PHP 7.4.25, 8.0.12 and later 7.3.32 released with security and bug fixes
PHP versions 7.4.25, 8.0.12, and 7.3.32 are released with several bug fixes and a security fix.
A previous version of this content mentioned that there were corresponding PHP 7.3 releases. A new PHP 7.3 version was released on 2021-10-28, and this content was updated to reflect that.
PHP 7.4.25, 8.0.12 and 7.3.32 fix a security vulnerability (CVE-2021-21703) in the FastCGI Process Manager (FPM) Server API (SAPI), in which an out-of-bounds shared memory access could lead to privilege escalation.
All current PHP 7.3 versions (up to and including 7.3.31) are also affected. The PHP 7.3 series is currently scheduled to reach its End-Of-Life in December 2021. Because of the nature of this vulnerability, there will be no immediate and official PHP 7.3 release that fixes this vulnerability.
Although there is no official PHP version, this security fix is back-ported to the ondrej/php repository and likely to other maintained PHP software repositories as well.
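A version check against the fixed releases named above, added here as an example (it is not from the PHP project or from this post's original text). The function name is hypothetical, and the check compares upstream version numbers only, so a distribution package carrying a back-ported fix can still be reported as affected.

```shell
#!/bin/sh
# Added example: classify a PHP version string against the fixed releases
# named in this post for CVE-2021-21703 (7.3.32, 7.4.25, 8.0.12).
# Assumption: the caller supplies the version, e.g. the output of
# "php-fpm -v" (the binary name varies by distribution).

# fpm_cve_2021_21703_status VERSION_STRING
# Prints one of: patched | affected | unknown
fpm_cve_2021_21703_status() {
    # Use the first line only ("php-fpm -v" also prints a Zend Engine
    # version on a later line) and keep the leading MAJOR.MINOR.PATCH,
    # dropping prefixes like "PHP " and distro suffixes like "-1+ubuntu...".
    ver=$(printf '%s\n' "$1" | head -n 1 |
        sed -n 's/^[^0-9]*\([0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*\).*/\1/p')
    [ -n "$ver" ] || { echo unknown; return 0; }

    branch=${ver%.*}    # e.g. 7.4
    patch=${ver##*.}    # e.g. 24

    # First fixed patch release per branch, as listed in this post.
    case "$branch" in
        7.3) fixed=32 ;;
        7.4) fixed=25 ;;
        8.0) fixed=12 ;;
        *)   echo unknown; return 0 ;;   # branch not covered by this post
    esac

    if [ "$patch" -ge "$fixed" ]; then
        echo patched
    else
        # Older than the upstream fix. A distro package may still carry a
        # back-ported patch; confirm against the package changelog.
        echo affected
    fi
}
```

For hosts that report affected but install PHP from a distribution repository, look for CVE-2021-21703 in the package changelog before concluding the fix is missing.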
The latest releases are available from the PHP git repository, Docker images, and repositories for Ubuntu, Fedora, etc. Compiled Windows binaries are also available at windows.php.net.
Full Changelog of 8.0.12
- CLI:
  - Fixed #81496 (Server logs incorrect request method).
- Core:
- DOM:
  - Fixed #81433 (DOMElement::setIdAttribute() called twice may remove ID).
- FFI:
  - Fixed #79576 (TYPE * shows unhelpful message when type is not defined).
- FPM:
  - Fixed #81026 (PHP-FPM Out-of-bounds Read/Write in root process leading to privilege escalation) CVE-2021-21703.
- Fileinfo:
  - Fixed #78987 (High memory usage during encoding detection).
- Filter:
  - Fixed #61700 (FILTER_FLAG_IPV6/FILTER_FLAG_NO_PRIV|RES_RANGE failing).
- Opcache:
  - Fixed bug #81472 (Cannot support large linux major/minor device number when read /proc/self/maps).
- Reflection:
  - ReflectionAttribute is no longer final.
- SPL:
- Standard:
  - Fixed #69751 (Change Error message of sprintf/printf for missing/typo position specifier).
- Streams:
  - Fixed #81475 (stream_isatty emits warning with attached stream wrapper).
- XML:
  - Fixed #70962 (XML_OPTION_SKIP_WHITE strips embedded white-space).
- Zip:
Full Changelog of 7.4.25
- DOM:
  - Fixed #81433 (DOMElement::setIdAttribute() called twice may remove ID).
- FFI:
  - Fixed #79576 (TYPE * shows unhelpful message when type is not defined).
- Fileinfo:
  - Fixed #78987 (High memory usage during encoding detection).
- Filter:
  - Fixed #61700 (FILTER_FLAG_IPV6/FILTER_FLAG_NO_PRIV|RES_RANGE failing).
- FPM:
  - Fixed #81026 (PHP-FPM Out-of-bounds Read/Write in root process leading to privilege escalation) CVE-2021-21703.
- SPL:
  - Fixed #80663 (Recursive SplFixedArray::setSize() may cause double-free).
- Streams:
  - Fixed #81475 (stream_isatty emits warning with attached stream wrapper).
- XML:
  - Fixed #70962 (XML_OPTION_SKIP_WHITE strips embedded white-space).
- Zip:
Full Changelog of 7.3.32
- FPM:
  - Fixed #81026 (PHP-FPM Out-of-bounds Read/Write in root process leading to privilege escalation) CVE-2021-21703.