Release Information
- Release Type
- Security Update
- Release Status
- QA Release Latest
- Branch Status
- Upcoming Release
PHP 8.4 is a development version, and is not recommended for production use. PHP 8.4 is scheduled to reach General Availability on 2024-11-21. This is the latest QA release in the series.
Downloads
Source Code
Git Clone
Use Git to clone the 8.4.0RC2 tag from the PHP Git repository.
git clone https://github.com/php/php-src.git --depth 1 --branch php-8.4.0RC2How to compile PHP
PHP can be compiled by setting up the dependencies, building the configure script (
Detailed articles on how to compile PHP are available for Ubuntu/Debian based systems and Fedora/RHEL based systems.
./buildconf), configuring the build ./configure, and running make.Detailed articles on how to compile PHP are available for Ubuntu/Debian based systems and Fedora/RHEL based systems.
Windows binaries
Non-Thread Safe Builds
Non-Thread Safe (NTS) builds are single-threaded PHP builds. They can be used on web servers that integrate PHP over FastCGI protocol, such as Nginx, Caddy, and IIS.
php-8.4.0RC2-x64NTS.zip (31.41 MiB)
php-8.4.0RC2-x86NTS.zip (28.23 MiB)
Thread-Safe Builds
Thread-Safe (TS) builds are multi-thread PHP builds, often used to integrate PHP as a Server API for multithreaded servers. The most common use case is using PHP as an Apache module.
php-8.4.0RC2-x64TS.zip (31.56 MiB)
php-8.4.0RC2-x86TS.zip (28.29 MiB)
Docker/Podman Containers
PHP CLI
PHP CLI Containers images only include the PHP CLI, and no FPM or Apache modules. The Alpine builds are lightweight, but may introduce incompatibilities due to their musl builds. Albeit their larger size, the Debian-based (without the "-alpine" suffix) images are more complete, and widely used.
Alpine-based: Lightweight, but may introduce incompatibilities due to their musl builds.
docker pull php:8.4.0RC2-cli-alpineDebian-based: More compatible with other components, complete, and are widely used.
docker pull php:8.4.0RC2-cliPHP CLI + Web Server Integration
These container images include PHP CLI, and a web server integration. FPM container images can be integrated with web servers such as Nginx, Caddy, and Apache with Event MPM. The Apache container images include Apache web server, integrating PHP as an Apache module.
Alpine-based: Lightweight, but may introduce incompatibilities due to their musl builds.
docker pull php:8.4.0RC2-fpm-alpineDebian-based ZTS Apache: Includes Apache web server integrating PHP as an Apache module.
docker pull php:8.4.0RC2-apacheDebian-based NTS FPM: PHP-FPM, can be integrated with Nginx, Caddy, and other web servers over Fast CGI.
docker pull php:8.4.0RC2-fpmChangeLog
CGI
- Fixed bug GHSA-p99j-rfp4-xqvq (Bypass of CVE-2024-4577, Parameter Injection Vulnerability). (CVE-2024-8926)
- Fixed bug GHSA-94p6-54jq-9mwp (cgi.force_redirect configuration is bypassable due to the environment variable collision). (CVE-2024-8927)
Calendar
- Fixed GH-16240: jdtounix overflow on argument value.
- Fixed GH-16241: easter_days/easter_date overflow on year argument.
- Fixed GH-16263: jddayofweek overflow.
- Fixed GH-16234: jewishtojd overflow.
CLI
- Fixed bug GH-16137: duplicate http headers when set several times by the client.
Core
- Fixed bug GH-16040 (Use-after-free of object released in hook).
- Fixed bug GH-16054 (Segmentation fault when resizing hash table iterator list while adding).
- Fixed bug GH-15905 (Assertion failure for TRACK_VARS_SERVER).
- Fixed bug GH-15907 (Failed assertion when promoting Serialize deprecation to exception).
- Fixed bug GH-15851 (Segfault when printing backtrace during cleanup of nested generator frame).
- Fixed bug GH-16026 (Reuse of dtor fiber during shutdown).
- Fixed bug GH-15999 (
zend_std_write_property()assertion failure with lazy objects). - Fixed bug GH-15866 (Core dumped in Zend/zend_generators.c).
- Fixed bug GH-15960 (Foreach edge cases with lazy objects).
- Fixed bug GH-16188 (Assertion failure in Zend/zend_exceptions.c).
- Fixed bug GH-16233 (Observer segfault when calling user function in internal function via trampoline).
- Fixed bug GH-16185 (Various hooked object iterator issues).
DOM
- Fixed bug GH-16039 (Segmentation fault (access null pointer) in ext/dom/parentnode/tree.c).
- Fixed bug GH-16149 (Null pointer dereference in DOMElement->getAttributeNames()).
- Fixed bug GH-16151 (Assertion failure in ext/dom/parentnode/tree.c).
- Fixed bug GH-16190 (Using reflection to call Dom\Node::__construct causes assertion failure).
- Fixed bug GH-16150 (Use after free in
php_dom.c). - Fixed bug GH-16152 (Memory leak in DOMProcessingInstruction/DOMDocument).
- Fix edge-case in DOM parsing decoding.
FPM
- Fixed bug GHSA-865w-9rf3-2wh5 (Logs from childrens may be altered). (CVE-2024-9026)
JSON
- Fixed bug GH-15168 (stack overflow in
json_encode()).
GD
- Fixed bug GH-16232 (bitshift overflow on wbmp file content reading / fix backport from upstream).
- Fixed bug GH-12264 (overflow/underflow on imagerotate degrees value)
- Fixed bug GH-16274 (imagescale underflow on RBG channels / fix backport from upstream).
LDAP
- Fixed bug GH-16032 (Various NULL pointer dereferencements in
ldap_modify_batch()). - Fixed bug GH-16101 (Segfault in
ldap_list(),ldap_read(), andldap_search()when LDAPs array is not a list). - Fix GH-16132 (
php_ldap_do_modify()attempts to free pointer not allocated by ZMM.). - Fix GH-16136 (Memory leak in
php_ldap_do_modify()when entry is not a proper dictionary).
MBString
- Fixed bug GH-16261 (Reference invariant broken in
mb_convert_variables()).
Opcache
- Fixed bug GH-16009 (Segmentation fault with frameless functions and undefined CVs).
- Fixed bug GH-16186 (Assertion failure in Zend/zend_operators.c).
PCRE
- Fixed bug GH-16184 (UBSan address overflowed in ext/pcre/php_pcre.c).
PHPDBG
- Fixed bug GH-16181 (phpdbg: exit in exception handler reports fatal error).
- Fixed bug GH-16041 (Support stack limit in phpdbg).
Reflection
- Fixed bug GH-16122 (The return value of
ReflectionFunction::getNamespaceName()andReflectionFunction::inNamespace()for closures is incorrect). - Fixed bug GH-16187 (Assertion failure in ext/reflection/php_reflection.c).
- Fixed bug GH-16162 (No
ReflectionProperty::IS_VIRTUAL)
SAPI
- Fixed bug GHSA-9pqp-7h25-4f32 (Erroneous parsing of multipart form data). (CVE-2024-8925)
SOAP
- Fixed bug GH-16237 (Segmentation fault when cloning SoapServer).
- Fix Soap leaking http_msg on error.
- Fixed bug GH-16256 (Assertion failure in ext/soap/php_encoding.c:460).
- Fixed bug GH-16259 (Soap segfault when classmap instantiation fails).
Standard
- Fixed bug GH-16053 (Assertion failure in Zend/zend_hash.c).
- Fixed bug GH-15169 (stack overflow when var serialization in ext/standard/var).
Windows
- Fixed bug GH-16199 (GREP_HEADER() is broken).
Commit List
Arnaud Le Blanc
- Fix GHSA-9pqp-7h25-4f32 in d65a1e6f91
- Fix reuse of dtor fiber during shutdown in GH-16026
- Fix use-after-free during lazy object initialization in GH-16004
- Fix assertion failure in generator dtor in GH-16025
- Fix
array_merge_recursive():convert_to_array()may need separation in GH-16061 - Fix handling of undef property during foreach by ref on hooked class in 4d7fcea5da
- Do not null out obj->properties when resetting object in 52fec6958c
- Ensure to initialize lazy object in foreach in 3151117987
- Deny resetting an object as lazy during property iteration in c9dfb77446
- Support stack limit in phpdbg SAPI in 443aa29dbe
- Handle references properties of the Exception class in c2115a43e3
- NEWS for GH-16196 in df4db5c1b4
- NEWS for GH-16196 in a774704aaf
- NEWS for GH-16196 in befe404419
- Use original op_array when JIT compiling a Closure in 82f70dba7d
- NEWS for GH-16200 in 6f70cd3f04
Calvin Buckley
- Fix regression on platforms without
ZEND_CHECK_STACK_LIMITset (8.4) in GH-16285 - Update versions for PHP 8.4.0RC2 in 1f914f9084
Chris Brown
- Fix small typo in UPGRADING in GH-16141
Christoph M. Becker
- Fix
bug71610.phptin de51612ba5 - Fix GH-15905: Assertion failure for TRACK_VARS_SERVER in 87d59d7fdd
- Fix failing soap tests on Windows in 5f3e6e346c
- Fix potential parallel test conflicts in f5649556ea
- Fix nightly builds regarding libavif in 258088310a
- Fix GH-16181: phpdbg: exit in exception handler reports fatal error in f14e5cfaaa
- Declare
zend_call_stack_size_error()asZEND_APIin 6f7f32c330 - Update Windows CI to use php-sdk-2.3.0 in d9d82377cc
- Install 32bit Firebird server on x86 in c3434091de
- Fix PDO_Firebird tests for 32bit in 626dc50989
Daniel Scherzer
- Fix GH-16187: ReflectionClass::__toString() with packed properties hash table in 331da7e869
- Fix GH-16162: No
ReflectionProperty::IS_VIRTUALin 76e5d82eb2
David Carlier
- Fix ubsan build on freebsd regarding float in 5feb29ea03
- Fix GH-15937: stream timeout option overflow in 332b067c5e
- Fix GH-16189: underflow on preg_match/preg_match_all start_offset in f453d1ae2a
- Fix GH-16137: "Deduplicate" http headers values but Set-Cookie in 3d80d98a10
- Fix GH-16231 jdtounix overflow on argument value in f4d2dd038b
- Fix GH-16232: bitshift overflow on wbmp file content reading in 54973c9366
- Fix GH-16228 overflow on easter_days/easter_date year argument in a3ff092c12
- fix build warning for GH-16228 in 6d9903f3e6
- Fix GH-16260: overflow/underflow on imagerotate degrees argument in 2d05da2e94
- Fix GH-16258 overflow on jddayofweek argument in a5e8ac62d9
- Fix GH-16234 jewishtojd overflow on year argument in e3015de741
- Fix GH-16267 socket_strerror overflow on argument value in 8537aa687e
- Fix GH-16257 imagescale underflow on RGB channels in a2bdfeff4f
Dmitry Stogov
- Fix possible NULL dereference in 24d5912a30
- Fix FFI prototypes (these functions can't return NULL) in GH-16075
- Improve JIT TRACE coverage in GH-16171
- Update IR in 64214d286b
- Update IR in 3fcf8caca8
Gina Peter Banyard
ext/ldap: Fix GH-16032 (Various NULL pointer dereferencements inldap_modify_batch()) in f4c45ee376ext/ldap: Fix GH-16101 (Segfaults inphp_ldap_do_search()when LDAPs is not a list) in 19bba83715ext/ldap: Fix GH-16132 (Freeing pointer not allocated by ZMM) in c910e78c39ext/ldap: Fix GH-16136 (Memory leak inphp_ldap_do_modify()) in 21260318c6- NEWS entries for LDAP bug fixes in f8b925b617
Ilija Tovilo
- Fix nightly for 8.2 in 50d5e96edb
- Add missing CI services for 8.2 in b7ee484f2b
- Fix use-after-free of object released in hook in 12844f96e2
- Fix missing libavif-dev in asan nightly in 271b9e685e
- Switch asan build to Ubuntu 24.04 in 91c06790de
- Remove now unused llvm installation in asan build in 6f7ec6a747
- Fix failed assertion when promoting Serialize deprecation to exception in 15a0c3a9d4
- Reduce regex backtracking in
phpinfo.phptin c4c45da4b9 - Fix printing backtrace of fake generator frame in 706bcdbc1a
- Fix various hooked object iterator issues in d76ef13757
Jakub Zelenka
- Fix GHSA-865w-9rf3-2wh5: FPM: Logs from childrens may be altered in 4580b8b3e1
- Update NEWS with security fixes info in 8d87bc3e26
- Skip GHSA-9pqp-7h25-4f32 test on Windows in 4bcc7d5778
- Fix stub for openssl_csr_new in dce0d97640
- Fix GH-15395: php-fpm:
zend_mm_heapcorrupted with cgi-fcgi request in 5a47f27021 - Fix FPM tester params type in ee7e21020e
- Fix failing openssl_private_decrypt tests in 53cc92c85c
Luís Cobucci
- Reproduce unexpected MySQL warnings for binary values in 93c68caeb5
Matteo Beccati
- PDO_MYSQL: Properly quote binary strings in cba92beac3
Máté Kocsis
- Fix
property_exists()andunset()for XMLReader in GH-16079
Niels Dossche
- Fix GHSA-p99j-rfp4-xqvq in 4b9cd27ff5
- Fix GHSA-94p6-54jq-9mwp in c1c14c8a0f
- Fix GH-16009: Segmentation fault with frameless functions and undefined CVs in daba40c695
- Fix GH-16039: Segmentation fault (access null pointer) in ext/dom/parentnode/tree.c in 043b9e1f13
- Fix GH-16054: Segmentation fault when resizing hash table iterator list while adding in fdd6ba62bb
- Fix bogus fallthrough path in
firebird_handle_get_attribute(), again in b21d2ca93b - Fix GH-15168: stack overflow in
json_encode()in a551b99b2c - Fix typo in bf1021c1a8
- Fix GH-16149: Null pointer dereference in DOMElement->getAttributeNames() in 63e1ebe78d
- Fix GH-16151: Assertion failure in ext/dom/parentnode/tree.c in 066d18f2e8
- Fix GH-15169: stack overflow when var serialization in ext/standard/var in bd724bdf42
- Fix GH-16190: Using reflection to call Dom\Node::__construct causes assertion failure in 3be6ff66b8
- Fix bugs GH-16150 and GH-16152: intern document mismanagement in d4a4d2e7a9
- Fix GH-16184: UBSan address overflowed in ext/pcre/php_pcre.c in c4bb07552e
- Use standard error message for stack limit in
serialize()in 612a6ad0af - Fix GH-16237: Segmentation fault when cloning SoapServer in 809a58bc1b
- Fix edge-case in DOM parsing decoding in 1e949d189a
- Fix Soap leaking http_msg on error in a9dada29e7
- Add
SKIPIFfor ZendMM forobserver_fiber_functions_03.phptin fbb1001d84 - Fix GH-16256: Assertion failure in ext/soap/php_encoding.c:460 in 922b9d6798
- Fixed GH-16233: Observer segfault when calling user function in internal function via trampoline in e715dd0afb
- Fix GH-16259: Soap segfault when classmap instantiation fails in 71222f799d
- Fix GH-16261: Reference invariant broken in
mb_convert_variables()in bf70d9ba0d
Peter Kokot
- Fix GH-16199: GREP_HEADER() is broken in e915ed75ea
Remi Collet
- zip extension is 1.22.4 in a1cacec067
Saki Takamachi
- Added PHP-8.4 to push workflow in GH-16045
Tim Düsterhus
- reflection: Fix the return value of ReflectionFunction::{getNamespaceName,inNamespace}() for closures in GH-16129
Yuya Hamada
- Fix GH-16229: Address overflowed in
mb_send_mailwhen empty string in d840200cea