PHP 7.4 reached EOL on , and all releases of this version no longer receive security or bug fixes. Using PHP 7.4.21 is not recommended. PHP 7.4.33 is the latest version in the series.
Downloads
Source Code
git clone https://github.com/php/php-src.git --depth 1 --branch php-7.4.21
./buildconf
), configuring the build ./configure
, and running make
.Detailed articles on how to compile PHP are available for Ubuntu/Debian based systems and Fedora/RHEL based systems.
Windows binaries
Docker/Podman Containers
docker pull php:7.4.21-cli-alpine
docker pull php:7.4.21-cli
docker pull php:7.4.21-fpm-alpine
docker pull php:7.4.21-apache
docker pull php:7.4.21-fpm
ChangeLog
Core
- Fixed bug #76359 (
open_basedir
bypass through adding ".."). - Fixed bug #81068 (Double free in
realpath_cache_clean()
). - Fixed bug #81070 (Integer underflow in memory limit comparison).
- Fixed bug #81090 (Typed property performance degradation with .= operator).
- Fixed bug #81122: SSRF bypass in FILTER_VALIDATE_URL. (CVE-2021-21705)
Bzip2
- Fixed bug #81092 (fflush before
stream_filter_remove
corrupts stream).
OpenSSL
- Fixed bug #76694 (native Windows cert verification uses CN as sever name).
PDO_Firebird
- Fixed bug #76448: Stack buffer overflow in firebird_info_cb. (CVE-2021-21704)
- Fixed bug #76449: SIGSEGV in firebird_handle_doer. (CVE-2021-21704)
- Fixed bug #76450: SIGSEGV in firebird_stmt_execute. (CVE-2021-21704)
- Fixed bug #76452: Crash while parsing blob data in firebird_fetch_blob. (CVE-2021-21704)
Standard
- Fixed bug #81048 (phpinfo(INFO_VARIABLES) "Array to string conversion").
Commit List
Christoph M. Becker
- Fix #81048: phpinfo(INFO_VARIABLES) "Array to string conversion" in 36b9bdeeec
- Update version in
php_version.h
as well in 59522ba968 - Fix #76359:
open_basedir
bypass through adding ".." in ee9e07541f - Speed up
ext/dba/tests/bug78808.phpt
in c11b52de95 - Fix typo in test case (doe → die) in 4ab434fa0e
- Fix #76694: native Windows cert verification uses CN as sever name in 7fd48264de
- Fix #81092: fflush before
stream_filter_remove
corrupts stream in a1738d8bd1 - Fix test wrt. OPENSSL_CONF in d15e10d7ab
- Fix #81122: SSRF bypass in FILTER_VALIDATE_URL in 5cea97e083
- Fix #76452: Crash while parsing blob data in firebird_fetch_blob in 1d4c3114af
- Fix #76450: SIGSEGV in firebird_stmt_execute in 922ea34199
- Fix #76449: SIGSEGV in firebird_handle_doer in 08fc2960bc
- Fix #76448: Stack buffer overflow in firebird_info_cb in e92d5edeee
Derick Rethans
- The PHP 7.4 branch is now for 7.4.21 in 3938bfb564
- Prepare NEWS for 7.4.21 in 3fb79c2b6e
- Update versions for PHP 7.4.21 in bc008409df
Dimitry Andric
- Fix bug #81068: Fix possible use-after-free in
realpath_cache_clean()
in 99a208566a
Nikita Popov
- Fix handling of
open_basedir
that contains cwd in ee7a8acde9 - Fixed bug #81090 in 82f6f6da67
- Skip test without ZMM in d4f493b0b0
- Try to fix libxml 2.9.12 tests in d818edeae2
- Fixed bug #81104 in d8165c2502
- Mitigation for bug #81096 in 3f4bc94b00
Peter van Dommelen
- Fixed bug #81070 in 1b3b5c94e5
Stanislav Malyshev
- Fix warning in cece92ba66
Stéphan Kochen
- Make tests compatible with libxml2 2.9.12 in f3d1e9ed06