Ondřej Surý has released updated packages for PHP 8.4.13 and 8.3.26 specifically designed for Debian GNU/Linux 11 (Bullseye) LTS, 12 (Bookworm), and 13 (Trixie). The releases include crucial bug fixes that address long-standing problems, such as repeated file inclusion causing "Constant already defined" warnings and handling string literals larger than 2GB. These updates aim to enhance the reliability, security, and performance of web applications built using PHP by resolving potential UAF issues and memory leaks.
PHP 8.4.13 and 8.3.26 Debian packages released
Ondřej Surý has recently released updated packages for the popular scripting language, PHP 8.4.13 and 8.3.26, designed specifically for Debian GNU/Linux 11 (Bullseye) LTS, 12 (Bookworm), and 13 (Trixie). The critical bug fixes in these new releases aim to address various aspects of the PHP language.
At the heart of PHP 8.4.13 lies a series of significant improvements aimed at resolving long-standing problems. One important fix focuses on repeated file inclusion with __halt_compiler(), which can cause "Constant already defined" warnings, and another fix deals with scanning string literals larger than 2GB to avoid signed int overflow errors. Additionally, improvements have been made in how memory is managed and how garbage collection works, including better handling of Zend weak references to help avoid possible UAF (Use-After-Free) issues.
The release also includes a range of fixes for various extensions, such as CLI, Date, DBA, DOM, FPM, Intl, OpenSSL, PGSQL, Phar, Standard, Streams, and Zip. These updates cover improved error messages when listening to IPv6 addresses, enhanced support for partial-hour UTC offsets in date_sunrise() and date_sunset(), and fixes for potential memory leaks in various scenarios. Additionally, PHP 8.4.13 addresses several security problems, including use-after-free issues that happen when Phar decompression is not handled correctly with bad extensions
These updates demonstrate the importance of maintaining the reliability and integrity of web applications built using this versatile scripting language. As such, PHP developers and users worldwide can benefit from these crucial enhancements that will help maintain the stability and performance of their web applications.
In a similar vein, PHP 8.3.26 boasts numerous bug fixes across various components, marking another significant update for Debian GNU/Linux users. Core improvements include resolving repeated file inclusion causing "Constant already defined" warnings and handling string literals larger than 2GB. Moreover, the garbage collector now correctly treats ZEND_WEAKREF_TAG_MAP references as WeakMap references.
Further core enhancements involve fixing stale array iterator pointers, addressing issues with zend_ssa_range_widening convergence, and a notable fix that corrects problems with PHP_EXPAND_PATH in Bash 5.3.0 environments. Additionally, assertion failures when accessing deprecated constants have been resolved, enhancing the overall robustness of the language.
The Command Line Interface (CLI) has also received attention, with improved error messages being implemented for listening errors with IPv6 addresses. Date functions such as date_sunrise() and date_sunset() now correctly handle partial-hour UTC offsets, while other notable fixes mitigate a libxml2 tree dictionary bug in the DOM component.
Other areas of improvement include addressing failed debug assertions that occur when php_admin_value settings are not correctly configured in FPM environments, as well as resolving an underflow issue related to the width argument in the imagefilledellipse function within GD. Furthermore, the Internationalization (Intl) component has been updated to correct the canonicalization of locale strings for both IntlDateFormatter and NumberFormatter, while OpenSSL has received a fix for its error message indicating success on TLS stream accept failures.
The PostgreSQL (PGSQL) connections have also been patched to prevent potential use-after-free issues when using persistent connections, marking another crucial area of improvement. Lastly, the Phar component has undergone several memory leak fixes, including the verification of OpenSSL signatures and the Phar tar temporary file error handling code. These updates are expected to significantly enhance overall performance and security for PHP developers and users worldwide.
To add the repository to your Debian installation:
#!/bin/bash # To add this repository please do:
if [ "$(whoami)" != "root" ]; then
SUDO=sudo
fi
${SUDO} apt-get -y install apt-transport-https lsb-release ca-certificates curl
${SUDO} wget -O /etc/apt/trusted.gpg.d/php.gpg https://packages.sury.org/php/apt.gpg
${SUDO} sh -c 'echo "deb https://packages.sury.org/php/ $(lsb_release -sc) main" > /etc/apt/sources.list.d/php.list'
${SUDO} apt-get update
For further details, please refer to the deb.sury.org website. A dedicated bug tracker for the packages can be accessed here.
