PHP 7.3.31, 7.4.24, and 8.0.11 Released with Bug and Security Fixes

Published On2021-09-23

PHP versions 7.3.31, 7.4.24, and 8.0.11

PHP versions 7.3.31, 7.4.24, and 8.0.11 are released with several bug fixes and a security fix.

All of these versions fix a security vulnerability (CVE-2021-21706) in the Zip extension.

Prior to this fix, ZipArchive::extractTo method may extract a Zip archive outside the destination directory under certain file path names in Windows systems. This bug is now fixed in all current supported PHP versions.

Along with the security fix, PHP 7.3.31, 7.4.24, and 8.0.11 also fix several bugs. See the changelog for the list of changes.

The latest releases are available from the PHP git repository, Docker images, and repositories for Ubuntu, Fedora, etc. Compiled Windows binaries are also at windows.php.net

Changelog of 8.0.11

  • Core:
    • Fixed #81302: Stream position after stream filter removed
    • Fixed #81346: Non-seekable streams don't update position after write
    • Fixed #73122: Integer Overflow when concatenating strings
  • GD:
    • Fixed #53580: During resize gdImageCopyResampled cause colors change
  • Opcache:
    • Fixed #81353: Segfault with preloading and statically bound closure
  • Shmop:
    • Fixed #81407: shmop_open won't attach and causes php to crash
  • Standard:
    • Fixed #71542: disk_total_space does not work with relative paths
    • Fixed #81400: Unterminated string in dns_get_record() results
  • SysVMsg:
    • Fixed #78819: Heap Overflow in msg_send
  • XML:
    • Fixed #81351: xml_parse may fail, but has no error code
  • Zip:
    • Fixed #81420: ZipArchive::extractTo extracts outside of destination). (CVE-2021-21706)

Changelog of 7.4.24

  • Core:
    • Fixed #81302: Stream position after stream filter removed
    • Fixed #81346: Non-seekable streams don't update position after write
    • Fixed #73122: Integer Overflow when concatenating strings
  • GD:
    • Fixed #53580: During resize gdImageCopyResampled cause colors change
  • Opcache:
    • Fixed #81353: Segfault with preloading and statically bound closure
  • Shmop:
    • Fixed #81407: shmop_open won't attach and causes php to crash
  • Standard:
    • Fixed #71542: disk_total_space does not work with relative paths
    • Fixed #81400: Unterminated string in dns_get_record() results
  • SysVMsg:
    • Fixed #78819: Heap Overflow in msg_send
  • XML:
    • Fixed #81351: xml_parse may fail, but has no error code
  • Zip:
    • Fixed #80833: ZipArchive::getStream doesn't use setPassword
    • Fixed #81420: ZipArchive::extractTo extracts outside of destination). (CVE-2021-21706)

Changelog of 7.3.31

  • Zip:
    • Fixed #81420: ZipArchive::extractTo extracts outside of destination). (CVE-2021-21706)

In other news on PHP.Watch

All NewsFeed
Thank you, Nikita!

Thank you, Nikita!

Nikita Popov, one of the major and most impactful contributors to PHP announced that he will be shafting his focus, and will not be able to contribute to PHP on a professional capacity anymore.
PHP 7.4.25, 8.0.25 and later 7.3.32 released with security and bug fixes

PHP 7.4.25, 8.0.25 and later 7.3.32 released with security and bug fixes

PHP 7.4.25 and 8.0.25 released with security and bug fixes. A corresponding PHP 7.3 release was made later on 2021-10-28 with the fix for the security vulnerability.
Ubuntu 21.10 — Impish Indri — to be released with PHP 8.0

Ubuntu 21.10 — Impish Indri — to be released with PHP 8.0

Ubuntu 21.10 — Impish Indri — to be released on Oct 14, will contain PHP 8.0 in its default software repositories.
Subscribe to PHP.Watch newsletter for monthly updates

You will receive an email on last Wednesday of every month and on major PHP releases with new articles related to PHP, upcoming changes, new features and what's changing in the language. No marketing emails, no selling of your contacts, no click-tracking, and one-click instant unsubscribe from any email you receive.