
Ondřej Surý has released PHP 8.5.0 RC3, PHP 8.4.14, and PHP 8.3.27 packages for Debian GNU/Linux 11 LTS, 12, and 13. The updates include improvements to core functionality, DOM parsing, FPM performance, Opcache optimization, OpenSSL security, and other areas of functionality. The packages address numerous bugs and fix issues such as resource closing on shutdown, incorrect namespace checks in the getNamedItemNS() function, and memory leaks triggered by imagefttext() calls.





PHP 8.5.0 RC3, PHP 8.4.14, and 8.3.27 Debian packages released

Ondřej Surý has made available new PHP 8.5.0 RC3, PHP 8.4.14, and PHP 8.3.27 packages for Debian GNU/Linux 11 (Bullseye) LTS, 12 (Bookworm), and 13 (Trixie).


Notable changes in PHP 8.5.0 RC3 include improvements to core functionality, DOM parsing, FPM performance, Opcache optimization, OpenSSL security, PDO stability, Phar integrity, SPL serialization, Tidy handling, URI parsing, and XMLReader reliability.

Core enhancements include bug fixes for issues like missing type declarations, resource closing on shutdown, deprecation warnings, and assertions triggered by get_object_vars().

The DOM parser has been improved with a fix for incorrect namespace checks in the getNamedItemNS() function.

FPM performance has been enhanced with bug fixes for SCRIPT_FILENAME decoding issues and for access log lines being written to both standard output and error streams.

Opcache optimization includes fixes for uninitialized variables, broken Just-In-Time (JIT) compilation on macOS, and segfaults triggered by large file compilation in subprocesses.

OpenSSL security has been improved with a fix for inconsistent cipher method fetching.

PDO stability has been enhanced with a bug fix for incorrect class names in deprecation messages for PDO mixins.

Phar integrity includes a fix for potential buffer length truncation caused by using type int instead of size_t.

SPL serialization improvements include hardening of the __unserialize() function and fixes for exposed INDIRECTs in SplHeap and SplPriorityQueue objects.

Tidy handling has been improved with a fix that improves tidyOptGetCategory detection.

URI parsing reliability includes fixes for heap-use-after-free issues during malformed URL processing and for the inability to use external extensions, and php_uri_parser structs are now available directly to extensions.

In PHP 8.4.14, several bugs have been fixed across various areas of functionality.

Core enhancements include bug fixes for issues like bypassing readonly property checks in object_properties_load(), hard_timeout with --enable-zend-max-execution-timers, SCCP causing use-after-free errors, Closure named argument unpacking between temporary closures triggering crashes, and incorrect HASH_FLAG_HAS_EMPTY_IND flags on userland arrays.

The CLI server has been improved with a fix for useless error logs due to EAGAIN in CLI servers with PHP_CLI_SERVER_WORKERS enabled.

Curl functionality includes fixes for cloning CURLOPT_POSTFIELDS when using the clone operator and curl build failures with version 8.16.

Date handling has been improved with a bug fix for the "P" format in ::createFromFormat swallowing string literals.

DOM parsing has been enhanced with bug fixes for macro name clashes on macOS and docker-php-ext-install DOM failing.

GD image processing includes a fix for memory leaks triggered by imagefttext() calls.

MySQLnd functionality has been improved with a bug fix for mysqli compiled with mysqlnd not taking IPv6 addresses as parameters.

Phar integrity includes fixes for memory leaks when creating temp files fails while applying zip signatures and tar header writing failures.

SimpleXML handling has been improved with a bug fix for zend_string_init triggering undefined behavior (UB) in simplexml.

Soap functionality includes bug fixes for SoapServer memory leaks and arrays of SoapVar of unknown type causing crashes.

Standard library improvements include fixes for cloning objects breaking serialization recursion, Serialize/deserialize losing some data, var_dump() and debug_zval_dump() leaking resources, array_unique assertion failures with RC1 arrays causing exceptions on sort, resetting internal pointers earlier while splicing arrays triggering COW violations, inability to fseek in /dev/zero and /dev/null, and other issues.

Streams functionality has been improved by using strerror_r instead of strerror in main, along with fixes for other stream-related issues.

XMLReader reliability includes a fix for XMLReader leaks triggered by RelaxNG schema failures.

Zip integrity includes bug fixes for removing pattern overflows in zip addGlob() calls and memory leaks triggered by setEncryptionName()/setEncryptionIndex() calls.

Zlib functionality has been improved with a bug fix for double frees on gzopen calls.

To add the repository to your Debian installation:

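# To add this repository please do:

# Use sudo only when not already running as root.
if [ "$(whoami)" != "root" ]; then
    SUDO=sudo
fi

# Install the tools needed to fetch the key and detect the release codename.
${SUDO} apt-get -y install apt-transport-https lsb-release ca-certificates curl
# Download the repository signing key (curl is installed above; -f fails on HTTP errors).
${SUDO} curl -fsSLo /etc/apt/trusted.gpg.d/php.gpg https://packages.sury.org/php/apt.gpg
# Register the repository for the running Debian release and refresh the package index.
${SUDO} sh -c 'echo "deb https://packages.sury.org/php/ $(lsb_release -sc) main" > /etc/apt/sources.list.d/php.list'
${SUDO} apt-get update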

For further details, please refer to the deb.sury.org website. A dedicated bug tracker for the packages can be accessed here.
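
The commands above store the signing key in /etc/apt/trusted.gpg.d/, where apt accepts it for every configured repository. The script below is an added example, not taken from deb.sury.org or the original post: it builds the same source entry scoped to a single keyring with apt's signed-by option and audits a one-line-style .list file for entries that still rely on the global trust store. The keyring path /etc/apt/keyrings/php-sury.gpg and the function names are assumptions, and the sample file is constructed.

```shell
#!/bin/sh
# Added example (not from deb.sury.org). KEYRING is an assumed path;
# /etc/apt/keyrings is the usual home for keys that must not be trusted globally.
KEYRING=/etc/apt/keyrings/php-sury.gpg

# Source entry whose signatures are checked only against one keyring.
scoped_source_line() {   # $1 = release codename, $2 = keyring path
    printf 'deb [signed-by=%s] https://packages.sury.org/php/ %s main\n' "$2" "$1"
}

# Classify each active deb/deb-src line of a one-line-style *.list file:
#   SCOPED = has signed-by=, only that key can vouch for the repository
#   GLOBAL = no signed-by=, any key in /etc/apt/trusted.gpg.d/ is accepted
audit_sources() {        # $1 = path to a *.list file
    awk '/^[ \t]*deb(-src)?[ \t]/ {
        verdict = ($0 ~ /\[[^]]*signed-by=[^]]*\]/) ? "SCOPED" : "GLOBAL"
        line = $0
        sub(/\[[^]]*\]/, "", line)      # drop the [options] block
        split(line, f, " ")             # f[1]=type f[2]=URI f[3]=suite
        print verdict, f[2], f[3]
    }' "$1"
}

# Number of entries that still rely on the global trust store.
count_global() {
    audit_sources "$1" | awk '$1 == "GLOBAL" { n++ } END { print n + 0 }'
}

# Constructed sample: the entry written by the commands above, a commented-out
# line, and the scoped replacement for the same repository.
sample=$(mktemp)
trap 'rm -f "$sample"' EXIT
cat > "$sample" <<EOF
deb https://packages.sury.org/php/ bookworm main
# deb https://packages.sury.org/php/ bullseye main
$(scoped_source_line trixie "$KEYRING")
EOF

audit_sources "$sample"
echo "entries relying on trusted.gpg.d: $(count_global "$sample")"
```

On a real host, point audit_sources at the files under /etc/apt/sources.list.d/; deb822-style .sources files use a Signed-By: field instead and are not parsed by this check.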