author Dik Takken <d.h.j.takken@freedom.nl> 2020-07-16 14:19:40 +0200
committer Nikita Popov <nikita.ppv@gmail.com> 2020-08-03 21:51:10 +0200
commit 691a09f291a909cba8821ef16a447a5e615dee69
tree 0419088687170f2e22b1bd56b39cea705ed4e7eb /UPGRADING
parent 44c7128fb726696a7c23ff694d1077cf0cf435d4
Bump libxml version requirement 2.7.6 => 2.9.0
Since libxml version 2.9.0 external entity loading is disabled by default. Bumping the version requirement means that XML processing in PHP is no longer vulnerable to XXE processing attacks by default.
Diffstat (limited to 'UPGRADING')
-rw-r--r-- UPGRADING 5
1 files changed, 5 insertions, 0 deletions
diff --git a/UPGRADING b/UPGRADING
index 36022bbd48..d08dcb5df4 100644
--- a/UPGRADING
+++ b/UPGRADING
@@ -984,6 +984,11 @@ PHP 8.0 UPGRADE NOTES
- PDO:
. PDOStatement now implements IteratorAggregate (instead of Traversable).
+- LibXML:
+ . The minimum required libxml version is now 2.9.0. This means that external
+ entity loading is now guaranteed to be disabled by default, and no extra
+ steps need to be taken to protect against XXE attacks.
+
- MySQLi / PDO MySQL:
. When mysqlnd is not used (which is the default and recommended option),
the minimum supported libmysqlclient version is now 5.1.
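Review bot: the last sentence of the new LibXML entry ("no extra steps need to be taken to protect against XXE attacks") claims more than "disabled by default" supports. A default only protects code that keeps it, so a script that passes LIBXML_NOENT to a loading function still gets entity substitution. Suggest qualifying the sentence, for example "no extra steps need to be taken for code that does not explicitly enable entity substitution", and naming the step that is no longer required (calls to libxml_disable_entity_loader()) so readers know what they can drop.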