PHP 8.1 is currently only receiving security fixes. PHP 8.1.29 is not the latest version in the series, and using this release is not recommended. PHP 8.1.30 is the latest in the series.
Downloads
Source Code
git clone https://github.com/php/php-src.git --depth 1 --branch php-8.1.29
Building from source involves running ./buildconf, configuring the build with ./configure, and running make.
Detailed articles on how to compile PHP are available for Ubuntu/Debian based systems and Fedora/RHEL based systems.
Windows binaries
Docker/Podman Containers
docker pull php:8.1.29-cli-alpine
docker pull php:8.1.29-cli
docker pull php:8.1.29-fpm-alpine
docker pull php:8.1.29-apache
docker pull php:8.1.29-fpm
ChangeLog
CGI
- Fixed bug GHSA-3qgc-jrrr-25jv (Bypass of CVE-2012-1823, Argument Injection in PHP-CGI). (CVE-2024-4577)
Filter
- Fixed bug GHSA-w8qr-v226-r27w (Filter bypass in filter_var FILTER_VALIDATE_URL). (CVE-2024-5458)
OpenSSL
- The openssl_private_decrypt function in PHP, when using PKCS1 padding (OPENSSL_PKCS1_PADDING, which is the default), is vulnerable to the Marvin Attack unless it is used with an OpenSSL version that includes the changes from this pull request: https://github.com/openssl/openssl/pull/13817 (rsa_pkcs1_implicit_rejection). These changes are part of OpenSSL 3.2 and have also been backported to stable versions of various Linux distributions, as well as to the PHP builds provided for Windows since the previous release. All distributors and builders should ensure that this version is used to prevent PHP from being vulnerable.
Standard
- Fixed bug GHSA-9fcc-425m-g385 (Bypass of CVE-2024-1874). (CVE-2024-5585)
Commit List
Ben Ramsey
- Update NEWS in de4f7f9321
- Update NEWS in 6150156d3a
- Update versions for PHP 8.1.29 in fc4973fb0d
Jakub Zelenka
- Add proc_open escaping for cmd file execution in e3c784f2bf
- Fix bug GHSA-q6x7-frmf-grcw: password_verify can erroneously return true in 0ba5229a3f
Niels Dossche
- Fix GHSA-wpj3-hf5j-x4v4: Host-/Secure- cookie bypass due to partial CVE-2022-31629 fix in 093c08af25
- Fix GHSA-9fcc-425m-g385: bypass CVE-2024-1874 in c8b36406c0
- Fix GHSA-3qgc-jrrr-25jv in 4dd9a36c16
- Fix GHSA-w8qr-v226-r27w in 5c6d47372c