PHP 8.2.26: Downloads, Changelog, News

Release Information

Release: 8.2.26
PHP Version: PHP 8.2
Release Date: 2024 Nov 21
Release Type: Security Update
Release Status: Latest Release in 8.2
Branch Status: Supported

Latest release for PHP 8.2. This release contains security fixes, and it is recommended to update as soon as possible.
PHP 8.2 continues to receive bug fixes and security fixes until 2024-12-31.

PHP can be compiled by setting up the dependencies, building the configure script (./buildconf), configuring the build ./configure, and running make.
Detailed articles on how to compile PHP are available for Ubuntu/Debian based systems and Fedora/RHEL based systems.

Windows binaries

Non-Thread Safe Builds

Non-Thread Safe (NTS) builds are single-threaded PHP builds. They can be used on web servers that integrate PHP over FastCGI protocol, such as Nginx, Caddy, and IIS.

php-8.2.26-x64NTS.zip (30.33 MiB)

php-8.2.26-x86NTS.zip (27.22 MiB)

Thread-Safe Builds

Thread-Safe (TS) builds are multi-thread PHP builds, often used to integrate PHP as a Server API for multithreaded servers. The most common use case is using PHP as an Apache module.

php-8.2.26-x64TS.zip (30.43 MiB)

php-8.2.26-x86TS.zip (27.20 MiB)

Docker/Podman Containers

PHP CLI

PHP CLI Containers images only include the PHP CLI, and no FPM or Apache modules. The Alpine builds are lightweight, but may introduce incompatibilities due to their musl builds. Albeit their larger size, the Debian-based (without the "-alpine" suffix) images are more complete, and widely used.

Alpine-based: Lightweight, but may introduce incompatibilities due to their musl builds.

docker pull php:8.2.26-cli-alpine

Debian-based: More compatible with other components, complete, and are widely used.

docker pull php:8.2.26-cli

PHP CLI + Web Server Integration

These container images include PHP CLI, and a web server integration. FPM container images can be integrated with web servers such as Nginx, Caddy, and Apache with Event MPM. The Apache container images include Apache web server, integrating PHP as an Apache module.

Alpine-based: Lightweight, but may introduce incompatibilities due to their musl builds.

docker pull php:8.2.26-fpm-alpine

Debian-based ZTS Apache: Includes Apache web server integrating PHP as an Apache module.

docker pull php:8.2.26-apache

Debian-based NTS FPM: PHP-FPM, can be integrated with Nginx, Caddy, and other web servers over Fast CGI.

docker pull php:8.2.26-fpm

ChangeLog

CLI

Fixed bug GH-16373 (Shebang is not skipped for router script in cli-server started through shebang).
Fixed bug GHSA-4w77-75f9-2c8w (Heap-Use-After-Free in sapi_read_post_data Processing in CLI SAPI Interface).

COM

Fixed out of bound writes to SafeArray data.

Core

Fixed bug GH-16168 (php 8.1 and earlier crash immediately when compiled with Xcode 16 clang on macOS 15).
Fixed bug GH-16371 (Assertion failure in Zend/zend_weakrefs.c:646).
Fixed bug GH-16515 (Incorrect propagation of ZEND_ACC_RETURN_REFERENCE for call trampoline).
Fixed bug GH-16509 (Incorrect line number in function redeclaration error).
Fixed bug GH-16508 (Incorrect line number in inheritance errors of delayed early bound classes).
Fixed bug GH-16648 (Use-after-free during array sorting).
Fixed bug GH-15915 (overflow with a high value for precision INI). (David Carlier / cmb)

Curl

Fixed bug GH-16302 (CurlMultiHandle holds a reference to CurlHandle if curl_multi_add_handle fails).

Date

Fixed bug GH-16454 (Unhandled INF in date_sunset() with tiny $utcOffset).
Fixed bug GH-16037 (Assertion failure in ext/date/php_date.c).
Fixed bug GH-14732 (date_sun_info() fails for non-finite values).

DBA

Fixed bug GH-16390 (dba_open() can segfault for "pathless" streams).

DOM

Fixed bug GH-16316 (DOMXPath breaks when not initialized properly).
Fixed bug GH-16473 (dom_import_simplexml stub is wrong).
Fixed bug GH-16533 (Segfault when adding attribute to parent that is not an element).
Fixed bug GH-16535 (UAF when using document as a child).
Fixed bug GH-16593 (Assertion failure in DOM->replaceChild).
Fixed bug GH-16595 (Another UAF in DOM -> cloneNode).

EXIF

Fixed bug GH-16409 (Segfault in exif_thumbnail when not dealing with a real file).

FFI

Fixed bug GH-16397 (Segmentation fault when comparing FFI object).

Filter

Fixed bug GH-16523 (FILTER_FLAG_HOSTNAME accepts ending hyphen).

FPM

Fixed bug GH-16628 (FPM logs are getting corrupted with this log statement).

GD

Fixed bug GH-16334 (imageaffine overflow on matrix elements).
Fixed bug GH-16427 (Unchecked libavif return values).
Fixed bug GH-16559 (UBSan abort in ext/gd/libgd/gd_interpolation.c:1007).

GMP

Fixed floating point exception bug with gmp_pow when using large exposant values.
Fixed bug GH-16411 (gmp_export() can cause overflow).
Fixed bug GH-16501 (gmp_random_bits() can cause overflow).
Fixed gmp_pow() overflow bug with large base/exponents.
Fixed segfaults and other issues related to operator overloading with GMP objects.

LDAP

Fixed bug GHSA-g665-fm4p-vhff (OOB access in ldap_escape). (CVE-2024-8932)

MBstring

Fixed bug GH-16361 (mb_substr overflow on start/length arguments).

MySQLnd

Fixed bug GHSA-h35g-vwh6-m678 (Leak partial content of the heap through heap buffer over-read). (CVE-2024-8929)

OpenSSL

Fixed bug GH-16357 (openssl may modify member types of certificate arrays).
Fixed bug GH-16433 (Large values for openssl_csr_sign() $days overflow).
Fix various memory leaks on error conditions in openssl_x509_parse().

PDO DBLIB

Fixed bug GHSA-5hqh-c84r-qjcv (Integer overflow in the dblib quoter causing OOB writes). (CVE-2024-11236)

PDO Firebird

Fixed bug GHSA-5hqh-c84r-qjcv (Integer overflow in the firebird quoter causing OOB writes). (CVE-2024-11236)

PDO ODBC

Fixed bug GH-16450 (PDO_ODBC can inject garbage into field values).

Phar

Fixed bug GH-16406 (Assertion failure in ext/phar/phar.c:2808).

PHPDBG

Fixed bug GH-16174 (Empty string is an invalid expression for ev).

Reflection

Fixed bug GH-16601 (Memory leak in Reflection constructors).

Session

Fixed bug GH-16385 (Unexpected null returned by session_set_cookie_params).
Fixed bug GH-16290 (overflow on cookie_lifetime ini value).

SOAP

Fixed bug GH-16429 (Segmentation fault access null pointer in SoapClient).

Sockets

Fixed bug with overflow socket_recvfrom $length argument.

SPL

Fixed bug GH-16337 (Use-after-free in SplHeap).
Fixed bug GH-16464 (Use-after-free in SplDoublyLinkedList::offsetSet()).
Fixed bug GH-16479 (Use-after-free in SplObjectStorage::setInfo()).
Fixed bug GH-16478 (Use-after-free in SplFixedArray::unset()).
Fixed bug GH-16588 (UAF in Observer->serialize).
Fix GH-16477 (Segmentation fault when calling debugInfo() after failed SplFileObject::constructor).
Fixed bug GH-16589 (UAF in SplDoublyLinked->serialize()).
Fixed bug GH-14687 (segfault on SplObjectIterator instance).
Fixed bug GH-16604 (Memory leaks in SPL constructors).
Fixed bug GH-16646 (UAF in ArrayObject::unset() and ArrayObject::exchangeArray()).

Standard

Fixed bug GH-16293 (Failed assertion when throwing in assert() callback with bail enabled).

Streams

Fixed bug GHSA-c5f2-jwm7-mmq2 (Configuring a proxy in a stream context might allow for CRLF injection in URIs). (CVE-2024-11234)
Fixed bug GHSA-r977-prxv-hc43 (Single byte overread with convert.quoted-printable-decode filter). (CVE-2024-11233)

SysVMsg

Fixed bug GH-16592 (msg_send() crashes when a type does not properly serialized). (David Carlier / cmb)

SysVShm

Fixed bug GH-16591 (Assertion error in shm_put_var).

XMLReader

Fixed bug GH-16292 (Segmentation fault in ext/xmlreader/php_xmlreader.c).

Zlib

Fixed bug GH-16326 (Memory management is broken for bad dictionaries.)

Commit List

Arnaud Le Blanc

Fix handling of invalid iterator in zend_weakmap_iterator_get_current_key() in 1d94fb86b7

Christoph M. Becker

Fix out of bound writes to SafeArray data in 1ee56bdd5a
Fix GH-16174: Empty string is an invalid expression for phpdbg-ev in 6bcba24eb0
Fix GH-16357: openssl may modify member types of certificate arrays in 549bcdb7fb
Fix GH-16388: UB when freeing a cloned _ZendTestFiber in a3eb1fd86d
Fix GH-16326: Memory management is broken for bad dictionaries in d94be24f30
Fix GH-16427: Unchecked libavif return values in b817a4f718
Fix GH-16411: gmp_export() can cause overflow in ab595c0764
Fix GH-16433: Large values for openssl_csr_sign() $days overflow in 2bdf2f9100
Download enchant dict from downloads.php.net in 5ef3fe218c
Fix GH-16454: Unhandled INF in date_sunset() with tiny $utcOffset in 9bc34182b6
Fix GH-16390: dba_open() can segfault for "pathless" streams in d3b0efe9d7
Fix GH-16266: _ZendTestClass::test() segfaults on named parameter in b73bcaa47c
Fix GH-16523: FILTER_FLAG_HOSTNAME accepts ending hyphen in f9ce5e79da
Fix GH-16450: PDO_ODBC can inject garbage into field values in c9eafc1954
Properly initialize _override executor globals in ec68d3c608
Fix GH-14732: date_sun_info() fails for non-finite values in f9453a889d
Patch libcurl.pc for macOS builds in 15cc4424bb
Need to define BREW_OPT in 5a55ef021c
Adapt ext/intl tests for ICU 75.1 and 76.1 in 5284abd383

David Carlier

Fix GH-16322: overflow on imageaffine matrix argument in 05114265fb
Revert "Fix GH-16322: overflow on imageaffine matrix argument." in 93a2fe8aac
Fix GH-16360 mb_substr overflow on start and length arguments in c34d4fbbf4
Fix GH-16322: imageaffine overflow on affine argument in f2859a4050
Fix socket_recvfrom overflow on buffer size in e583890af0
Fix GH-16290: session cookie_lifetime ini value overflow in 84a8fea251
ext/gmp: gmp_pow fix FPE with large values in d70b7811b0
Fix GH-16501: gmp_random_bits overflow in 9ca68e037c
ext/gmp: gmp_pow fix FPE with large values in e0a0e216a9
Fix GH-14687 segfault on debugging a freed SplObjectIterator instance in eeec0939e0
Fix GH-16592 msg_send() crashes when the type does not serialize as expected in 90aac521fd

Derick Rethans

Fixed bug GH-16037 (Assertion failure in ext/date/php_date.c) in b2b294a2b2

Dmitry Stogov

Fix GH-16393: Assertion failure in ext/opcache/jit/zend_jit.c:2897 in bf786d0d28
Fix GH-16499: [JIT] Undefined to null coercion issues for return in fe513655dc

Gina Peter Banyard

Fix GH-16477 (Segmentation fault when calling debugInfo() after failed SplFileObject::constructor) in a19029fc8b
ext/gmp: Add behavioural tests for operator overloading in fe02fd5095
ext/gmp: Fix segfault when null is encountered on an overloaded operator in 5253647500

Ilija Tovilo

Skip shebang in cli-server router script in 06efe44c2e
Fix exception in assert() callback with bail enabled in b5c09b1a61
Fix segfault in zend_test_execute_internal() in 5c798415cd
Fix segfault on debug_backtrace() in _ZendTestFiber in 5955ce8987
Fix uaf in SplDoublyLinkedList::offsetSet() in 8820a10360
Fix use-after-free in SplObjectStorage::setInfo() in 12c987fae2
Fix uaf in SplFixedArray::unset() in 7fe168d855
Fix propagation of ZEND_ACC_RETURN_REFERENCE for call trampoline in 8720063c4e
Fix handling of nested generator in zend_test observer in 69bcbdc3c5
Fix lineno in function redeclaration error in de7ef3fa66
Fix lineno for inheritance errors of early bound classes in 2d068c4f47
Backport CI fixes to security branches in 25c0993902
Fix icu dependency for macos build in e3de1a1a21
Backport nightly.yml and nightly_matrix.php to PHP-8.1 in 27e8860594
[CI] Backport usage of db service for 8.1 in 560a585117
Partial backport of e7462bf in ed041c3443
Remove -Werror for libmysql test on 8.1 only in 769947648e
Fix array going away during sorting in 2bdce61390
Postpone zend_array_sort() in ext-intl in 845cdbce67
Fix use-after-free in ArrayObject::unset() with destructor in 8910ac800d
Also fix same issue in ArrayObject::exchangeArray() in f7222bd2de
Add NEWS entry in 418f820f5d

Jakub Zelenka

Fix GHSA-c5f2-jwm7-mmq2: stream HTTP fulluri CRLF injection in cf6700e86d
Fix GHSA-h35g-vwh6-m678: Mysqlnd - various heap buffer over-reads in 6c0e2eb2f8
Make MySQLnd protocol stmt test work on 32bit in abc6de0dde
Fix MySQLnd possible buffer over read in auth_protocol in 913031c844
Update NEWS with security fixes info in ce961b52f3

Niels Dossche

Fix GH-16292: Segmentation fault in ext/xmlreader/php_xmlreader.c:1282 in 5c1249391b
Fix GH-16316: DOMXPath breaks when not initialized properly in 1d0fbdf449
Fix GH-16168: php 8.1 and earlier crash immediately when compiled with Xcode 16 clang on macOS 15 in e2e2b3ab62
Fix GH-16385: Unexpected null returned by session_set_cookie_params in 7cdd1302c3
Fix GH-16337: Use-after-free in SplHeap in a56ff4fec7
Backport 0a39890c: Fix libxml2 2.12 build due to API breaks in fa6a0f80f6
Backport e2d97314: Backport deprecation warning ignores to unbreak CI in dbde99d875
Backport 4fe82131: Backport libxml2 2.13.2 fixes in GH-14816
Backport f74f9b07: Update libxml test for the directory field behaviour change in b78618750f
Backport 3ec5919e: Update error message for libxml 2.13 in 6199289b6e
Workaround deprecation warning in zend_test on 8.1 in 5bd04acfe9
Backport 061058a9: Test fixes for libxml2 2.12.0 in 14c107371c
Fix error message for newer libxml in 2c40762b4e
Fix GH-16409: Segfault in exif_thumbnail when not dealing with a real file in 3843f0ecfe
Fix GH-16397: Segmentation fault when comparing FFI object in GH-16401
Fix GH-16429: Segmentation fault (access null pointer) in SoapClient in d613c0ed30
Fix GH-16406: Assertion failure in ext/phar/phar.c:2808 in 6a8d0a054d
Fix GH-16473: dom_import_simplexml stub is wrong in 41af9335b7
Fix GH-16533: Segfault when adding attribute to parent that is not an element in a0a7361b64
Fix GH-16535: UAF when using document as a child in 51b642f2c9
Fix GH-16559: UBSan abort in ext/gd/libgd/gd_interpolation.c:1007 in e1e1e64a32
Fix GH-16588: UAF in Observer->serialize in 144d2ee29a
Fix GH-16591: Assertion error in shm_put_var in 992ac1c25a
Fix GH-16589: UAF in SplDoublyLinked->serialize() in 8f60309a78
Fix GH-16593: Assertion failure in DOM->replaceChild in d89dd28d3b
Fix GH-16595: Another UAF in DOM -> cloneNode in 9d8983c061
Fix GH-16604: Memory leaks in SPL constructors in 886a5287ca
Fix GH-16601: Memory leak in Reflection constructors in f0f666ba3f
Fix GH-16628: FPM logs are getting corrupted with this log statement in e643129bbb
Fix various memory leaks on error conditions in openssl_x509_parse() in 5ddb75660d
Fix GHSA-5hqh-c84r-qjcv: Integer overflow in the dblib quoter causing OOB writes in 7742f79a8a
Fix GHSA-5hqh-c84r-qjcv: Integer overflow in the firebird quoter causing OOB writes in 2dbe1425c5
Fix GHSA-g665-fm4p-vhff: OOB access in ldap_escape in 90c851a8b1
Fix GHSA-r977-prxv-hc43 in a6c84cd7ef
Fix GHSA-4w77-75f9-2c8w in 3ec6ac482e

Pierrick Charron

Update versions for PHP 8.2.26 in a3695d49e8

Saki Takamachi

Backport 3237b8f4 in 8497400b23

Tim Düsterhus

curl: Prevent a CurlMultiHandle from holding onto a CurlHandle if add_handle fails in GH-16302