ZendPHP July 2025 Releases

Community Changes

PHP Version 8.4.10 Changes

  • BcMath

    • Fixed bug GH-18641: Accessing a BcMath\Number property by ref crashes.

  • Core

    • Fixed bugs GH-17711 and GH-18022: Infinite recursion on deprecated attribute evaluation
    • Fixed GH-18464: Recursion protection for deprecation constants not released on bailout.
    • Fixed GH-18695: zend_ast_export() - float number is not preserved.
    • Fix handling of references in zval_try_get_long().
    • Do not delete main chunk in zend_gc.
    • Fix compile issues with zend_alloc and some non-default options.

  • Curl

    • Fix memory leak when setting a list via curl_setopt fails.

  • Date

    • Fix leaks with multiple calls to DatePeriod iterator current().

  • DOM

    • Fixed bug GH-18744: classList works not correctly if copy HTMLElement by clone keyword.

  • FPM

    • Fixed GH-18662: fpm_get_status segfault.

  • Hash:

    • Fixed bug GH-14551: PGO build fails with xxhash.

  • Intl

    • Fix memory leak in intl_datetime_decompose() on failure.
    • Fix memory leak in locale lookup on failure.

  • ODBC

    • Fix memory leak on php_odbc_fetch_hash() failure.

  • Opcache

    • Fixed bug GH-18743: Incompatibility in Inline TLS Assembly on Alpine 3.22.

  • OpenSSL

    • Fix memory leak of X509_STORE in php_openssl_setup_verify() on failure.
    • Fixed bug #74796: Requests through http proxy set peer name.

  • PDO ODBC

    • Fix memory leak if WideCharToMultiByte() fails.

  • PDO Sqlite

    • Fixed memory leak with Pdo_Sqlite::createCollation when the callback has an incorrect return type.

  • PGSQL

    • Fix warning not being emitted when failure to cancel a query with pg_cancel_query().
    • Fixed CVE-2025-1735: pgsql extension failed to check for errors during escaping.

  • Phar

    • Add missing filter cleanups on phar failure.
    • Fixed bug GH-18642: Signed integer overflow in ext/phar fseek.

  • PHPDBG

    • Fix 'phpdbg --help' segfault on shutdown with USE_ZEND_ALLOC=0.

  • Random

    • Fix reference type confusion and leak in user random engine.

  • Readline

    • Fix memory leak when calloc() fails in php_readline_completion_cb().

  • SimpleXML

    • Fixed bug GH-18597: Heap-buffer-overflow in zend_alloc.c when assigning string with UTF-8 bytes.

  • SOAP

    • Fix memory leaks in php_http.c when call_user_function() fails.
    • Fixed CVE-2025-6491: NULL pointer dereference in SOAP extension via large XML namespace prefix.

  • Standard

    • Fixed CVE-2025-1220: Null byte termination in hostnames.

  • Tidy

    • Fix memory leak in tidy output handler on error.
    • Fix tidyOptIsReadonly deprecation, using tidyOptGetCategory.

PHP Version 8.3.23 Changes

  • Core

    • Fixed GH-18695: zend_ast_export() - float number is not preserved.
    • Do not delete main chunk in zend_gc.
    • Fix compile issues with zend_alloc and some non-default options.

  • Curl

    • Fix memory leak when setting a list via curl_setopt fails.

  • Date

    • Fix leaks with multiple calls to DatePeriod iterator current().

  • FPM

    • Fixed GH-18662: fpm_get_status segfault.

  • Hash:

    • Fixed bug GH-14551: PGO build fails with xxhash.

  • Intl

    • Fix memory leak in intl_datetime_decompose() on failure.
    • Fix memory leak in locale lookup on failure.

  • ODBC

    • Fix memory leak on php_odbc_fetch_hash() failure.

  • Opcache

    • Fixed bug GH-18743: Incompatibility in Inline TLS Assembly on Alpine 3.22.

  • OpenSSL

    • Fix memory leak of X509_STORE in php_openssl_setup_verify() on failure.
    • Fixed bug #74796: Requests through http proxy set peer name.

  • PDO ODBC

    • Fix memory leak if WideCharToMultiByte() fails.

  • PGSQL

    • Fix warning not being emitted when failure to cancel a query with pg_cancel_query().
    • Fixed CVE-2025-1735: pgsql extension failed to check for errors during escaping.

  • Phar

    • Add missing filter cleanups on phar failure.
    • Fixed bug GH-18642: Signed integer overflow in ext/phar fseek.

  • PHPDBG

    • Fix 'phpdbg --help' segfault on shutdown with USE_ZEND_ALLOC=0.

  • Random

    • Fix reference type confusion and leak in user random engine.

  • Readline

    • Fix memory leak when calloc() fails in php_readline_completion_cb().

  • SOAP

    • Fix memory leaks in php_http.c when call_user_function() fails.
    • Fixed CVE-2025-6491: NULL pointer dereference in SOAP extension via large XML namespace prefix.

  • Standard

    • Fixed CVE-2025-1220: Null byte termination in hostnames.

  • Tidy

    • Fix memory leak in tidy output handler on error.
    • Fix tidyOptIsReadonly deprecation, using tidyOptGetCategory.

Backported CVE Fixes for ZendPHP 8.2.29, 8.1.33, 8.0.30.7, 7.4.33.11, 7.3.33.17, and 7.2.34.25

  • PGSQL

    • Fixed CVE-2025-1735: pgsql extension failed to check for errors during escaping.

  • SOAP

    • Fixed CVE-2025-6491: NULL pointer dereference in SOAP extension via large XML namespace prefix.

  • Standard

    • Fixed CVE-2025-1220: Null byte termination in hostnames.