PHP 8.2 is currently only receiving security fixes. PHP 8.2.20 is not the latest version in the series, and using this release is not recommended. PHP 8.2.28 is the latest in the series.
Downloads
Source Code
git clone https://github.com/php/php-src.git --depth 1 --branch php-8.2.20
Compiling from source involves running ./buildconf, configuring the build with ./configure, and running make.
Detailed articles on how to compile PHP are available for Ubuntu/Debian based systems and Fedora/RHEL based systems.
Windows binaries
Docker/Podman Containers
docker pull php:8.2.20-cli-alpine
docker pull php:8.2.20-cli
docker pull php:8.2.20-fpm-alpine
docker pull php:8.2.20-apache
docker pull php:8.2.20-fpm
ChangeLog
CGI
- Fixed buffer limit on Windows, replacing read call usage by _read.
- Fixed bug GHSA-3qgc-jrrr-25jv (Bypass of CVE-2012-1823, Argument Injection in PHP-CGI). (CVE-2024-4577)
CLI
- Fixed bug GH-14189 (PHP Interactive shell input state incorrectly handles quoted heredoc literals.).
Core
- Fixed bug GH-13970 (Incorrect validation of #[Attribute] flags type for non-compile-time expressions).
- Fixed bug GH-14140 (Floating point bug in range operation on Apple Silicon hardware).
DOM
- Fix crashes when entity declaration is removed while still having entity references.
- Fix references not handled correctly in C14N.
- Fix crash when calling childNodes next() when iterator is exhausted.
- Fix crash in ParentNode::append() when dealing with a fragment containing text nodes.
FFI
- Fixed bug GH-14215 (Cannot use FFI::load on CRLF header file with apache2handler).
Filter
- Fixed bug GHSA-w8qr-v226-r27w (Filter bypass in filter_var FILTER_VALIDATE_URL). (CVE-2024-5458)
FPM
- Fix bug GH-14175 (Show decimal number instead of scientific notation in systemd status).
Hash
- ext/hash: Swap the checking order of __has_builtin and __GNUC__
Intl
- Fixed build regression on systems without C++17 compilers.
Ini
- Fixed bug GH-14100 (Corrected spelling mistake in php.ini files).
MySQLnd
- Fix bug GH-14255 (mysqli_fetch_assoc reports error from nested query).
Opcache
- Fixed bug GH-14109 (Fix accidental persisting of internal class constant in shm).
OpenSSL
- The openssl_private_decrypt function in PHP, when using PKCS1 padding (OPENSSL_PKCS1_PADDING, which is the default), is vulnerable to the Marvin Attack unless it is used with an OpenSSL version that includes the changes from this pull request: https://github.com/openssl/openssl/pull/13817 (rsa_pkcs1_implicit_rejection). These changes are part of OpenSSL 3.2 and have also been backported to stable versions of various Linux distributions, as well as to the PHP builds provided for Windows since the previous release. All distributors and builders should ensure that this version is used to prevent PHP from being vulnerable.
Standard
- Fixed bug GHSA-9fcc-425m-g385 (Bypass of CVE-2024-1874). (CVE-2024-5585)
XML
- Fixed bug GH-14124 (Segmentation fault with XML extension under certain memory limit).
XMLReader
- Fixed bug GH-14183 (XMLReader::open() can't be overridden).
Commit List
Benjamin Cremer
- Fix GH-14175: Use two digit float specifier for FPM systemd format req rate in 5b6cda6523
Calvin Buckley
- Fix check for newer versions of ICU in GH-14186
David Carlier
- sapi/cgi: fix buffer limit on windows in 74843947f4
Derick Rethans
- Force ffp-contract to off in e5cb9d7df9
Dmitry Stogov
- Fix undefined behavior (left shift of negative number) in f0356612d9
- Fix prototype for trait methods in GH-14148
- Fix incorrect inheritance of private trait methods in GH-14163
Gina Peter Banyard
- ext/bcmath: Fix [-Wenum-int-mismatch] compiler warning in d775ba8804
- ext/ffi: Fix [-Wenum-int-mismatch] compiler warning in 554541c4db
- ext/gd: Fix [-Wcalloc-transposed-args] compiler warning in 3c45152798
- ext/pdo_mysql: Fix [-Wcalloc-transposed-args] compiler warning in d4accd8b12
- ext/readline: Fix [-Wcalloc-transposed-args] compiler warning in 0accfd1fe1
Ilija Tovilo
- Fix __SANITIZE_ADDRESS__ redeclaration warning in d670e131df
- Delay #[Attribute] arg validation until runtime in f8d1864bbb
- Fix persisting of inherited class constants in 42ede5597e
Kamil Tekiela
- Clear mysql error in fetch_into in a59868aef8
Marcus Xavier
- Fix GH-14100: Corrected spelling mistake in php.ini files in 32d21af296
Matteo Beccati
- Stick to mysql 8.3 for the time being in 6fed9a9a7e
Niels Dossche
- Fix crashes when entity declaration is removed while still having entity references in e878b9f390
- Fix references not handled correctly in C14N in 30a0b0359e
- Fix crash when calling childNodes next() when iterator is exhausted in 2dbe2d62b3
- Fix GH-14124: Segmentation fault on unknown address 0x0001ffff8041 with XML extension under certain memory limit in GH-14126
- Fix GH-14183: XMLReader::open() can't be overridden in 15813d69a5
- Fix GH-14189: PHP Interactive shell input state incorrectly handles quoted heredoc literals in 217b753a3d
- Fix missing deref in C14N in GH-14203
- Fix crash in ParentNode::append() when dealing with a fragment containing text nodes in 1e2a2d7df2
- Fix Windows SKIPIF in GH-14219
- Fix GH-14215: Cannot use FFI::load on CRLF header file with apache2handler in ebd1a36670
- Fix nightly test failure in GH-14251
- Fix undefined behaviour in fastcgi.c in GH-14269
- Skip .NET tests if mscoree is not available in GH-14281
- Fix GHSA-9fcc-425m-g385: bypass CVE-2024-1874 in 39c1a90f4a
- Fix GHSA-3qgc-jrrr-25jv in 88315f263d
- Fix GHSA-w8qr-v226-r27w in ec803292c2
Peter Kokot
- Fix tests for glibc 2.39 in GH-14097
Pierrick Charron
- Update NEWS in 0cf08b95ae
- Update versions for PHP 8.2.20 in 40298a988f
Saki Takamachi
- CI: fix oci setup in GH-14123
- ext/hash: Swap the checking order of __has_builtin and __GNUC__ in GH-14185
- Added test in 0a8fbef996
Tim Düsterhus
- CI: Do not save the ccache for PRs in GH-14168