PHP microagent release notes

---

Sqreen PHP extension

[1.23.0] 2020-12-04

• PHP 8 Support for Debian and Red Hat based systems.
• Added LFI filter callback.
• Improved composer support.

[1.22.1] 2020-10-07

• Fixed HTTP tracing potentially causing malformed headers.
• Security and reliability improvements.

[1.22.0] 2020-09-17

• Added support for asynchronous tracing events.
• Introduced native callback for user tracking SDK.

[1.21.0] 2020-07-29

• Introduced tracing for HTTP services.
• New blocking page design.
• Added default daemon parameter to listen on localhost when launched by the extension.

[1.20.1] 2020-06-19

• Bug fixes on sqeen-installer.

[1.20.0] 2020-06-11

• Added support for Ubuntu Eoan and Focal.
• Support for stripping environment variables.
• Bug fixes and improvements.

[1.19.1] 2020-05-13

• Bug fixes and improvements.
• Added support for environment tokens.

[1.19.0] 2020-02-12

• Support PHP 7.4
• Fix shutdown crash on PHP 5.6/ZTS.
• Fix sqreen-installer escaping certain characters.
• Miscellaneous fixes and improvements.

[1.18.0] 2019-09-04

• Introduce support for the In-app WAF

[1.17.1] 2019-08-13

• Fix potentially uninitialized memory in track events

[1.17.0] 2019-07-10

• sqreen-installer detects and alerts if supplied token is empty or obviously invalid.
• Make agent compatible with a combination of Doctrine ORM and jms/di-extra-bundle.
• Fix an issue on install with application name that embeds punctuation characters.
• sqreen-installer detects PHP 7.3 on Apache on Debian and derivatives
• miscellaneous fixes to instrumentation of user functions (in all supported PHP versions)

[1.16.1] 2019-05-01

• Correct a warning caused when the agent look for installed.json outside of open_basedir's specification

[1.16.0] 2019-04-18

• Improve the performance of the request shutdown
• Improve the performance of attacks recording
• Better limit the time taken by CRS
• Better measure the performance impact of Sqreen

[1.15.0] 2019-03-22

• Support for organization token
• Improve SQL coverage on PostgreSQL
• Improve compatibility with the upcomming Debian Buster, and with Ubuntu 18.04 and 18.10

[1.14.0] 2019-01-22

• Support redirect_user action

[1.13.1] 2019-01-14

• Fix sqreen-installer not recognizing php 7.3 installations
• Better support for performance budget

[1.13.0] 2019-01-07

• Support Sqreen performance budget

[1.12.0] 2018-12-20

• Support performance metrics
• Hooks for connections to mysql/pgsql and callbacks for generating metrics (in order to support database discovery)

[1.11.0] 2018-12-03

• Support PHP 7.3
• Performance improvement for redirect_ip and block_ip actions

[1.10.0] 2018-10-24

• Fix segfault on restart for release builds on PHP 7/ZTS
• Do not log fatal error when blocking
• xss: read content-type in response, ignore non-html

[1.9.5] 2018-08-03

• Remove XSS false positive for reflected JavaScript variable

[1.9.4] 2018-08-01

• Support RunCloud in the installation script

[1.9.3] 2018-07-26

• Improve XSS detection

[1.9.2] 2018-06-19

• Improve block user security response behavior

[1.9.1] 2018-06-18

• Improve compatibility with NewRelic

[1.9.0] 2018-06-12

• Add support for block user security response.
• Update security responses format.

[1.8.2] 2018-06-07

• Improve PHP XSS security plugin detection

[1.8.1] 2018-05-24

• Improve PHP binary detection in the sqreen-installer script

[1.8.0] 2018-05-17

• Improve communication with the daemon
• Add support for security responses
• Improve launch_daemon behavior

[1.7.0] 2018-04-25

• Add new SDK sqreen\track
• Add a new hookpoint on the XML entity loader
• Improve compatibility with Apache 2
• Improve detection of Composer packages

[1.6.0] 2018-03-22

• Improve Alpine packaging
• Improve performance while blocking attacks on PHP FPM
• Move OWASP WAF rule in the extension to improve performances
• Launch the daemon from the extension

[1.5.6] 2018-03-16

• Improve handling of network issue

[1.5.5] 2018-03-07

• Better handling of blocked requests during php-fpm request_startup
• Add connection timeout with the daemon

[1.5.4] 2018-02-28

• Correctly handle headers without colon

[1.5.3] 2018-02-21

• Better detection of PHP in sqreen-installer
• Fix passlist with XSS detection

[1.5.2] 2018-02-17

• Fix PDO deinstrumentation on httpd-itk
• Fix warning on old glibc (<2.17)
• Fix install script on env without $PATH
• Add set_ini option in sqreen-installer

[1.5.1] 2018-02-13

• Support for debian wheezy
• Add missing build for PHP 5.4

[1.5.0] 2018-01-31

• Add support for PHP 5.3 And PHP 5.4
• Add support for libmysqlclient
• Fix error page display

[1.4.0] 2018-01-12

• Support for SDK identify

[1.3.0] 2017-12-19

• Support for PHP 7.2

[1.2.2] 2017-12-14

• Fix an issue with userland function instrumentation
• Display an error when no PHP installation found

[1.2.1] 2017-11-28

• Better handling of CPanel installation
• Fix RPM update

[1.2] 2017-11-21

• Improve XSS protection
• Improve installation on CPanel

[1.1.2] 2017-10-26

• Fix include/eval hook bug in PHP 5.5
• Correctly set sqreen-installer symlink on update

[1.1.1] 2017-10-26

• Improve XSS detection

[1.1.0] 2017-10-20

• Add support for Alpine package
• Improve SQL detection when using Doctrine

[1.0.2] 2017-10-12

• Improve XSS detection

[1.0.1] 2017-10-06

• Logging improvement

[1.0] 2017-10-06

• Fix log file permissions
• Better handling of network issues
• Fix spurious error messages

[0.12.2] 2017-10-05

• Correctly close log file after apache2 reload

[0.12.1] 2017-10-03

• Fix apache graceful restart
• Log in only one file

[0.12] 2017-09-27

• Add support for composer packages
• Add support for the protection mode
• Support for eval injection protection
• Improve performance of backtrace fetching
• Fix an issue with the PostreSQL hook
• Fix wrong metrics being sent

[0.11] 2017-09-18

• Support passlist
• Global performance improvement
• Send parsed params to the daemon
• Performance improvement on PHP processes creation
• Support for PostgreSQL

[0.10.1] 2017-09-06

• Fix Debian setup issues
• Support backtraces
• Better connection failure handling
• Fix extension version dislpay
• Do not require mysqnld anymore

[0.10] 2017-09-04

• Faster XSS protection
• Shell injection protection
• Denylist support
• Extension is not enabled on CLI
• Support for sqreen.disable option
• Remove package dependencies

[0.9] 2017-08-24

• Authentication SDK support
• Improve memory management
• Allow to use hostnames in daemon address

[0.8] 2017-08-21

• Add support for PHP 5.5 and 5.6
• Add support for ZTS
• Fix memory leaks
• Improve log management

[0.7.3] 2017-08-11

• Fix MySQL instrumentation for PDO

[0.7.2] 2017-08-08

• Improve TCP communication with the daemon

[0.7.1] 2017-08-06

• Read configuration after module initialization

[0.7] 2017-08-03

• Improve logs
• Improve memory management
• Improve reliability on agent / daemon communication
• Add the ability to dynamically update the security rules

[0.6.6] 2017-07-27

• Make build compatible with CentOS6
• Fix closing socket on module exit

[0.6.5] 2017-07-18

• Fix issue on request initialization endpoint

[0.6.4] 2017-07-17

• Fix issue on path transmitted to the daemon

[0.5]

• Fix HTTP headers read in FPM

[0.4] 2017-06-13

• Public release of the PHP agent

Sqreen daemon for PHP

[1.21.0] 2020-10-28

• Fixed bug which caused ip_header to be ignored from configuration file.
• Improved backend URL validation.
• Added support for collect_body on SDK track events.
• Improved the In-App WAF.
• Further bug fixes and improvements.

[1.20.0] 2020-09-17

• Added support for asynchronous tracing events.
• Introduced tracing for MySQL, PostgreSQL, SQLite3, Redis, MongoDB and AMQP.
• Improved the In-App WAF.

[1.19.0] 2020-07-29

• Fixed configuration file and environment loading.
• Detect backend connectivity and default to sqreen.com whenever available.
• Introduced tracing for HTTP services.
• Minor fixes and improvements.

[1.18.0] 2020-07-02

• Log file permissions to be more restrictive.
• Restrict backend URLs to known domains.
• Updated PyMiniRacer to version 0.3.0, related to CVE-2020-25489.
• Multiple other bug fixes and improvements.

[1.17.1] 2020-06-11

• Improved the In-App WAF.
• Added support for signal API.
• Improved initialization process.
• General performance improvements and bug fixes.

[1.16.0] 2020-04-10

• Improved PII scrubbing.
• Better JS garbage collection.
• Introduce the STRIP_HTTP_REFERER configuration option.
• Improvements to the In-App WAF.
• Fix the rule signature verification, related to CVE-2020-25490.
• General performance improvements and bug fixes.

[1.15.1] 2019-12-26

• Avoid sending an unexpected field in user monitoring

[1.15.0] 2019-12-18

• Multiple In-App WAF reliability and performance improvements.
• Fix an inconsistency in Security Responses enforcement.
• Improved network loop performance.

[1.14.1] 2019-10-04

• Improve support for the In-App WAF

[1.14.0] 2019-09-24

• Introduce support for the In-App WAF
• Expire old extension sessions when they have not been used for more than 10 minutes
• Multiple performance improvements

[1.13.1] 2019-08-12

• Fix an issue that could cause the agent to go in an infinite loop
• Support the improved format for attack rendering

[1.13.0] 2019-04-18

• Improve the performance of the request shutdown
• Improve the performance of attack recording
• Improve the management of an unstable link between the daemon and the extension
• Add support for Ubuntu 19.04

[1.12.0] 2019-03-22

• Support of organization token
• Configurable PII scrubbing. Learn more about this: configuration
• Improve the behaviour of the agent when our API experience difficulties
• Improve compatibility with the upcomming Debian Buster, and with Ubuntu 18.04 and 18.10
• Improve the handling of malformed IP addresses

[1.10.0] 2019-01-22

• Support redirect_user action

[1.9.2] 2019-01-17

• Support metrics on rules without daemon-side callbacks (db detection rules)

[1.9.1] 2019-01-14

• Better support for performance budget

[1.9.0] 2019-01-07

• Support Sqreen clock time overhead cap

[1.8.1] 2018-12-23

• Improve stability when blocking multiple IPs

[1.8.0] 2018-12-20

• Fix memory leaks
• Reduce number of v8 isolates instantiated (less memory usage)
• Improve performance of ip blocking
• Support performance metrics sent by the PHP extension

[1.7.0] 2018-11-20

• Improve CPU usage

[1.6.5] 2018-08-08

• Improve startup performance

[1.6.4] 2018-08-03

• Improve stability

[1.6.3] 2018-07-10

• Strip sensitive data before sending them to the BackEnd

[1.6.2] 2018-07-03

• Improve performance on high throughput application
• Fix the IP denylist for request without IP

[1.6.1] 2018-06-11

• Update security plugin signature validation algorithm.
• Update vendored dependencies.

[1.6.0] 2018-05-17

• Improve communication with the BackEnd
• Correctly forward security responses to the extension

[1.5.0] 2018-04-25

• Handle track SDK
• Minor performance improvement when executing security rules

[1.4.4] 2018-04-11

• Add IP_HEADER option to configure on which header the IP is fetch

[1.4.3] 2018-04-09

• Improve user-agent matching detection
• Improve log messages
• Make the binary compatible with prelink

[1.4.2] 2018-03-15

• Check Sqreen BackEnd connection before accepting new connections
• Read config file from /etc/default/sqreen-agent if the file exists

[1.4.1] 2018-03-12

• Improve memory usage
• Properly scale down unused processes

[1.4.0] 2018-03-05

• Improve memory usage
• Improve handling of disabled application
• Fixed file descriptor leak

[1.3.1] 2018-02-16

• Don't trigger logging code when logging is not enabled
• Don't record broken pipe error

[1.3.0] 2018-01-12

• Support for sdk identify

[1.2.3] 2018-01-11

• Properly handle SIGTERM with multiple processes

[1.2.2] 2018-01-10

• Start new process when handling lot of connections

[1.2.1] 2018-01-08

• Improve performance when handling many connections

[1.2.1] 2018-01-08

• Improve performance when handling many connection

[1.2.0] 2017-11-23

• Update the user-agent used
• Fix crash that can occurs on invalid payload
• Smaller communication payloads

[1.1.2] 2017-10-27

• Add more accurate log on error
• Display extension version on log

[1.1.1] 2017-10-26

• Remove exec requirement on /tmp

[1.1.0] 2017-10-25

• Handle backtrace fetching during rule execution

[1.0.4] 2017-10-20

• Relogin on PHP extension update

[1.0.3] 2017-10-18

• Improve performance on long parameters

[1.0.2] 2017-10-16

• Better handling of big payload
• Fix encoding issues in JS callbacks
• Improve IP address detection

[1.0.1] 2017-10-13

• Correctly handle disconnected client
• Better handling of IP address

[1.0.0] 2017-10-06

• Better handling of network issues

[0.9.3] 2017-10-05

• Correctly handle HTTP request without IP

[0.9.2] 2017-09-28

• Better detection of vulnerability discovery

[0.9.1] 2017-09-21

• Better connection failure handling

[0.9.0] 2017-09-18

• Support record of PHP traceback
• Global performance improvement

[0.8.2] 2017-09-08

• Fix rules reload behaviour

[0.8.1] 2017-09-01

• Correctly fetch the headers

[0.8.0] 2017-09-01

• Correctly record IP address
• Add passlist support
• Better handling of HTTP request
• Memory improvement
• Correctly handle systemd service

[0.7.9] 2017-08-25

• Better handling of non unicode data
• Better handling of error

[0.7.8] 2017-08-18

• Prevent leak of file descriptor

[0.7.7] 2017-08-17

• Be more resilient on socket creation

[0.7.6] 2017-08-16

• Fix memory leak

[0.7.5] 2017-08-11

• Correctly handle cargs

[0.7.4] 2017-08-10

• Better handling of package removing
• Better handling of invalid msg_pack command

[0.7.3] 2017-08-08

• Improve TCP communication with the extension

[0.7.2] 2017-08-03

• Remove unexpected logging messages

[0.7.1] 2017-08-03

• Better logging when using a proxy

[0.7.0] 2017-08-03

• Improve logging messages
• Improve communication between the agent and the extension