PHP 7.4.25, 8.0.12 and later 7.3.32 released with security and bug fixes

Published On: 24 Oct 2021
Updated On: 2021-10-28

PHP versions 7.4.25, 8.0.12, and 7.3.32 are released with several bug fixes and a security fix.

A previous version of this content mentioned that there were corresponding PHP 7.3 releases. A new PHP 7.3 version was released on 2021-10-28, and this content was updated to reflect that.

PHP 7.4.25, 8.0.12 and 7.3.32 fix a security vulnerability (CVE-2021-21703) in the FastCGI Process Manager (FPM) Server API (SAPI), in which an out-of-bounds shared memory access could lead to privilege escalation.

All current PHP 7.3 versions (up to and including 7.3.31) are also affected. The PHP 7.3 series is currently scheduled to reach its End-Of-Life in December 2021. Because of the nature of this vulnerability, there will be no immediate and official PHP 7.3 release that fixes this vulnerability.

Although there is no official PHP version, this security fix is back-ported to the ondrej/php repository and likely to other maintained PHP software repositories as well.

The latest releases are available from the PHP git repository, Docker images, and repositories for Ubuntu, Fedora, etc. Compiled Windows binaries are also available at windows.php.net.
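A version triage check for the fixed releases named above, added here as an example; it is not part of the original article or of PHP's own tooling. The function names, result labels and sample inventory are assumptions made for the illustration. Only the three branches listed on this page are covered, and a version with a packaging suffix is reported as `verify-package` because a back-ported fix does not change the upstream version number.

```shell
#!/bin/sh
# Added example (not from the article): triage PHP version strings against the
# releases this page names as fixing CVE-2021-21703: 7.3.32, 7.4.25, 8.0.12.

# Fixed patch level for a branch named on this page; empty for other branches.
fixed_patch_for() {
    case "$1" in
        7.3) echo 32 ;;
        7.4) echo 25 ;;
        8.0) echo 12 ;;
    esac
}

# classify_php_version STRING  (hypothetical helper)
# STRING: bare version, package version, or the first line of `php-fpm -v`.
# Prints: patched | below-fix | verify-package | not-listed | unparsed
classify_php_version() {
    parsed=$(printf '%s\n' "$1" | sed -n \
        's/^[^0-9]*\([0-9][0-9]*\)\.\([0-9][0-9]*\)\.\([0-9][0-9]*\)\([^[:space:]]*\).*$/\1 \2 \3 \4/p')
    [ -n "$parsed" ] || { echo unparsed; return 0; }
    read -r major minor patch suffix <<EOF
$parsed
EOF
    fixed=$(fixed_patch_for "$major.$minor")
    [ -n "$fixed" ] || { echo not-listed; return 0; }

    # Upstream pre-releases (8.0.12RC1, 7.4.25-dev) predate the final release.
    prerelease=0
    case "$suffix" in
        RC*|alpha*|beta*|-dev*) prerelease=1 ;;
    esac

    if [ "$patch" -gt "$fixed" ] || { [ "$patch" -eq "$fixed" ] && [ "$prerelease" -eq 0 ]; }; then
        echo patched
    elif [ -n "$suffix" ] && [ "$prerelease" -eq 0 ]; then
        # Packaging suffix: the repository may carry a back-ported fix, so the
        # version number alone is inconclusive; check the package changelog.
        echo verify-package
    else
        echo below-fix
    fi
}

# Constructed sample inventory, not taken from the page.
for v in "7.3.31" "7.4.25" "8.0.12RC1" "7.4.3-4ubuntu2.18" "PHP 8.0.11 (fpm-fcgi)" "8.1.0"; do
    printf '%-28s %s\n' "$v" "$(classify_php_version "$v")"
done
```

Here `below-fix` only means the version is older than the fixed release of its branch; the result matters on hosts that actually run PHP-FPM, since the vulnerability is in the FPM SAPI.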

Full Changelog of 8.0.12

  • CLI:
    • Fixed #81496 (Server logs incorrect request method).
  • Core:
    • Fixed #81435 (Observer current_observed_frame may point to an old (overwritten) frame).
    • Fixed #81380 (Observer may not be initialized properly).
  • DOM:
    • Fixed #81433 (DOMElement::setIdAttribute() called twice may remove ID).
  • FFI:
    • Fixed #79576 (TYPE * shows unhelpful message when type is not defined).
  • FPM:
    • Fixed #81026 (PHP-FPM Out-of-bounds Read/Write in root process leading to privilege escalation) CVE-2021-21703.
  • Fileinfo:
    • Fixed #78987 (High memory usage during encoding detection).
  • Filter:
    • Fixed #61700 (FILTER_FLAG_IPV6/FILTER_FLAG_NO_PRIV|RES_RANGE failing).
  • Opcache:
    • Fixed bug #81472 (Cannot support large linux major/minor device number when read /proc/self/maps).
  • Reflection:
    • ReflectionAttribute is no longer final.
  • SPL:
    • Fixed #80663 (Recursive SplFixedArray::setSize() may cause double-free).
    • Fixed #81477 (LimitIterator + SplFileObject regression in 8.0.1).
  • Standard:
    • Fixed #69751 (Change Error message of sprintf/printf for missing/typo position specifier).
  • Streams:
    • Fixed #81475 (stream_isatty emits warning with attached stream wrapper).
  • XML:
    • Fixed #70962 (XML_OPTION_SKIP_WHITE strips embedded white-space).
  • Zip:
    • Fixed #81490 (ZipArchive::extractTo() may leak memory).
    • Fixed #77978 (Directory name ending in colon unzips to wrong directory).

Full Changelog of 7.4.25

  • DOM:
    • Fixed #81433 (DOMElement::setIdAttribute() called twice may remove ID).
  • FFI:
    • Fixed #79576 (TYPE * shows unhelpful message when type is not defined).
  • Fileinfo:
    • Fixed #78987 (High memory usage during encoding detection).
  • Filter:
    • Fixed #61700 (FILTER_FLAG_IPV6/FILTER_FLAG_NO_PRIV|RES_RANGE failing).
  • FPM:
    • Fixed #81026 (PHP-FPM Out-of-bounds Read/Write in root process leading to privilege escalation) CVE-2021-21703.
  • SPL:
    • Fixed #80663 (Recursive SplFixedArray::setSize() may cause double-free).
  • Streams:
    • Fixed #81475 (stream_isatty emits warning with attached stream wrapper).
  • XML:
    • Fixed #70962 (XML_OPTION_SKIP_WHITE strips embedded white-space).
  • Zip:
    • Fixed #81490 (ZipArchive::extractTo() may leak memory).
    • Fixed #77978 (Directory name ending in colon unzips to wrong directory).

Full Changelog of 7.3.32

  • FPM:
    • Fixed #81026 (PHP-FPM Out-of-bounds Read/Write in root process leading to privilege escalation) CVE-2021-21703.
