Wampserver 3.3.6
Posted by: rodd@collect.org (---.collect.org)
Date: June 21, 2024 10:48PM

Is there an ETA for Wampserver 3.3.6, using PHP 8.1.29 or 8.2?

AWS Inspector gave me the usual warnings about the new CVEs for PHP, so I updated Apache's PHP to 8.2.20, but I'm still getting the warnings.

I suspect it's due to Wampserver still using 8.1.28.

Re: Wampserver 3.3.6
Posted by: Otomatic (Moderator)
Date: June 22, 2024 08:45AM

Could you please provide the details of the AWS warnings?

---------------------------------------------------------------
Documentation Apache - Documentation PHP - Documentation MySQL - Wampserver install files & addons

Re: Wampserver 3.3.6
Posted by: jwj (101.32.44.---)
Date: June 27, 2024 04:01AM

It could be that you installed a new version of PHP, but the old one wasn't removed, and then it was scanned and triggered the warning.

Re: Wampserver 3.3.6
Posted by: rodd@collect.org (---.collect.org)
Date: July 09, 2024 05:15PM

Sorry for the delay, I didn't receive an email for your reply.

My bin/php folder only has 2 sub-folders:
- php8.1.28 for Wampserver
- php8.2.20 for Apache

Here are the AWS messages:

In PHP versions 8.1.* before 8.1.29, 8.2.* before 8.2.20, 8.3.* before 8.3.8, when using Apache and PHP-CGI on Windows, if the system is set up to use certain code pages, Windows may use "Best-Fit" behavior to replace characters in command line given to Win32 API functions. PHP CGI module may misinterpret those characters as PHP options, which may allow a malicious user to pass options to PHP binary being run, and thus reveal the source code of scripts, run arbitrary PHP code on the server, etc.

In PHP versions 8.1.* before 8.1.29, 8.2.* before 8.2.20, 8.3.* before 8.3.8, the fix for CVE-2024-1874 does not work if the command name includes trailing spaces. Original issue: when using proc_open() command with array syntax, due to insufficient escaping, if the arguments of the executed command are controlled by a malicious user, the user can supply arguments that would execute arbitrary commands in Windows shell.

In PHP versions 8.1.* before 8.1.29, 8.2.* before 8.2.20, 8.3.* before 8.3.8, due to a code logic error, filtering functions such as filter_var when validating URLs (FILTER_VALIDATE_URL) for certain types of URLs the function will result in invalid user information (username + password part of URLs) being treated as valid user information. This may lead to the downstream code accepting invalid URLs as valid and parsing them incorrectly.

The openssl_private_decrypt function in PHP, when using PKCS1 padding (OPENSSL_PKCS1_PADDING, which is the default), is vulnerable to the Marvin Attack unless it is used with an OpenSSL version that includes the changes from this pull request: [github.com] (rsa_pkcs1_implicit_rejection). These changes are part of OpenSSL 3.2 and have also been backported to stable versions of various Linux distributions, as well as to the PHP builds provided for Windows since the previous release. All distributors and builders should ensure that this version is used to prevent PHP from being vulnerable. PHP Windows builds for the versions 8.1.29, 8.2.20 and 8.3.8 and above include OpenSSL patches that fix the vulnerability.

Re: Wampserver 3.3.6
Posted by: Otomatic (Moderator)
Date: July 09, 2024 08:47PM

Hi,

With the Wampserver 3.3.6 update, PHP 8.1.29 will be installed and become the version used by Wampserver's internal scripts.

However, PHP 8.1.28 will not be removed, which you can do via Right-Click -> Tools -> Remove unused versions.

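The situation discussed in the replies above (an older PHP folder left on disk and picked up by a scanner) can be checked with a short inventory script. This is an added example, not code from Wampserver or from any poster; the `phpX.Y.Z` folder naming and the first fixed releases (8.1.29, 8.2.20, 8.3.8) come from the thread, while the function names and the temporary sample directory are constructed for illustration.

```python
import re
import tempfile
from pathlib import Path

# First fixed release per branch, as stated in the advisory text quoted in the thread.
FIRST_FIXED = {(8, 1): (8, 1, 29), (8, 2): (8, 2, 20), (8, 3): (8, 3, 8)}

# Folder naming as listed in the thread: php8.1.28, php8.2.20, ...
FOLDER_RE = re.compile(r"^php(\d+)\.(\d+)\.(\d+)$", re.IGNORECASE)


def classify(version):
    """Compare a (major, minor, patch) tuple with the first fixed release of its branch."""
    fixed = FIRST_FIXED.get(version[:2])
    if fixed is None:
        return "branch not covered by these advisories"
    return "patched" if version >= fixed else "below first fixed release"


def audit_php_dir(php_dir):
    """Return {folder name: status} for each phpX.Y.Z sub-folder of php_dir."""
    report = {}
    for entry in sorted(Path(php_dir).iterdir()):
        match = FOLDER_RE.match(entry.name)
        if entry.is_dir() and match:
            version = tuple(int(part) for part in match.groups())
            report[entry.name] = classify(version)
    return report


def demo():
    """Constructed sample: a temporary folder laid out like the bin/php listing in the thread."""
    with tempfile.TemporaryDirectory() as tmp:
        for name in ("php8.1.28", "php8.2.20"):
            (Path(tmp) / name).mkdir()
        return audit_php_dir(tmp)


if __name__ == "__main__":
    for folder, status in demo().items():
        print(f"{folder}: {status}")
```

To audit a real install, call `audit_php_dir()` with the path of the local `bin/php` folder; any folder reported as below the first fixed release will keep triggering file-based scanner findings until it is removed.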
Re: Wampserver 3.3.6
Posted by: rodd@collect.org (---.collect.org)
Date: July 09, 2024 10:58PM

Awesome, thank you.

Re: Wampserver 3.3.6
Posted by: Dragos (---.workpage.ro)
Date: July 10, 2024 07:13AM

Where can I find the 3.3.6 version/update to download?

===========================
thank you,
Dragos
===========================
I use:
windows 10 x64 bit
wampserver 3.3.6 (64bit)
php 8.3.9
mysql 9.0.1
phpmyadmin 5.2.1
apache 2.4.62
MariaDB 11.4.2

Re: Wampserver 3.3.6
Posted by: Otomatic (Moderator)
Date: July 10, 2024 08:27AM

> Where can I find the 3.3.6 version/update to download?

Nowhere to be found! It's not available yet!

In another post, I wrote that it would be available before the end of July 2024.

Re: Wampserver 3.3.6
Posted by: Dragos (---.workpage.ro)
Date: July 10, 2024 08:34AM

Thank you very much again...
