Release Information
- Release Type
- Security Update
- Release Status
- Latest
- Branch Status
- Supported (Latest)
Latest PHP release in the latest version. This release contains security fixes, and it is recommended to update as soon as possible.
PHP 8.3 continues to receive bug fixes and security fixes until 2025-12-31.
Downloads
Source Code
Git Clone
Use Git to clone the 8.3.12 tag from the PHP Git repository.
git clone https://github.com/php/php-src.git --depth 1 --branch php-8.3.12How to compile PHP
PHP can be compiled by setting up the dependencies, building the configure script (
Detailed articles on how to compile PHP are available for Ubuntu/Debian based systems and Fedora/RHEL based systems.
./buildconf), configuring the build ./configure, and running make.Detailed articles on how to compile PHP are available for Ubuntu/Debian based systems and Fedora/RHEL based systems.
Windows binaries
Non-Thread Safe Builds
Non-Thread Safe (NTS) builds are single-threaded PHP builds. They can be used on web servers that integrate PHP over FastCGI protocol, such as Nginx, Caddy, and IIS.
php-8.3.12-x64NTS.zip (30.68 MiB)
php-8.3.12-x86NTS.zip (27.55 MiB)
Thread-Safe Builds
Thread-Safe (TS) builds are multi-thread PHP builds, often used to integrate PHP as a Server API for multithreaded servers. The most common use case is using PHP as an Apache module.
php-8.3.12-x64TS.zip (30.82 MiB)
php-8.3.12-x86TS.zip (27.53 MiB)
Docker/Podman Containers
PHP CLI
PHP CLI Containers images only include the PHP CLI, and no FPM or Apache modules. The Alpine builds are lightweight, but may introduce incompatibilities due to their musl builds. Albeit their larger size, the Debian-based (without the "-alpine" suffix) images are more complete, and widely used.
Alpine-based: Lightweight, but may introduce incompatibilities due to their musl builds.
docker pull php:8.3.12-cli-alpineDebian-based: More compatible with other components, complete, and are widely used.
docker pull php:8.3.12-cliPHP CLI + Web Server Integration
These container images include PHP CLI, and a web server integration. FPM container images can be integrated with web servers such as Nginx, Caddy, and Apache with Event MPM. The Apache container images include Apache web server, integrating PHP as an Apache module.
Alpine-based: Lightweight, but may introduce incompatibilities due to their musl builds.
docker pull php:8.3.12-fpm-alpineDebian-based ZTS Apache: Includes Apache web server integrating PHP as an Apache module.
docker pull php:8.3.12-apacheDebian-based NTS FPM: PHP-FPM, can be integrated with Nginx, Caddy, and other web servers over Fast CGI.
docker pull php:8.3.12-fpmChangeLog
CGI
- Fixed bug GHSA-p99j-rfp4-xqvq (Bypass of CVE-2024-4577, Parameter Injection Vulnerability). (CVE-2024-8926)
- Fixed bug GHSA-94p6-54jq-9mwp (cgi.force_redirect configuration is bypassable due to the environment variable collision). (CVE-2024-8927)
Core
- Fixed bug GH-15408 (MSan false-positve on
zend_max_execution_timer). - Fixed bug GH-15515 (Configure error grep illegal option q).
- Fixed bug GH-15514 (Configure error: genif.sh: syntax error).
- Fixed bug GH-15565 (--disable-ipv6 during compilation produces error EAI_SYSTEM not found).
- Fixed bug GH-15587 (CRC32 API build error on arm 32-bit).
- Fixed bug GH-15330 (Do not scan generator frames more than once).
- Fixed uninitialized lineno in constant AST of internal enums.
Curl
- FIxed bug GH-15547 (curl_multi_select overflow on timeout argument).
DOM
- Fixed bug GH-15551 (Segmentation fault (access null pointer) in ext/dom/
xml_common.h). - Fixed bug GH-15654 (Signed integer overflow in ext/dom/nodelist.c).
Fileinfo
- Fixed bug GH-15752 (Incorrect error message for finfo_file with an empty filename argument).
FPM
- Fixed bug GHSA-865w-9rf3-2wh5 (Logs from childrens may be altered). (CVE-2024-9026)
MySQLnd
- Fixed bug GH-15432 (Heap corruption when querying a vector).
Opcache
- Fixed bug GH-15661 (Access null pointer in Zend/Optimizer/zend_inference.c).
- Fixed bug GH-15658 (Segmentation fault in Zend/zend_vm_execute.h).
SAPI
- Fixed bug GHSA-9pqp-7h25-4f32 (Erroneous parsing of multipart form data). (CVE-2024-8925)
Standard
- Fixed bug GH-15552 (Signed integer overflow in ext/standard/scanf.c).
Streams
- Fixed bug GH-15628 (
php_stream_memory_get_buffer()not zero-terminated).
Commit List
Arnaud Le Blanc
- Do not scan generator frames more than once in GH-15330
- Fix GHSA-9pqp-7h25-4f32 in dd15693e90
Bernd Kuhls
- Fix GH-15587: Autotools: fix configure check for aarch64 CRC32 API in 5947db6bb8
Christoph M. Becker
- Fix GH-15432: Heap corruption when querying a vector in b1211c1e4a
- Fix GH-15628:
php_stream_memory_get_buffer()not zero-terminated in 93021c635d - Mark
gd14930.phptas dynamicxfailin ac4039df20 - Fix GH-15552: Signed integer overflow in ext/standard/scanf.c in 08841bf79c
- Fix
run-tests.phpto propagate status code on Windows in 71b908748a
Daniel Scherzer
- Fix GH-15752:
finfo_file()- parameter validation error messages in c5e0a6aaab
David Carlier
- Checks getrandom availability on solaris in 5c9c275743
- Checks getrandom availability on solaris in f1e5c63837
- Fixed GH-15547: curl_multi_wait expects a signed int for timeout in cc67220ea3
- Fix GH-15653: fgetcsv overflow on length parameter in 7db1a5843f
Derick Rethans
- Updated to version 2024.2 (2024b) in 5fc37b1ec6
- Empty merge in d31a9474b0
- Updated to version 2024.2 (2024b) in 7023fb9d93
Dmitry Stogov
- Fix GH-15502: Crash with JIT and Excimer in GH-15601
- Fix GH-15497: Opcache with file_cache and JIT enabled crashes in GH-15635
- Restore error message incorrectly removed by commit 10d43c4 (related to GH-15497) in c15bb9afe2
- Prevent possible incorrect optimization caused by
ZEND_ASSUME()in bf98023f1a - Don't set IS_STR_PERMANENT flag for strings stored in the file cache in GH-15643
- Fix GH-15652: Segmentation fault in the Zend engine when JIT enabled in GH-15717
- Fix GH-15820: Core dumped with jit.opcache=1245 in 5cf045d357
Eric Mann
- Update versions for PHP 8.3.12 in b4ecd9aa2e
Go Kudo
- Fix MSan false-positive in
zend_max_execution_timerin GH-15408 zend_max_execution_timer: fix gcc compatibility in GH-15447zend_max_execution_timer: fix gcc compatibility in GH-15447- standard: supress msan in GH-15665
- Fix OPcache tests under specific conditions in bca5f6e74f
- Fix OPcache tests under specific conditions in d966c296d0
Ilija Tovilo
- Disable LSAN for crashing SOAP tests (GH-14562) in 65a101f3a7
- Fix uninitialized lineno in constant AST of internal enums in 08e0729c57
- Intercept strlcpy and strlcat for msan on Clang 17 in GH-12674
- Fix uouv in
array_columnin 24a294922b - Fix uninitialized EG(user_error_handler_error_reporting) in b9fdc0bdcd
- Fix uninitialized CG(
zend_lineno) in 1f35e2a999 - Fix MSAN
getservbyport()false positive in 0faa1d2017
Jakub Zelenka
- Revert fix for GH-14930: truncating readdir output in GH-15533
- Fix GHSA-865w-9rf3-2wh5: FPM: Logs from childrens may be altered in 0accd7240c
- Update NEWS with security fixes info in bbe593816a
- Skip GHSA-9pqp-7h25-4f32 test on Windows in 3ee90ab84e
Máté Kocsis
- Add missing return for DatePeriod::__unserialize in 6cab76986d
Niels Dossche
- Fix GH-15551: Segmentation fault (access null pointer) in ext/dom/
xml_common.h in 9af574c26e - Fix GH-15565:
--disable-ipv6 during compilation produces error EAI_SYSTEM not found in 4b6575a1f9 - Fix GH-15654: Signed integer overflow in ext/dom/nodelist.c in 9cb23a3dec
- Fix SOAP test failure on libxml2 2.13 in 979e68a2ec
- Fix GH-15661: Access null pointer in Zend/Optimizer/zend_inference.c in 86ef8d5466
- Fix GH-15658: Segmentation fault in Zend/zend_vm_execute.h in c1ffd4b484
- Fix buffer size configuration for AArch64 in bcd1f23b30
- Fix GHSA-p99j-rfp4-xqvq in 1c9f4d1aff
- Fix GHSA-94p6-54jq-9mwp in 61c8b7851b
Peter Kokot
- Fix GH-15515: Configure error grep illegal option q in GH-15516
- Fix bug GH-15514 (Configure error: genif.sh: syntax error) in 48a18e5be7
- Fix iconv_open basic test in GH-15611