PHP 8.3.28 Release Announcement

The PHP development team announces the immediate availability of PHP 8.3.28. This is a bug fix release.

All PHP 8.3 users are encouraged to upgrade to this version.

For source downloads of PHP 8.3.28 please visit our downloads page, Windows source and binaries can be found on windows.php.net/download/. The list of changes is recorded in the ChangeLog.

Source Code

• PHP 8.3.28 (tar.gz)
  sha256: 2f7dda35bbef2842ec61510aaefe52c78361a61f9cfabd99a7789204d6383d9f
• PHP 8.3.28 (tar.bz2)
  sha256: d5b385ee351ec463c85d47eeb53b51156f3483eaf3ff43a7ad5080c2b6d4c557
• PHP 8.3.28 (tar.xz)
  sha256: 25e3860f30198a386242891c0bf9e2955931f7b666b96c3e3103d36a2a322326

Change Log

• core
  • Fixed bug GH-19934 (CGI with auto_globals_jit=0 causes uouv).
  • Fixed bug GH-20073 (Assertion failure in WeakMap offset operations on reference).
  • Fixed bug GH-19844 (Don't bail when closing resources on shutdown).
  • Fixed bug GH-20177 (Accessing overridden private property in get_object_vars() triggers assertion error).
  • Fixed bug GH-20183 (Stale EG(opline_before_exception) pointer through eval).
• dom
  • Partially fixed bug GH-16317 (DOM classes do not allow __debugInfo() overrides to work).
• exif
  • Fix possible memory leak when tag is empty.
• fpm
  • Fixed bug GH-19974 (fpm_status_export_to_zval segfault for parallel execution).
• ftp
  • Fixed bug GH-20240 (FTP with SSL: ftp_fput(): Connection timed out on successful writes).
• gd
  • Fixed bug GH-20070 (Return type violation in imagefilter when an invalid filter is provided).
• intl
  • Fix memory leak on error in locale_filter_matches().
• libxml
  • Fix not thread safe schema/relaxng calls.
• mysqlnd
  • Fixed bug GH-8978 (SSL certificate verification fails (port doubled)).
  • Fixed bug GH-20122 (getColumnMeta() for JSON-column in MySQL).
• opcache
  • Fixed bug GH-20081 (access to uninitialized vars in preload_load()).
  • Fixed bug GH-20121 (JIT broken in ZTS builds on MacOS 15).
• pgsql
  • Fix memory leak when first string conversion fails.
  • Fix segfaults when attempting to fetch row into a non-instantiable class name.
• phar
  • Fix memory leak of argument in webPhar.
  • Fix memory leak when setAlias() fails.
  • Fix a bunch of memory leaks in phar_parse_zipfile() error handling.
  • Fix file descriptor/memory leak when opening central fp fails.
  • Fix memleak+UAF when opening temp stream in buildFromDirectory() fails.
  • Fix potential buffer length truncation due to usage of type int instead of type size_t.
  • Fix memory leak when openssl polyfill returns garbage.
  • Fix file descriptor leak in phar_zip_flush() on failure.
  • Fix memory leak when opening temp file fails while trying to open gzip-compressed archive.
  • Fixed bug GH-20302 (Freeing a phar alias may invalidate PharFileInfo objects).
• random
  • Fix Randomizer::__serialize() w.r.t. INDIRECTs.
• simplexml
  • Partially fixed bug GH-16317 (SimpleXML does not allow __debugInfo() overrides to work).
• standard
  • Fix shm corruption with coercion in options of unserialize().
• streams
  • Fixed bug GH-19798: XP_SOCKET XP_SSL (Socket stream modules): Incorrect condition for Win32/Win64.
  • Fixed bug GH-20370 (User stream filters could violate typed property constraints).
• tidy
  • Fixed GH-19021 (improved tidyOptGetCategory detection).
  • Fix UAF in tidy when tidySetErrorBuffer() fails.
• xmlreader
  • Fix arginfo/zpp violations when LIBXML_SCHEMAS_ENABLED is not available.
• windows
  • Fix GH-19722 (_get_osfhandle asserts in debug mode when given a socket).
• zip
  • Fix memory leak when passing enc_method/enc_password is passed as option for ZipArchive::addGlob()/addPattern() and with consecutive calls.