Debian 10225 Published by

Ondřej Surý has released PHP 5.6.40-63, 7.0.33-63, 7.1.33-50, 7.2.34-35, and 7.3.33-7 packages for Debian GNU/Linux 10 and 11 with security backports from PHP 7.4 as well PHP 7.4.32, 8.0.24, 8.1.11, and 8.2.0 RC3 packages.





To add the repository:
#!/bin/bash # To add this repository please do:

if [ "$(whoami)" != "root" ]; then
SUDO=sudo
fi

${SUDO} apt-get -y install apt-transport-https lsb-release ca-certificates curl
${SUDO} wget -O /etc/apt/trusted.gpg.d/php.gpg https://packages.sury.org/php/apt.gpg
${SUDO} sh -c 'echo "deb https://packages.sury.org/php/ $(lsb_release -sc) main" > /etc/apt/sources.list.d/php.list'
${SUDO} apt-get update
PHP 8.2.0-rc3 for Debian 10

PHP Packages
Issues Tracker

PHP 5.6.40-63, 7.0.33-63, 7.1.33-50, 7.2.34-35, 7.3.33-7

* Backported from 7.4.31
CVE-2022-31628: phar wrapper: DOS when using quine gzip file.
CVE-2022-31629: Don't mangle HTTP variable names that clash with ones that have a specific semantic meaning.

PHP 7.4.32-1

* New upstream version 7.4.32
CVE-2022-31628: phar wrapper: DOS when using quine gzip file.
CVE-2022-31629: Don't mangle HTTP variable names that clash with ones that have a specific semantic meaning.

PHP 8.0.24-1

- Core:
. Fixed bug GH-9323 (Crash in ZEND_RETURN/GC/zend_call_function) (Tim Starling)
. Fixed bug GH-9361 (Segmentation fault on script exit #9379). (cmb, Christian Schneider)
. Fixed bug GH-9407 (LSP error in eval'd code refers to wrong class for static type). (ilutov)
. Fix #81727 (Don't mangle semantically meaningful HTTP var names). (derick)

- DOM:
. Fixed bug #79451 (DOMDocument->replaceChild on doctype causes double free). (Nathan Freeman)

- FPM:
. Fixed bug GH-8885 (FPM access.log with stderr begins to write logs to error_log after daemon reload). (Dmitry Menshikov)
. Fixed bug #77780 ("Headers already sent..." when previous connection was aborted). (Jakub Zelenka)

- GMP
. Fixed bug GH-9308 (GMP throws the wrong error when a GMP object is passed to gmp_init()). (Girgias)

- Intl
. Fixed bug GH-9421 (Incorrect argument number for ValueError in NumberFormatter). (Girgias)

- Phar:
. Fix #81726 (DOS when using quine gzip file). (cmb)

- PDO_PGSQL:
. Fixed bug GH-9411 (PgSQL large object resource is incorrectly closed). (Yurunsoft)

- Reflection:
. Fixed bug GH-8932 (ReflectionFunction provides no way to get the called class of a Closure). (cmb, Nicolas Grekas)
. Fixed bug GH-9409 (Private method is incorrectly dumped as "overwrites"). (ilutov)

- Streams:
. Fixed bug GH-9316 ($http_response_header is wrong for long status line). (cmb, timwolla)

PHP 8.1.11-1

- Core:
. Fixed bug #81726: phar wrapper: DOS when using quine gzip file. (CVE-2022-31628). (cmb)
. Fixed bug #81727: Don't mangle HTTP variable names that clash with ones that have a specific semantic meaning. (CVE-2022-31629). (Derick)
. Fixed bug GH-9323 (Crash in ZEND_RETURN/GC/zend_call_function) (Tim Starling)
. Fixed bug GH-9361 (Segmentation fault on script exit #9379). (cmb, Christian Schneider)
. Fixed bug GH-9447 (Invalid class FQN emitted by AST dump for new and class constants in constant expressions). (ilutov)

- DOM:
. Fixed bug #79451 (DOMDocument->replaceChild on doctype causes double free). (Nathan Freeman)

- FPM:
. Fixed bug GH-8885 (FPM access.log with stderr begins to write logs to error_log after daemon reload). (Dmitry Menshikov)
. Fixed bug #77780 ("Headers already sent..." when previous connection was aborted). (Jakub Zelenka)

- GMP
. Fixed bug GH-9308 (GMP throws the wrong error when a GMP object is passed to gmp_init()). (Girgias)

- Intl
. Fixed bug GH-9421 (Incorrect argument number for ValueError in NumberFormatter). (Girgias)

- PCRE:
. Fixed pcre.jit on Apple Silicon. (Niklas Keller)

- PDO_PGSQL:
. Fixed bug GH-9411 (PgSQL large object resource is incorrectly closed). (Yurunsoft)

- Reflection:
. Fixed bug GH-8932 (ReflectionFunction provides no way to get the called class of a Closure). (cmb, Nicolas Grekas)

- Streams:
. Fixed bug GH-9316 ($http_response_header is wrong for long status line). (cmb, timwolla)

PHP 8.2.0~rc3-1

- Core:
. Fixed observer class notify with Opcache file_cache_only=1. (ilutov)

- Date:
. Fixed bug with parsing large negative numbers with the @ notation. (Derick)

- Fileinfo:
. Fixed bug GH-8805 (finfo returns wrong mime type for woff/woff2 files). (Anatol)

- Opcache:
. Added indirect call reduction for jit on x86 architectures. (wxue1)

- Sockets:
. Fixed socket constants regression as of PHP 8.2.0beta3. (Bruce Dou)

- Session:
. Fixed GH-9584 (Avoid memory corruption when not unregistering custom session handler). (ilutov)
. Fixed bug GH-9583 (session_create_id() fails with user defined save handler that doesn't have a validateId() method). (Girgias)

- Standard:
. Revert "Fixed parse_url(): can not recognize port without scheme." (andypost)