PHP 8.3.28: Downloads, Changelog, News

Release Information

Release: 8.3.28
PHP Version: PHP 8.3
Release Date: 2025 Nov 20
Release Type: Bug Fix Release
Release Status: Latest Release in 8.3
Branch Status: Supported

Latest release for PHP 8.3.
PHP 8.3 continues to receive bug fixes and security fixes until 2025-12-31.

PHP can be compiled by setting up the dependencies, building the configure script (./buildconf), configuring the build ./configure, and running make.
Detailed articles on how to compile PHP are available for Ubuntu/Debian based systems and Fedora/RHEL based systems.

Windows binaries

Non-Thread Safe Builds

Non-Thread Safe (NTS) builds are single-threaded PHP builds. They can be used on web servers that integrate PHP over FastCGI protocol, such as Nginx, Caddy, and IIS.

php-8.3.28-x64NTS.zip

Size: 30.72 MiB SHA256: 25530b3d001ba48bcba83c6deb22be03e5799ef66813befc079436b8e24ba666

php-8.3.28-x86NTS.zip

Size: 27.6 MiB SHA256: 07625bca71f4175e79382cf4f22d092deec9f5343caa8a359d64c5328be7818d

Thread-Safe Builds

Thread-Safe (TS) builds are multi-thread PHP builds, often used to integrate PHP as a Server API for multithreaded servers. The most common use case is using PHP as an Apache module.

php-8.3.28-x64TS.zip

Size: 30.87 MiB SHA256: 42a80ea0eb2581239b57d33141f1ee8a2b831cdc61033aa46799e9f28fecfefd

php-8.3.28-x86TS.zip

Size: 27.58 MiB SHA256: 6428220d42bdb7b9be1871c690e8af99b5bd9ae9c3b95125984036d5d6316f3d

Docker/Podman Containers

PHP CLI

PHP CLI Containers images only include the PHP CLI, and no FPM or Apache modules. The Alpine builds are lightweight, but may introduce incompatibilities due to their musl builds. Albeit their larger size, the Debian-based (without the "-alpine" suffix) images are more complete, and widely used.

Alpine-based: Lightweight, but may introduce incompatibilities due to their musl builds.

docker pull php:8.3.28-cli-alpine

Debian-based: More compatible with other components, complete, and are widely used.

docker pull php:8.3.28-cli

PHP CLI + Web Server Integration

These container images include PHP CLI, and a web server integration. FPM container images can be integrated with web servers such as Nginx, Caddy, and Apache with Event MPM. The Apache container images include Apache web server, integrating PHP as an Apache module.

Alpine-based: Lightweight, but may introduce incompatibilities due to their musl builds.

docker pull php:8.3.28-fpm-alpine

Debian-based ZTS Apache: Includes Apache web server integrating PHP as an Apache module.

docker pull php:8.3.28-apache

Debian-based NTS FPM: PHP-FPM, can be integrated with Nginx, Caddy, and other web servers over Fast CGI.

docker pull php:8.3.28-fpm

ChangeLog

Core

Fixed bug GH-19934 (CGI with auto_globals_jit=0 causes uouv).
Fixed bug GH-20073 (Assertion failure in WeakMap offset operations on reference).
Fixed bug GH-19844 (Don't bail when closing resources on shutdown).
Fixed bug GH-20177 (Accessing overridden private property in get_object_vars() triggers assertion error).
Fixed bug GH-20183 (Stale EG(opline_before_exception) pointer through eval).

DOM

Partially fixed bug GH-16317 (DOM classes do not allow __debugInfo() overrides to work).

Exif

Fix possible memory leak when tag is empty.

FPM

Fixed bug GH-19974 (fpm_status_export_to_zval segfault for parallel execution).

FTP

Fixed bug GH-20240 (FTP with SSL: ftp_fput(): Connection timed out on successful writes).

GD

Fixed bug GH-20070 (Return type violation in imagefilter when an invalid filter is provided).

Intl

Fix memory leak on error in locale_filter_matches().

LibXML

Fix not thread safe schema/relaxng calls.

MySQLnd

Fixed bug GH-8978 (SSL certificate verification fails (port doubled)).
Fixed bug GH-20122 (getColumnMeta() for JSON-column in MySQL).

Opcache

Fixed bug GH-20081 (access to uninitialized vars in preload_load()).
Fixed bug GH-20121 (JIT broken in ZTS builds on MacOS 15).

PgSql

Fix memory leak when first string conversion fails.
Fix segfaults when attempting to fetch row into a non-instantiable class name.

Phar

Fix memory leak of argument in webPhar.
Fix memory leak when setAlias() fails.
Fix a bunch of memory leaks in phar_parse_zipfile() error handling.
Fix file descriptor/memory leak when opening central fp fails.
Fix memleak+UAF when opening temp stream in buildFromDirectory() fails.
Fix potential buffer length truncation due to usage of type int instead of type size_t.
Fix memory leak when openssl polyfill returns garbage.
Fix file descriptor leak in phar_zip_flush() on failure.
Fix memory leak when opening temp file fails while trying to open gzip-compressed archive.
Fixed bug GH-20302 (Freeing a phar alias may invalidate PharFileInfo objects).

Random

Fix Randomizer::__serialize() w.r.t. INDIRECTs.

SimpleXML

Partially fixed bug GH-16317 (SimpleXML does not allow __debugInfo() overrides to work).

Standard

Fix shm corruption with coercion in options of unserialize().

Streams

Fixed bug GH-19798: XP_SOCKET XP_SSL (Socket stream modules): Incorrect condition for Win32/Win64.

Tidy

Fixed GH-19021 (improved tidyOptGetCategory detection).
Fix UAF in tidy when tidySetErrorBuffer() fails.

XMLReader

Fix arginfo/zpp violations when LIBXML_SCHEMAS_ENABLED is not available.

Windows

Fix GH-19722 (_get_osfhandle asserts in debug mode when given a socket).

Zip

Fix memory leak when passing enc_method/enc_password is passed as option for ZipArchive::addGlob()/addPattern() and with consecutive calls.

Commit List

Arnaud Le Blanc

Fix access to uninitialized variables in preload_load() in ab9d121f48
Fix JIT TLS on MacOS in 3abebf3e31

Calvin Buckley

Move iconv const check into autoconf (8.3) in GH-20247

David Carlier

Fix GH-19021: improve tidyOptGetCategory detection in ebbb1b4295
ext/gd: Fix GH-19955 unit test in 3c063abba1
ext/zip: fix memory leak when encryption is passed as userland array option in 55f7303d73

Dmitry Stogov

Disable inlining and inter-procedure-analyses for zend_string_equal_val() function that may be overriden for valgrind in GH-13099

Dylan K. Taylor

Fix GH-19722: Windows: _get_osfhandle asserts in debug mode when given a socket in 94625a0e4c

Gina Peter Banyard

Fix GH-20070: Return type violation in imagefilter when an invalid filter is provided in 26f989313e
ext/phar: use size_t type instead of int in d36109bd71
ext/pgsql: Fix segfaults when attempting to fetch row into a non-instantiable class name in GH-20180

Ilija Tovilo

Backport more curl 8.16 fixes in 1edcce5554
Fix CGI with auto_globals_jit=0 in 9bc35f1982
Don't bail when closing resources on shutdown in e6e39e680e
Fix accessing of overridden private property in get_object_vars() in 02c67b47f7
Improve bug60602.phpt portability in 939b97219d
Create separate workflow for nightly slack notification in 90bc40ecc0
Revert "Fix Windows test for openssl-3.5 upgrade (#19384)" in 3f6c86a885
Fix stale EG(opline_before_exception) pointer through eval in 12920370e1
Fix EG(current_execute_data) introduced in 1292037 in 5518165499

Jakub Zelenka

Fix GH-19974: fpm_status_export_to_zval segfault for parallel execution in 059f9f78e5
Fix GH-19798: XP_SOCKET XP_SSL: Incorrect condition for Win in eef11e048d
Update versions for PHP 8.3.28 in 7f82d946d0

Niels Dossche

Fix GH-20073: Assertion failure in WeakMap offset operations on reference in b16761ec11
Fix Randomizer::__serialize() wrt INDIRECTs in c5fa7696e6
Fix arginfo/zpp violations when LIBXML_SCHEMAS_ENABLED is not available in 40f4091256
phar: Fix memory leak of argument in webPhar in da39975001
phar: Fix memory leak when setAlias() fails in 9216b8be8b
Partially fix GH-16317: SimpleXML does not allow __debugInfo() overrides to work in efa1fafc2f
Fix memory leak in phar_parse_zipfile() error handling in 416386acc4
phar: Reduce code duplication wrt error handling in phar_parse_zipfile() in f9aeb9e57c
Update SKIPIF for bug #67563 (#20133) in 8a21d62c28
phar: Fix file descriptor/memory leak when opening central fp fails in c89f25bf69
Partially fix GH-16317: DOM classes do not allow __debugInfo() overrides to work in 8e0504c38b
phar: Fix more alias memory leaks in b529c77094
phar: Fix memleak+UAF when opening temp stream in buildFromDirectory() fails in 5a7c84f274
Fix shm corruption with coercion in options of unserialize() in 88f8c5c0bb
Fix not thread safe RelaxNG invocations in ZTS builds in 75d8449d1f
Wrap the normally lazy-initialized components in ZTS in f3cb9a81fb
exif: Fix possible memory leak when tag is empty in 56af25cc1c
Fix GH-8978: MySQLi: SSL certificate verification fails (port doubled) in 472f2fe0a3
Fix GH-20122: getColumnMeta() for JSON-column in MySQL in 94284df7b2
intl: Fix memory leak on error in locale_filter_matches() in 28ce1b04ef
pgsql: Fix memory leak when first string conversion fails in cf3b70d23c
phar: Fix memory leak when openssl polyfill returns garbage in 020bbea8fd
phar: Fix file descriptor leak in phar_zip_flush() on failure in cc83761416
phar: Fix memory leak when opening temp file fails while trying to open gzip-compressed archive in ce0df1a9d8
Use MYSQL_TYPE constants instead of FIELD_TYPE in c7fc819c2d
Fix UAF in tidy when tidySetErrorBuffer() fails in 58df9fcf98
Make bug70417.phpt less flaky in ed9529a7d3
ftp: Fix weird typo in GH-20295
Fix GH-20240: FTP with SSL: ftp_fput(): Connection timed out on successful writes in 8761c4e507
Fix GH-20302: Freeing a phar alias may invalidate PharFileInfo objects in 6fe40de6e3
Update zlib test to use separate file for flock() in c3d6bf65d5
random: Fix memory leak when serialization fails in GH-20383

Remi Collet

ensure test passes with prod config in 2f4b8e691a

Shivam Mathur

Skip lc_ctype_inheritance.phpt on macos 15+ in 2f2fb1fbf1
Fix Windows test for openssl-3.5 upgrade in GH-19384

SpencerMalone

Fix not thread safe xmlSchemaParse calls in ZTS builds in f14e5fcfbd

Tim Düsterhus

github: Bust the nightly CI cache on Sunday instead of Monday in GH-20242