PHP Changelog

What's new in PHP 8.3.6

Apr 12, 2024

CORE:
Fixed GH-13569 (GC buffer unnecessarily grows up to GC_MAX_BUF_SIZE when scanning WeakMaps).
Fixed bug GH-13612 (Corrupted memory in destructor with weak references).
Fixed bug GH-13446 (Restore exception handler after it finishes).
Fixed bug GH-13784 (AX_GCC_FUNC_ATTRIBUTE failure).
Fixed bug GH-13670 (GC does not scale well with a lot of objects created in destructor).
DOM:
Add some missing ZPP checks.
Fix potential memory leak in XPath evaluation results.
FPM:
Fixed GH-11086 (FPM: config test runs twice in daemonised mode).
Fix incorrect check in fpm_shm_free().
GD:
Fixed bug GH-12019 (add GDLIB_CFLAGS in feature tests).
Gettext:
Fixed sigabrt raised with dcgettext/dcngettext calls with gettext 0.22.5 with category set to LC_ALL.
MySQLnd:
Fix GH-13452 (Fixed handshake response [mysqlnd]).
Fix incorrect charset length in check_mb_eucjpms().
Opcache:
Fixed GH-13508 (JITed QM_ASSIGN may be optimized out when op1 is null).
Fixed GH-13712 (Segmentation fault for enabled observers when calling trait method of internal trait when opcache is loaded).
Random:
Fixed bug GH-13544 (Pre-PHP 8.2 compatibility for mt_srand with unknown modes).
Fixed bug GH-13690 (Global Mt19937 is not properly reset in-between requests when MT_RAND_PHP is used).
Session:
Fixed bug GH-13680 (Segfault with session_decode and compilation error).
SPL:
Fixed bug GH-13685 (Unexpected null pointer in zend_string.h).
Standard:
Fixed bug GH-11808 (Live filesystem modified by tests).
Fixed GH-13402 (Added validation of `n` in $additional_headers of mail()).
Fixed bug GH-13203 (file_put_contents fail on strings over 4GB on Windows).
Fixed bug GHSA-pc52-254m-w9w7 (Command injection via array-ish $command parameter of proc_open). (CVE-2024-1874)
Fixed bug GHSA-wpj3-hf5j-x4v4 (__Host-/__Secure- cookie bypass due to partial CVE-2022-31629 fix). (CVE-2024-2756)
Fixed bug GHSA-h746-cjrr-wfmr (password_verify can erroneously return true, opening ATO risk). (CVE-2024-3096)
Fixed bug GHSA-fjp9-9hwx-59fq (mb_encode_mimeheader runs endlessly for some inputs). (CVE-2024-2757)
Fix bug GH-13932 (Attempt to fix mbstring on windows build) (msvc).

New in PHP 8.3.3 (Mar 13, 2024)

New in PHP 8.3.1 (Dec 21, 2023)

New in PHP 8.3.0 (Nov 23, 2023)

Bcmath:
Fixed GH-11761 (removing trailing zeros from numbers) (jorgsowa)
CLI:
Added pdeathsig to builtin server to terminate workers when the master process is killed.
Fixed bug GH-11104 (STDIN/STDOUT/STDERR is not available for CLI without a script).
Implement GH-10024 (support linting multiple files at once using php -l).
Core:
Fix GH-11388 (Allow "final" modifier when importing a method from a trait).
Fixed bug GH-11406 (segfault with unpacking and magic method closure).
Fixed bug GH-9388 (Improve unset property and __get type incompatibility error message).
SA_ONSTACK is now set for signal handlers to be friendlier to other in-process code such as Go's cgo.
SA_ONSTACK is now set when signals are disabled.
Fix GH-9649: Signal handlers now do a no-op instead of crashing when executed on threads not managed by TSRM.
Added shadow stack support for fibers.
Fix bug GH-9965 (Fix accidental caching of default arguments with side effects).
Implement GH-10217 (Use strlen() for determining the class_name length).
Fix bug GH-8821 (Improve line numbers for errors in constant expressions).
Fix bug GH-10083 (Allow comments between & and parameter).
Zend Max Execution Timers is now enabled by default for ZTS builds on Linux.
Fix bug GH-10469 (Disallow .. in open_basedir paths set at runtime).
Fix bug GH-10168, GH-10582 (Various segfaults with destructors and VM return values).
Fix bug GH-10935 (Use of trait doesn't redeclare static property if class has inherited it from its parent).
Fix bug GH-11154 (Negative indices on empty array don't affect next chosen index).
Fix bug GH-8846 (Implement delayed early binding for classes without parents).
Fix bug #79836 (Segfault in concat_function).
Fix bug #81705 (type confusion/UAF on set_error_handler with concat operation).
Fix GH-11348 (Closure created from magic method does not accept named arguments).
Fix GH-11388 (Allow "final" modifier when importing a method from a trait).
Fixed bug GH-11406 (segfault with unpacking and magic method closure).
Fixed bug GH-11507 (String concatenation performance regression in 8.3).
Fixed GH-11488 (Missing "Optional parameter before required" deprecation on union null type).
Implement the #[Override] attribute RFC.
Fixed bug GH-11601 (Incorrect handling of unwind and graceful exit exceptions).
Added zend_call_stack_get implementation for OpenBSD.
Add stack limit check in zend_eval_const_expr().
Expose time spent collecting cycles in gc_status().
Remove WeakMap entries whose key is only reachable through the entry value.
Resolve open_basedir paths on INI update.
Fixed oss-fuzz #60741 (Leak in open_basedir).
Fixed segfault during freeing of some incompletely initialized objects due to OOM error (PDO, SPL, XSL).
Introduced Zend guard recursion protection to fix __debugInfo issue.
Fixed oss-fuzz #61712 (assertion failure with error handler during binary op).
Fixed GH-11847 (DTrace enabled build is broken).
Fixed OSS Fuzz #61865 (Undef variable in ++/-- for declared property that is unset in error handler).
Fixed warning emitted when checking if a user stream is castable.
Fixed bug GH-12123 (Compile error on MacOS with C++ extension when using ZEND_BEGIN_ARG_WITH_RETURN_TYPE_INFO_EX).
Fixed bug GH-12189 (#[Override] attribute in trait does not check for parent class implementations).
Fixed OSS Fuzz #62294 (Unsetting variable after ++/-- on string variable warning).
Fixed buffer underflow when compiling memoized expression.
Fixed oss-fuzz #63802 (OP1 leak in error path of post inc/dec).
Curl:
Added Curl options and constants up to (including) version 7.87.
Date:
Implement More Appropriate Date/Time Exceptions RFC.
DOM:
Fix bug GH-8388 (DOMAttr unescapes character reference).
Fix bug GH-11308 (getElementsByTagName() is O(N^2)).
Fix #79700 (wrong use of libxml oldNs leads to performance problem).
Fix #77894 (DOMNode::C14N() very slow on generated DOMDocuments even after normalisation).
Revert changes to DOMAttr::$value and DOMAttr::$nodeValue expansion.
Fixed bug GH-11500 (Namespace reuse in createElementNS() generates wrong output).
Implemented DOMDocument::adoptNode(). Previously this always threw a "not yet implemented" exception.
Fixed bug GH-9628 (Implicitly removing nodes from DOMDocument breaks existing references).
Added DOMNode::contains() and DOMNameSpaceNode::contains().
Added DOMElement::getAttributeNames().
Added DOMNode::getRootNode().
Added DOMElement::className and DOMElement::id.
Added DOMParentNode::replaceChildren().
Added DOMNode::isConnected and DOMNameSpaceNode::isConnected.
Added DOMNode::parentElement and DOMNameSpaceNode::parentElement.
Added DOMNode::isEqualNode().
Added DOMElement::insertAdjacentElement() and DOMElement::insertAdjacentText().
Added DOMElement::toggleAttribute().
Fixed bug GH-11792 (LIBXML_NOXMLDECL is not implemented or broken).
adoptNode now respects the strict error checking property.
Align DOMChildNode parent checks with spec.
Fixed bug #80927 (Removing documentElement after creating attribute node: possible use-after-free).
Fix various namespace prefix conflict resolution bugs.
Fix calling createAttributeNS() without prefix causing the default namespace of the element to change.
Fixed GH-11952 (Confusing warning when blocking entity loading via libxml_set_external_entity_loader).
Fix broken cache invalidation with deallocated and reallocated document node.
Fix compile error when php_libxml.h header is included in C++.
Fixed bug #47531 (No way of removing redundant xmlns: declarations).
Exif:
Removed unneeded codepaths in exif_process_TIFF_in_JPEG().
FFI:
Implement GH-11934 (Allow to pass CData into struct and/or union fields).
Fileinfo:
Upgrade bundled libmagic to 5.43.
Fix GH-11408 (Unable to build PHP 8.3.0 alpha 1 / fileinfo extension).
FPM:
The status.listen shared pool now uses the same php_values (including expose_php) and php_admin_value as the pool it is shared with.
Added warning to log when fpm socket was not registered on the expected path.
Fixed bug #76067 (system() function call leaks php-fpm listening sockets).
Fixed GH-12077 (PHP 8.3.0RC1 borked socket-close-on-exec.phpt).
GD:
Removed imagerotate "ignore_transparent" argument since it has no effect.
Intl:
Added pattern format error infos for numfmt_set_pattern.
Added MIXED_NUMBERS and HIDDEN_OVERLAY constants for the Spoofchecker's class.
Updated datefmt_set_timezone/IntlDateformatter::setTimezone returns type. (David Carlier).
Updated IntlBreakInterator::setText return type.
Updated IntlChar::enumCharNames return type.
Removed the BC break on IntlDateFormatter::construct which threw an exception with an invalid locale.
JSON:
Added json_validate().
LDAP:
Deprecate calling ldap_connect() with separate hostname and port.
LibXML:
Fix compile error with -Werror=incompatible-function-pointer-types and old libxml2.
MBString:
mb_detect_encoding is better able to identify the correct encoding for Turkish text.
mb_detect_encoding's "non-strict" mode now behaves as described in the documentation. Previously, it would return false if the same byte (for example, the first byte) of the input string was invalid in all candidate encodings. More generally, it would eliminate candidate encodings from consideration when an invalid byte was seen, and if the same input byte eliminated all remaining encodings still under consideration, it would return false. On the other hand, if all candidate encodings but one were eliminated from consideration, it would return the last remaining one without regard for how many encoding errors might be encountered later in the string. This is different from the behavior described in the documentation, which says: "If strict is set to false, the closest matching encoding will be returned." (Alex Dowad)
mb_strtolower, mb_strtotitle, and mb_convert_case implement conditional casing rules for the Greek letter sigma. For mb_convert_case, conditional casing only applies to MB_CASE_LOWER and MB_CASE_TITLE modes, not to MB_CASE_LOWER_SIMPLE and MB_CASE_TITLE_SIMPLE.
mb_detect_encoding is better able to identify UTF-8 and UTF-16 strings with a byte-order mark.
mb_decode_mimeheader interprets underscores in QPrint-encoded MIME encoded words as required by RFC 2047; they are converted to spaces. Underscores must be encoded as "=5F" in such MIME encoded words.
mb_encode_mimeheader no longer drops NUL (zero) bytes when QPrint-encoding the input string. This previously caused strings in certain text encodings, especially UTF-16 and UTF-32, to be corrupted by mb_encode_mimeheader.
Implement mb_str_pad() RFC.
Fixed bug GH-11514 (PHP 8.3 build fails with --enable-mbstring enabled).
Fix use-after-free of mb_list_encodings() return value.
Fixed bug GH-11992 (utf_encodings.phpt fails on Windows 32-bit).
mysqli:
mysqli_fetch_object raises a ValueError instead of an Exception.
Opcache:
Added start, restart and force restart time to opcache's phpinfo section.
Fix GH-9139: Allow FFI in opcache.preload when opcache.preload_user=root.
Made opcache.preload_user always optional in the cli and phpdbg SAPIs.
Allows W/X bits on page creation on FreeBSD despite system settings.
Added memfd api usage, on Linux, for zend_shared_alloc_create_lock() to create an abstract anonymous file for the opcache's lock.
Avoid resetting JIT counter handlers from multiple processes/threads.
Fixed COPY_TMP type inference for references.
OpenSSL:
Added OPENSSL_CMS_OLDMIMETYPE and PKCS7_NOOLDMIMETYPE contants to switch between mime content types.
Fixed GH-11054: Reset OpenSSL errors when using a PEM public key.
Added support for additional EC parameters in openssl_pkey_new.
PCNTL:
SA_ONSTACK is now set for pcntl_signal.
Added SIGINFO constant.
PCRE:
Update bundled libpcre2 to 10.42.
PGSQL:
pg_fetch_object raises a ValueError instead of an Exception.
pg_cancel use thread safe PQcancel api instead.
pg_trace new PGSQL_TRACE_SUPPRESS_TIMESTAMPS/PGSQL_TRACE_REGRESS_MODE contants support.
pg_set_error_verbosity adding PGSQL_ERRORS_STATE constant.
pg_convert/pg_insert E_WARNING on type errors had been converted to ValueError/TypeError exceptions.
Added pg_set_error_context_visibility to set the context's visibility within the error messages.
Phar:
Fix memory leak in phar_rename_archive().
POSIX:
Added posix_sysconf.
Added posix_pathconf.
Added posix_fpathconf.
Fixed zend_parse_arg_long's bool pointer argument assignment.
Added posix_eaccess.
Random:
Added Randomizer::getBytesFromString().
Added Randomizer::nextFloat(), ::getFloat(), and IntervalBoundary.
Enable getrandom() for NetBSD (from 10.x).
Deprecate MT_RAND_PHP.
Fix Randomizer::getFloat() returning incorrect results under certain circumstances.
Reflection:
Fix GH-9470 (ReflectionMethod constructor should not find private parent method).
Fix GH-10259 (ReflectionClass::getStaticProperties doesn't need null return type).
SAPI:
Fixed GH-11141 (Could not open input file: should be sent to stderr).
Session:
Fixed bug GH-11529 (Crash after dealing with an Apache request).
SimpleXML:
Fixed bug GH-12192 (SimpleXML infinite loop when getName() is called within foreach).
Fixed bug GH-12208 (SimpleXML infinite loop when a cast is used inside a foreach).
Fixed bug #55098 (SimpleXML iteration produces infinite loop).
Sockets:
Added SO_ATTACH_REUSEPORT_CBPF socket option, to give tighter control over socket binding for a cpu core.
Added SKF_AD_QUEUE for cbpf filters.
Added socket_atmark if send/recv needs using MSG_OOB.
Added TCP_QUICKACK constant, to give tigher control over ACK delays.
Added DONTFRAGMENT support for path MTU discovery purpose.
Added AF_DIVERT for raw socket for divert ports.
Added SOL_UPDLITE, UDPLITE_RECV_CSCOV and UDPLITE_SEND_CSCOV for updlite protocol support.
Added SO_RERROR, SO_ZEROIZE and SO_SPLICE netbsd and openbsd constants.
Added TCP_REPAIR for quietly close a connection.
Added SO_REUSEPORT_LB freebsd constant.
Added IP_BIND_ADDRESS_NO_PORT.
SPL:
Fixed GH-11573 (RecursiveDirectoryIterator::hasChildren is slow).
Standard:
E_NOTICEs emitted by unserialize() have been promoted to E_WARNING.
unserialize() now emits a new E_WARNING if the input contains unconsumed bytes.
Make array_pad's $length warning less confusing.
E_WARNING emitted by strtok in the caase both arguments are not provided when starting tokenisation.
password_hash() will now chain the original RandomException to the ValueError on salt generation failure.
Fix GH-10239 (proc_close after proc_get_status always returns -1).
Improve the warning message for unpack() in case not enough values were provided.
Fix GH-11010 (parse_ini_string() now preserves formatting of unquoted strings starting with numbers when the INI_SCANNER_TYPED flag is specified).
Fix GH-10742 (http_response_code emits no error when headers were already sent).
Added support for rounding negative places in number_format().
Prevent precision loss on formatting decimal integers in number_format().
Added usage of posix_spawn for proc_open when supported by OS.
Added $before_needle argument to strrchr().
Fixed GH-11982 (str_getcsv returns null byte for unterminated enclosure).
Fixed str_decrement() on "1".
Streams:
Fixed bug #51056: blocking fread() will block even if data is available.
Added storing of the original path used to open xport stream.
Implement GH-8641 (STREAM_NOTIFY_COMPLETED over HTTP never emitted).
Fix bug GH-10406 (fgets on a redis socket connection fails on PHP 8.3).
Implemented GH-11242 (_php_stream_copy_to_mem: Allow specifying a maximum length without allocating a buffer of that size).
Fixed bug #52335 (fseek() on memory stream behavior different than file).
Fixed bug #76857 (Can read "non-existant" files).
XSLTProcessor:
Fixed bug #69168 (DomNode::getNodePath() returns invalid path).
ZIP:
zip extension version 1.22.0 for libzip 1.10.0.
add new error macros (ER_DATA_LENGTH and ER_NOT_ALLOWED).
add new archive global flags (ER_AFL_*).
add ZipArchive::setArchiveFlag and ZipArchive::getArchiveFlag methods.

New in PHP 8.2.11 (Sep 29, 2023)

New in PHP 8.2.10 (Sep 1, 2023)

CLI:
Fixed bug GH-11716 (cli server crashes on SIGINT when compiled with ZEND_RC_DEBUG=1).
Fixed bug GH-10964 (Improve man page about the built-in server).
Date:
Fixed bug GH-11416 (Crash with DatePeriod when uninitialised objects are passed in).
Core:
Fixed strerror_r detection at configuration time.
Fixed trait typed properties using a DNF type not being correctly bound.
Fixed trait property types not being arena allocated if copied from an internal trait.
Fixed deep copy of property DNF type during lazy class load.
Fixed memory freeing of DNF types for non arena allocated types.
DOM:
Fix DOMEntity field getter bugs.
Fix incorrect attribute existence check in DOMElement::setAttributeNodeNS.
Fix DOMCharacterData::replaceWith() with itself.
Fix empty argument cases for DOMParentNode methods.
Fixed bug GH-11791 (Wrong default value of DOMDocument::xmlStandalone).
Fix json_encode result on DOMDocument.
Fix manually calling __construct() on DOM classes.
Fixed bug GH-11830 (ParentNode methods should perform their checks upfront).
Fix viable next sibling search for replaceWith.
Fix segfault when DOMParentNode::prepend() is called when the child disappears.
FFI:
Fix leaking definitions when using FFI::cdef()->new(...).
Hash:
Fix use-of-uninitialized-value in hash_pbkdf2(), fix missing $options parameter in signature.
MySQLnd:
Fixed bug GH-11440 (authentication to a sha256_password account fails over SSL).
Fixed bug GH-11438 (mysqlnd fails to authenticate with sha256_password accounts using passwords longer than 19 characters).
Fixed bug GH-11550 (MySQL Statement has a empty query result when the response field has changed, also Segmentation fault).
Fixed invalid error message "Malformed packet" when connection is dropped.
Opcache:
Fixed bug GH-11715 (opcache.interned_strings_buffer either has no effect or opcache_get_status() / phpinfo() is wrong).
Avoid adding an unnecessary read-lock when loading script from shm if restart is in progress.
PCNTL:
Revert behaviour of receiving SIGCHLD signals back to the behaviour before 8.1.22.
SPL:
Fixed bug #81992 (SplFixedArray::setSize() causes use-after-free).
Standard:
Prevent int overflow on $decimals in number_format.
Fixed bug GH-11870 (Fix off-by-one bug when truncating tempnam prefix) (athos-ribeiro)

New in PHP 8.2.9 (Sep 1, 2023)

Build:
Fixed bug GH-11522 (PHP version check fails with '-' separator).
CLI:
Fix interrupted CLI output causing the process to exit.
Core:
Fixed oss-fuzz #60011 (Mis-compilation of by-reference nullsafe operator).
Fixed line number of JMP instruction over else block.
Fixed use-of-uninitialized-value with ??= on assert.
Fixed oss-fuzz #60411 (Fix double-compilation of arrow-functions).
Fixed build for FreeBSD before the 11.0 releases.
Curl:
Fix crash when an invalid callback function is passed to CURLMOPT_PUSHFUNCTION.
Date:
Fixed bug GH-11368 (Date modify returns invalid datetime).
Fixed bug GH-11600 (Can't parse time strings which include (narrow) non-breaking space characters).
Fixed bug GH-11854 (DateTime:createFromFormat stopped parsing datetime with extra space).
DOM:
Fixed bug GH-11625 (DOMElement::replaceWith() doesn't replace node with DOMDocumentFragment but just deletes node or causes wrapping depending on libxml2 version).
Fileinfo:
Fixed bug GH-11298 (finfo returns wrong mime type for xz files).
FTP:
Fix context option check for "overwrite".
Fixed bug GH-10562 (Memory leak and invalid state with consecutive ftp_nb_fget).
GD:
Fix most of the external libgd test failures.
Intl:
Fix memory leak in MessageFormatter::format() on failure.
Libxml:
Fixed bug GHSA-3qrf-m4j2-pcrr (Security issue with external entity loading in XML without enabling it). (CVE-2023-3823)
MBString:
Fix GH-11300 (license issue: restricted unicode license headers).
Opcache:
Fixed bug GH-10914 (OPCache with Enum and Callback functions results in segmentation fault).
Prevent potential deadlock if accelerated globals cannot be allocated.
PCNTL:
Fixed bug GH-11498 (SIGCHLD is not always returned from proc_open).
PDO:
Fix GH-11587 (After php8.1, when PDO::ATTR_EMULATE_PREPARES is true and PDO::ATTR_STRINGIFY_FETCHES is true, decimal zeros are no longer filled).
PDO SQLite:
Fix GH-11492 (Make test failure: ext/pdo_sqlite/tests/bug_42589.phpt).
Phar:
Add missing check on EVP_VerifyUpdate() in phar util.
Fixed bug GHSA-jqcx-ccgc-xwhv (Buffer mismanagement in phar_dir_read()). (CVE-2023-3824)
PHPDBG:
Fixed bug GH-9669 (phpdbg -h options doesn't list the -z option).
Session:
Removed broken url support for transferring session ID.
Standard:
Fix serialization of RC1 objects appearing in object graph twice.
Streams:
Fixed bug GH-11735 (Use-after-free when unregistering user stream wrapper from itself).
SQLite3:
Fix replaced error handling in SQLite3Stmt::__construct.
XMLReader:
Fix GH-11548 (Argument corruption when calling XMLReader::open or XMLReader::XML non-statically with observer active).

New in PHP 8.2.8 (Jul 6, 2023)

CLI:
Fixed bug GH-11246 (cli/get_set_process_title fails on MacOS).
Core:
Fixed build for the riscv64 architecture/GCC 12.
Curl:
Fixed bug GH-11433 (Unable to set CURLOPT_ACCEPT_ENCODING to NULL).
Date:
Fixed bug GH-11455 (Segmentation fault with custom object date properties).
DOM:
Fixed bugs GH-11288 and GH-11289 and GH-11290 and GH-9142 (DOMExceptions and segfaults with replaceWith).
Fixed bug GH-10234 (Setting DOMAttr::textContent results in an empty attribute value).
Fix return value in stub file for DOMNodeList::item.
Fix spec compliance error with '*' namespace for DOMDocument::getElementsByTagNameNS.
Fix DOMElement::append() and DOMElement::prepend() hierarchy checks.
Fixed bug GH-11347 (Memory leak when calling a static method inside an xpath query).
Fixed bug #67440 (append_node of a DOMDocumentFragment does not reconcile namespaces).
Fixed bug #81642 (DOMChildNode::replaceWith() bug when replacing a node with itself).
Fixed bug #77686 (Removed elements are still returned by getElementById).
Fixed bug #70359 (print_r() on DOMAttr causes Segfault in php_libxml_node_free_list()).
Fixed bug #78577 (Crash in DOMNameSpace debug info handlers).
Fix lifetime issue with getAttributeNodeNS().
Fix "invalid state error" with cloned namespace declarations.
Fixed bug #55294 and #47530 and #47847 (various namespace reconciliation issues).
Fixed bug #80332 (Completely broken array access functionality with DOMNamedNodeMap).
Opcache:
Fix allocation loop in zend_shared_alloc_startup().
Access violation on smm_shared_globals with ALLOC_FALLBACK.
Fixed bug GH-11336 (php still tries to unlock the shared memory ZendSem with opcache.file_cache_only=1 but it was never locked).
OpenSSL:
Fixed bug GH-9356 Incomplete validation of IPv6 Address fields in subjectAltNames (James Lucas, Jakub Zelenka).
PCRE:
Fix preg_replace_callback_array() pattern validation.
PGSQL:
Fixed intermittent segfault with pg_trace.
Phar:
Fix cross-compilation check in phar generation for FreeBSD.
SPL:
Fixed bug GH-11338 (SplFileInfo empty getBasename with more than one slash).
Standard:
Fix access on NULL pointer in array_merge_recursive().
Fix exception handling in array_multisort().
SQLite3:
Fixed bug GH-11451 (Invalid associative array containing duplicate keys).

New in PHP 8.2.6 (Jun 7, 2023)

New in PHP 8.2.5 (May 10, 2023)

Core:
Added optional support for max_execution_time in ZTS/Linux builds (Kévin Dunglas)
Fixed use-after-free in recursive AST evaluation.
Fixed bug GH-8646 (Memory leak PHP FPM 8.1).
Re-add some CTE functions that were removed from being CTE by a mistake.
Remove CTE flag from array_diff_ukey(), which was added by mistake.
Fixed bug GH-10801 (Named arguments in CTE functions cause a segfault).
Fixed bug GH-8789 (PHP 8.0.20 (ZTS) zend_signal_handler_defer crashes on apache).
Fixed bug GH-10015 (zend_signal_handler_defer crashes on apache shutdown).
Fixed bug GH-10810 (Fix NUL byte terminating Exception::__toString()).
Fix potential memory corruption when mixing __callStatic() and FFI.
Date:
Fixed bug GH-10747 (Private and protected properties in serialized Date* objects throw).
FPM:
Fixed bug GH-10611 (fpm_env_init_main leaks environ).
Destroy file_handle in fpm_main.
Fixed bug #74129 (Incorrect SCRIPT_NAME with apache ProxyPassMatch when spaces are in path).
FTP:
Propagate success status of ftp_close().
Fixed bug GH-10521 (ftp_get/ftp_nb_get resumepos offset is maximum 10GB).
IMAP:
Fix build failure with Clang 16.
MySQLnd:
Fixed bug GH-8979 (Possible Memory Leak with SSL-enabled MySQL connections).
Opcache:
Fixed build for macOS to cater with pkg-config settings.
Fixed bug GH-8065 (opcache.consistency_checks > 0 causes segfaults in PHP >= 8.1.5 in fpm context).
OpenSSL:
Add missing error checks on file writing functions.
PDO Firebird:
Fixed bug GH-10908 (Bus error with PDO Firebird on RPI with 64 bit kernel and 32 bit userland).
Phar:
Fixed bug GH-10766 (PharData archive created with Phar::Zip format does not keep files metadata (datetime)).
Add missing error checks on EVP_MD_CTX_create() and EVP_VerifyInit().
PDO ODBC:
Fixed missing and inconsistent error checks on SQLAllocHandle.
PGSQL:
Fixed typo in the array returned from pg_meta_data (extended mode).
SPL:
Fixed bug GH-10519 (Array Data Address Reference Issue).
Fixed bug GH-10907 (Unable to serialize processed SplFixedArrays in PHP 8.2.4).
Fixed bug GH-10844 (ArrayIterator allows modification of readonly props).
Standard:
Fixed bug GH-10885 (stream_socket_server context leaks).
Fixed bug GH-10052 (Browscap crashes PHP 8.1.12 on request shutdown (apache2)).
Fixed oss-fuzz #57392 (Buffer-overflow in php_fgetcsv() with delimiter and enclosure).
Fixed undefined behaviour in unpack().

New in PHP 8.2.4 (Mar 19, 2023)

CORE:
Fixed incorrect check condition in ZEND_YIELD.
Fixed incorrect check condition in type inference.
Fix incorrect check in zend_internal_call_should_throw().
Fixed overflow check in OnUpdateMemoryConsumption.
Fixed bug GH-9916 (Entering shutdown sequence with a fiber suspended in a Generator emits an unavoidable fatal error or crashes).
Fixed bug GH-10437 (Segfault/assertion when using fibers in shutdown function after bailout).
Fixed SSA object type update for compound assignment opcodes.
Fixed language scanner generation build.
Fixed zend_update_static_property() calling zend_update_static_property_ex() misleadingly with the wrong return type.
Fix bug GH-10570 (Fixed unknown string hash on property fetch with integer constant name).
Fixed php_fopen_primary_script() call resulted on zend_destroy_file_handle() freeing dangling pointers on the handle as it was uninitialized.
CURL:
Fixed deprecation warning at compile time.
Fixed bug GH-10270 (Unable to return CURL_READFUNC_PAUSE in readfunc callback).
DATE:
Fix GH-10447 ('p' format specifier does not yield 'Z' for 00:00).
Fix GH-10152 (Custom properties of Date's child classes are not serialised).
Fixed bug GH-10747 (Private and protected properties in serialized Date* objects throw).
FFI:
Fixed incorrect bitshifting and masking in ffi bitfield.
FIBER:
Fixed assembly on alpine x86.
Fixed bug GH-10496 (segfault when garbage collector is invoked inside of fiber).
FPM:
Fixed bug GH-10315 (FPM unknown child alert not valid).
Fixed bug GH-10385 (FPM successful config test early exit).
GMP:
Properly implement GMP::__construct().
Intl:
Fixed bug GH-10647 (Spoolchecker isSuspicious/areConfusable methods error code's argument always returning NULL0.
JSON:
Fixed JSON scanner and parser generation build.
MBString:
ext/mbstring: fix new_value length check.
Fix bug GH-10627 (mb_convert_encoding crashes PHP on Windows).
Opcache:
Fix incorrect page_size check.
OpenSSL:
Fixed php_openssl_set_server_dh_param() DH params errors handling.
PDO OCI:
Fixed bug #60994 (Reading a multibyte CLOB caps at 8192 chars).
PHPDBG:
Fixed bug GH-10715 (heap buffer overflow on --run option misuse).
PGSQL:
Fix GH-10672 (pg_lo_open segfaults in the strict_types mode).
Phar:
Fix incorrect check in phar tar parsing.
Random:
Fix GH-10390 (Do not trust arc4random_buf() on glibc).
Fix GH-10292 (Made the default value of the first param of srand() and mt_srand() unknown).
Reflection:
Fixed bug GH-10623 (Reflection::getClosureUsedVariables opcode fix with variadic arguments).
Fix Segfault when using ReflectionFiber suspended by an internal function.
Session:
Fixed ps_files_cleanup_dir() on failure code paths with -1 instead of 0 as the latter was considered success by callers. (nielsdos).
Standard:
Fixed bug GH-8086 (Introduce mail.mixed_lf_and_crlf INI).
Fixed bug GH-10292 (Made the default value of the first param of srand() and mt_srand() unknown).
Fix incorrect check in cs_8559_5 in map_from_unicode().
Fix bug GH-9697 for reset/end/next/prev() attempting to move pointer of properties table for certain internal classes such as FFI classes
Fix incorrect error check in browsecap for pcre2_match().
Streams:
Fixed bug GH-10370 (File corruption in _php_stream_copy_to_stream_ex when using copy_file_range).
Fixed bug GH-10548 (copy() fails on cifs mounts because of incorrect copy_file_range() len).
Tidy:
Fix memory leaks when attempting to open a non-existing file or a file over 4GB.
Add missing error check on tidyLoadConfig.
Zlib:
Fixed output_handler directive value's length which counted the string terminator.

New in PHP 8.2.2 (Feb 3, 2023)

New in PHP 8.2.1 (Feb 3, 2023)

New in PHP 8.2.0 (Jan 4, 2023)

CLI:
Fixed bug #81496 (Server logs incorrect request method).
Updated the mime-type table for the builtin-server.
Fixed potential overflow for the builtin server via the PHP_CLI_SERVER_WORKERS environment variable.
Fixed GH-8575 by changing STDOUT, STDERR and STDIN to not close on resource destruction.
Implement built-in web server responding without body to HEAD request on a static resource.
Implement built-in web server responding with HTTP status 405 to DELETE/PUT/PATCH request on a static resource.
Fixed bug GH-9709 (Null pointer dereference with -w/-s options).
COM:
Fixed bug GH-8750 (Can not create VT_ERROR variant type).
Core:
Fixed bug #81380 (Observer may not be initialized properly).
Fixed bug GH-7771 (Fix filename/lineno of constant expressions).
Fixed bug GH-7792 (Improve class type in error messages).
Support huge pages on MacOS.
Fixed bug GH-8655 (Casting an object to array does not unwrap refcount=1 references).
Fixed bug GH-8661 (Nullsafe in coalesce triggers undefined variable warning).
Fixed bug GH-7821 and GH-8418 (Allow arbitrary const expressions in backed enums).
Fixed bug GH-8810 (Incorrect lineno in backtrace of multi-line function calls).
Optimised code path for newly created file with the stream plain wrapper.
Uses safe_perealloc instead of perealloc for the ZEND_PTR_STACK_RESIZE_IF_NEEDED to avoid possible overflows.
Reduced the memory footprint of strings returned by var_export(), json_encode(), serialize(), iconv_*(), mb_ereg*(), session_create_id(), http_build_query(), strstr(), Reflection*::__toString().
Fixed bug GH-8995 (WeakMap object reference offset causing TypeError).
Added error_log_mode ini setting.
Updated request startup messages.
Fixed bug GH-7900 (Arrow function with never return type compile-time errors).
Fixed incorrect double to long casting in latest clang.
Added support for defining constants in traits.
Stop incorrectly emitting false positive deprecation notice alongside unsupported syntax fatal error for `"{$g{'h'}}"`.
Fix unexpected deprecated dynamic property warning, which occurred when exit() in finally block after an exception was thrown without catching.
Fixed bug GH-9323 (Crash in ZEND_RETURN/GC/zend_call_function) (Tim Starling)
Fixed bug GH-9227 (Trailing dots and spaces in filenames are ignored).
Fixed bug GH-9285 (Traits cannot be used in readonly classes).
Fixed bug GH-9186 (@strict-properties can be bypassed using unserialization).
Fixed bug GH-9500 (Using dnf type with parentheses after readonly keyword results in a parse error).
Fixed bug GH-9516 ((A&B)|D as a param should allow AB or D. Not just A).
Fixed observer class notify with Opcache file_cache_only=1.
Fixes segfault with Fiber on FreeBSD i386 architecture.
Fixed bug GH-9655 (Pure intersection types cannot be implicitly nullable) (Girgias)
Fixed bug GH-9589 (dl() segfaults when module is already loaded).
Fixed bug GH-9752 (Generator crashes when interrupted during argument evaluation with extra named params).
Fixed bug GH-9801 (Generator crashes when memory limit is exceeded during initialization).
Fixed a bug with preloaded enums possibly segfaulting.
Fixed bug GH-9823 (Don’t reset func in zend_closure_internal_handler).
Fixed potential NULL pointer dereference Windows shm*() functions.
Fix target validation for internal attributes with constructor property promotion.
Fixed bug GH-9750 (Generator memory leak when interrupted during argument evaluation.
Move observer_declared_function_notify until after pass_two().
Do not report MINIT stage internal class aliases in extensions.
Curl:
Added support for CURLOPT_XFERINFOFUNCTION.
Added support for CURLOPT_MAXFILESIZE_LARGE.
Added new constants from cURL 7.62 to 7.80.
New function curl_upkeep().
Date:
Fixed GH-8458 (DateInterval::createFromDateString does not throw if non-relative items are present).
Fixed bug #52015 (Allow including end date in DatePeriod iterations) (Daniel Egeberg, Derick)
idate() now accepts format specifiers "N" (ISO Day-of-Week) and "o" (ISO Year).
Fixed bug GH-8730 (DateTime::diff miscalculation is same time zone of different type).
Fixed bug GH-8964 (DateTime object comparison after applying delta less than 1 second).
Fixed bug GH-9106 (DateInterval 1.5s added to DateTimeInterface is rounded down since PHP 8.1.0).
Fixed bug #75035 (Datetime fails to unserialize "extreme" dates).
Fixed bug #80483 (DateTime Object with 5-digit year can't unserialized).
Fixed bug #81263 (Wrong result from DateTimeImmutable::diff).
Fixed bug GH-9431 (DateTime::getLastErrors() not returning false when no errors/warnings).
Fixed bug with parsing large negative numbers with the @ notation.
DBA:
Fixed LMDB driver hanging when attempting to delete a non-existing key (Girgias)
Fixed LMDB driver memory leak on DB creation failure (Girgias)
Fixed GH-8856 (dba: lmdb: allow to override the MDB_NOSUBDIR flag).
FFI:
Fixed bug GH-9090 (Support assigning function pointers in FFI).
Fileinfo:
Fixed bug GH-8805 (finfo returns wrong mime type for woff/woff2 files).
Filter:
Added FILTER_FLAG_GLOBAL_RANGE to filter Global IPs.
FPM:
Emit error for invalid port setting.
Added extra check for FPM proc dumpable on SELinux based systems.
Added support for listening queue on macOS.
Changed default for listen.backlog on Linux to -1.
Added listen.setfib pool option to set route FIB on FreeBSD.
Added access.suppress_path pool option to filter access log entries.
Fixed on fpm scoreboard occasional warning on acquisition failure.
Fixed bug GH-9754 (SaltStack (using Python subprocess) hangs when running php-fpm 8.1.11).
FTP:
Fix datetime format string to follow POSIX spec in ftp_mdtm().
GD:
Fixed bug #81739: OOB read due to insufficient input validation in imageloadfont(). (CVE-2022-31630)
GMP:
Fixed bug GH-9308 (GMP throws the wrong error when a GMP object is passed to gmp_init()).
Hash:
Fixed bug #81738: buffer overflow in hash_update() on long parameter. (CVE-2022-37454)
Intl:
Update all grandfathered language tags with preferred values
Fixed GH-7939 (Cannot unserialize IntlTimeZone objects).
Fixed build for ICU 69.x and onwards.
Declared Transliterator::$id as readonly to unlock subclassing it.
Fixed bug GH-9421 (Incorrect argument number for ValueError in NumberFormatter).
MBString:
Fixed bug GH-9248 (Segmentation fault in mb_strimwidth()).
mysqli:
Fixed bug GH-9841 (mysqli_query throws warning despite using silenced error mode).
MySQLnd:
Fixed potential heap corruption due to alignment mismatch.
OCI8:
Added oci8.prefetch_lob_size directive to tune LOB query performance
Support for building against Oracle Client libraries 10.1 and 10.2 has been dropped. Oracle Client libraries 11.2 or newer are now required.
ODBC:
Fixed bug GH-8300 (User input not escaped when building connection string).
Fixed bug GH-9347 (Current ODBC liveness checks may be inadequate).
Opcache:
Allocate JIT buffer close to PHP .text segemnt to allow using direct IP-relative calls and jumps.
Added initial support for JIT performance profiling generation for macOs Instrument.
Fixed bug GH-8030 (Segfault with JIT and large match/switch statements).
Added JIT support improvement for macOs for segments and executable permission bit handling.
Added JIT buffer allocation near the .text section on FreeNSD.
Fixed bug GH-9371 (Crash with JIT on mac arm64) (jdp1024/David Carlier)
Fixed bug GH-9259 (opcache.interned_strings_buffer setting integer overflow).
Added indirect call reduction for jit on x86 architectures.
Fixed bug GH-9164 (Segfault in zend_accel_class_hash_copy).
Fix opcache preload with observers enabled.
OpenSSL:
Discard poll calls on socket when no timeout/non blocking/MSG_DONTWAIT.
Fixed bug GH-9310 (SSL local_cert and local_pk do not respect open_basedir).
Implement FR #76935 ("chacha20-poly1305" is an AEAD but does not work like AEAD).
Added openssl_cipher_key_length function.
Fixed bug GH-9517 (Compilation error openssl extension related to PR GH-9366).
Fixed missing clean up of OpenSSL engine list - attempt to fix GH-8620.
Fixed bug GH-8430 (OpenSSL compiled with no-md2, no-md4 or no-rmd160 does not build).
PCNTL:
Fixed pcntl_(get|set)priority error handling for MacOS.
PCRE:
Implemented FR #77726 (Allow null character in regex patterns).
Updated bundled libpcre to 10.40.
PDO:
Fixed bug GH-9818 (Initialize run time cache in PDO methods).
PDO_Firebird:
Fixed bug GH-8576 (Bad interpretation of length when char is UTF-8).
PDO_ODBC:
Fixed bug #80909 (crash with persistent connections in PDO_ODBC).
Fixed bug GH-8300 (User input not escaped when building connection string).
Fixed bug GH-9347 (Current ODBC liveness checks may be inadequate).
Fixed bug GH-9372 (HY010 when binding overlong parameter).
PDO_PGSQL:
Fixed bug GH-9411 (PgSQL large object resource is incorrectly closed).
Random:
Added new random extension.
Fixed bug GH-9067 (random extension is not thread safe).
Fixed bug GH-9055 (segmentation fault if user engine throws).
Fixed bug GH-9066 (signed integer overflow).
Fixed bug GH-9083 (undefined behavior during shifting).
Fixed bug GH-9088, GH-9056 (incorrect expansion of bytes when generating uniform integers within a given range).
Fixed bug GH-9089 (Fix memory leak on Randomizer::__construct() call twice).
Fixed bug GH-9212 (PcgOneseq128XslRr64::jump() should not allow negative $advance).
Changed Mt19937 to throw a ValueError instead of InvalidArgumentException for invalid $mode.
Splitted RandomRandomizer::getInt() (without arguments) to RandomRandomizer::nextInt().
Fixed bug GH-9235 (non-existant $sequence parameter in stub for PcgOneseq128XslRr64::__construct()).
Fixed bug GH-9190, GH-9191 (undefined behavior for MT_RAND_PHP when handling large ranges).
Fixed bug GH-9249 (Xoshiro256StarStar does not reject the invalid all-zero state).
Removed redundant RuntimeExceptions from Randomizer methods. The exceptions thrown by the engines will be exposed directly.
Added extension specific Exceptions/Errors (RandomException, RandomError, BrokenRandomEngineError).
Fixed bug GH-9415 (Randomizer::getInt(0, 2**32 - 1) with Mt19937 always returns 1).
Fixed Randomizer::getInt() consistency for 32-bit engines.
Fixed bug GH-9464 (build on older macOs releases).
Fixed bug GH-9839 (Pre-PHP 8.2 output compatibility for non-mt_rand() functions for MT_RAND_PHP).
Reflection:
Added ReflectionFunction::isAnonymous().
Added ReflectionMethod::hasPrototype().
Narrow ReflectionEnum::getBackingType() return type to ReflectionNamedType.
Fixed bug GH-8932 (ReflectionFunction provides no way to get the called class of a Closure).
Session:
Fixed bug GH-7787 (Improve session write failure message for user error handlers).
Fixed GH-9200 (setcookie has an obsolete expires date format).
Fixed GH-9584 (Avoid memory corruption when not unregistering custom session handler).
Fixed bug GH-9583 (session_create_id() fails with user defined save handler that doesn't have a validateId() method).
SOAP:
Fixed bug GH-9720 (Null pointer dereference while serializing the response).
Sockets:
Added TCP_NOTSENT_LOWAT socket option.
Added SO_MEMINFO socket option.
Added SO_RTABLE socket option (OpenBSD), equivalent of SO_MARK (Linux).
Added TCP_KEEPALIVE, TCP_KEEPIDLE, TCP_KEEPINTVL, TCP_KEEPCNT socket options.
Added ancillary data support for FreeBSD.
Added ancillary data support for NetBSD.
Added SO_BPF_EXTENSIONS socket option.
Added SO_SETFIB socket option.
Added TCP_CONGESTION socket option.
Added SO_ZEROCOPY/MSG_ZEROCOPY options.
Added SOL_FILTER socket option for Solaris.
Fixed socket constants regression as of PHP 8.2.0beta3.
Sodium:
Added sodium_crypto_stream_xchacha20_xor_ic().
SPL:
Uses safe_erealloc instead of erealloc to handle heap growth for the SplHeap::insert method to avoid possible overflows.
Widen iterator_to_array() and iterator_count()'s $iterator parameter to iterable.
Fixed bug #69181 (READ_CSV|DROP_NEW_LINE drops newlines within fields).
Fixed bug #65069 (GlobIterator incorrect handling of open_basedir check).
SQLite3:
Changed sqlite3.defensive from PHP_INI_SYSTEM to PHP_INI_USER.
Standard:
net_get_interfaces() also reports wireless network interfaces on Windows.
Finished AVIF support in getimagesize().
Fixed bug GH-7847 (stripos with large haystack has bad performance).
New function memory_reset_peak_usage().
Fixed parse_url(): can not recognize port without scheme.
Deprecated utf8_encode() and utf8_decode().
Fixed the crypt_sha256/512 api build with clang > 12.
Uses safe_erealloc instead of erealloc to handle options in getopt to avoid possible overflows.
Implemented FR GH-8924 (str_split should return empty array for empty string).
Added ini_parse_quantity function to convert ini quantities shorthand notation to int.
Enable arc4random_buf for Linux glibc 2.36 and onwards for the random_bytes.
Uses CCRandomGenerateBytes instead of arc4random_buf on macOs. (David Carlier).
Fixed bug #65489 (glob() basedir check is inconsistent).
Fixed GH-9200 (setcookie has an obsolete expires date format).
Fixed GH-9244 (Segfault with array_multisort + array_shift).
Fixed bug GH-9296 (`ksort` behaves incorrectly on arrays with mixed keys).
Marked crypt()'s $string parameter as #[SensitiveParameter].
Fixed bug GH-9464 (build on older macOs releases).
Fixed bug GH-9518 (Disabling IPv6 support disables unrelated constants).
Revert "Fixed parse_url(): can not recognize port without scheme." (andypost)
Fix crash reading module_entry after DL_UNLOAD() when module already loaded.
Streams:
Set IP_BIND_ADDRESS_NO_PORT if available when connecting to remote host.
Fixed bug GH-8548 (stream_wrapper_unregister() leaks memory).
Discard poll calls on socket when no timeout/non blocking/MSG_DONTWAIT.
Fixed bug GH-9316 ($http_response_header is wrong for long status line).
Fixed bug GH-9590 (stream_select does not abort upon exception or empty valid fd set).
Fixed bug GH-9653 (file copy between different filesystems).
Fixed bug GH-9779 (stream_copy_to_stream fails if dest in append mode).
Windows:
Added preliminary support for (cross-)building for ARM64.
XML:
Added libxml_get_external_entity_loader() function.
Zip:
add ZipArchive::clearError() method
add ZipArchive::getStreamName() method
add ZipArchive::getStreamIndex() method
On Windows, the Zip extension is now built as shared library (DLL) by default.
Implement fseek for zip stream when possible with libzip 1.9.1.

New in PHP 8.1.8 (Jul 8, 2022)

New in PHP 8.1.7 (Jun 9, 2022)

New in PHP 8.1.6 (May 11, 2022)

New in PHP 8.1.0 RC 4 (Oct 19, 2021)

New in PHP 8.0.10 (Aug 27, 2021)

New in PHP 8.0.9 (Aug 3, 2021)

New in PHP 7.3.5 (May 5, 2019)

New in PHP 7.2.12 (Nov 12, 2018)

New in PHP 7.2.6 (May 25, 2018)

New in PHP 7.2.2 (Feb 11, 2018)

New in PHP 7.1.12 (Nov 28, 2017)

New in PHP 7.1.11 (Oct 29, 2017)

New in PHP 7.2.0 RC1 (Sep 4, 2017)

New in PHP 7.1.9 (Sep 4, 2017)

New in PHP 7.1.7 (Jul 7, 2017)

New in PHP 7.1.6 (Jun 12, 2017)

New in PHP 7.1.3 (Mar 16, 2017)

New in PHP 7.1.2 (Feb 21, 2017)

Core:
Improved GENERATOR_CREATE opcode handler.
Fixed bug #73877 (readlink() returns garbage for UTF-8 paths).
Fixed bug #73876 (Crash when exporting **= in expansion of assign op).
Fixed bug #73962 (bug with symlink related to cyrillic directory).
Fixed bug #73969 (segfault in debug_print_backtrace).
Fixed bug #73994 (arginfo incorrect for unpack).
Fixed bug #73973 (assertion error in debug_zval_dump).
DOM:
Fixed bug #54382 (getAttributeNodeNS doesn't get xmlns* attributes).
DTrace:
Fixed bug #73965 (DTrace reported as enabled when disabled).
FCGI:
Fixed bug #73904 (php-cgi fails to load -c specified php.ini file).
Fixed bug #72898 (PHP_FCGI_CHILDREN is not included in phpinfo()).
FPM:
Fixed bug #69865 (php-fpm does not close stderr when using syslog).
GD:
Fixed bug #73968 (Premature failing of XBM reading).
GMP:
Fixed bug #69993 (test for gmp.h needs to test machine includes).
Hash:
Added hash_hkdf() function.
Fixed bug #73961 (environmental build dependency in hash sha3 source).
Intl:
Fix bug #73956 (Link use CC instead of CXX).
LDAP:
Fixed bug #73933 (error/segfault with ldap_mod_replace and opcache).
MySQLi:
Fixed bug #73949 (leak in mysqli_fetch_object).
Mysqlnd:
Fixed bug #69899 (segfault on close() after free_result() with mysqlnd).
Opcache:
Fixed bug #73983 (crash on finish work with phar in cli + opcache).
OpenSSL:
Fixed bug #71519 (add serial hex to return value array).
Fixed bug #73692 (Compile ext/openssl with openssl 1.1.0 on Win).
Fixed bug #73978 (openssl_decrypt triggers bug in PDO).
PDO_Firebird:
Implemented FR #72583 (All data are fetched as strings).
PDO_PgSQL:
Fixed bug #73959 (lastInsertId fails to throw an exception for wrong sequence name).
Phar:
Fixed bug #70417 (PharData::compress() doesn't close temp file).
posix:
Fixed bug #71219 (configure script incorrectly checks for ttyname_r).
Session:
Fixed bug #69582 (session not readable by root in CLI).
SPL:
Fixed bug #73896 (spl_autoload() crashes when calls magic _call()).
Standard:
Fixed bug #69442 (closing of fd incorrect when PTS enabled).
Fixed bug #47021 (SoapClient stumbles over WSDL delivered with "Transfer-Encoding: chunked").
Fixed bug #72974 (imap is undefined service on AIX).
Fixed bug #72979 (money_format stores wrong length AIX).
Fixed bug #73374 (intval() with base 0 should detect binary).
Fixed bug #69061 (mail.log = syslog contains double information).
ZIP:
Fixed bug #70103 (ZipArchive::addGlob ignores remove_all_path option).

New in PHP 7.1.1 (Jan 19, 2017)

Core:
Fixed bug #73792 (invalid foreach loop hangs script).
Fixed bug #73686 (Adding settype()ed values to ArrayObject results in references).
Fixed bug #73663 ("Invalid opcode 65/16/8" occurs with a variable created with list()).
Fixed bug #73727 (ZEND_MM_BITSET_LEN is "undefined symbol" in zend_bitset.h).
Fixed bug #73753 (unserialized array pointer not advancing).
Fixed bug #73783 (SIG_IGN doesn't work when Zend Signals is enabled).
Fixed bug #73825 (Heap out of bounds read on unserialize in finish_nested_data()).
Fixed bug #73831 (NULL Pointer Dereference while unserialize php object).
Fixed bug #73832 (Use of uninitialized memory in unserialize()).
CLI:
Fixed bug #72555 (CLI output(japanese) on Windows).
COM:
Fixed bug #73679 (DOTNET read access violation using invalid codepage).
DOM:
Fixed bug #67474 (getElementsByTagNameNS filter on default ns).
EXIF:
Fixed bug #73737 (FPE when parsing a tag format).
GD:
Fixed bug #73869 (Signed Integer Overflow gd_io.c).
Fixed bug #73868 (DOS vulnerability in gdImageCreateFromGd2Ctx()).
mbstring:
Fixed bug #73646 (mb_ereg_search_init null pointer dereference).
MySQLi:
Fixed bug #73462 (Persistent connections don't set $connect_errno).
mysqlnd:
Optimized handling of BIT fields - less memory copies and lower memory usage.
Fixed bug #73800 (sporadic segfault with MYSQLI_OPT_INT_AND_FLOAT_NATIVE).
opcache:
Fixed bug #73789 (Strange behavior of class constants in switch/case block).
Fixed bug #73746 (Method that returns string returns UNKNOWN:0 instead).
Fixed bug #73654 (Segmentation fault in zend_call_function).
Fixed bug #73668 ("SIGFPE Arithmetic exception" in opcache when divide by minus 1).
Fixed bug #73847 (Recursion when a variable is redefined as array).
PDO Firebird:
Fixed bug #72931 (PDO_FIREBIRD with Firebird 3.0 not work on returning statement).
phpdbg:
Fixed bug #73794 (Crash (out of memory) when using run and # command separator).
Fixed bug #73704 (phpdbg shows the wrong line in files with shebang).
SQLite3:
Reverted fix for Fixed bug #73530 (Unsetting result set may reset other result set).
Standard:
Fixed bug #73594 (dns_get_record does not populate $additional out parameter).
Fixed bug #70213 (Unserialize context shared on double class lookup).
Fixed bug #73154 (serialize object with __sleep function crash).
Fixed bug #70490 (get_browser function is very slow).
Fixed bug #73265 (Loading browscap.ini at startup causes high memory usage).
(add subject to mail log).
Fixed bug #31875 (get_defined_functions additional param to exclude disabled functions).
zlib:
Fixed bug #73373 (deflate_add does not verify that output was not truncated).

New in PHP 7.1.0 (Dec 4, 2016)

New in PHP 7.0.11 (Sep 20, 2016)

Core:
Fixed bug #72944 (Null pointer deref in zval_delref_p).
Fixed bug #72943 (assign_dim on string doesn't reset hval).
Fixed bug #72911 (Memleak in zend_binary_assign_op_obj_helper).
Fixed bug #72813 (Segfault with __get returned by ref).
Fixed bug #72767 (PHP Segfaults when trying to expand an infinite operator).
Fixed bug #72854 (PHP Crashes on duplicate destructor call).
Fixed bug #72857 (stream_socket_recvfrom read access violation).
COM:
Fixed bug #72922 (COM called from PHP does not return out parameters).
Dba:
Fixed bug #70825 (Cannot fetch multiple values with group in ini file).
FTP:
Fixed bug #70195 (Cannot upload file using ftp_put to FTPES with require_ssl_reuse).
GD:
Fixed bug #72709 (imagesetstyle() causes OOB read for empty $styles).
Fixed bug #66005 (imagecopy does not support 1bit transparency on truecolor images).
Fixed bug #72913 (imagecopy() loses single-color transparency on palette images).
Fixed bug #68716 (possible resource leaks in _php_image_convert()).
iconv:
Fixed bug #72320 (iconv_substr returns false for empty strings).
IMAP:
Fixed bug #72852 (imap_mail null dereference).
Intl:
Fixed bug #65732 (grapheme_*() is not Unicode compliant on CR LF sequence).
Fixed bug #73007 (add locale length check). (CVE-2016-7416)
Mysqlnd:
Fixed bug #72293 (Heap overflow in mysqlnd related to BIT fields). (CVE-2016-7412)
OCI8:
Fixed invalid handle error with Implicit Result Sets.
Fixed bug #72524 (Binding null values triggers ORA-24816 error).
Opcache:
Fixed bug #72949 (Typo in opcache error message).
PDO:
Fixed bug #72788 (Invalid memory access when using persistent PDO connection).
Fixed bug #72791 (Memory leak in PDO persistent connection handling).
Fixed bug #60665 (call to empty() on NULL result using PDO::FETCH_LAZY returns false).
PDO_DBlib:
Implemented stringify 'uniqueidentifier' fields.
PDO_pgsql:
Implemented FR #72633 (Postgres PDO lastInsertId() should work without specifying a sequence).
Fixed bug #72759 (Regression in pgo_pgsql).
Phar:
Fixed bug #72928 (Out of bound when verify signature of zip phar in phar_parse_zipfile). (CVE-2016-7414)
Fixed bug #73035 (Out of bound when verify signature of tar phar in phar_parse_tarfile).
Reflection:
Fixed bug #72846 (getConstant for a array constant with constant values returns NULL/NFC/UKNOWN).
Session:
Fixed bug #72724 (PHP7: session-uploadprogress kills httpd).
Fixed bug #72940 (SID always return "name=ID", even if session cookie exist).
SimpleXML:
Fixed bug #72971 (SimpleXML isset/unset do not respect namespace).
Fixed bug #72957 (Null coalescing operator doesn't behave as expected with SimpleXMLElement).
SPL:
Fixed bug #73029 (Missing type check when unserializing SplArray). (CVE-2016-7417)
Standard:
Fixed bug #55451 (substr_compare NULL length interpreted as 0).
Fixed bug #72278 (getimagesize returning FALSE on valid jpg).
Fixed bug #65550 (get_browser() incorrectly parses entries with "+" sign).
Streams:
Fixed bug #72853 (stream_set_blocking doesn't work).
Fixed bug #72764 (ftps:// opendir wrapper data channel encryption fails with IIS FTP 7.5, 8.5).
Fixed bug #71882 (Negative ftruncate() on php://memory exhausts memory).
SQLite3:
Downgraded bundled SQLite to 3.8.10.2, see #73068
Sysvshm:
Fixed bug #72858 (shm_attach null dereference).
Wddx:
Fixed bug #72860 (wddx_deserialize use-after-free). (CVE-2016-7413)
Fixed bug #73065 (Out-Of-Bounds Read in php_wddx_push_element). (CVE-2016-7418)
XML:
Fixed bug #72085 (SEGV on unknown address zif_xml_parse).
Fixed bug #72714 (_xml_startElementHandler() segmentation fault).
ZIP:
Fixed bug #68302 (impossible to compile php with zip support).

New in PHP 7.0.4 (Mar 7, 2016)

New in PHP 7.0.0 (Dec 2, 2015)

New in PHP 5.6.16 (Nov 28, 2015)

New in PHP 5.6.14 (Oct 2, 2015)

New in PHP 5.6.12 (Aug 8, 2015)

Core:
Fixed bug #70012 (Exception lost with nested finally block).
Fixed bug #70002 (TS issues with temporary dir handling).
Fixed bug #69793 (Remotely triggerable stack exhaustion via recursive method calls).
Fixed bug #69892 (Different arrays compare indentical due to integer key truncation).
Fixed bug #70121 (unserialize() could lead to unexpected methods execution / NULL pointer deref).
CLI server:
Fixed bug #69655 (php -S changes MKCALENDAR request method to MKCOL).
Fixed bug #64878 (304 responses return Content-Type header).
GD:
Fixed bug #53156 (imagerectangle problem with point ordering).
Fixed bug #66387 (Stack overflow with imagefilltoborder).
Fixed bug #70102 (imagecreatefromwebm() shifts colors).
Fixed bug #66590 (imagewebp() doesn't pad to even length).
Fixed bug #66882 (imagerotate by -90 degrees truncates image by 1px).
Fixed bug #70064 (imagescale(..., IMG_BICUBIC) leaks memory).
Fixed bug #69024 (imagescale segfault with palette based image).
Fixed bug #53154 (Zero-height rectangle has whiskers).
Fixed bug #67447 (imagecrop() add a black line when cropping).
Fixed bug #68714 (copy 'n paste error).
Fixed bug #66339 (PHP segfaults in imagexbm).
Fixed bug #70047 (gd_info() doesn't report WebP support).
ODBC:
Fixed bug #69975 (PHP segfaults when accessing nvarchar(max) defined columns).
OpenSSL:
Fixed bug #69882 (OpenSSL error "key values mismatch" after openssl_pkcs12_read with extra cert).
Fixed bug #70014 (openssl_random_pseudo_bytes() is not cryptographically secure).
Phar:
Improved fix for bug #69441.
Fixed bug #70019 (Files extracted from archive may be placed outside of destination directory).
SOAP:
Fixed bug #70081 (SoapClient info leak / null pointer dereference via multiple type confusions).
SPL:
Fixed bug #70068 (Dangling pointer in the unserialization of ArrayObject items).
Fixed bug #70166 (Use After Free Vulnerability in unserialize() with SPLArrayObject).
Fixed bug #70168 (Use After Free Vulnerability in unserialize() with SplObjectStorage).
Fixed bug #70169 (Use After Free Vulnerability in unserialize() with SplDoublyLinkedList).
Standard:
Fixed bug #70096 (Repeated iptcembed() adds superfluous FF bytes).

New in PHP 5.6.11 (Jul 12, 2015)

New in PHP 7.0.0 Alpha 2 (Jun 27, 2015)

Core:
Fixed bug #69872 (uninitialised value in strtr with array). (Laruence)
Fixed bug #69868 (Invalid read of size 1 in zend_compile_short_circuiting (Laruence)
Fixed bug #69849 (Broken output of apache_request_headers). (Kalle)
Fixed bug #69840 (iconv_substr() doesn't work with UTF-16BE). (Kalle)
Fixed bug #69823 (PHP 7.0.0alpha1 segmentation fault when exactly 33 extensions are loaded). (Laruence)
Fixed bug #69805 (null ptr deref and seg fault in zend_resolve_class_name) (Laruence)
Fixed bug #69802 (Reflection on Closure::__invoke borks type hint class name). (Dmitry)
Fixed bug #69761 (Serialization of anonymous classes should be prevented) (Laruence)
Fixed bug #69551 (parse_ini_file() and parse_ini_string() segmentation fault). (Christoph M. Becker)
Fixed bug #69781 (phpinfo() reports Professional Editions of Windows 7/8/8.1/10 as "Business"). (Christian Wenz)
Fixed bug #69835 (phpinfo() does not report many Windows SKUs). (Christian Wenz)
Fixed bug #69889 (Null coalesce operator doesn't work for string offsets). (Nikita)
Fixed bug #69891 (Unexpected array comparison result). (Nikita)
Fixed bug #69892 (Different arrays compare indentical due to integer key truncation). (Nikita)
Fixed bug #69893 (Strict comparison between integer and empty string keys crashes). (Nikita)
DOM:
Fixed bug #69846 (Segmenation fault (access violation) when iterating over DOMNodeList). (Anatol Belski)
GD:
Fixed bug #61221 (imagegammacorrect function loses alpha channel). (cmb)
mysqlnd:
Fixed Bug #69796 (mysqli_stmt::fetch doesn't assign null values to bound variables). (Laruence)
Curl:
Fixed bug #69831 (Segmentation fault in curl_getinfo). (im dot denisenko at yahoo dot com)
Opcache:
Removed opcache.load_comments configuration directive. Now doc comments loading costs nothing and always enabled. (Dmitry)
Fixed bug #69838 (Wrong size calculation for function table). (Anatol)
PCRE:
Fixed bug #69864 (Segfault in preg_replace_callback) (cmb, ab)
PDO_pgsql:
Fixed bug #69752 (PDOStatement::execute() leaks memory with DML Statements when closeCuror() is u). (Philip Hofstetter)
SPL
Fixed bug #69845 (ArrayObject with ARRAY_AS_PROPS broken). (Dmitry)
SQLite3
Fixed bug #69897 (segfault when manually constructing SQLite3Result). (Kalle)
Standard
Fixed bug #62922 (Truncating entire string should result in string). (Nikita)

New in PHP 7.0.0 Alpha 1 (Jun 12, 2015)

New in PHP 5.6.10 (Jun 12, 2015)

New in PHP 5.6.8 (Apr 17, 2015)

Core:
Fixed bug #66609 (php crashes with __get() and ++ operator in some cases).
Fixed bug #68021 (get_browser() browser_name_regex returns non-utf-8 characters).
Fixed bug #68917 (parse_url fails on some partial urls).
Fixed bug #69134 (Per Directory Values overrides PHP_INI_SYSTEM configuration options).
Additional fix for bug #69152 (Type confusion vulnerability in exception::getTraceAsString).
Fixed bug #69210 (serialize function return corrupted data when sleep has non-string values).
Fixed bug #69212 (Leaking VIA_HANDLER func when exception thrown in __call/... arg passing).
Fixed bug #69221 (Segmentation fault when using a generator in combination with an Iterator).
Fixed bug #69337 (php_stream_url_wrap_http_ex() type-confusion vulnerability).
Fixed bug #69353 (Missing null byte checks for paths in various PHP extensions).
Apache2handler:
Fixed bug #69218 (potential remote code execution with apache 2.4 apache2handler).
cURL:
Implemented FR #69278 (HTTP2 support).
Fixed bug #68739 (Missing break / control flow).
Fixed bug #69316 (Use-after-free in php_curl related to CURLOPT_FILE/_INFILE/_WRITEHEADER).
Date:
Fixed bug #69336 (Issues with "last day of ").
Enchant:
Fixed bug #65406 (Enchant broker plugins are in the wrong place in windows builds).
Ereg:
Fixed bug #68740 (NULL Pointer Dereference).
Fileinfo:
Fixed bug #68819 (Fileinfo on specific file causes spurious OOM and/or segfault).
Filter:
Fixed bug #69202: (FILTER_FLAG_STRIP_BACKTICK ignored unless other flags are used).
Fixed bug #69203 (FILTER_FLAG_STRIP_HIGH doesn't strip ASCII 127).
OPCache:
Fixed bug #69297 (function_exists strange behavior with OPCache on disabled function).
Fixed bug #69281 (opcache_is_script_cached no longer works).
Fixed bug #68677 (Use After Free). (CVE-2015-1351)
OpenSSL:
Fixed bugs #68853, #65137 (Buffered crypto stream data breaks IO polling in stream_select() contexts) (Chris Wright)
Fixed bug #69197 (openssl_pkcs7_sign handles default value incorrectly) (Daniel Lowrey)
Fixed bug #69215 (Crypto servers should send client CA list) (Daniel Lowrey)
Add a check for RAND_egd to allow compiling against LibreSSL (Leigh)
Phar:
Fixed bug #64343 (PharData::extractTo fails for tarball created by BSD tar).
Fixed bug #64931 (phar_add_file is too restrictive on filename).
Fixed bug #65467 (Call to undefined method cli_arg_typ_string).
Fixed bug #67761 (Phar::mapPhar fails for Phars inside a path containing ".tar").
Fixed bug #69324 (Buffer Over-read in unserialize when parsing Phar). (CVE-2015-2783)
Fixed bug #69441 (Buffer Overflow when parsing tar/zip/phar in phar_set_inode).
Postgres:
Fixed bug #68741 (Null pointer dereference). (CVE-2015-1352)
SPL:
Fixed bug #69227 (Use after free in zval_scan caused by spl_object_storage_get_gc).
SOAP:
Fixed bug #69293 (NEW segfault when using SoapClient::__setSoapHeader (bisected, regression)).
Sqlite3:
Fixed bug #68760 (SQLITE segfaults if custom collator throws an exception).
Fixed bug #69287 (Upgrade bundled libsqlite to 3.8.8.3).
Fixed bug #66550 (SQLite prepared statement use-after-free).

New in PHP 5.6.7 (Mar 20, 2015)

Core:
Fixed bug #69174 (leaks when unused inner class use traits precedence).
Fixed bug #69139 (Crash in gc_zval_possible_root on unserialize).
Fixed bug #69121 (Segfault in get_current_user when script owner is not in passwd with ZTS build).
Fixed bug #65593 (Segfault when calling ob_start from output buffering callback).
Fixed bug #68986 (pointer returned by php_stream_fopen_temporary_file not validated in memory.c).
Fixed bug #68166 (Exception with invalid character causes segv).
Fixed bug #69141 (Missing arguments in reflection info for some builtin functions).
Fixed bug #68976 (Use After Free Vulnerability in unserialize()). (CVE-2015-0231)
Fixed bug #69134 (Per Directory Values overrides PHP_INI_SYSTEM configuration options).
Fixed bug #69207 (move_uploaded_file allows nulls in path).
CGI:
Fixed bug #69015 (php-cgi's getopt does not see $argv).
CLI:
Fixed bug #67741 (auto_prepend_file messes up __LINE__).
cURL:
Fixed bug #69088 (PHP_MINIT_FUNCTION does not fully initialize cURL on Win32).
Add CURLPROXY_SOCKS4A and CURLPROXY_SOCKS5_HOSTNAME constants if supported by libcurl.
Ereg:
Fixed bug #69248 (heap overflow vulnerability in regcomp.c). (CVE-2015-2305)
FPM:
Fixed bug #68822 (request time is reset too early).
ODBC:
Fixed bug #68964 (Allowed memory size exhausted with odbc_exec).
Opcache:
Fixed bug #69159 (Opcache causes problem when passing a variable variable to a function).
Fixed bug #69125 (Array numeric string as key).
Fixed bug #69038 (switch(SOMECONSTANT) misbehaves).
OpenSSL:
Fixed bug #68912 (Segmentation fault at openssl_spki_new).
Fixed bug #61285, #68329, #68046, #41631 (encrypted streams don't observe socket timeouts).
Fixed bug #68920 (use strict peer_fingerprint input checks) (Daniel Lowrey)
Fixed bug #68879 (IP Address fields in subjectAltNames not used) (Daniel Lowrey)
Fixed bug #68265 (SAN match fails with trailing DNS dot) (Daniel Lowrey)
Fixed bug #67403 (Add signatureType to openssl_x509_parse) (Daniel Lowrey)
Fixed bug #69195 (Inconsistent stream crypto values across versions) (Daniel Lowrey)
pgsql:
Fixed bug #68638 (pg_update() fails to store infinite values).
Readline:
Fixed bug #69054 (Null dereference in readline_(read|write)_history() without parameters).
SOAP:
Fixed bug #69085 (SoapClient's __call() type confusion through unserialize()).
SPL:
Fixed bug #69108 ("Segmentation fault" when (de)serializing SplObjectStorage).
Fixed bug #68557 (RecursiveDirectoryIterator::seek(0) broken after calling getChildren()).
ZIP:
Fixed bug #69253 (ZIP Integer Overflow leads to writing past heap boundary). (CVE-2015-2331)

New in PHP 5.6.6 (Feb 20, 2015)

Core:
Removed support for multi-line headers, as the are deprecated by RFC 7230.
Fixed bug #67068 (getClosure returns somethings that's not a closure).
Fixed bug #68942 (Use after free vulnerability in unserialize() with DateTimeZone). (CVE-2015-0273)
Fixed bug #68925 (Mitigation for CVE-2015-0235 – GHOST: glibc gethostbyname buffer overflow).
Fixed bug #67988 (htmlspecialchars() does not respect default_charset specified by ini_set) (Yasuo)
Added NULL byte protection to exec, system and passthru.
Dba:
Fixed bug #68711 (useless comparisons).
Enchant:
Fixed bug #68552 (heap buffer overflow in enchant_broker_request_dict()).
Fileinfo:
Fixed bug #68827 (Double free with disabled ZMM).
Fixed bug #67647 (Bundled libmagic 5.17 does not detect quicktime files correctly).
Fixed bug #68731 (finfo_buffer doesn't extract the correct mime with some gifs).
FPM:
Fixed bug #66479 (Wrong response to FCGI_GET_VALUES).
Fixed bug #68571 (core dump when webserver close the socket).
JSON:
Fixed bug #50224 (json_encode() does not always encode a float as a float) by adding JSON_PRESERVE_ZERO_FRACTION.
LIBXML:
Fixed bug #64938 (libxml_disable_entity_loader setting is shared between threads).
Mysqli:
Fixed bug #68114 (linker error on some OS X machines with fixed width decimal support) (Keyur Govande)
Fixed bug #68657 (Reading 4 byte floats with Mysqli and libmysqlclient has rounding errors) (Keyur Govande)
Opcache:
Fixed bug with try blocks being removed when extended_info opcode generation is turned on.
PDO_mysql:
Fixed bug #68750 (PDOMysql with mysqlnd does not allow the usage of named pipes).
Phar:
Fixed bug #68901 (use after free).
Pgsql:
Fixed bug #65199 (pg_copy_from() modifies input array variable) (Yasuo)
Session:
Fixed bug #68941 (mod_files.sh is a bash-script) (bugzilla at ii.nl, Yasuo)
Fixed bug #66623 (no EINTR check on flock) (Yasuo)
Fixed bug #68063 (Empty session IDs do still start sessions) (Yasuo)
Sqlite3:
Fixed bug #68260 (SQLite3Result::fetchArray declares wrong required_num_args).
Standard:
Fixed bug #65272 (flock() out parameter not set correctly in windows).
Fixed bug #69033 (Request may get env. variables from previous requests if PHP works as FastCGI).
Streams:
Fixed bug which caused call after final close on streams filter.

New in PHP 5.6.3 (Dec 17, 2014)

Core:
Implemented 64-bit format codes for pack() and unpack().
Fixed bug #51800 (proc_open on Windows hangs forever).
Fixed bug #67633 (A foreach on an array returned from a function not doing copy-on-write).
Fixed bug #67739 (Windows 8.1/Server 2012 R2 OS build number reported as 6.2 (instead of 6.3)).
Fixed bug #67949 (DOMNodeList elements should be accessible through array notation) (Florian)
Fixed bug #68095 (AddressSanitizer reports a heap buffer overflow in php_getopt()).
Fixed bug #68118 ($a->foo .= 'test'; can leave $a->foo undefined).
Fixed bug #68129 (parse_url() - incomplete support for empty usernames and passwords) (Tjerk)
Fixed bug #68365 (zend_mm_heap corrupted after memory overflow in zend_hash_copy).
CURL:
Add CURL_SSLVERSION_TLSv1_0, CURL_SSLVERSION_TLSv1_1, and CURL_SSLVERSION_TLSv1_2 constants if supported by libcurl (Rasmus)
Fileinfo:
Fixed bug #66242 (libmagic: don't assume char is signed).
Fixed bug #68224 (buffer-overflow in libmagic/readcdf.c caught by AddressSanitizer).
Fixed bug #68283 (fileinfo: out-of-bounds read in elf note headers).
FPM:
Fixed bug #65641 (PHP-FPM incorrectly defines the SCRIPT_NAME variable when using Apache, mod_proxy-fcgi and ProxyPass).
Implemented FR #55508 (listen and listen.allowed_clients should take IPv6 addresses).
GD:
Fixed bug #65171 (imagescale() fails without height param).
GMP:
Implemented gmp_random_range() and gmp_random_bits().
Fixed bug #63595 (GMP memory management conflicts with other libraries using GMP).
Mysqli:
Fixed bug #68114 (linker error on some OS X machines with fixed width decimal support) (Keyur Govande)
ODBC:
Fixed bug #68087 (ODBC not correctly reading DATE column when preceded by a VARCHAR column) (Keyur Govande)
OpenSSL:
Fixed bug #68074 (Allow to use system cipher list instead of hardcoded value).
PDO_pgsql:
Fixed bug #68199 (PDO::pgsqlGetNotify doesn't support NOTIFY payloads) (Matteo, Alain Laporte)
Fixed bug #66584 (Segmentation fault on statement deallocation) (Matteo)
Reflection:
Fixed bug #68103 (Duplicate entry in Reflection for class alias).
SPL:
Fixed bug #68128 (Regression in RecursiveRegexIterator) (Tjerk)

New in PHP 5.6.1 (Oct 3, 2014)

New in PHP 5.5.16 (Aug 27, 2014)

New in PHP 5.6.0 Alpha 2 (Feb 17, 2014)

New in PHP 5.6.0 Alpha 1 (Jan 25, 2014)

New in PHP 5.5.8 (Jan 10, 2014)

New in PHP 5.5.7 (Dec 12, 2013)

New in PHP 5.5.7 RC1 (Nov 29, 2013)

New in PHP 5.5.6 (Nov 14, 2013)

New in PHP 5.5.5 (Oct 17, 2013)

Core:
Fixed bug #64979 (Wrong behavior of static variables in closure generators).
Fixed bug #65322 (compile time errors won't trigger auto loading).
Fixed bug #65821 (By-ref foreach on property access of string offset segfaults).
CLI Server:
Fixed bug #65633 (built-in server treat some http headers as case-sensitive).
Fixed bug #65818 (Segfault with built-in webserver and chunked transfer encoding).
Added application/pdf to PHP CLI Web Server mime types
Datetime:
Fixed bug #64157 (DateTime::createFromFormat() reports confusing error message).
Fixed bug #65502 (DateTimeImmutable::createFromFormat returns DateTime).
Fixed bug #65548 (Comparison for DateTimeImmutable doesn't work).
DBA:
Fixed bug #65708 (dba functions cast $key param to string in-place, bypassing copy on write).
Filter:
Add RFC 6598 IPs to reserved addresses.
Fixed bug #64441 (FILTER_VALIDATE_URL rejects fully qualified domain names).
FTP:
Fixed bug #65667 (ftp_nb_continue produces segfault).
GD:
Ensure that the defined interpolation method is used with the generic scaling methods.
IMAP:
Fixed bug #65721 (configure script broken in 5.5.4 and 5.4.20 when enabling imap).
OPCache:
Fixed bug #65845 (Error when Zend Opcache Optimizer is fully enabled).
Fixed bug #65665 (Exception not properly caught when opcache enabled).
Fixed bug #65510 (5.5.2 crashes in _get_zval_ptr_ptr_var).
Fixed issue #135 (segfault in interned strings if initial memory is too low).
Added function opcache_compile_file() to load PHP scripts into cache without execution.
Added support for GNU Hurd.
Sockets:
Fixed bug #65808 (the socket_connect() won't work with IPv6 address).
SPL:
Fixed bug #64782 (SplFileObject constructor make $context optional / give it a default value).
Standard:
Fixed bug #61548 content-type must appear at the end of headers for 201 Location to work in http.
XMLReader:
Fixed bug #51936 Crash with clone XMLReader.
Fixed bug #64230 XMLReader does not suppress errors.
Build system:
Fixed bug #51076 Race condition in shtool's mkdir -p implementation.
Fixed bug #62396 'make test' crashes starting with 5.3.14 (missing gzencode()).

New in PHP 5.5.4 (Sep 20, 2013)

New in PHP 5.5.3 (Aug 23, 2013)

New in PHP 5.5.0 RC3 (Jun 13, 2013)

New in PHP 5.4.16 (Jun 7, 2013)

New in PHP 5.5.0 RC2 (Jun 5, 2013)

New in PHP 5.5.0 Beta 1 (Mar 22, 2013)

New in PHP 5.5.0 Alpha 4 (Jan 24, 2013)

New in PHP 5.4.10 (Dec 20, 2012)

New in PHP 5.4.9 (Nov 23, 2012)

New in PHP 5.4.8 (Oct 19, 2012)

New in PHP 5.4.5 (Jul 20, 2012)

Core:
Fixed bug #62443 (Crypt SHA256/512 Segfaults With Malformed Salt)
Fixed bug #62432 (ReflectionMethod random corrupt memory on high concurrent)
Fixed bug #62373 (serialize() generates wrong reference to the object).
Fixed bug #62357 (compile failure: (S) Arguments missing for built-in function __memcmp)
Fixed bug #61998 (Using traits with method aliases appears to result in crash during execution)
Fixed bug #51094 (parse_ini_file() with INI_SCANNER_RAW cuts a value that includes a semi-colon)
Fixed potential overflow in _php_stream_scandir (CVE-2012-2688)
EXIF:
Fixed information leak in ext exi
FPM:
Fixed bug #62205 (php-fpm segfaults (null passed to strstr)
Fixed bug #62160 (Add process.priority to set nice(2) priorities)
Fixed bug #62153 (when using unix sockets, multiples FPM instances)
Fixed bug #62033 (php-fpm exits with status 0 on some failures to start)
Fixed bug #61839 (Unable to cross-compile PHP with --enable-fpm)
Fixed bug #61835 (php-fpm is not allowed to run as root)
Fixed bug #61295 (php-fpm should not fail with commented 'user'
Fixed bug #61218 (FPM drops connection while receiving some binary values in FastCGI requests)
Fixed bug #61045 (fpm don't send error log to fastcgi clients). (fat) for non-root start)
Fixed bug #61026 (FPM pools can listen on the same address). (fat) can be launched without errors)
Iconv:
Fixed bug #55042 (Erealloc in iconv.c unsafe)
Intl:
Fixed bug #62083 (grapheme_extract() memory leaks)
Fixed bug #62081 (IntlDateFormatter constructor leaks memory when called twice)
Fixed bug #62070 (Collator::getSortKey() returns garbage)
Fixed bug #62017 (datefmt_create with incorrectly encoded timezone leaks pattern)
Fixed bug #60785 (memory leak in IntlDateFormatter constructor)
ResourceBundle constructor now accepts NULL for the first two arguments
JSON:
Fixed bug #61359 (json_encode() calls too many reallocs)
libxml:
Fixed bug #62266 (Custom extension segfaults during xmlParseFile with FPM SAPI)
Phar:
Fixed bug #62227 (Invalid phar stream path causes crash)
Readline:
Fixed bug #62186 (readline fails to compile - void function should not return a value)
Reflection:
Fixed bug #62384 (Attempting to invoke a Closure more than once causes segfault)
Fixed bug #62202 (ReflectionParameter::getDefaultValue() memory leaks with constant)
Sockets:
Fixed bug #62025 (__ss_family was changed on AIX 5.3)
SPL:
Fixed bug #62433 (Inconsistent behavior of RecursiveDirectoryIterator to dot files)
Fixed bug #62262 (RecursiveArrayIterator does not implement Countable)
XML Writer:
Fixed bug #62064 (memory leak in the XML Writer module)
Zip:
Upgraded libzip to 0.10.

New in PHP 5.4.4 (Jun 15, 2012)

New in PHP 5.4.0 (Mar 2, 2012)

New in PHP 5.3.10 (Feb 3, 2012)

New in PHP 5.4 RC5 (Jan 8, 2012)

New in PHP 5.4 RC4 (Dec 28, 2011)

New in PHP 5.3.3 (Jul 23, 2010)

Security Enhancements and Fixes in PHP 5.3.3:
Rewrote var_export() to use smart_str rather than output buffering, prevents data disclosure if a fatal error occurs (CVE-2010-2531).
Fixed a possible resource destruction issues in shm_put_var().
Fixed a possible information leak because of interruption of XOR operator.
Fixed a possible memory corruption because of unexpected call-time pass by refernce and following memory clobbering through callbacks.
Fixed a possible memory corruption in ArrayObject::uasort().
Fixed a possible memory corruption in parse_str().
Fixed a possible memory corruption in pack().
Fixed a possible memory corruption in substr_replace().
Fixed a possible memory corruption in addcslashes().
Fixed a possible stack exhaustion inside fnmatch().
Fixed a possible dechunking filter buffer overflow.
Fixed a possible arbitrary memory access inside sqlite extension.
Fixed string format validation inside phar extension.
Fixed handling of session variable serialization on certain prefix characters.
Fixed a NULL pointer dereference when processing invalid XML-RPC requests (Fixes CVE-2010-0397, bug #51288).
Fixed SplObjectStorage unserialization problems (CVE-2010-2225).
Fixed possible buffer overflows in mysqlnd_list_fields, mysqlnd_change_user.
Fixed possible buffer overflows when handling error packets in mysqlnd.
Key enhancements in PHP 5.3.3 include:
Upgraded bundled sqlite to version 3.6.23.1.
Upgraded bundled PCRE to version 8.02.
Added FastCGI Process Manager (FPM) SAPI.
Added stream filter support to mcrypt extension.
Added full_special_chars filter to ext/filter.
Fixed a possible crash because of recursive GC invocation.
Fixed bug #52238 (Crash when an Exception occured in iterator_to_array).
Fixed bug #52041 (Memory leak when writing on uninitialized variable returned from function).
Fixed bug #52060 (Memory leak when passing a closure to method_exists()).
Fixed bug #52001 (Memory allocation problems after using variable variables).
Fixed bug #51723 (Content-length header is limited to 32bit integer with Apache2 on Windows).
Fixed bug #48930 (__COMPILER_HALT_OFFSET__ incorrect in PHP >= 5.3).

New in PHP 5.3.2 (Mar 5, 2010)

New in PHP 5.3.2 RC1 (Dec 23, 2009)

Upgraded bundled sqlite to version 3.6.21. (Ilia)
Upgraded bundled PCRE to version 8.00. (Scott)
Changed gmp_strval() to use full range from 2 to 62, and -2 to -36. FR #50283 (David Soria Parra)
Changed "post_max_size" php.ini directive to allow unlimited post size by setting it to 0. (Rasmus)
Added INTERNALDATE support to imap_append. (nick at mailtrust dot com)
Added support for SHA-256 and SHA-512 to php's crypt. (Pierre)
Added realpath_cache_size() and realpath_cache_get() functions. (Stas)
Added FILTER_FLAG_STRIP_BACKTICK option to the filter extension. (Ilia)
Added protection for $_SESSION from interrupt corruption and improved "session.save_path" check. (Stas)
Added LIBXML_PARSEHUGE constant to override the maximum text size of a single text node when using libxml2.7.3+. (Kalle)
Added ReflectionMethod::setAccessible() for invoking non-public methods through the Reflection API. (Sebastian)
Added Collator::getSortKey for intl extension. (Stas)
Added support for CURLOPT_POSTREDIR. FR #49571. (Sriram Natarajan)
Added support for CURLOPT_CERTINFO. FR #49253. (Linus Nielsen Feltzing )
Added client-side server name indication support in openssl. (Arnaud)
Improved fix for bug #50006 (Segfault caused by uksort()). (Stas)
Fixed mysqlnd hang when queries exactly 16777214 bytes long are sent. (Andrey)
Fixed incorrect decoding of 5-byte BIT sequences in mysqlnd. (Andrey)
Fixed error_log() to be binary safe when using message_type 3. (Jani)
Fixed unnecessary invocation of setitimer when timeouts have been disabled. (Arvind Srinivasan)
Fixed memory leak in extension loading when an error occurs on Windows. (Pierre)
Fixed bug #50540 (Crash while running ldap_next_reference test cases). (Sriram)
Fixed bug #50508 (compile failure: Conflicting HEADER type declarations). (Jani)
Fixed bug #50496 (Use of is valid only in a c99 compilation environment. (Sriram)
Fixed bug #50464 (declare encoding doesn't work within an included file). (Felipe)
Fixed bug #50458 (PDO::FETCH_FUNC fails with Closures). (Felipe, Pierrick)
Fixed bug #50445 (PDO-ODBC stored procedure call from Solaris 64-bit causes seg fault). (davbrown4 at yahoo dot com, Felipe)
Fixed bug #50394 (Reference argument converted to value in __call). (Stas)
Fixed bug #50351 (performance regression handling objects, ten times slower in 5.3 than in 5.2). (Dmitry)
Fixed bug #50392 (date_create_from_format() enforces 6 digits for 'u' format character). (Ilia)
Fixed bug #50345 (nanosleep not detected properly on some solaris versions). (Jani)
Fixed bug #50340 (php.ini parser does not allow spaces in ini keys). (Jani)
Fixed bug #50334 (crypt ignores sha512 prefix). (Pierre)
Fixed bug #50323 (Allow use of ; in values via ;; in PDO DSN). (Ilia, Pierrick)
Fixed bug #50285 (xmlrpc does not preserve keys in encoded indexed arrays). (Felipe)
Fixed bug #50282 (xmlrpc_encode_request() changes object into array in calling function). (Felipe)
Fixed bug #50267 (get_browser(null) does not use HTTP_USER_AGENT). (Jani)
Fixed bug #50266 (conflicting types for llabs). (Jani)
Fixed bug #50261 (Crash When Calling Parent Constructor with call_user_func()). (Dmitry)
Fixed bug #50255 (isset() and empty() silently casts array to object). (Felipe)
Fixed bug #50240 (pdo_mysql.default_socket in php.ini shouldn't used if it is empty). (foutrelis at gmail dot com, Ilia)
Fixed bug #50231 (Socket path passed using --with-mysql-sock is ignored when mysqlnd is enabled). (Jani)
Fixed bug #50219 (soap call Segmentation fault on a redirected url). (Pierrick)
Fixed bug #50212 (crash by ldap_get_option() with LDAP_OPT_NETWORK_TIMEOUT). (Ilia, shigeru_kitazaki at cybozu dot co dot jp)
Fixed bug #50209 (Compiling with libedit cannot find readline.h). (tcallawa at redhat dot com)
Fixed bug #50207 (segmentation fault when concatenating very large strings on 64bit linux). (Ilia)
Fixed bug #50196 (stream_copy_to_stream() produces warning when source is not file). (Stas)
Fixed bug #50195 (pg_copy_to() fails when table name contains schema. (Ilia)
Fixed bug #50185 (ldap_get_entries() return false instead of an empty array when there is no error). (Jani)
Fixed bug #50174 (Incorrectly matched docComment). (Felipe)
Fixed bug #50168 (FastCGI fails with wrong error on HEAD request to non-existant file). (Dmitry)
Fixed bug #50162 (Memory leak when fetching timestamp column from Oracle database). (Felipe)
Fixed bug #50159 (wrong working directory in symlinked files). (Dmitry)
Fixed bug #50158 (FILTER_VALIDATE_EMAIL fails with valid addresses containing = or ?). (Pierrick)
Fixed bug #50152 (ReflectionClass::hasProperty behaves like isset() not property_exists). (Felipe)
Fixed bug #50146 (property_exists: Closure object cannot have properties). (Felipe)
Fixed bug #50145 (crash while running bug35634.phpt). (Felipe)
Fixed bug #50140 (With default compilation option, php symbols are unresolved for nsapi). (Uwe Schindler)
Fixed bug #50087 (NSAPI performance improvements). (Uwe Schindler)
Fixed bug #50073 (parse_url() incorrect when ? in fragment). (Ilia)
Fixed bug #50023 (pdo_mysql doesn't use PHP_MYSQL_UNIX_SOCK_ADDR). (Ilia)
Fixed bug #50005 (Throwing through Reflection modified Exception object makes segmentation fault). (Felipe)
Fixed bug #49990 (SNMP3 warning message about security level printed twice). (Jani)
Fixed bug #49985 (pdo_pgsql prepare() re-use previous aborted transaction). (ben dot pineau at gmail dot com, Ilia, Matteo)
Fixed bug #49938 (Phar::isBuffering() returns inverted value). (Greg)
Fixed bug #49936 (crash with ftp stream in php_stream_context_get_option()). (Pierrick)
Fixed bug #49921 (Curl post upload functions changed). (Ilia)
Fixed bug #49866 (Making reference on string offsets crashes PHP). (Dmitry)
Fixed bug #49855 (import_request_variables() always returns NULL). (Ilia, sjoerd at php dot net)
Fixed bug #49851, #50451 (http wrapper breaks on 1024 char long headers). (Ilia)
Fixed bug #49800 (SimpleXML allow (un)serialize() calls without warning). (Ilia, wmeler at wp-sa dot pl)
Fixed bug #49719 (ReflectionClass::hasProperty returns true for a private property in base class). (Felipe)
Fixed bug #49677 (ini parser crashes with apache2 and using ${something} ini variables). (Jani)
Fixed bug #49660 (libxml 2.7.3+ limits text nodes to 10MB). (Felipe)
Fixed bug #49647 (DOMUserData does not exist). (Rob)
Fixed bug #49521 (PDO fetchObject sets values before calling constructor). (Pierrick)
Fixed bug #49472 (Constants defined in Interfaces can be overridden). (Felipe)
Fixed bug #49244 (Floating point NaN cause garbage characters). (Sjoerd)
Fixed bug #49224 (Compile error due to old DNS functions on AIX systems). (Scott)
Fixed bug #49174 (crash when extending PDOStatement and trying to set queryString property). (Felipe)
Fixed bug #47848 (importNode doesn't preserve attribute namespaces). (Rob)
Fixed bug #46478 (htmlentities() uses obsolete mapping table for character entity references). (Moriyoshi)
Fixed bug #45599 (strip_tags() truncates rest of string with invalid attribute). (Ilia, hradtke)
Fixed bug #45120 (PDOStatement->execute() returns true then false for same statement). (Pierrick)
Fixed bug #34852 (Failure in odbc_exec() using oracle-supplied odbc driver). (tim dot tassonis at trivadis dot com)

PHP Changelog

What's new in PHP 8.3.6

New in PHP 8.3.3 (Mar 13, 2024)

New in PHP 8.3.1 (Dec 21, 2023)

New in PHP 8.3.0 (Nov 23, 2023)

New in PHP 8.2.11 (Sep 29, 2023)

New in PHP 8.2.10 (Sep 1, 2023)

New in PHP 8.2.9 (Sep 1, 2023)

New in PHP 8.2.8 (Jul 6, 2023)

New in PHP 8.2.6 (Jun 7, 2023)

New in PHP 8.2.5 (May 10, 2023)

New in PHP 8.2.4 (Mar 19, 2023)

New in PHP 8.2.2 (Feb 3, 2023)

New in PHP 8.2.1 (Feb 3, 2023)

New in PHP 8.2.0 (Jan 4, 2023)

New in PHP 8.1.8 (Jul 8, 2022)

New in PHP 8.1.7 (Jun 9, 2022)

New in PHP 8.1.6 (May 11, 2022)

New in PHP 8.1.0 RC 4 (Oct 19, 2021)

New in PHP 8.0.10 (Aug 27, 2021)

New in PHP 8.0.9 (Aug 3, 2021)

New in PHP 7.3.5 (May 5, 2019)

New in PHP 7.2.12 (Nov 12, 2018)

New in PHP 7.2.6 (May 25, 2018)

New in PHP 7.2.2 (Feb 11, 2018)

New in PHP 7.1.12 (Nov 28, 2017)

New in PHP 7.1.11 (Oct 29, 2017)

New in PHP 7.2.0 RC1 (Sep 4, 2017)

New in PHP 7.1.9 (Sep 4, 2017)

New in PHP 7.1.7 (Jul 7, 2017)

New in PHP 7.1.6 (Jun 12, 2017)

New in PHP 7.1.3 (Mar 16, 2017)

New in PHP 7.1.2 (Feb 21, 2017)

New in PHP 7.1.1 (Jan 19, 2017)

New in PHP 7.1.0 (Dec 4, 2016)

New in PHP 7.0.11 (Sep 20, 2016)

New in PHP 7.0.4 (Mar 7, 2016)

New in PHP 7.0.0 (Dec 2, 2015)

New in PHP 5.6.16 (Nov 28, 2015)

New in PHP 5.6.14 (Oct 2, 2015)

New in PHP 5.6.12 (Aug 8, 2015)

New in PHP 5.6.11 (Jul 12, 2015)

New in PHP 7.0.0 Alpha 2 (Jun 27, 2015)

New in PHP 7.0.0 Alpha 1 (Jun 12, 2015)

New in PHP 5.6.10 (Jun 12, 2015)

New in PHP 5.6.8 (Apr 17, 2015)

New in PHP 5.6.7 (Mar 20, 2015)

New in PHP 5.6.6 (Feb 20, 2015)

New in PHP 5.6.3 (Dec 17, 2014)

New in PHP 5.6.1 (Oct 3, 2014)

New in PHP 5.5.16 (Aug 27, 2014)

New in PHP 5.6.0 Alpha 2 (Feb 17, 2014)

New in PHP 5.6.0 Alpha 1 (Jan 25, 2014)

New in PHP 5.5.8 (Jan 10, 2014)

New in PHP 5.5.7 (Dec 12, 2013)

New in PHP 5.5.7 RC1 (Nov 29, 2013)

New in PHP 5.5.6 (Nov 14, 2013)

New in PHP 5.5.5 (Oct 17, 2013)

New in PHP 5.5.4 (Sep 20, 2013)

New in PHP 5.5.3 (Aug 23, 2013)

New in PHP 5.5.0 RC3 (Jun 13, 2013)

New in PHP 5.4.16 (Jun 7, 2013)

New in PHP 5.5.0 RC2 (Jun 5, 2013)

New in PHP 5.5.0 Beta 1 (Mar 22, 2013)

New in PHP 5.5.0 Alpha 4 (Jan 24, 2013)

New in PHP 5.4.10 (Dec 20, 2012)

New in PHP 5.4.9 (Nov 23, 2012)

New in PHP 5.4.8 (Oct 19, 2012)

New in PHP 5.4.5 (Jul 20, 2012)

New in PHP 5.4.4 (Jun 15, 2012)

New in PHP 5.4.0 (Mar 2, 2012)

New in PHP 5.3.10 (Feb 3, 2012)

New in PHP 5.4 RC5 (Jan 8, 2012)

New in PHP 5.4 RC4 (Dec 28, 2011)

New in PHP 5.3.3 (Jul 23, 2010)

New in PHP 5.3.2 (Mar 5, 2010)

New in PHP 5.3.2 RC1 (Dec 23, 2009)

New in PHP 5.2.8 (Dec 9, 2008)