Fixed bugGH-18639 (Internal class aliases can break preloading + JIT).
Fixed bugGH-18899 (JIT function crash when emitting undefined variable warning and opline is not set yet).
Fixed bugGH-14082 (Segmentation fault on unknown address 0x600000000018 in ext/opcache/jit/zend_jit.c).
Fixed bugGH-18898 (SEGV zend_jit_op_array_hot with property hooks and preloading).
OpenSSL:
Fixed bug#80770 (It is not possible to get client peer certificate with stream_socket_server).
PCNTL:
Fixed bugGH-18958 (Fatal error during shutdown after pcntl_rfork() or pcntl_forkx() with zend-max-execution-timers).
Phar:
Fix stream double free in phar.
Fix phar crash and file corruption with SplFileObject.
SOAP:
Fixed bugGH-18990, bug #81029, bug #47314 (SOAP HTTP socket not closing on object destruction).
Fix memory leak when URL parsing fails in redirect.
SPL:
Fixed bugGH-19094 (Attaching class with no Iterator implementation to MultipleIterator causes crash).
Standard:
Fix misleading errors in printf().
Fix RCN violations in array functions.
FixedGH-18976 pack() overflow with h/H format and INT_MAX repeater value.
Streams:
FixedGH-13264 (fgets() and stream_get_line() do not return false on filter fatal error).
Zip:
Fix leak when path is too long in ZipArchive::extractTo().
Version 8.4.10
BcMath:
Fixed bugGH-18641 (Accessing a BcMath\Number property by ref crashes).
Core:
Fixed bugsGH-17711 andGH-18022 (Infinite recursion on deprecated attribute evaluation) andGH-18464 (Recursion protection for deprecation constants not released on bailout).
FixedGH-18695 (zend_ast_export() - float number is not preserved).
Fix handling of references in zval_try_get_long().
Do not delete main chunk in zend_gc.
Fix compile issues with zend_alloc and some non-default options.
Curl:
Fix memory leak when setting a list via curl_setopt fails.
Date:
Fix leaks with multiple calls to DatePeriod iterator current().
DOM:
Fixed bugGH-18744 (classList works not correctly if copy HTMLElement by clone keyword).
Fix memory leak in intl_datetime_decompose() on failure.
Fix memory leak in locale lookup on failure.
Opcache:
Fixed bugGH-18743 (Incompatibility in Inline TLS Assembly on Alpine 3.22).
ODBC:
Fix memory leak on php_odbc_fetch_hash() failure.
OpenSSL:
Fix memory leak of X509_STORE in php_openssl_setup_verify() on failure.
Fixed bug#74796 (Requests through http proxy set peer name).
PGSQL:
FixedGHSA-hrwm-9436-5mv3 (pgsql extension does not check for errors during escaping). (CVE-2025-1735)
Fix warning not being emitted when failure to cancel a query with pg_cancel_query().
PDO ODBC:
Fix memory leak if WideCharToMultiByte() fails.
PDO Sqlite:
Fixed memory leak with Pdo_Sqlite::createCollation when the callback has an incorrect return type.
Phar:
Add missing filter cleanups on phar failure.
Fixed bugGH-18642 (Signed integer overflow in ext/phar fseek).
PHPDBG:
Fix 'phpdbg --help' segfault on shutdown with USE_ZEND_ALLOC=0.
Random:
Fix reference type confusion and leak in user random engine.
Readline:
Fix memory leak when calloc() fails in php_readline_completion_cb().
SimpleXML:
Fixed bugGH-18597 (Heap-buffer-overflow in zend_alloc.c when assigning string with UTF-8 bytes).
SOAP:
Fix memory leaks in php_http.c when call_user_function() fails.
FixedGHSA-453j-q27h-5p8x (NULL Pointer Dereference in PHP SOAP Extension via Large XML Namespace Prefix). (CVE-2025-6491)
Standard:
FixedGHSA-3cr5-j632-f35r (Null byte termination in hostnames). (CVE-2025-1220)
Tidy:
Fix memory leak in tidy output handler on error.
Fix tidyOptIsReadonly deprecation, using tidyOptGetCategory.
Version 8.4.8
Core:
FixedGH-18480 (array_splice with large values for offset/length arguments).
Partially fixedGH-18572 (nested object comparisons leading to stack overflow).
Fixed OSS-Fuzz #417078295.
Fixed OSS-Fuzz #418106144.
Curl:
FixedGH-18460 (curl_easy_setopt with CURLOPT_USERPWD/CURLOPT_USERNAME/ CURLOPT_PASSWORD set the Authorization header when set to NULL).
Date:
Fixed bugGH-18076 (Since PHP 8, the date_sun_info() function returns inaccurate sunrise and sunset times, but other calculated times are correct) (JiriJozif).
Fixed bugGH-18481 (date_sunrise with unexpected nan value for the offset).
DOM:
Backport lexbor/lexbor#274.
Intl:
Fix various reference issues.
LDAP:
Fixed bugGH-18529 (ldap no longer respects TLS_CACERT from ldaprc in ldap_start_tls()).
Opcache:
Fixed bugGH-18417 (Windows SHM reattachment fails when increasing memory_consumption or jit_buffer_size).
Fixed bugGH-18297 (Exception not handled when jit guard is triggered).
Fixed bugGH-18408 (Snapshotted poly_func / poly_this may be spilled).
Fixed bugGH-18567 (Preloading with internal class alias triggers assertion failure).
Fixed bugGH-18534 (FPM exit code 70 with enabled opcache and hooked properties in traits).
Fix leak of accel_globals->key.
OpenSSL:
Fix missing checks against php_set_blocking() in xp_ssl.c.
SPL:
Fixed bugGH-18421 (Integer overflow with large numbers in LimitIterator).
Standard:
Fixed bugGH-17403 (Potential deadlock when putenv fails).
Fixed bugGH-18400 (http_build_query type error is inaccurate).
Fixed bugGH-18509 (Dynamic calls to assert() ignore zend.assertions).
Windows:
Fix leak+crash with sapi_windows_set_ctrl_handler().
Zip:
Fixed bugGH-18431 (Registering ZIP progress callback twice doesn't work).
Fixed bugGH-18438 (Handling of empty data and errors in ZipArchive::addPattern).
FixGH-14978 (The xmlreader extension phpize build).
Throw Error exception when encountering recursion during comparison, rather than fatal error.
Added missing cstddef include for C++ builds.
Updated build system scripts config.guess to 2024-07-27 and config.sub to 2024-05-27.
Fixed bugGH-15240 (Infinite recursion in trait hook).
Fixed bugGH-15140 (Missing variance check for abstract set with asymmetric type).
Fixed bugGH-15181 (Disabled output handler is flushed again).
Passing E_USER_ERROR to trigger_error() is now deprecated.
Fixed bugGH-15292 (Dynamic AVX detection is broken for MSVC).
Using "_" as a class name is now deprecated.
Exiting a namespace now clears seen symbols.
The exit (and die) language constructs now behave more like a function. They can be passed liked callables, are affected by the strict_types declare statement, and now perform the usual type coercions instead of casting any non-integer value to a string. As such, passing invalid types to exit/die may now result in a TypeError being thrown.
Fixed bugGH-15438 (Hooks on constructor promoted properties without visibility are ignored).
Fixed bugGH-15419 (Missing readonly+hook incompatibility check for readonly classes).
resourcebundle_get(), ResourceBundle::get(), and accessing offsets on a ResourceBundle object now throw: - TypeError for invalid offset types - ValueError for an empty string - ValueError if the integer index does not fit in a signed 32 bit integer
ResourceBundle::get() now has a tentative return type of: ResourceBundle|array|string|int|null
Added the new Grapheme function grapheme_str_split.
Added IntlDateFormatter::parseToCalendar.
Added SpoofChecker::setAllowedChars to set unicode chars ranges.
The mysqli_ping() function and mysqli::ping() method are now deprecated, as the reconnect feature was removed in PHP 8.2.
The mysqli_kill() function and mysqli::kill() method are now deprecated. If this functionality is needed a SQL "KILL" command can be used instead.
The mysqli_refresh() function and mysqli::refresh() method are now deprecated. If this functionality is needed a SQL "FLUSH" command can be used instead.
Passing explicitly the $mode parameter to mysqli_store_result() has been deprecated. As the MYSQLI_STORE_RESULT_COPY_DATA constant was only used in conjunction with this function it has also been deprecated.
Add support for clark notation for namespaces in class map.
Mitigate #51561 (SoapServer with a extented class and using sessions, lost the setPersistence()).
Fixed bug#49278 (SoapClient::__getLastResponseHeaders returns NULL if wsdl operation !has output).
Fixed bug#44383 (PHP DateTime not converted to xsd:datetime).
Fixed bugGH-11941 (soap with session persistence will silently fail when "session" built as a shared object).
Passing an int to SoapServer::addFunction() is now deprecated. If all PHP functions need to be provided flatten the array returned by get_defined_functions().
The SOAP_FUNCTIONS_ALL constant is now deprecated.
Fixed bug#61525 (SOAP functions require at least one space after HTTP header colon).
Added the SOCK_CONN_DGRAM/SOCK_DCCP netbsd constants.
Added multicast group support for ipv4 on FreeBSD.
Added the TCP_SYNCNT constant for Linux to set number of attempts to send SYN packets from the client.
Added the SO_EXCLBIND constant for exclusive socket binding on illumos/solaris.
Updated the socket_create_listen backlog argument default value to SOMAXCONN.
Added the SO_NOSIGPIPE constant to control the generation of SIGPIPE for macOs and FreeBSD.
Added SO_LINGER_SEC for macOs, true equivalent of SO_LINGER in other platforms.
Add close-on-exec on socket created with socket_accept on unixes.
Added IP_PORTRANGE* constants for BSD systems to control ephemeral port ranges.
Added SOCK_NONBLOCK/SOCK_CLOEXEC constants for socket_create and socket_create_pair to apply O_NONBLOCK/O_CLOEXEC flags to the newly created sockets.
Added SO_BINDTOIFINDEX to bind a socket to an interface index.
Sodium:
Add support for AEGIS-128L and AEGIS-256.
Enable AES-GCM on aarch64 with the ARM crypto extensions.
SPL:
Implement SeekableIterator for SplObjectStorage.
The SplFixedArray::__wakeup() method has been deprecated as it implements __serialize() and __unserialize() which need to be overwritten instead.
Passing a non-empty string for the $escape parameter of: - SplFileObject::setCsvControl() - SplFileObject::fputcsv() - SplFileObject::fgetcsv() is now deprecated.
Standard:
ImplementGH-12188 (Indication for the int size in phpinfo()).
Partly fixGH-12143 (Incorrect round() result for 0.49999999999999994).
FixGH-12252 (round(): Validate the rounding mode).
Increase the default BCrypt cost to 12.
Fixed bugGH-12592 (strcspn() odd behaviour with NUL bytes and empty mask).
Removed the deprecated inet_ntoa call support.
Cast large floats that are within int range to int in number_format so the precision is not lost.
Add support for 4 new rounding modes to the round() function.
debug_zval_dump() now indicates whether an array is packed.
Changed return type of long2ip to string from string|false.
FixGH-12143 (Extend the maximum precision round can handle by one digit).
Added the http_get_last_response_headers() and http_clear_last_response_headers() that allows retrieving the same content as the magic $http_response_header variable.
Add php_base64_encode_ex() API.
Implemented "Raising zero to the power of negative number" RFC.
Added array_find(), array_find_key(), array_all(), and array_any().
Change highlight_string() and print_r() return type to string|true.
Fix references in request_parse_body() options array.
Add RoundingMode enum.
Unserializing the uppercase 'S' tag is now deprecated.
Enables crc32 auxiliary detection on OpenBSD.
Passing a non-empty string for the $escape parameter of: - fputcsv() - fgetcsv() - str_getcsv() is now deprecated.
The str_getcsv() function now throws ValueErrors when the $separator and $enclosure arguments are not one byte long, or if the $escape is not one byte long or the empty string. This aligns the behaviour to be identical to that of fputcsv() and fgetcsv().
php_uname() now throws ValueErrors on invalid inputs.
The "allowed_classes" option for unserialize() now throws TypeErrors and ValueErrorsif it is not anarray of class names.
ImplementedGH-15685 (improve proc_open error reporting on Windows).
Add support for backed enums in http_build_query().
Fixed bugGH-15982 (Assertion failure with array_find when references are involved).
Fixed parameter names of fpow() to be identical to pow().
Streams:
ImplementedGH-15155 (Stream context is lost when custom stream wrapper is being filtered).
Tidy:
Failures in the constructor now throw exceptions rather than emitting warnings and having a broken object.
Add tidyNode::getNextSibling() and tidyNode::getPreviousSibling().
Windows:
Update the icon of the Windows executables, e.g. php.exe.
Fixed bugGH-19577 (Avoid integer overflow when using a small offset and PHP_INT_MAX with LimitIterator).
Streams:
Remove incorrect call to zval_ptr_dtor() in user_wrapper_metadata().
Fix OSS-Fuzz #385993744.
Tidy:
FixedGH-19021 build issue with libtidy in regard of tidyOptIsReadonly deprecation and TidyInternalCategory being available later than tidyOptGetCategory.
Zip:
Fix memory leak in zip when encountering empty glob result.
Version 8.3.25
Core:
FixedGH-19169 build issue with C++17 and ZEND_STATIC_ASSERT macro.
Fixed bugGH-18581 (Coerce numeric string keys from iterators when argument unpacking).
Fixed OSS-Fuzz #434346548 (Failed assertion with throwing __toString in binary const expr).
Fixed bugGH-19305 (Operands may be being released during comparison).
Fix memory leak in intl_datetime_decompose() on failure.
Fix memory leak in locale lookup on failure.
ODBC:
Fix memory leak on php_odbc_fetch_hash() failure.
Opcache:
Fixed bugGH-18743 (Incompatibility in Inline TLS Assembly on Alpine 3.22).
OpenSSL:
Fix memory leak of X509_STORE in php_openssl_setup_verify() on failure.
Fixed bug#74796 (Requests through http proxy set peer name).
PGSQL:
FixedGHSA-hrwm-9436-5mv3 (pgsql extension does not check for errors during escaping). (CVE-2025-1735)
Fix warning not being emitted when failure to cancel a query with pg_cancel_query().
Phar:
Add missing filter cleanups on phar failure.
Fixed bugGH-18642 (Signed integer overflow in ext/phar fseek).
PHPDBG:
Fix 'phpdbg --help' segfault on shutdown with USE_ZEND_ALLOC=0.
PDO ODBC:
Fix memory leak if WideCharToMultiByte() fails.
Random:
Fix reference type confusion and leak in user random engine.
Readline:
Fix memory leak when calloc() fails in php_readline_completion_cb().
SOAP:
Fix memory leaks in php_http.c when call_user_function() fails.
FixedGHSA-453j-q27h-5p8x (NULL Pointer Dereference in PHP SOAP Extension via Large XML Namespace Prefix). (CVE-2025-6491)
Standard:
FixedGHSA-3cr5-j632-f35r (Null byte termination in hostnames). (CVE-2025-1220)
Tidy:
Fix memory leak in tidy output handler on error.
Fix tidyOptIsReadonly deprecation, using tidyOptGetCategory.
Version 8.3.22
Core:
FixedGH-18480 (array_splice with large values for offset/length arguments).
Partially fixedGH-18572 (nested object comparisons leading to stack overflow).
Fixed OSS-Fuzz #417078295.
Fixed OSS-Fuzz #418106144.
Curl:
FixedGH-18460 (curl_easy_setopt with CURLOPT_USERPWD/CURLOPT_USERNAME/ CURLOPT_PASSWORD set the Authorization header when set to NULL).
Date:
Fixed bugGH-18076 (Since PHP 8, the date_sun_info() function returns inaccurate sunrise and sunset times, but other calculated times are correct) (JiriJozif).
Fixed bugGH-18481 (date_sunrise with unexpected nan value for the offset).
Intl:
Fix various reference issues.
LDAP:
Fixed bugGH-18529 (ldap no longer respects TLS_CACERT from ldaprc in ldap_start_tls()).
Opcache:
Fixed bugGH-18417 (Windows SHM reattachment fails when increasing memory_consumption or jit_buffer_size).
Fixed bugGH-18567 (Preloading with internal class alias triggers assertion failure).
Fix leak of accel_globals->key.
OpenSSL:
Fix missing checks against php_set_blocking() in xp_ssl.c.
PDO_OCI:
Fixed bugGH-18494 (PDO OCI segfault in statement GC).
SPL:
Fixed bugGH-18421 (Integer overflow with large numbers in LimitIterator).
Standard:
Fixed bugGH-17403 (Potential deadlock when putenv fails).
Fixed bugGH-18509 (Dynamic calls to assert() ignore zend.assertions).
Windows:
Fix leak+crash with sapi_windows_set_ctrl_handler().
Zip:
Fixed bugGH-18431 (Registering ZIP progress callback twice doesn't work).
Fixed bugGH-18438 (Handling of empty data and errors in ZipArchive::addPattern).
Version 8.3.21
Core:
Fixed bugGH-18304 (Changing the properties of a DateInterval through dynamic properties triggers a SegFault).
Fixed bugGH-13970 (Incorrect validation of #[Attribute] flags type for non-compile-time expressions).
DOM:
Fix crashes when entity declaration is removed while still having entity references.
Fix references not handled correctly in C14N.
Fix crash when calling childNodes next() when iterator is exhausted.
Fix crash in ParentNode::append() when dealing with a fragment containing text nodes.
Filter:
Fixed bug GHSA-w8qr-v226-r27w (Filter bypass in filter_var FILTER_VALIDATE_URL). (CVE-2024-5458)
FPM:
Fix bugGH-14175 (Show decimal number instead of scientific notation in systemd status).
Hash:
ext/hash: Swap the checking order of `__has_builtin` and `__GNUC__` (Saki Takamachi)
Intl:
Fixed build regression on systems without C++17 compilers.
MySQLnd:
Fix bugGH-14255 (mysqli_fetch_assoc reports error from nested query).
Opcache:
Fixed bugGH-14109 (Fix accidental persisting of internal class constant in shm).
OpenSSL:
The openssl_private_decrypt function in PHP, when using PKCS1 padding (OPENSSL_PKCS1_PADDING, which is the default), is vulnerable to the Marvin Attack unless it is used with an OpenSSL version that includes the changes from this pull request: https://github.com/openssl/openssl/pull/13817 (rsa_pkcs1_implicit_rejection). These changes are part of OpenSSL 3.2 and have also been backported to stable versions of various Linux distributions, as well as to the PHP builds provided for Windows since the previous release. All distributors and builders should ensure that this version is used to prevent PHP from being vulnerable.
Standard:
Fixed bug GHSA-9fcc-425m-g385 (Bypass of CVE-2024-1874). (CVE-2024-5585)
XML:
Fixed bugGH-14124 (Segmentation fault with XML extension under certain memory limit).
XMLReader:
Fixed bugGH-14183 (XMLReader::open() can't be overridden).
Version 8.3.7
Core:
Fixed zend_call_stack build with Linux/uclibc-ng without thread support.
Fixed bugGH-13772 (Invalid execute_data->opline pointers in observer fcall handlers when JIT is enabled).
Fixed bugGH-13931 (Applying zero offset to null pointer in Zend/zend_opcode.c).
Fixed bugGH-13942 (Align the behavior of zend-max-execution-timers with other timeout implementations).
Fixed bugGH-14003 (Broken cleanup of unfinished calls with callable convert parameters).
Fixed bugGH-14013 (Erroneous dnl appended in configure).
Fixed bugGH-10232 (If autoloading occurs during constant resolution filename and lineno are identified incorrectly).
Removed the BC break on IntlDateFormatter::construct which threw an exception with an invalid locale.
JSON:
Added json_validate().
LDAP:
Deprecate calling ldap_connect() with separate hostname and port.
LibXML:
Fix compile error with -Werror=incompatible-function-pointer-types and old libxml2.
MBString:
mb_detect_encoding is better able to identify the correct encoding for Turkish text.
mb_detect_encoding's "non-strict" mode now behaves as described in the documentation. Previously, it would return false if the same byte (for example, the first byte) of the input string was invalid in all candidate encodings. More generally, it would eliminate candidate encodings from consideration when an invalid byte was seen, and if the same input byte eliminated all remaining encodings still under consideration, it would return false. On the other hand, if all candidate encodings but one were eliminated from consideration, it would return the last remaining one without regard for how many encoding errors might be encountered later in the string. This is different from the behavior described in the documentation, which says: "If strict is set to false, the closest matching encoding will be returned." (Alex Dowad)
mb_strtolower, mb_strtotitle, and mb_convert_case implement conditional casing rules for the Greek letter sigma. For mb_convert_case, conditional casing only applies to MB_CASE_LOWER and MB_CASE_TITLE modes, not to MB_CASE_LOWER_SIMPLE and MB_CASE_TITLE_SIMPLE.
mb_detect_encoding is better able to identify UTF-8 and UTF-16 strings with a byte-order mark.
mb_decode_mimeheader interprets underscores in QPrint-encoded MIME encoded words as required by RFC 2047; they are converted to spaces. Underscores must be encoded as "=5F" in such MIME encoded words.
mb_encode_mimeheader no longer drops NUL (zero) bytes when QPrint-encoding the input string. This previously caused strings in certain text encodings, especially UTF-16 and UTF-32, to be corrupted by mb_encode_mimeheader.
Implement mb_str_pad() RFC.
Fixed bugGH-11514 (PHP 8.3 build fails with --enable-mbstring enabled).
Fix use-after-free of mb_list_encodings() return value.
Fixed bugGH-11992 (utf_encodings.phpt fails on Windows 32-bit).
mysqli:
mysqli_fetch_object raises a ValueError instead of an Exception.
Opcache:
Added start, restart and force restart time to opcache's phpinfo section.
FixGH-9139: Allow FFI in opcache.preload when opcache.preload_user=root.
Made opcache.preload_user always optional in the cli and phpdbg SAPIs.
Allows W/X bits on page creation on FreeBSD despite system settings.
Added memfd api usage, on Linux, for zend_shared_alloc_create_lock() to create an abstract anonymous file for the opcache's lock.
Avoid resetting JIT counter handlers from multiple processes/threads.
Fixed COPY_TMP type inference for references.
OpenSSL:
Added OPENSSL_CMS_OLDMIMETYPE and PKCS7_NOOLDMIMETYPE contants to switch between mime content types.
FixedGH-11054: Reset OpenSSL errors when using a PEM public key.
Added support for additional EC parameters in openssl_pkey_new.
PCNTL:
SA_ONSTACK is now set for pcntl_signal.
Added SIGINFO constant.
PCRE:
Update bundled libpcre2 to 10.42.
PGSQL:
pg_fetch_object raises a ValueError instead of an Exception.
pg_cancel use thread safe PQcancel api instead.
pg_trace new PGSQL_TRACE_SUPPRESS_TIMESTAMPS/PGSQL_TRACE_REGRESS_MODE contants support.
Fixed bugGH-13970 (Incorrect validation of #[Attribute] flags type for non-compile-time expressions).
Fixed bugGH-14140 (Floating point bug in range operation on Apple Silicon hardware).
DOM:
Fix crashes when entity declaration is removed while still having entity references.
Fix references not handled correctly in C14N.
Fix crash when calling childNodes next() when iterator is exhausted.
Fix crash in ParentNode::append() when dealing with a fragment containing text nodes.
FFI:
Fixed bugGH-14215 (Cannot use FFI::load on CRLF header file with apache2handler).
Filter:
Fixed bug GHSA-w8qr-v226-r27w (Filter bypass in filter_var FILTER_VALIDATE_URL). (CVE-2024-5458)
FPM:
Fix bugGH-14175 (Show decimal number instead of scientific notation in systemd status).
Hash:
ext/hash: Swap the checking order of `__has_builtin` and `__GNUC__` (Saki Takamachi)
Intl:
Fixed build regression on systems without C++17 compilers.
Ini:
Fixed bugGH-14100 (Corrected spelling mistake in php.ini files).
MySQLnd:
Fix bugGH-14255 (mysqli_fetch_assoc reports error from nested query).
Opcache:
Fixed bugGH-14109 (Fix accidental persisting of internal class constant in shm).
OpenSSL:
The openssl_private_decrypt function in PHP, when using PKCS1 padding (OPENSSL_PKCS1_PADDING, which is the default), is vulnerable to the Marvin Attack unless it is used with an OpenSSL version that includes the changes from this pull request: https://github.com/openssl/openssl/pull/13817 (rsa_pkcs1_implicit_rejection). These changes are part of OpenSSL 3.2 and have also been backported to stable versions of various Linux distributions, as well as to the PHP builds provided for Windows since the previous release. All distributors and builders should ensure that this version is used to prevent PHP from being vulnerable.
Standard:
Fixed bug GHSA-9fcc-425m-g385 (Bypass of CVE-2024-1874). (CVE-2024-5585)
XML:
Fixed bugGH-14124 (Segmentation fault with XML extension under certain memory limit).
XMLReader:
Fixed bugGH-14183 (XMLReader::open() can't be overridden).
Version 8.2.19
Core:
Fixed bugGH-13772 (Invalid execute_data->opline pointers in observer fcall handlers when JIT is enabled).
Fixed bugGH-13931 (Applying zero offset to null pointer in Zend/zend_opcode.c).
Fixed bugGH-13942 (Align the behavior of zend-max-execution-timers with other timeout implementations).
Fixed bugGH-14003 (Broken cleanup of unfinished calls with callable convert parameters).
Fixed bugGH-14013 (Erroneous dnl appended in configure).
Fixed bugGH-10232 (If autoloading occurs during constant resolution filename and lineno are identified incorrectly).
Fixed bugGH-11600 (Can't parse time strings which include (narrow) non-breaking space characters).
Fixed bugGH-11854 (DateTime:createFromFormat stopped parsing datetime with extra space).
DOM:
Fixed bugGH-11625 (DOMElement::replaceWith() doesn't replace node with DOMDocumentFragment but just deletes node or causes wrapping <></> depending on libxml2 version).
Fileinfo:
Fixed bugGH-11298 (finfo returns wrong mime type for xz files).
FTP:
Fix context option check for "overwrite".
Fixed bugGH-10562 (Memory leak and invalid state with consecutive ftp_nb_fget).
GD:
Fix most of the external libgd test failures.
Intl:
Fix memory leak in MessageFormatter::format() on failure.
Libxml:
Fixed bug GHSA-3qrf-m4j2-pcrr (Security issue with external entity loading in XML without enabling it). (CVE-2023-3823)
Updated the mime-type table for the builtin-server.
Fixed potential overflow for the builtin server via the PHP_CLI_SERVER_WORKERS environment variable.
FixedGH-8575 by changing STDOUT, STDERR and STDIN to not close on resource destruction.
Implement built-in web server responding without body to HEAD request on a static resource.
Implement built-in web server responding with HTTP status 405 to DELETE/PUT/PATCH request on a static resource.
Fixed bugGH-9709 (Null pointer dereference with -w/-s options).
COM:
Fixed bugGH-8750 (Can not create VT_ERROR variant type).
Core:
Fixed bug#81380 (Observer may not be initialized properly).
Fixed bugGH-7771 (Fix filename/lineno of constant expressions).
Fixed bugGH-7792 (Improve class type in error messages).
Support huge pages on MacOS.
Fixed bugGH-8655 (Casting an object to array does not unwrap refcount=1 references).
Fixed bugGH-8661 (Nullsafe in coalesce triggers undefined variable warning).
Fixed bugGH-7821 andGH-8418 (Allow arbitrary const expressions in backed enums).
Fixed bugGH-8810 (Incorrect lineno in backtrace of multi-line function calls).
Optimised code path for newly created file with the stream plain wrapper.
Uses safe_perealloc instead of perealloc for the ZEND_PTR_STACK_RESIZE_IF_NEEDED to avoid possible overflows.
Reduced the memory footprint of strings returned by var_export(), json_encode(), serialize(), iconv_*(), mb_ereg*(), session_create_id(), http_build_query(), strstr(), Reflection*::__toString().
Fixed bugGHSA-h35g-vwh6-m678 (Leak partial content of the heap through heap buffer over-read). (CVE-2024-8929)
PDO DBLIB:
Fixed bugGHSA-5hqh-c84r-qjcv (Integer overflow in the dblib quoter causing OOB writes). (CVE-2024-11236)
PDO Firebird:
Fixed bugGHSA-5hqh-c84r-qjcv (Integer overflow in the firebird quoter causing OOB writes). (CVE-2024-11236)
Streams:
Fixed bugGHSA-c5f2-jwm7-mmq2 (Configuring a proxy in a stream context might allow for CRLF injection in URIs). (CVE-2024-11234)
Fixed bugGHSA-r977-prxv-hc43 (Single byte overread with convert.quoted-printable-decode filter). (CVE-2024-11233)
Version 8.1.30
CGI:
Fixed bug GHSA-p99j-rfp4-xqvq (Bypass of CVE-2024-4577, Parameter Injection Vulnerability). (CVE-2024-8926)
Fixed bug GHSA-94p6-54jq-9mwp (cgi.force_redirect configuration is bypassable due to the environment variable collision). (CVE-2024-8927)
FPM:
Fixed bug GHSA-865w-9rf3-2wh5 (Logs from childrens may be altered). (CVE-2024-9026)
SAPI:
Fixed bug GHSA-9pqp-7h25-4f32 (Erroneous parsing of multipart form data). (CVE-2024-8925)
Version 8.1.29
CGI:
Fixed bug GHSA-3qgc-jrrr-25jv (Bypass of CVE-2012-1823, Argument Injection in PHP-CGI). (CVE-2024-4577)
Filter:
Fixed bug GHSA-w8qr-v226-r27w (Filter bypass in filter_var FILTER_VALIDATE_URL). (CVE-2024-5458)
OpenSSL:
The openssl_private_decrypt function in PHP, when using PKCS1 padding (OPENSSL_PKCS1_PADDING, which is the default), is vulnerable to the Marvin Attack unless it is used with an OpenSSL version that includes the changes from this pull request: https://github.com/openssl/openssl/pull/13817 (rsa_pkcs1_implicit_rejection). These changes are part of OpenSSL 3.2 and have also been backported to stable versions of various Linux distributions, as well as to the PHP builds provided for Windows since the previous release. All distributors and builders should ensure that this version is used to prevent PHP from being vulnerable.
Standard:
Fixed bug GHSA-9fcc-425m-g385 (Bypass of CVE-2024-1874). (CVE-2024-5585)
Version 8.1.28
Standard:
Fixed bug GHSA-pc52-254m-w9w7 (Command injection via array-ish $command parameter of proc_open). (CVE-2024-1874)
Fixed bug GHSA-wpj3-hf5j-x4v4 (__Host-/__Secure- cookie bypass due to partial CVE-2022-31629 fix). (CVE-2024-2756)
Fixed bug GHSA-h746-cjrr-wfmr (password_verify can erroneously return true, opening ATO risk). (CVE-2024-3096)
Version 8.1.27
Core:
Fixed oss-fuzz #54325 (Use-after-free of name in var-var with malicious error handler).
Fixed oss-fuzz #64209 (In-place modification of filename in php_message_handler_for_zend).
Fixed bugGH-12758 /GH-12768 (Invalid opline in OOM handlers within ZEND_FUNC_GET_ARGS and ZEND_BIND_STATIC).
Fixed bugGH-11625 (DOMElement::replaceWith() doesn't replace node with DOMDocumentFragment but just deletes node or causes wrapping <></> depending on libxml2 version).
Fileinfo:
Fixed bugGH-11298 (finfo returns wrong mime type for xz files).
FTP:
Fix context option check for "overwrite".
Fixed bugGH-10562 (Memory leak and invalid state with consecutive ftp_nb_fget).
GD:
Fix most of the external libgd test failures.
Hash:
Fix use-of-uninitialized-value in hash_pbkdf2(), fix missing $options parameter in signature.
Intl:
Fix memory leak in MessageFormatter::format() on failure.
Libxml:
Fixed bug GHSA-3qrf-m4j2-pcrr (Security issue with external entity loading in XML without enabling it). (CVE-2023-3823)
Fix wrong comparison in block optimisation pass after opcode update.
Date:
Fixed bugGH-9891 (DateTime modify with unixtimestamp (@) must work like setTimestamp).
Fixed bugGH-10218 (DateTimeZone fails to parse time zones that contain the "+" character).
Fiber:
Fix assertion on stack allocation size.
FPM:
Fixed bugGH-9981 (FPM does not reset fastcgi.error_header).
Fixed bug#67244 (Wrong owner:group for listening unix socket).
Hash:
Handle exceptions from __toString in XXH3's initialization (nielsdos)
LDAP:
Fixed bugGH-10112 (LDAP\Connection::__construct() refers to ldap_create()).
MBString:
Fixed: mb_strlen (and a couple of other mbstring functions) would wrongly treat 0x80, 0xFD, 0xFE, 0xFF, and certain other byte values as the first byte of a 2-byte SJIS character.
Opcache:
Fix inverted bailout value in zend_runtime_jit() (Max Kellermann).
Fix access to uninitialized variable in accel_preload().
Fix zend_jit_find_trace() crashes.
Added missing lock for EXIT_INVALIDATE in zend_jit_trace_exit.
Phar:
Fix wrong flags check for compression method in phar_object.c (nielsdos)
PHPDBG:
Fix undefined behaviour in phpdbg_load_module_or_extension().
Fix NULL pointer dereference in phpdbg_create_conditional_breal().
FixGH-9710: phpdbg memory leaks by option "-h" (nielsdos)
Fix phpdbg segmentation fault in case of malformed input (nielsdos)
Posix:
Fix memory leak in posix_ttyname() (girgias)
Standard:
FixGH-10187 (Segfault in stripslashes() with arm64).
Fix substr_replace with slots in repl_ht being UNDEF.
TSRM:
Fixed Windows shmget() wrt. IPC_PRIVATE.
XMLWriter:
Fix missing check for xmlTextWriterEndElement (nielsdos)
Version 8.1.14
Core:
Fixed bugGH-9905 (constant() behaves inconsistent when class is undefined).
Fixed bugGH-9918 (License information for xxHash is not included in README.REDIST.BINS file).
Revert "Fixed bug#80892 (PDO::PARAM_INT is treated the same as PDO::PARAM_STR)"
Version 8.0.5
Core:
Fixed bug#75776 (Flushing streams with compression filter is broken).
Fixed bug#80811 (Function exec without $output but with $restult_code parameter crashes).
Fixed bug#80814 (threaded mod_php won't load on FreeBSD: No space available for static Thread Local Storage).
Changed PowerPC CPU registers used by Zend VM to work around GCC bug. Old registers (r28/r29) might be clobbered by _restgpr routine used for return from C function compiled with -Os.
Dba:
Fixed bug#80817 (dba_popen() may cause segfault during RSHUTDOWN).
DOM:
Fixed bug#66783 (UAF when appending DOMDocument to element).
FFI:
Fixed bug#80847 (CData structs with fields of type struct can't be passed as C function argument).
FPM:
Fixed bug#80024 (Duplication of info about inherited socket after pool removing).
FTP:
Fixed bug#80880 (SSL_read on shutdown, ftp/proc_open).
IMAP:
Fixed bug#80800 (imap_open() fails when the flags parameter includes CL_EXPUNGE).
