Added the #[\DelayedTargetValidation] attribute to delay target errors for internal attributes from compile time to runtime.
Added support for `final` with constructor property promotion.
Added support for configuring the URI parser for the FTP/FTPS as well as the SSL/TLS stream wrappers as described in https://wiki.php.net/rfc/url_parsing_api#plugability.
Added PHP_BUILD_PROVIDER constant.
Added PHP_BUILD_DATE constant.
Added support for Closures and first class callables in constant expressions.
Add support for backtraces for fatal errors.
Add clone-with support to the clone() function.
Add RFC 3986 and WHATWG URL compliant APIs for URL parsing and manipulation (kocsismate, timwolla)
Fixed AST printing for immediately invoked Closure.
Properly handle __debugInfo() returning an array reference.
Properly handle reference return value from __toString().
Improved error message of UnhandledMatchError for zend.exception_string_param_max_len=0.
Fixed bug GH-15753 and GH-16198 (Bind traits before parent class).
Fixed bug GH-17951 (memory_limit is not always limited by max_memory_limit).
Fixed bug GH-20183 (Stale EG(opline_before_exception) pointer through eval).
Fixed bug GH-20113 (Missing new Foo(...) error in constant expressions).
Fixed bug GH-19844 (Don't bail when closing resources on shutdown).
Fixed bug GH-18033 (NULL-ptr dereference when using register_tick_function in destructor).
Fixed bug GH-18026 (Improve "expecting token" error for ampersand).
The report_memleaks INI directive has been deprecated.
Fixed OSS-Fuzz #439125710 (Pipe cannot be used in write context).
Fixed bug GH-19548 (Shared memory violation on property inheritance).
Fixed bug GH-19544 (GC treats ZEND_WEAKREF_TAG_MAP references as WeakMap references).
Fixed bug GH-18373 (Don't substitute self/parent with anonymous class).
Fix support for non-userland stream notifiers.
Fixed bug GH-19305 (Operands may be being released during comparison).
Fixed bug GH-19306 (Generator can be resumed while fetching next value from delegated Generator).
Fixed bug GH-19326 (Calling Generator::throw() on a running generator with a non-Generator delegate crashes).
Fix OSS-Fuzz #427814452 (pipe compilation fails with assert).
Fixed bug GH-16665 (\array and \callable should not be usable in class_alias).
Use `clock_gettime_nsec_np()` for high resolution timer on macOS if available.
Make `clone()` a function.
Introduced the TAILCALL VM, enabled by default when compiling with Clang>=19 on x86_64 or aarch64.
Enacted the follow-up phase of the "Path to Saner Increment/Decrement operators" RFC, meaning that incrementing non-numeric strings is now deprecated. (Girgias).
Various closure binding issues are now deprecated.
Constant redeclaration has been deprecated.
Marks the stack as non-executable on Haiku.
Deriving $_SERVER['argc'] and $_SERVER['argv'] from the query string is now deprecated.
Using null as an array offset or when calling array_key_exists() is now deprecated.
The disable_classes INI directive has been removed.
The locally predefined variable $http_response_header is deprecated.
Non-canonical cast names (boolean), (integer), (double), and (binary) have been deprecated.
The $exclude_disabled parameter of the get_defined_functions() function has been deprecated, as it no longer has any effect since PHP 8.0.
Terminating case statements with a semicolon instead of a colon has been deprecated.
The backtick operator as an alias for shell_exec() has been deprecated.
Returning null from __debugInfo() has been deprecated.
Support #[\Override] on properties.
Destructing non-array values (other than NULL) using [] or list() now emits a warning.
Casting floats that are not representable as ints now emits a warning.
Casting NAN to other types now emits a warning.
Implement GH-15680 (Enhance zend_dump_op_array to properly represent non-printable characters in string literals).
Fixed bug GH-17442 (Engine UAF with reference assign and dtor).
Do not use RTLD_DEEPBIND if dlmopen is available.
BCMath:
Simplify `bc_divide()` code.
If the result is 0, n_scale is set to 0.
If size of BC_VECTOR array is within 64 bytes, stack area is now used.
Fixed bug GH-20006 (Power of 0 of BcMath number causes UB).
The DATE_RFC7231 and DateTimeInterface::RFC7231 constants have been deprecated.
Fixed date_sunrise() and date_sunset() with partial-hour UTC offset.
Fixed GH-17159: "P" format for ::createFromFormat swallows string literals.
The __wakeup() magic method of DateTimeInterface, DateTime, DateTimeImmutable, DateTimeZone, DateInterval, and DatePeriod has been deprecated in favour of the __unserialize() magic method.
DOM:
Added Dom\Element::$outerHTML.
Added Dom\Element::insertAdjacentHTML().
Added $children property to ParentNode implementations.
Make cloning DOM node lists, maps, and collections fail.
Added Dom\Element::getElementsByClassName().
Fixed bug GH-18877 (\Dom\HTMLDocument querySelectorAll selecting only the first when using ~ and :has).
Fixed bug GH-11952 (Fix locale strings canonicalization for IntlDateFormatter and NumberFormatter).
Fixed bug GH-18566 ([intl] Weird numeric sort in Collator).
Fix return value on failure for resourcebundle count handler.
Fixed bug GH-19307 (PGO builds of shared ext-intl are broken).
Intl's internal error mechanism has been modernized so that it indicates more accurately which call site caused what error. Moreover, some ext/date exceptions are now wrapped inside an IntlException.
The intl.error_level INI setting has been deprecated.
LDAP:
Allow ldap_get_option to retrieve global option by allowing NULL for connection instance ($ldap).
MBstring:
Updated Unicode data tables to Unicode 17.0.
MySQLi:
Fixed bugs GH-17900 and GH-8084 (calling mysqli::__construct twice).
The mysqli_execute() alias function has been deprecated.
MySQLnd:
Added mysqlnd.collect_memory_statistics to ini quick reference.
ODBC:
Removed driver-specific build flags and support.
Remove ODBCVER and assume ODBC 3.5.
Opcache:
Make OPcache non-optional (Arnaud, timwolla)
Added opcache.file_cache_read_only.
Updated default value of opcache.jit_hot_loop.
Log a warning when opcache lock file permissions could not be changed.
Fixed bug GH-19657 (Build fails on non-glibc/musl/freebsd/macos/win platforms).
Fixed ZTS OPcache build on Cygwin.
Fixed bug GH-19493 (JIT variable not stored before YIELD).
OpenSSL:
Added openssl.libctx INI that allows selecting the OpenSSL library context type, and converted various parts of the extension to use the custom libctx.
Add $digest_algo parameter to openssl_public_encrypt() and openssl_private_decrypt() functions.
Implement #81724 (openssl_cms_encrypt only allows specific ciphers).
Implement #80495 (Enable to set padding in openssl_(sign|verify)).
Implement #47728 (openssl_pkcs7_sign ignores new openssl flags).
Fixed bug GH-19994 (openssl_get_cipher_methods inconsistent with fetching).
Fixed build when --with-openssl-legacy-provider set.
Fixed bug GH-19369 (8.5 | Regression in openssl_sign() - support for alias algorithms appears to be broken).
The $key_length parameter for openssl_pkey_derive() has been deprecated.
Output:
Fixed calculation of aligned buffer size.
PCNTL:
Extend pcntl_waitid with rusage parameter.
PCRE:
Remove PCRE2_EXTRA_ALLOW_LOOKAROUND_BSK from pcre compile options.
PDO:
Fixed bug GH-20095 (Incorrect class name in deprecation message for PDO mixins).
Driver specific methods and constants in the PDO class are now deprecated.
The "uri:" DSN scheme has been deprecated due to security concerns with DSNs coming from remote URIs.
PDO_ODBC:
Fetch larger block sizes and better handle SQL_NO_TOTAL when calling SQLGetData.
PDO_PGSQL:
Added Iterable support for PDO::pgsqlCopyFromArray.
Implement GH-15387 Pdo\Pgsql::setAttribute(PDO::ATTR_PREFETCH, 0) or Pdo\Pgsql::prepare(…, [ PDO::ATTR_PREFETCH => 0 ]) make fetch() lazy instead of storing the whole result set in memory (Guillaume Outters)
Implement GH-17321: Add setAuthorizer to Pdo\Sqlite.
PDO::sqliteCreateCollation now throws a TypeError if the callback has a wrong return type.
Added Pdo_Sqlite::ATTR_BUSY_STATEMENT constant to check if a statement is currently executing.
Added Pdo_Sqlite::ATTR_EXPLAIN_STATEMENT constant to set a statement in either EXPLAIN_MODE_PREPARED, EXPLAIN_MODE_EXPLAIN, EXPLAIN_MODE_EXPLAIN_QUERY_PLAN modes.
Fix bug GH-13952 (sqlite PDO::quote silently corrupts strings with null bytes) by throwing on null bytes.
PGSQL:
Added pg_close_stmt to close a prepared statement while allowing its name to be reused.
Added Iterable support for pgsql_copy_from.
pg_connect checks if connection_string contains any null byte, pg_close_stmt checks if the statement contains any null byte.
Added pg_service to get the connection current service identifier.
Fix segfaults when attempting to fetch row into a non-instantiable class name.
Phar:
Fix potential buffer length truncation due to usage of type int instead of type size_t.
Fixed memory leaks when verifying OpenSSL signature.
POSIX:
Added POSIX_SC_OPEN_MAX constant to get the number of file descriptors a process can handle.
posix_ttyname() sets last_error to EBADF on invalid file descriptors, posix_isatty() raises E_WARNING on invalid file descriptors, posix_fpathconf checks invalid file descriptors.
posix_kill and posix_setpgid throw a ValueError on invalid process_id.
posix_setpgid throws a ValueError on invalid process_group_id, posix_setrlimit throws a ValueError on invalid soft_limit and hard_limit arguments.
Random:
Moves from /dev/urandom usage to arc4random_buf on Haiku.
Reflection:
Added ReflectionConstant::getExtension() and ::getExtensionName().
Fixed bug GH-15766 (ReflectionClass::__toString() should have better output for enums).
Fix GH-19691 (getModifierNames() not reporting asymmetric visibility).
Fixed bug GH-17927 (Reflection: have some indication of property hooks in `_property_string()`).
Fixed bug GH-19187 (ReflectionNamedType::getName() prints nullable type when retrieved from ReflectionProperty::getSettableType()).
Fixed bug GH-20217 (ReflectionClass::isIterable() incorrectly returns true for classes with property hooks).
SAPI:
Fixed bug GH-18582 and #81451: http_response_code() does not override the status code generated by header().
Session:
session_start() throws a ValueError on option argument if not a hashmap or a TypeError if read_and_close value is not compatible with int.
Added support for partitioned cookies.
Fix RC violation of session SID constant deprecation attribute.
Fixed GH-19197: build broken with ZEND_STRL usage with memcpy when implemented as macro.
SimpleXML:
Fixed bug GH-12231 (SimpleXML xpath should warn when returning other return types than node lists).
SNMP:
snmpget, snmpset, snmp_get2, snmp_set2, snmp_get3, snmp_set3 and SNMP::__construct() throw an exception on invalid hostname, community, timeout and retries arguments.
SOAP:
Added support for configuring the URI parser for SoapClient::__doRequest() as described in https://wiki.php.net/rfc/url_parsing_api#plugability.
Implement request #55503 (Extend __getTypes to support enumerations).
Implement request #61105 (Support Soap 1.2 SoapFault Reason Text lang attribute).
Fixed bug #49169 (SoapServer calls wrong function, although "SOAP action" header is correct).
Fix namespace handling of WSDL and XML schema in SOAP, fixing at least GH-16320 and bug #68576.
Fixed bug #70951 (Segmentation fault on invalid WSDL cache).
Fixed bug GH-19773 (SIGSEGV due to uninitialized soap_globals->lang_en).
Fixed bug GH-19226 (Segfault when spawning new thread in soap extension).
Sockets:
Added IPPROTO_ICMP/IPPROTO_ICMPV6 to create raw socket for ICMP usage.
Added TCP_FUNCTION_BLK to change the TCP stack algorithm on FreeBSD.
Added IP_BINDANY for a socket to bind to any address.
Added SO_BUSY_POOL to reduce packets poll latency.
Added UDP_SEGMENT support to optimise multiple large datagrams over UDP if the kernel and hardware support it.
Added SHUT_RD, SHUT_WR and SHUT_RDWR constants for socket_shutdown().
Improve __unserialize() hardening for SplHeap/SplPriorityQueue.
Deprecate ArrayObject and ArrayIterator with objects.
Unregistering all autoloaders by passing the spl_autoload_call() function as a callback argument to spl_autoload_unregister() has been deprecated. Instead if this is needed, one should iterate over the return value of spl_autoload_functions() and call spl_autoload_unregister() on each value.
The SplObjectStorage::contains(), SplObjectStorage::attach(), and SplObjectStorage::detach() methods have been deprecated in favour of SplObjectStorage::offsetExists(), SplObjectStorage::offsetSet(), and SplObjectStorage::offsetUnset() respectively.
Sqlite:
Added Sqlite3Stmt::busy to check if a statement is still being executed.
Added Sqlite3Stmt::explain to produce an explain query plan from the statement.
Added Sqlite3Result::fetchAll to return all results at once from a query.
Standard:
Add HEIF/HEIC support to getimagesize.
Added support for partitioned cookies.
Implement #71517 (Implement SVG support for getimagesize() and friends).
Implement GH-19188: Add support for new INI mail.cr_lf_mode.
Optimized PHP html_entity_decode function.
Minor optimization to array_chunk().
Optimized pack().
Fixed crypt() tests on musl when using --with-external-libcrypt (Michael Orlitzky).
Fixed bug GH-18062 (is_callable(func(...), callable_name: $name) for first class callables returns wrong name).
Added array_first() and array_last().
Fixed bug GH-18823 (setlocale's 2nd and 3rd argument ignores strict_types).
Fixed exit code handling of sendmail cmd and added warnings.
Fixed bug GH-18897 (printf: empty precision is interpreted as precision 6, not as precision 0).
Fixed bug GH-20257 (mail() heap overflow with an empty message in lf mode).
Fixed bug GH-20201 (AVIF images misdetected as HEIF after introducing HEIF support in getimagesize()).
Fixed bug GH-19926 (reset internal pointer earlier while splicing array while COW violation flag is still set).
Fixed bug GH-19801 (leaks in var_dump() and debug_zval_dump()).
Fixed GH-14402 (SplPriorityQueue, SplMinHeap, and SplMaxHeap lost their data on serialize()).
Fixed GH-19610 (Deprecation warnings in functions taking as argument).
Fixed bug GH-19577 (Avoid integer overflow when using a small offset and PHP_INT_MAX with LimitIterator).
Fixed bug GH-19153 (#[\Attribute] validation should error on trait/interface/enum/abstract class).
Fixed bug GH-19070 (setlocale($type, NULL) should not be deprecated).
The "use_include_path" argument of gzfile, gzopen and readgzfile is now a boolean.
Fixed bug GH-16883 (gzopen() does not use the default stream context when opening HTTP URLs).
Implemented GH-17668 (zlib streams should support locking).
Zip:
Fixed missing zend_release_fcall_info_cache on the following methods ZipArchive::registerProgressCallback() and ZipArchive::registerCancelCallback() on failure.
Version 8.4.15
Core:
Fixed bug GH-19934 (CGI with auto_globals_jit=0 causes uouv).
Fixed bug GH-20073 (Assertion failure in WeakMap offset operations on reference).
Fixed bug GH-20085 (Assertion failure when combining lazy object get_properties exception with foreach loop).
Fixed bug GH-19844 (Don't bail when closing resources on shutdown).
Fixed bug GH-18639 (Internal class aliases can break preloading + JIT).
Fixed bug GH-18899 (JIT function crash when emitting undefined variable warning and opline is not set yet).
Fixed bug GH-14082 (Segmentation fault on unknown address 0x600000000018 in ext/opcache/jit/zend_jit.c).
Fixed bug GH-18898 (SEGV zend_jit_op_array_hot with property hooks and preloading).
OpenSSL:
Fixed bug #80770 (It is not possible to get client peer certificate with stream_socket_server).
PCNTL:
Fixed bug GH-18958 (Fatal error during shutdown after pcntl_rfork() or pcntl_forkx() with zend-max-execution-timers).
Phar:
Fix stream double free in phar.
Fix phar crash and file corruption with SplFileObject.
SOAP:
Fixed bug GH-18990, bug #81029, bug #47314 (SOAP HTTP socket not closing on object destruction).
Fix memory leak when URL parsing fails in redirect.
SPL:
Fixed bug GH-19094 (Attaching class with no Iterator implementation to MultipleIterator causes crash).
Standard:
Fix misleading errors in printf().
Fix RCN violations in array functions.
Fixed GH-18976 pack() overflow with h/H format and INT_MAX repeater value.
Streams:
Fixed GH-13264 (fgets() and stream_get_line() do not return false on filter fatal error).
Zip:
Fix leak when path is too long in ZipArchive::extractTo().
Version 8.4.10
BcMath:
Fixed bug GH-18641 (Accessing a BcMath\Number property by ref crashes).
Core:
Fixed bugs GH-17711 and GH-18022 (Infinite recursion on deprecated attribute evaluation) and GH-18464 (Recursion protection for deprecation constants not released on bailout).
Fixed GH-18695 (zend_ast_export() - float number is not preserved).
Fix handling of references in zval_try_get_long().
Do not delete main chunk in zend_gc.
Fix compile issues with zend_alloc and some non-default options.
Curl:
Fix memory leak when setting a list via curl_setopt fails.
Date:
Fix leaks with multiple calls to DatePeriod iterator current().
DOM:
Fixed bug GH-18744 (classList works not correctly if copy HTMLElement by clone keyword).
Fix memory leak in intl_datetime_decompose() on failure.
Fix memory leak in locale lookup on failure.
Opcache:
Fixed bug GH-18743 (Incompatibility in Inline TLS Assembly on Alpine 3.22).
ODBC:
Fix memory leak on php_odbc_fetch_hash() failure.
OpenSSL:
Fix memory leak of X509_STORE in php_openssl_setup_verify() on failure.
Fixed bug #74796 (Requests through http proxy set peer name).
PGSQL:
Fixed GHSA-hrwm-9436-5mv3 (pgsql extension does not check for errors during escaping). (CVE-2025-1735)
Fix warning not being emitted when failing to cancel a query with pg_cancel_query().
PDO ODBC:
Fix memory leak if WideCharToMultiByte() fails.
PDO Sqlite:
Fixed memory leak with Pdo_Sqlite::createCollation when the callback has an incorrect return type.
Phar:
Add missing filter cleanups on phar failure.
Fixed bug GH-18642 (Signed integer overflow in ext/phar fseek).
PHPDBG:
Fix 'phpdbg --help' segfault on shutdown with USE_ZEND_ALLOC=0.
Random:
Fix reference type confusion and leak in user random engine.
Readline:
Fix memory leak when calloc() fails in php_readline_completion_cb().
SimpleXML:
Fixed bug GH-18597 (Heap-buffer-overflow in zend_alloc.c when assigning string with UTF-8 bytes).
SOAP:
Fix memory leaks in php_http.c when call_user_function() fails.
Fixed GHSA-453j-q27h-5p8x (NULL Pointer Dereference in PHP SOAP Extension via Large XML Namespace Prefix). (CVE-2025-6491)
Standard:
Fixed GHSA-3cr5-j632-f35r (Null byte termination in hostnames). (CVE-2025-1220)
Tidy:
Fix memory leak in tidy output handler on error.
Fix tidyOptIsReadonly deprecation, using tidyOptGetCategory.
Version 8.4.8
Core:
Fixed GH-18480 (array_splice with large values for offset/length arguments).
Partially fixed GH-18572 (nested object comparisons leading to stack overflow).
Fixed OSS-Fuzz #417078295.
Fixed OSS-Fuzz #418106144.
Curl:
Fixed GH-18460 (curl_easy_setopt with CURLOPT_USERPWD/CURLOPT_USERNAME/ CURLOPT_PASSWORD set the Authorization header when set to NULL).
Date:
Fixed bug GH-18076 (Since PHP 8, the date_sun_info() function returns inaccurate sunrise and sunset times, but other calculated times are correct) (JiriJozif).
Fixed bug GH-18481 (date_sunrise with unexpected nan value for the offset).
DOM:
Backport lexbor/lexbor#274.
Intl:
Fix various reference issues.
LDAP:
Fixed bug GH-18529 (ldap no longer respects TLS_CACERT from ldaprc in ldap_start_tls()).
Opcache:
Fixed bug GH-18417 (Windows SHM reattachment fails when increasing memory_consumption or jit_buffer_size).
Fixed bug GH-18297 (Exception not handled when jit guard is triggered).
Fixed bug GH-18408 (Snapshotted poly_func / poly_this may be spilled).
Fixed bug GH-18567 (Preloading with internal class alias triggers assertion failure).
Fixed bug GH-18534 (FPM exit code 70 with enabled opcache and hooked properties in traits).
Fix leak of accel_globals->key.
OpenSSL:
Fix missing checks against php_set_blocking() in xp_ssl.c.
SPL:
Fixed bug GH-18421 (Integer overflow with large numbers in LimitIterator).
Standard:
Fixed bug GH-17403 (Potential deadlock when putenv fails).
Fixed bug GH-18400 (http_build_query type error is inaccurate).
Fixed bug GH-18509 (Dynamic calls to assert() ignore zend.assertions).
Windows:
Fix leak+crash with sapi_windows_set_ctrl_handler().
Zip:
Fixed bug GH-18431 (Registering ZIP progress callback twice doesn't work).
Fixed bug GH-18438 (Handling of empty data and errors in ZipArchive::addPattern).
Fix GH-14978 (The xmlreader extension phpize build).
Throw Error exception when encountering recursion during comparison, rather than fatal error.
Added missing cstddef include for C++ builds.
Updated build system scripts config.guess to 2024-07-27 and config.sub to 2024-05-27.
Fixed bug GH-15240 (Infinite recursion in trait hook).
Fixed bug GH-15140 (Missing variance check for abstract set with asymmetric type).
Fixed bug GH-15181 (Disabled output handler is flushed again).
Passing E_USER_ERROR to trigger_error() is now deprecated.
Fixed bug GH-15292 (Dynamic AVX detection is broken for MSVC).
Using "_" as a class name is now deprecated.
Exiting a namespace now clears seen symbols.
The exit (and die) language constructs now behave more like a function. They can be passed like callables, are affected by the strict_types declare statement, and now perform the usual type coercions instead of casting any non-integer value to a string. As such, passing invalid types to exit/die may now result in a TypeError being thrown.
Fixed bug GH-15438 (Hooks on constructor promoted properties without visibility are ignored).
Fixed bug GH-15419 (Missing readonly+hook incompatibility check for readonly classes).
resourcebundle_get(), ResourceBundle::get(), and accessing offsets on a ResourceBundle object now throw:
- TypeError for invalid offset types
- ValueError for an empty string
- ValueError if the integer index does not fit in a signed 32 bit integer
ResourceBundle::get() now has a tentative return type of: ResourceBundle|array|string|int|null
Added the new Grapheme function grapheme_str_split.
Added IntlDateFormatter::parseToCalendar.
Added SpoofChecker::setAllowedChars to set unicode chars ranges.
The mysqli_ping() function and mysqli::ping() method are now deprecated, as the reconnect feature was removed in PHP 8.2.
The mysqli_kill() function and mysqli::kill() method are now deprecated. If this functionality is needed a SQL "KILL" command can be used instead.
The mysqli_refresh() function and mysqli::refresh() method are now deprecated. If this functionality is needed a SQL "FLUSH" command can be used instead.
Passing explicitly the $mode parameter to mysqli_store_result() has been deprecated. As the MYSQLI_STORE_RESULT_COPY_DATA constant was only used in conjunction with this function it has also been deprecated.
Fixed bug #44383 (PHP DateTime not converted to xsd:datetime).
Fixed bug GH-11941 (soap with session persistence will silently fail when "session" built as a shared object).
Passing an int to SoapServer::addFunction() is now deprecated. If all PHP functions need to be provided flatten the array returned by get_defined_functions().
The SOAP_FUNCTIONS_ALL constant is now deprecated.
Fixed bug #61525 (SOAP functions require at least one space after HTTP header colon).
Added the SOCK_CONN_DGRAM/SOCK_DCCP NetBSD constants.
Added multicast group support for IPv4 on FreeBSD.
Added the TCP_SYNCNT constant for Linux to set number of attempts to send SYN packets from the client.
Added the SO_EXCLBIND constant for exclusive socket binding on illumos/solaris.
Updated the socket_create_listen backlog argument default value to SOMAXCONN.
Added the SO_NOSIGPIPE constant to control the generation of SIGPIPE for macOS and FreeBSD.
Added SO_LINGER_SEC for macOS, true equivalent of SO_LINGER in other platforms.
Add close-on-exec on socket created with socket_accept on unixes.
Added IP_PORTRANGE* constants for BSD systems to control ephemeral port ranges.
Added SOCK_NONBLOCK/SOCK_CLOEXEC constants for socket_create and socket_create_pair to apply O_NONBLOCK/O_CLOEXEC flags to the newly created sockets.
Added SO_BINDTOIFINDEX to bind a socket to an interface index.
Sodium:
Add support for AEGIS-128L and AEGIS-256.
Enable AES-GCM on aarch64 with the ARM crypto extensions.
SPL:
Implement SeekableIterator for SplObjectStorage.
The SplFixedArray::__wakeup() method has been deprecated as it implements __serialize() and __unserialize() which need to be overwritten instead.
Passing a non-empty string for the $escape parameter of:
- SplFileObject::setCsvControl()
- SplFileObject::fputcsv()
- SplFileObject::fgetcsv()
is now deprecated.
Standard:
Implement GH-12188 (Indication for the int size in phpinfo()).
Partly fix GH-12143 (Incorrect round() result for 0.49999999999999994).
Fix GH-12252 (round(): Validate the rounding mode).
Increase the default BCrypt cost to 12.
Fixed bug GH-12592 (strcspn() odd behaviour with NUL bytes and empty mask).
Removed the deprecated inet_ntoa call support.
Cast large floats that are within int range to int in number_format so the precision is not lost.
Add support for 4 new rounding modes to the round() function.
debug_zval_dump() now indicates whether an array is packed.
Changed return type of long2ip to string from string|false.
Fix GH-12143 (Extend the maximum precision round can handle by one digit).
Added the http_get_last_response_headers() and http_clear_last_response_headers() functions, which allow retrieving the same content as the magic $http_response_header variable.
Add php_base64_encode_ex() API.
Implemented "Raising zero to the power of negative number" RFC.
Added array_find(), array_find_key(), array_all(), and array_any().
Change highlight_string() and print_r() return type to string|true.
Fix references in request_parse_body() options array.
Add RoundingMode enum.
Unserializing the uppercase 'S' tag is now deprecated.
Enables crc32 auxiliary detection on OpenBSD.
Passing a non-empty string for the $escape parameter of:
- fputcsv()
- fgetcsv()
- str_getcsv()
is now deprecated.
The str_getcsv() function now throws ValueErrors when the $separator and $enclosure arguments are not one byte long, or if the $escape is not one byte long or the empty string. This aligns the behaviour to be identical to that of fputcsv() and fgetcsv().
php_uname() now throws ValueErrors on invalid inputs.
The "allowed_classes" option for unserialize() now throws TypeErrors and ValueErrors if it is not an array of class names.
Implemented GH-15685 (improve proc_open error reporting on Windows).
Add support for backed enums in http_build_query().
Fixed bug GH-15982 (Assertion failure with array_find when references are involved).
Fixed parameter names of fpow() to be identical to pow().
Streams:
Implemented GH-15155 (Stream context is lost when custom stream wrapper is being filtered).
Tidy:
Failures in the constructor now throw exceptions rather than emitting warnings and having a broken object.
Add tidyNode::getNextSibling() and tidyNode::getPreviousSibling().
Windows:
Update the icon of the Windows executables, e.g. php.exe.
Fixed bug GH-19577 (Avoid integer overflow when using a small offset and PHP_INT_MAX with LimitIterator).
Streams:
Remove incorrect call to zval_ptr_dtor() in user_wrapper_metadata().
Fix OSS-Fuzz #385993744.
Tidy:
Fixed GH-19021 build issue with libtidy with regard to the tidyOptIsReadonly deprecation and TidyInternalCategory being available later than tidyOptGetCategory.
Zip:
Fix memory leak in zip when encountering empty glob result.
Version 8.3.25
Core:
Fixed GH-19169 build issue with C++17 and ZEND_STATIC_ASSERT macro.
Fixed bug GH-18581 (Coerce numeric string keys from iterators when argument unpacking).
Fixed OSS-Fuzz #434346548 (Failed assertion with throwing __toString in binary const expr).
Fixed bug GH-19305 (Operands may be being released during comparison).
Fix memory leak in intl_datetime_decompose() on failure.
Fix memory leak in locale lookup on failure.
ODBC:
Fix memory leak on php_odbc_fetch_hash() failure.
Opcache:
Fixed bug GH-18743 (Incompatibility in Inline TLS Assembly on Alpine 3.22).
OpenSSL:
Fix memory leak of X509_STORE in php_openssl_setup_verify() on failure.
Fixed bug #74796 (Requests through http proxy set peer name).
PGSQL:
Fixed GHSA-hrwm-9436-5mv3 (pgsql extension does not check for errors during escaping). (CVE-2025-1735)
Fix warning not being emitted when failing to cancel a query with pg_cancel_query().
Phar:
Add missing filter cleanups on phar failure.
Fixed bug GH-18642 (Signed integer overflow in ext/phar fseek).
PHPDBG:
Fix 'phpdbg --help' segfault on shutdown with USE_ZEND_ALLOC=0.
PDO ODBC:
Fix memory leak if WideCharToMultiByte() fails.
Random:
Fix reference type confusion and leak in user random engine.
Readline:
Fix memory leak when calloc() fails in php_readline_completion_cb().
SOAP:
Fix memory leaks in php_http.c when call_user_function() fails.
Fixed GHSA-453j-q27h-5p8x (NULL Pointer Dereference in PHP SOAP Extension via Large XML Namespace Prefix). (CVE-2025-6491)
Standard:
Fixed GHSA-3cr5-j632-f35r (Null byte termination in hostnames). (CVE-2025-1220)
Tidy:
Fix memory leak in tidy output handler on error.
Fix tidyOptIsReadonly deprecation, using tidyOptGetCategory.
Version 8.3.22
Core:
Fixed GH-18480 (array_splice with large values for offset/length arguments).
Partially fixed GH-18572 (nested object comparisons leading to stack overflow).
Fixed OSS-Fuzz #417078295.
Fixed OSS-Fuzz #418106144.
Curl:
Fixed GH-18460 (curl_easy_setopt with CURLOPT_USERPWD/CURLOPT_USERNAME/ CURLOPT_PASSWORD set the Authorization header when set to NULL).
Date:
Fixed bug GH-18076 (Since PHP 8, the date_sun_info() function returns inaccurate sunrise and sunset times, but other calculated times are correct) (JiriJozif).
Fixed bug GH-18481 (date_sunrise with unexpected nan value for the offset).
Intl:
Fix various reference issues.
LDAP:
Fixed bug GH-18529 (ldap no longer respects TLS_CACERT from ldaprc in ldap_start_tls()).
Opcache:
Fixed bug GH-18417 (Windows SHM reattachment fails when increasing memory_consumption or jit_buffer_size).
Fixed bug GH-18567 (Preloading with internal class alias triggers assertion failure).
Fix leak of accel_globals->key.
OpenSSL:
Fix missing checks against php_set_blocking() in xp_ssl.c.
PDO_OCI:
Fixed bug GH-18494 (PDO OCI segfault in statement GC).
SPL:
Fixed bug GH-18421 (Integer overflow with large numbers in LimitIterator).
Standard:
Fixed bug GH-17403 (Potential deadlock when putenv fails).
Fixed bug GH-18509 (Dynamic calls to assert() ignore zend.assertions).
Windows:
Fix leak+crash with sapi_windows_set_ctrl_handler().
Zip:
Fixed bug GH-18431 (Registering ZIP progress callback twice doesn't work).
Fixed bug GH-18438 (Handling of empty data and errors in ZipArchive::addPattern).
Version 8.3.21
Core:
Fixed bug GH-18304 (Changing the properties of a DateInterval through dynamic properties triggers a SegFault).
Fixed bug GH-13970 (Incorrect validation of #[Attribute] flags type for non-compile-time expressions).
DOM:
Fix crashes when entity declaration is removed while still having entity references.
Fix references not handled correctly in C14N.
Fix crash when calling childNodes next() when iterator is exhausted.
Fix crash in ParentNode::append() when dealing with a fragment containing text nodes.
Filter:
Fixed bug GHSA-w8qr-v226-r27w (Filter bypass in filter_var FILTER_VALIDATE_URL). (CVE-2024-5458)
FPM:
Fix bug GH-14175 (Show decimal number instead of scientific notation in systemd status).
Hash:
ext/hash: Swap the checking order of `__has_builtin` and `__GNUC__` (Saki Takamachi)
Intl:
Fixed build regression on systems without C++17 compilers.
MySQLnd:
Fix bug GH-14255 (mysqli_fetch_assoc reports error from nested query).
Opcache:
Fixed bug GH-14109 (Fix accidental persisting of internal class constant in shm).
OpenSSL:
The openssl_private_decrypt function in PHP, when using PKCS1 padding (OPENSSL_PKCS1_PADDING, which is the default), is vulnerable to the Marvin Attack unless it is used with an OpenSSL version that includes the changes from this pull request: https://github.com/openssl/openssl/pull/13817 (rsa_pkcs1_implicit_rejection). These changes are part of OpenSSL 3.2 and have also been backported to stable versions of various Linux distributions, as well as to the PHP builds provided for Windows since the previous release. All distributors and builders should ensure that this version is used to prevent PHP from being vulnerable.
Standard:
Fixed bug GHSA-9fcc-425m-g385 (Bypass of CVE-2024-1874). (CVE-2024-5585)
XML:
Fixed bug GH-14124 (Segmentation fault with XML extension under certain memory limit).
XMLReader:
Fixed bug GH-14183 (XMLReader::open() can't be overridden).
Version 8.3.7
Core:
Fixed zend_call_stack build with Linux/uclibc-ng without thread support.
Fixed bug GH-13772 (Invalid execute_data->opline pointers in observer fcall handlers when JIT is enabled).
Fixed bug GH-13931 (Applying zero offset to null pointer in Zend/zend_opcode.c).
Fixed bug GH-13942 (Align the behavior of zend-max-execution-timers with other timeout implementations).
Fixed bug GH-14003 (Broken cleanup of unfinished calls with callable convert parameters).
Fixed bug GH-14013 (Erroneous dnl appended in configure).
Fixed bug GH-10232 (If autoloading occurs during constant resolution filename and lineno are identified incorrectly).
Removed the BC break on IntlDateFormatter::construct which threw an exception with an invalid locale.
JSON:
Added json_validate().
LDAP:
Deprecate calling ldap_connect() with separate hostname and port.
LibXML:
Fix compile error with -Werror=incompatible-function-pointer-types and old libxml2.
MBString:
mb_detect_encoding is better able to identify the correct encoding for Turkish text.
mb_detect_encoding's "non-strict" mode now behaves as described in the documentation. Previously, it would return false if the same byte (for example, the first byte) of the input string was invalid in all candidate encodings. More generally, it would eliminate candidate encodings from consideration when an invalid byte was seen, and if the same input byte eliminated all remaining encodings still under consideration, it would return false. On the other hand, if all candidate encodings but one were eliminated from consideration, it would return the last remaining one without regard for how many encoding errors might be encountered later in the string. This is different from the behavior described in the documentation, which says: "If strict is set to false, the closest matching encoding will be returned." (Alex Dowad)
mb_strtolower, mb_strtotitle, and mb_convert_case implement conditional casing rules for the Greek letter sigma. For mb_convert_case, conditional casing only applies to MB_CASE_LOWER and MB_CASE_TITLE modes, not to MB_CASE_LOWER_SIMPLE and MB_CASE_TITLE_SIMPLE.
mb_detect_encoding is better able to identify UTF-8 and UTF-16 strings with a byte-order mark.
mb_decode_mimeheader interprets underscores in QPrint-encoded MIME encoded words as required by RFC 2047; they are converted to spaces. Underscores must be encoded as "=5F" in such MIME encoded words.
mb_encode_mimeheader no longer drops NUL (zero) bytes when QPrint-encoding the input string. This previously caused strings in certain text encodings, especially UTF-16 and UTF-32, to be corrupted by mb_encode_mimeheader.
Implement mb_str_pad() RFC.
Fixed bug GH-11514 (PHP 8.3 build fails with --enable-mbstring enabled).
Fix use-after-free of mb_list_encodings() return value.
Fixed bug GH-11992 (utf_encodings.phpt fails on Windows 32-bit).
mysqli:
mysqli_fetch_object raises a ValueError instead of an Exception.
Opcache:
Added start, restart and force restart time to opcache's phpinfo section.
Fix GH-9139: Allow FFI in opcache.preload when opcache.preload_user=root.
Made opcache.preload_user always optional in the cli and phpdbg SAPIs.
Allows W/X bits on page creation on FreeBSD despite system settings.
Added memfd api usage, on Linux, for zend_shared_alloc_create_lock() to create an abstract anonymous file for the opcache's lock.
Avoid resetting JIT counter handlers from multiple processes/threads.
Fixed COPY_TMP type inference for references.
OpenSSL:
Added OPENSSL_CMS_OLDMIMETYPE and PKCS7_NOOLDMIMETYPE constants to switch between MIME content types.
Fixed GH-11054: Reset OpenSSL errors when using a PEM public key.
Added support for additional EC parameters in openssl_pkey_new.
PCNTL:
SA_ONSTACK is now set for pcntl_signal.
Added SIGINFO constant.
PCRE:
Update bundled libpcre2 to 10.42.
PGSQL:
pg_fetch_object raises a ValueError instead of an Exception.
pg_cancel uses the thread-safe PQcancel API instead.
pg_trace: added support for the new PGSQL_TRACE_SUPPRESS_TIMESTAMPS and PGSQL_TRACE_REGRESS_MODE constants.
Fixed bug GH-13970 (Incorrect validation of #[Attribute] flags type for non-compile-time expressions).
Fixed bug GH-14140 (Floating point bug in range operation on Apple Silicon hardware).
DOM:
Fix crashes when entity declaration is removed while still having entity references.
Fix references not handled correctly in C14N.
Fix crash when calling childNodes next() when iterator is exhausted.
Fix crash in ParentNode::append() when dealing with a fragment containing text nodes.
FFI:
Fixed bug GH-14215 (Cannot use FFI::load on CRLF header file with apache2handler).
Filter:
Fixed bug GHSA-w8qr-v226-r27w (Filter bypass in filter_var FILTER_VALIDATE_URL). (CVE-2024-5458)
FPM:
Fix bug GH-14175 (Show decimal number instead of scientific notation in systemd status).
Hash:
ext/hash: Swap the checking order of `__has_builtin` and `__GNUC__` (Saki Takamachi)
Intl:
Fixed build regression on systems without C++17 compilers.
Ini:
Fixed bug GH-14100 (Corrected spelling mistake in php.ini files).
MySQLnd:
Fix bug GH-14255 (mysqli_fetch_assoc reports error from nested query).
Opcache:
Fixed bug GH-14109 (Fix accidental persisting of internal class constant in shm).
OpenSSL:
The openssl_private_decrypt function in PHP, when using PKCS1 padding (OPENSSL_PKCS1_PADDING, which is the default), is vulnerable to the Marvin Attack unless it is used with an OpenSSL version that includes the changes from this pull request: https://github.com/openssl/openssl/pull/13817 (rsa_pkcs1_implicit_rejection). These changes are part of OpenSSL 3.2 and have also been backported to stable versions of various Linux distributions, as well as to the PHP builds provided for Windows since the previous release. All distributors and builders should ensure that this version is used to prevent PHP from being vulnerable.
Standard:
Fixed bug GHSA-9fcc-425m-g385 (Bypass of CVE-2024-1874). (CVE-2024-5585)
XML:
Fixed bug GH-14124 (Segmentation fault with XML extension under certain memory limit).
XMLReader:
Fixed bug GH-14183 (XMLReader::open() can't be overridden).
Version 8.2.19
Core:
Fixed bug GH-13772 (Invalid execute_data->opline pointers in observer fcall handlers when JIT is enabled).
Fixed bug GH-13931 (Applying zero offset to null pointer in Zend/zend_opcode.c).
Fixed bug GH-13942 (Align the behavior of zend-max-execution-timers with other timeout implementations).
Fixed bug GH-14003 (Broken cleanup of unfinished calls with callable convert parameters).
Fixed bug GH-14013 (Erroneous dnl appended in configure).
Fixed bug GH-10232 (If autoloading occurs during constant resolution filename and lineno are identified incorrectly).
Fixed bug GH-11600 (Can't parse time strings which include (narrow) non-breaking space characters).
Fixed bug GH-11854 (DateTime::createFromFormat stopped parsing datetime with extra space).
DOM:
Fixed bug GH-11625 (DOMElement::replaceWith() doesn't replace node with DOMDocumentFragment but just deletes node or causes wrapping <></> depending on libxml2 version).
Fileinfo:
Fixed bug GH-11298 (finfo returns wrong mime type for xz files).
FTP:
Fix context option check for "overwrite".
Fixed bug GH-10562 (Memory leak and invalid state with consecutive ftp_nb_fget).
GD:
Fix most of the external libgd test failures.
Intl:
Fix memory leak in MessageFormatter::format() on failure.
Libxml:
Fixed bug GHSA-3qrf-m4j2-pcrr (Security issue with external entity loading in XML without enabling it). (CVE-2023-3823)
Updated the mime-type table for the builtin-server.
Fixed potential overflow for the builtin server via the PHP_CLI_SERVER_WORKERS environment variable.
Fixed GH-8575 by changing STDOUT, STDERR and STDIN to not close on resource destruction.
Implement built-in web server responding without body to HEAD request on a static resource.
Implement built-in web server responding with HTTP status 405 to DELETE/PUT/PATCH request on a static resource.
Fixed bug GH-9709 (Null pointer dereference with -w/-s options).
COM:
Fixed bug GH-8750 (Can not create VT_ERROR variant type).
Core:
Fixed bug #81380 (Observer may not be initialized properly).
Fixed bug GH-7771 (Fix filename/lineno of constant expressions).
Fixed bug GH-7792 (Improve class type in error messages).
Support huge pages on MacOS.
Fixed bug GH-8655 (Casting an object to array does not unwrap refcount=1 references).
Fixed bug GH-8661 (Nullsafe in coalesce triggers undefined variable warning).
Fixed bug GH-7821 and GH-8418 (Allow arbitrary const expressions in backed enums).
Fixed bug GH-8810 (Incorrect lineno in backtrace of multi-line function calls).
Optimised code path for newly created file with the stream plain wrapper.
Uses safe_perealloc instead of perealloc for the ZEND_PTR_STACK_RESIZE_IF_NEEDED to avoid possible overflows.
Reduced the memory footprint of strings returned by var_export(), json_encode(), serialize(), iconv_*(), mb_ereg*(), session_create_id(), http_build_query(), strstr(), Reflection*::__toString().
Fixed bug GHSA-h35g-vwh6-m678 (Leak partial content of the heap through heap buffer over-read). (CVE-2024-8929)
PDO DBLIB:
Fixed bug GHSA-5hqh-c84r-qjcv (Integer overflow in the dblib quoter causing OOB writes). (CVE-2024-11236)
PDO Firebird:
Fixed bug GHSA-5hqh-c84r-qjcv (Integer overflow in the firebird quoter causing OOB writes). (CVE-2024-11236)
Streams:
Fixed bug GHSA-c5f2-jwm7-mmq2 (Configuring a proxy in a stream context might allow for CRLF injection in URIs). (CVE-2024-11234)
Fixed bug GHSA-r977-prxv-hc43 (Single byte overread with convert.quoted-printable-decode filter). (CVE-2024-11233)
Version 8.1.30
CGI:
Fixed bug GHSA-p99j-rfp4-xqvq (Bypass of CVE-2024-4577, Parameter Injection Vulnerability). (CVE-2024-8926)
Fixed bug GHSA-94p6-54jq-9mwp (cgi.force_redirect configuration is bypassable due to the environment variable collision). (CVE-2024-8927)
FPM:
Fixed bug GHSA-865w-9rf3-2wh5 (Logs from children may be altered). (CVE-2024-9026)
SAPI:
Fixed bug GHSA-9pqp-7h25-4f32 (Erroneous parsing of multipart form data). (CVE-2024-8925)
Version 8.1.29
CGI:
Fixed bug GHSA-3qgc-jrrr-25jv (Bypass of CVE-2012-1823, Argument Injection in PHP-CGI). (CVE-2024-4577)
Filter:
Fixed bug GHSA-w8qr-v226-r27w (Filter bypass in filter_var FILTER_VALIDATE_URL). (CVE-2024-5458)
OpenSSL:
The openssl_private_decrypt function in PHP, when using PKCS1 padding (OPENSSL_PKCS1_PADDING, which is the default), is vulnerable to the Marvin Attack unless it is used with an OpenSSL version that includes the changes from this pull request: https://github.com/openssl/openssl/pull/13817 (rsa_pkcs1_implicit_rejection). These changes are part of OpenSSL 3.2 and have also been backported to stable versions of various Linux distributions, as well as to the PHP builds provided for Windows since the previous release. All distributors and builders should ensure that this version is used to prevent PHP from being vulnerable.
Standard:
Fixed bug GHSA-9fcc-425m-g385 (Bypass of CVE-2024-1874). (CVE-2024-5585)
Version 8.1.28
Standard:
Fixed bug GHSA-pc52-254m-w9w7 (Command injection via array-ish $command parameter of proc_open). (CVE-2024-1874)
Fixed bug GHSA-wpj3-hf5j-x4v4 (__Host-/__Secure- cookie bypass due to partial CVE-2022-31629 fix). (CVE-2024-2756)
Fixed bug GHSA-h746-cjrr-wfmr (password_verify can erroneously return true, opening ATO risk). (CVE-2024-3096)
Version 8.1.27
Core:
Fixed oss-fuzz #54325 (Use-after-free of name in var-var with malicious error handler).
Fixed oss-fuzz #64209 (In-place modification of filename in php_message_handler_for_zend).
Fixed bug GH-12758 / GH-12768 (Invalid opline in OOM handlers within ZEND_FUNC_GET_ARGS and ZEND_BIND_STATIC).
Fixed bug GH-11625 (DOMElement::replaceWith() doesn't replace node with DOMDocumentFragment but just deletes node or causes wrapping <></> depending on libxml2 version).
Fileinfo:
Fixed bug GH-11298 (finfo returns wrong mime type for xz files).
FTP:
Fix context option check for "overwrite".
Fixed bug GH-10562 (Memory leak and invalid state with consecutive ftp_nb_fget).
GD:
Fix most of the external libgd test failures.
Hash:
Fix use-of-uninitialized-value in hash_pbkdf2(), fix missing $options parameter in signature.
Intl:
Fix memory leak in MessageFormatter::format() on failure.
Libxml:
Fixed bug GHSA-3qrf-m4j2-pcrr (Security issue with external entity loading in XML without enabling it). (CVE-2023-3823)
Fix wrong comparison in block optimisation pass after opcode update.
Date:
Fixed bug GH-9891 (DateTime modify with unixtimestamp (@) must work like setTimestamp).
Fixed bug GH-10218 (DateTimeZone fails to parse time zones that contain the "+" character).
Fiber:
Fix assertion on stack allocation size.
FPM:
Fixed bug GH-9981 (FPM does not reset fastcgi.error_header).
Fixed bug #67244 (Wrong owner:group for listening unix socket).
Hash:
Handle exceptions from __toString in XXH3's initialization (nielsdos)
LDAP:
Fixed bug GH-10112 (LDAP\Connection::__construct() refers to ldap_create()).
MBString:
Fixed: mb_strlen (and a couple of other mbstring functions) would wrongly treat 0x80, 0xFD, 0xFE, 0xFF, and certain other byte values as the first byte of a 2-byte SJIS character.
Opcache:
Fix inverted bailout value in zend_runtime_jit() (Max Kellermann).
Fix access to uninitialized variable in accel_preload().
Fix zend_jit_find_trace() crashes.
Added missing lock for EXIT_INVALIDATE in zend_jit_trace_exit.
Phar:
Fix wrong flags check for compression method in phar_object.c (nielsdos)
PHPDBG:
Fix undefined behaviour in phpdbg_load_module_or_extension().
Fix NULL pointer dereference in phpdbg_create_conditional_break().
Fix GH-9710: phpdbg memory leaks by option "-h" (nielsdos)
Fix phpdbg segmentation fault in case of malformed input (nielsdos)
Posix:
Fix memory leak in posix_ttyname() (girgias)
Standard:
Fix GH-10187 (Segfault in stripslashes() with arm64).
Fix substr_replace with slots in repl_ht being UNDEF.
TSRM:
Fixed Windows shmget() wrt. IPC_PRIVATE.
XMLWriter:
Fix missing check for xmlTextWriterEndElement (nielsdos)
Version 8.1.14
Core:
Fixed bug GH-9905 (constant() behaves inconsistently when class is undefined).
Fixed bug GH-9918 (License information for xxHash is not included in README.REDIST.BINS file).
Revert "Fixed bug #80892 (PDO::PARAM_INT is treated the same as PDO::PARAM_STR)"
Version 8.0.5
Core:
Fixed bug #75776 (Flushing streams with compression filter is broken).
Fixed bug #80811 (Function exec without $output but with $result_code parameter crashes).
Fixed bug #80814 (threaded mod_php won't load on FreeBSD: No space available for static Thread Local Storage).
Changed PowerPC CPU registers used by Zend VM to work around GCC bug. Old registers (r28/r29) might be clobbered by _restgpr routine used for return from C function compiled with -Os.
Dba:
Fixed bug #80817 (dba_popen() may cause segfault during RSHUTDOWN).
DOM:
Fixed bug #66783 (UAF when appending DOMDocument to element).
FFI:
Fixed bug #80847 (CData structs with fields of type struct can't be passed as C function argument).
FPM:
Fixed bug #80024 (Duplication of info about inherited socket after pool removing).
FTP:
Fixed bug #80880 (SSL_read on shutdown, ftp/proc_open).
IMAP:
Fixed bug #80800 (imap_open() fails when the flags parameter includes CL_EXPUNGE).