Ondřej Surý has released updated PHP 8.4.5, 8.3.19, 8.2.28, and 8.1.32 packages for Debian GNU/Linux 11 (Bullseye) LTS and 12 (Bookworm) as well as PHP 8.0.30-13, 7.4.33-18, 7.3.33-24, 7.2.34-54, 7.1.33-67, 7.0.33-79, 5.6.40-81 packages with security backports.
The latest versions of PHP include fixes for bugs in BCMath, Core, DOM, FFI, FPM, GD, LDAP, LibXML, MBString, Opcache, Phar, PHPDBG, Reflection, Standard, Streams, Windows, and Zlib. These fixes address issues such as a bcmul memory leak, broken stack overflow detection for variable compilation, UnhandledMatchError ignoring zend.exception_ignore_args=1, fallback paths in fast_long_{add,sub}_function, a crash reported by OSS-Fuzz, zend_mm_heap corruption, reference counting in php_request_shutdown, imagescale with both width and height negative, and FFI parsing of pointer declaration lists.
To add the repository:
#!/bin/bash
# To add this repository please do:
if [ "$(whoami)" != "root" ]; then
    SUDO=sudo
fi
# wget is installed here as well because the key download below uses it
${SUDO} apt-get -y install apt-transport-https lsb-release ca-certificates curl wget
${SUDO} wget -O /etc/apt/trusted.gpg.d/php.gpg https://packages.sury.org/php/apt.gpg
${SUDO} sh -c 'echo "deb https://packages.sury.org/php/ $(lsb_release -sc) main" > /etc/apt/sources.list.d/php.list'
${SUDO} apt-get update

PHP 8.4.5
- BCMath:
. Fixed bug GH-17398 (bcmul memory leak). (SakiTakamachi)
- Core:
. Fixed bug GH-17623 (Broken stack overflow detection for variable compilation). (ilutov)
. Fixed bug GH-17618 (UnhandledMatchError does not take zend.exception_ignore_args=1 into account). (timwolla)
. Fix fallback paths in fast_long_{add,sub}_function. (nielsdos)
. Fixed bug OSS-Fuzz #391975641 (Crash when accessing property backing value by reference). (ilutov)
. Fixed bug GH-17718 (Calling static methods on an interface that has `__callStatic` is allowed). (timwolla)
. Fixed bug GH-17713 (ReflectionProperty::getRawValue() and related methods may call hooks of overridden properties). (Arnaud)
. Fixed bug GH-17916 (Final abstract properties should error). (DanielEScherzer)
. Fixed bug GH-17866 (zend_mm_heap corrupted error after upgrading from 8.4.3 to 8.4.4). (nielsdos)
. Fixed GHSA-rwp7-7vc6-8477 (Reference counting in php_request_shutdown causes Use-After-Free). (CVE-2024-11235) (ilutov)
- DOM:
. Fixed bug GH-17609 (Typo in error message: Dom\NO_DEFAULT_NS instead of Dom\HTML_NO_DEFAULT_NS). (nielsdos)
. Fixed bug GH-17802 (\Dom\HTMLDocument querySelector attribute name is case sensitive in HTML). (nielsdos)
. Fixed bug GH-17847 (xinclude destroys live node). (nielsdos)
. Fix using Dom\Node with Dom\XPath callbacks. (nielsdos)
- GD:
. Fixed bug GH-17703 (imagescale with both width and height negative values triggers only an Exception on width). (David Carlier)
- FFI:
. Fix FFI Parsing of Pointer Declaration Lists. (davnotdev)
- FPM:
. Fixed bug GH-17643 (FPM with httpd ProxyPass encoded PATH_INFO env). (Jakub Zelenka)
- GD:
. Fixed bug GH-17772 (imagepalettetotruecolor crash with memory_limit=2M). (David Carlier)
- LDAP:
. Fixed bug GH-17704 (ldap_search fails when $attributes contains a non-packed array with numerical keys). (nielsdos, 7u83)
- LibXML:
. Fixed GHSA-wg4p-4hqh-c3g9 (Reoccurrence of #72714). (nielsdos)
. Fixed GHSA-p3x9-6h7p-cgfc (libxml streams use wrong `content-type` header when requesting a redirected resource). (CVE-2025-1219) (timwolla)
- MBString:
. Fixed bug GH-17503 (Undefined float conversion in mb_convert_variables). (cmb)
- Opcache:
. Fixed bug GH-17654 (Multiple classes using same trait causes function JIT crash). (nielsdos)
. Fixed bug GH-17577 (JIT packed type guard crash). (nielsdos, Dmitry)
. Fixed bug GH-17747 (Exception on reading property in register-based FETCH_OBJ_R breaks JIT). (Dmitry, nielsdos)
. Fixed bug GH-17715 (Null pointer deref in observer API when calling cases() method on preloaded enum). (Bob)
. Fixed bug GH-17868 (Cannot allocate memory with tracing JIT on 8.4.4). (nielsdos)
- PDO_SQLite:
. Fixed GH-17837 (::getColumnMeta() on unexecuted statement segfaults). (cmb)
. Fix cycle leak in sqlite3 setAuthorizer(). (nielsdos)
. Fix memory leaks in pdo_sqlite callback registration. (nielsdos)
- Phar:
. Fixed bug GH-17808: PharFileInfo refcount bug. (nielsdos)
- PHPDBG:
. Partially fixed bug GH-17387 (Trivial crash in phpdbg lexer). (nielsdos)
. Fix memory leak in phpdbg calling registered function. (nielsdos)
- Reflection:
. Fixed bug GH-15902 (Core dumped in ext/reflection/php_reflection.c). (DanielEScherzer)
. Fixed missing final and abstract flags when dumping properties. (DanielEScherzer)
- Standard:
. Fixed bug #72666 (stat cache clearing inconsistent between file:// paths and plain paths). (Jakub Zelenka)
- Streams:
. Fixed bug GH-17650 (realloc with size 0 in user_filters.c). (nielsdos)
. Fix memory leak on overflow in _php_stream_scandir(). (nielsdos)
. Fixed GHSA-hgf54-96fm-v528 (Stream HTTP wrapper header check might omit basic auth header). (CVE-2025-1736) (Jakub Zelenka)
. Fixed GHSA-52jp-hrpf-2jff (Stream HTTP wrapper truncate redirect location to 1024 bytes). (CVE-2025-1861) (Jakub Zelenka)
. Fixed GHSA-pcmh-g36c-qc44 (Streams HTTP wrapper does not fail for headers without colon). (CVE-2025-1734) (Jakub Zelenka)
. Fixed GHSA-v8xr-gpvj-cx9g (Header parser of `http` stream wrapper does not handle folded headers). (CVE-2025-1217) (Jakub Zelenka)
- Windows:
. Fixed phpize for Windows 11 (24H2). (Bob)
. Fixed GH-17855 (CURL_STATICLIB flag set even if linked with shared lib). (cmb)
- Zlib:
. Fixed bug GH-17745 (zlib extension incorrectly handles object arguments). (nielsdos)
. Fix memory leak when encoding check fails. (nielsdos)
. Fix zlib support for large files. (nielsdos)

PHP 8.3.19
- BCMath:
. Fixed bug GH-17398 (bcmul memory leak). (SakiTakamachi)
- Core:
. Fixed bug GH-17623 (Broken stack overflow detection for variable compilation). (ilutov)
. Fixed bug GH-17618 (UnhandledMatchError does not take zend.exception_ignore_args=1 into account). (timwolla)
. Fix fallback paths in fast_long_{add,sub}_function. (nielsdos)
. Fixed bug GH-17718 (Calling static methods on an interface that has `__callStatic` is allowed). (timwolla)
. Fixed bug GH-17797 (zend_test_compile_string crash on invalid script path). (David Carlier)
. Fixed GHSA-rwp7-7vc6-8477 (Reference counting in php_request_shutdown causes Use-After-Free). (CVE-2024-11235) (ilutov)
- DOM:
. Fixed bug GH-17847 (xinclude destroys live node). (nielsdos)
- FFI:
. Fix FFI Parsing of Pointer Declaration Lists. (davnotdev)
- FPM:
. Fixed bug GH-17643 (FPM with httpd ProxyPass encoded PATH_INFO env). (Jakub Zelenka)
- GD:
. Fixed bug GH-17772 (imagepalettetotruecolor crash with memory_limit=2M). (David Carlier)
- LDAP:
. Fixed bug GH-17704 (ldap_search fails when $attributes contains a non-packed array with numerical keys). (nielsdos, 7u83)
- LibXML:
. Fixed GHSA-wg4p-4hqh-c3g9 (Reoccurrence of #72714). (nielsdos)
. Fixed GHSA-p3x9-6h7p-cgfc (libxml streams use wrong `content-type` header when requesting a redirected resource). (CVE-2025-1219) (timwolla)
- MBString:
. Fixed bug GH-17503 (Undefined float conversion in mb_convert_variables). (cmb)
- Opcache:
. Fixed bug GH-17654 (Multiple classes using same trait causes function JIT crash). (nielsdos)
. Fixed bug GH-17577 (JIT packed type guard crash). (nielsdos, Dmitry)
. Fixed bug GH-17899 (zend_test_compile_string with invalid path when opcache is enabled). (David Carlier)
. Fixed bug GH-17868 (Cannot allocate memory with tracing JIT). (nielsdos)
- PDO_SQLite:
. Fixed GH-17837 (::getColumnMeta() on unexecuted statement segfaults). (cmb)
. Fix cycle leak in sqlite3 setAuthorizer(). (nielsdos)
- Phar:
. Fixed bug GH-17808: PharFileInfo refcount bug. (nielsdos)
- PHPDBG:
. Partially fixed bug GH-17387 (Trivial crash in phpdbg lexer). (nielsdos)
. Fix memory leak in phpdbg calling registered function. (nielsdos)
- Reflection:
. Fixed bug GH-15902 (Core dumped in ext/reflection/php_reflection.c). (DanielEScherzer)
- Standard:
. Fixed bug #72666 (stat cache clearing inconsistent between file:// paths and plain paths). (Jakub Zelenka)
- Streams:
. Fixed bug GH-17650 (realloc with size 0 in user_filters.c). (nielsdos)
. Fix memory leak on overflow in _php_stream_scandir(). (nielsdos)
. Fixed GHSA-hgf54-96fm-v528 (Stream HTTP wrapper header check might omit basic auth header). (CVE-2025-1736) (Jakub Zelenka)
. Fixed GHSA-52jp-hrpf-2jff (Stream HTTP wrapper truncate redirect location to 1024 bytes). (CVE-2025-1861) (Jakub Zelenka)
. Fixed GHSA-pcmh-g36c-qc44 (Streams HTTP wrapper does not fail for headers without colon). (CVE-2025-1734) (Jakub Zelenka)
. Fixed GHSA-v8xr-gpvj-cx9g (Header parser of `http` stream wrapper does not handle folded headers). (CVE-2025-1217) (Jakub Zelenka)
- Windows:
. Fixed phpize for Windows 11 (24H2). (bwoebi)
. Fixed GH-17855 (CURL_STATICLIB flag set even if linked with shared lib). (cmb)
- Zlib:
. Fixed bug GH-17745 (zlib extension incorrectly handles object arguments). (nielsdos)
. Fix memory leak when encoding check fails. (nielsdos)
. Fix zlib support for large files. (nielsdos)

PHP 8.2.28, 8.1.32, 8.0.30-13, 7.4.33-18, 7.3.33-24, 7.2.34-54, 7.1.33-67, 7.0.33-79, and 5.6.40-81
- Core:
. Fixed bug GH-17211 (observer segfault on function loaded with dl()). (Arnaud)
- LibXML:
. Fixed GHSA-wg4p-4hqh-c3g9 (Reoccurrence of #72714). (nielsdos)
. Fixed GHSA-p3x9-6h7p-cgfc (libxml streams use wrong `content-type` header when requesting a redirected resource). (CVE-2025-1219) (timwolla)
- Streams:
. Fixed GHSA-hgf54-96fm-v528 (Stream HTTP wrapper header check might omit basic auth header). (CVE-2025-1736) (Jakub Zelenka)
. Fixed GHSA-52jp-hrpf-2jff (Stream HTTP wrapper truncate redirect location to 1024 bytes). (CVE-2025-1861) (Jakub Zelenka)
. Fixed GHSA-pcmh-g36c-qc44 (Streams HTTP wrapper does not fail for headers without colon). (CVE-2025-1734) (Jakub Zelenka)
. Fixed GHSA-v8xr-gpvj-cx9g (Header parser of `http` stream wrapper does not handle folded headers). (CVE-2025-1217) (Jakub Zelenka)
- Windows:
. Fixed phpize for Windows 11 (24H2). (bwoebi)
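
The repository setup script earlier in this post places the signing key in /etc/apt/trusted.gpg.d, where APT accepts it for every configured source rather than only for packages.sury.org. As an added example (not part of the original post or of the packages.sury.org instructions), the shell functions below flag one-line source entries that lack a signed-by option and print the same repository entry pinned to a single keyring; the function names and any keyring path passed in are assumptions.

```shell
#!/bin/bash
# Added example, not from packages.sury.org. Handles one-line *.list files
# only; deb822 *.sources files are out of scope here.

# Print "file:lineno: entry" for each active deb/deb-src entry in DIR that
# has no [signed-by=...] option. Returns 1 if any such entry exists, else 0.
audit_unscoped_sources() {
    dir=$1; found=0
    for file in "$dir"/*.list; do
        [ -e "$file" ] || continue
        n=0
        while IFS= read -r line || [ -n "$line" ]; do
            n=$((n + 1))
            # Strip leading whitespace so indented entries are still seen.
            line=${line#"${line%%[![:space:]]*}"}
            case $line in
                deb[[:space:]]*|deb-src[[:space:]]*) ;;  # active entry
                *) continue ;;                           # comment or blank
            esac
            case $line in
                *\[*signed-by=*\]*) ;;                   # key scoped to source
                *) printf '%s:%d: %s\n' "$file" "$n" "$line"; found=1 ;;
            esac
        done < "$file"
    done
    return "$found"
}

# Emit the page's repository entry pinned to one keyring file.
# $1 = keyring path (caller's choice, an assumption), $2 = release codename.
scoped_entry() {
    printf 'deb [signed-by=%s] https://packages.sury.org/php/ %s main\n' "$1" "$2"
}
```

After sourcing the file, `audit_unscoped_sources /etc/apt/sources.list.d` returns non-zero when at least one entry relies on the global keyring.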