PHP 8.3.8 is an old release of the PHP 8.3 series. Using the latest version PHP 8.3.12 is highly recommended.
PHP 8.3 continues to receive bug fixes and security fixes until 2025-12-31.
Downloads
Source Code
git clone https://github.com/php/php-src.git --depth 1 --branch php-8.3.8
Compile by running ./buildconf, configuring the build (./configure), and running make.
Detailed articles on how to compile PHP are available for Ubuntu/Debian based systems and Fedora/RHEL based systems.
Windows binaries
Docker/Podman Containers
docker pull php:8.3.8-cli-alpine
docker pull php:8.3.8-cli
docker pull php:8.3.8-fpm-alpine
docker pull php:8.3.8-apache
docker pull php:8.3.8-fpm
ChangeLog
CGI
- Fixed buffer limit on Windows, replacing read call usage by _read.
- Fixed bug GHSA-3qgc-jrrr-25jv (Bypass of CVE-2012-1823, Argument Injection in PHP-CGI). (CVE-2024-4577)
CLI
- Fixed bug GH-14189 (PHP Interactive shell input state incorrectly handles quoted heredoc literals.).
Core
- Fixed bug GH-13970 (Incorrect validation of #[Attribute] flags type for non-compile-time expressions).
DOM
- Fix crashes when entity declaration is removed while still having entity references.
- Fix references not handled correctly in C14N.
- Fix crash when calling childNodes next() when iterator is exhausted.
- Fix crash in ParentNode::append() when dealing with a fragment containing text nodes.
Filter
- Fixed bug GHSA-w8qr-v226-r27w (Filter bypass in filter_var FILTER_VALIDATE_URL). (CVE-2024-5458)
FPM
- Fix bug GH-14175 (Show decimal number instead of scientific notation in systemd status).
Hash
- ext/hash: Swap the checking order of __has_builtin and __GNUC__
Intl
- Fixed build regression on systems without C++17 compilers.
MySQLnd
- Fix bug GH-14255 (mysqli_fetch_assoc reports error from nested query).
Opcache
- Fixed bug GH-14109 (Fix accidental persisting of internal class constant in shm).
OpenSSL
- The openssl_private_decrypt function in PHP, when using PKCS1 padding (OPENSSL_PKCS1_PADDING, which is the default), is vulnerable to the Marvin Attack unless it is used with an OpenSSL version that includes the changes from this pull request: https://github.com/openssl/openssl/pull/13817 (rsa_pkcs1_implicit_rejection). These changes are part of OpenSSL 3.2 and have also been backported to stable versions of various Linux distributions, as well as to the PHP builds provided for Windows since the previous release. All distributors and builders should ensure that this version is used to prevent PHP from being vulnerable.
Standard
- Fixed bug GHSA-9fcc-425m-g385 (Bypass of CVE-2024-1874). (CVE-2024-5585)
XML
- Fixed bug GH-14124 (Segmentation fault with XML extension under certain memory limit).
XMLReader
- Fixed bug GH-14183 (XMLReader::open() can't be overridden).
Commit List
Benjamin Cremer
- Fix GH-14175: Use two digit float specifier for FPM systemd format req rate in 5b6cda6523
Calvin Buckley
- Fix check for newer versions of ICU in GH-14186
David Carlier
- sapi/cgi: fix buffer limit on windows in 74843947f4
Derick Rethans
- Force ffp-contract to off in e5cb9d7df9
Dmitry Stogov
- Fix undefined behavior (left shift of negative number) in f0356612d9
- Fix prototype for trait methods in GH-14148
- Fix incorrect inheritance of private trait methods in GH-14163
Eric Mann
- Update NEWS in c0799fc3b9
- Update versions for PHP 8.3.8 in ce51bfac75
Gina Peter Banyard
- ext/bcmath: Fix [-Wenum-int-mismatch] compiler warning in d775ba8804
- ext/ffi: Fix [-Wenum-int-mismatch] compiler warning in 554541c4db
- ext/gd: Fix [-Wcalloc-transposed-args] compiler warning in 3c45152798
- ext/pdo_mysql: Fix [-Wcalloc-transposed-args] compiler warning in d4accd8b12
- ext/readline: Fix [-Wcalloc-transposed-args] compiler warning in 0accfd1fe1
Ilija Tovilo
- Fix __SANITIZE_ADDRESS__ redeclaration warning in d670e131df
- Delay #[Attribute] arg validation until runtime in f8d1864bbb
- Fix attribute test on newer branches in 5aa5080ea7
- Fix persisting of inherited class constants in 42ede5597e
- Add test for GH-14109 in 2c8731db33
Kamil Tekiela
- Clear mysql error in fetch_into in a59868aef8
Marcus Xavier
- Fix GH-14100: Corrected spelling mistake in php.ini files in 32d21af296
Matteo Beccati
- Stick to mysql 8.3 for the time being in 6fed9a9a7e
Niels Dossche
- Fix crashes when entity declaration is removed while still having entity references in e878b9f390
- Fix references not handled correctly in C14N in 30a0b0359e
- Fix crash when calling childNodes next() when iterator is exhausted in 2dbe2d62b3
- Fix GH-14124: Segmentation fault on unknown address 0x0001ffff8041 with XML extension under certain memory limit in GH-14126
- Fix GH-14183: XMLReader::open() can't be overridden in 15813d69a5
- Fix GH-14189: PHP Interactive shell input state incorrectly handles quoted heredoc literals in 217b753a3d
- Fix missing deref in C14N in GH-14203
- Fix crash in ParentNode::append() when dealing with a fragment containing text nodes in 1e2a2d7df2
- Fix Windows SKIPIF in GH-14219
- Fix GH-14215: Cannot use FFI::load on CRLF header file with apache2handler in ebd1a36670
- Fix nightly test failure in GH-14251
- Fix undefined behaviour in fastcgi.c in GH-14269
- Skip .NET tests if mscoree is not available in GH-14281
- Fix GHSA-9fcc-425m-g385: bypass CVE-2024-1874 in e6a82adace
- Fix GHSA-3qgc-jrrr-25jv in b6d1d3980a
- Fix GHSA-w8qr-v226-r27w in c7486130d9
Peter Kokot
- Fix tests for glibc 2.39 in GH-14097
Saki Takamachi
- CI: fix oci setup in GH-14123
- ext/hash: Swap the checking order of __has_builtin and __GNUC__ in GH-14185
- Added test in 0a8fbef996
SakiTakamachi
- Cast the parameter type of arm BLOCKCONV_LOAD in GH-14159
Tim Düsterhus
- CI: Do not save the ccache for PRs in GH-14168
- CI: Do not save the ccache for PRs (8.3+) in 402f3a923f
- Make the fcc parameter const in zend_call_known_fcc in GH-14259
twosee
- Fix zend_string_starts_with_literal_ci in GH-14137
武田 憲太郎
- Fix the MySQL Server version used for testing to in GH-14120