Release Information
- Release Type
- Security Update
- Release Status
- Latest
- Branch Status
- Security-Fixes Only
PHP 8.1 is currently only receiving security fixes, and scheduled to reach EOL on 2025-12-31
Downloads
Source Code
Git Clone
Use Git to clone the 8.1.29 tag from the PHP Git repository.
git clone https://github.com/php/php-src.git --depth 1 --branch php-8.1.29
How to compile PHP
PHP can be compiled by setting up the dependencies, building the configure script (
Detailed articles on how to compile PHP are available for Ubuntu/Debian based systems and Fedora/RHEL based systems.
./buildconf
), configuring the build ./configure
, and running make
.Detailed articles on how to compile PHP are available for Ubuntu/Debian based systems and Fedora/RHEL based systems.
Windows binaries
Non-Thread Safe Builds
Non-Thread Safe (NTS) builds are single-threaded PHP builds. They can be used on web servers that integrate PHP over FastCGI protocol, such as Nginx, Caddy, and IIS.
php-8.1.29-x64NTS.zip (29.33 MiB)
php-8.1.29-x86NTS.zip (26.39 MiB)
Thread-Safe Builds
Thread-Safe (TS) builds are multi-thread PHP builds, often used to integrate PHP as a Server API for multithreaded servers. The most common use case is using PHP as an Apache module.
php-8.1.29-x64TS.zip (29.44 MiB)
php-8.1.29-x86TS.zip (26.37 MiB)
Docker/Podman Containers
PHP CLI
PHP CLI Containers images only include the PHP CLI, and no FPM or Apache modules. The Alpine builds are lightweight, but may introduce incompatibilities due to their musl builds. Albeit their larger size, the Debian-based (without the "-alpine" suffix) images are more complete, and widely used.
Alpine-based: Lightweight, but may introduce incompatibilities due to their musl builds.
docker pull php:8.1.29-cli-alpine
Debian-based: More compatible with other components, complete, and are widely used.
docker pull php:8.1.29-cli
PHP CLI + Web Server Integration
These container images include PHP CLI, and a web server integration. FPM container images can be integrated with web servers such as Nginx, Caddy, and Apache with Event MPM. The Apache container images include Apache web server, integrating PHP as an Apache module.
Alpine-based: Lightweight, but may introduce incompatibilities due to their musl builds.
docker pull php:8.1.29-fpm-alpine
Debian-based ZTS Apache: Includes Apache web server integrating PHP as an Apache module.
docker pull php:8.1.29-apache
Debian-based NTS FPM: PHP-FPM, can be integrated with Nginx, Caddy, and other web servers over Fast CGI.
docker pull php:8.1.29-fpm
ChangeLog
CGI
- Fixed bug GHSA-3qgc-jrrr-25jv (Bypass of CVE-2012-1823, Argument Injection in PHP-CGI). (CVE-2024-4577)
Filter
- Fixed bug GHSA-w8qr-v226-r27w (Filter bypass in filter_var FILTER_VALIDATE_URL). (CVE-2024-5458)
OpenSSL
- The openssl_private_decrypt function in PHP, when using PKCS1 padding (OPENSSL_PKCS1_PADDING, which is the default), is vulnerable to the Marvin Attack unless it is used with an OpenSSL version that includes the changes from this pull request: https://github.com/openssl/openssl/pull/13817 (rsa_pkcs1_implicit_rejection). These changes are part of OpenSSL 3.2 and have also been backported to stable versions of various Linux distributions, as well as to the PHP builds provided for Windows since the previous release. All distributors and builders should ensure that this version is used to prevent PHP from being vulnerable.
Standard
- Fixed bug GHSA-9fcc-425m-g385 (Bypass of CVE-2024-1874). (CVE-2024-5585)
Commit List
Ben Ramsey
- Update NEWS in de4f7f9321
- Update NEWS in 6150156d3a
- Update versions for PHP 8.1.29 in fc4973fb0d
Jakub Zelenka
- Add
proc_open
escaping for cmd file execution in e3c784f2bf - Fix bug GHSA-q6x7-frmf-grcw: password_verify can erroneously return true in 0ba5229a3f
Niels Dossche
- Fix GHSA-wpj3-hf5j-x4v4: Host-/Secure- cookie bypass due to partial CVE-2022-31629 fix in 093c08af25
- Fix GHSA-9fcc-425m-g385: bypass CVE-2024-1874 in c8b36406c0
- Fix GHSA-3qgc-jrrr-25jv in 4dd9a36c16
- Fix GHSA-w8qr-v226-r27w in 5c6d47372c