629 fix"
  • CVE-2024-3096 "password_verify can erroneously return true, opening ATO risk"
  • CVE-2024-2757 "mb_encode_mimeheader runs endlessly for some inputs" (PHP 8.3 only)

As a reminder, PHP 8.0 reached End-of-Life on 26 November 2023. For the best performance and security, Pantheon recommends running PHP 8.2 and above.