Ondřej Surý has released PHP 8.4.10, 8.3.23, 8.2.29, and 8.1.33 packages for Debian GNU/Linux 11 (Bullseye) LTS, 12 (Bookworm), and 13 (Trixie), as well as PHP 8.0.30-15, 7.4.33-21, and 5.6.40-82 packages with the latest security fixes backported.
To add the repository:
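#!/bin/bash
# To add this repository please do:

# Use sudo only when not already running as root
if [ "$(whoami)" != "root" ]; then
    SUDO=sudo
fi

# wget is installed here because the key download below depends on it
${SUDO} apt-get -y install apt-transport-https lsb-release ca-certificates curl wget
# Install the repository signing key
${SUDO} wget -O /etc/apt/trusted.gpg.d/php.gpg https://packages.sury.org/php/apt.gpg
# Register the repository for the running Debian release
${SUDO} sh -c 'echo "deb https://packages.sury.org/php/ $(lsb_release -sc) main" > /etc/apt/sources.list.d/php.list'
${SUDO} apt-get update

PHP 8.4.10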
- BcMath:
. Fixed bug GH-18641 (Accessing a BcMath\Number property by ref crashes).
(nielsdos)
- Core:
. Fixed bugs GH-17711 and GH-18022 (Infinite recursion on deprecated attribute
evaluation) and GH-18464 (Recursion protection for deprecation constants not
released on bailout). (DanielEScherzer and ilutov)
. Fixed GH-18695 (zend_ast_export() - float number is not preserved).
(Oleg Efimov)
. Fix handling of references in zval_try_get_long(). (nielsdos)
. Do not delete main chunk in zend_gc. (danog, Arnaud)
. Fix compile issues with zend_alloc and some non-default options. (nielsdos)
- Curl:
. Fix memory leak when setting a list via curl_setopt fails. (nielsdos)
- Date:
. Fix leaks with multiple calls to DatePeriod iterator current(). (nielsdos)
- DOM:
. Fixed bug GH-18744 (classList works not correctly if copy HTMLElement by
clone keyword). (nielsdos)
- FPM:
. Fixed GH-18662 (fpm_get_status segfault). (txuna)
- Hash:
. Fixed bug GH-14551 (PGO build fails with xxhash). (nielsdos)
- Intl:
. Fix memory leak in intl_datetime_decompose() on failure. (nielsdos)
. Fix memory leak in locale lookup on failure. (nielsdos)
- Opcache:
. Fixed bug GH-18743 (Incompatibility in Inline TLS Assembly on Alpine 3.22).
(nielsdos, Arnaud)
- ODBC:
. Fix memory leak on php_odbc_fetch_hash() failure. (nielsdos)
- OpenSSL:
. Fix memory leak of X509_STORE in php_openssl_setup_verify() on failure.
(nielsdos)
. Fixed bug #74796 (Requests through http proxy set peer name).
(Jakub Zelenka)
- PGSQL:
. Fixed GHSA-hrwm-9436-5mv3 (pgsql extension does not check for errors during
escaping). (CVE-2025-1735) (Jakub Zelenka)
- PDO ODBC:
. Fix memory leak if WideCharToMultiByte() fails. (nielsdos)
- PDO Sqlite:
. Fixed memory leak with Pdo_Sqlite::createCollation when the callback
has an incorrect return type. (David Carlier)
- Phar:
. Add missing filter cleanups on phar failure. (nielsdos)
. Fixed bug GH-18642 (Signed integer overflow in ext/phar fseek). (nielsdos)
- PHPDBG:
. Fix 'phpdbg --help' segfault on shutdown with USE_ZEND_ALLOC=0. (nielsdos)
- PGSQL:
. Fix warning not being emitted when failure to cancel a query with
pg_cancel_query(). (Girgias)
- Random:
. Fix reference type confusion and leak in user random engine.
(nielsdos, timwolla)
- Readline:
. Fix memory leak when calloc() fails in php_readline_completion_cb().
(nielsdos)
- SimpleXML:
. Fixed bug GH-18597 (Heap-buffer-overflow in zend_alloc.c when assigning
string with UTF-8 bytes). (nielsdos)
- SOAP:
. Fix memory leaks in php_http.c when call_user_function() fails. (nielsdos)
. Fixed GHSA-453j-q27h-5p8x (NULL Pointer Dereference in PHP SOAP Extension
via Large XML Namespace Prefix). (CVE-2025-6491) (Lekssays, nielsdos)
- Standard:
. Fixed GHSA-3cr5-j632-f35r (Null byte termination in hostnames).
(CVE-2025-1220) (Jakub Zelenka)
- Tidy:
. Fix memory leak in tidy output handler on error. (nielsdos)
. Fix tidyOptIsReadonly deprecation, using tidyOptGetCategory. (David Carlier)

PHP 8.3.23
- Core:
. Fixed GH-18695 (zend_ast_export() - float number is not preserved).
(Oleg Efimov)
. Do not delete main chunk in zend_gc. (danog, Arnaud)
. Fix compile issues with zend_alloc and some non-default options. (nielsdos)
- Curl:
. Fix memory leak when setting a list via curl_setopt fails. (nielsdos)
. Fix incorrect OpenSSL version detection. (Peter Kokot)
- Date:
. Fix leaks with multiple calls to DatePeriod iterator current(). (nielsdos)
- FPM:
. Fixed GH-18662 (fpm_get_status segfault). (txuna)
- Hash:
. Fixed bug GH-14551 (PGO build fails with xxhash). (nielsdos)
- Intl:
. Fix memory leak in intl_datetime_decompose() on failure. (nielsdos)
. Fix memory leak in locale lookup on failure. (nielsdos)
- ODBC:
. Fix memory leak on php_odbc_fetch_hash() failure. (nielsdos)
- Opcache:
. Fixed bug GH-18743 (Incompatibility in Inline TLS Assembly on Alpine 3.22).
(nielsdos, Arnaud)
- OpenSSL:
. Fix memory leak of X509_STORE in php_openssl_setup_verify() on failure.
(nielsdos)
. Fixed bug #74796 (Requests through http proxy set peer name).
(Jakub Zelenka)
- PGSQL:
. Fixed GHSA-hrwm-9436-5mv3 (pgsql extension does not check for errors during
escaping). (CVE-2025-1735) (Jakub Zelenka)
- Phar:
. Add missing filter cleanups on phar failure. (nielsdos)
. Fixed bug GH-18642 (Signed integer overflow in ext/phar fseek). (nielsdos)
- PHPDBG:
. Fix 'phpdbg --help' segfault on shutdown with USE_ZEND_ALLOC=0. (nielsdos)
- PDO ODBC:
. Fix memory leak if WideCharToMultiByte() fails. (nielsdos)
- PGSQL:
. Fix warning not being emitted when failure to cancel a query with
pg_cancel_query(). (Girgias)
- Random:
. Fix reference type confusion and leak in user random engine.
(nielsdos, timwolla)
- Readline:
. Fix memory leak when calloc() fails in php_readline_completion_cb().
(nielsdos)
- SOAP:
. Fix memory leaks in php_http.c when call_user_function() fails. (nielsdos)
. Fixed GHSA-453j-q27h-5p8x (NULL Pointer Dereference in PHP SOAP Extension
via Large XML Namespace Prefix). (CVE-2025-6491) (Lekssays, nielsdos)
- Standard:
. Fixed GHSA-3cr5-j632-f35r (Null byte termination in hostnames).
(CVE-2025-1220) (Jakub Zelenka)
- Tidy:
. Fix memory leak in tidy output handler on error. (nielsdos)
. Fix tidyOptIsReadonly deprecation, using tidyOptGetCategory. (David Carlier)

PHP 8.2.29, 8.1.33, 8.0.30-15, 7.4.33-21, and 5.6.40-82
- PGSQL:
. Fixed GHSA-hrwm-9436-5mv3 (pgsql extension does not check for errors during
escaping). (CVE-2025-1735) (Jakub Zelenka)
- SOAP:
. Fixed GHSA-453j-q27h-5p8x (NULL Pointer Dereference in PHP SOAP Extension
via Large XML Namespace Prefix). (CVE-2025-6491) (Lekssays, nielsdos)
- Standard:
. Fixed GHSA-3cr5-j632-f35r (Null byte termination in hostnames).
(CVE-2025-1220) (Jakub Zelenka)
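
As an added example (not part of the announcement and not code from the packaging project or PHP), the script below checks installed package versions against the first fixed release of each branch listed above for CVE-2025-1735, CVE-2025-6491 and CVE-2025-1220. The function names, the FIXED table layout and the sample inventory are assumptions made for illustration, and the comparison uses a simplified numeric split rather than dpkg's full version ordering.

```shell
# Added example. First releases carrying the fixes for CVE-2025-1735,
# CVE-2025-6491 and CVE-2025-1220, as listed in the announcement above.
# Entry format: branch:patch:revision (revision 0 = any packaging revision).
FIXED="8.4:10:0 8.3:23:0 8.2:29:0 8.1:33:0 8.0:30:15 7.4:33:21 5.6:40:82"
# php_fix_status VERSION -> prints fixed | outdated | unknown
php_fix_status() {
    v=${1#*:}                      # drop a Debian epoch such as "2:"
    upstream=${v%%-*}              # e.g. "7.4.33"
    case $upstream in
        *[!0-9.]*) echo unknown; return 0 ;;   # pre-release or odd format
        [0-9]*.[0-9]*.[0-9]*) ;;
        *) echo unknown; return 0 ;;
    esac
    major=${upstream%%.*}; rest=${upstream#*.}
    minor=${rest%%.*}; patch=${rest#*.}; patch=${patch%%.*}
    rev=${v#"$upstream"}; rev=${rev#-}; rev=${rev%%[!0-9]*}
    : "${rev:=0}"                  # Debian revision digits, 0 if absent
    for entry in $FIXED; do
        branch=${entry%%:*}; rest=${entry#*:}
        fpatch=${rest%%:*}; frev=${rest#*:}
        [ "$branch" = "$major.$minor" ] || continue
        if [ "$patch" -gt "$fpatch" ] ||
           { [ "$patch" -eq "$fpatch" ] && [ "$rev" -ge "$frev" ]; }
        then echo fixed; else echo outdated; fi
        return 0
    done
    echo unknown                   # branch not covered by the announcement
}

# audit_packages: reads "package version" lines on stdin, e.g. from
#   dpkg-query -W -f='${Package} ${Version}\n' 'php*'
# and prints the versioned PHP packages that predate the fixed releases.
audit_packages() {
    while read -r pkg ver; do
        case $pkg in php[0-9]*) ;; *) continue ;; esac
        [ "$(php_fix_status "$ver")" = outdated ] && echo "$pkg $ver"
    done
    return 0
}
# Constructed sample inventory (not taken from a real host).
sample_inventory() {
    cat <<'EOF'
php8.3-pgsql 8.3.22-1+0~20250606.59+debian12~1.gbp9e1b8b
php8.4-soap 8.4.10-1+0~20250707.31+debian12~1.gbp0a2d0c
php7.4-common 7.4.33-20+0~20250410.96+debian12~1.gbp0b1e21
php-common 2:95+0~20240128.48+debian12~1.gbpf4a00c
EOF
}
sample_inventory | audit_packages
```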