Release Information
- Release Type
- Security Update
- Release Status
- Latest
- Branch Status
- Security-Fixes Only
PHP 8.2 is currently only receiving security fixes, and scheduled to reach EOL on 2026-12-31
Downloads
Source Code
Git Clone
Use Git to clone the 8.2.28 tag from the PHP Git repository.
git clone https://github.com/php/php-src.git --depth 1 --branch php-8.2.28How to compile PHP
PHP can be compiled by setting up the dependencies, building the configure script (
Detailed articles on how to compile PHP are available for Ubuntu/Debian based systems and Fedora/RHEL based systems.
./buildconf), configuring the build ./configure, and running make.Detailed articles on how to compile PHP are available for Ubuntu/Debian based systems and Fedora/RHEL based systems.
Windows binaries
Non-Thread Safe Builds
Non-Thread Safe (NTS) builds are single-threaded PHP builds. They can be used on web servers that integrate PHP over FastCGI protocol, such as Nginx, Caddy, and IIS.
php-8.2.28-x64NTS.zip (30.33 MiB)
php-8.2.28-x86NTS.zip (27.22 MiB)
Thread-Safe Builds
Thread-Safe (TS) builds are multi-thread PHP builds, often used to integrate PHP as a Server API for multithreaded servers. The most common use case is using PHP as an Apache module.
php-8.2.28-x64TS.zip (30.44 MiB)
php-8.2.28-x86TS.zip (27.20 MiB)
Docker/Podman Containers
PHP CLI
PHP CLI Containers images only include the PHP CLI, and no FPM or Apache modules. The Alpine builds are lightweight, but may introduce incompatibilities due to their musl builds. Albeit their larger size, the Debian-based (without the "-alpine" suffix) images are more complete, and widely used.
Alpine-based: Lightweight, but may introduce incompatibilities due to their musl builds.
docker pull php:8.2.28-cli-alpineDebian-based: More compatible with other components, complete, and are widely used.
docker pull php:8.2.28-cliPHP CLI + Web Server Integration
These container images include PHP CLI, and a web server integration. FPM container images can be integrated with web servers such as Nginx, Caddy, and Apache with Event MPM. The Apache container images include Apache web server, integrating PHP as an Apache module.
Alpine-based: Lightweight, but may introduce incompatibilities due to their musl builds.
docker pull php:8.2.28-fpm-alpineDebian-based ZTS Apache: Includes Apache web server integrating PHP as an Apache module.
docker pull php:8.2.28-apacheDebian-based NTS FPM: PHP-FPM, can be integrated with Nginx, Caddy, and other web servers over Fast CGI.
docker pull php:8.2.28-fpmChangeLog
Core
- Fixed bug GH-17211 (observer segfault on function loaded with dl()).
LibXML
- Fixed GHSA-wg4p-4hqh-c3g9 (Reocurrence of #72714).
- Fixed GHSA-p3x9-6h7p-cgfc (libxml streams use wrong
content-typeheader when requesting a redirected resource). (CVE-2025-1219)
Streams
- Fixed GHSA-hgf5-96fm-v528 (Stream HTTP wrapper header check might omit basic auth header). (CVE-2025-1736)
- Fixed GHSA-52jp-hrpf-2jff (Stream HTTP wrapper truncate redirect location to 1024 bytes). (CVE-2025-1861)
- Fixed GHSA-pcmh-g36c-qc44 (Streams HTTP wrapper does not fail for headers without colon). (CVE-2025-1734)
- Fixed GHSA-v8xr-gpvj-cx9g (Header parser of
httpstream wrapper does not handle folded headers). (CVE-2025-1217)
Windows
- Fixed phpize for Windows 11 (24H2).
Commit List
Arnaud Le Blanc
- Add observer temporary to dl'ed functions in 6f579934f0
Calvin Buckley
- Attempt at ppc64 CI in GH-17945
- Skip mysqli/tests/bug73462 on PPC CI in GH-17971
- Remove "Notify Slack" on ppc nightly workflow in GH-17993
Christoph M. Becker
- Enable GHSA-9pqp-7h25-4f32.phpt on Windows in 7685fb0e1c
- Revert "Enable GHSA-9pqp-7h25-4f32.phpt on Windows" in 2285d7083e
- Skip
parse_ini_file_variation6.phpton Windows in b3b38e2d5c gh15937.phptdoes not need to be an online test in 919f1984d5- Use preinstalled MySQL for Windows CI in a403b76e88
- Relax timezone_IDforWindowsID_basic2.phpt expectations in afe8e2cdff
- Fix
curl_basic_022.phptfor libcurl 8.12.0 in 36d46a4732
Dmitry Stogov
- Backport fix for GH-9011 in GH-17052
- Backport JIT fix: set valid EX(opline) before calling
gc_possible_root()in GH-16858
Ilija Tovilo
- Drop intl on macOS + PHP 8.1 build in e675c1a467
- Backport flaky flag for phar tests in 8a9d45b86f
- Backport nightly.yml in f26250c7c7
- Skip Symfony/Wordpress in 8.1 build in 5b8c960c9f
- Fix GHA config yml error in 3e6f4702ba
- Fix mysql mysql_native_password error on CircleCI in c99fb05929
- Fix cve-2014-3538 test in d17d58a982
- Add CONFLICT all to random port test in 726cf51236
- Fix flaky DatePeriod test in 8a699372f2
- Upgrade security branches to Ubuntu 22.04 in 5fcc8d4cd1
- Suppress snmp lib memory leak, skip ASAN tests in b0858427aa
- Increase CircleCI no_output_timeout in ee7fcf2a07
Jakub Zelenka
- Use empheral port for mysqli fake server tests in 39c292b1eb
- Fix GH-16955: Use empheral ports for OpenSSL server client tests in b8731767d8
- Port OpenSSL gh10495, gh13860 and gh9310 test to use ephemeral ports in 37504f123d
- Test
stream_context_tcp_nodelay_serveron Windows in 9e1b58274e - Fix GH-17499: mysqli flaky test: ghsa-h35g-vwh6-m678-stmt-row-string in 235d1b14a3
- Fix GHSA-ghsa-v8xr-gpvj-cx9g: http header folding in bb3b9cec7c
- Fix GHSA-pcmh-g36c-qc44: http headers without colon in 45687b5ac0
- Fix GHSA-52jp-hrpf-2jff: http redirect location truncation in 4a0c42f752
- Fix GHSA-hgf5-96fm-v528: http user header check of crlf in 7af512087b
- Update NEWS with entries for security fixes in 7cfcced91f
Niels Dossche
- Backport GH-16348 in 806d2e073c
- Fix tests for libxml2 2.14 in f209eb448e
- Fix test GH-16535 for libxml2 2.14 in b5471300d2
- Fix GHSA-wg4p-4hqh-c3g9 in a5efd911e2
Pierrick Charron
- Update versions for PHP 8.2.28 in 997ec633e4
Shivam Mathur
- ci: add workflow to trigger windows builds in f4aadb5537
Tim Düsterhus
- Fix GHSA-p3x9-6h7p-cgfc: libxml streams wrong
content-typeon redirect in 6d080b98de