Fedora Linux 9406 Published by

Security patches for PHP 8.2.32, 8.3.32, 8.4.23, and 8.5.8 are now live in Remi Collet's RPM repository for Fedora and Enterprise Linux. Each release addresses three shared vulnerabilities, including CVE-2026-12184 and CVE-2026-14355, across both x86_64 and aarch64 architectures. Remi also packaged PHP 8.6.0-alpha1 as a parallel Software Collection for developers wanting to test the next generation before its official rollout. Built on Collet's custom hardware and delivered ahead of upstream scheduling windows, the update continues a twenty-year tradition of prioritizing latest upstream versions over stable backports.



Remi Ships PHP 8.2.32, 8.3.32, 8.4.23, and 8.5.8 for Fedora and Enterprise Linux

Security patches for four active PHP branches just hit the remi repository. The updates are rolling out now for Fedora, RHEL 8, 9, and 10, and most of their downstream derivatives.

If you're running PHP on a Red Hat family system, there's a decent chance you're already pulling packages from Remi Collet's third-party repo. Collet has been maintaining the largest community PHP stack for Enterprise Linux since 2005, and his repository currently hosts more than 500 packages. That includes everything from core language builds to phpMyAdmin and PHPUnit.

Gnome_shell_screenshot_09fnu0

What Actually Changed This Round

This release is a straight security sweep. PHP 8.2.32, 8.3.32, 8.4.23, and 8.5.8 each patch three common vulnerabilities: CVE-2026-12184, CVE-2026-14355, plus one internal fix upstream bundled alongside them. The builds cover both x86_64 and aarch64, so whether you're on Ampere Altra servers or standard Intel boxes, the binaries are ready to install. Packages also hit Fedora Rawhide, plus the official Bodhi updates for Fedora 44 and 43.

PHP 8.6 Gets an Early SCL Entry

Remi didn't just stop at the stable releases. PHP 8.6.0-alpha1 dropped July 2, and he's already packaged it as a Software Collection under remi-safe. It lives in /opt/remi/php86, config rolls out to /etc/opt/remi/php86, and the FPM socket sits at /var/opt/remi/php86/run/php-fpm/www.sock. The alpha label is real though. Remi explicitly warns against running it in production, and he plans to formally propose it as a Fedora 46 change request when the feature freeze lifts.

You've got two paths for installation, depending on whether you want to replace the system default or keep things side by side. The modular stream route overwrites your base PHP: run dnf module switch-to php:remi-8.5/common on Enterprise Linux, or follow the reset and enable sequence on newer Fedora releases. If you need multiple versions running concurrently, the SCL approach keeps each release neatly tucked under /opt/remi/php8X/. Install php85 alongside whatever else you have, run module load php85, and php --version will confirm you are talking to the right build.

Remi's philosophy has always been latest upstream versions rather than backports, which means you get newer features faster but also inherit more breaking changes than you'd see in official RHEL errata. That's a fair tradeoff for most developers, especially given the build quality. Every RPM is GPG-signed with a rotating 2026 key, and they're compiled on Collet's own i9-13900K and Ampere Altra builders rather than some shared cloud cluster with questionable uptime. The NTS-only default since PHP 8.4 also tracks with modern deployment, where thread-safe builds are largely a legacy concern.

It's been over two decades since Collet first pushed a PHP repository for Fedora, and the repo is still somehow avoiding the graveyard that swallows most community Linux projects. That longevity matters. When a security advisory drops, most users on these distributions don't wait for Red Hat to certify a backport. They update. Fast.

Head to rpms.remirepo.net/wizard/ to grab the exact configuration snippet for your distro.