Please enjoy my harrowing tale:
I ran a scan and it popped up suggesting nghttp2.dll that is packaged with Windows PHP is vulnerable to CVE-2020-11080.
Alright, no problem, I’ll just update PHP. Ah, no, the latest one is still using nghttp2 1.40.
Okay, let’s see if PHP has addressed this themselves by building their own version. Hm, can’t find the source anywhere. When you go to PHP: internals:windows:stepbystepbuild_sdk_2 it directs you to GitHub - microsoft/php-sdk-binary-tools: Tool kit for building PHP under Windows which appears to have no releases for the past two years. If you download the latest release, you get version 1.32. That can’t be right.
Let’s see the old documentation here:
Alright if I follow this rabbit hole I get here:
https://windows.php.net/downloads/php-sdk/deps/vs16/x64/ which again has version 1.40. So the old documentation leads me to the newer dll? Cool.
Okay so this is frustrating. Where did PHP get this dll from? If I go to nghttp2 directly and get the 1.40 source and build it, my dll is different from the PHP version.
So where is PHP’s source for this dll? Is it vulnerable to the CVE? How do I know? Why hasn’t PHP upgraded it?