ZendPHP November 2024 Releases

November 24, 2024

ZendPHP Changes

PHP version 8.4.1

Community dropped some extensions from the PHP main sources, extensions are now built from PECL sources, therefore the packaging changes on Linux and IBM i:

oci8
- have different packaging names for RPM based releases, provides old package naming for backward compatibility
pdo_oci
- to be installed separately as php8.4-zend-pdo-oci (deb) / php84zend-php-pecl-pdo-oci (RPMs). Or: zendphpctl ext install [ --php 8.4 ] pdo_oci
pspell
- have different packaging names for RPM based releases, provides old package naming for backward compatibility
imap
- have different packaging names for RPM based releases, provides old package naming for backward compatibility

RPM packages rebuilt and re-released 25 Nov 2024 as 8.4.1-1.

Fixed apache libphp and litespeed SAPI build options. Original release was built as ZTS, new build is fixed to be NTS. All loadable extensions are built as non-thread-safe, therefore sapi modules built as ZTS cannot use NTS extension modules.

Community CVE Fixes

PHP version 8.3.14, 8.2.26, 8.1.31 CVE fixes

LDAP
- Fixed bug GHSA-g665-fm4p-vhff: OOB access in ldap_escape. (CVE-2024-8932)
MySQLnd
- Fixed bug GHSA-h35g-vwh6-m678: Leak partial content of the heap through heap buffer over-read. (CVE-2024-8929)
PDO DBLIB
- Fixed bug GHSA-5hqh-c84r-qjcv: Integer overflow in the dblib quoter causing OOB writes. (CVE-2024-11236)
PDO Firebird
- Fixed bug GHSA-5hqh-c84r-qjcv: Integer overflow in the firebird quoter causing OOB writes. (CVE-2024-11236)
Streams
- Fixed bug GHSA-c5f2-jwm7-mmq2: Configuring a proxy in a stream context might allow for CRLF injection in URIs. (CVE-2024-11234)
- Fixed bug GHSA-r977-prxv-hc43: Single byte overread with convert.quoted-printable-decode filter. (CVE-2024-11233)

Backported PHP CVE Fixes

PHP version 7.2.34.21, 7.3.33.13, 7.4.33.8, 8.0.30.4 CVE fixes

CLI
- Fixed bug GHSA-4w77-75f9-2c8w: Heap-Use-After-Free in sapi_read_post_data Processing in CLI SAPI Interface.
LDAP
- Fixed bug GHSA-g665-fm4p-vhff: OOB access in ldap_escape. (CVE-2024-8932)
MySQLnd
- Fixed bug GHSA-h35g-vwh6-m678: Leak partial content of the heap through heap buffer over-read. (CVE-2024-8929)
PDO DBLIB
- Fixed bug GHSA-5hqh-c84r-qjcv: Integer overflow in the dblib quoter causing OOB writes. (CVE-2024-11236)
PDO Firebird
- Fixed bug GHSA-5hqh-c84r-qjcv: Integer overflow in the firebird quoter causing OOB writes. (CVE-2024-11236)
Streams
- Fixed bug GHSA-c5f2-jwm7-mmq2: Configuring a proxy in a stream context might allow for CRLF injection in URIs. (CVE-2024-11234)
- Fixed bug GHSA-r977-prxv-hc43: Single byte overread with convert.quoted-printable-decode filter. (CVE-2024-11233)

Community Changes

PHP version 8.4.1 changes

BcMath
- [RFC] Add bcfloor, bcceil and bcround to BCMath.
- Improve performance.
- Adjust bcround()'s $mode parameter to only accept the RoundingMode enum.
- Fixed LONG_MAX in BCMath ext.
- Fixed bcdiv() div by one.
- [RFC] Support object types in BCMath.
- bcpow() performance improvement.
- ext/bcmath: Check for scale overflow.
- [RFC] ext/bcmath: Added bcdivmod.
- Fix GH-15968: Avoid converting objects to strings in operator calculations.
- Fixed bug GH-16265: Added early return case when result is 0.
- Fixed bug GH-16262: Fixed a bug where size_t underflows.
- Fixed GH-16236: Fixed a bug in BcMath\Number::pow() and bcpow() when raising negative powers of 0
Core
- Added zend_call_stack_get implementation for NetBSD, DragonFlyBSD, Solaris and Haiku.
- Enabled ifunc checks on FreeBSD from the 12.x releases.
- Changed the type of PHP_DEBUG and PHP_ZTS constants to bool.
- Fixed bug GH-13142: Undefined variable name is shortened when contains \0.
- Fixed bug GH-13178: Iterator positions incorrect when converting packed array to hashed.
- Fixed zend fiber build for solaris default mode (32 bits).
- Fixed zend call stack size for macOs/arm64.
- Added support for Zend Max Execution Timers on FreeBSD.
- Ensure fiber stack is not backed by THP.
- Implement GH-13609: Dump wrapped object in WeakReference class.
- Added sparc64 arch assembly support for zend fiber.
- Fixed GH-13581 no space available for TLS on NetBSD.
- Added fiber Sys-V loongarch64 support.
- Adjusted closure names to include the parent function's name.
- Improve randomness of uploaded file names and files created by tempnam().
- Added gc and shutdown callbacks to zend_mm custom handlers.
- Fixed bug GH-14650: Compute the size of pages before allocating memory.
- Fixed bug GH-11928: The --enable-re2c-cgoto doesn't add the -g flag.
- Added the #[\Deprecated] attribute.
- Fixed GH-11389: Allow suspending fibers in destructors.
- Fixed bug GH-14801: Fix build for armv7.
- Implemented property hooks RFC.
- Fix GH-14978: The xmlreader extension phpize build.
- Throw Error exception when encountering recursion during comparison, rather than fatal error.
- Added missing cstddef include for C++ builds.
- Updated build system scripts config.guess to 2024-07-27 and config.sub to 2024-05-27.
- Fixed bug GH-15240: Infinite recursion in trait hook.
- Fixed bug GH-15140: Missing variance check for abstract set with asymmetric type.
- Fixed bug GH-15181: Disabled output handler is flushed again.
- Passing E_USER_ERROR to trigger_error() is now deprecated.
- Fixed bug GH-15292: Dynamic AVX detection is broken for MSVC.
- Using "_" as a class name is now deprecated.
- Exiting a namespace now clears seen symbols.
- The exit (and die) language constructs now behave more like a function. They can be passed liked callables, are affected by the strict_types declare statement, and now perform the usual type coercions instead of casting any non-integer value to a string. As such, passing invalid types to exit/die may now result in a TypeError being thrown.
- Fixed bug GH-15438: Hooks on constructor promoted properties without visibility are ignored.
- Fixed bug GH-15419: Missing readonly+hook incompatibility check for readonly classes.
- Fixed bug GH-15187: Various hooked object iterator issues.
- Fixed bug GH-15456: Crash in get_class_vars() on virtual properties.
- Fixed bug GH-15501: Windows HAVE_
  _H macros defined to 1 or undefined.
- Implemented asymmetric visibility for properties.
- Fixed bug GH-15644: Asymmetric visibility doesn't work with hooks.
- Implemented lazy objects RFC.
- Fixed bug GH-15686: Building shared iconv with external iconv library.
- Fixed missing error when adding asymmetric visibility to unilateral virtual property.
- Fixed bug GH-15693: Unnecessary include in main.c bloats binary.
- Fixed bug GH-15731: AllowDynamicProperties validation should error on enums.
- Fixed bug GH-16040: Use-after-free of object released in hook.
- Fixed bug GH-16026: Reuse of dtor fiber during shutdown.
- Fixed bug GH-15999: zend_std_write_property() assertion failure with lazy objects.
- Fixed bug GH-15960: Foreach edge cases with lazy objects.
- Fixed bug GH-16185: Various hooked object iterator issues.
- Fixed bug OSS-Fuzz #371445205: Heap-use-after-free in attr_free.
- Fixed missing error when adding asymmetric visibility to static properties.
- Fixed bug OSS-Fuzz #71407: Null-dereference WRITE in zend_lazy_object_clone.
- Fixed bug GH16574: Incorrect error "undefined method" messages.
- Fixed bug GH16577: EG(strtod_state).freelist leaks with opcache.preload.
- Fixed bug GH16574: Incorrect error "undefined method" messages.
- Fixed bug GH16577: EG(strtod_state).freelist leaks with opcache.preload.
- Fixed bug GH16615: Assertion failure in zend_std_read_property.
- Fixed bug GH16342: Added ReflectionProperty::isLazy().
- Fixed bug GH16725: Incorrect access check for non-hooked properties in hooked object iterator.
Curl
- Deprecated the CURLOPT_BINARYTRANSFER constant.
- Bumped required libcurl version to 7.61.0.
- Added feature_list key to the curl_version() return value.
- Added constants CURL_HTTP_VERSION_3 (libcurl 7.66) and CURL_HTTP_VERSION_3ONLY (libcurl 7.88) as options for CURLOPT_HTTP_VERSION.
- Added CURLOPT_TCP_KEEPCNT to set the number of probes to send before dropping the connection.
- Added CURLOPT_PREREQFUNCTION Curl option to set a custom callback after the connection is established but before the request is performed.
- Added CURLOPT_SERVER_RESPONSE_TIMEOUT, which was formerly known as CURLOPT_FTP_RESPONSE_TIMEOUT.
- The CURLOPT_DNS_USE_GLOBAL_CACHE option is now silently ignored.
- Added CURLOPT_DEBUGFUNCTION as a Curl option.
- Fixed bug GH16359: Crash with curl_setopt* CURLOPT_WRITEFUNCTION without null callback.
- Fixed bug GH16723: CURLMOPT_PUSHFUNCTION issues.
Date
- Added DateTime[Immutable]::createFromTimestamp.
- Added DateTime[Immutable]::[get|set]Microsecond.
- Constants SUNFUNCS_RET_TIMESTAMP, SUNFUNCS_RET_STRING, and SUNFUNCS_RET_DOUBLE are now deprecated.
- Fixed bug GH13773: DatePeriod not taking into account microseconds for end date.
DBA
- Passing null or false to dba_key_split() is deprecated.
Debugging
- Fixed bug GH15923: GDB: Python Exception : exceptions must derive from BaseException.
DOM
- Added DOMNode::compareDocumentPosition()
- Implemented #53655: Improve speed of DOMNode::C14N() on large XML documents.
- Fixed cloning attribute with namespace disappearing namespace.
- Implemented DOM HTML5 parsing and serialization RFC.
- Fixed DOMElement->prefix with empty string creating bogus prefix.
- Handled OOM more consistently.
- Implemented "Improve callbacks in ext/dom and ext/xsl" RFC.
- Added DOMXPath::quote() static method.
- Implemented opt-in ext/dom spec compliance RFC.
- Fixed bug #79701: getElementById does not correctly work with duplicate definitions.
- Implemented "New extdom features in PHP 8.4" RFC.
- Fixed bug GH14698: Segfault on DOM node dereference.
- Improved support for template elements.
- Fixed trampoline leak in XPath callables.
- Throws instead of silently failing when creating a too long text node in (DOM)ParentNode and (DOM)ChildNode.
- Fixed bug GH15192: Segmentation fault in DOM extension (html5_serializer).
- Deprecated DOM_PHP_ERR constant.
- Removed DOMImplementation::getFeature().
- Fixed bug GH15331: Element::$substitutedNodeValue test failed.
- Fixed bug GH15570: Segmentation fault (access null pointer) in ext/dom/html5_serializer.c.
- Fixed bug GH13988: Storing DOMElement consumes 4 times more memory in PHP 8.1 than in PHP 8.0.
- Fixed XML serializer errata: xmlns="" serialization should be allowed.
- Fixed bug GH15910: Assertion failure in ext/dom/element.c.
- Fixed unsetting of DOM properties.
- Fixed bug GH16190: Using reflection to call Dom\Node::__construct causes assertion failure.
- Fixed edge case in DOM parsing decoding.
- Fixed bug GH16465: Heap buffer overflow in DOMNode->getElementByTagName.
- Fixed bug GH16594: Assertion failure in DOM > before.
Fileinfo
- Updated to libmagic 5.45.
- Fixed bug #65106: PHP fails to compile ext/fileinfo.
FPM
- Implemented GH12385: Flush headers without body when calling flush().
- Added DragonFlyBSD system to the list which sets FPM_BACKLOG_DEFAULT to SOMAXCONN.
- /dev/poll events.mechanism for Solaris/Illumos setting has been retired.
- Added memory peak to the scoreboard/status page.
FTP
- Removed the deprecated inet_ntoa call support.
- Fixed bug #63937: Upload speed 10 times slower with PHP.
GD
- Fixed parameter numbers and missing alpha check for imagecolorset().
- imagepng, imagejpeg, imagewep, and imageavif now throw an exception on invalid quality parameter.
- Checked overflow/underflow for imagescale and imagefilter.
- Added gdImageClone to bundled libgd.
Gettext
- bind_textdomain_codeset, textdomain, and d(*)gettext functions now throw an exception on empty domain.
GMP
- The GMP class is now final and cannot be extended anymore.
- RFC: Changed GMP bool cast behavior.
Hash
- Changed return type of hash_update() to true.
- Added HashContext::__debugInfo().
IMAP
- Moved to PECL.
Intl
- Added IntlDateFormatter::PATTERN constant.
- Fixed Numberformatter::__construct when the locale is invalid, now throws an exception.
- Added NumberFormatter::ROUND_TOWARD_ZERO and ::ROUND_AWAY_FROM_ZERO as aliases for ::ROUND_DOWN and ::ROUND_UP.
- Added NumberFormatter::ROUND_HALFODD.
- Added PROPERTY_IDS_UNARY_OPERATOR, PROPERTY_ID_COMPAT_MATH_START, and PROPERTY_ID_COMPAT_MATH_CONTINUE constants.
- Added IntlDateFormatter::getIanaID/intltz_get_iana_id method/function.
- Set to C++17 standard for ICU 74 and onwards.
- resourcebundle_get(), ResourceBundle::get(), and accessing offsets on a ResourceBundle object now throw:
  - TypeError for invalid offset types.
  - ValueError for an empty string.
  - ValueError if the integer index does not fit in a signed 32-bit integer.
- ResourceBundle::get() now has a tentative return type of: ResourceBundle|array|string|int|null.
- Added the new Grapheme function grapheme_str_split.
- Added IntlDateFormatter::parseToCalendar.
- Added SpoofChecker::setAllowedChars to set Unicode character ranges.
LDAP
- Added LDAP_OPT_X_TLS_PROTOCOL_MAX/LDAP_OPT_X_TLS_PROTOCOL_TLS1_3 constants.
LibXML
- Added LIBXML_RECOVER constant.
- libxml_set_streams_context() now throws immediately on an invalid context instead of at the use site.
- Added LIBXML_NO_XXE constant.
MBString
- Added mb_trim, mb_ltrim, and mb_rtrim.
- Added mb_ucfirst and mb_lcfirst.
- Updated Unicode data tables to Unicode 15.1.
- Fixed bug GH15824: mb_detect_encoding(): Argument $encodings contains invalid encoding "UTF8".
- Updated Unicode data tables to Unicode 16.0.
Mysqli
- The mysqli_ping() function and mysqli::ping() method are now deprecated, as the reconnect feature was removed in PHP 8.2.
- The mysqli_kill() function and mysqli::kill() method are now deprecated. If this functionality is needed, a SQL "KILL" command can be used instead.
- The mysqli_refresh() function and mysqli::refresh() method are now deprecated. If this functionality is needed, a SQL "FLUSH" command can be used instead.
- Passing explicitly the $mode parameter to mysqli_store_result() has been deprecated.
- As the MYSQLI_STORE_RESULT_COPY_DATA constant was only used in conjunction with this function, it has also been deprecated.
MySQLnd
- Fixed bug GH13440: PDO quote bottleneck.
- Fixed bug GH10599: Apache crash on Windows when using a self-referencing anonymous function inside a class with an active MySQLi connection.
Opcache
- Added large shared segments support for FreeBSD.
- If JIT is enabled, PHP will now exit with a fatal error on startup in case of JIT startup initialization issues.
- Increased the maximum value of opcache.interned_strings_buffer to 32767 on 64-bit architectures.
- Fixed bug GH13834: Applying nonzero offset 36 to null pointer in zend_jit.c.
- Fixed bug GH14361: Deep recursion in zend_cfg.c causes segfault.
- Fixed bug GH14873: PHP 8.4 min function fails on typed integer.
- Fixed bug GH15490: Building of call graph modifies preloaded symbols.
- Fixed bug GH15178: Assertion in tracing JIT on hooks.
- Fixed bug GH15657: Segmentation fault in dasm_x86.h.
- Added opcache_jit_blacklist() function.
- Fixed bug GH16009: Segmentation fault with frameless functions and undefined CVs.
- Fixed bug GH16186: Assertion failure in Zend/zend_operators.c.
- Fixed bug GH16572: Incorrect result with reflection in low-trigger JIT.
- Fixed bug GH16839: Error on building Opcache JIT for Windows ARM64.
OpenSSL
- Fixed bug #80269: OpenSSL sets Subject wrong with extraattribs parameter.
- Implemented request #48520: openssl_csr_new allows multiple values in DN.
- Introduced new serial_hex parameter to openssl_csr_sign.
- Added X509_PURPOSE_OCSP_HELPER and X509_PURPOSE_TIMESTAMP_SIGN constants.
- Bumped minimum required OpenSSL version to 1.1.1.
- Added compile-time option --with-openssl-legacy-provider to enable legacy provider.
- Added support for Curve25519 + Curve448 based keys.
- Fixed bug GH13343: openssl_x509_parse should not allow omitted seconds in UTC times.
- Bumped minimum required OpenSSL version to 1.1.0.
- Implemented GH13514: PASSWORD_ARGON2 from OpenSSL 3.2.
Output
- Clear output handler status flags during handler initialization.
- Fixed bug with url_rewriter.hosts not used by output_add_rewrite_var().
PCNTL
- Added pcntl_setns for Linux.
- Added pcntl_getcpuaffinity/pcntl_setcpuaffinity.
- Updated pcntl_get_signal_handler signal ID upper limit to be more in line with platform limits.
- Added pcntl_getcpu for Linux/FreeBSD/Solaris/Illumos.
- Added pcntl_getqos_class/pcntl_setqos_class for macOS.
- Added SIGCKPT/SIGCKPTEXIT constants for DragonFlyBSD.
- Added FreeBSD's SIGTRAP handling to pcntl_siginfo_to_zval.
- Added POSIX pcntl_waitid.
- Fixed bug GH16769: pcntl_sigwaitinfo aborts on signal value as reference.
PCRE
- Upgraded bundled pcre2lib to version 10.43.
- Added /r modifier.
- Upgraded bundled pcre2lib to version 10.44.
- Fixed GH16189: Underflow on offset argument.
- Fixed UAF issues with PCRE after request shutdown.
PDO
- Fixed setAttribute and getAttribute.
- Implemented PDO driver-specific subclasses RFC.
- Added support for PDO driver-specific SQL parsers.
- Fixed bug GH14792: Compilation failure on pdo_* extensions.
- mysqlnd supports ER_CLIENT_INTERACTION_TIMEOUT.
- The internal header php_pdo_int.h is no longer installed; it is not supposed to be used by PDO drivers.
- Fixed bug GH16167: Prevent mixing PDO subclasses with different DSN.
- Fixed bug GH16314: "Pdo\Mysql object is uninitialized" when opening a persistent connection.
PDO_DBLIB
- Fixed setAttribute and getAttribute.
- Added class Pdo\DbLib.
PDO_Firebird
- Fixed setAttribute and getAttribute.
- Added transaction isolation level and mode settings to pdo_firebird.
- Added class Pdo\Firebird.
- Added Pdo\Firebird::ATTR_API_VERSION.
- Added getApiVersion() and removed it from getAttribute().
- Supported Firebird 4.0 datatypes.
- Supported proper formatting of time zone types.
- Fixed GH15604: Always make input parameters nullable.
PDO_MYSQL
- Fixed setAttribute and getAttribute.
- Added class Pdo\Mysql.
- Added custom SQL parser.
- Fixed GH15949: PDO_MySQL not properly quoting PDO_PARAM_LOB binary data.
PDO_ODBC
- Added class Pdo\Odbc.
PDO_PGSQL
- Fixed GH12423: DSN credentials being prioritized over the user/password PDO constructor arguments.
- Fixed native float support with pdo_pgsql query results.
- Added class Pdo\Pgsql.
- Retrieve the memory usage of the query result resource.
- Added Pdo\Pgsql::setNoticeCallBack method to receive DB notices.
- Added custom SQL parser.
- Fixed GH15986: Double free due to Pdo\Pgsql::setNoticeCallback().
- Fixed GH12940: Using PQclosePrepared when available instead of the DEALLOCATE command to free statement resources.
- Removed PGSQL_ATTR_RESULT_MEMORY_SIZE constant as it is provided by the new PDO subclass as Pdo\Pgsql::ATTR_RESULT_MEMORY_SIZE.
PDO_SQLITE
- Added class Pdo\Sqlite.
- Fixed bug #81227: PDO::inTransaction reports false when in a transaction.
- Added custom SQL parser.
PHPDBG
- Array out of bounds and stack overflow handled for segfault handler on Windows.
- Fixed bug GH16041: Support stack limit in phpdbg.
PGSQL
- Added the possibility to have no conditions for pg_select.
- Persistent connections support the PGSQL_CONNECT_FORCE_RENEW flag.
- Added pg_result_memory_size to get the query result memory usage.
- Added pg_change_password to alter a user's password.
- Added pg_put_copy_data/pg_put_copy_end to send COPY commands and signal the end of the COPY.
- Added pg_socket_poll to poll on the connection.
- Added pg_jit to get information on server JIT support.
- Added pg_set_chunked_rows_size to fetch results per chunk.
  -pg_convert/pg_insert/pg_update/pg_delete: Regular expressions are now cached.
Phar
- Fixed bug GH12532: PharData created from zip has incorrect timestamp.
POSIX
- Added POSIX_SC_CHILD_MAX and POSIX_SC_CLK_TCK constants.
- Updated posix_isatty to set the error number on file descriptors.
PSpell
- Moved to PECL.
Random
- Fixed bug GH15094: php_random_default_engine() is not C++ conforming.
- lcg_value() is now deprecated.
Readline
- Fixed readline_info, rl_line_buffer_length/rl_len globals on update.
- Fixed bug #51558: Shared readline build fails.
- Fixed UAF with readline_info().
Reflection
- Implement GH12908: Show attribute name/class in ReflectionAttribute dump.
- Make ReflectionGenerator::getFunction() legal after generator termination.
- Added ReflectionGenerator::isClosed().
- Fixed bug GH15718: Segfault on ReflectionProperty::get{Hook,Hooks}() on dynamic properties.
- Fixed bug GH15694: ReflectionProperty::isInitialized() is incorrect for hooked properties.
- Add missing ReflectionProperty::hasHook[s]() methods.
- Add missing ReflectionProperty::isFinal() method.
- Fixed bug GH16122: The return value of ReflectionFunction::getNamespaceName() and ReflectionFunction::inNamespace() for closures is incorrect.
- Fixed bug GH16162: No ReflectionProperty::IS_VIRTUAL.
- Fixed the name of the second parameter of ReflectionClass::resetAsLazyGhost().
Session
- INI settings session.sid_length and session.sid_bits_per_character are now deprecated.
- Emit warnings for nonpositive values of session.gc_divisor and negative values of session.gc_probability.
- Fixed bug GH16590: UAF in session_encode().
SimpleXML
- Fix signature of simplexml_import_dom().
SNMP
- Removed the deprecated inet_ntoa call support.
SOAP
- Add support for clark notation for namespaces in class map.
- Mitigate #51561: SoapServer with an extended class and using sessions lost the setPersistence().
- Fixed bug #49278: SoapClient::__getLastResponseHeaders returns NULL if WSDL operation has no output.
- Fixed bug #44383: PHP DateTime not converted to xsd:datetime.
- Fixed bug GH11941: Soap with session persistence will silently fail when "session" is built as a shared object.
- Passing an int to SoapServer::addFunction() is now deprecated. If all PHP functions need to be provided, flatten the array returned by get_defined_functions().
- The SOAP_FUNCTIONS_ALL constant is now deprecated.
- Fixed bug #61525: SOAP functions require at least one space after HTTP header colon.
- Implement request #47317: SoapServer::__getLastResponse().
Sockets
- Removed the deprecated inet_ntoa call support.
- Added the SO_EXCLUSIVEADDRUSE windows constant.
- Added the SOCK_CONN_DGRAM/SOCK_DCCP NetBSD constants.
- Added multicast group support for IPv4 on FreeBSD.
- Added the TCP_SYNCNT constant for Linux to set the number of attempts to send SYN packets from the client.
- Added the SO_EXCLBIND constant for exclusive socket binding on illumos/Solaris.
- Updated the socket_create_listen backlog argument default value to SOMAXCONN.
- Added the SO_NOSIGPIPE constant to control the generation of SIGPIPE for macOS and FreeBSD.
- Added SO_LINGER_SEC for macOS, true equivalent of SO_LINGER in other platforms.
- Added closeonexec on socket created with socket_accept on Unix.
- Added IP_PORTRANGE* constants for BSD systems to control ephemeral port ranges.
- Added SOCK_NONBLOCK/SOCK_CLOEXEC constants for socket_create and socket_create_pair to apply O_NONBLOCK/O_CLOEXEC flags to newly created sockets.
- Added SO_BINDTOIFINDEX to bind a socket to an interface index.
Sodium
- Add support for AEGIS128L and AEGIS256.
- Enable AESGCM on aarch64 with the ARM crypto extensions.
SPL
- Implement SeekableIterator for SplObjectStorage.
- The SplFixedArray::__wakeup() method has been deprecated as it implements __serialize() and __unserialize() which need to be overwritten instead.
- Passing a nonempty string for the $escape parameter of SplFileObject::setCsvControl(), SplFileObject::fputcsv(), SplFileObject::fgetcsv() is now deprecated.
Standard
- Implement GH12188: Indication for the int size in phpinfo().
- Partly fix GH12143: Incorrect round() result for 0.49999999999999994.
- Fix GH12252: round(): Validate the rounding mode.
- Increase the default BCrypt cost to 12.
- Fixed bug GH12592: strcspn() odd behavior with NUL bytes and empty mask.
- Removed the deprecated inet_ntoa call support.
- Cast large floats that are within int range to int in number_format so the precision is not lost.
- Add support for 4 new rounding modes to the round() function.
- debug_zval_dump() now indicates whether an array is packed.
- Fix GH12143: Optimize round.
- Changed return type of long2ip to string from string|false.
- Fix GH12143: Extend the maximum precision round can handle by one digit.
- Added the http_get_last_response_headers() and http_clear_last_response_headers() that allows retrieving the same content as the magic $http_response_header variable.
- Add php_base64_encode_ex() API.
- Implemented "Raising zero to the power of a negative number" RFC.
- Added array_find(), array_find_key(), array_all(), and array_any().
- Change highlight_string() and print_r() return type to string|true.
- Fix references in request_parse_body() options array.
- Add RoundingMode enum.
- Unserializing the uppercase 'S' tag is now deprecated.
- Enables crc32 auxiliary detection on OpenBSD.
- Passing a nonempty string for the $escape parameter of fputcsv(), fgetcsv(), str_getcsv() is now deprecated.
- The str_getcsv() function now throws ValueErrors when the $separator and $enclosure arguments are not one byte long, or if the $escape is not one byte long or the empty string. This aligns the behavior to be identical to that of fputcsv() and fgetcsv().
- php_uname() now throws ValueErrors on invalid inputs.
- The allowed_classes option for unserialize() now throws TypeErrors and ValueErrors if it is not an array of class names.
- Implemented GH15685: Improve proc_open error reporting on Windows.
- Add support for backed enums in http_build_query().
- Fixed bug GH15982: Assertion failure with array_find when references are involved.
- Fixed parameter names of fpow() to be identical to pow().
Streams
- Implemented GH15155: Stream context is lost when custom stream wrapper is being filtered.
Tidy
- Failures in the constructor now throw exceptions rather than emitting warnings and having a broken object.
- Add tidyNode::getNextSibling() and tidyNode::getPreviousSibling().
Windows
- Update the icon of the Windows executables, e.g. php.exe.
- Fixed bug GH16199: GREP_HEADER() is broken.
XML
- Added XML_OPTION_PARSE_HUGE parser option.
- Fixed bug #81481: xml_get_current_byte_index limited to 32bit numbers on 64bit builds.
- The xml_set_object() function has been deprecated.
- Passing noncallable strings to the xml_set_*_handler() functions is now deprecated.
XMLReader
- Declares class constant types.
- Add XMLReader::fromStream(), XMLReader::fromUri(), XMLReader::fromString().
- Fixed bug GH15123: var_dump doesn't actually work on XMLReader.
XMLWriter
- Add XMLWriter::toStream(), XMLWriter::toUri(), XMLWriter::toMemory().
XSL
- Implement request #64137: XSLTProcessor::setParameter() should allow both quotes to be used.
- Implemented "Improve callbacks in ext/dom and ext/xsl" RFC.
- Added XSLTProcessor::$maxTemplateDepth and XSLTProcessor::$maxTemplateVars.
- Fix trampoline leak in xpath callables.
Zip
- Added ZipArchive::ER_TRUNCATED_ZIP added in libzip 1.11.

Community Fixes

PHP version 8.3.14 fixes

CLI
- Fixed bug GH-16373: Shebang is not skipped for router script in cli-server started through shebang.
- Fixed bug GHSA-4w77-75f9-2c8w: Heap-Use-After-Free in sapi_read_post_data Processing in CLI SAPI Interface.
COM
- Fixed out of bound writes to SafeArray data.
Core
- Fixed bug GH-16168: php 8.1 and earlier crash immediately when compiled with Xcode 16 clang on macOS 15.
- Fixed bug GH-16371: Assertion failure in Zend/zend_weakrefs.c:646.
- Fixed bug GH-16515: Incorrect propagation of ZEND_ACC_RETURN_REFERENCE for call trampoline.
- Fixed bug GH-16509: Incorrect line number in function redeclaration error.
- Fixed bug GH-16508: Incorrect line number in inheritance errors of delayed early bound classes.
- Fixed bug GH-16648: Use-after-free during array sorting.
Curl
- Fixed bug GH-16302: CurlMultiHandle holds a reference to CurlHandle if curl_multi_add_handle fails.
Date
- Fixed bug GH-16454: Unhandled INF in date_sunset() with tiny $utcOffset.
- Fixed bug GH-14732: date_sun_info() fails for non-finite values.
DBA
- Fixed bug GH-16390: dba_open() can segfault for "pathless" streams.
DOM
- Fixed bug GH-16316: DOMXPath breaks when not initialized properly.
- Add missing hierarchy checks to replaceChild.
- Fixed bug GH-16336: Attribute intern document mismanagement.
- Fixed bug GH-16338: Null-dereference in ext/dom/node.c.
- Fixed bug GH-16473: dom_import_simplexml stub is wrong.
- Fixed bug GH-16533: Segfault when adding attribute to parent that is not an element.
- Fixed bug GH-16535: UAF when using document as a child.
- Fixed bug GH-16593: Assertion failure in DOM->replaceChild.
- Fixed bug GH-16595: Another UAF in DOM -> cloneNode.
EXIF
- Fixed bug GH-16409: Segfault in exif_thumbnail when not dealing with a real file.
FFI
- Fixed bug GH-16397: Segmentation fault when comparing FFI object.
Filter
- Fixed bug GH-16523: FILTER_FLAG_HOSTNAME accepts ending hyphen.
FPM
- Fixed bug GH-16628: FPM logs are getting corrupted with this log statement.
GD
- Fixed bug GH-16334: imageaffine overflow on matrix elements.
- Fixed bug GH-16427: Unchecked libavif return values.
- Fixed bug GH-16559: UBSan abort in ext/gd/libgd/gd_interpolation.c:1007.
GMP
- Fixed floating point exception bug with gmp_pow when using large exposant values.
- Fixed bug GH-16411: gmp_export() can cause overflow.
- Fixed bug GH-16501: gmp_random_bits() can cause overflow.
- Fixed gmp_pow() overflow bug with large base/exponents.
- Fixed segfaults and other issues related to operator overloading with GMP objects.
MBstring
- Fixed bug GH-16361: mb_substr overflow on start/length arguments.
Opcache
- Fixed bug GH-16408: Array to string conversion warning emitted in optimizer.
OpenSSL
- Fixed bug GH-16357: openssl may modify member types of certificate arrays.
- Fixed bug GH-16433: Large values for openssl_csr_sign() $days overflow.
- Fix various memory leaks on error conditions in openssl_x509_parse().
PDO ODBC
- Fixed bug GH-16450: PDO_ODBC can inject garbage into field values.
Phar
- Fixed bug GH-16406: Assertion failure in ext/phar/phar.c:2808.
PHPDBG
- Fixed bug GH-16174: Empty string is an invalid expression for ev.
Reflection
- Fixed bug GH-16601: Memory leak in Reflection constructors.
Session
- Fixed bug GH-16385: Unexpected null returned by session_set_cookie_params.
- Fixed bug GH-16290: Overflow on cookie_lifetime ini value.
SOAP
- Fixed bug GH-16318: Recursive array segfaults soap encoding.
- Fixed bug GH-16429: Segmentation fault access null pointer in SoapClient.
Sockets
- Fixed bug with overflow socket_recvfrom $length argument.
SPL
- Fixed bug GH-16337: Use-after-free in SplHeap.
- Fixed bug GH-16464: Use-after-free in SplDoublyLinkedList::offsetSet().
- Fixed bug GH-16479: Use-after-free in SplObjectStorage::setInfo().
- Fixed bug GH-16478: Use-after-free in SplFixedArray::unset().
- Fixed bug GH-16588: UAF in Observer->serialize.
- Fix GH-16477: Segmentation fault when calling __debugInfo() after failed SplFileObject::__constructor.
- Fixed bug GH-16589: UAF in SplDoublyLinked->serialize().
- Fixed bug GH-14687: Segfault on SplObjectIterator instance.
- Fixed bug GH-16604: Memory leaks in SPL constructors.
- Fixed bug GH-16646: UAF in ArrayObject::unset() and ArrayObject::exchangeArray().
Standard
- Fixed bug GH-16293: Failed assertion when throwing in assert() callback with bail enabled.
SysVMsg
- Fixed bug GH-16592: msg_send() crashes when a type does not properly serialize.
SysVShm
- Fixed bug GH-16591: Assertion error in shm_put_var.
XMLReader
- Fixed bug GH-16292: Segmentation fault in ext/xmlreader/php_xmlreader.c.
Zlib
- Fixed bug GH-16326: Memory management is broken for bad dictionaries.

PHP version 8.2.26 fixes

CLI
- Fixed bug GH-16373: Shebang is not skipped for router script in cli-server started through shebang.
- Fixed bug GHSA-4w77-75f9-2c8w: Heap-Use-After-Free in sapi_read_post_data Processing in CLI SAPI Interface.
COM
- Fixed out of bound writes to SafeArray data.
Core
- Fixed bug GH-16168: php 8.1 and earlier crash immediately when compiled with Xcode 16 clang on macOS 15.
- Fixed bug GH-16371: Assertion failure in Zend/zend_weakrefs.c:646.
- Fixed bug GH-16515: Incorrect propagation of ZEND_ACC_RETURN_REFERENCE for call trampoline.
- Fixed bug GH-16509: Incorrect line number in function redeclaration error.
- Fixed bug GH-16508: Incorrect line number in inheritance errors of delayed early bound classes.
- Fixed bug GH-16648: Use-after-free during array sorting.
Curl
- Fixed bug GH-16302: CurlMultiHandle holds a reference to CurlHandle if curl_multi_add_handle fails.
Date
- Fixed bug GH-16454: Unhandled INF in date_sunset() with tiny $utcOffset.
- Fixed bug GH-16037: Assertion failure in ext/date/php_date.c.
- Fixed bug GH-14732: date_sun_info() fails for non-finite values.
DBA
- Fixed bug GH-16390: dba_open() can segfault for "pathless" streams.
DOM
- Fixed bug GH-16316: DOMXPath breaks when not initialized properly.
- Fixed bug GH-16473: dom_import_simplexml stub is wrong.
- Fixed bug GH-16533: Segfault when adding attribute to parent that is not an element.
- Fixed bug GH-16535: UAF when using document as a child.
- Fixed bug GH-16593: Assertion failure in DOM->replaceChild.
- Fixed bug GH-16595: Another UAF in DOM -> cloneNode.
EXIF
- Fixed bug GH-16409: Segfault in exif_thumbnail when not dealing with a real file.
FFI
- Fixed bug GH-16397: Segmentation fault when comparing FFI object.
Filter
- Fixed bug GH-16523: FILTER_FLAG_HOSTNAME accepts ending hyphen.
FPM
- Fixed bug GH-16628: FPM logs are getting corrupted with this log statement.
GD
- Fixed bug GH-16334: imageaffine overflow on matrix elements.
- Fixed bug GH-16427: Unchecked libavif return values.
- Fixed bug GH-16559: UBSan abort in ext/gd/libgd/gd_interpolation.c:1007.
GMP
- Fixed floating point exception bug with gmp_pow when using large exposant values.
- Fixed bug GH-16411: gmp_export() can cause overflow.
- Fixed bug GH-16501: gmp_random_bits() can cause overflow.
- Fixed gmp_pow() overflow bug with large base/exponents.
- Fixed segfaults and other issues related to operator overloading with GMP objects.
MBstring
- Fixed bug GH-16361: mb_substr overflow on start/length arguments.
OpenSSL
- Fixed bug GH-16357: openssl may modify member types of certificate arrays.
- Fixed bug GH-16433: Large values for openssl_csr_sign() $days overflow.
- Fix various memory leaks on error conditions in openssl_x509_parse().
PDO ODBC
- Fixed bug GH-16450: PDO_ODBC can inject garbage into field values.
Phar
- Fixed bug GH-16406: Assertion failure in ext/phar/phar.c:2808.
PHPDBG
- Fixed bug GH-16174: Empty string is an invalid expression for ev.
Reflection
- Fixed bug GH-16601: Memory leak in Reflection constructors.
Session
- Fixed bug GH-16385: Unexpected null returned by session_set_cookie_params.
- Fixed bug GH-16290: Overflow on cookie_lifetime ini value.
SOAP
- Fixed bug GH-16429: Segmentation fault access null pointer in SoapClient.
Sockets
- Fixed bug with overflow socket_recvfrom $length argument.
SPL
- Fixed bug GH-16337: Use-after-free in SplHeap.
- Fixed bug GH-16464: Use-after-free in SplDoublyLinkedList::offsetSet().
- Fixed bug GH-16479: Use-after-free in SplObjectStorage::setInfo().
- Fixed bug GH-16478: Use-after-free in SplFixedArray::unset().
- Fixed bug GH-16588: UAF in Observer->serialize.
- Fix GH-16477: Segmentation fault when calling __debugInfo() after failed SplFileObject::__constructor.
- Fixed bug GH-16589: UAF in SplDoublyLinked->serialize().
- Fixed bug GH-14687: Segfault on SplObjectIterator instance.
- Fixed bug GH-16604: Memory leaks in SPL constructors.
- Fixed bug GH-16646: UAF in ArrayObject::unset() and ArrayObject::exchangeArray().
Standard
- Fixed bug GH-16293: Failed assertion when throwing in assert() callback with bail enabled.
SysVMsg
- Fixed bug GH-16592: msg_send() crashes when a type does not properly serialize.
SysVShm
- Fixed bug GH-16591: Assertion error in shm_put_var.
XMLReader
- Fixed bug GH-16292: Segmentation fault in ext/xmlreader/php_xmlreader.c.
Zlib
- Fixed bug GH-16326: Memory management is broken for bad dictionaries.

PHP version 8.1.31 fixes

CLI
- Fixed bug GHSA-4w77-75f9-2c8w: Heap-Use-After-Free in sapi_read_post_data Processing in CLI SAPI Interface.

Featured Product

ZendPHP

2025 PHP Landscape Report

ZendPHP Changes

Community CVE Fixes

Backported PHP CVE Fixes

Community Changes

Community Fixes