PHP 8.1.3, 8.0.16, and 7.4.28 released with security and bug fixes

Published On 20 Feb 2022

PHP versions 8.1.3, 8.0.16, and 7.4.28 are now available to download/deploy. PHP 8.1.3 and 8.0.16 contain several bug fixes, and 8.1.3, 8.0.16, and 7.4.28 all also contain a fix for a Use-After-Free security vulnerability discovered in PHP.

The Use-After-Free vulnerability, announced as CVE-2021-21708, could be exploited if a maliciously crafted string containing an integer value (commonly called a numeric string) was passed to PHP filter functions, resulting in a server crash.

Note that PHP 7.3 has reached its End-Of-Life and will not receive an update for this vulnerability or any potential future security releases.

PHP.Watch verified that this particular vulnerability is not exploitable on the PHP 7.3 series.
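A version check for the releases named above, as an added example that is not from PHP.Watch or the PHP project: it classifies `PHP_VERSION` strings collected from hosts against the fixed releases 8.1.3, 8.0.16, and 7.4.28. The host names, status labels, and sample inventory are constructed, and flagging vendor-suffixed and pre-release builds for manual review is an assumption of this example.

```python
import re

# Fixed releases named in the announcement, keyed by (major, minor) branch.
FIXED = {(8, 1): (8, 1, 3), (8, 0): (8, 0, 16), (7, 4): (7, 4, 28)}
# Branch the announcement lists as end-of-life with no update coming.
EOL_BRANCHES = {(7, 3)}

_VERSION = re.compile(r"^(\d+)\.(\d+)\.(\d+)(.*)$")
_PRERELEASE = re.compile(r"(?i)^-?(rc|alpha|beta|dev)")


def classify(version):
    """Return (status, reason) for one PHP_VERSION-style string."""
    m = _VERSION.match(version.strip())
    if not m:
        return ("unparsed", "not a major.minor.patch version string")
    current = tuple(int(g) for g in m.groups()[:3])
    suffix = m.group(4)
    branch = current[:2]
    if branch in EOL_BRANCHES:
        return ("eol", "end-of-life branch, no fixed release will be published")
    if branch not in FIXED:
        return ("unknown", "branch is not covered by this announcement")
    fixed = FIXED[branch]
    prerelease = bool(_PRERELEASE.match(suffix))
    if current > fixed or (current == fixed and not prerelease):
        return ("patched", "at or above %d.%d.%d" % fixed)
    if current == fixed:
        # Assumption: an RC/alpha/beta/dev build of the fixed number may predate the fix.
        return ("review", "pre-release build of the fixed version")
    if suffix and not prerelease:
        # Assumption: a vendor build suffix (e.g. "-4ubuntu2.18") can hide a backport.
        return ("review", "vendor build below %d.%d.%d, check vendor advisory" % fixed)
    return ("needs_update", "below %d.%d.%d" % fixed)


def audit(inventory):
    """Map each host to its classification; inventory is {host: version}."""
    return {host: classify(version) for host, version in inventory.items()}


# Constructed sample inventory (host names and versions are made up).
SAMPLE = {"web-01": "8.1.3", "web-02": "8.0.15",
          "batch-01": "7.4.3-4ubuntu2.18", "legacy-01": "7.3.33"}

if __name__ == "__main__":
    for host, (status, reason) in sorted(audit(SAMPLE).items()):
        print(f"{host:10} {status:13} {reason}")
```

The version strings can be collected per host with `php -r 'echo PHP_VERSION;'`, run against each SAPI's binary where CLI and FPM are installed separately.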


Full Changelog of PHP 8.1.3

  • Core:
    • Fix: Attribute instantiation leaves dangling pointer (#81430).
    • Fix: Environment vars may be mangled on Windows (#7896).
    • Fix: Segfault when INI file is not readable (#7883).
  • FFI:
    • Fix: FFI::cast() from pointer to array is broken (#7867).
  • Filter:
  • FPM:
    • Fix: memory leak on invalid port.
    • Fix: Invalid OpenMetrics response format returned by FPM status page (#7842).
  • MBString:
    • Fix: mb_send_mail may delimit headers with LF only (#7902).
  • MySQLnd:
    • Fix: MariaDB version prefix 5.5.5- is not stripped (#7972).
  • pcntl:
    • Fix: pcntl_rfork build for DragonFlyBSD.
  • Sockets:
    • Fix: sockets extension compilation errors (#7978).
  • Standard:
    • Fix: Regression in unpack for negative int value (#7899).
    • Fix: mails are sent even if failure to log throws exception (#7875).

Full Changelog of PHP 8.0.16

  • Core:
    • Fix: Attribute instantiation leaves dangling pointer (#81430).
    • Fix: Environment vars may be mangled on Windows (#7896).
  • FFI:
    • Fix: FFI::cast() from pointer to array is broken (#7867).
  • Filter:
  • FPM:
    • Fix: memory leak on invalid port.
  • MBString:
    • Fix: mb_send_mail may delimit headers with LF only (#7902).
  • MySQLnd:
    • Fix: MariaDB version prefix 5.5.5- is not stripped (#7972).
  • Sockets:
    • Fix: sockets extension compilation errors (#7978).
    • Fix: ext/sockets build on Haiku.
  • Standard:
    • Fix: mails are sent even if failure to log throws exception (#7875).

Full Changelog of PHP 7.4.28
