CVE-2022-36937: TLS 1.0 connections
We’ve just released patch releases for HHVM: 4.172.1, 4.168.2 and 4.153.4. These resolve the security issue CVE-2022-36937.
stream_socket_client (part of
the stream extension) accept URLs. When a URL starts with
these would previously allow TLS 1.0 connections.
TLS 1.0 is deprecated and considered insecure. As of these new
stream_socket_client only permit
newer TLS connections.
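One way to confirm from a packet capture that an endpoint no longer negotiates TLS 1.0 is to read the version out of the ServerHello record. This is an added example, not HHVM code: the function names are hypothetical, the sample record is constructed rather than captured, and the TLS 1.2 floor is an assumed policy value.

```python
import struct

VERSIONS = {0x0300: "SSL 3.0", 0x0301: "TLS 1.0", 0x0302: "TLS 1.1",
            0x0303: "TLS 1.2", 0x0304: "TLS 1.3"}
MIN_ALLOWED = 0x0303  # assumed policy floor (TLS 1.2); the advisory only says "newer"
SUPPORTED_VERSIONS = 43  # extension that carries the real version in TLS 1.3


def negotiated_version(record: bytes) -> int:
    """Return the protocol version a server selected in a ServerHello record."""
    if len(record) < 5:
        raise ValueError("truncated record header")
    ctype, _legacy, rlen = struct.unpack("!BHH", record[:5])
    body = record[5:5 + rlen]
    if ctype != 0x16 or len(body) != rlen or rlen < 4 or body[0] != 0x02:
        raise ValueError("not a complete ServerHello handshake record")
    hello = body[4:4 + int.from_bytes(body[1:4], "big")]
    if len(hello) < 38 or len(hello) < 38 + hello[34]:
        raise ValueError("truncated ServerHello")
    version = int.from_bytes(hello[:2], "big")
    pos = 2 + 32 + 1 + hello[34] + 2 + 1  # version, random, session id, suite, compression
    pos += 2  # extensions length field (absent in minimal older hellos)
    while pos + 4 <= len(hello):
        etype, elen = struct.unpack("!HH", hello[pos:pos + 4])
        if pos + 4 + elen > len(hello):
            raise ValueError("truncated extension")
        if etype == SUPPORTED_VERSIONS and elen == 2:
            version = int.from_bytes(hello[pos + 4:pos + 6], "big")
        pos += 4 + elen
    return version


def build_sample(legacy, selected=None):
    """Constructed ServerHello (not captured traffic); random is all zeros."""
    hello = struct.pack("!H", legacy) + bytes(32) + b"\x00" + b"\x00\x2f" + b"\x00"
    if selected is not None:
        hello += struct.pack("!HHHH", 6, SUPPORTED_VERSIONS, 2, selected)
    hs = b"\x02" + len(hello).to_bytes(3, "big") + hello
    return b"\x16" + struct.pack("!HH", min(legacy, 0x0303), len(hs)) + hs


def audit(record):
    """Return (version name, True if it meets the assumed floor)."""
    v = negotiated_version(record)
    return VERSIONS.get(v, hex(v)), v >= MIN_ALLOWED
```

A TLS 1.3 server reports 0x0303 in the legacy field and the real version in the supported_versions extension, which is why the parser walks the extensions instead of trusting the first two bytes.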