PHP 8.2.20: Downloads, Changelog, News

Release Information

Release
8.2.20
PHP Version
PHP 8.2
Release Date
Release Type
Security Update
Release Status
Latest Release in 8.2
Branch Status
Supported

Latest release for PHP 8.2. This release contains security fixes, and it is recommended to update as soon as possible.
PHP 8.2 continues to receive bug fixes and security fixes until 2024-12-31.

Downloads

Source Code

Git Clone
Use Git to clone the 8.2.20 tag from the PHP Git repository.
git clone https://github.com/php/php-src.git --depth 1 --branch php-8.2.20
How to compile PHP
PHP can be compiled by setting up the dependencies, building the configure script (./buildconf), configuring the build ./configure, and running make.
Detailed articles on how to compile PHP are available for Ubuntu/Debian based systems and Fedora/RHEL based systems.

Windows binaries

Non-Thread Safe Builds
Non-Thread Safe (NTS) builds are single-threaded PHP builds. They can be used on web servers that integrate PHP over FastCGI protocol, such as Nginx, Caddy, and IIS.
Thread-Safe Builds
Thread-Safe (TS) builds are multi-thread PHP builds, often used to integrate PHP as a Server API for multithreaded servers. The most common use case is using PHP as an Apache module.

Docker/Podman Containers

PHP CLI
PHP CLI Containers images only include the PHP CLI, and no FPM or Apache modules. The Alpine builds are lightweight, but may introduce incompatibilities due to their musl builds. Albeit their larger size, the Debian-based (without the "-alpine" suffix) images are more complete, and widely used.

Alpine-based: Lightweight, but may introduce incompatibilities due to their musl builds.
docker pull php:8.2.20-cli-alpine

Debian-based: More compatible with other components, complete, and are widely used.
docker pull php:8.2.20-cli
PHP CLI + Web Server Integration
These container images include PHP CLI, and a web server integration. FPM container images can be integrated with web servers such as Nginx, Caddy, and Apache with Event MPM. The Apache container images include Apache web server, integrating PHP as an Apache module.

Alpine-based: Lightweight, but may introduce incompatibilities due to their musl builds.
docker pull php:8.2.20-fpm-alpine

Debian-based ZTS Apache: Includes Apache web server integrating PHP as an Apache module.
docker pull php:8.2.20-apache

Debian-based NTS FPM: PHP-FPM, can be integrated with Nginx, Caddy, and other web servers over Fast CGI.
docker pull php:8.2.20-fpm

ChangeLog

CGI

CLI

  • Fixed bug GH-14189 (PHP Interactive shell input state incorrectly handles quoted heredoc literals.).

Core

  • Fixed bug GH-13970 (Incorrect validation of #[Attribute] flags type for non-compile-time expressions).
  • Fixed bug GH-14140 (Floating point bug in range operation on Apple Silicon hardware).

DOM

  • Fix crashes when entity declaration is removed while still having entity references.
  • Fix references not handled correctly in C14N.
  • Fix crash when calling childNodes next() when iterator is exhausted.
  • Fix crash in ParentNode::append() when dealing with a fragment containing text nodes.

FFI

  • Fixed bug GH-14215 (Cannot use FFI::load on CRLF header file with apache2handler).

Filter

FPM

  • Fix bug GH-14175 (Show decimal number instead of scientific notation in systemd status).

Hash

  • ext/hash: Swap the checking order of __has_builtin and __GNUC__

Intl

  • Fixed build regression on systems without C++17 compilers.

Ini

  • Fixed bug GH-14100 (Corrected spelling mistake in php.ini files).

MySQLnd

  • Fix bug GH-14255 (mysqli_fetch_assoc reports error from nested query).

Opcache

  • Fixed bug GH-14109 (Fix accidental persisting of internal class constant in shm).

OpenSSL

  • The openssl_private_decrypt function in PHP, when using PKCS1 padding (OPENSSL_PKCS1_PADDING, which is the default), is vulnerable to the Marvin Attack unless it is used with an OpenSSL version that includes the changes from this pull request: https://github.com/openssl/openssl/pull/13817 (rsa_pkcs1_implicit_rejection). These changes are part of OpenSSL 3.2 and have also been backported to stable versions of various Linux distributions, as well as to the PHP builds provided for Windows since the previous release. All distributors and builders should ensure that this version is used to prevent PHP from being vulnerable.

Standard

XML

  • Fixed bug GH-14124 (Segmentation fault with XML extension under certain memory limit).

XMLReader

  • Fixed bug GH-14183 (XMLReader::open() can't be overridden).

Commit List

Benjamin Cremer

  • Fix GH-14175: Use two digit float specifier for FPM systemd format req rate in 5b6cda6523

Calvin Buckley

  • Fix check for newer versions of ICU in GH-14186

David Carlier

  • sapi/cgi: fix buffer limit on windows in 74843947f4

Derick Rethans

Dmitry Stogov

  • Fix undefined behavior (left shift of negative number) in f0356612d9
  • Fix prototype for trait methods in GH-14148
  • Fix incorrect inheritance of private trait methods in GH-14163

Gina Peter Banyard

  • ext/bcmath: Fix [-Wenum-int-mismatch] compiler warning in d775ba8804
  • ext/ffi: Fix [-Wenum-int-mismatch] compiler warning in 554541c4db
  • ext/gd: Fix [-Wcalloc-transposed-args] compiler warning in 3c45152798
  • ext/pdo_mysql: Fix [-Wcalloc-transposed-args] compiler warning in d4accd8b12
  • ext/readline: Fix [-Wcalloc-transposed-args] compiler warning in 0accfd1fe1

Ilija Tovilo

  • Fix __SANITIZE_ADDRESS__ redeclaration warning in d670e131df
  • Delay #[Attribute] arg validation until runtime in f8d1864bbb
  • Fix persisting of inherited class constants in 42ede5597e

Kamil Tekiela

Marcus Xavier

Matteo Beccati

  • Stick to mysql 8.3 for the time being in 6fed9a9a7e

Niels Dossche

Peter Kokot

Pierrick Charron

Saki Takamachi

Tim Düsterhus

  • CI: Do not save the ccache for PRs in GH-14168
Subscribe to PHP.Watch newsletter for monthly updates

You will receive an email on last Wednesday of every month and on major PHP releases with new articles related to PHP, upcoming changes, new features and what's changing in the language. No marketing emails, no selling of your contacts, no click-tracking, and one-click instant unsubscribe from any email you receive.