PHP 8.2.28: Downloads, Changelog, News

Release Information

Release: 8.2.28
PHP Version: PHP 8.2
Release Date: 2025 Mar 13
Release Type: Security Update
Release Status: Latest
Branch Status: Security-Fixes Only

PHP 8.2 is currently only receiving security fixes, and scheduled to reach EOL on 2026-12-31

PHP can be compiled by setting up the dependencies, building the configure script (./buildconf), configuring the build ./configure, and running make.
Detailed articles on how to compile PHP are available for Ubuntu/Debian based systems and Fedora/RHEL based systems.

Windows binaries

Non-Thread Safe Builds

Non-Thread Safe (NTS) builds are single-threaded PHP builds. They can be used on web servers that integrate PHP over FastCGI protocol, such as Nginx, Caddy, and IIS.

php-8.2.28-x64NTS.zip (30.33 MiB)

php-8.2.28-x86NTS.zip (27.22 MiB)

Thread-Safe Builds

Thread-Safe (TS) builds are multi-thread PHP builds, often used to integrate PHP as a Server API for multithreaded servers. The most common use case is using PHP as an Apache module.

php-8.2.28-x64TS.zip (30.44 MiB)

php-8.2.28-x86TS.zip (27.20 MiB)

Docker/Podman Containers

PHP CLI

PHP CLI Containers images only include the PHP CLI, and no FPM or Apache modules. The Alpine builds are lightweight, but may introduce incompatibilities due to their musl builds. Albeit their larger size, the Debian-based (without the "-alpine" suffix) images are more complete, and widely used.

Alpine-based: Lightweight, but may introduce incompatibilities due to their musl builds.

docker pull php:8.2.28-cli-alpine

Debian-based: More compatible with other components, complete, and are widely used.

docker pull php:8.2.28-cli

PHP CLI + Web Server Integration

These container images include PHP CLI, and a web server integration. FPM container images can be integrated with web servers such as Nginx, Caddy, and Apache with Event MPM. The Apache container images include Apache web server, integrating PHP as an Apache module.

Alpine-based: Lightweight, but may introduce incompatibilities due to their musl builds.

docker pull php:8.2.28-fpm-alpine

Debian-based ZTS Apache: Includes Apache web server integrating PHP as an Apache module.

docker pull php:8.2.28-apache

Debian-based NTS FPM: PHP-FPM, can be integrated with Nginx, Caddy, and other web servers over Fast CGI.

docker pull php:8.2.28-fpm

ChangeLog

Core

Fixed bug GH-17211 (observer segfault on function loaded with dl()).

LibXML

Fixed GHSA-wg4p-4hqh-c3g9 (Reocurrence of #72714).
Fixed GHSA-p3x9-6h7p-cgfc (libxml streams use wrong content-type header when requesting a redirected resource). (CVE-2025-1219)

Streams

Fixed GHSA-hgf5-96fm-v528 (Stream HTTP wrapper header check might omit basic auth header). (CVE-2025-1736)
Fixed GHSA-52jp-hrpf-2jff (Stream HTTP wrapper truncate redirect location to 1024 bytes). (CVE-2025-1861)
Fixed GHSA-pcmh-g36c-qc44 (Streams HTTP wrapper does not fail for headers without colon). (CVE-2025-1734)
Fixed GHSA-v8xr-gpvj-cx9g (Header parser of http stream wrapper does not handle folded headers). (CVE-2025-1217)

Windows

Fixed phpize for Windows 11 (24H2).

Commit List

Arnaud Le Blanc

Add observer temporary to dl'ed functions in 6f579934f0

Calvin Buckley

Attempt at ppc64 CI in GH-17945
Skip mysqli/tests/bug73462 on PPC CI in GH-17971
Remove "Notify Slack" on ppc nightly workflow in GH-17993

Christoph M. Becker

Enable GHSA-9pqp-7h25-4f32.phpt on Windows in 7685fb0e1c
Revert "Enable GHSA-9pqp-7h25-4f32.phpt on Windows" in 2285d7083e
Skip parse_ini_file_variation6.phpt on Windows in b3b38e2d5c
gh15937.phpt does not need to be an online test in 919f1984d5
Use preinstalled MySQL for Windows CI in a403b76e88
Relax timezone_IDforWindowsID_basic2.phpt expectations in afe8e2cdff
Fix curl_basic_022.phpt for libcurl 8.12.0 in 36d46a4732

Dmitry Stogov

Backport fix for GH-9011 in GH-17052
Backport JIT fix: set valid EX(opline) before calling gc_possible_root() in GH-16858

Ilija Tovilo

Drop intl on macOS + PHP 8.1 build in e675c1a467
Backport flaky flag for phar tests in 8a9d45b86f
Backport nightly.yml in f26250c7c7
Skip Symfony/Wordpress in 8.1 build in 5b8c960c9f
Fix GHA config yml error in 3e6f4702ba
Fix mysql mysql_native_password error on CircleCI in c99fb05929
Fix cve-2014-3538 test in d17d58a982
Add CONFLICT all to random port test in 726cf51236
Fix flaky DatePeriod test in 8a699372f2
Upgrade security branches to Ubuntu 22.04 in 5fcc8d4cd1
Suppress snmp lib memory leak, skip ASAN tests in b0858427aa
Increase CircleCI no_output_timeout in ee7fcf2a07

Jakub Zelenka

Use empheral port for mysqli fake server tests in 39c292b1eb
Fix GH-16955: Use empheral ports for OpenSSL server client tests in b8731767d8
Port OpenSSL gh10495, gh13860 and gh9310 test to use ephemeral ports in 37504f123d
Test stream_context_tcp_nodelay_server on Windows in 9e1b58274e
Fix GH-17499: mysqli flaky test: ghsa-h35g-vwh6-m678-stmt-row-string in 235d1b14a3
Fix GHSA-ghsa-v8xr-gpvj-cx9g: http header folding in bb3b9cec7c
Fix GHSA-pcmh-g36c-qc44: http headers without colon in 45687b5ac0
Fix GHSA-52jp-hrpf-2jff: http redirect location truncation in 4a0c42f752
Fix GHSA-hgf5-96fm-v528: http user header check of crlf in 7af512087b
Update NEWS with entries for security fixes in 7cfcced91f

Niels Dossche

Backport GH-16348 in 806d2e073c
Fix tests for libxml2 2.14 in f209eb448e
Fix test GH-16535 for libxml2 2.14 in b5471300d2
Fix GHSA-wg4p-4hqh-c3g9 in a5efd911e2

Pierrick Charron

Update versions for PHP 8.2.28 in 997ec633e4

Shivam Mathur

ci: add workflow to trigger windows builds in f4aadb5537

Tim Düsterhus

Fix GHSA-p3x9-6h7p-cgfc: libxml streams wrong content-type on redirect in 6d080b98de