Ondřej Surý has released PHP 8.0.8, 7.4.21, and 7.3.29 packages for Debian GNU/Linux 9 LTS, 10, and 11, as well PHP 5.6.40-52, 7.0.33-52, 7.1.33-39, and 7.2.34-23 packages with security backports from 7.3.29.

To add the repository:

#!/bin/bash # To add this repository please do:

if [ "$(whoami)" != "root" ]; then
SUDO=sudo
fi

${SUDO} apt-get -y install apt-transport-https lsb-release ca-certificates curl
${SUDO} wget -O /etc/apt/trusted.gpg.d/php.gpg https://packages.sury.org/php/apt.gpg
${SUDO} sh -c 'echo "deb https://packages.sury.org/php/ $(lsb_release -sc) main" > /etc/apt/sources.list.d/php.list'
${SUDO} apt-get update

PHP Packages
Issues Tracker

PHP 8.0.8

- Core:
. Fixed bug #81076 (incorrect debug info on Closures with implicit binds).
(krakjoe)
. Fixed bug #81068 (Double free in realpath_cache_clean()). (Dimitry Andric)
. Fixed bug #76359 (open_basedir bypass through adding ".."). (cmb)
. Fixed bug #81090 (Typed property performance degradation with .= operator).
(Nikita)
. Fixed bug #81070 (Integer underflow in memory limit comparison).
(Peter van Dommelen)
. Fixed bug #81122 (SSRF bypass in FILTER_VALIDATE_URL).
(CVE-2021-21705) (cmb)

- Bzip2:
. Fixed bug #81092 (fflush before stream_filter_remove corrupts stream).
(cmb)

- Fileinfo:
. Fixed bug #80197 (implicit declaration of function 'magic_stream' is
invalid). (Nikita)

- GMP:
. Fixed bug #81119 (GMP operators throw errors with wrong parameter names).
(Nikita)

- OCI8:
. Fixed bug #81088 (error in regression test for oci_fetch_object() and
oci_fetch_array()). (Máté)

- Opcache:
. Fixed bug #81051 (Broken property type handling after incrementing
reference). (Dmitry)
. Fixed bug #80968 (JIT segfault with return from required file). (Dmitry)

- OpenSSL:
. Fixed bug #76694 (native Windows cert verification uses CN as sever name).
(cmb)

- MySQLnd:
. Fixed bug #80761 (PDO uses too much memory). (Nikita)

- PDO_Firebird:
. Fixed bug #76448 (Stack buffer overflow in firebird_info_cb).
(CVE-2021-21704) (cmb)
. Fixed bug #76449 (SIGSEGV in firebird_handle_doer).
(CVE-2021-21704) (cmb)
. Fixed bug #76450 (SIGSEGV in firebird_stmt_execute).
(CVE-2021-21704) (cmb)
. Fixed bug #76452 (Crash while parsing blob data in firebird_fetch_blob).
(CVE-2021-21704) (cmb)

- readline:
. Fixed bug #72998 (invalid read in readline completion). (krakjoe)

- Standard:
. Fixed bug #81048 (phpinfo(INFO_VARIABLES) "Array to string conversion").
(cmb)
. Fixed bug #77627 (method_exists on Closure::__invoke inconsistency).
(krakjoe)

- Windows:
. Fixed bug #81120 (PGO data for main PHP DLL are not used). (cmb)

PHP 7.4.21

- Core:
. Fixed bug #81068 (Double free in realpath_cache_clean()). (Dimitry Andric)
. Fixed bug #76359 (open_basedir bypass through adding ".."). (cmb)
. Fixed bug #81090 (Typed property performance degradation with .= operator).
(Nikita)
. Fixed bug #81070 (Integer underflow in memory limit comparison).
(Peter van Dommelen)
. Fixed bug #81122 (SSRF bypass in FILTER_VALIDATE_URL).
(CVE-2021-21705) (cmb)

- Bzip2:
. Fixed bug #81092 (fflush before stream_filter_remove corrupts stream).
(cmb)

- OpenSSL:
. Fixed bug #76694 (native Windows cert verification uses CN as sever name).
(cmb)

- PDO_Firebird:
. Fixed bug #76448 (Stack buffer overflow in firebird_info_cb).
(CVE-2021-21704) (cmb)
. Fixed bug #76449 (SIGSEGV in firebird_handle_doer).
(CVE-2021-21704) (cmb)
. Fixed bug #76450 (SIGSEGV in firebird_stmt_execute).
(CVE-2021-21704) (cmb)
. Fixed bug #76452 (Crash while parsing blob data in firebird_fetch_blob).
(CVE-2021-21704) (cmb)

- Standard:
. Fixed bug #81048 (phpinfo(INFO_VARIABLES) "Array to string conversion").
(cmb)

PHP 7.3.29 and PHP 5.6.40-52, 7.0.33-52, 7.1.33-39, 7.2.34-23

- Core:
. Fixed bug #81122: SSRF bypass in FILTER_VALIDATE_URL. (CVE-2021-21705) (cmb)

- PDO_Firebird:
. Fixed bug #76448: Stack buffer overflow in firebird_info_cb.
(CVE-2021-21704) (cmb)
. Fixed bug #76449: SIGSEGV in firebird_handle_doer. (CVE-2021-21704) (cmb)
. Fixed bug #76450: SIGSEGV in firebird_stmt_execute. (CVE-2021-21704) (cmb)
. Fixed bug #76452: Crash while parsing blob data in firebird_fetch_blob.
(CVE-2021-21704) (cmb)