
Ondřej Surý has released PHP 8.4.0RC1, 8.3.12, 8.2.24, 8.1.30, 8.0.30-9, 7.4.33-15, and 7.3.33-21 packages for both Debian GNU/Linux 11 (Bullseye) LTS and 12 (Bookworm).





To add the repository:
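#!/bin/bash
# To add this repository please do:

# Use sudo only when not already running as root.
if [ "$(whoami)" != "root" ]; then
    SUDO=sudo
fi

# Install prerequisites (curl is used below to fetch the repository key).
${SUDO} apt-get -y install apt-transport-https lsb-release ca-certificates curl
# Download the repository signing key over HTTPS; -f fails on HTTP errors
# instead of saving an error page as the key.
${SUDO} curl -fsSLo /etc/apt/trusted.gpg.d/php.gpg https://packages.sury.org/php/apt.gpg
# Register the repository for the running Debian release.
${SUDO} sh -c 'echo "deb https://packages.sury.org/php/ $(lsb_release -sc) main" > /etc/apt/sources.list.d/php.list'
${SUDO} apt-get update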

PHP 8.4.0RC1

- BcMath:
. bcpow() performance improvement. (Jorg Sowa)
. ext/bcmath: Check for scale overflow. (SakiTakamachi)
. [RFC] ext/bcmath: Added bcdivmod. (SakiTakamachi)
. Fix GH-15968 (Avoid converting objects to strings in operator calculations).
(SakiTakamachi)

- Curl:
. Added CURLOPT_DEBUGFUNCTION as a Curl option. (Ayesh Karunaratne)

- Debugging:
. Fixed bug GH-15923 (GDB: Python Exception <class 'TypeError'>:
exceptions must derive from BaseException). (nielsdos)

- DOM:
. Fix XML serializer errata: xmlns="" serialization should be allowed.
(nielsdos)
. Fixed bug GH-15910 (Assertion failure in ext/dom/element.c). (nielsdos)
. Fix unsetting DOM properties. (nielsdos)

- MBString:
. Fixed bug GH-15824 (mb_detect_encoding(): Argument $encodings contains
invalid encoding "UTF8"). (Yuya Hamada)
. Updated Unicode data tables to Unicode 16.0. (Ayesh Karunaratne)

- Opcache:
. Fixed bug GH-15657 (Segmentation fault in dasm_x86.h). (nielsdos)
. Added opcache_jit_blacklist() function. (Bob)

- PHPDBG:
. Fixed bug GH-15901 (phpdbg: Assertion failure on i funcs). (cmb)

- PCRE:
. Fix UAF issues with PCRE after request shutdown. (nielsdos)

- PDO_PGSQL:
. Fixed GH-15986 (Double-free due to Pdo\Pgsql::setNoticeCallback()). (cmb,
nielsdos)
. Fixed GH-12940 (Using PQclosePrepared when available instead of
the DEALLOCATE command to free statements resources). (David Carlier)

- Reflection:
. Add missing ReflectionProperty::hasHook[s]() methods. (ilutov)
. Add missing ReflectionProperty::isFinal() method. (ilutov)

- SimpleXML:
. Fixed bug GH-15837 (Segmentation fault in ext/simplexml/simplexml.c).
(nielsdos)

- SOAP:
. Fixed bug #73182 (PHP SOAPClient does not support stream context HTTP
headers in array form). (nielsdos)
. Fixed bug #62900 (Wrong namespace on xsd import error message). (nielsdos)
. Fixed bug GH-15711 (SoapClient can't convert BackedEnum to scalar value).
(nielsdos)

- SPL:
. Fixed bug GH-15918 (Assertion failure in ext/spl/spl_fixedarray.c).
(nielsdos)

- Standard:
. Add support for backed enums in http_build_query(). (ilutov)
. Fixed bug GH-15982 (Assertion failure with array_find when references are
involved). (nielsdos)

- Streams:
. Fixed bugs GH-15908 and GH-15026 (leak / assertion failure in streams.c).
(nielsdos)
. Fixed bug GH-15980 (Signed integer overflow in main/streams/streams.c).
(cmb)

- TSRM:
. Prevent closing of unrelated handles. (cmb)

- Windows:
. Fixed minimal Windows version. (cmb)

- Zip:
. Added ZipArchive::ER_TRUNCATED_ZIP, introduced in libzip 1.11. (Remi)

PHP 8.3.12

- CGI:
. Fixed bug GHSA-p99j-rfp4-xqvq (Bypass of CVE-2024-4577, Parameter Injection
Vulnerability). (CVE-2024-8926) (nielsdos)
. Fixed bug GHSA-94p6-54jq-9mwp (cgi.force_redirect configuration is
bypassable due to the environment variable collision). (CVE-2024-8927)
(nielsdos)

- Core:
. Fixed bug GH-15408 (MSan false-positive on zend_max_execution_timer).
(zeriyoshi)
. Fixed bug GH-15515 (Configure error grep illegal option q). (Peter Kokot)
. Fixed bug GH-15514 (Configure error: genif.sh: syntax error). (Peter Kokot)
. Fixed bug GH-15565 (--disable-ipv6 during compilation produces error
EAI_SYSTEM not found). (nielsdos)
. Fixed bug GH-15587 (CRC32 API build error on arm 32-bit).
(Bernd Kuhls, Thomas Petazzoni)
. Fixed bug GH-15330 (Do not scan generator frames more than once). (Arnaud)
. Fixed uninitialized lineno in constant AST of internal enums. (ilutov)

- Curl:
. Fixed bug GH-15547 (curl_multi_select overflow on timeout argument).
(David Carlier)

- DOM:
. Fixed bug GH-15551 (Segmentation fault (access null pointer) in
ext/dom/xml_common.h). (nielsdos)
. Fixed bug GH-15654 (Signed integer overflow in ext/dom/nodelist.c).
(nielsdos)

- Fileinfo:
. Fixed bug GH-15752 (Incorrect error message for finfo_file
with an empty filename argument). (DanielEScherzer)

- FPM:
. Fixed bug GHSA-865w-9rf3-2wh5 (Logs from children may be altered).
(CVE-2024-9026) (Jakub Zelenka)

- MySQLnd:
. Fixed bug GH-15432 (Heap corruption when querying a vector). (cmb,
Kamil Tekiela)

- Opcache:
. Fixed bug GH-15661 (Access null pointer in
Zend/Optimizer/zend_inference.c). (nielsdos)
. Fixed bug GH-15658 (Segmentation fault in Zend/zend_vm_execute.h).
(nielsdos)

- SAPI:
. Fixed bug GHSA-9pqp-7h25-4f32 (Erroneous parsing of multipart form data).
(CVE-2024-8925) (Arnaud)

- Standard:
. Fixed bug GH-15552 (Signed integer overflow in ext/standard/scanf.c). (cmb)

- Streams:
. Fixed bug GH-15628 (php_stream_memory_get_buffer() not zero-terminated).
(cmb)

PHP 8.2.24

- CGI:
. Fixed bug GHSA-p99j-rfp4-xqvq (Bypass of CVE-2024-4577, Parameter Injection
Vulnerability). (CVE-2024-8926) (nielsdos)
. Fixed bug GHSA-94p6-54jq-9mwp (cgi.force_redirect configuration is
bypassable due to the environment variable collision). (CVE-2024-8927)
(nielsdos)

- Core:
. Fixed bug GH-15408 (MSan false-positive on zend_max_execution_timer).
(zeriyoshi)
. Fixed bug GH-15515 (Configure error grep illegal option q). (Peter Kokot)
. Fixed bug GH-15514 (Configure error: genif.sh: syntax error). (Peter Kokot)
. Fixed bug GH-15565 (--disable-ipv6 during compilation produces error
EAI_SYSTEM not found). (nielsdos)
. Fixed bug GH-15587 (CRC32 API build error on arm 32-bit).
(Bernd Kuhls, Thomas Petazzoni)
. Fixed bug GH-15330 (Do not scan generator frames more than once). (Arnaud)
. Fixed uninitialized lineno in constant AST of internal enums. (ilutov)

- Curl:
. Fixed bug GH-15547 (curl_multi_select overflow on timeout argument).
(David Carlier)

- DOM:
. Fixed bug GH-15551 (Segmentation fault (access null pointer) in
ext/dom/xml_common.h). (nielsdos)

- Fileinfo:
. Fixed bug GH-15752 (Incorrect error message for finfo_file
with an empty filename argument). (DanielEScherzer)

- FPM:
. Fixed bug GHSA-865w-9rf3-2wh5 (Logs from children may be altered).
(CVE-2024-9026) (Jakub Zelenka)

- MySQLnd:
. Fixed bug GH-15432 (Heap corruption when querying a vector). (cmb,
Kamil Tekiela)

- Opcache:
. Fixed bug GH-15661 (Access null pointer in
Zend/Optimizer/zend_inference.c). (nielsdos)
. Fixed bug GH-15658 (Segmentation fault in Zend/zend_vm_execute.h).
(nielsdos)

- SAPI:
. Fixed bug GHSA-9pqp-7h25-4f32 (Erroneous parsing of multipart form data).
(CVE-2024-8925) (Arnaud)

- SOAP:
. Fixed bug #73182 (PHP SOAPClient does not support stream context HTTP
headers in array form). (nielsdos)

- Standard:
. Fixed bug GH-15552 (Signed integer overflow in ext/standard/scanf.c). (cmb)

- Streams:
. Fixed bug GH-15628 (php_stream_memory_get_buffer() not zero-terminated).
(cmb)

PHP 8.1.30, 8.0.30-9, 7.4.33-15, 7.3.33-21

- CGI:
. Fixed bug GHSA-p99j-rfp4-xqvq (Bypass of CVE-2024-4577, Parameter Injection
Vulnerability). (CVE-2024-8926) (nielsdos)
. Fixed bug GHSA-94p6-54jq-9mwp (cgi.force_redirect configuration is
bypassable due to the environment variable collision). (CVE-2024-8927)
(nielsdos)

- FPM:
. Fixed bug GHSA-865w-9rf3-2wh5 (Logs from children may be altered).
(CVE-2024-9026) (Jakub Zelenka)

- SAPI:
. Fixed bug GHSA-9pqp-7h25-4f32 (Erroneous parsing of multipart form data).
(CVE-2024-8925) (Arnaud)
