* Fri Dec 19 2025 pgajdos@suse.com
- version update to 8.4.16
Core:
Sync all boost.context files with release 1.86.0.
Fixed bug GH-20435 (SensitiveParameter doesn't work for named argument passing to variadic parameter).
Fixed bug GH-20286 (use-after-destroy during userland stream_close()).
Bz2:
Fix assertion failures resulting in crashes with stream filter object parameters.
Date:
Fix crashes when trying to instantiate uninstantiable classes via date static constructors.
DOM:
Fix memory leak when edge case is hit when registering xpath callback.
Fixed bug GH-20395 (querySelector and querySelectorAll requires elements in $selectors to be lowercase).
Fix missing NUL byte check on C14NFile().
Fibers:
Fixed bug GH-20483 (ASAN stack overflow with fiber.stack_size INI small value).
FTP:
Fixed bug GH-20601 (ftp_connect overflow on timeout).
GD:
Fixed bug GH-20511 (imagegammacorrect out of range input/output values).
Fixed bug GH-20602 (imagescale overflow with large height values).
Intl:
Fixed bug GH-20426 (Spoofchecker::setRestrictionLevel() error message suggests missing constants).
LibXML:
Fix some deprecations on newer libxml versions regarding input buffer/parser handling.
MbString:
Fixed bug GH-20491 (SLES15 compile error with mbstring oniguruma).
Fixed bug GH-20492 (mbstring compile warning due to non-strings).
MySQLnd:
Fixed bug GH-20528 (Regression breaks mysql connexion using an IPv6 address enclosed in square brackets).
Opcache:
Fixed bug GH-20329 (opcache.file_cache broken with full interned string buffer).
PDO:
Fixed GHSA-8xr5-qppj-gvwj (PDO quoting result null deref). (CVE-2025-14180)
Phar:
Fixed bug GH-20442 (Phar does not respect case-insensitiveness of __halt_compiler() when reading stub).
Fix broken return value of fflush() for phar file entries.
Fix assertion failure when fseeking a phar file out of bounds.
PHPDBG:
Fixed ZPP type violation in phpdbg_get_executable() and phpdbg_end_oplog().
SPL:
Fixed bug GH-20614 (SplFixedArray incorrectly handles references in deserialization).
Standard:
Fix memory leak in array_diff() with custom type checks.
Fixed bug GH-20583 (Stack overflow in http_build_query via deep structures).
Fixed GHSA-www2-q4fc-65wf (Null byte termination in dns_get_record()).
Fixed GHSA-h96m-rvf9-jgm2 (Heap buffer overflow in array_merge()). (CVE-2025-14178)
Fixed GHSA-3237-qqm7-mfv7 (Information Leak of Memory in getimagesize). (CVE-2025-14177)
Tidy:
Fixed bug GH-20374 (PHP with tidy and custom-tags).
XML:
Fixed bug GH-20439 (xml_set_default_handler() does not properly handle special characters in attributes when passing data to callback).
Zip:
Fix crash in property existence test.
Don't truncate return value of zip_fread() with user sizes.
Zlib:
Fix assertion failures resulting in crashes with stream filter object parameters.
- fixes CVE-2025-14178 [bsc#1255711]
CVE-2025-14180 [bsc#1255712]
CVE-2025-14177 [bsc#1255710]
* Thu Dec 18 2025 pgajdos@suse.com
- main package require wwwrun:www user as it assumes it in filelist
[bsc#1255043]
* Thu Nov 20 2025 pgajdos@suse.com
- version update to 8.4.15
Core:
Fixed bug GH-19934 (CGI with auto_globals_jit=0 causes uouv).
Fixed bug GH-20073 (Assertion failure in WeakMap offset operations on reference).
Fixed bug GH-20085 (Assertion failure when combining lazy object get_properties exception with foreach loop).
Fixed bug GH-19844 (Don't bail when closing resources on shutdown).
Fixed bug GH-20177 (Accessing overridden private property in get_object_vars() triggers assertion error).
Fixed bug GH-20270 (Broken parent hook call with named arguments).
Fixed bug GH-20183 (Stale EG(opline_before_exception) pointer through eval).
DOM:
Partially fixed bug GH-16317 (DOM classes do not allow __debugInfo() overrides to work).
Fixed bug GH-20281 (\Dom\Document::getElementById() is inconsistent after nodes are removed).
Exif:
Fix possible memory leak when tag is empty.
FPM:
Fixed bug GH-19974 (fpm_status_export_to_zval segfault for parallel execution).
FTP:
Fixed bug GH-20240 (FTP with SSL: ftp_fput(): Connection timed out on successful writes).
GD:
Fixed bug GH-20070 (Return type violation in imagefilter when an invalid filter is provided).
Intl:
Fix memory leak on error in locale_filter_matches().
LibXML:
Fix not thread safe schema/relaxng calls.
MySQLnd:
Fixed bug GH-8978 (SSL certificate verification fails (port doubled)).
Fixed bug GH-20122 (getColumnMeta() for JSON-column in MySQL).
Opcache:
Fixed bug GH-20081 (access to uninitialized vars in preload_load()).
Fixed bug GH-20121 (JIT broken in ZTS builds on MacOS 15).
Fixed bug GH-19875 (JIT 1205 segfault on large file compiled in subprocess).
Fixed bug GH-20012 (heap buffer overflow in jit).
Partially fixed bug GH-17733 (Avoid calling wrong function when reusing file caches across differing environments).
PgSql:
Fix memory leak when first string conversion fails.
Fix segfaults when attempting to fetch row into a non-instantiable class name.
Phar:
Fix memory leak of argument in webPhar.
Fix memory leak when setAlias() fails.
Fix a bunch of memory leaks in phar_parse_zipfile() error handling.
Fix file descriptor/memory leak when opening central fp fails.
Fix memleak+UAF when opening temp stream in buildFromDirectory() fails.
Fix potential buffer length truncation due to usage of type int instead of type size_t.
Fix memory leak when openssl polyfill returns garbage.
Fix file descriptor leak in phar_zip_flush() on failure.
Fix memory leak when opening temp file fails while trying to open gzip-compressed archive.
Fixed bug GH-20302 (Freeing a phar alias may invalidate PharFileInfo objects).
Random:
Fix Randomizer::__serialize() w.r.t. INDIRECTs.
Reflection:
Fixed bug GH-20217 (ReflectionClass::isIterable() incorrectly returns true for classes with property hooks).
SimpleXML:
Partially fixed bug GH-16317 (SimpleXML does not allow __debugInfo() overrides to work).
Streams:
Fixed bug GH-19798: XP_SOCKET XP_SSL (Socket stream modules): Incorrect condition for Win32/Win64.
Tidy:
Fixed GH-19021 (improved tidyOptGetCategory detection).
Fix UAF in tidy when tidySetErrorBuffer() fails.
XMLReader:
Fix arginfo/zpp violations when LIBXML_SCHEMAS_ENABLED is not available.
* Thu Oct 23 2025 suse+build@de-korte.org
- version update to 8.4.14
Core:
Fixed bug GH-19765 (object_properties_load() bypasses readonly property checks).
Fixed hard_timeout with --enable-zend-max-execution-timers.
Fixed bug GH-19792 (SCCP causes UAF for return value if both warning and exception are triggered).
Fixed bug GH-19653 (Closure named argument unpacking between temporary closures can cause a crash).
Fixed bug GH-19839 (Incorrect HASH_FLAG_HAS_EMPTY_IND flag on userland array).
Fixed bug GH-19480 (error_log php.ini cannot be unset when open_basedir is configured).
Fixed bug GH-20002 (Broken build on *BSD with MSAN).
CLI:
Fix useless "Failed to poll event" error logs due to EAGAIN in CLI server with PHP_CLI_SERVER_WORKERS.
Curl:
Fix cloning of CURLOPT_POSTFIELDS when using the clone operator instead of the curl_copy_handle() function to clone a CurlHandle.
Fix curl build and test failures with version 8.16.
Date:
Fixed GH-17159: "P" format for ::createFromFormat swallows string literals.
DOM:
Fix macro name clash on macOS.
Fixed bug GH-20022 (docker-php-ext-install DOM failed).
GD:
Fixed GH-19955 (imagefttext() memory leak).
MySQLnd:
Fixed bug #67563 (mysqli compiled with mysqlnd does not take ipv6 adress as parameter).
Opcache:
Fixed bug GH-19669 (assertion failure in zend_jit_trace_type_to_info_ex).
Fixed bug GH-19831 (function JIT may not deref property value).
Fixed bug GH-19889 (race condition in zend_runtime_jit(), zend_jit_hot_func()).
Phar:
Fix memory leak and invalid continuation after tar header writing fails.
Fix memory leaks when creating temp file fails when applying zip signature.
SimpleXML:
Fixed bug GH-19988 (zend_string_init with NULL pointer in simplexml (UB)).
Soap:
Fixed bug GH-19784 (SoapServer memory leak).
Fixed bug GH-20011 (Array of SoapVar of unknown type causes crash).
Standard:
Fixed bug GH-12265 (Cloning an object breaks serialization recursion).
Fixed bug GH-19701 (Serialize/deserialize loses some data).
Fixed bug GH-19801 (leaks in var_dump() and debug_zval_dump()).
Fixed bug GH-20043 (array_unique assertion failure with RC1 array causing an exception on sort).
Fixed bug GH-19926 (reset internal pointer earlier while splicing array while COW violation flag is still set).
Fixed bug GH-19570 (unable to fseek in /dev/zero and /dev/null).
Streams:
Fixed bug GH-19248 (Use strerror_r instead of strerror in main).
Fixed bug GH-17345 (Bug #35916 was not completely fixed).
Fixed bug GH-19705 (segmentation when attempting to flush on non seekable stream.
XMLReader:
Fixed bug GH-20009 (XMLReader leak on RelaxNG schema failure).
Zip:
Fixed bug GH-19688 (Remove pattern overflow in zip addGlob()).
Fixed bug GH-19932 (Memory leak in zip setEncryptionName()/setEncryptionIndex()).
* Fri Sep 26 2025 pgajdos@suse.com
- version update to 8.4.13
Core:
Fixed bug GH-18850 (Repeated inclusion of file with __halt_compiler() triggers "Constant already defined" warning).
Partially fixed bug GH-19542 (Scanning of string literals >=2GB will fail due to signed int overflow).
Fixed bug GH-19544 (GC treats ZEND_WEAKREF_TAG_MAP references as WeakMap references).
Fixed bug GH-19613 (Stale array iterator pointer).
Fixed bug GH-19679 (zend_ssa_range_widening may fail to converge).
Fixed bug GH-19681 (PHP_EXPAND_PATH broken with bash 5.3.0).
Fixed bug GH-19720 (Assertion failure when error handler throws when accessing a deprecated constant).
CLI:
Fixed bug GH-19461 (Improve error message on listening error with IPv6 address).
Date:
Fixed date_sunrise() and date_sunset() with partial-hour UTC offset.
DBA:
Fixed bug GH-19706 (dba stream resource mismanagement).
DOM:
Fixed bug GH-19612 (Mitigate libxml2 tree dictionary bug).
FPM:
Fixed failed debug assertion when php_admin_value setting fails.
Intl:
Fixed bug GH-11952 (Fix locale strings canonicalization for IntlDateFormatter and NumberFormatter).
Opcache:
Fixed bug GH-19493 (JIT variable not stored before YIELD).
OpenSSL:
Fixed bug GH-19245 (Success error message on TLS stream accept failure).
PGSQL:
Fixed bug GH-19485 (potential use after free when using persistent pgsql connections).
Phar:
Fixed memory leaks when verifying OpenSSL signature.
Fix memory leak in phar tar temporary file error handling code.
Fix metadata leak when phar convert logic fails.
Fix memory leak on failure in phar_convert_to_other().
Fixed bug GH-19752 (Phar decompression with invalid extension can cause UAF).
Standard:
Fixed bug GH-16649 (UAF during array_splice).
Fixed bug GH-19577 (Avoid integer overflow when using a small offset and PHP_INT_MAX with LimitIterator).
Streams:
Remove incorrect call to zval_ptr_dtor() in user_wrapper_metadata().
Fix OSS-Fuzz #385993744.
Zip:
Fix memory leak in zip when encountering empty glob result.
* Thu Aug 28 2025 pgajdos@suse.com
- version update to 8.4.12
Core:
Fixed GH-19169 build issue with C++17 and ZEND_STATIC_ASSERT macro.
Fixed bug GH-19053 (Duplicate property slot with hooks and interface property).
Fixed bug GH-19044 (Protected properties are not scoped according to their prototype).
Fixed bug GH-18581 (Coerce numeric string keys from iterators when argument unpacking).
Fixed OSS-Fuzz #434346548 (Failed assertion with throwing __toString in binary const expr).
Fixed bug GH-19305 (Operands may be being released during comparison).
Fixed bug GH-19303 (Unpacking empty packed array into uninitialized array causes assertion failure).
Fixed bug GH-19306 (Generator can be resumed while fetching next value from delegated Generator).
Fixed bug GH-19326 (Calling Generator::throw() on a running generator with a non-Generator delegate crashes).
Fixed bug GH-19280 (Stale array iterator position on rehashing).
Fixed bug GH-18736 (Circumvented type check with return by ref + finally).
Fixed bug GH-19065 (Long match statement can segfault compiler during recursive SSA renaming).
Calendar:
Fixed bug GH-19371 (integer overflow in calendar.c).
FTP:
Fix theoretical issues with hrtime() not being available.
GD:
Fix incorrect comparison with result of php_stream_can_cast().
Hash:
Fix crash on clone failure.
Intl:
Fix memleak on failure in collator_get_sort_key().
Fix return value on failure for resourcebundle count handler.
LDAP:
Fixed bug GH-18529 (additional inheriting of TLS int options).
LibXML:
Fixed bug GH-19098 (libxml<2.13 segmentation fault caused by php_libxml_node_free).
MbString:
Fixed bug GH-19397 (mb_list_encodings() can cause crashes on shutdown).
Opcache:
Reset global pointers to prevent use-after-free in zend_jit_status().
Fix issue with JIT restart and hooks.
Fix crash with dynamic function defs in hooks during preload.
OpenSSL:
Fixed bug GH-18986 (OpenSSL backend: incorrect RAND_{load,write}_file() return value check).
Fix error return check of EVP_CIPHER_CTX_ctrl().
Fixed bug GH-19428 (openssl_pkey_derive segfaults for DH derive with low key_length param).
PDO Pgsql:
Fixed dangling pointer access on _pdo_pgsql_trim_message helper.
SOAP:
Fixed bug GH-18640 (heap-use-after-free ext/soap/php_encoding.c:299:32 in soap_check_zval_ref).
Sockets:
Fix some potential crashes on incorrect argument value.
Standard:
Fixed OSS Fuzz #433303828 (Leak in failed unserialize() with opcache).
Fix theoretical issues with hrtime() not being available.
Fixed bug GH-19300 (Nested array_multisort invocation with error breaks).
Windows:
Free opened_path when opened_path_len >= MAXPATHLEN.
* Fri Aug 08 2025 suse+build@de-korte.org
- version update to 8.4.11
Calendar:
Fixed jewishtojd overflow on year argument.
Core:
Fixed bug GH-18833 (Use after free with weakmaps dependent on destruction order).
Fixed bug GH-18907 (Leak when creating cycle in hook).
Fix OSS-Fuzz #427814456.
Fix OSS-Fuzz #428983568 and #428760800.
Fixed bug GH-17204 (-Wuseless-escape warnings emitted by re2c).
Fixed bug GH-19064 (Undefined symbol 'execute_ex' on Windows ARM64).
Curl:
Fix memory leaks when returning refcounted value from curl callback.
Remove incorrect string release.
DOM:
Fixed bug GH-18979 (Dom\XMLDocument::createComment() triggers undefined behavior with null byte).
LDAP:
Fixed GH-18902 ldap_exop/ldap_exop_sync assert triggered on empty request OID.
MbString:
Fixed bug GH-18901 (integer overflow mb_split).
Opcache:
Fixed bug GH-18639 (Internal class aliases can break preloading + JIT).
Fixed bug GH-18899 (JIT function crash when emitting undefined variable warning and opline is not set yet).
Fixed bug GH-14082 (Segmentation fault on unknown address 0x600000000018 in ext/opcache/jit/zend_jit.c).
Fixed bug GH-18898 (SEGV zend_jit_op_array_hot with property hooks and preloading).
OpenSSL:
Fixed bug #80770 (It is not possible to get client peer certificate with stream_socket_server).
PCNTL:
Fixed bug GH-18958 (Fatal error during shutdown after pcntl_rfork() or pcntl_forkx() with zend-max-execution-timers).
Phar:
Fix stream double free in phar.
Fix phar crash and file corruption with SplFileObject.
SOAP:
Fixed bug GH-18990, bug #81029, bug #47314 (SOAP HTTP socket not closing on object destruction).
Fix memory leak when URL parsing fails in redirect.
SPL:
Fixed bug GH-19094 (Attaching class with no Iterator implementation to MultipleIterator causes crash).
Standard:
Fix misleading errors in printf().
Fix RCN violations in array functions.
Fixed GH-18976 pack() overflow with h/H format and INT_MAX repeater value.
Streams:
Fixed GH-13264 (fgets() and stream_get_line() do not return false on filter fatal error).
Zip:
Fix leak when path is too long in ZipArchive::extractTo().
Version: 8.4.10-160000.2.2
* Thu Jul 03 2025 pgajdos@suse.com
- version update to 8.4.10 [bsc#1246146][bsc#1246148][bsc#1246167]
BcMath:
Fixed bug GH-18641 (Accessing a BcMath\Number property by ref crashes).
Core:
Fixed bugs GH-17711 and GH-18022 (Infinite recursion on deprecated attribute evaluation) and GH-18464 (Recursion protection for deprecation constants not released on bailout).
Fixed GH-18695 (zend_ast_export() - float number is not preserved).
Fix handling of references in zval_try_get_long().
Do not delete main chunk in zend_gc.
Fix compile issues with zend_alloc and some non-default options.
Curl:
Fix memory leak when setting a list via curl_setopt fails.
Date:
Fix leaks with multiple calls to DatePeriod iterator current().
DOM:
Fixed bug GH-18744 (classList works not correctly if copy HTMLElement by clone keyword).
FPM:
Fixed GH-18662 (fpm_get_status segfault).
Hash:
Fixed bug GH-14551 (PGO build fails with xxhash).
Intl:
Fix memory leak in intl_datetime_decompose() on failure.
Fix memory leak in locale lookup on failure.
Opcache:
Fixed bug GH-18743 (Incompatibility in Inline TLS Assembly on Alpine 3.22).
ODBC:
Fix memory leak on php_odbc_fetch_hash() failure.
OpenSSL:
Fix memory leak of X509_STORE in php_openssl_setup_verify() on failure.
Fixed bug #74796 (Requests through http proxy set peer name).
PGSQL:
Fixed GHSA-hrwm-9436-5mv3 (pgsql extension does not check for errors during escaping). (CVE-2025-1735)
Fix warning not being emitted when failure to cancel a query with pg_cancel_query().
PDO ODBC:
Fix memory leak if WideCharToMultiByte() fails.
PDO Sqlite:
Fixed memory leak with Pdo_Sqlite::createCollation when the callback has an incorrect return type.
Phar:
Add missing filter cleanups on phar failure.
Fixed bug GH-18642 (Signed integer overflow in ext/phar fseek).
PHPDBG:
Fix 'phpdbg --help' segfault on shutdown with USE_ZEND_ALLOC=0.
Random:
Fix reference type confusion and leak in user random engine.
Readline:
Fix memory leak when calloc() fails in php_readline_completion_cb().
SimpleXML:
Fixed bug GH-18597 (Heap-buffer-overflow in zend_alloc.c when assigning string with UTF-8 bytes).
SOAP:
Fix memory leaks in php_http.c when call_user_function() fails.
Fixed GHSA-453j-q27h-5p8x (NULL Pointer Dereference in PHP SOAP Extension via Large XML Namespace Prefix). (CVE-2025-6491)
Standard:
Fixed GHSA-3cr5-j632-f35r (Null byte termination in hostnames). (CVE-2025-1220)
Tidy:
Fix memory leak in tidy output handler on error.
Fix tidyOptIsReadonly deprecation, using tidyOptGetCategory.
- modified patches
% php-build-reproducible-phar.patch (refreshed)
* Fri Jun 06 2025 pgajdos@suse.com
- version update to 8.4.8
Core:
Fixed GH-18480 (array_splice with large values for offset/length arguments).
Partially fixed GH-18572 (nested object comparisons leading to stack overflow).
Fixed OSS-Fuzz #417078295.
Fixed OSS-Fuzz #418106144.
Curl:
Fixed GH-18460 (curl_easy_setopt with CURLOPT_USERPWD/CURLOPT_USERNAME/ CURLOPT_PASSWORD set the Authorization header when set to NULL).
Date:
Fixed bug GH-18076 (Since PHP 8, the date_sun_info() function returns inaccurate sunrise and sunset times, but other calculated times are correct) (JiriJozif).
Fixed bug GH-18481 (date_sunrise with unexpected nan value for the offset).
DOM:
Backport lexbor/lexbor#274.
Intl:
Fix various reference issues.
LDAP:
Fixed bug GH-18529 (ldap no longer respects TLS_CACERT from ldaprc in ldap_start_tls()).
Opcache:
Fixed bug GH-18417 (Windows SHM reattachment fails when increasing memory_consumption or jit_buffer_size).
Fixed bug GH-18297 (Exception not handled when jit guard is triggered).
Fixed bug GH-18408 (Snapshotted poly_func / poly_this may be spilled).
Fixed bug GH-18567 (Preloading with internal class alias triggers assertion failure).
Fixed bug GH-18534 (FPM exit code 70 with enabled opcache and hooked properties in traits).
Fix leak of accel_globals->key.
OpenSSL:
Fix missing checks against php_set_blocking() in xp_ssl.c.
SPL:
Fixed bug GH-18421 (Integer overflow with large numbers in LimitIterator).
Standard:
Fixed bug GH-17403 (Potential deadlock when putenv fails).
Fixed bug GH-18400 (http_build_query type error is inaccurate).
Fixed bug GH-18509 (Dynamic calls to assert() ignore zend.assertions).
Windows:
Fix leak+crash with sapi_windows_set_ctrl_handler().
Zip:
Fixed bug GH-18431 (Registering ZIP progress callback twice doesn't work).
Fixed bug GH-18438 (Handling of empty data and errors in ZipArchive::addPattern).
* Fri May 09 2025 suse+build@de-korte.org
- version update to 8.4.7
Core:
Fixed bug GH-18038 (Lazy proxy calls magic methods twice).
Fixed bug GH-18209 (Use-after-free in extract() with EXTR_REFS).
Fixed bug GH-18268 (Segfault in array_walk() on object with added property hooks).
Fixed bug GH-18304 (Changing the properties of a DateInterval through dynamic properties triggers a SegFault).
Fix some leaks in php_scandir.
DBA:
FIxed bug GH-18247 dba_popen() memory leak on invalid path.
Filter:
Fixed bug GH-18309 (ipv6 filter integer overflow).
GD:
Fixed imagecrop() overflow with rect argument with x/width y/heigh usage in gdImageCrop().
Fixed GH-18243 imagettftext() overflow/underflow on font size value.
Intl:
Fix reference support for intltz_get_offset().
LDAP:
Fixed bug GH-17776 (LDAP_OPT_X_TLS_* options can't be overridden).
Fix NULL deref on high modification key.
libxml:
Fixed custom external entity loader returning an invalid resource leading to a confusing TypeError message.
Opcache:
Fixed bug GH-18294 (assertion failure zend_jit_ir.c).
Fixed bug GH-18289 (Fix segfault in JIT).
Fixed bug GH-18136 (tracing JIT floating point register clobbering on Windows and ARM64).
OpenSSL:
Fix memory leak in openssl_sign() when passing invalid algorithm.
Fix potential leaks when writing to BIO fails.
PDO Firebird:
Fixed bug GH-18276 (persistent connection - "zend_mm_heap corrupted" with setAttribute())
Fixed bug GH-17383 (PDOException has wrong code and message since PHP 8.4)
PDO Sqlite:
Fix memory leak on error return of collation callback.
PgSql:
Fix uouv in pg_put_copy_end().
SPL:
Fixed bug GH-18322 (SplObjectStorage debug handler mismanages memory).
Standard:
Fixed bug GH-18145 (php8ts crashes in php_clear_stat_cache()).
Fix resource leak in iptcembed() on error.
Tests:
Address deprecated PHP 8.4 session options to prevent test failures.
Zip:
Fix uouv when handling empty options in ZipArchive::addGlob().
Fix memory leak when handling a too long path in ZipArchive::addGlob().
* Fri Apr 18 2025 mmanu84@outlook.de
- version update to 8.4.6
BCMath:
Fixed pointer subtraction for scale.
Core:
Fixed property hook backing value access in multi-level inheritance.
Fixed accidentally inherited default value in overridden virtual properties.
Fixed bug GH-17376 (Broken JIT polymorphism for property hooks added to child class).
Fixed bug GH-17913 (ReflectionFunction::isDeprecated() returns incorrect results for closures created from magic __call()).
Fixed bug GH-17941 (Stack-use-after-return with lazy objects and hooks).
Fixed bug GH-17988 (Incorrect handling of hooked props without get hook in get_object_vars()).
Fixed bug GH-17998 (Skipped lazy object initialization on primed SIMPLE_WRITE cache).
Fixed bug GH-17998 (Assignment to backing value in set hook of lazy proxy calls hook again).
Fixed bug GH-17961 (use-after-free during dl()'ed module class destruction).
Fixed bug GH-15367 (dl() of module with aliased class crashes in shutdown).
Fixed OSS-Fuzz #403308724.
Fixed bug GH-13193 again (Significant performance degradation in 'foreach').
DBA:
Fixed assertion violation when opening the same file with dba_open multiple times.
DOM:
Fixed bug GH-17991 (Assertion failure dom_attr_value_write).
Fix weird unpack behaviour in DOM.
Fixed bug GH-18090 (DOM: Svg attributes and tag names are being lowercased).
Fix xinclude destruction of live attributes.
Fuzzer:
Fixed bug GH-18081 (Memory leaks in error paths of fuzzer SAPI).
GD:
Fixed bug GH-17984 (calls with arguments as array with references).
LDAP:
Fixed bug GH-18015 (Error messages for ldap_mod_replace are confusing).
Mbstring:
Fixed bug GH-17989 (mb_output_handler crash with unset http_output_conv_mimetypes).
Opcache:
Fixed bug GH-15834 (Segfault with hook "simple get" cache slot and minimal JIT).
Fixed bug GH-17966 (Symfony JIT 1205 assertion failure).
Fixed bug GH-18037 (SEGV Zend/zend_execute.c).
Fixed bug GH-18050 (IN_ARRAY optimization in DFA pass is broken).
Fixed bug GH-18113 (stack-buffer-overflow ext/opcache/jit/ir/ir_sccp.c).
Fixed bug GH-18112 (NULL access with preloading and INI option).
Fixed bug GH-18107 (Opcache CFG jmp optimization with try-finally breaks the exception table).
PDO:
Fix memory leak when destroying PDORow.
Standard:
Fix memory leaks in array_any() / array_all().
SOAP:
Fixed bug #66049 (Typemap can break parsing in parse_packet_soap leading to a segfault) .
SPL:
Fixed bug GH-18018 (RC1 data returned from offsetGet causes UAF in ArrayObject).
Treewide:
Fixed bug GH-17736 (Assertion failure zend_reference_destroy()).
Windows:
Fixed bug GH-17836 (zend_vm_gen.php shouldn't break on Windows line endings).
* Wed Apr 02 2025 pgajdos@suse.com
- version update to 8.4.5
BCMath:
Fixed bug GH-17398 (bcmul memory leak).
Core:
Fixed bug GH-17623 (Broken stack overflow detection for variable compilation).
Fixed bug GH-17618 (UnhandledMatchError does not take zend.exception_ignore_args=1 into account).
Fix fallback paths in fast_long_{add,sub}_function.
Fixed bug OSS-Fuzz #391975641 (Crash when accessing property backing value by reference).
Fixed bug GH-17718 (Calling static methods on an interface that has `__callStatic` is allowed).
Fixed bug GH-17713 (ReflectionProperty::getRawValue() and related methods may call hooks of overridden properties).
Fixed bug GH-17916 (Final abstract properties should error).
Fixed bug GH-17866 (zend_mm_heap corrupted error after upgrading from 8.4.3 to 8.4.4).
Fixed GHSA-rwp7-7vc6-8477 (Reference counting in php_request_shutdown causes Use-After-Free). (CVE-2024-11235)
DOM:
Fixed bug GH-17609 (Typo in error message: Dom\NO_DEFAULT_NS instead of Dom\HTML_NO_DEFAULT_NS).
Fixed bug GH-17802 (\Dom\HTMLDocument querySelector attribute name is case sensitive in HTML).
Fixed bug GH-17847 (xinclude destroys live node).
Fix using Dom\Node with Dom\XPath callbacks.
GD:
Fixed bug GH-17703 (imagescale with both width and height negative values triggers only an Exception on width).
Fixed bug GH-17772 (imagepalettetotruecolor crash with memory_limit=2M).
FFI:
Fix FFI Parsing of Pointer Declaration Lists.
FPM:
Fixed bug GH-17643 (FPM with httpd ProxyPass encoded PATH_INFO env).
LDAP:
Fixed bug GH-17704 (ldap_search fails when $attributes contains a non-packed array with numerical keys).
LibXML:
Fixed GHSA-wg4p-4hqh-c3g9 (Reocurrence of #72714).
Fixed GHSA-p3x9-6h7p-cgfc (libxml streams use wrong `content-type` header when requesting a redirected resource). (CVE-2025-1219)
MBString:
Fixed bug GH-17503 (Undefined float conversion in mb_convert_variables).
Opcache:
Fixed bug GH-17654 (Multiple classes using same trait causes function JIT crash).
Fixed bug GH-17577 (JIT packed type guard crash).
Fixed bug GH-17747 (Exception on reading property in register-based FETCH_OBJ_R breaks JIT).
Fixed bug GH-17715 (Null pointer deref in observer API when calling cases() method on preloaded enum).
Fixed bug GH-17868 (Cannot allocate memory with tracing JIT on 8.4.4).
PDO_SQLite:
Fixed GH-17837 ()::getColumnMeta() on unexecuted statement segfaults).
Fix cycle leak in sqlite3 setAuthorizer().
Fix memory leaks in pdo_sqlite callback registration.
Phar:
Fixed bug GH-17808: PharFileInfo refcount bug.
PHPDBG:
Partially fixed bug GH-17387 (Trivial crash in phpdbg lexer).
Fix memory leak in phpdbg calling registered function.
Reflection:
Fixed bug GH-15902 (Core dumped in ext/reflection/php_reflection.c).
Fixed missing final and abstract flags when dumping properties.
Standard:
Fixed bug #72666 (stat cache clearing inconsistent between file:// paths and plain paths).
Streams:
Fixed bug GH-17650 (realloc with size 0 in user_filters.c).
Fix memory leak on overflow in _php_stream_scandir().
Fixed GHSA-hgf5-96fm-v528 (Stream HTTP wrapper header check might omit basic auth header). (CVE-2025-1736)
Fixed GHSA-52jp-hrpf-2jff (Stream HTTP wrapper truncate redirect location to 1024 bytes). (CVE-2025-1861)
Fixed GHSA-pcmh-g36c-qc44 (Streams HTTP wrapper does not fail for headers without colon). (CVE-2025-1734)
Fixed GHSA-v8xr-gpvj-cx9g (Header parser of `http` stream wrapper does not handle folded headers). (CVE-2025-1217)
Windows:
Fixed phpize for Windows 11 (24H2).
Fixed GH-17855 (CURL_STATICLIB flag set even if linked with shared lib).
Zlib:
Fixed bug GH-17745 (zlib extension incorrectly handles object arguments).
Fix memory leak when encoding check fails.
Fix zlib support for large files.
- version update to 8.4.4
Core:
Fixed bug GH-17234 (Numeric parent hook call fails with assertion).
Fixed bug GH-16892 (ini_parse_quantity() fails to parse inputs starting with 0x0b).
Fixed bug GH-16886 (ini_parse_quantity() fails to emit warning for 0x+0).
Fixed bug GH-17222 (__PROPERTY__ magic constant does not work in all constant expression contexts).
Fixed bug GH-17214 (Relax final+private warning for trait methods with inherited final).
Fixed NULL arithmetic during system program execution on Windows.
Fixed potential OOB when checking for trailing spaces on Windows.
Fixed bug GH-17408 (Assertion failure Zend/zend_exceptions.c).
Fix may_have_extra_named_args flag for ZEND_AST_UNPACK.
Fix NULL arithmetic in System V shared memory emulation for Windows.
Fixed bug GH-17597 (#[\Deprecated] does not work for __call() and __callStatic()).
DOM:
Fixed bug GH-17397 (Assertion failure ext/dom/php_dom.c).
Fixed bug GH-17486 (Incorrect error line numbers reported in Dom\HTMLDocument::createFromString).
Fixed bug GH-17481 (UTF-8 corruption in \Dom\HTMLDocument).
Fixed bug GH-17500 (Segfault with requesting nodeName on nameless doctype).
Fixed bug GH-17485 (upstream fix, Self-closing tag on void elements shouldn't be a parse error/warning in \Dom\HTMLDocument).
Fixed bug GH-17572 (getElementsByTagName returns collections with tagName-based indexing).
Enchant:
Fix crashes in enchant when passing null bytes.
FTP:
Fixed bug GH-16800 (ftp functions can abort with EINTR).
GD:
Fixed bug GH-17349 (Tiled truecolor filling looses single color transparency).
Fixed bug GH-17373 (imagefttext() ignores clipping rect for palette images).
Ported fix for libgd 223 (gdImageRotateGeneric() does not properly interpolate).
Added support for reading GIFs without colormap to bundled libgd.
Gettext:
Fixed bug GH-17400 (bindtextdomain SEGV on invalid domain).
Intl:
Fixed bug GH-11874 (intl causing segfault in docker images).
Opcache:
Fixed bug GH-15981 (Segfault with frameless jumps and minimal JIT).
Fixed bug GH-17307 (Internal closure causes JIT failure).
Fixed bug GH-17428 (Assertion failure ext/opcache/jit/zend_jit_ir.c:8940).
Fixed bug GH-17564 (Potential UB when reading from / writing to struct padding).
PCNTL:
Fixed pcntl_setcpuaffinity exception type from ValueError to TypeError for the cpu mask argument with entries type different than int/string.
PCRE:
Fixed bug GH-17122 (memory leak in regex).
PDO:
Fixed a memory leak when the GC is used to free a PDOStatment.
Fixed a crash in the PDO Firebird Statement destructor.
Fixed UAFs when changing default fetch class ctor args.
PgSql:
Fixed build failure when the constant PGRES_TUPLES_CHUNK is not present in the system.
Phar:
Fixed bug GH-17518 (offset overflow phar extractTo()).
PHPDBG:
Fix crashes in function registration + test.
Session:
Fix type confusion with session SID constant.
Fixed bug GH-17541 (ext/session NULL pointer dereferencement during ID reset).
SimpleXML:
Fixed bug GH-17409 (Assertion failure Zend/zend_hash.c:1730).
SNMP:
Fixed bug GH-17330 (SNMP::setSecurity segfault on closed session).
SPL:
Fixed bug GH-15833 (Segmentation fault (access null pointer) in ext/spl/spl_array.c).
Fixed bug GH-17516 (SplFileTempObject::getPathInfo() Undefined behavior on invalid class).
Standard:
Fixed bug GH-17447 (Assertion failure when array popping a self addressing variable).
Windows:
Fixed clang compiler detection.
Zip:
Fixed bug GH-17139 (Fix zip_entry_name() crash on invalid entry).
- version update to 8.4.3
BcMath:
Fixed bug GH-17049 (Correctly compare 0 and -0).
Fixed bug GH-17061 (Now Number::round() does not remove trailing zeros).
Fixed bug GH-17064 (Correctly round rounding mode with zero edge case).
Fixed bug GH-17275 (Fixed the calculation logic of dividend scale).
Core:
Fixed bug OSS-Fuzz #382922236 (Duplicate dynamic properties in hooked object iterator properties table).
Fixed unstable get_iterator pointer for hooked classes in shm on Windows.
Fixed bug GH-17106 (ZEND_MATCH_ERROR misoptimization).
Fixed bug GH-17162 (zend_array_try_init() with dtor can cause engine UAF).
Fixed bug GH-17101 (AST->string does not reproduce constructor property promotion correctly).
Fixed bug GH-17200 (Incorrect dynamic prop offset in hooked prop iterator).
Fixed bug GH-17216 (Trampoline crash on error).
DBA:
Skip test if inifile is disabled.
DOM:
Fixed bug GH-17145 (DOM memory leak).
Fixed bug GH-17201 (Dom\TokenList issues with interned string replace).
Fixed bug GH-17224 (UAF in importNode).
Embed:
Make build command for program using embed portable.
FFI:
Fixed bug #79075 (FFI header parser chokes on comments).
Fix memory leak on ZEND_FFI_TYPE_CHAR conversion failure.
Fixed bug GH-16013 and bug #80857 (Big endian issues).
Fileinfo:
Fixed bug GH-17039 (PHP 8.4: Incorrect MIME content type).
FPM:
Fixed bug GH-13437 (FPM: ERROR: scoreboard: failed to lock (already locked)).
Fixed bug GH-17112 (Macro redefinitions).
Fixed bug GH-17208 (bug64539-status-json-encoding.phpt fail on 32-bits).
GD:
Fixed bug GH-16255 (Unexpected nan value in ext/gd/libgd/gd_filter.c).
Ported fix for libgd bug 276 (Sometimes pixels are missing when storing images as BMPs).
Gettext:
Fixed bug GH-17202 (Segmentation fault ext/gettext/gettext.c bindtextdomain()).
Iconv:
Fixed bug GH-17047 (UAF on iconv filter failure).
LDAP:
Fixed bug GH-17280 (ldap_search() fails when $attributes array has holes).
LibXML:
Fixed bug GH-17223 (Memory leak in libxml encoding handling).
MBString:
Fixed bug GH-17112 (Macro redefinitions).
Opcache:
opcache_get_configuration() properly reports jit_prof_threshold.
Fixed bug GH-17140 (Assertion failure in JIT trace exit with ZEND_FETCH_DIM_FUNC_ARG).
Fixed bug GH-17151 (Incorrect RC inference of op1 of FETCH_OBJ and INIT_METHOD_CALL).
Fixed bug GH-17246 (GC during SCCP causes segfault).
Fixed bug GH-17257 (UBSAN warning in ext/opcache/jit/zend_jit_vm_helpers.c).
PCNTL:
Fix memory leak in cleanup code of pcntl_exec() when a non stringable value is encountered past the first entry.
PgSql:
Fixed bug GH-17158 (pg_fetch_result Shows Incorrect ArgumentCountError Message when Called With 1 Argument).
Fixed further ArgumentCountError for calls with flexible number of arguments.
Phar:
Fixed bug GH-17137 (Segmentation fault ext/phar/phar.c).
SimpleXML:
Fixed bug GH-17040 (SimpleXML's unset can break DOM objects).
Fixed bug GH-17153 (SimpleXML crash when using autovivification on document).
Sockets:
Fixed bug GH-16276 (socket_strerror overflow handling with INT_MIN).
Fixed overflow on SO_LINGER values setting, strengthening values check on SO_SNDTIMEO/SO_RCVTIMEO for socket_set_option().
SPL:
Fixed bug GH-17198 (SplFixedArray assertion failure with get_object_vars).
Fixed bug GH-17225 (NULL deref in spl_directory.c).
Streams:
Fixed bug GH-17037 (UAF in user filter when adding existing filter name due to incorrect error handling).
Fixed bug GH-16810 (overflow on fopen HTTP wrapper timeout value).
Fixed bug GH-17067 (glob:// wrapper doesn't cater to CWD for ZTS builds).
Windows:
Hardened proc_open() against cmd.exe hijacking.
XML:
Fixed bug GH-1718 (unreachable program point in zend_hash).
- modified patches
% php-build-reproducible-phar.patch (refreshed)
- version update to 8.4.2
BcMath:
Fixed bug GH-16978 (Avoid unnecessary padding with leading zeros) (Saki Takamachi)
Calendar:
Fixed jdtogregorian overflow.
Fixed cal_to_jd julian_days argument overflow.
COM:
Fixed bug GH-16991 (Getting typeinfo of non DISPATCH variant segfaults).
Core:
Fail early in *nix configuration build script.
Fixed bug GH-16344 (setRawValueWithoutLazyInitialization() and skipLazyInitialization() may change initialized proxy).
Fixed bug GH-16727 (Opcache bad signal 139 crash in ZTS bookworm (frankenphp)).
Fixed bug GH-16799 (Assertion failure at Zend/zend_vm_execute.h:7469).
Fixed bug GH-16630 (UAF in lexer with encoding translation and heredocs).
Fix is_zend_ptr() huge block comparison.
Fixed potential OOB read in zend_dirname() on Windows.
Fixed bug GH-15964 (printf() can strip sign of -INF).
Curl:
Fixed bug GH-16802 (open_basedir bypass using curl extension).
Fix various memory leaks in curl mime handling.
DBA:
Fixed bug GH-16990 (dba_list() is now zero-indexed instead of using resource ids) (kocsismate)
DOM:
Fixed bug GH-16777 (Calling the constructor again on a DOM object after it is in a document causes UAF).
Fixed bug GH-16906 (Reloading document can cause UAF in iterator).
FPM:
Fixed GH-16432 (PHP-FPM 8.2 SIGSEGV in fpm_get_status).
Fixed bug GH-16932 (wrong FPM status output).
GD:
Fixed GH-16776 (imagecreatefromstring overflow).
GMP:
Fixed bug GH-16890 (array_sum() with GMP can loose precision (LLP64)).
Hash:
Fixed GH-16711: Segfault in mhash().
Opcache:
Fixed bug GH-16851 (JIT_G(enabled) not set correctly on other threads).
Fixed bug GH-16902 (Set of opcache tests fail zts+aarch64).
Fixed bug GH-16879 (JIT dead code skipping does not update call_level).
OpenSSL:
Prevent unexpected array entry conversion when reading key.
Fix various memory leaks related to openssl exports.
Fix memory leak in php_openssl_pkey_from_zval().
PDO:
Fixed memory leak of `setFetchMode()`.
Phar:
Fixed bug GH-16695 (phar:// tar parser and zero-length file header blocks).
PHPDBG:
Fixed bug GH-15208 (Segfault with breakpoint map and phpdbg_clear()).
SAPI:
Fixed bug GH-16998 (UBSAN warning in rfc1867).
SimpleXML:
Fixed bug GH-16808 (Segmentation fault in RecursiveIteratorIterator ->current() with a xml element input).
SOAP:
Fix make check being invoked in ext/soap.
Standard:
Fixed bug GH-16905 (Internal iterator functions can't handle UNDEF properties).
Fixed bug GH-16957 (Assertion failure in array_shift with self-referencing array).
Streams:
Fixed network connect poll interuption handling.
Windows:
Fixed bug GH-16849 (Error dialog causes process to hang).
Windows Server 2025 is now properly reported.
- version update to 8.4.1
* Property Hooks
* Asymmetric Property Visibility
* Lazy Objects
* PDO driver-specific subclasses
* BCMath object type
* details: https://www.php.net/ChangeLog-8.php#8.4.1
* upgrading notes: https://www.php.net/manual/en/migration84.php
* Fri Mar 14 2025 pgajdos@suse.com
- version update to 8.3.19
BCMath:
Fixed bug GH-17398 (bcmul memory leak).
Core:
Fixed bug GH-17623 (Broken stack overflow detection for variable compilation).
Fixed bug GH-17618 (UnhandledMatchError does not take zend.exception_ignore_args=1 into account).
Fix fallback paths in fast_long_{add,sub}_function.
Fixed bug GH-17718 (Calling static methods on an interface that has `__callStatic` is allowed).
Fixed bug GH-17797 (zend_test_compile_string crash on invalid script path).
Fixed GHSA-rwp7-7vc6-8477 (Reference counting in php_request_shutdown causes Use-After-Free). (CVE-2024-11235)
DOM:
Fixed bug GH-17847 (xinclude destroys live node).
FFI:
Fix FFI Parsing of Pointer Declaration Lists.
FPM:
Fixed bug GH-17643 (FPM with httpd ProxyPass encoded PATH_INFO env).
GD:
Fixed bug GH-17772 (imagepalettetotruecolor crash with memory_limit=2M).
LDAP:
Fixed bug GH-17704 (ldap_search fails when $attributes contains a non-packed array with numerical keys).
LibXML:
Fixed GHSA-wg4p-4hqh-c3g9 (Reocurrence of #72714).
Fixed GHSA-p3x9-6h7p-cgfc (libxml streams use wrong `content-type` header when requesting a redirected resource). (CVE-2025-1219)
MBString:
Fixed bug GH-17503 (Undefined float conversion in mb_convert_variables).
Opcache:
Fixed bug GH-17654 (Multiple classes using same trait causes function JIT crash).
Fixed bug GH-17577 (JIT packed type guard crash).
Fixed bug GH-17899 (zend_test_compile_string with invalid path when opcache is enabled).
Fixed bug GH-17868 (Cannot allocate memory with tracing JIT).
PDO_SQLite:
Fixed GH-17837 ()::getColumnMeta() on unexecuted statement segfaults).
Fix cycle leak in sqlite3 setAuthorizer().
Phar:
Fixed bug GH-17808: PharFileInfo refcount bug.
PHPDBG:
Partially fixed bug GH-17387 (Trivial crash in phpdbg lexer).
Fix memory leak in phpdbg calling registered function.
Reflection:
Fixed bug GH-15902 (Core dumped in ext/reflection/php_reflection.c).
Standard:
Fixed bug #72666 (stat cache clearing inconsistent between file:// paths and plain paths).
Streams:
Fixed bug GH-17650 (realloc with size 0 in user_filters.c).
Fix memory leak on overflow in _php_stream_scandir().
Fixed GHSA-hgf5-96fm-v528 (Stream HTTP wrapper header check might omit basic auth header). (CVE-2025-1736)
Fixed GHSA-52jp-hrpf-2jff (Stream HTTP wrapper truncate redirect location to 1024 bytes). (CVE-2025-1861)
Fixed GHSA-pcmh-g36c-qc44 (Streams HTTP wrapper does not fail for headers without colon). (CVE-2025-1734)
Fixed GHSA-v8xr-gpvj-cx9g (Header parser of `http` stream wrapper does not handle folded headers). (CVE-2025-1217)
Windows:
Fixed phpize for Windows 11 (24H2).
Fixed GH-17855 (CURL_STATICLIB flag set even if linked with shared lib).
Zlib:
Fixed bug GH-17745 (zlib extension incorrectly handles object arguments).
Fix memory leak when encoding check fails.
Fix zlib support for large files.
- fixes: CVE-2025-1217 [bsc#1239664]
CVE-2024-11235 [bsc#1239666]
CVE-2025-1734 [bsc#1239668]
CVE-2025-1861 [bsc#1239669]
CVE-2025-1736 [bsc#1239670]
CVE-2025-1219 [bsc#1239667]
* Fri Feb 14 2025 pgajdos@suse.com
- version update to 8.3.17
Core:
Fixed bug GH-16892 (ini_parse_quantity() fails to parse inputs starting with 0x0b).
Fixed bug GH-16886 (ini_parse_quantity() fails to emit warning for 0x+0).
Fixed bug GH-17214 (Relax final+private warning for trait methods with inherited final).
Fixed NULL arithmetic during system program execution on Windows.
Fixed potential OOB when checking for trailing spaces on Windows.
Fixed bug GH-17408 (Assertion failure Zend/zend_exceptions.c).
Fix may_have_extra_named_args flag for ZEND_AST_UNPACK.
Fix NULL arithmetic in System V shared memory emulation for Windows.
DOM:
Fixed bug GH-17500 (Segfault with requesting nodeName on nameless doctype).
Enchant:
Fix crashes in enchant when passing null bytes.
FTP:
Fixed bug GH-16800 (ftp functions can abort with EINTR).
GD:
Fixed bug GH-17349 (Tiled truecolor filling looses single color transparency).
Fixed bug GH-17373 (imagefttext() ignores clipping rect for palette images).
Ported fix for libgd 223 (gdImageRotateGeneric() does not properly interpolate).
Intl:
Fixed bug GH-11874 (intl causing segfault in docker images).
Fixed bug GH-17469 (UConverter::transcode always emit E_WARNING on invalid encoding).
Opcache:
Fixed bug GH-17307 (Internal closure causes JIT failure).
Fixed bug GH-17564 (Potential UB when reading from / writing to struct padding).
PDO:
Fixed a memory leak when the GC is used to free a PDOStatment.
Fixed a crash in the PDO Firebird Statement destructor.
Fixed UAFs when changing default fetch class ctor args.
Phar:
Fixed bug GH-17518 (offset overflow phar extractTo()).
PHPDBG:
Fix crashes in function registration + test.
Session:
Fix type confusion with session SID constant.
Fixed bug GH-17541 (ext/session NULL pointer dereferencement during ID reset).
SimpleXML:
Fixed bug GH-17409 (Assertion failure Zend/zend_hash.c:1730).
SNMP:
Fixed bug GH-17330 (SNMP::setSecurity segfault on closed session).
SPL:
Fixed bug GH-17463 (crash on SplTempFileObject::ftruncate with negative value).
Zip:
Fixed bug GH-17139 (Fix zip_entry_name() crash on invalid entry).
* Fri Feb 07 2025 pgajdos@suse.com
- obsolete also apache2-mod_php7 [bsc#1236850]
* Fri Jan 17 2025 pgajdos@suse.com
- version update to 8.3.16
Core:
Fixed bug GH-17106 (ZEND_MATCH_ERROR misoptimization).
Fixed bug GH-17162 (zend_array_try_init() with dtor can cause engine UAF).
Fixed bug GH-17101 (AST->string does not reproduce constructor property promotion correctly).
Fixed bug GH-17211 (observer segfault on function loaded with dl()).
Fixed bug GH-17216 (Trampoline crash on error).
Date:
Fixed bug GH-14709 DatePeriod::__construct() overflow on recurrences.
DBA:
Skip test if inifile is disabled.
DOM:
Fixed bug GH-17224 (UAF in importNode).
Embed:
Make build command for program using embed portable.
FFI:
Fixed bug #79075 (FFI header parser chokes on comments).
Fix memory leak on ZEND_FFI_TYPE_CHAR conversion failure.
Fixed bug GH-16013 and bug #80857 (Big endian issues).
Filter:
Fixed bug GH-16944 (Fix filtering special IPv4 and IPv6 ranges, by using information from RFC 6890).
FPM:
Fixed bug GH-13437 (FPM: ERROR: scoreboard: failed to lock (already locked)).
Fixed bug GH-17112 (Macro redefinitions).
Fixed bug GH-17208 (bug64539-status-json-encoding.phpt fail on 32-bits).
GD:
Fixed bug GH-16255 (Unexpected nan value in ext/gd/libgd/gd_filter.c).
Ported fix for libgd bug 276 (Sometimes pixels are missing when storing images as BMPs).
Gettext:
Fixed bug GH-17202 (Segmentation fault ext/gettext/gettext.c bindtextdomain()).
Iconv:
Fixed bug GH-17047 (UAF on iconv filter failure).
LDAP:
Fixed bug GH-17280 (ldap_search() fails when $attributes array has holes).
LibXML:
Fixed bug GH-17223 (Memory leak in libxml encoding handling).
MBString:
Fixed bug GH-17112 (Macro redefinitions).
Opcache:
opcache_get_configuration() properly reports jit_prof_threshold.
Fixed bug GH-17246 (GC during SCCP causes segfault).
PCNTL:
Fix memory leak in cleanup code of pcntl_exec() when a non stringable value is encountered past the first entry.
PgSql:
Fixed bug GH-17158 (pg_fetch_result Shows Incorrect ArgumentCountError Message when Called With 1 Argument).
Fixed further ArgumentCountError for calls with flexible number of arguments.
Phar:
Fixed bug GH-17137 (Segmentation fault ext/phar/phar.c).
SimpleXML:
Fixed bug GH-17040 (SimpleXML's unset can break DOM objects).
Fixed bug GH-17153 (SimpleXML crash when using autovivification on document).
Sockets:
Fixed bug GH-16276 (socket_strerror overflow handling with INT_MIN).
Fixed overflow on SO_LINGER values setting, strengthening values check on SO_SNDTIMEO/SO_RCVTIMEO for socket_set_option().
SPL:
Fixed bug GH-17225 (NULL deref in spl_directory.c).
Streams:
Fixed bug GH-17037 (UAF in user filter when adding existing filter name due to incorrect error handling).
Fixed bug GH-16810 (overflow on fopen HTTP wrapper timeout value).
Fixed bug GH-17067 (glob:// wrapper doesn't cater to CWD for ZTS builds).
Windows:
Hardened proc_open() against cmd.exe hijacking.
XML:
Fixed bug GH-1718 (unreachable program point in zend_hash).
- modified patches
% php-build-reproducible-phar.patch (refreshed)
* Fri Jan 10 2025 pgajdos@suse.com
- obsolete php7 to smooth the migration [bsc#1234788]