PHP 8.3.8 is an old release of PHP 8.3 series. Using the latest version PHP 8.3.9 is highly recommended.
PHP 8.3 continues to receive bug fixes and security fixes until 2025-12-31.
Downloads
Source Code
Git Clone
Use Git to clone the 8.3.8 tag from the PHP Git repository.
git clone https://github.com/php/php-src.git --depth 1 --branch php-8.3.8How to compile PHP
PHP can be compiled by setting up the dependencies, building the configure script (
Detailed articles on how to compile PHP are available for Ubuntu/Debian based systems and Fedora/RHEL based systems.
./buildconf), configuring the build ./configure, and running make.Detailed articles on how to compile PHP are available for Ubuntu/Debian based systems and Fedora/RHEL based systems.
Windows binaries
Non-Thread Safe Builds
Non-Thread Safe (NTS) builds are single-threaded PHP builds. They can be used on web servers that integrate PHP over FastCGI protocol, such as Nginx, Caddy, and IIS.
php-8.3.8-x64NTS.zip (30.67 MiB)
php-8.3.8-x86NTS.zip (27.54 MiB)
Thread-Safe Builds
Thread-Safe (TS) builds are multi-thread PHP builds, often used to integrate PHP as a Server API for multithreaded servers. The most common use case is using PHP as an Apache module.
php-8.3.8-x64TS.zip (30.81 MiB)
php-8.3.8-x86TS.zip (27.52 MiB)
Docker/Podman Containers
PHP CLI
PHP CLI Containers images only include the PHP CLI, and no FPM or Apache modules. The Alpine builds are lightweight, but may introduce incompatibilities due to their musl builds. Albeit their larger size, the Debian-based (without the "-alpine" suffix) images are more complete, and widely used.
Alpine-based: Lightweight, but may introduce incompatibilities due to their musl builds.
docker pull php:8.3.8-cli-alpineDebian-based: More compatible with other components, complete, and are widely used.
docker pull php:8.3.8-cliPHP CLI + Web Server Integration
These container images include PHP CLI, and a web server integration. FPM container images can be integrated with web servers such as Nginx, Caddy, and Apache with Event MPM. The Apache container images include Apache web server, integrating PHP as an Apache module.
Alpine-based: Lightweight, but may introduce incompatibilities due to their musl builds.
docker pull php:8.3.8-fpm-alpineDebian-based ZTS Apache: Includes Apache web server integrating PHP as an Apache module.
docker pull php:8.3.8-apacheDebian-based NTS FPM: PHP-FPM, can be integrated with Nginx, Caddy, and other web servers over Fast CGI.
docker pull php:8.3.8-fpmChangeLog
CGI
- Fixed buffer limit on Windows, replacing read call usage by _read.
- Fixed bug GHSA-3qgc-jrrr-25jv (Bypass of CVE-2012-1823, Argument Injection in PHP-CGI). (CVE-2024-4577)
CLI
- Fixed bug GH-14189 (PHP Interactive shell input state incorrectly handles quoted heredoc literals.).
Core
- Fixed bug GH-13970 (Incorrect validation of #[Attribute] flags type for non-compile-time expressions).
DOM
- Fix crashes when entity declaration is removed while still having entity references.
- Fix references not handled correctly in C14N.
- Fix crash when calling childNodes
next()when iterator is exhausted. - Fix crash in
ParentNode::append()when dealing with a fragment containing text nodes.
Filter
- Fixed bug GHSA-w8qr-v226-r27w (Filter bypass in filter_var FILTER_VALIDATE_URL). (CVE-2024-5458)
FPM
- Fix bug GH-14175 (Show decimal number instead of scientific notation in systemd status).
Hash
ext/hash: Swap the checking order of__has_builtinand__GNUC__
Intl
- Fixed build regression on systems without C++17 compilers.
MySQLnd
- Fix bug GH-14255 (mysqli_fetch_assoc reports error from nested query).
Opcache
- Fixed bug GH-14109 (Fix accidental persisting of internal class constant in shm).
OpenSSL
- The openssl_private_decrypt function in PHP, when using PKCS1 padding (OPENSSL_PKCS1_PADDING, which is the default), is vulnerable to the Marvin Attack unless it is used with an OpenSSL version that includes the changes from this pull request: https://github.com/openssl/openssl/pull/13817 (rsa_pkcs1_implicit_rejection). These changes are part of OpenSSL 3.2 and have also been backported to stable versions of various Linux distributions, as well as to the PHP builds provided for Windows since the previous release. All distributors and builders should ensure that this version is used to prevent PHP from being vulnerable.
Standard
- Fixed bug GHSA-9fcc-425m-g385 (Bypass of CVE-2024-1874). (CVE-2024-5585)
XML
- Fixed bug GH-14124 (Segmentation fault with XML extension under certain memory limit).
XMLReader
- Fixed bug GH-14183 (
XMLReader::open()can't be overridden).
Commit List
Benjamin Cremer
- Fix GH-14175: Use two digit float specifier for FPM systemd format req rate in 5b6cda6523
Calvin Buckley
- Fix check for newer versions of ICU in GH-14186
David Carlier
- sapi/cgi: fix buffer limit on windows in 74843947f4
Derick Rethans
- Force ffp-contract to off in e5cb9d7df9
Dmitry Stogov
- Fix undefined behavior (left shift of negative number) in f0356612d9
- Fix prototype for trait methods in GH-14148
- Fix incorrect inheritance of private trait methods in GH-14163
Eric Mann
- Update NEWS in c0799fc3b9
- Update versions for PHP 8.3.8 in ce51bfac75
Gina Peter Banyard
ext/bcmath: Fix [-Wenum-int-mismatch] compiler warning in d775ba8804ext/ffi: Fix [-Wenum-int-mismatch] compiler warning in 554541c4dbext/gd: Fix [-Wcalloc-transposed-args] compiler warning in 3c45152798ext/pdo_mysql: Fix [-Wcalloc-transposed-args] compiler warning in d4accd8b12ext/readline: Fix [-Wcalloc-transposed-args] compiler warning in 0accfd1fe1
Ilija Tovilo
- Fix __SANITIZE_ADDRESS__ redeclaration warning in d670e131df
- Delay #[Attribute] arg validation until runtime in f8d1864bbb
- Fix attribute test on newer branches in 5aa5080ea7
- Fix persisting of inherited class constants in 42ede5597e
- Add test for GH-14109 in 2c8731db33
Kamil Tekiela
- Clear mysql error in fetch_into in a59868aef8
Marcus Xavier
- Fix GH-14100: Corrected spelling mistake in php.ini files in 32d21af296
Matteo Beccati
- Stick to mysql 8.3 for the time being in 6fed9a9a7e
Niels Dossche
- Fix crashes when entity declaration is removed while still having entity references in e878b9f390
- Fix references not handled correctly in C14N in 30a0b0359e
- Fix crash when calling childNodes
next()when iterator is exhausted in 2dbe2d62b3 - Fix GH-14124: Segmentation fault on unknown address 0x0001ffff8041 with XML extension under certain memory limit in GH-14126
- Fix GH-14183:
XMLReader::open()can't be overridden in 15813d69a5 - Fix GH-14189: PHP Interactive shell input state incorrectly handles quoted heredoc literals in 217b753a3d
- Fix missing deref in C14N in GH-14203
- Fix crash in
ParentNode::append()when dealing with a fragment containing text nodes in 1e2a2d7df2 - Fix Windows
SKIPIFin GH-14219 - Fix GH-14215: Cannot use
FFI::loadon CRLF header file with apache2handler in ebd1a36670 - Fix nightly test failure in GH-14251
- Fix undefined behaviour in
fastcgi.cin GH-14269 - Skip .NET tests if mscoree is not available in GH-14281
- Fix GHSA-9fcc-425m-g385: bypass CVE-2024-1874 in e6a82adace
- Fix GHSA-3qgc-jrrr-25jv in b6d1d3980a
- Fix GHSA-w8qr-v226-r27w in c7486130d9
Peter Kokot
- Fix tests for glibc 2.39 in GH-14097
Saki Takamachi
- CI: fix oci setup in GH-14123
ext/hash: Swap the checking order of __has_builtin and GNUC in GH-14185- Added test in 0a8fbef996
SakiTakamachi
- Cast the parameter type of arm BLOCKCONV_LOAD in GH-14159
Tim Düsterhus
- CI: Do not save the ccache for PRs in GH-14168
- CI: Do not save the ccache for PRs (8.3+) in 402f3a923f
- Make the
fccparameterconstinzend_call_known_fccin GH-14259
twosee
- Fix
zend_string_starts_with_literal_ciin GH-14137
武田 憲太郎
- Fix the MySQL Server version used for testing to in GH-14120