Release Information
- Release Type: Security Update
- Release Status: QA Release Latest
- Branch Status: Upcoming Release
PHP 8.4 is a development version, and is not recommended for production use. PHP 8.4 is scheduled to reach General Availability on 2024-11-21. This is the latest QA release in the series.
Downloads
Source Code
git clone https://github.com/php/php-src.git --depth 1 --branch php-8.4.0RC2
Compile PHP by running ./buildconf, configuring the build (./configure), and running make.
Detailed articles on how to compile PHP are available for Ubuntu/Debian based systems and Fedora/RHEL based systems.
Windows binaries
Docker/Podman Containers
docker pull php:8.4.0RC2-cli-alpine
docker pull php:8.4.0RC2-cli
docker pull php:8.4.0RC2-fpm-alpine
docker pull php:8.4.0RC2-apache
docker pull php:8.4.0RC2-fpm
ChangeLog
CGI
- Fixed bug GHSA-p99j-rfp4-xqvq (Bypass of CVE-2024-4577, Parameter Injection Vulnerability). (CVE-2024-8926)
- Fixed bug GHSA-94p6-54jq-9mwp (cgi.force_redirect configuration is bypassable due to the environment variable collision). (CVE-2024-8927)
Calendar
- Fixed GH-16240: jdtounix overflow on argument value.
- Fixed GH-16241: easter_days/easter_date overflow on year argument.
- Fixed GH-16263: jddayofweek overflow.
- Fixed GH-16234: jewishtojd overflow.
CLI
- Fixed bug GH-16137: duplicate http headers when set several times by the client.
Core
- Fixed bug GH-16040 (Use-after-free of object released in hook).
- Fixed bug GH-16054 (Segmentation fault when resizing hash table iterator list while adding).
- Fixed bug GH-15905 (Assertion failure for TRACK_VARS_SERVER).
- Fixed bug GH-15907 (Failed assertion when promoting Serialize deprecation to exception).
- Fixed bug GH-15851 (Segfault when printing backtrace during cleanup of nested generator frame).
- Fixed bug GH-16026 (Reuse of dtor fiber during shutdown).
- Fixed bug GH-15999 (zend_std_write_property() assertion failure with lazy objects).
- Fixed bug GH-15866 (Core dumped in Zend/zend_generators.c).
- Fixed bug GH-15960 (Foreach edge cases with lazy objects).
- Fixed bug GH-16188 (Assertion failure in Zend/zend_exceptions.c).
- Fixed bug GH-16233 (Observer segfault when calling user function in internal function via trampoline).
- Fixed bug GH-16185 (Various hooked object iterator issues).
DOM
- Fixed bug GH-16039 (Segmentation fault (access null pointer) in ext/dom/parentnode/tree.c).
- Fixed bug GH-16149 (Null pointer dereference in DOMElement->getAttributeNames()).
- Fixed bug GH-16151 (Assertion failure in ext/dom/parentnode/tree.c).
- Fixed bug GH-16190 (Using reflection to call Dom\Node::__construct causes assertion failure).
- Fixed bug GH-16150 (Use after free in php_dom.c).
- Fixed bug GH-16152 (Memory leak in DOMProcessingInstruction/DOMDocument).
- Fix edge-case in DOM parsing decoding.
FPM
- Fixed bug GHSA-865w-9rf3-2wh5 (Logs from childrens may be altered). (CVE-2024-9026)
JSON
- Fixed bug GH-15168 (stack overflow in json_encode()).
GD
- Fixed bug GH-16232 (bitshift overflow on wbmp file content reading / fix backport from upstream).
- Fixed bug GH-12264 (overflow/underflow on imagerotate degrees value).
- Fixed bug GH-16274 (imagescale underflow on RGB channels / fix backport from upstream).
LDAP
- Fixed bug GH-16032 (Various NULL pointer dereferencements in ldap_modify_batch()).
- Fixed bug GH-16101 (Segfault in ldap_list(), ldap_read(), and ldap_search() when LDAPs array is not a list).
- Fix GH-16132 (php_ldap_do_modify() attempts to free pointer not allocated by ZMM.).
- Fix GH-16136 (Memory leak in php_ldap_do_modify() when entry is not a proper dictionary).
MBString
- Fixed bug GH-16261 (Reference invariant broken in mb_convert_variables()).
Opcache
- Fixed bug GH-16009 (Segmentation fault with frameless functions and undefined CVs).
- Fixed bug GH-16186 (Assertion failure in Zend/zend_operators.c).
PCRE
- Fixed bug GH-16184 (UBSan address overflowed in ext/pcre/php_pcre.c).
PHPDBG
- Fixed bug GH-16181 (phpdbg: exit in exception handler reports fatal error).
- Fixed bug GH-16041 (Support stack limit in phpdbg).
Reflection
- Fixed bug GH-16122 (The return value of ReflectionFunction::getNamespaceName() and ReflectionFunction::inNamespace() for closures is incorrect).
- Fixed bug GH-16187 (Assertion failure in ext/reflection/php_reflection.c).
- Fixed bug GH-16162 (No ReflectionProperty::IS_VIRTUAL).
SAPI
- Fixed bug GHSA-9pqp-7h25-4f32 (Erroneous parsing of multipart form data). (CVE-2024-8925)
SOAP
- Fixed bug GH-16237 (Segmentation fault when cloning SoapServer).
- Fix Soap leaking http_msg on error.
- Fixed bug GH-16256 (Assertion failure in ext/soap/php_encoding.c:460).
- Fixed bug GH-16259 (Soap segfault when classmap instantiation fails).
Standard
- Fixed bug GH-16053 (Assertion failure in Zend/zend_hash.c).
- Fixed bug GH-15169 (stack overflow when var serialization in ext/standard/var).
Windows
- Fixed bug GH-16199 (GREP_HEADER() is broken).
Commit List
Arnaud Le Blanc
- Fix GHSA-9pqp-7h25-4f32 in d65a1e6f91
- Fix reuse of dtor fiber during shutdown in GH-16026
- Fix use-after-free during lazy object initialization in GH-16004
- Fix assertion failure in generator dtor in GH-16025
- Fix array_merge_recursive(): convert_to_array() may need separation in GH-16061
- Fix handling of undef property during foreach by ref on hooked class in 4d7fcea5da
- Do not null out obj->properties when resetting object in 52fec6958c
- Ensure to initialize lazy object in foreach in 3151117987
- Deny resetting an object as lazy during property iteration in c9dfb77446
- Support stack limit in phpdbg SAPI in 443aa29dbe
- Handle references properties of the Exception class in c2115a43e3
- NEWS for GH-16196 in df4db5c1b4
- NEWS for GH-16196 in a774704aaf
- NEWS for GH-16196 in befe404419
- Use original op_array when JIT compiling a Closure in 82f70dba7d
- NEWS for GH-16200 in 6f70cd3f04
Calvin Buckley
- Fix regression on platforms without ZEND_CHECK_STACK_LIMIT set (8.4) in GH-16285
- Update versions for PHP 8.4.0RC2 in 1f914f9084
Chris Brown
- Fix small typo in UPGRADING in GH-16141
Christoph M. Becker
- Fix bug71610.phpt in de51612ba5
- Fix GH-15905: Assertion failure for TRACK_VARS_SERVER in 87d59d7fdd
- Fix failing soap tests on Windows in 5f3e6e346c
- Fix potential parallel test conflicts in f5649556ea
- Fix nightly builds regarding libavif in 258088310a
- Fix GH-16181: phpdbg: exit in exception handler reports fatal error in f14e5cfaaa
- Declare zend_call_stack_size_error() as ZEND_API in 6f7f32c330
- Update Windows CI to use php-sdk-2.3.0 in d9d82377cc
- Install 32bit Firebird server on x86 in c3434091de
- Fix PDO_Firebird tests for 32bit in 626dc50989
Daniel Scherzer
- Fix GH-16187: ReflectionClass::__toString() with packed properties hash table in 331da7e869
- Fix GH-16162: No ReflectionProperty::IS_VIRTUAL in 76e5d82eb2
David Carlier
- Fix ubsan build on freebsd regarding float in 5feb29ea03
- Fix GH-15937: stream timeout option overflow in 332b067c5e
- Fix GH-16189: underflow on preg_match/preg_match_all start_offset in f453d1ae2a
- Fix GH-16137: "Deduplicate" http headers values but Set-Cookie in 3d80d98a10
- Fix GH-16231 jdtounix overflow on argument value in f4d2dd038b
- Fix GH-16232: bitshift overflow on wbmp file content reading in 54973c9366
- Fix GH-16228 overflow on easter_days/easter_date year argument in a3ff092c12
- fix build warning for GH-16228 in 6d9903f3e6
- Fix GH-16260: overflow/underflow on imagerotate degrees argument in 2d05da2e94
- Fix GH-16258 overflow on jddayofweek argument in a5e8ac62d9
- Fix GH-16234 jewishtojd overflow on year argument in e3015de741
- Fix GH-16267 socket_strerror overflow on argument value in 8537aa687e
- Fix GH-16257 imagescale underflow on RGB channels in a2bdfeff4f
Dmitry Stogov
- Fix possible NULL dereference in 24d5912a30
- Fix FFI prototypes (these functions can't return NULL) in GH-16075
- Improve JIT TRACE coverage in GH-16171
- Update IR in 64214d286b
- Update IR in 3fcf8caca8
Gina Peter Banyard
- ext/ldap: Fix GH-16032 (Various NULL pointer dereferencements in ldap_modify_batch()) in f4c45ee376
- ext/ldap: Fix GH-16101 (Segfaults in php_ldap_do_search() when LDAPs is not a list) in 19bba83715
- ext/ldap: Fix GH-16132 (Freeing pointer not allocated by ZMM) in c910e78c39
- ext/ldap: Fix GH-16136 (Memory leak in php_ldap_do_modify()) in 21260318c6
- NEWS entries for LDAP bug fixes in f8b925b617
Ilija Tovilo
- Fix nightly for 8.2 in 50d5e96edb
- Add missing CI services for 8.2 in b7ee484f2b
- Fix use-after-free of object released in hook in 12844f96e2
- Fix missing libavif-dev in asan nightly in 271b9e685e
- Switch asan build to Ubuntu 24.04 in 91c06790de
- Remove now unused llvm installation in asan build in 6f7ec6a747
- Fix failed assertion when promoting Serialize deprecation to exception in 15a0c3a9d4
- Reduce regex backtracking in phpinfo.phpt in c4c45da4b9
- Fix printing backtrace of fake generator frame in 706bcdbc1a
- Fix various hooked object iterator issues in d76ef13757
Jakub Zelenka
- Fix GHSA-865w-9rf3-2wh5: FPM: Logs from childrens may be altered in 4580b8b3e1
- Update NEWS with security fixes info in 8d87bc3e26
- Skip GHSA-9pqp-7h25-4f32 test on Windows in 4bcc7d5778
- Fix stub for openssl_csr_new in dce0d97640
- Fix GH-15395: php-fpm: zend_mm_heap corrupted with cgi-fcgi request in 5a47f27021
- Fix FPM tester params type in ee7e21020e
- Fix failing openssl_private_decrypt tests in 53cc92c85c
Luís Cobucci
- Reproduce unexpected MySQL warnings for binary values in 93c68caeb5
Matteo Beccati
- PDO_MYSQL: Properly quote binary strings in cba92beac3
Máté Kocsis
- Fix property_exists() and unset() for XMLReader in GH-16079
Niels Dossche
- Fix GHSA-p99j-rfp4-xqvq in 4b9cd27ff5
- Fix GHSA-94p6-54jq-9mwp in c1c14c8a0f
- Fix GH-16009: Segmentation fault with frameless functions and undefined CVs in daba40c695
- Fix GH-16039: Segmentation fault (access null pointer) in ext/dom/parentnode/tree.c in 043b9e1f13
- Fix GH-16054: Segmentation fault when resizing hash table iterator list while adding in fdd6ba62bb
- Fix bogus fallthrough path in firebird_handle_get_attribute(), again in b21d2ca93b
- Fix GH-15168: stack overflow in json_encode() in a551b99b2c
- Fix typo in bf1021c1a8
- Fix GH-16149: Null pointer dereference in DOMElement->getAttributeNames() in 63e1ebe78d
- Fix GH-16151: Assertion failure in ext/dom/parentnode/tree.c in 066d18f2e8
- Fix GH-15169: stack overflow when var serialization in ext/standard/var in bd724bdf42
- Fix GH-16190: Using reflection to call Dom\Node::__construct causes assertion failure in 3be6ff66b8
- Fix bugs GH-16150 and GH-16152: intern document mismanagement in d4a4d2e7a9
- Fix GH-16184: UBSan address overflowed in ext/pcre/php_pcre.c in c4bb07552e
- Use standard error message for stack limit in serialize() in 612a6ad0af
- Fix GH-16237: Segmentation fault when cloning SoapServer in 809a58bc1b
- Fix edge-case in DOM parsing decoding in 1e949d189a
- Fix Soap leaking http_msg on error in a9dada29e7
- Add SKIPIF for ZendMM for observer_fiber_functions_03.phpt in fbb1001d84
- Fix GH-16256: Assertion failure in ext/soap/php_encoding.c:460 in 922b9d6798
- Fixed GH-16233: Observer segfault when calling user function in internal function via trampoline in e715dd0afb
- Fix GH-16259: Soap segfault when classmap instantiation fails in 71222f799d
- Fix GH-16261: Reference invariant broken in mb_convert_variables() in bf70d9ba0d
Peter Kokot
- Fix GH-16199: GREP_HEADER() is broken in e915ed75ea
Remi Collet
- zip extension is 1.22.4 in a1cacec067
Saki Takamachi
- Added PHP-8.4 to push workflow in GH-16045
Tim Düsterhus
- reflection: Fix the return value of ReflectionFunction::{getNamespaceName,inNamespace}() for closures in GH-16129
Yuya Hamada
- Fix GH-16229: Address overflowed in mb_send_mail when empty string in d840200cea