Release Information
- Release Type
- Security Update
- Release Status
- Latest Release in 8.3
- Branch Status
- Supported
Latest release for PHP 8.3. This release contains security fixes, and it is recommended to update as soon as possible.
PHP 8.3 continues to receive bug fixes and security fixes until 2025-12-31.
Downloads
Source Code
Git Clone
Use Git to clone the 8.3.16 tag from the PHP Git repository.
git clone https://github.com/php/php-src.git --depth 1 --branch php-8.3.16How to compile PHP
PHP can be compiled by setting up the dependencies, building the configure script (
Detailed articles on how to compile PHP are available for Ubuntu/Debian based systems and Fedora/RHEL based systems.
./buildconf), configuring the build ./configure, and running make.Detailed articles on how to compile PHP are available for Ubuntu/Debian based systems and Fedora/RHEL based systems.
Windows binaries
Non-Thread Safe Builds
Non-Thread Safe (NTS) builds are single-threaded PHP builds. They can be used on web servers that integrate PHP over FastCGI protocol, such as Nginx, Caddy, and IIS.
php-8.3.16-x64NTS.zip (30.69 MiB)
php-8.3.16-x86NTS.zip (27.56 MiB)
Thread-Safe Builds
Thread-Safe (TS) builds are multi-thread PHP builds, often used to integrate PHP as a Server API for multithreaded servers. The most common use case is using PHP as an Apache module.
php-8.3.16-x64TS.zip (30.84 MiB)
php-8.3.16-x86TS.zip (27.54 MiB)
Docker/Podman Containers
PHP CLI
PHP CLI Containers images only include the PHP CLI, and no FPM or Apache modules. The Alpine builds are lightweight, but may introduce incompatibilities due to their musl builds. Albeit their larger size, the Debian-based (without the "-alpine" suffix) images are more complete, and widely used.
Alpine-based: Lightweight, but may introduce incompatibilities due to their musl builds.
docker pull php:8.3.16-cli-alpineDebian-based: More compatible with other components, complete, and are widely used.
docker pull php:8.3.16-cliPHP CLI + Web Server Integration
These container images include PHP CLI, and a web server integration. FPM container images can be integrated with web servers such as Nginx, Caddy, and Apache with Event MPM. The Apache container images include Apache web server, integrating PHP as an Apache module.
Alpine-based: Lightweight, but may introduce incompatibilities due to their musl builds.
docker pull php:8.3.16-fpm-alpineDebian-based ZTS Apache: Includes Apache web server integrating PHP as an Apache module.
docker pull php:8.3.16-apacheDebian-based NTS FPM: PHP-FPM, can be integrated with Nginx, Caddy, and other web servers over Fast CGI.
docker pull php:8.3.16-fpmChangeLog
Core
- Fixed bug GH-17106 (
ZEND_MATCH_ERRORmisoptimization). - Fixed bug GH-17162 (
zend_array_try_init()with dtor can cause engine UAF). - Fixed bug GH-17101 (AST->string does not reproduce constructor property promotion correctly).
- Fixed bug GH-17211 (observer segfault on function loaded with dl()).
- Fixed bug GH-17216 (Trampoline crash on error).
Date
- Fixed bug GH-14709 DatePeriod::__construct() overflow on recurrences.
DBA
- Skip test if inifile is disabled.
DOM
- Fixed bug GH-17224 (UAF in importNode).
Embed
- Make build command for program using embed portable.
FFI
- Fixed bug #79075 (FFI header parser chokes on comments).
- Fix memory leak on
ZEND_FFI_TYPE_CHARconversion failure. - Fixed bug GH-16013 and bug #80857 (Big endian issues).
Filter
- Fixed bug GH-16944 (Fix filtering special IPv4 and IPv6 ranges, by using information from RFC 6890).
FPM
- Fixed bug GH-13437 (FPM: ERROR: scoreboard: failed to lock (already locked)).
- Fixed bug GH-17112 (Macro redefinitions).
- Fixed bug GH-17208 (
bug64539-status-json-encoding.phptfail on 32-bits).
GD
- Fixed bug GH-16255 (Unexpected nan value in ext/gd/libgd/gd_filter.c).
- Ported fix for libgd bug 276 (Sometimes pixels are missing when storing images as BMPs).
Gettext
- Fixed bug GH-17202 (Segmentation fault ext/gettext/gettext.c
bindtextdomain()).
Iconv
- Fixed bug GH-17047 (UAF on iconv filter failure).
LDAP
- Fixed bug GH-17280 (
ldap_search()fails when $attributes array has holes).
LibXML
- Fixed bug GH-17223 (Memory leak in libxml encoding handling).
MBString
- Fixed bug GH-17112 (Macro redefinitions).
Opcache
opcache_get_configuration()properly reports jit_prof_threshold.- Fixed bug GH-17246 (GC during SCCP causes segfault).
PCNTL
- Fix memory leak in cleanup code of
pcntl_exec()when a non stringable value is encountered past the first entry.
PgSql
- Fixed bug GH-17158 (pg_fetch_result Shows Incorrect ArgumentCountError Message when Called With 1 Argument).
- Fixed further ArgumentCountError for calls with flexible number of arguments.
Phar
- Fixed bug GH-17137 (Segmentation fault ext/phar/phar.c).
SimpleXML
- Fixed bug GH-17040 (SimpleXML's unset can break DOM objects).
- Fixed bug GH-17153 (SimpleXML crash when using autovivification on document).
Sockets
- Fixed bug GH-16276 (socket_strerror overflow handling with INT_MIN). (David Carlier / cmb)
- Fixed overflow on SO_LINGER values setting, strengthening values check on SO_SNDTIMEO/SO_RCVTIMEO for
socket_set_option().
SPL
- Fixed bug GH-17225 (NULL deref in
spl_directory.c).
Streams
- Fixed bug GH-17037 (UAF in user filter when adding existing filter name due to incorrect error handling).
- Fixed bug GH-16810 (overflow on fopen HTTP wrapper timeout value).
- Fixed bug GH-17067 (glob:// wrapper doesn't cater to CWD for ZTS builds).
Windows
- Hardened
proc_open()against cmd.exe hijacking.
XML
- Fixed bug GH-1718 (unreachable program point in
zend_hash).
Commit List
Arnaud Le Blanc
- NEWS for GH-17168 in a23ecc0a75
- Add observer temporary to dl'ed functions in 6f579934f0
Calvin Buckley
- Fix FD getting code on big endian in GH-17259
Christoph M. Becker
- Enable GHSA-9pqp-7h25-4f32.phpt on Windows in 7685fb0e1c
- Revert "Enable GHSA-9pqp-7h25-4f32.phpt on Windows" in 2285d7083e
- Skip
parse_ini_file_variation6.phpton Windows in b3b38e2d5c - Properly check for required icu4c libraries in 1800cad9d9
- Harden
proc_open()against cmd.exe hijacking in 5cbdd5f6de opcache_get_configuration()properly reports jit_prof_threshold in 3702f9783b- Don't run
proc_open_cmd.phptin parallel with other tests in aafa6ea386 - Fix GH-17067: glob:// wrapper doesn't cater to CWD for ZTS builds in 53b69ba8cf
- Include relevant system headers before defining fallbacks in fcbfd5a680
- Port fix for libgd bug 276 in 643a77dda3
David Carlier
- Fix GH-16809: fopen HTTP wrapper timeout stream context option overflow in 301b8e24c1
ext/sockets: socket_strerror follow-up on GH-16267 fix in 3bea6a2ddbext/pgsqlfixing further calls with flexible arguments number in 0a3442fbe6ext/sockets: socket_set_option switch from convert_to_long to zval_get_long in 8a649a8343- Fix GH-14709 overflow on recurrences for DatePeriod::__construct in 16c0e57530
Derick Rethans
- These were 6bone experimental network allocations, which have been returned to IANA (RFC 3701) in f2fdcfc8c3
- Fixed GH-16944: Refactor IP ranges by using the tables from RFC 6890 in d25aac29ce
- Include changes from RFC 6890 errata in 9d1deb97ff
- Per RFC 6890, these are explicitly not reserved ranges in e54c9e6cd3
- Consistent naming for test titles in 3b154eb88c
Dmitry Stogov
- Backport fix for GH-9011 in GH-17052
- Backport JIT fix: set valid EX(opline) before calling
gc_possible_root()in GH-16858
Eric Mann
- Update versions for PHP 8.3.16 in bce6a51a5d
Gina Peter Banyard
ext/pcntl: Fix memory leak in cleanup code ofpcntl_exec()in 2df9f32732
Ilija Tovilo
- Drop intl on macOS + PHP 8.1 build in e675c1a467
- Backport flaky flag for phar tests in 8a9d45b86f
- Fix
ZEND_MATCH_ERRORmisoptimization in cdfd960150 - Hide xfail/
xleaktest summary in e7af08d625
Jakub Zelenka
- Use empheral port for mysqli fake server tests in 39c292b1eb
- Fix GH-13437: FPM: ERROR: scoreboard: failed to lock (already locked) in 3490ac0cb3
- Introduce FPM_TEST_DEBUG_FILTER env var and extend multi request tracing in e0b79cdc5c
- Fix GH-16955: Use empheral ports for OpenSSL server client tests in b8731767d8
- Port OpenSSL gh10495, gh13860 and gh9310 test to use ephemeral ports in 37504f123d
- Port stream bug51056 and gh11418 tests to use ephemeral ports in 19e2e4d5af
Michael Orlitzky
ext/dba/tests/gh16390.phpt: skip if inifile is disabled in def271aaa7- ext/gettext/gettext.c: handle NULLs from
bindtextdomain()in 0221ceeccd - ext/gettext/tests: fix libintl return values under musl in bfb0e367f2
- ext/gettext/config.m4: symlink en_US.UTF-8 test bits to en_US for musl in 471e94ce61
Niels Dossche
- Fix GH-17037: UAF in user filter when adding existing filter name due to incorrect error handling in 00f4881e90
- Fix GH-17047: UAF on iconv filter failure in ddbd396aa2
- Fix GH-17040: SimpleXML's unset can break DOM objects in 7acc3ac808
- Backport GH-16348 in 806d2e073c
- Fix bug #79075: FFI header parser chokes on comments in 612a34cbec
- Resolve GH-17112 for lower branches in 754aa7706b
- Fix GH-17158: pg_fetch_result Shows Incorrect ArgumentCountError Message when Called With 1 Argument in 388f63c310
- Fix GH-17153: SimpleXML crash when using autovivification on document in a57a434f95
- Fix GH-17137: Segmentation fault ext/phar/phar.c in 142f85e2e1
- Fix GH-17162:
zend_array_try_init()with dtor can cause engine UAF in ee0daa59db - Fix GH-16255: Unexpected nan value in ext/gd/libgd/gd_filter.c in 6c198e380e
- Export visibility for promoted property (8.3) in 160a4a65ad
- Fix GH-17216: Trampoline crash on error in 2c3b56ded0
- Fix GH-17224: UAF in importNode in 61615d5673
- Fix GH-17225: NULL deref in
spl_directory.cin 4bfe69bbc4 - Fix memory leak on
ZEND_FFI_TYPE_CHARconversion failure in a7f7e169d6 - Fix GH-17246: GC during SCCP causes segfault in df6db27580
- Fix GH-16013 and bug #80857: Big endian issues in 99a14b805e
- Fix GH-17223: Memory leak in libxml encoding handling in 7be950f3f6
- Fix GH-17187: unreachable program point in
zend_hashin b621b3a00f - Fix GH-17208:
bug64539-status-json-encoding.phptfail on 32-bits in 847d1401a0 - Backport fix GH-17280:
ldap_search()fails when $attributes array has holes in 26f3bec63e