Three new versions of PHP have been released: 8.5.2, 8.4.17, and 8.3.30, all focused on resolving various issues in the language. The updates prioritize security, addressing several critical bugs, including a potential vulnerability called use-after-free in php_output_handler_free. Beyond security fixes, these releases also contain patches for everyday functional problems across different parts of PHP, such as improvements to Phar builds and handling INI input through parse_ini_string(). Additionally, the updates aim to make PHP more efficient by fixing potential memory leaks and improving performance.

PHP 8.5.2, 8.4.17, and 8.3.30 released

Three new versions of PHP have shipped: 8.5.2, 8.4.17, and 8.3.30. The main thing that ties them all together is resolving various issues.

Security was definitely high on the agenda for these updates. In particular, version 8.5.2 tackles several critical bugs reported by developer ndossche. One notable one involves a potential security flaw called use-after-free in php_output_handler_free. Certain error conditions may occur during the cleanup of re-entrant ob_start(). This vulnerability is just one example of the fixes implemented.

Beyond bolstering defenses, these releases also contain patches for everyday functional problems across different parts of PHP. For instance, 8.5.2 includes an update fixing something with SplFileInfo::openFile() when used in write mode. It also features a tweak to improve how Phar builds work on older OpenSSL 1.1.0 systems.

There's more focus on making things smoother and less memory-intensive, too. You'll discover fixes for potential leaks spread across modules, including LDAP and Intl. Efficiency got another boost as well with adjustments related to handling tricky INI input through parse_ini_string().

Release php-8.3.30

Tag for php-8.3.30

Release php-8.3.30 · php/php-src

Release php-8.4.17

Tag for php-8.4.17

Release php-8.4.17 · php/php-src

Release php-8.5.2

Tag for php-8.5.2

Release php-8.5.2 · php/php-src