PHP Changelog

What's new in PHP 8.1.28

Apr 15, 2024

Standard:
Fixed bug GHSA-pc52-254m-w9w7 (Command injection via array-ish $command parameter of proc_open). (CVE-2024-1874)
Fixed bug GHSA-wpj3-hf5j-x4v4 (__Host-/__Secure- cookie bypass due to partial CVE-2022-31629 fix). (CVE-2024-2756)
Fixed bug GHSA-h746-cjrr-wfmr (password_verify can erroneously return true, opening ATO risk). (CVE-2024-3096)

New in PHP 8.3.6 (Apr 11, 2024)

Core:
Fixed GH-13569 (GC buffer unnecessarily grows up to GC_MAX_BUF_SIZE when scanning WeakMaps).
Fixed bug GH-13612 (Corrupted memory in destructor with weak references).
Fixed bug GH-13446 (Restore exception handler after it finishes).
Fixed bug GH-13784 (AX_GCC_FUNC_ATTRIBUTE failure).
Fixed bug GH-13670 (GC does not scale well with a lot of objects created in destructor).
DOM:
Add some missing ZPP checks.
Fix potential memory leak in XPath evaluation results.
FPM:
Fixed GH-11086 (FPM: config test runs twice in daemonised mode).
Fix incorrect check in fpm_shm_free().
GD:
Fixed bug GH-12019 (add GDLIB_CFLAGS in feature tests).
Gettext:
Fixed sigabrt raised with dcgettext/dcngettext calls with gettext 0.22.5 with category set to LC_ALL.
MySQLnd:
Fix GH-13452 (Fixed handshake response [mysqlnd]).
Fix incorrect charset length in check_mb_eucjpms().
Opcache:
Fixed GH-13508 (JITed QM_ASSIGN may be optimized out when op1 is null).
Fixed GH-13712 (Segmentation fault for enabled observers when calling trait method of internal trait when opcache is loaded).
Random:
Fixed bug GH-13544 (Pre-PHP 8.2 compatibility for mt_srand with unknown modes).
Fixed bug GH-13690 (Global Mt19937 is not properly reset in-between requests when MT_RAND_PHP is used).
Session:
Fixed bug GH-13680 (Segfault with session_decode and compilation error).
SPL:
Fixed bug GH-13685 (Unexpected null pointer in zend_string.h).
Standard:
Fixed bug GH-11808 (Live filesystem modified by tests).
Fixed GH-13402 (Added validation of `n` in $additional_headers of mail()).
Fixed bug GH-13203 (file_put_contents fail on strings over 4GB on Windows).
Fixed bug GHSA-pc52-254m-w9w7 (Command injection via array-ish $command parameter of proc_open). (CVE-2024-1874)
Fixed bug GHSA-wpj3-hf5j-x4v4 (__Host-/__Secure- cookie bypass due to partial CVE-2022-31629 fix). (CVE-2024-2756)
Fixed bug GHSA-h746-cjrr-wfmr (password_verify can erroneously return true, opening ATO risk). (CVE-2024-3096)
Fixed bug GHSA-fjp9-9hwx-59fq (mb_encode_mimeheader runs endlessly for some inputs). (CVE-2024-2757)
Fix bug GH-13932 (Attempt to fix mbstring on windows build) (msvc).

New in PHP 8.2.18 (Apr 11, 2024)

Core:
Fixed bug GH-13612 (Corrupted memory in destructor with weak references).
Fixed bug GH-13784 (AX_GCC_FUNC_ATTRIBUTE failure).
Fixed bug GH-13670 (GC does not scale well with a lot of objects created in destructor).
DOM:
Add some missing ZPP checks.
Fix potential memory leak in XPath evaluation results.
Fix phpdoc for DOMDocument load methods.
FPM:
Fix incorrect check in fpm_shm_free().
GD:
Fixed bug GH-12019 (add GDLIB_CFLAGS in feature tests).
Gettext:
Fixed sigabrt raised with dcgettext/dcngettext calls with gettext 0.22.5 with category set to LC_ALL.
MySQLnd:
Fix GH-13452 (Fixed handshake response [mysqlnd]).
Fix incorrect charset length in check_mb_eucjpms().
Opcache:
Fixed GH-13508 (JITed QM_ASSIGN may be optimized out when op1 is null).
Fixed GH-13712 (Segmentation fault for enabled observers when calling trait method of internal trait when opcache is loaded).
PDO:
Fix various PDORow bugs.
Random:
Fixed bug GH-13544 (Pre-PHP 8.2 compatibility for mt_srand with unknown modes).
Fixed bug GH-13690 (Global Mt19937 is not properly reset in-between requests when MT_RAND_PHP is used).
Session:
Fixed bug GH-13680 (Segfault with session_decode and compilation error).
Sockets:
Fixed bug GH-13604 (socket_getsockname returns random characters in the end of the socket name).
SPL:
Fixed bug GH-13531 (Unable to resize SplfixedArray after being unserialized in PHP 8.2.15).
Fixed bug GH-13685 (Unexpected null pointer in zend_string.h).
Standard:
Fixed bug GH-11808 (Live filesystem modified by tests).
Fixed GH-13402 (Added validation of `n` in $additional_headers of mail()).
Fixed bug GH-13203 (file_put_contents fail on strings over 4GB on Windows).
Fixed bug GHSA-pc52-254m-w9w7 (Command injection via array-ish $command parameter of proc_open). (CVE-2024-1874)
Fixed bug GHSA-wpj3-hf5j-x4v4 (__Host-/__Secure- cookie bypass due to partial CVE-2022-31629 fix). (CVE-2024-2756)
Fixed bug GHSA-h746-cjrr-wfmr (password_verify can erroneously return true, opening ATO risk). (CVE-2024-3096)
XML:
Fixed bug GH-13517 (Multiple test failures when building with --with-expat).

New in PHP 8.3.4 (Mar 15, 2024)

New in PHP 8.2.17 (Mar 14, 2024)

New in PHP 8.2.16 (Feb 16, 2024)

New in PHP 8.3.3 (Feb 15, 2024)

New in PHP 8.3.2 (Jan 18, 2024)

Core:
Fixed bug GH-12953 (false positive SSA integrity verification failed when loading composer classmaps with more than 11k elements).
Fixed bug GH-12999 (zend_strnlen build when strnlen is unsupported).
Fixed bug GH-12966 (missing cross-compiling 3rd argument so Autoconf doesn't emit warnings).
Fixed bug GH-12854 (8.3 - as final trait-used method does not correctly report visibility in Reflection).
Cli:
Fix incorrect timeout in built-in web server when using router script and max_input_time.
DOM:
Fixed bug GH-12870 (Creating an xmlns attribute results in a DOMException).
Fix crash when toggleAttribute() is used without a document.
Fix crash in adoptNode with attribute references.
Fixed bug GH-13012 (DOMNode::isEqualNode() is incorrect when attribute order is different).
FFI:
Fixed bug GH-9698 (stream_wrapper_register crashes with FFICData).
Fixed bug GH-12905 (FFI::new interacts badly with observers).
Intl:
Fixed GH-12943 (IntlDateFormatter::__construct accepts 'C' as valid locale).
Hash:
Fixed bug GH-12936 (hash() function hangs endlessly if using sha512 on strings >= 4GiB).
ODBC:
Fix crash on Apache shutdown with persistent connections.
Opcache:
Fixed oss-fuzz #64727 (JIT undefined array key warning may overwrite DIM with NULL when DIM is the same var as result).
Added workaround for SELinux mprotect execheap issue. See https://bugzilla.kernel.org/show_bug.cgi?id=218258.
OpenSSL:
Fixed bug GH-12987 (openssl_csr_sign might leak new cert on error).
PDO:
Fix GH-12969 (Fixed PDO::getAttribute() to get PDO::ATTR_STRINGIFY_FETCHES).
PDO_ODBC:
Fixed bug GH-12767 (Unable to turn on autocommit mode with setAttribute()).
PGSQL:
Fixed auto_reset_persistent handling and allow_persistent type.
Fixed bug GH-12974 (Apache crashes on shutdown when using pg_pconnect()).
Phar:
Fixed bug #77432 (Segmentation fault on including phar file).
PHPDBG:
Fixed bug GH-12962 (Double free of init_file in phpdbg_prompt.c).
SimpleXML:
Fix getting the address of an uninitialized property of a SimpleXMLElement resulting in a crash.
Fixed bug GH-12929 (SimpleXMLElement with stream_wrapper_register can segfault).
Tidy:
Fixed bug GH-12980 (tidynode.props.attribute is missing "Boolean Attributes" and empty attributes).

New in PHP 8.2.15 (Jan 18, 2024)

New in PHP 8.2.14 (Dec 22, 2023)

Core:
Fixed oss-fuzz #54325 (Use-after-free of name in var-var with malicious error handler).
Fixed oss-fuzz #64209 (In-place modification of filename in php_message_handler_for_zend).
Fixed bug GH-12758 / GH-12768 (Invalid opline in OOM handlers within ZEND_FUNC_GET_ARGS and ZEND_BIND_STATIC).
Fix various missing NULL checks.
Fixed bug GH-12835 (Leak of call->extra_named_params on internal __call).
Date:
Fixed improbably integer overflow while parsing really large (or small) Unix timestamps.
DOM:
Fixed bug GH-12616 (DOM: Removing XMLNS namespace node results in invalid default: prefix).
FPM:
Fixed bug GH-12705 (Segmentation fault in fpm_status_export_to_zval).
FTP:
Fixed bug GH-9348 (FTP & SSL session reuse).
Intl:
Fixed bug GH-12635 (Test bug69398.phpt fails with ICU 74.1).
LibXML:
Fixed bug GH-12702 (libxml2 2.12.0 issue building from src).
Fixed test failures for libxml2 2.12.0.
MySQLnd:
Avoid using uninitialised struct.
Fixed bug GH-12791 (Possible dereference of NULL in MySQLnd debug code).
Opcache:
Fixed JIT bug (Function JIT emits "Uninitialized string offset" warning at the same time as invalid offset Error).
Fixed JIT bug (JIT emits "Attempt to assign property of non-object" warning at the same time as Error is being thrown).
OpenSSL:
Fixed bug #50713 (openssl_pkcs7_verify() may ignore untrusted CAs).
PCRE:
Fixed bug GH-12628 (The gh11374 test fails on Alpinelinux).
PDO PGSQL:
Fixed the default value of $fetchMode in PDO::pgsqlGetNotify() (kocsismate)
PGSQL:
Fixed bug GH-12763 wrong argument type for pg_untrace.
PHPDBG:
Fixed bug GH-12675 (MEMORY_LEAK in phpdbg_prompt.c).
SOAP:
Fixed bug GH-12838 ([SOAP] Temporary WSDL cache files not being deleted).
SPL:
Fixed bug GH-12721 (SplFileInfo::getFilename() segfault in combination with GlobIterator and no directory separator).
SQLite3:
Fixed bug GH-12633 (sqlite3_defensive.phpt fails with sqlite 3.44.0).
Standard:
Fix memory leak in syslog device handling.
Fixed bug GH-12621 (browscap segmentation fault when configured in the vhost).
Fixed bug GH-12655 (proc_open() does not take into account references in the descriptor array).
Streams:
Fixed bug #79945 (Stream wrappers in imagecreatefrompng causes segfault).
Zip:
Fixed bug GH-12661 (Inconsistency in ZipArchive::addGlob remove_path Option Behavior).

New in PHP 8.3.1 (Dec 21, 2023)

New in PHP 8.1.27 (Dec 21, 2023)

New in PHP 8.3.0 (Nov 26, 2023)

Bcmath:
Fixed GH-11761 (removing trailing zeros from numbers) (jorgsowa)
CLI:
Added pdeathsig to builtin server to terminate workers when the master process is killed.
Fixed bug GH-11104 (STDIN/STDOUT/STDERR is not available for CLI without a script).
Implement GH-10024 (support linting multiple files at once using php -l).
Core:
Fix GH-11388 (Allow "final" modifier when importing a method from a trait).
Fixed bug GH-11406 (segfault with unpacking and magic method closure).
Fixed bug GH-9388 (Improve unset property and __get type incompatibility error message).
SA_ONSTACK is now set for signal handlers to be friendlier to other in-process code such as Go's cgo.
SA_ONSTACK is now set when signals are disabled.
Fix GH-9649: Signal handlers now do a no-op instead of crashing when executed on threads not managed by TSRM.
Added shadow stack support for fibers.
Fix bug GH-9965 (Fix accidental caching of default arguments with side effects).
Implement GH-10217 (Use strlen() for determining the class_name length).
Fix bug GH-8821 (Improve line numbers for errors in constant expressions).
Fix bug GH-10083 (Allow comments between & and parameter).
Zend Max Execution Timers is now enabled by default for ZTS builds on Linux.
Fix bug GH-10469 (Disallow .. in open_basedir paths set at runtime).
Fix bug GH-10168, GH-10582 (Various segfaults with destructors and VM return values).
Fix bug GH-10935 (Use of trait doesn't redeclare static property if class has inherited it from its parent).
Fix bug GH-11154 (Negative indices on empty array don't affect next chosen index).
Fix bug GH-8846 (Implement delayed early binding for classes without parents).
Fix bug #79836 (Segfault in concat_function).
Fix bug #81705 (type confusion/UAF on set_error_handler with concat operation).
Fix GH-11348 (Closure created from magic method does not accept named arguments).
Fix GH-11388 (Allow "final" modifier when importing a method from a trait).
Fixed bug GH-11406 (segfault with unpacking and magic method closure).
Fixed bug GH-11507 (String concatenation performance regression in 8.3).
Fixed GH-11488 (Missing "Optional parameter before required" deprecation on union null type).
Implement the #[Override] attribute RFC.
Fixed bug GH-11601 (Incorrect handling of unwind and graceful exit exceptions).
Added zend_call_stack_get implementation for OpenBSD.
Add stack limit check in zend_eval_const_expr().
Expose time spent collecting cycles in gc_status().
Remove WeakMap entries whose key is only reachable through the entry value.
Resolve open_basedir paths on INI update.
Fixed oss-fuzz #60741 (Leak in open_basedir).
Fixed segfault during freeing of some incompletely initialized objects due to OOM error (PDO, SPL, XSL).
Introduced Zend guard recursion protection to fix __debugInfo issue.
Fixed oss-fuzz #61712 (assertion failure with error handler during binary op).
Fixed GH-11847 (DTrace enabled build is broken).
Fixed OSS Fuzz #61865 (Undef variable in ++/-- for declared property that is unset in error handler).
Fixed warning emitted when checking if a user stream is castable.
Fixed bug GH-12123 (Compile error on MacOS with C++ extension when using ZEND_BEGIN_ARG_WITH_RETURN_TYPE_INFO_EX).
Fixed bug GH-12189 (#[Override] attribute in trait does not check for parent class implementations).
Fixed OSS Fuzz #62294 (Unsetting variable after ++/-- on string variable warning).
Fixed buffer underflow when compiling memoized expression.
Fixed oss-fuzz #63802 (OP1 leak in error path of post inc/dec).
Curl:
Added Curl options and constants up to (including) version 7.87.
Date:
Implement More Appropriate Date/Time Exceptions RFC.
DOM:
Fix bug GH-8388 (DOMAttr unescapes character reference).
Fix bug GH-11308 (getElementsByTagName() is O(N^2)).
Fix #79700 (wrong use of libxml oldNs leads to performance problem).
Fix #77894 (DOMNode::C14N() very slow on generated DOMDocuments even after normalisation).
Revert changes to DOMAttr::$value and DOMAttr::$nodeValue expansion.
Fixed bug GH-11500 (Namespace reuse in createElementNS() generates wrong output).
Implemented DOMDocument::adoptNode(). Previously this always threw a "not yet implemented" exception.
Fixed bug GH-9628 (Implicitly removing nodes from DOMDocument breaks existing references).
Added DOMNode::contains() and DOMNameSpaceNode::contains().
Added DOMElement::getAttributeNames().
Added DOMNode::getRootNode().
Added DOMElement::className and DOMElement::id.
Added DOMParentNode::replaceChildren().
Added DOMNode::isConnected and DOMNameSpaceNode::isConnected.
Added DOMNode::parentElement and DOMNameSpaceNode::parentElement.
Added DOMNode::isEqualNode().
Added DOMElement::insertAdjacentElement() and DOMElement::insertAdjacentText().
Added DOMElement::toggleAttribute().
Fixed bug GH-11792 (LIBXML_NOXMLDECL is not implemented or broken).
adoptNode now respects the strict error checking property.
Align DOMChildNode parent checks with spec.
Fixed bug #80927 (Removing documentElement after creating attribute node: possible use-after-free).
Fix various namespace prefix conflict resolution bugs.
Fix calling createAttributeNS() without prefix causing the default namespace of the element to change.
Fixed GH-11952 (Confusing warning when blocking entity loading via libxml_set_external_entity_loader).
Fix broken cache invalidation with deallocated and reallocated document node.
Fix compile error when php_libxml.h header is included in C++.
Fixed bug #47531 (No way of removing redundant xmlns: declarations).
Exif:
Removed unneeded codepaths in exif_process_TIFF_in_JPEG().
FFI:
Implement GH-11934 (Allow to pass CData into struct and/or union fields).
Fileinfo:
Upgrade bundled libmagic to 5.43.
Fix GH-11408 (Unable to build PHP 8.3.0 alpha 1 / fileinfo extension).
FPM:
The status.listen shared pool now uses the same php_values (including expose_php) and php_admin_value as the pool it is shared with.
Added warning to log when fpm socket was not registered on the expected path.
Fixed bug #76067 (system() function call leaks php-fpm listening sockets).
Fixed GH-12077 (PHP 8.3.0RC1 borked socket-close-on-exec.phpt).
GD:
Removed imagerotate "ignore_transparent" argument since it has no effect.
Intl:
Added pattern format error infos for numfmt_set_pattern.
Added MIXED_NUMBERS and HIDDEN_OVERLAY constants for the Spoofchecker's class.
Updated datefmt_set_timezone/IntlDateformatter::setTimezone returns type. (David Carlier).
Updated IntlBreakInterator::setText return type.
Updated IntlChar::enumCharNames return type.
Removed the BC break on IntlDateFormatter::construct which threw an exception with an invalid locale.
JSON:
Added json_validate().
LDAP:
Deprecate calling ldap_connect() with separate hostname and port.
LibXML:
Fix compile error with -Werror=incompatible-function-pointer-types and old libxml2.
MBString:
mb_detect_encoding is better able to identify the correct encoding for Turkish text.
mb_detect_encoding's "non-strict" mode now behaves as described in the documentation. Previously, it would return false if the same byte (for example, the first byte) of the input string was invalid in all candidate encodings. More generally, it would eliminate candidate encodings from consideration when an invalid byte was seen, and if the same input byte eliminated all remaining encodings still under consideration, it would return false. On the other hand, if all candidate encodings but one were eliminated from consideration, it would return the last remaining one without regard for how many encoding errors might be encountered later in the string. This is different from the behavior described in the documentation, which says: "If strict is set to false, the closest matching encoding will be returned." (Alex Dowad)
mb_strtolower, mb_strtotitle, and mb_convert_case implement conditional casing rules for the Greek letter sigma. For mb_convert_case, conditional casing only applies to MB_CASE_LOWER and MB_CASE_TITLE modes, not to MB_CASE_LOWER_SIMPLE and MB_CASE_TITLE_SIMPLE.
mb_detect_encoding is better able to identify UTF-8 and UTF-16 strings with a byte-order mark.
mb_decode_mimeheader interprets underscores in QPrint-encoded MIME encoded words as required by RFC 2047; they are converted to spaces. Underscores must be encoded as "=5F" in such MIME encoded words.
mb_encode_mimeheader no longer drops NUL (zero) bytes when QPrint-encoding the input string. This previously caused strings in certain text encodings, especially UTF-16 and UTF-32, to be corrupted by mb_encode_mimeheader.
Implement mb_str_pad() RFC.
Fixed bug GH-11514 (PHP 8.3 build fails with --enable-mbstring enabled).
Fix use-after-free of mb_list_encodings() return value.
Fixed bug GH-11992 (utf_encodings.phpt fails on Windows 32-bit).
mysqli:
mysqli_fetch_object raises a ValueError instead of an Exception.
Opcache:
Added start, restart and force restart time to opcache's phpinfo section.
Fix GH-9139: Allow FFI in opcache.preload when opcache.preload_user=root.
Made opcache.preload_user always optional in the cli and phpdbg SAPIs.
Allows W/X bits on page creation on FreeBSD despite system settings.
Added memfd api usage, on Linux, for zend_shared_alloc_create_lock() to create an abstract anonymous file for the opcache's lock.
Avoid resetting JIT counter handlers from multiple processes/threads.
Fixed COPY_TMP type inference for references.
OpenSSL:
Added OPENSSL_CMS_OLDMIMETYPE and PKCS7_NOOLDMIMETYPE contants to switch between mime content types.
Fixed GH-11054: Reset OpenSSL errors when using a PEM public key.
Added support for additional EC parameters in openssl_pkey_new.
PCNTL:
SA_ONSTACK is now set for pcntl_signal.
Added SIGINFO constant.
PCRE:
Update bundled libpcre2 to 10.42.
PGSQL:
pg_fetch_object raises a ValueError instead of an Exception.
pg_cancel use thread safe PQcancel api instead.
pg_trace new PGSQL_TRACE_SUPPRESS_TIMESTAMPS/PGSQL_TRACE_REGRESS_MODE contants support.
pg_set_error_verbosity adding PGSQL_ERRORS_STATE constant.
pg_convert/pg_insert E_WARNING on type errors had been converted to ValueError/TypeError exceptions.
Added pg_set_error_context_visibility to set the context's visibility within the error messages.
Phar:
Fix memory leak in phar_rename_archive().
POSIX:
Added posix_sysconf.
Added posix_pathconf.
Added posix_fpathconf.
Fixed zend_parse_arg_long's bool pointer argument assignment.
Added posix_eaccess.
Random:
Added Randomizer::getBytesFromString().
Added Randomizer::nextFloat(), ::getFloat(), and IntervalBoundary.
Enable getrandom() for NetBSD (from 10.x).
Deprecate MT_RAND_PHP.
Fix Randomizer::getFloat() returning incorrect results under certain circumstances.
Reflection:
Fix GH-9470 (ReflectionMethod constructor should not find private parent method).
Fix GH-10259 (ReflectionClass::getStaticProperties doesn't need null return type).
SAPI:
Fixed GH-11141 (Could not open input file: should be sent to stderr).
Session:
Fixed bug GH-11529 (Crash after dealing with an Apache request).
SimpleXML:
Fixed bug GH-12192 (SimpleXML infinite loop when getName() is called within foreach).
Fixed bug GH-12208 (SimpleXML infinite loop when a cast is used inside a foreach).
Fixed bug #55098 (SimpleXML iteration produces infinite loop).
Sockets:
Added SO_ATTACH_REUSEPORT_CBPF socket option, to give tighter control over socket binding for a cpu core.
Added SKF_AD_QUEUE for cbpf filters.
Added socket_atmark if send/recv needs using MSG_OOB.
Added TCP_QUICKACK constant, to give tigher control over ACK delays.
Added DONTFRAGMENT support for path MTU discovery purpose.
Added AF_DIVERT for raw socket for divert ports.
Added SOL_UPDLITE, UDPLITE_RECV_CSCOV and UDPLITE_SEND_CSCOV for updlite protocol support.
Added SO_RERROR, SO_ZEROIZE and SO_SPLICE netbsd and openbsd constants.
Added TCP_REPAIR for quietly close a connection.
Added SO_REUSEPORT_LB freebsd constant.
Added IP_BIND_ADDRESS_NO_PORT.
SPL:
Fixed GH-11573 (RecursiveDirectoryIterator::hasChildren is slow).
Standard:
E_NOTICEs emitted by unserialize() have been promoted to E_WARNING.
unserialize() now emits a new E_WARNING if the input contains unconsumed bytes.
Make array_pad's $length warning less confusing.
E_WARNING emitted by strtok in the caase both arguments are not provided when starting tokenisation.
password_hash() will now chain the original RandomException to the ValueError on salt generation failure.
Fix GH-10239 (proc_close after proc_get_status always returns -1).
Improve the warning message for unpack() in case not enough values were provided.
Fix GH-11010 (parse_ini_string() now preserves formatting of unquoted strings starting with numbers when the INI_SCANNER_TYPED flag is specified).
Fix GH-10742 (http_response_code emits no error when headers were already sent).
Added support for rounding negative places in number_format().
Prevent precision loss on formatting decimal integers in number_format().
Added usage of posix_spawn for proc_open when supported by OS.
Added $before_needle argument to strrchr().
Fixed GH-11982 (str_getcsv returns null byte for unterminated enclosure).
Fixed str_decrement() on "1".
Streams:
Fixed bug #51056: blocking fread() will block even if data is available.
Added storing of the original path used to open xport stream.
Implement GH-8641 (STREAM_NOTIFY_COMPLETED over HTTP never emitted).
Fix bug GH-10406 (fgets on a redis socket connection fails on PHP 8.3).
Implemented GH-11242 (_php_stream_copy_to_mem: Allow specifying a maximum length without allocating a buffer of that size).
Fixed bug #52335 (fseek() on memory stream behavior different than file).
Fixed bug #76857 (Can read "non-existant" files).
XSLTProcessor:
Fixed bug #69168 (DomNode::getNodePath() returns invalid path).
ZIP:
zip extension version 1.22.0 for libzip 1.10.0.
add new error macros (ER_DATA_LENGTH and ER_NOT_ALLOWED).
add new archive global flags (ER_AFL_*).
add ZipArchive::setArchiveFlag and ZipArchive::getArchiveFlag methods.

New in PHP 8.2.13 (Nov 26, 2023)

Core:
Fixed double-free of non-interned enum case name.
Fixed bug GH-12457 (Incorrect result of stripos with single character needle).
Fixed bug GH-12468 (Double-free of doc_comment when overriding static property via trait).
Fixed segfault caused by weak references to FFI objects.
Fixed max_execution_time: don't delete an unitialized timer.
Fixed bug GH-12558 (Arginfo soft-breaks with namespaced class return type if the class name starts with N).
DOM:
Fix registerNodeClass with abstract class crashing.
Add missing NULL pointer error check.
Fix validation logic of php:function() callbacks.
Fiber:
Fixed bug GH-11121 (ReflectionFiber segfault).
FPM:
Fixed bug GH-9921 (Loading ext in FPM config does not register module handlers).
Fixed bug GH-12232 (FPM: segfault dynamically loading extension without opcache).
Fixed bug #76922 (FastCGI terminates conn after FCGI_GET_VALUES).
Intl:
Removed the BC break on IntlDateFormatter::construct which threw an exception with an invalid locale.
Opcache:
Added warning when JIT cannot be enabled.
Fixed bug GH-8143 (Crashes in zend_accel_inheritance_cache_find since upgrading to 8.1.3 due to corrupt on-disk file cache).
OpenSSL:
Fixed bug GH-12489 (Missing sigbio creation checking in openssl_cms_verify).
PCRE:
Fixed bug GH-11374 (Backport upstream fix, Different preg_match result with -d pcre.jit=0).
SOAP:
Fixed bug GH-12392 (Segmentation fault on SoapClient::__getTypes).
Fixed bug #66150 (SOAP WSDL cache race condition causes Segmentation Fault).
Fixed bug #67617 (SOAP leaves incomplete cache file on ENOSPC).
Fix incorrect uri check in SOAP caching.
Fix segfault and assertion failure with refcounted props and arrays.
Fix potential crash with an edge case of persistent encoders.
Fixed bug #75306 (Memleak in SoapClient).
Streams:
Fixed bug #75708 (getimagesize with "&$imageinfo" fails on StreamWrappers).
XMLReader:
Add missing NULL pointer error check.
XMLWriter:
Add missing NULL pointer error check.
XSL:
Add missing module dependency.
Fix validation logic of php:function() callbacks.

New in PHP 8.1.26 (Nov 26, 2023)

New in PHP 8.1.25 (Oct 27, 2023)

New in PHP 8.2.12 (Oct 26, 2023)

New in PHP 8.2.11 (Sep 29, 2023)

New in PHP 8.1.24 (Sep 29, 2023)

New in PHP 8.1.23 (Sep 3, 2023)

New in PHP 8.2.10 (Aug 31, 2023)

CLI:
Fixed bug GH-11716 (cli server crashes on SIGINT when compiled with ZEND_RC_DEBUG=1).
Fixed bug GH-10964 (Improve man page about the built-in server).
Date:
Fixed bug GH-11416 (Crash with DatePeriod when uninitialised objects are passed in).
Core:
Fixed strerror_r detection at configuration time.
Fixed trait typed properties using a DNF type not being correctly bound.
Fixed trait property types not being arena allocated if copied from an internal trait.
Fixed deep copy of property DNF type during lazy class load.
Fixed memory freeing of DNF types for non arena allocated types.
DOM:
Fix DOMEntity field getter bugs.
Fix incorrect attribute existence check in DOMElement::setAttributeNodeNS.
Fix DOMCharacterData::replaceWith() with itself.
Fix empty argument cases for DOMParentNode methods.
Fixed bug GH-11791 (Wrong default value of DOMDocument::xmlStandalone).
Fix json_encode result on DOMDocument.
Fix manually calling __construct() on DOM classes.
Fixed bug GH-11830 (ParentNode methods should perform their checks upfront).
Fix viable next sibling search for replaceWith.
Fix segfault when DOMParentNode::prepend() is called when the child disappears.
FFI:
Fix leaking definitions when using FFI::cdef()->new(...).
Hash:
Fix use-of-uninitialized-value in hash_pbkdf2(), fix missing $options parameter in signature.
MySQLnd:
Fixed bug GH-11440 (authentication to a sha256_password account fails over SSL).
Fixed bug GH-11438 (mysqlnd fails to authenticate with sha256_password accounts using passwords longer than 19 characters).
Fixed bug GH-11550 (MySQL Statement has a empty query result when the response field has changed, also Segmentation fault).
Fixed invalid error message "Malformed packet" when connection is dropped.
Opcache:
Fixed bug GH-11715 (opcache.interned_strings_buffer either has no effect or opcache_get_status() / phpinfo() is wrong).
Avoid adding an unnecessary read-lock when loading script from shm if restart is in progress.
PCNTL:
Revert behaviour of receiving SIGCHLD signals back to the behaviour before 8.1.22.
SPL:
Fixed bug #81992 (SplFixedArray::setSize() causes use-after-free).
Standard:
Prevent int overflow on $decimals in number_format.
Fixed bug GH-11870 (Fix off-by-one bug when truncating tempnam prefix) (athos-ribeiro)

New in PHP 8.2.9 (Aug 17, 2023)

Build:
Fixed bug GH-11522 (PHP version check fails with '-' separator).
CLI:
Fix interrupted CLI output causing the process to exit.
Core:
Fixed oss-fuzz #60011 (Mis-compilation of by-reference nullsafe operator).
Fixed line number of JMP instruction over else block.
Fixed use-of-uninitialized-value with ??= on assert.
Fixed oss-fuzz #60411 (Fix double-compilation of arrow-functions).
Fixed build for FreeBSD before the 11.0 releases.
Curl:
Fix crash when an invalid callback function is passed to CURLMOPT_PUSHFUNCTION.
Date:
Fixed bug GH-11368 (Date modify returns invalid datetime).
Fixed bug GH-11600 (Can't parse time strings which include (narrow) non-breaking space characters).
Fixed bug GH-11854 (DateTime:createFromFormat stopped parsing datetime with extra space).
DOM:
Fixed bug GH-11625 (DOMElement::replaceWith() doesn't replace node with DOMDocumentFragment but just deletes node or causes wrapping depending on libxml2 version).
Fileinfo:
Fixed bug GH-11298 (finfo returns wrong mime type for xz files).
FTP:
Fix context option check for "overwrite".
Fixed bug GH-10562 (Memory leak and invalid state with consecutive ftp_nb_fget).
GD:
Fix most of the external libgd test failures.
Intl:
Fix memory leak in MessageFormatter::format() on failure.
Libxml:
Fixed bug GHSA-3qrf-m4j2-pcrr (Security issue with external entity loading in XML without enabling it). (CVE-2023-3823)
MBString:
Fix GH-11300 (license issue: restricted unicode license headers).
Opcache:
Fixed bug GH-10914 (OPCache with Enum and Callback functions results in segmentation fault).
Prevent potential deadlock if accelerated globals cannot be allocated.
PCNTL:
Fixed bug GH-11498 (SIGCHLD is not always returned from proc_open).
PDO:
Fix GH-11587 (After php8.1, when PDO::ATTR_EMULATE_PREPARES is true and PDO::ATTR_STRINGIFY_FETCHES is true, decimal zeros are no longer filled).
PDO SQLite:
Fix GH-11492 (Make test failure: ext/pdo_sqlite/tests/bug_42589.phpt).
Phar:
Add missing check on EVP_VerifyUpdate() in phar util.
Fixed bug GHSA-jqcx-ccgc-xwhv (Buffer mismanagement in phar_dir_read()). (CVE-2023-3824)
PHPDBG:
Fixed bug GH-9669 (phpdbg -h options doesn't list the -z option).
Session:
Removed broken url support for transferring session ID.
Standard:
Fix serialization of RC1 objects appearing in object graph twice.
Streams:
Fixed bug GH-11735 (Use-after-free when unregistering user stream wrapper from itself).
SQLite3:
Fix replaced error handling in SQLite3Stmt::__construct.
XMLReader:
Fix GH-11548 (Argument corruption when calling XMLReader::open or XMLReader::XML non-statically with observer active).

New in PHP 8.0.30 (Aug 6, 2023)

New in PHP 8.1.22 (Aug 3, 2023)

Build:
Fixed bug GH-11522 (PHP version check fails with '-' separator).
CLI:
Fix interrupted CLI output causing the process to exit.
Core:
Fixed oss-fuzz #60011 (Mis-compilation of by-reference nullsafe operator).
Fixed use-of-uninitialized-value with ??= on assert.
Fixed build for FreeBSD before the 11.0 releases.
Curl:
Fix crash when an invalid callback function is passed to CURLMOPT_PUSHFUNCTION.
Date:
Fixed bug GH-11368 (Date modify returns invalid datetime).
DOM:
Fixed bug GH-11625 (DOMElement::replaceWith() doesn't replace node with DOMDocumentFragment but just deletes node or causes wrapping depending on libxml2 version).
Fileinfo:
Fixed bug GH-11298 (finfo returns wrong mime type for xz files).
FTP:
Fix context option check for "overwrite".
Fixed bug GH-10562 (Memory leak and invalid state with consecutive ftp_nb_fget).
GD:
Fix most of the external libgd test failures.
Hash:
Fix use-of-uninitialized-value in hash_pbkdf2(), fix missing $options parameter in signature.
Intl:
Fix memory leak in MessageFormatter::format() on failure.
Libxml:
Fixed bug GHSA-3qrf-m4j2-pcrr (Security issue with external entity loading in XML without enabling it). (CVE-2023-3823)
MBString:
Fix GH-11300 (license issue: restricted unicode license headers).
Opcache:
Fixed bug GH-10914 (OPCache with Enum and Callback functions results in segmentation fault).
Prevent potential deadlock if accelerated globals cannot be allocated.
PCNTL:
Fixed bug GH-11498 (SIGCHLD is not always returned from proc_open).
PCRE:
Mangle PCRE regex cache key with JIT option.
PDO:
Fix GH-11587 (After php8.1, when PDO::ATTR_EMULATE_PREPARES is true and PDO::ATTR_STRINGIFY_FETCHES is true, decimal zeros are no longer filled).
PDO SQLite:
Fix GH-11492 (Make test failure: ext/pdo_sqlite/tests/bug_42589.phpt).
Phar:
Add missing check on EVP_VerifyUpdate() in phar util.
Fixed bug GHSA-jqcx-ccgc-xwhv (Buffer mismanagement in phar_dir_read()). (CVE-2023-3824)
PHPDBG:
Fixed bug GH-9669 (phpdbg -h options doesn't list the -z option).
Session:
Removed broken url support for transferring session ID.
Standard:
Fix serialization of RC1 objects appearing in object graph twice.
SQLite3:
Fix replaced error handling in SQLite3Stmt::__construct.

New in PHP 8.1.21 (Jul 7, 2023)

CLI:
Fixed bug GH-11246 (cli/get_set_process_title fails on MacOS).
Core:
Fixed build for the riscv64 architecture/GCC 12.
Curl:
Fixed bug GH-11433 (Unable to set CURLOPT_ACCEPT_ENCODING to NULL).
DOM:
Fixed bugs GH-11288 and GH-11289 and GH-11290 and GH-9142 (DOMExceptions and segfaults with replaceWith).
Fixed bug GH-10234 (Setting DOMAttr::textContent results in an empty attribute value).
Fix return value in stub file for DOMNodeList::item.
Fix spec compliance error with '*' namespace for DOMDocument::getElementsByTagNameNS.
Fix DOMElement::append() and DOMElement::prepend() hierarchy checks.
Fixed bug GH-11347 (Memory leak when calling a static method inside an xpath query).
Fixed bug #67440 (append_node of a DOMDocumentFragment does not reconcile namespaces).
Fixed bug #81642 (DOMChildNode::replaceWith() bug when replacing a node with itself).
Fixed bug #77686 (Removed elements are still returned by getElementById).
Fixed bug #70359 (print_r() on DOMAttr causes Segfault in php_libxml_node_free_list()).
Fixed bug #78577 (Crash in DOMNameSpace debug info handlers).
Fix lifetime issue with getAttributeNodeNS().
Fix "invalid state error" with cloned namespace declarations.
Fixed bug #55294 and #47530 and #47847 (various namespace reconciliation issues).
Fixed bug #80332 (Completely broken array access functionality with DOMNamedNodeMap).
Opcache:
Fix allocation loop in zend_shared_alloc_startup().
Access violation on smm_shared_globals with ALLOC_FALLBACK.
Fixed bug GH-11336 (php still tries to unlock the shared memory ZendSem with opcache.file_cache_only=1 but it was never locked).
OpenSSL:
Fixed bug GH-9356 Incomplete validation of IPv6 Address fields in subjectAltNames (James Lucas, Jakub Zelenka).
PGSQL:
Fixed intermittent segfault with pg_trace.
Phar:
Fix cross-compilation check in phar generation for FreeBSD.
SPL:
Fixed bug GH-11338 (SplFileInfo empty getBasename with more than one slash).
Standard:
Fix access on NULL pointer in array_merge_recursive().
Fix exception handling in array_multisort().

New in PHP 8.2.8 (Jul 6, 2023)

CLI:
Fixed bug GH-11246 (cli/get_set_process_title fails on MacOS).
Core:
Fixed build for the riscv64 architecture/GCC 12.
Curl:
Fixed bug GH-11433 (Unable to set CURLOPT_ACCEPT_ENCODING to NULL).
Date:
Fixed bug GH-11455 (Segmentation fault with custom object date properties).
DOM:
Fixed bugs GH-11288 and GH-11289 and GH-11290 and GH-9142 (DOMExceptions and segfaults with replaceWith).
Fixed bug GH-10234 (Setting DOMAttr::textContent results in an empty attribute value).
Fix return value in stub file for DOMNodeList::item.
Fix spec compliance error with '*' namespace for DOMDocument::getElementsByTagNameNS.
Fix DOMElement::append() and DOMElement::prepend() hierarchy checks.
Fixed bug GH-11347 (Memory leak when calling a static method inside an xpath query).
Fixed bug #67440 (append_node of a DOMDocumentFragment does not reconcile namespaces).
Fixed bug #81642 (DOMChildNode::replaceWith() bug when replacing a node with itself).
Fixed bug #77686 (Removed elements are still returned by getElementById).
Fixed bug #70359 (print_r() on DOMAttr causes Segfault in php_libxml_node_free_list()).
Fixed bug #78577 (Crash in DOMNameSpace debug info handlers).
Fix lifetime issue with getAttributeNodeNS().
Fix "invalid state error" with cloned namespace declarations.
Fixed bug #55294 and #47530 and #47847 (various namespace reconciliation issues).
Fixed bug #80332 (Completely broken array access functionality with DOMNamedNodeMap).
Opcache:
Fix allocation loop in zend_shared_alloc_startup().
Access violation on smm_shared_globals with ALLOC_FALLBACK.
Fixed bug GH-11336 (php still tries to unlock the shared memory ZendSem with opcache.file_cache_only=1 but it was never locked).
OpenSSL:
Fixed bug GH-9356 Incomplete validation of IPv6 Address fields in subjectAltNames (James Lucas, Jakub Zelenka).
PCRE:
Fix preg_replace_callback_array() pattern validation.
PGSQL:
Fixed intermittent segfault with pg_trace.
Phar:
Fix cross-compilation check in phar generation for FreeBSD.
SPL:
Fixed bug GH-11338 (SplFileInfo empty getBasename with more than one slash).
Standard:
Fix access on NULL pointer in array_merge_recursive().
Fix exception handling in array_multisort().
SQLite3:
Fixed bug GH-11451 (Invalid associative array containing duplicate keys).

New in PHP 8.2.7 (Jun 9, 2023)

Core:
Fixed bug GH-11152 (Unable to alias namespaces containing reserved class names).
Fixed bug GH-9068 (Conditional jump or move depends on uninitialised value(s)).
Fixed bug GH-11189 (Exceeding memory limit in zend_hash_do_resize leaves the array in an invalid state).
Fixed bug GH-11063 (Compilation error on old GCC versions).
Fixed bug GH-11222 (foreach by-ref may jump over keys during a rehash).
Date:
Fixed bug GH-11281 (DateTimeZone::getName() does not include seconds in offset).
Exif:
Fixed bug GH-10834 (exif_read_data() cannot read smaller stream wrapper chunk sizes).
FPM:
Fixed bug GH-10461 (PHP-FPM segfault due to after free usage of child->ev_std(out|err)).
Fixed bug #64539 (FPM status page: query_string not properly JSON encoded).
Fixed memory leak for invalid primary script file handle.
Hash:
Fixed bug GH-11180 (hash_file() appears to be restricted to 3 arguments).
LibXML:
Fixed bug GH-11160 (Few tests failed building with new libxml 2.11.0).
MBString:
Fix bug GH-11217 (Segfault in mb_strrpos / mb_strripos when using negative offset and ASCII encoding).
Opcache:
Fixed bug GH-11134 (Incorrect match default branch optimization).
Fixed too wide OR and AND range inference.
Fixed missing class redeclaration error with OPcache enabled.
Fixed bug GH-11245 (In some specific cases SWITCH with one default statement will cause segfault).
PCNTL:
Fixed maximum argument count of pcntl_forkx().
PGSQL:
Fixed parameter parsing of pg_lo_export().
Phar:
Fixed bug GH-11099 (Generating phar.php during cross-compile can't be done).
Soap:
Fixed bug GHSA-76gg-c692-v2mw (Missing error check and insufficient random bytes in HTTP Digest authentication for SOAP).
Fixed bug GH-8426 (make test fail while soap extension build).
SPL:
Fixed bug GH-11178 (Segmentation fault in spl_array_it_get_current_data (PHP 8.1.18)).
Standard:
Fixed bug GH-11138 (move_uploaded_file() emits open_basedir warning for source file).
Fixed bug GH-11274 (POST/PATCH request switches to GET after a HTTP 308 redirect).
Streams:
Fixed bug GH-10031 ([Stream] STREAM_NOTIFY_PROGRESS over HTTP emitted irregularly for last chunk of data).
Fixed bug GH-11175 (Stream Socket Timeout).
Fixed bug GH-11177 (ASAN UndefinedBehaviorSanitizer when timeout = -1 passed to stream_socket_accept/stream_socket_client).

New in PHP 8.1.20 (Jun 9, 2023)

New in PHP 8.0.29 (Jun 8, 2023)

New in PHP 8.1.19 (May 12, 2023)

New in PHP 8.2.6 (May 11, 2023)

New in PHP 8.2.5 (Apr 18, 2023)

Core:
Added optional support for max_execution_time in ZTS/Linux builds (Kévin Dunglas)
Fixed use-after-free in recursive AST evaluation.
Fixed bug GH-8646 (Memory leak PHP FPM 8.1).
Re-add some CTE functions that were removed from being CTE by a mistake.
Remove CTE flag from array_diff_ukey(), which was added by mistake.
Fixed bug GH-10801 (Named arguments in CTE functions cause a segfault).
Fixed bug GH-8789 (PHP 8.0.20 (ZTS) zend_signal_handler_defer crashes on apache).
Fixed bug GH-10015 (zend_signal_handler_defer crashes on apache shutdown).
Fixed bug GH-10810 (Fix NUL byte terminating Exception::__toString()).
Fix potential memory corruption when mixing __callStatic() and FFI.
Date:
Fixed bug GH-10747 (Private and protected properties in serialized Date* objects throw).
FPM:
Fixed bug GH-10611 (fpm_env_init_main leaks environ).
Destroy file_handle in fpm_main.
Fixed bug #74129 (Incorrect SCRIPT_NAME with apache ProxyPassMatch when spaces are in path).
FTP:
Propagate success status of ftp_close().
Fixed bug GH-10521 (ftp_get/ftp_nb_get resumepos offset is maximum 10GB).
IMAP:
Fix build failure with Clang 16.
MySQLnd:
Fixed bug GH-8979 (Possible Memory Leak with SSL-enabled MySQL connections).
Opcache:
Fixed build for macOS to cater with pkg-config settings.
Fixed bug GH-8065 (opcache.consistency_checks > 0 causes segfaults in PHP >= 8.1.5 in fpm context).
OpenSSL:
Add missing error checks on file writing functions.
PDO Firebird:
Fixed bug GH-10908 (Bus error with PDO Firebird on RPI with 64 bit kernel and 32 bit userland).
Phar:
Fixed bug GH-10766 (PharData archive created with Phar::Zip format does not keep files metadata (datetime)).
Add missing error checks on EVP_MD_CTX_create() and EVP_VerifyInit().
PDO ODBC:
Fixed missing and inconsistent error checks on SQLAllocHandle.
PGSQL:
Fixed typo in the array returned from pg_meta_data (extended mode).
SPL:
Fixed bug GH-10519 (Array Data Address Reference Issue).
Fixed bug GH-10907 (Unable to serialize processed SplFixedArrays in PHP 8.2.4).
Fixed bug GH-10844 (ArrayIterator allows modification of readonly props).
Standard:
Fixed bug GH-10885 (stream_socket_server context leaks).
Fixed bug GH-10052 (Browscap crashes PHP 8.1.12 on request shutdown (apache2)).
Fixed oss-fuzz #57392 (Buffer-overflow in php_fgetcsv() with delimiter and enclosure).
Fixed undefined behaviour in unpack().

New in PHP 8.1.18 (Apr 18, 2023)

Core:
Added optional support for max_execution_time in ZTS/Linux builds.
Fixed use-after-free in recursive AST evaluation.
Fixed bug GH-8646 (Memory leak PHP FPM 8.1).
Fixed bug GH-10801 (Named arguments in CTE functions cause a segfault).
Fixed bug GH-8789 (PHP 8.0.20 (ZTS) zend_signal_handler_defer crashes on apache).
Fixed bug GH-10015 (zend_signal_handler_defer crashes on apache shutdown).
Fixed bug GH-10810 (Fix NUL byte terminating Exception::__toString()).
Fix potential memory corruption when mixing __callStatic() and FFI.
Date:
Fixed bug GH-10583 (DateTime modify with tz pattern should not update linked timezone).
FPM:
Fixed bug GH-10611 (fpm_env_init_main leaks environ).
Destroy file_handle in fpm_main.
Fixed bug #74129 (Incorrect SCRIPT_NAME with apache ProxyPassMatch when spaces are in path).
FTP:
Propagate success status of ftp_close().
Fixed bug GH-10521 (ftp_get/ftp_nb_get resumepos offset is maximum 10GB).
IMAP:
Fix build failure with Clang 16.
MySQLnd:
Fixed bug GH-8979 (Possible Memory Leak with SSL-enabled MySQL connections).
Opcache:
Fixed build for macOS to cater with pkg-config settings.
Fixed bug GH-8065 (opcache.consistency_checks > 0 causes segfaults in PHP >= 8.1.5 in fpm context).
OpenSSL:
Add missing error checks on file writing functions.
PDO Firebird:
Fixed bug GH-10908 (Bus error with PDO Firebird on RPI with 64 bit kernel and 32 bit userland).
PDO ODBC:
Fixed missing and inconsistent error checks on SQLAllocHandle.
Phar:
Fixed bug GH-10766 (PharData archive created with Phar::Zip format does not keep files metadata (datetime)).
Add missing error checks on EVP_MD_CTX_create() and EVP_VerifyInit().
PGSQL:
Fixed typo in the array returned from pg_meta_data (extended mode).
SPL:
Fixed bug GH-10519 (Array Data Address Reference Issue).
Fixed bug GH-10844 (ArrayIterator allows modification of readonly props).
Standard:
Fixed bug GH-10885 (stream_socket_server context leaks).
Fixed bug GH-10052 (Browscap crashes PHP 8.1.12 on request shutdown (apache2)).
Fixed oss-fuzz #57392 (Buffer-overflow in php_fgetcsv() with delimiter and enclosure).
Fixed undefined behaviour in unpack().

New in PHP 8.2.4 (Mar 16, 2023)

Core:
Fixed incorrect check condition in ZEND_YIELD.
Fixed incorrect check condition in type inference.
Fix incorrect check in zend_internal_call_should_throw().
Fixed overflow check in OnUpdateMemoryConsumption.
Fixed bug GH-9916 (Entering shutdown sequence with a fiber suspended in a Generator emits an unavoidable fatal error or crashes).
Fixed bug GH-10437 (Segfault/assertion when using fibers in shutdown function after bailout).
Fixed SSA object type update for compound assignment opcodes.
Fixed language scanner generation build.
Fixed zend_update_static_property() calling zend_update_static_property_ex() misleadingly with the wrong return type.
Fix bug GH-10570 (Fixed unknown string hash on property fetch with integer constant name).
Fixed php_fopen_primary_script() call resulted on zend_destroy_file_handle() freeing dangling pointers on the handle as it was uninitialized.
Curl:
Fixed deprecation warning at compile time.
Fixed bug GH-10270 (Unable to return CURL_READFUNC_PAUSE in readfunc callback).
Date:
Fix GH-10447 ('p' format specifier does not yield 'Z' for 00:00).
Fix GH-10152 (Custom properties of Date's child classes are not serialised).
Fixed bug GH-10747 (Private and protected properties in serialized Date* objects throw).
FFI:
Fixed incorrect bitshifting and masking in ffi bitfield.
Fiber:
Fixed assembly on alpine x86.
Fixed bug GH-10496 (segfault when garbage collector is invoked inside of fiber).
FPM:
Fixed bug GH-10315 (FPM unknown child alert not valid).
Fixed bug GH-10385 (FPM successful config test early exit).
GMP:
Properly implement GMP::__construct().
Intl:
Fixed bug GH-10647 (Spoolchecker isSuspicious/areConfusable methods error code's argument always returning NULL0.
JSON:
Fixed JSON scanner and parser generation build.
MBString:
ext/mbstring: fix new_value length check.
Fix bug GH-10627 (mb_convert_encoding crashes PHP on Windows).
Opcache:
Fix incorrect page_size check.
OpenSSL:
Fixed php_openssl_set_server_dh_param() DH params errors handling.
PDO OCI:
Fixed bug #60994 (Reading a multibyte CLOB caps at 8192 chars).
PHPDBG:
Fixed bug GH-10715 (heap buffer overflow on --run option misuse).
PGSQL:
Fix GH-10672 (pg_lo_open segfaults in the strict_types mode).
Phar:
Fix incorrect check in phar tar parsing.
Random:
Fix GH-10390 (Do not trust arc4random_buf() on glibc).
Fix GH-10292 (Made the default value of the first param of srand() and mt_srand() unknown).
Reflection:
Fixed bug GH-10623 (Reflection::getClosureUsedVariables opcode fix with variadic arguments).
Fix Segfault when using ReflectionFiber suspended by an internal function.
Session:
Fixed ps_files_cleanup_dir() on failure code paths with -1 instead of 0 as the latter was considered success by callers. (nielsdos).
Standard:
Fixed bug GH-8086 (Introduce mail.mixed_lf_and_crlf INI).
Fixed bug GH-10292 (Made the default value of the first param of srand() and mt_srand() unknown).
Fix incorrect check in cs_8559_5 in map_from_unicode().
Fix bug GH-9697 for reset/end/next/prev() attempting to move pointer of properties table for certain internal classes such as FFI classes
Fix incorrect error check in browsecap for pcre2_match().
Streams:
Fixed bug GH-10370 (File corruption in _php_stream_copy_to_stream_ex when using copy_file_range).
Fixed bug GH-10548 (copy() fails on cifs mounts because of incorrect copy_file_range() len).
Tidy:
Fix memory leaks when attempting to open a non-existing file or a file over 4GB.
Add missing error check on tidyLoadConfig.
Zlib:
Fixed output_handler directive value's length which counted the string terminator.

New in PHP 8.1.17 (Mar 16, 2023)

Core:
Fixed incorrect check condition in ZEND_YIELD.
Fixed incorrect check condition in type inference.
Fixed overflow check in OnUpdateMemoryConsumption.
Fixed bug GH-9916 (Entering shutdown sequence with a fiber suspended in a Generator emits an unavoidable fatal error or crashes).
Fixed bug GH-10437 (Segfault/assertion when using fibers in shutdown function after bailout).
Fixed SSA object type update for compound assignment opcodes.
Fixed language scanner generation build.
Fixed zend_update_static_property() calling zend_update_static_property_ex() misleadingly with the wrong return type.
Fix bug GH-10570 (Fixed unknown string hash on property fetch with integer constant name).
Fixed php_fopen_primary_script() call resulted on zend_destroy_file_handle() freeing dangling pointers on the handle as it was uninitialized.
Curl:
Fixed deprecation warning at compile time.
Fixed bug GH-10270 (Unable to return CURL_READFUNC_PAUSE in readfunc callback).
Date:
Fix GH-10447 ('p' format specifier does not yield 'Z' for 00:00).
FFI:
Fixed incorrect bitshifting and masking in ffi bitfield.
Fiber:
Fixed assembly on alpine x86.
Fixed bug GH-10496 (segfault when garbage collector is invoked inside of fiber).
FPM:
Fixed bug GH-10315 (FPM unknown child alert not valid).
Fixed bug GH-10385 (FPM successful config test early exit).
Intl:
Fixed bug GH-10647 (Spoolchecker isSuspicious/areConfusable methods error code's argument always returning NULL0.
JSON:
Fixed JSON scanner and parser generation build.
MBString:
ext/mbstring: fix new_value length check.
Fix bug GH-10627 (mb_convert_encoding crashes PHP on Windows).
Opcache:
Fix incorrect page_size check.
OpenSSL:
Fixed php_openssl_set_server_dh_param() DH params errors handling.
PDO OCI:
Fixed bug #60994 (Reading a multibyte CLOB caps at 8192 chars).
PHPDBG:
Fixed bug GH-10715 (heap buffer overflow on --run option misuse).
PGSQL:
Fix GH-10672 (pg_lo_open segfaults in the strict_types mode).
Phar:
Fix incorrect check in phar tar parsing.
Reflection:
Fixed bug GH-10623 (Reflection::getClosureUsedVariables opcode fix with variadic arguments).
Fix Segfault when using ReflectionFiber suspended by an internal function.
Session:
Fixed ps_files_cleanup_dir() on failure code paths with -1 instead of 0 as the latter was considered success by callers. (nielsdos).
Standard:
Fixed bug GH-10292 (Made the default value of the first param of srand() and mt_srand() unknown).
Fix incorrect check in cs_8559_5 in map_from_unicode().
Fix bug GH-9697 for reset/end/next/prev() attempting to move pointer of properties table for certain internal classes such as FFI classes
Fix incorrect error check in browsecap for pcre2_match().
Tidy:
Fix memory leaks when attempting to open a non-existing file or a file over 4GB.
Add missing error check on tidyLoadConfig.
Zlib:
Fixed output_handler directive value's length which counted the string terminator.

New in PHP 8.2.3 (Feb 15, 2023)

New in PHP 8.1.16 (Feb 15, 2023)

New in PHP 8.0.28 (Feb 14, 2023)

New in PHP 8.1.15 (Feb 3, 2023)

New in PHP 8.2.2 (Feb 2, 2023)

New in PHP 8.2.1 (Jan 6, 2023)

New in PHP 8.1.14 (Jan 6, 2023)

New in PHP 8.0.27 (Jan 6, 2023)

New in PHP 8.2.0 (Dec 8, 2022)

CLI:
Fixed bug #81496 (Server logs incorrect request method).
Updated the mime-type table for the builtin-server.
Fixed potential overflow for the builtin server via the PHP_CLI_SERVER_WORKERS environment variable.
Fixed GH-8575 by changing STDOUT, STDERR and STDIN to not close on resource destruction.
Implement built-in web server responding without body to HEAD request on a static resource.
Implement built-in web server responding with HTTP status 405 to DELETE/PUT/PATCH request on a static resource.
Fixed bug GH-9709 (Null pointer dereference with -w/-s options).
COM:
Fixed bug GH-8750 (Can not create VT_ERROR variant type).
Core:
Fixed bug #81380 (Observer may not be initialized properly).
Fixed bug GH-7771 (Fix filename/lineno of constant expressions).
Fixed bug GH-7792 (Improve class type in error messages).
Support huge pages on MacOS.
Fixed bug GH-8655 (Casting an object to array does not unwrap refcount=1 references).
Fixed bug GH-8661 (Nullsafe in coalesce triggers undefined variable warning).
Fixed bug GH-7821 and GH-8418 (Allow arbitrary const expressions in backed enums).
Fixed bug GH-8810 (Incorrect lineno in backtrace of multi-line function calls).
Optimised code path for newly created file with the stream plain wrapper.
Uses safe_perealloc instead of perealloc for the ZEND_PTR_STACK_RESIZE_IF_NEEDED to avoid possible overflows.
Reduced the memory footprint of strings returned by var_export(), json_encode(), serialize(), iconv_*(), mb_ereg*(), session_create_id(), http_build_query(), strstr(), Reflection*::__toString().
Fixed bug GH-8995 (WeakMap object reference offset causing TypeError).
Added error_log_mode ini setting.
Updated request startup messages.
Fixed bug GH-7900 (Arrow function with never return type compile-time errors).
Fixed incorrect double to long casting in latest clang.
Added support for defining constants in traits.
Stop incorrectly emitting false positive deprecation notice alongside unsupported syntax fatal error for `"{$g{'h'}}"`.
Fix unexpected deprecated dynamic property warning, which occurred when exit() in finally block after an exception was thrown without catching.
Fixed bug GH-9323 (Crash in ZEND_RETURN/GC/zend_call_function) (Tim Starling)
Fixed bug GH-9227 (Trailing dots and spaces in filenames are ignored).
Fixed bug GH-9285 (Traits cannot be used in readonly classes).
Fixed bug GH-9186 (@strict-properties can be bypassed using unserialization).
Fixed bug GH-9500 (Using dnf type with parentheses after readonly keyword results in a parse error).
Fixed bug GH-9516 ((A&B)|D as a param should allow AB or D. Not just A).
Fixed observer class notify with Opcache file_cache_only=1.
Fixes segfault with Fiber on FreeBSD i386 architecture.
Fixed bug GH-9655 (Pure intersection types cannot be implicitly nullable) (Girgias)
Fixed bug GH-9589 (dl() segfaults when module is already loaded).
Fixed bug GH-9752 (Generator crashes when interrupted during argument evaluation with extra named params).
Fixed bug GH-9801 (Generator crashes when memory limit is exceeded during initialization).
Fixed a bug with preloaded enums possibly segfaulting.
Fixed bug GH-9823 (Don’t reset func in zend_closure_internal_handler).
Fixed potential NULL pointer dereference Windows shm*() functions.
Fix target validation for internal attributes with constructor property promotion.
Fixed bug GH-9750 (Generator memory leak when interrupted during argument evaluation.
Move observer_declared_function_notify until after pass_two().
Do not report MINIT stage internal class aliases in extensions.
Curl:
Added support for CURLOPT_XFERINFOFUNCTION.
Added support for CURLOPT_MAXFILESIZE_LARGE.
Added new constants from cURL 7.62 to 7.80.
New function curl_upkeep().
Date:
Fixed GH-8458 (DateInterval::createFromDateString does not throw if non-relative items are present).
Fixed bug #52015 (Allow including end date in DatePeriod iterations) (Daniel Egeberg, Derick)
idate() now accepts format specifiers "N" (ISO Day-of-Week) and "o" (ISO Year).
Fixed bug GH-8730 (DateTime::diff miscalculation is same time zone of different type).
Fixed bug GH-8964 (DateTime object comparison after applying delta less than 1 second).
Fixed bug GH-9106 (DateInterval 1.5s added to DateTimeInterface is rounded down since PHP 8.1.0).
Fixed bug #75035 (Datetime fails to unserialize "extreme" dates).
Fixed bug #80483 (DateTime Object with 5-digit year can't unserialized).
Fixed bug #81263 (Wrong result from DateTimeImmutable::diff).
Fixed bug GH-9431 (DateTime::getLastErrors() not returning false when no errors/warnings).
Fixed bug with parsing large negative numbers with the @ notation.
DBA:
Fixed LMDB driver hanging when attempting to delete a non-existing key (Girgias)
Fixed LMDB driver memory leak on DB creation failure (Girgias)
Fixed GH-8856 (dba: lmdb: allow to override the MDB_NOSUBDIR flag).
FFI:
Fixed bug GH-9090 (Support assigning function pointers in FFI).
Fileinfo:
Fixed bug GH-8805 (finfo returns wrong mime type for woff/woff2 files).
Filter:
Added FILTER_FLAG_GLOBAL_RANGE to filter Global IPs.
FPM:
Emit error for invalid port setting.
Added extra check for FPM proc dumpable on SELinux based systems.
Added support for listening queue on macOS.
Changed default for listen.backlog on Linux to -1.
Added listen.setfib pool option to set route FIB on FreeBSD.
Added access.suppress_path pool option to filter access log entries.
Fixed on fpm scoreboard occasional warning on acquisition failure.
Fixed bug GH-9754 (SaltStack (using Python subprocess) hangs when running php-fpm 8.1.11).
FTP:
Fix datetime format string to follow POSIX spec in ftp_mdtm().
GD:
Fixed bug #81739: OOB read due to insufficient input validation in imageloadfont(). (CVE-2022-31630)
GMP:
Fixed bug GH-9308 (GMP throws the wrong error when a GMP object is passed to gmp_init()).
Hash:
Fixed bug #81738: buffer overflow in hash_update() on long parameter. (CVE-2022-37454)
Intl:
Update all grandfathered language tags with preferred values
Fixed GH-7939 (Cannot unserialize IntlTimeZone objects).
Fixed build for ICU 69.x and onwards.
Declared Transliterator::$id as readonly to unlock subclassing it.
Fixed bug GH-9421 (Incorrect argument number for ValueError in NumberFormatter).
MBString:
Fixed bug GH-9248 (Segmentation fault in mb_strimwidth()).
mysqli:
Fixed bug GH-9841 (mysqli_query throws warning despite using silenced error mode).
MySQLnd:
Fixed potential heap corruption due to alignment mismatch.
OCI8:
Added oci8.prefetch_lob_size directive to tune LOB query performance
Support for building against Oracle Client libraries 10.1 and 10.2 has been dropped. Oracle Client libraries 11.2 or newer are now required.
ODBC:
Fixed bug GH-8300 (User input not escaped when building connection string).
Fixed bug GH-9347 (Current ODBC liveness checks may be inadequate).
Opcache:
Allocate JIT buffer close to PHP .text segemnt to allow using direct IP-relative calls and jumps.
Added initial support for JIT performance profiling generation for macOs Instrument.
Fixed bug GH-8030 (Segfault with JIT and large match/switch statements).
Added JIT support improvement for macOs for segments and executable permission bit handling.
Added JIT buffer allocation near the .text section on FreeNSD.
Fixed bug GH-9371 (Crash with JIT on mac arm64) (jdp1024/David Carlier)
Fixed bug GH-9259 (opcache.interned_strings_buffer setting integer overflow).
Added indirect call reduction for jit on x86 architectures.
Fixed bug GH-9164 (Segfault in zend_accel_class_hash_copy).
Fix opcache preload with observers enabled.
OpenSSL:
Discard poll calls on socket when no timeout/non blocking/MSG_DONTWAIT.
Fixed bug GH-9310 (SSL local_cert and local_pk do not respect open_basedir).
Implement FR #76935 ("chacha20-poly1305" is an AEAD but does not work like AEAD).
Added openssl_cipher_key_length function.
Fixed bug GH-9517 (Compilation error openssl extension related to PR GH-9366).
Fixed missing clean up of OpenSSL engine list - attempt to fix GH-8620.
Fixed bug GH-8430 (OpenSSL compiled with no-md2, no-md4 or no-rmd160 does not build).
PCNTL:
Fixed pcntl_(get|set)priority error handling for MacOS.
PCRE:
Implemented FR #77726 (Allow null character in regex patterns).
Updated bundled libpcre to 10.40.
PDO:
Fixed bug GH-9818 (Initialize run time cache in PDO methods).
PDO_Firebird:
Fixed bug GH-8576 (Bad interpretation of length when char is UTF-8).
PDO_ODBC:
Fixed bug #80909 (crash with persistent connections in PDO_ODBC).
Fixed bug GH-8300 (User input not escaped when building connection string).
Fixed bug GH-9347 (Current ODBC liveness checks may be inadequate).
Fixed bug GH-9372 (HY010 when binding overlong parameter).
PDO_PGSQL:
Fixed bug GH-9411 (PgSQL large object resource is incorrectly closed).
Random:
Added new random extension.
Fixed bug GH-9067 (random extension is not thread safe).
Fixed bug GH-9055 (segmentation fault if user engine throws).
Fixed bug GH-9066 (signed integer overflow).
Fixed bug GH-9083 (undefined behavior during shifting).
Fixed bug GH-9088, GH-9056 (incorrect expansion of bytes when generating uniform integers within a given range).
Fixed bug GH-9089 (Fix memory leak on Randomizer::__construct() call twice).
Fixed bug GH-9212 (PcgOneseq128XslRr64::jump() should not allow negative $advance).
Changed Mt19937 to throw a ValueError instead of InvalidArgumentException for invalid $mode.
Splitted RandomRandomizer::getInt() (without arguments) to RandomRandomizer::nextInt().
Fixed bug GH-9235 (non-existant $sequence parameter in stub for PcgOneseq128XslRr64::__construct()).
Fixed bug GH-9190, GH-9191 (undefined behavior for MT_RAND_PHP when handling large ranges).
Fixed bug GH-9249 (Xoshiro256StarStar does not reject the invalid all-zero state).
Removed redundant RuntimeExceptions from Randomizer methods. The exceptions thrown by the engines will be exposed directly.
Added extension specific Exceptions/Errors (RandomException, RandomError, BrokenRandomEngineError).
Fixed bug GH-9415 (Randomizer::getInt(0, 2**32 - 1) with Mt19937 always returns 1).
Fixed Randomizer::getInt() consistency for 32-bit engines.
Fixed bug GH-9464 (build on older macOs releases).
Fixed bug GH-9839 (Pre-PHP 8.2 output compatibility for non-mt_rand() functions for MT_RAND_PHP).
Reflection:
Added ReflectionFunction::isAnonymous().
Added ReflectionMethod::hasPrototype().
Narrow ReflectionEnum::getBackingType() return type to ReflectionNamedType.
Fixed bug GH-8932 (ReflectionFunction provides no way to get the called class of a Closure).
Session:
Fixed bug GH-7787 (Improve session write failure message for user error handlers).
Fixed GH-9200 (setcookie has an obsolete expires date format).
Fixed GH-9584 (Avoid memory corruption when not unregistering custom session handler).
Fixed bug GH-9583 (session_create_id() fails with user defined save handler that doesn't have a validateId() method).
SOAP:
Fixed bug GH-9720 (Null pointer dereference while serializing the response).
Sockets:
Added TCP_NOTSENT_LOWAT socket option.
Added SO_MEMINFO socket option.
Added SO_RTABLE socket option (OpenBSD), equivalent of SO_MARK (Linux).
Added TCP_KEEPALIVE, TCP_KEEPIDLE, TCP_KEEPINTVL, TCP_KEEPCNT socket options.
Added ancillary data support for FreeBSD.
Added ancillary data support for NetBSD.
Added SO_BPF_EXTENSIONS socket option.
Added SO_SETFIB socket option.
Added TCP_CONGESTION socket option.
Added SO_ZEROCOPY/MSG_ZEROCOPY options.
Added SOL_FILTER socket option for Solaris.
Fixed socket constants regression as of PHP 8.2.0beta3.
Sodium:
Added sodium_crypto_stream_xchacha20_xor_ic().
SPL:
Uses safe_erealloc instead of erealloc to handle heap growth for the SplHeap::insert method to avoid possible overflows.
Widen iterator_to_array() and iterator_count()'s $iterator parameter to iterable.
Fixed bug #69181 (READ_CSV|DROP_NEW_LINE drops newlines within fields).
Fixed bug #65069 (GlobIterator incorrect handling of open_basedir check).
SQLite3:
Changed sqlite3.defensive from PHP_INI_SYSTEM to PHP_INI_USER.
Standard:
net_get_interfaces() also reports wireless network interfaces on Windows.
Finished AVIF support in getimagesize().
Fixed bug GH-7847 (stripos with large haystack has bad performance).
New function memory_reset_peak_usage().
Fixed parse_url(): can not recognize port without scheme.
Deprecated utf8_encode() and utf8_decode().
Fixed the crypt_sha256/512 api build with clang > 12.
Uses safe_erealloc instead of erealloc to handle options in getopt to avoid possible overflows.
Implemented FR GH-8924 (str_split should return empty array for empty string).
Added ini_parse_quantity function to convert ini quantities shorthand notation to int.
Enable arc4random_buf for Linux glibc 2.36 and onwards for the random_bytes.
Uses CCRandomGenerateBytes instead of arc4random_buf on macOs. (David Carlier).
Fixed bug #65489 (glob() basedir check is inconsistent).
Fixed GH-9200 (setcookie has an obsolete expires date format).
Fixed GH-9244 (Segfault with array_multisort + array_shift).
Fixed bug GH-9296 (`ksort` behaves incorrectly on arrays with mixed keys).
Marked crypt()'s $string parameter as #[SensitiveParameter].
Fixed bug GH-9464 (build on older macOs releases).
Fixed bug GH-9518 (Disabling IPv6 support disables unrelated constants).
Revert "Fixed parse_url(): can not recognize port without scheme." (andypost)
Fix crash reading module_entry after DL_UNLOAD() when module already loaded.
Streams:
Set IP_BIND_ADDRESS_NO_PORT if available when connecting to remote host.
Fixed bug GH-8548 (stream_wrapper_unregister() leaks memory).
Discard poll calls on socket when no timeout/non blocking/MSG_DONTWAIT.
Fixed bug GH-9316 ($http_response_header is wrong for long status line).
Fixed bug GH-9590 (stream_select does not abort upon exception or empty valid fd set).
Fixed bug GH-9653 (file copy between different filesystems).
Fixed bug GH-9779 (stream_copy_to_stream fails if dest in append mode).
Windows:
Added preliminary support for (cross-)building for ARM64.
XML:
Added libxml_get_external_entity_loader() function.
Zip:
add ZipArchive::clearError() method
add ZipArchive::getStreamName() method
add ZipArchive::getStreamIndex() method
On Windows, the Zip extension is now built as shared library (DLL) by default.
Implement fseek for zip stream when possible with libzip 1.9.1.

New in PHP 8.1.13 (Nov 27, 2022)

New in PHP 8.0.26 (Nov 27, 2022)

New in PHP 7.4.33 (Nov 4, 2022)

New in PHP 8.1.12 (Oct 30, 2022)

New in PHP 8.0.25 (Oct 28, 2022)

New in PHP 8.0.24 (Sep 30, 2022)

New in PHP 8.1.11 (Sep 29, 2022)

New in PHP 7.4.32 (Sep 29, 2022)

New in PHP 8.0.23 (Sep 2, 2022)

New in PHP 8.1.10 (Sep 1, 2022)

New in PHP 8.1.9 (Aug 5, 2022)

New in PHP 8.0.22 (Aug 5, 2022)

New in PHP 8.1.8 (Jul 8, 2022)

New in PHP 8.0.21 (Jul 7, 2022)

New in PHP 8.1.7 (Jun 11, 2022)

New in PHP 8.0.20 (Jun 11, 2022)

New in PHP 7.4.30 (Jun 11, 2022)

New in PHP 8.1.6 (May 13, 2022)

New in PHP 8.0.19 (May 13, 2022)

New in PHP 8.0.18 (Apr 15, 2022)

New in PHP 8.1.5 (Apr 14, 2022)

New in PHP 7.4.29 (Apr 14, 2022)

New in PHP 8.1.4 (Mar 18, 2022)

New in PHP 8.0.17 (Mar 17, 2022)

New in PHP 8.1.3 (Feb 18, 2022)

New in PHP 8.0.16 (Feb 18, 2022)

New in PHP 7.4.28 (Feb 18, 2022)

New in PHP 8.1.2 (Jan 21, 2022)

New in PHP 8.0.15 (Jan 21, 2022)

New in PHP 8.1.0 (Dec 2, 2021)

Core:
Fixed inclusion order for phpize builds on Windows.
Added missing hashtable insertion APIs for arr/obj/ref.
Implemented FR #77372 (Relative file path is removed from uploaded file).
Fixed bug #81607 (CE_CACHE allocation with concurrent access).
Fixed bug #81507 (Fiber does not compile on AIX).
Fixed bug #78647 (SEGFAULT in zend_do_perform_implementation_check).
Fixed bug #81518 (Header injection via default_mimetype / default_charset).
Fixed bug #75941 (Fix compile failure on Solaris with clang).
Fixed bug #81380 (Observer may not be initialized properly).
Fixed bug #81514 (Using Enum as key in WeakMap triggers GC + SegFault).
Fixed bug #81520 (TEST_PHP_CGI_EXECUTABLE badly set in run-tests.php).
Fixed bug #81377 (unset() of $GLOBALS sub-key yields warning).
Fixed bug #81342 (New ampersand token parsing depends on new line after it).
Fixed bug #81280 (Unicode characters in cli.prompt causes segfault).
Fixed bug #81192 ("Declaration should be compatible with" gives incorrect line number with traits).
Fixed bug #78919 (CLI server: insufficient cleanup if request startup fails).
Fixed bug #81303 (match error message improvements).
Fixed bug #81238 (Fiber support missing for Solaris Sparc).
Fixed bug #81237 (Comparison of fake closures doesn't work).
Fixed bug #81202 (powerpc64 build fails on fibers).
Fixed bug #80072 (Cyclic unserialize in TMPVAR operand may leak).
Fixed bug #81163 (__sleep allowed to return non-array).
Fixed bug #75474 (function scope static variables are not bound to a unique function).
Fixed bug #53826 (__callStatic fired in base class through a parent call if the method is private).
Fixed bug #81076 (incorrect debug info on Closures with implicit binds).
CLI:
Fixed bug #81496 (Server logs incorrect request method).
COM:
Dispatch using LANG_NEUTRAL instead of LOCALE_SYSTEM_DEFAULT.
Curl:
Fixed bug #81085 (Support CURLOPT_SSLCERT_BLOB for cert strings).
Date:
Fixed bug #81458 (Regression Incorrect difference after timezone change).
Fixed bug #81500 (Interval serialization regression since 7.3.14 / 7.4.2).
Fixed bug #81504 (Incorrect timezone transition details for POSIX data).
Fixed bug #80998 (Missing second with inverted interval).
Speed up finding timezone offset information.
Fixed bug #79580 (date_create_from_format misses leap year).
Fixed bug #80963 (DateTimeZone::getTransitions() truncated).
Fixed bug #80974 (Wrong diff between 2 dates in different timezones).
Fixed bug #80998 (Missing second with inverted interval).
Fixed bug #81097 (DateTimeZone silently falls back to UTC when providing an offset with seconds).
Fixed bug #81106 (Regression in 8.1: add() now truncate ->f).
Fixed bug #81273 (Date interval calculation not correct).
Fixed bug #52480 (Incorrect difference using DateInterval).
Fixed bug #62326 (date_diff() function returns false result).
Fixed bug #64992 (dst not handled past 2038).
Fixed bug #65003 (Wrong date diff).
Fixed bug #66545 (DateTime. diff returns negative values).
Fixed bug #68503 (date_diff on two dates with timezone set localised returns wrong results).
Fixed bug #69806 (Incorrect date from timestamp).
Fixed bug #71700 (Extra day on diff between begin and end of march 2016).
Fixed bug #71826 (DateTime::diff confuse on timezone 'Asia/Tokyo').
Fixed bug #73460 (Datetime add not realising it already applied DST change).
Fixed bug #74173 (DateTimeImmutable::getTimestamp() triggers DST switch in incorrect time).
Fixed bug #74274 (Handling DST transitions correctly).
Fixed bug #74524 (Date diff is bad calculated, in same time zone).
Fixed bug #75167 (DateTime::add does only care about backward DST transition, not forward).
Fixed bug #76032 (DateTime->diff having issues with leap days for timezones ahead of UTC).
Fixed bug #76374 (Date difference varies according day time).
Fixed bug #77571 (DateTime's diff DateInterval incorrect in timezones from UTC+01:00 to UTC+12:00).
Fixed bug #78452 (diff makes wrong in hour for Asia/Tehran).
Fixed bug #79452 (DateTime::diff() generates months differently between time zones).
Fixed bug #79698 (timelib mishandles future timestamps (triggered by 'zic -b slim')).
Fixed bug #79716 (Invalid date time created (with day "00")).
Fixed bug #80610 (DateTime calculate wrong with DateInterval).
Fixed bug #80664 (DateTime objects behave incorrectly around DST transition).
Fixed bug #80913 (DateTime(Immutable)::sub around DST yield incorrect time).
DBA:
Fixed bug #81588 (TokyoCabinet driver leaks memory).
DOM:
Fixed bug #81433 (DOMElement::setIdAttribute() called twice may remove ID).
FFI:
Fixed bug #79576 ("TYPE *" shows unhelpful message when type is not defined).
Filter:
Fixed bug #61700 (FILTER_FLAG_IPV6/FILTER_FLAG_NO_PRIV|RES_RANGE failing).
FPM:
Fixed bug #81513 (Future possibility for heap overflow in FPM zlog).
Fixed bug #81026 (PHP-FPM oob R/W in root process leading to privilege escalation) (CVE-2021-21703).
Added openmetrics status format.
Enable process renaming on macOS.
Added pm.max_spawn_rate option to configure max spawn child processes rate.
Fixed bug #65800 (Events port mechanism).
FTP:
Convert resource to object FTPConnection.
GD:
Fixed bug #71316 (libpng warning from imagecreatefromstring).
Convert resource to object GdFont.
Added support for Avif images
hash:
Implemented FR #68109 (Add MurmurHash V3).
Implemented FR #73385 (Add xxHash support).
JSON:
Fixed bug #81532 (Change of $depth behaviour in json_encode() on PHP 8.1).
LDAP:
Convert resource to object LDAPConnection.
Convert resource to object LDAPResult.
Convert resource to object LDAPResultEntry.
MBString:
Fixed bug #76167 (mbstring may use pointer from some previous request).
Fixed bug #81390 (mb_detect_encoding() regression).
Fixed bug #81349 (mb_detect_encoding misdetcts ASCII in some cases).
Fixed bug #81298 (mb_detect_encoding() segfaults when 7bit encoding is specified).
MySQLi:
Fixed bug #70372 (Emulate mysqli_fetch_all() for libmysqlclient).
Fixed bug #80330 (Replace language in APIs and source code/docs).
Fixed bug #80329 (Add option to specify LOAD DATA LOCAL white list folder (including libmysql)).
MySQLnd:
Fixed bug #63327 (Crash (Bus Error) in mysqlnd due to wrong alignment).
Fixed bug #80761 (PDO uses too much memory).
Opcache:
Fixed bug #81409 (Incorrect JIT code for ADD with a reference to array).
Fixed bug #81255 (Memory leak in PHPUnit with functional JIT).
Fixed bug #80959 (infinite loop in building cfg during JIT compilation).
Fixed bug #81225 (Wrong result with pow operator with JIT enabled).
Fixed bug #81249 (Intermittent property assignment failure with JIT enabled).
Fixed bug #81256 (Assertion `zv != ((void *)0)' failed for "preload" with JIT).
Fixed bug #81133 (building opcache with phpize fails).
Fixed bug #81136 (opcache header not installed).
Added inheritance cache.
OpenSSL:
Fixed bug #81502 ($tag argument of openssl_decrypt() should accept null/empty string).
Bump minimal OpenSSL version to 1.0.2.
PCRE:
Fixed bug #81424 (PCRE2 10.35 JIT performance regression).
Bundled PCRE2 is 10.37.
PDO:
Fixed bug #40913 (PDO_MYSQL: PDO::PARAM_LOB does not bind to a stream for fetching a BLOB).
PDO MySQL:
Fixed bug #80908 (PDO::lastInsertId() return wrong).
Fixed bug #81037 (PDO discards error message text from prepared statement).
PDO OCI:
Fixed bug #77120 (Support 'success with info' at connection).
PDO ODBC:
Implement PDO_ATTR_SERVER_VERSION and PDO_ATTR_SERVER_INFO for PDO::getAttribute().
PDO PgSQL:
Fixed bug #81343 (pdo_pgsql: Inconsitent boolean conversion after calling closeCursor()).
PDO SQLite:
Fixed bug #38334 (Proper data-type support for PDO_SQLITE).
PgSQL:
Fixed bug #81509 (pg_end_copy still expects a resource).
Convert resource to object PgSqlConnection.
Convert resource to object PgSqlResult.
Convert resource to object PgSqlLob.
Phar:
Use SHA256 by default for signature.
Add support for OpenSSL_SHA256 and OpenSSL_SHA512 signature.
phpdbg:
Fixed bug #81135 (unknown help topic causes assertion failure).
PSpell:
Convert resource to object PSpellDictionary.
Convert resource to object PSpellConfig.
readline:
Fixed bug #72998 (invalid read in readline completion).
Reflection:
Fixed bug #81611 (ArgumentCountError when getting default value from ReflectionParameter with new).
Fixed bug #81630 (PHP 8.1: ReflectionClass->getTraitAliases() crashes with Internal error).
Fixed bug #81457 (Enum: ReflectionMethod->getDeclaringClass() return a ReflectionClass).
Fixed bug #81474 (Make ReflectionEnum and related class non-final).
Fixed bug #80821 (ReflectionProperty::getDefaultValue() returns current value for statics).
Fixed bug #80564 (ReflectionProperty::__toString() renders current value, not default value).
Fixed bug #80097 (ReflectionAttribute is not a Reflector).
Fixed bug #81200 (no way to determine if Closure is static).
Implement ReflectionFunctionAbstract::getClosureUsedVariables.
Shmop:
Fixed bug #81407 (shmop_open won't attach and causes php to crash).
SimpleXML:
Fixed bug #81325 (Segfault in zif_simplexml_import_dom).
SNMP:
Implement SHA256 and SHA512 for security protocol.
Sodium:
Added the XChaCha20 stream cipher functions.
Added the Ristretto255 functions, which are available in libsodium 1.0.18.
SPL:
Fixed bug #66588 (SplFileObject::fgetcsv incorrectly returns a row on premature EOF).
Fixed bug #80663 (Recursive SplFixedArray::setSize() may cause double-free).
Fixed bug #81477 (LimitIterator + SplFileObject regression in 8.0.1).
Fixed bug #81112 (Special json_encode behavior for SplFixedArray).
Fixed bug #80945 ("Notice: Undefined index" on unset() ArrayObject non-existing key).
Fixed bug #80724 (FilesystemIterator::FOLLOW_SYMLINKS remove KEY_AS_FILE from bitmask).
Standard:
Fixed bug #81441 (gethostbyaddr('::1') returns ip instead of name after calling some other method).
Fixed bug #81491 (Incorrectly using libsodium for argon2 hashing).
Fixed bug #81142 (PHP 7.3+ memory leak when unserialize() is used on an associative array).
Fixed bug #81111 (Serialization is unexpectedly allowed on anonymous classes with __serialize()).
Fixed bug #81137 (hrtime breaks build on OSX before Sierra).
Fixed bug #77627 (method_exists on Closure::__invoke inconsistency).
Streams:
Fixed bug #81475 (stream_isatty emits warning with attached stream wrapper).
XML:
Fixed bug #79971 (special character is breaking the path in xml function) (CVE-2021-21707).
Fixed bug #70962 (XML_OPTION_SKIP_WHITE strips embedded whitespace).
Zip:
Fixed bug #81490 (ZipArchive::extractTo() may leak memory).
Fixed bug #77978 (Dirname ending in colon unzips to wrong dir).
Fixed bug #81420 (ZipArchive::extractTo extracts outside of destination) (CVE-2021-21706).
Fixed bug #80833 (ZipArchive::getStream doesn't use setPassword).

New in PHP 8.0.13 (Nov 24, 2021)

New in PHP 7.4.26 (Nov 18, 2021)

New in PHP 7.3.33 (Nov 18, 2021)

New in PHP 8.0.12 (Nov 2, 2021)

New in PHP 7.4.25 (Nov 2, 2021)

New in PHP 7.3.32 (Nov 2, 2021)

New in PHP 8.0.11 (Sep 30, 2021)

New in PHP 7.4.24 (Sep 30, 2021)

New in PHP 7.3.31 (Sep 23, 2021)

New in PHP 8.0.10 (Sep 1, 2021)

New in PHP 7.4.23 (Sep 1, 2021)

New in PHP 7.3.30 (Sep 1, 2021)

New in PHP 8.0.9 (Jul 30, 2021)

New in PHP 7.4.22 (Jul 30, 2021)

New in PHP 8.0.8 (Jul 7, 2021)

New in PHP 7.4.21 (Jul 7, 2021)

New in PHP 7.3.29 (Jul 7, 2021)

New in PHP 8.0.7 (Jun 15, 2021)

New in PHP 7.4.20 (Jun 15, 2021)

New in PHP 8.0.6 (May 18, 2021)

New in PHP 7.4.19 (May 6, 2021)

New in PHP 8.0.5 (May 4, 2021)

Core:
Fixed bug #75776 (Flushing streams with compression filter is broken).
Fixed bug #80811 (Function exec without $output but with $restult_code parameter crashes).
Fixed bug #80814 (threaded mod_php won't load on FreeBSD: No space available for static Thread Local Storage).
Changed PowerPC CPU registers used by Zend VM to work around GCC bug. Old registers (r28/r29) might be clobbered by _restgpr routine used for return from C function compiled with -Os.
Dba:
Fixed bug #80817 (dba_popen() may cause segfault during RSHUTDOWN).
DOM:
Fixed bug #66783 (UAF when appending DOMDocument to element).
FFI:
Fixed bug #80847 (CData structs with fields of type struct can't be passed as C function argument).
FPM:
Fixed bug #80024 (Duplication of info about inherited socket after pool removing).
FTP:
Fixed bug #80880 (SSL_read on shutdown, ftp/proc_open).
IMAP:
Fixed bug #80800 (imap_open() fails when the flags parameter includes CL_EXPUNGE).
Fixed bug #80710 (imap_mail_compose() header injection).
Intl:
Fixed bug #80763 (msgfmt_format() does not accept DateTime references).
LibXML:
Fixed bug #73533 (Invalid memory access in php_libxml_xmlCheckUTF8).
Fixed bug #51903 (simplexml_load_file() doesn't use HTTP headers).
MySQLnd:
Fixed bug #80837 (Calling stmt_store_result after fetch doesn't throw an error).
Opcache:
Fixed bug #80839 (PHP problem with JIT).
Fixed bug #80861 (erronous array key overflow in 2D array with JIT).
Fixed bug #80786 (PHP crash using JIT).
Fixed bug #80782 (DASM_S_RANGE_VREG on PHP_INT_MIN-1).
Pcntl:
Fixed bug #79812 (Potential integer overflow in pcntl_exec()).
PCRE:
Fixed bug #80866 (preg_split ignores limit flag when pattern with K has 0-width fullstring match).
PDO_ODBC:
Fixed bug #80783 (PDO ODBC truncates BLOB records at every 256th byte).
PDO_pgsql:
Fixed bug #80892 (PDO::PARAM_INT is treated the same as PDO::PARAM_STR).
Session:
Fixed bug #80889 (Cannot set save handler when save_handler is invalid).
Fixed bug #80774 (session_name() problem with backslash).
SOAP:
Fixed bug #69668 (SOAP special XML characters in namespace URIs not encoded).
Standard:
Fixed bug #80915 (Taking a reference to $_SERVER hides its values from phpinfo()).
Fixed bug #80914 ('getdir' accidentally defined as an alias of 'dir').
Fixed bug #80771 (phpinfo(INFO_CREDITS) displays nothing in CLI).
Fixed bug #78719 (http wrapper silently ignores long Location headers).
Fixed bug #80838 (HTTP wrapper waits for HTTP 1 response after HTTP 101).
Zip:
Fixed bug #80825 (ZipArchive::isCompressionMethodSupported does not exist).

New in PHP 7.4.18 (May 4, 2021)

Core:
Fixed bug #80781 (Error handler that throws ErrorException infinite loop).
Fixed bug #75776 (Flushing streams with compression filter is broken). (cmb) 04 Mar 2021, php 7.4.16
Fixed #80706 (mail(): Headers after Bcc headers may be ignored).
Dba:
Fixed bug #80817 (dba_popen() may cause segfault during RSHUTDOWN).
DOM:
Fixed bug #66783 (UAF when appending DOMDocument to element).
FPM:
Fixed bug #80024 (Duplication of info about inherited socket after pool removing).
FTP:
Fixed bug #80880 (SSL_read on shutdown, ftp/proc_open).
Imap:
Fixed bug #80710 (imap_mail_compose() header injection).
Intl:
Fixed bug #80763 (msgfmt_format() does not accept DateTime references).
LibXML:
Fixed bug #51903 (simplexml_load_file() doesn't use HTTP headers).
Fixed bug #73533 (Invalid memory access in php_libxml_xmlCheckUTF8).
MySQLnd:
Fixed bug #80713 (SegFault when disabling ATTR_EMULATE_PREPARES and MySQL 8.0).
Fixed bug #80837 (Calling stmt_store_result after fetch doesn't throw an error).
Fixed bug #78680 (mysqlnd's mysql_clear_password does not transmit null-terminated password).
Opcache:
Fixed bug #80805 (create simple class and get error in opcache.so).
Fixed bug #80950 (Variables become null in if statements).
Pcntl:
Fixed bug #79812 (Potential integer overflow in pcntl_exec()).
PCRE:
Fixed bug #80866 (preg_split ignores limit flag when pattern with K has 0-width fullstring match).
PDO_ODBC:
Fixed bug #80783 (PDO ODBC truncates BLOB records at every 256th byte).
PDO_pgsql:
Fixed bug #80892 (PDO::PARAM_INT is treated the same as PDO::PARAM_STR).
phpdbg:
Fixed bug #80757 (Exit code is 0 when could not open file).
Session:
Fixed bug #80774 (session_name() problem with backslash).
Fixed bug #80889 (Cannot set save handler when save_handler is invalid).
SOAP:
Fixed bug #69668 (SOAP special XML characters in namespace URIs not encoded).
Standard:
Fixed bug #78719 (http wrapper silently ignores long Location headers).
Fixed bug #80771 (phpinfo(INFO_CREDITS) displays nothing in CLI).
Fixed bug #80838 (HTTP wrapper waits for HTTP 1 response after HTTP 101).
Fixed bug #80915 (Taking a reference to $_SERVER hides its values from phpinfo()).
Fixed bug #80654 (file_get_contents() maxlen fails above (2**31)-1 bytes).
MySQLi:
Fixed bug #74779 (x() and y() truncating floats to integers).
OPcache:
Fixed bug #80682 (opcache doesn't honour pcre.jit option).
OpenSSL:
Fixed bug #80747 (Providing RSA key size < 512 generates key that crash PHP).
Phar:
Fixed bug #75850 (Unclear error message wrt. __halt_compiler() w/o semicolon) (cmb)
Fixed bug #70091 (Phar does not mark UTF-8 filenames in ZIP archives).
Fixed bug #53467 (Phar cannot compress large archives).
SPL:
Fixed bug#80719 (Iterating after failed ArrayObject::setIteratorClass() causes Segmentation fault).
Zip:
Fixed bug #80648 (Fix for bug 79296 should be based on runtime version).

New in PHP 7.3.28 (May 4, 2021)

New in PHP 7.3.27 (May 4, 2021)

New in PHP 8.0.3 (Mar 17, 2021)

New in PHP 7.4.16 (Mar 17, 2021)

New in PHP 8.0.2 (Feb 4, 2021)

New in PHP 7.4.15 (Feb 4, 2021)

New in PHP 7.3.27 (Feb 4, 2021)

New in PHP 8.0.1 (Jan 19, 2021)

Core:
Fixed bug #80345 (PHPIZE configuration has outdated PHP_RELEASE_VERSION).
Fixed bug #72964 (White space not unfolded for CC/Bcc headers).
Fixed bug #80391 (Iterable not covariant to mixed).
Fixed bug #80393 (Build of PHP extension fails due to configuration gap with libtool).
Fixed bug #77069 (stream filter loses final block of data).
Fileinfo:
Fixed bug #77961 (finfo_open crafted magic parsing SIGABRT).
FPM:
Fixed bug #69625 (FPM returns 200 status on request without SCRIPT_FILENAME env).
IMAP:
Fixed bug #80438 (imap_msgno() incorrectly warns and return false on valid UIDs in PHP 8).
Fix a regression with valid UIDs in imap_savebody().
Make warnings for invalid message numbers/UIDs between functions consistent.
Intl:
Fixed bug #80425 (MessageFormatAdapter::getArgTypeList redefined).
Opcache:
Fixed bug #80404 (Incorrect range inference result when division results in float).
Fixed bug #80377 (Opcache misses executor_globals).
Fixed bug #80433 (Unable to disable the use of the AVX command when using JIT).
Fixed bug #80447 (Strange out of memory error when running with JIT).
Fixed bug #80480 (Segmentation fault with JIT enabled).
Fixed bug #80506 (Immediate SIGSEGV upon ini_set("opcache.jit_debug", 1)).
OpenSSL:
Fixed bug #80368 (OpenSSL extension fails to build against LibreSSL due to lack of OCB support).
PDO MySQL:
Fixed bug #80458 (PDOStatement::fetchAll() throws for upsert queries).
Fixed bug #63185 (nextRowset() ignores MySQL errors with native prepared statements).
Fixed bug #78152 (PDO::exec() - Bad error handling with multiple commands).
Fixed bug #66878 (Multiple rowsets not returned unless PDO statement object is unset()).
Fixed bug #70066 (Unexpected "Cannot execute queries while other unbuffered queries").
Fixed bug #71145 (Multiple statements in init command triggers unbuffered query error).
Fixed bug #76815 (PDOStatement cannot be GCed/closeCursor-ed when a PROCEDURE resultset SIGNAL).
Fixed bug #79872 (Can't execute query with pending result sets).
Fixed bug #79131 (PDO does not throw an exception when parameter values are missing).
Fixed bug #72368 (PdoStatement->execute() fails but does not throw an exception).
Fixed bug #62889 (LOAD DATA INFILE broken).
Fixed bug #67004 (Executing PDOStatement::fetch() more than once prevents releasing resultset).
Fixed bug #79132 (PDO re-uses parameter values from earlier calls to execute()).
Phar:
Fixed bug #73809 (Phar Zip parse crash - mmap fail).
Fixed bug #75102 (`PharData` says invalid checksum for valid tar).
Fixed bug #77322 (PharData::addEmptyDir('/') Possible integer overflow).
Phpdbg:
Fixed bug #76813 (Access violation near NULL on source operand).
SPL:
Fixed bug #62004 (SplFileObject: fgets after seek returns wrong line).
Standard:
Fixed bug #80366 (Return Value of zend_fstat() not Checked).
Fixed bug #77423 (FILTER_VALIDATE_URL accepts URLs with invalid userinfo). (CVE-2020-7071)
Tidy:
Fixed bug #77594 (ob_tidyhandler is never reset).
Tokenizer:
Fixed bug #80462 (Nullsafe operator tokenize with TOKEN_PARSE flag fails).
XML:
XmlParser opaque object renamed to XMLParser for consistency with other XML objects.
Zlib:
Fixed bug #48725 (Support for flushing in zlib stream).

New in PHP 7.4.14 (Jan 19, 2021)

New in PHP 7.3.26 (Jan 19, 2021)

New in PHP 8.0.0 (Dec 17, 2020)

BZ2:
Fixed bug #71263 (fread() does not report bzip2.decompress errors).
CLI:
Allow debug server binding to an ephemeral port via `-S localhost:0`.
COM:
Fixed bug #55847 (DOTNET .NET 4.0 GAC new location).
Fixed bug #62474 (com_event_sink crashes on certain arguments).
Calendar:
Fixed bug #80007 (Potential type confusion in unixtojd() parameter parsing).
Core:
Fixed bug #36365 (scandir duplicates file name at every 65535th file).
Fixed bug #49555 (Fatal error "Function must be a string" message should be renamed).
Fixed bug #62294 (register_shutdown_function() does not correctly handle exit code).
Fixed bug #62609 (Allow implementing Traversable on abstract classes).
Fixed bug #65274 (Enhance undefined class constant error with class name).
Fixed bug #65275 (Calling exit() in a shutdown function does not change the exit value in CLI).
Fixed bug #69084 (Unclear error message when not implementing a renamed abstract trait function).
Fixed bug #70839 (Converting optional argument to variadic forbidden by LSP checks).
Fixed bug #74558 (Can't rebind closure returned by Closure::fromCallable()).
Fixed bug #77561 (Shebang line not stripped for non-primary script).
Fixed bug #77619 (Wrong reflection on MultipleIterator::__construct).
Fixed bug #77966 (Cannot alias a method named "namespace").
Fixed bug #78236 (convert error on receiving variables when duplicate [).
Fixed bug #78770 (Incorrect callability check inside internal methods).
Fixed bug #79108 (Referencing argument in a function makes it a reference in the stack trace).
Fixed bug #79368 ("Unexpected end of file" is not an acceptable error message).
Fixed bug #79462 (method_exists and property_exists incoherent behavior).
Fixed bug #79467 (data:// wrappers are writable).
Fixed bug #79521 (Check __set_state structure).
Fixed bug #79790 ("Illegal offset type" exception during AST evaluation not handled properly).
Fixed bug #79791 (Assertion failure when unsetting variable during binary op).
Fixed bug #79828 (Segfault when trying to access non-existing variable).
Fixed bug #79841 (Syntax error in configure / unescaped "[]" in php.m4).
Fixed bug #79852 (count(DOMNodeList) doesn't match count(IteratorIterator(DOMNodeList))).
Fixed bug #79867 (Promoted untyped properties should get null default value).
Fixed bug #79897 (Promoted constructor params with attribs cause crash).
Fixed bug #79927 (Generator doesn't throw exception after multiple yield from iterable).
Fixed bug #79946 (Build fails due to undeclared UINT32_C).
Fixed bug #79948 (Exit in auto-prepended file does not abort PHP execution).
Fixed bug #80045 (memleak after two set_exception_handler calls with __call).
Fixed bug #80096 (Segmentation fault with named arguments in nested call).
Fixed bug #80109 (Cannot skip arguments when extended debug is enabled).
Fixed bug #80225 (broken namespace usage in eval code).
Fixed bug #80258 (Windows Deduplication Enabled, randon permission errors).
Fixed bug #80280 (ADD_EXTENSION_DEP() fails for ext/standard and ext/date).
Fixed bug #80334 (assert() vs named parameters - confusing error).
Fixed bug #80055 (Abstract trait methods returning "self" cannot be fulfilled by traits).
Fixed faulty generator cleanup with yield from.
Implement #[Attr] Attribute syntax as per final vote in RFC https://wiki.php.net/rfc/shorter_attribute_syntax_change
Implemented FR #47074 (phpinfo() reports "On" as 1 for the some extensions).
Implemented FR #72089 (require() throws fatal error instead of exception).
Removed the pdo_odbc.db2_instance_name php.ini directive.
Use SSE2 instructions do locale independent strtolower.
Curl:
Bumped required libcurl version to 7.29.0.
Fixed bug #80121 (Null pointer deref if CurlHandle directly instantiated).
DOM:
Add property DOMXPath::$registerNodeNamespaces and constructor argument that allow global flag to configure query() or evaluate() calls.
Fixed bug #79968 (DOMChildNode API crash on unattached nodes).
Fixed bug #80268 (loadHTML() truncates at NUL bytes).
Date:
Fixed bug #60302 (DateTime::createFromFormat should new static(), not new self()).
Fixed bug #65547 (Default value for sunrise/sunset zenith still wrong).
Fixed bug #69044 (discrepancy between time and microtime).
Fixed bug #80057 (DateTimeImmutable::createFromFormat() does not populate time).
Implemented FR #79903 (datetime: new format "p", same as "P" but returning "Z" for UTC).
Enchant:
Add LIBENCHANT_VERSION macro.
Add enchant_dict_add and enchant_dict_is_added functions.
Deprecate enchant_broker_set_dict_path, enchant_broker_get_dict_path, enchant_dict_add_to_personal and enchant_dict_is_in_session.
Use libenchant-2 when available.
FFI:
Added FFICType::getName() method.
Fixed bug #79177 (FFI doesn't handle well PHP exceptions within callback).
Fixed bug #79749 (Converting FFI instances to bool fails).
FPM:
Add pm.status_listen option.
Fileinfo:
Upgrade to libmagic 5.39.
GD:
Added imagegetinterpolation().
Fixed bug #55005 (imagepolygon num_points requirement).
Made the $num_points parameter of php_imagepolygon optional.
Removed deprecated image2wbmp().
Removed deprecated png2wbmp() and jpeg2wbmp().
Replaced gd resources with objects.
IMAP:
Fixed bug #64076 (imap_sort() does not return FALSE on failure).
Fixed bug #76618 (segfault on imap_reopen).
Fixed bug #80213 (imap_mail_compose() segfaults on certain $bodies).
Fixed bug #80215 (imap_mail_compose() may modify by-val parameters).
Fixed bug #80216 (imap_mail_compose() does not validate types/encodings).
Fixed bug #80220 (imap_mail_compose() may leak memory).
Fixed bug #80223 (imap_mail_compose() leaks envelope on malformed bodies).
Fixed bug #80226 (imap_sort() leaks sortpgm memory).
Fixed bug #80239 (imap_rfc822_write_address() leaks memory).
Fixed bug #80242 (imap_mail_compose() segfaults for multipart with rfc822).
Fixed minor regression caused by fixing bug #80220.
Iconv:
Dropped support for iconv without proper errno setting.
Intl:
Removed deprecated INTL_IDNA_VARIANT_2003.
JIT:
Fixed bug #77857 (Wrong result if executed with JIT).
Fixed bug #79255 (PHP cannot be compiled with enable JIT).
Fixed bug #79582 (Crash seen when opcache.jit=1235 and opcache.jit_debug=2).
Fixed bug #79743 (Fatal error when assigning to array property with JIT enabled).
Fixed bug #79864 (JIT segfault in Symfony OptionsResolver).
Fixed bug #79888 (Incorrect execution with JIT enabled).
JSON:
The JSON extension is now an integral part of PHP and cannot be disabled as per RFC: https://wiki.php.net/rfc/always_enable_json (tandre)
LDAP:
Fixed memory leaks.
Removed deprecated ldap_sort.
MBString:
Fixed bug #76999 (mb_regex_set_options() return current options).
Removed the unused $is_hex parameter from mb_decode_numericentity().
MySQLi:
Fixed bug #76809 (SSL settings aren't respected when persistent connections are used).
Mysqlnd:
Fixed #60594 (mysqlnd exposes 160 lines of stats in phpinfo).
OCI8:
Deprecated old OCI8 function aliases.
Modernized oci_register_taf_callback() callable argument parsing implementation.
Removed obsolete no-op function oci_internal_debug().
ODBC:
Fixed bug #22986 (odbc_connect() may reuse persistent connection).
Fixed bug #44618 (Fetching may rely on uninitialized data).
Opcache:
Fixed bug #76535 (Opcache does not replay compile-time warnings).
Fixed bug #78654 (Incorrectly computed opcache checksum on files with non-ascii characters).
Fixed bug #79665 (ini_get() and opcache_get_configuration() inconsistency).
Fixed bug #80030 (Optimizer segfault with isset on static property with undef dynamic class name).
Fixed bug #80175 (PHP8 RC1 - JIT Buffer not working).
Fixed bug #80184 (Complex expression in while / if statements resolves to false incorrectly).
Fixed bug #80255 (Opcache bug (bad condition result) in 8.0.0rc1).
Fixed run-time binding of preloaded dynamically declared function.
OpenSSL:
Added Cryptographic Message Syntax (CMS) support.
PCRE:
Don't ignore invalid escape sequences.
Updated to PCRE2 10.35.
PDO:
Changed default PDO error mode to exceptions.
Fixed bug #77849 (Disable cloning of PDO handle/connection objects).
PDO_Firebird:
Fixed bug #64937 (Firebird PDO preprocessing sql).
PDO_OCI:
Added support for setting and getting the oracle OCI 18c call timeout.
PDO_PGSQL:
Bumped required libpq version to 9.1.
PGSQL:
Bumped required libpq version to 9.1.
Phpdbg:
Fixed bug #76596 (phpdbg support for display_errors=stderr).
Fixed bug #76801 (too many open files).
Fixed bug #77800 (phpdbg segfaults on listing some conditional breakpoints).
Fixed bug #77805 (phpdbg build fails when readline is shared).
Reflection:
Fixed bug #64592 (ReflectionClass::getMethods() returns methods out of scope).
Fixed bug #69180 (Reflection does not honor trait conflict resolution / method aliasing).
Fixed bug #74939 (Nested traits' aliased methods are lowercased).
Fixed bug #77325 (ReflectionClassConstant::$class returns wrong class when extending).
Fixed bug #78697 (ReflectionClass::implementsInterface - inaccurate error message with traits).
Fixed bug #80190 (ReflectionMethod::getReturnType() does not handle static as part of union type).
Fixed bug #80299 (ReflectionFunction->invokeArgs confused in arguments).
Fixed bug #80370 (getAttributes segfault on dynamic properties).
Implement #79628 (Add $filter parameter for ReflectionClass::getConstants and ReflectionClass::getReflectionConstants) (carusogabriel)
Implement ReflectionProperty::hasDefaultValue and Reflection::getDefaultValue (beberlei)
SNMP:
Fixed bug #70461 (disable md5 code when it is not supported in net-snmp).
SPL:
Fixed bug #65006 (spl_autoload_register fails with multiple callables using self, same method).
Fixed bug #65387 (Circular references in SPL iterators are not garbage collected).
Fixed bug #71236 (Second call of spl_autoload_register() does nothing if it has no arguments).
Fixed bug #79987 (Memory leak in SplFileInfo because of missing zend_restore_error_handling()).
SplFixedArray is now IteratorAggregate rather than Iterator.
SQLite3:
Added SQLite3::setAuthorizer() and respective class constants.
Session:
Fixed bug #73529 (session_decode() silently fails on wrong input).
Fixed bug #78624 (session_gc return value for user defined session handlers).
Shmop:
Converted shmop resources to objects.
SimpleXML:
Fixed bug #63575 (Root elements are not properly cloned).
Fixed bug #75245 (Don't set content of elements with only whitespaces).
Sodium:
Fixed bug #77646 (sign_detached() strings not terminated).
Standard:
Don't force rebuild of symbol table, when populating $http_response_header variable by the HTTP stream wrapper.
Fixed bug #47983 (mixed LF and CRLF line endings in mail()).
Fixed bug #64060 (lstat_stat_variation7.phpt fails on certain file systems).
Fixed bug #75902 (str_replace should warn when misused with nested arrays).
Fixed bug #76859 (stream_get_line skips data if used with data-generating filter).
Fixed bug #77204 (getimagesize(): Read error! should mention file path).
Fixed bug #78385 (parse_url() does not include 'query' when question mark is the last char).
Fixed bug #79868 (Sorting with array_unique gives unwanted result).
Fixed bug #80256 (file_get_contents strip first line with chunked encoding redirect).
Fixed bug #80266 (parse_url silently drops port number 0).
Fixed bug #80290 (Double free when ASSERT_CALLBACK is used with a dynamic message).
Implemented FR #78638 (__PHP_Incomplete_Class should be final).
Made quoting of cmd execution functions consistent.
Tidy:
Removed the unused $use_include_path parameter from tidy_repair_string().
Tokenizer:
Fixed bug #80328 (PhpToken::getAll() confusing name).
XML:
Fixed bug #76874 (xml_parser_free() should never leak memory).
XMLWriter:
Changed functions to accept/return XMLWriter objects instead of resources.
Implemented FR #79344 (xmlwriter_write_attribute_ns: $prefix should be nullable).
Removed return types from XMLWriter stubs.
Zip:
Add "flags" options to ZipArchive::addGlob and addPattern methods keeping previous behavior having FL_OVERWRITE by default.
Add ZipArchive::EM_UNKNOWN and ZipArchive::EM_TRAD_PKWARE constants.
Add ZipArchive::isCompressionMethodSupported() and ZipArchive::isEncryptionMethodSupported() method (libzip 1.7.0).
Add ZipArchive::replaceFile() method.
Add ZipArchive::setCancelCallback method (since libzip 1.6.0).
Add ZipArchive::setMtimeName and ZipArchive::setMtimeIndex methods.
Add ZipArchive::setProgressCallback method (since libzip 1.3.0).
Add lastId property to ZipArchive.
Add optional "flags" parameter to ZipArchive::addEmptyDir, addFile and addFromString methods.
Fixed bug #50678 (files extracted by ZipArchive class lost their original modified time).
Fixed bug #72374 (remove_path strips first char of filename).
Implemented FR #77960 (add compression / encryption options for ZipArchive::addGlob and ZipArchive::addPattern).
ZipArchive::status and ZipArchive::statusSys properties and ZipArchive::getStatusString() method stay valid after the archive is closed.
Zlib:
Fixed bug #71417 (fread() does not report zlib.inflate errors).
Fixed bug #78792 (zlib.output_compression disabled by Content-Type: image/).

New in PHP 7.4.13 (Dec 17, 2020)

New in PHP 7.3.25 (Dec 17, 2020)

New in PHP 7.4.12 (Oct 30, 2020)

New in PHP 7.3.24 (Oct 29, 2020)

New in PHP 7.4.11 (Oct 13, 2020)

New in PHP 7.3.23 (Oct 13, 2020)

New in PHP 7.4.10 (Sep 6, 2020)

New in PHP 7.3.22 (Sep 6, 2020)

New in PHP 7.4.9 (Aug 6, 2020)

New in PHP 7.3.21 (Aug 6, 2020)

New in PHP 7.2.33 (Aug 6, 2020)

New in PHP 7.4.8 (Jul 21, 2020)

New in PHP 7.3.20 (Jul 21, 2020)

New in PHP 7.2.32 (Jul 21, 2020)

New in PHP 7.4.7 (Jun 23, 2020)

New in PHP 7.3.19 (Jun 23, 2020)

New in PHP 7.4.6 (Jun 10, 2020)

New in PHP 7.3.18 (Jun 10, 2020)

New in PHP 7.2.31 (Jun 10, 2020)

New in PHP 7.2.30 (Apr 19, 2020)

New in PHP 7.4.5 (Apr 16, 2020)

New in PHP 7.3.17 (Apr 16, 2020)

New in PHP 7.4.4 (Mar 19, 2020)

Core:
Fixed bug #79329 (get_headers() silently truncates after a null byte) (CVE-2020-7066)
Fixed bug #79244 (php crashes during parsing INI file).
Fixed bug #63206 (restore_error_handler does not restore previous errors mask).
COM:
Fixed bug #66322 (COMPersistHelper::SaveToFile can save to wrong location).
Fixed bug #79242 (COM error constants don't match com_exception codes on x86).
Fixed bug #79247 (Garbage collecting variant objects segfaults).
Fixed bug #79248 (Traversing empty VT_ARRAY throws com_exception).
Fixed bug #79299 (com_print_typeinfo prints duplicate variables).
Fixed bug #79332 (php_istreams are never freed).
Fixed bug #79333 (com_print_typeinfo() leaks memory).
CURL:
Fixed bug #79019 (Copied cURL handles upload empty file).
Fixed bug #79013 (Content-Length missing when posting a curlFile with curl).
DOM:
Fixed bug #77569: (Write Access Violation in DomImplementation).
Fixed bug #79271 (DOMDocumentType::$childNodes is NULL).
Enchant:
Fixed bug #79311 (enchant_dict_suggest() fails on big endian architecture).
EXIF:
Fixed bug #79282 (Use-of-uninitialized-value in exif) (CVE-2020-7064).
Fileinfo:
Fixed bug #79283 (Segfault in libmagic patch contains a buffer overflow).
FPM:
Fixed bug #77653 (operator displayed instead of the real error message).
Fixed bug #79014 (PHP-FPM & Primary script unknown).
MBstring:
Fixed bug #79371 (mb_strtolower (UTF-32LE): stack-buffer-overflow at php_unicode_tolower_full) (CVE-2020-7065).
MySQLi:
Fixed bug #64032 (mysqli reports different client_version).
MySQLnd:
Implemented FR #79275 (Support auth_plugin_caching_sha2_password on Windows).
Opcache:
Fixed bug #79252 (preloading causes php-fpm to segfault during exit).
PCRE:
Fixed bug #79188 (Memory corruption in preg_replace/preg_replace_callback and unicode).
Fixed bug #79241 (Segmentation fault on preg_match()).
Fixed bug #79257 (Duplicate named groups (?J) prefer last alternative even if not matched).
PDO_ODBC:
Fixed bug #79038 (PDOStatement::nextRowset() leaks column values).
Reflection:
Fixed bug #79062 (Property with heredoc default value returns false for getDocComment).
SQLite3:
Fixed bug #79294 (::columnType() may fail after SQLite3Stmt::reset()).
Standard:
Fixed bug #79254 (getenv() w/o arguments not showing changes).
Fixed bug #79265 (Improper injection of Host header when using fopen for http requests).
Zip:
Fixed bug #79315 (ZipArchive::addFile doesn't honor start/length parameters).

New in PHP 7.3.16 (Mar 19, 2020)

New in PHP 7.2.29 (Mar 19, 2020)

New in PHP 7.4.3 (Feb 20, 2020)

Core:
Fixed bug #79146 (cscript can fail to run on some systems).
Fixed bug #79155 (Property nullability lost when using multiple property definition).
Fixed bug #78323 (Code 0 is returned on invalid options).
Fixed bug #78989 (Delayed variance check involving trait segfaults).
Fixed bug #79174 (cookie values with spaces fail to round-trip).
Fixed bug #76047 (Use-after-free when accessing already destructed backtrace arguments).
COM:
Fixed bug #79247 (Garbage collecting variant objects segfaults).
CURL:
Fixed bug #79078 (Hypothetical use-after-free in curl_multi_add_handle()).
FFI:
Fixed bug #79096 (FFI Struct Segfault).
IMAP:
Fixed bug #79112 (IMAP extension can't find OpenSSL libraries at configure time).
Intl:
Fixed bug #79212 (NumberFormatter::format() may detect wrong type).
Libxml:
Fixed bug #79191 (Error in SoapClient ctor disables DOMDocument::save()).
MBString:
Fixed bug #79149 (SEGV in mb_convert_encoding with non-string encodings).
MySQLi:
Fixed bug #78666 (Properties may emit a warning on var_dump()).
MySQLnd:
Fixed bug #79084 (mysqlnd may fetch wrong column indexes with MYSQLI_BOTH).
Fixed bug #79011 (MySQL caching_sha2_password Access denied for password with more than 20 chars).
Opcache:
Fixed bug #79114 (Eval class during preload causes class to be only half available).
Fixed bug #79128 (Preloading segfaults if preload_user is used).
Fixed bug #79193 (Incorrect type inference for self::$field =& $field).
OpenSSL:
Fixed bug #79145 (openssl memory leak).
Phar:
Fixed bug #79082 (Files added to tar with Phar::buildFromIterator have all-access permissions). (CVE-2020-7063)
Fixed bug #79171 (heap-buffer-overflow in phar_extract_file). (CVE-2020-7061)
Fixed bug #76584 (PharFileInfo::decompress not working).
Reflection:
Fixed bug #79115 (ReflectionClass::isCloneable call reflected class __destruct).
Session:
Fixed bug #79221 (Null Pointer Dereference in PHP Session Upload Progress). (CVE-2020-7062)
Standard:
Fixed bug #78902 (Memory leak when using stream_filter_append).
Fixed bug #78969 (PASSWORD_DEFAULT should match PASSWORD_BCRYPT instead of being null).
Testing:
Fixed bug #78090 (bug45161.phpt takes forever to finish).
XSL:
Fixed bug #70078 (XSL callbacks with nodes as parameter leak memory).
Zip:
Add ZipArchive::CM_LZMA2 and ZipArchive::CM_XZ constants (since libzip 1.6.0).
Add ZipArchive::RDONLY (since libzip 1.0.0).
Add ZipArchive::ER_* missing constants.
Add ZipArchive::LIBZIP_VERSION constant.
Fixed bug #73119 (Wrong return for ZipArchive::addEmptyDir Method).

New in PHP 7.3.15 (Feb 20, 2020)

New in PHP 7.2.28 (Feb 20, 2020)

New in PHP 7.3.14 (Jan 24, 2020)

New in PHP 7.2.27 (Jan 23, 2020)

New in PHP 7.4.2 (Jan 23, 2020)

Core:
Preloading support on Windows has been disabled.
Fixed bug #79022 (class_exists returns True for classes that are not ready to be used).
Fixed bug #78929 (plus signs in cookie values are converted to spaces).
Fixed bug #78973 (Destructor during CV freeing causes segfault if opline never saved).
Fixed bug #78776 (Abstract method implementation from trait does not check "static").
Fixed bug #78999 (Cycle leak when using function result as temporary).
Fixed bug #79008 (General performance regression with PHP 7.4 on Windows).
Fixed bug #79002 (Serializing uninitialized typed properties with __sleep makes unserialize throw).
CURL:
Fixed bug #79033 (Curl timeout error with specific url and post).
Fixed bug #79063 (curl openssl does not respect PKG_CONFIG_PATH).
Date:
Fixed bug #79015 (undefined-behavior in php_date.c).
DBA:
Fixed bug #78808 ([LMDB] MDB_MAP_FULL: Environment mapsize limit reached).
Exif:
Fixed bug #79046 (NaN to int cast undefined behavior in exif).
Fileinfo:
Fixed bug #74170 (locale information change after mime_content_type).
GD:
Fixed bug #79067 (gdTransformAffineCopy() may use unitialized values).
Fixed bug #79068 (gdTransformAffineCopy() changes interpolation method).
Libxml:
Fixed bug #79029 (Use After Free's in XMLReader / XMLWriter).
Mbstring:
Fixed bug #79037 (global buffer-overflow in `mbfl_filt_conv_big5_wchar`). (CVE-2020-7060)
OPcache:
Fixed bug #78961 (erroneous optimization of re-assigned $GLOBALS).
Fixed bug #78950 (Preloading trait method with static variables).
Fixed bug #78903 (Conflict in RTD key for closures results in crash).
Fixed bug #78986 (Opcache segfaults when inheriting ctor from immutable into mutable class).
Fixed bug #79040 (Warning Opcode handlers are unusable due to ASLR).
Fixed bug #79055 (Typed property become unknown with OPcache file cache).
Pcntl:
Fixed bug #78402 (Converting null to string in error message is bad DX).
PDO_PgSQL:
Fixed bug #78983 (pdo_pgsql config.w32 cannot find libpq-fe.h).
Fixed bug #78980 (pgsqlGetNotify() overlooks dead connection).
Fixed bug #78982 (pdo_pgsql returns dead persistent connection).
Session:
Fixed bug #79091 (heap use-after-free in session_create_id()).
Fixed bug #79031 (Session unserialization problem).
Shmop:
Fixed bug #78538 (shmop memory leak).
Sqlite3:
Fixed bug #79056 (sqlite does not respect PKG_CONFIG_PATH during compilation).
Spl:
Fixed bug #78976 (SplFileObject::fputcsv returns -1 on failure).
Standard:
Fixed bug #79099 (OOB read in php_strip_tags_ex). (CVE-2020-7059)
Fixed bug #79000 (Non-blocking socket stream reports EAGAIN as error).
Fixed bug #54298 (Using empty additional_headers adding extraneous CRLF).

New in PHP 7.4.1 (Dec 18, 2019)

Bcmath:
Fixed bug #78878 (Buffer underflow in bc_shift_addsub). (CVE-2019-11046).
Core:
Fixed bug #78862 (link() silently truncates after a null byte on Windows). (CVE-2019-11044).
Fixed bug #78863 (DirectoryIterator class silently truncates after a null byte). (CVE-2019-11045).
Fixed bug #78943 (mail() may release string with refcount==1 twice). (CVE-2019-11049).
Fixed bug #78810 (RW fetches do not throw "uninitialized property" exception).
Fixed bug #78868 (Calling __autoload() with incorrect EG(fake_scope) value).
Fixed bug #78296 (is_file fails to detect file).
Fixed bug #78883 (fgets(STDIN) fails on Windows).
Fixed bug #78898 (call_user_func(['parent', ...]) fails while other succeed).
Fixed bug #78904 (Uninitialized property triggers __get()).
Fixed bug #78926 (Segmentation fault on Symfony cache:clear).
GD:
Fixed bug #78849 (GD build broken with -D SIGNED_COMPARE_SLOW).
Fixed bug #78923 (Artifacts when convoluting image with transparency).
EXIF:
Fixed bug #78793 (Use-after-free in exif parsing under memory sanitizer). (CVE-2019-11050).
Fixed bug #78910 (Heap-buffer-overflow READ in exif). (CVE-2019-11047).
FPM:
Fixed bug #76601 (Partially working php-fpm ater incomplete reload).
Fixed bug #78889 (php-fpm service fails to start).
Fixed bug #78916 (php-fpm 7.4.0 don't send mail via mail()).
Intl:
Implemented FR #78912 (INTL Support for accounting format).
Mysqlnd:
Fixed bug #78823 (ZLIB_LIBS not added to EXTRA_LIBS).
OPcache:
Fixed $x = (bool)$x; with opcache (should emit undeclared variable notice).
Fixed bug #78935 (Preloading removes classes that have dependencies).
PCRE:
Fixed bug #78853 (preg_match() may return integer > 1).
Reflection:
Fixed bug #78895 (Reflection detects abstract non-static class as abstract static. IS_IMPLICIT_ABSTRACT is not longer used).
Standard:
Fixed bug #77638 (var_export'ing certain class instances segfaults).
Fixed bug #78840 (imploding $GLOBALS crashes).
Fixed bug #78833 (Integer overflow in pack causes out-of-bound access).
Fixed bug #78814 (strip_tags allows / in tag name => whitelist bypass).

New in PHP 7.3.13 (Dec 18, 2019)

New in PHP 7.2.26 (Dec 18, 2019)

New in PHP 7.4.0 (Nov 28, 2019)

Core:
Implemented RFC: Deprecate curly brace syntax for accessing array elements and string offsets.
Implemented RFC: Deprecations for PHP 7.4.
Fixed bug #52752 (Crash when lexing).
Fixed bug #60677 (CGI doesn't properly validate shebang line contains #!).
Fixed bug #71030 (Self-assignment in list() may have inconsistent behavior).
Fixed bug #72530 (Use After Free in GC with Certain Destructors).
Fixed bug #75921 (Inconsistent: No warning in some cases when stdObj is created on the fly).
Implemented FR #76148 (Add array_key_exists() to the list of specially compiled functions).
Fixed bug #76430 (__METHOD__ inconsistent outside of method).
Fixed bug #76451 (Aliases during inheritance type checks affected by opcache).
Implemented FR #77230 (Support custom CFLAGS and LDFLAGS from environment).
Fixed bug #77345 (Stack Overflow caused by circular reference in garbage collection).
Fixed bug #77812 (Interactive mode does not support PHP 7.3-style heredoc).
Fixed bug #77877 (call_user_func() passes $this to static methods).
Fixed bug #78066 (PHP eats the first byte of a program that comes from process substitution).
Fixed bug #78151 (Segfault caused by indirect expressions in PHP 7.4a1).
Fixed bug #78154 (SEND_VAR_NO_REF does not always send reference).
Fixed bug #78182 (Segmentation fault during by-reference property assignment).
Fixed bug #78212 (Segfault in built-in webserver).
Fixed bug #78220 (Can't access OneDrive folder).
Fixed bug #78226 (Unexpected __set behavior with typed properties).
Fixed bug #78239 (Deprecation notice during string conversion converted to exception hangs).
Fixed bug #78335 (Static properties/variables containing cycles report as leak).
Fixed bug #78340 (Include of stream wrapper not reading whole file).
Fixed bug #78344 (Segmentation fault on zend_check_protected).
Fixed bug #78356 (Array returned from ArrayAccess is incorrectly unpacked as argument).
Fixed bug #78379 (Cast to object confuses GC, causes crash).
Fixed bug #78386 (fstat mode has unexpected value on PHP 7.4).
Fixed bug #78396 (Second file_put_contents in Shutdown hangs script).
Fixed bug #78406 (Broken file includes with user-defined stream filters).
Fixed bug #78438 (Corruption when __unserializing deeply nested structures).
Fixed bug #78441 (Parse error due to heredoc identifier followed by digit).
Fixed bug #78454 (Consecutive numeric separators cause OOM error).
Fixed bug #78460 (PEAR installation failure).
Fixed bug #78531 (Crash when using undefined variable as object).
Fixed bug #78535 (auto_detect_line_endings value not parsed as bool).
Fixed bug #78604 (token_get_all() does not properly tokenize FOOstat modifies $dbc->affected_rows).
Fixed bug #76809 (SSL settings aren't respected when persistent connections are used).
Fixed bug #78179 (MariaDB server version incorrectly detected).
Fixed bug #78213 (Empty row pocket).
MySQLnd:
Fixed connect_attr issues and added the _server_host connection attribute.
Fixed bug #60594 (mysqlnd exposes 160 lines of stats in phpinfo).
ODBC:
Fixed bug #78473 (odbc_close() closes arbitrary resources).
Opcache:
Implemented preloading RFC.
Add opcache.preload_user INI directive.
Added new INI directive opcache.cache_id (Windows only).
Fixed bug #78106 (Path resolution fails if opcache disabled during request).
Fixed bug #78175 (Preloading segfaults at preload time and at runtime).
Fixed bug #78202 (Opcache stats for cache hits are capped at 32bit NUM).
Fixed bug #78271 (Invalid result of if-else).
Fixed bug #78341 (Failure to detect smart branch in DFA pass).
Fixed bug #78376 (Incorrect preloading of constant static properties).
Fixed bug #78429 (opcache_compile_file(__FILE__); segfaults).
Fixed bug #78512 (Cannot make preload work).
Fixed bug #78514 (Preloading segfaults with inherited typed property).
Fixed bug #78654 (Incorrectly computed opcache checksum on files with non-ascii characters).
OpenSSL:
Added TLS 1.3 support to streams including new tlsv1.3 stream.
Added openssl_x509_verify function.
openssl_random_pseudo_bytes() now throws in error conditions.
Changed the default config path (Windows only).
Fixed bug #78231 (Segmentation fault upon stream_socket_accept of exported socket-to-stream).
Fixed bug #78391 (Assertion failure in openssl_random_pseudo_bytes).
Fixed bug #78775 (TLS issues from HTTP request affecting other encrypted connections).
Pcntl:
Fixed bug #77335 (PHP is preventing SIGALRM from specifying SA_RESTART).
PCRE:
Implemented FR #77094 (Support flags in preg_replace_callback).
Fixed bug #72685 (Repeated UTF-8 validation of same string in UTF-8 mode).
Fixed bug #73948 (Preg_match_all should return NULLs on trailing optional capture groups).
Fixed bug #78338 (Array cross-border reading in PCRE).
Fixed bug #78349 (Bundled pcre2 library missing LICENCE file).
PDO:
Implemented FR #71885 (Allow escaping question mark placeholders). https://wiki.php.net/rfc/pdo_escape_placeholders
Fixed bug #77849 (Disable cloning of PDO handle/connection objects).
Implemented FR #78033 (PDO - support username and password specified in DSN).
PDO_Firebird:
Implemented FR #65690 (PDO_Firebird should also support dialect 1).
Implemented FR #77863 (PDO firebird support type Boolean in input parameters).
PDO_MySQL:
Fixed bug #41997 (SP call yields additional empty result set).
Fixed bug #78623 (Regression caused by "SP call yields additional empty result set").
PDO_OCI:
Support Oracle Database tracing attributes ACTION, MODULE, CLIENT_INFO, and CLIENT_IDENTIFIER.
Implemented FR #76908 (PDO_OCI getColumnMeta() not implemented).
PDO_SQLite:
Implemented sqlite_stmt_readonly in PDO_SQLite.
Raised requirements to SQLite 3.5.0.
Fixed bug #78192 (SegFault when reuse statement after schema has changed).
Fixed bug #78348 (Remove -lrt from pdo_sqlite.so).
Phar:
Fixed bug #77919 (Potential UAF in Phar RSHUTDOWN).
phpdbg:
Fixed bug #76596 (phpdbg support for display_errors=stderr).
Fixed bug #76801 (too many open files).
Fixed bug #77800 (phpdbg segfaults on listing some conditional breakpoints).
Fixed bug #77805 (phpdbg build fails when readline is shared).
Recode:
Unbundled the recode extension.
Reflection:
Fixed bug #76737 (Unserialized reflection objects are broken, they shouldn't be serializable).
Fixed bug #78263 (ReflectionReference::fromArrayElement() returns null while item is a reference).
Fixed bug #78410 (Cannot "manually" unserialize class that is final and extends an internal one).
Fixed bug #78697 (ReflectionClass::implementsInterface - inaccurate error message with traits).
Fixed bug #78774 (ReflectionNamedType on Typed Properties Crash).
Session:
Fixed bug #78624 (session_gc return value for user defined session handlers).
SimpleXML:
Implemented FR #65215 (SimpleXMLElement could register as implementing Countable).
Fixed bug #75245 (Don't set content of elements with only whitespaces).
Sockets:
Fixed bug #67619 (Validate length on socket_write).
Fixed bug #78665 (Multicasting may leak memory).
sodium:
Fixed bug #77646 (sign_detached() strings not terminated).
Fixed bug #78510 (Partially uninitialized buffer returned by sodium_crypto_generichash_init()).
Fixed bug #78516 (password_hash(): Memory cost is not in allowed range).
SPL:
Fixed bug #77518 (SeekableIterator::seek() should accept 'int' typehint as documented).
Fixed bug #78409 (Segfault when creating instance of ArrayIterator without constructor).
Fixed bug #78436 (Missing addref in SplPriorityQueue EXTR_BOTH mode).
Fixed bug #78456 (Segfault when serializing SplDoublyLinkedList).
SQLite3:
Unbundled libsqlite.
Raised requirements to SQLite 3.7.4.
Forbid (un)serialization of SQLite3, SQLite3Stmt and SQLite3Result.
Added support for the SQLite @name notation.
Added SQLite3Stmt::getSQL() to retrieve the SQL of the statement.
Implement FR ##70950 (Make SQLite3 Online Backup API available).
Standard:
Implemented RFC password hashing registry.
Implemented RFC where password_hash() has argon2i(d) implementations from ext/sodium when PHP is built without libargon.
Implemented FR #38301 (field enclosure behavior in fputcsv).
Implemented FR #51496 (fgetcsv should take empty string as an escape).
Fixed bug #73535 (php_sockop_write() returns 0 on error, can be used to trigger Denial of Service).
Fixed bug #74764 (Bindto IPv6 works with file_get_contents but fails with stream_socket_client).
Fixed bug #76859 (stream_get_line skips data if used with data-generating filter).
Implemented FR #77377 (No way to handle CTRL+C in Windows).
Fixed bug #77930 (stream_copy_to_stream should use mmap more often).
Implemented FR #78177 (Make proc_open accept command array).
Fixed bug #78208 (password_needs_rehash() with an unknown algo should always return true).
Fixed bug #78241 (touch() does not handle dates after 2038 in PHP 64-bit).
Fixed bug #78282 (atime and mtime mismatch).
Fixed bug #78326 (improper memory deallocation on stream_get_contents() with fixed length buffer).
Fixed bug #78346 (strip_tags no longer handling nested php tags).
Fixed bug #78506 (Error in a php_user_filter::filter() is not reported).
Fixed bug #78549 (Stack overflow due to nested serialized input).
Fixed bug #78759 (array_search in $GLOBALS).
Testing:
Fixed bug #78684 (PCRE bug72463_2 test is sending emails on Linux).
Tidy:
Added TIDY_TAG_* constants for HTML5 elements.
Fixed bug #76736 (wrong reflection for tidy_get_head, tidy_get_html, tidy_get_root, and tidy_getopt)
WDDX:
Deprecated and unbundled the WDDX extension.
Zip:
Fixed bug #78641 (addGlob can modify given remove_path value).

New in PHP 7.3.12 (Nov 22, 2019)

New in PHP 7.3.11 (Oct 24, 2019)

New in PHP 7.2.24 (Oct 24, 2019)

New in PHP 7.2.23 (Sep 27, 2019)

New in PHP 7.3.10 (Sep 26, 2019)

New in PHP 7.1.32 (Aug 30, 2019)

New in PHP 7.2.22 (Aug 30, 2019)

New in PHP 7.3.9 (Aug 29, 2019)

New in PHP 7.1.31 (Aug 2, 2019)

New in PHP 7.3.8 (Aug 1, 2019)

New in PHP 7.2.21 (Aug 1, 2019)

New in PHP 7.3.7 (Jul 4, 2019)

New in PHP 7.2.20 (Jul 4, 2019)

New in PHP 7.1.30 (May 31, 2019)

New in PHP 7.2.19 (May 31, 2019)

New in PHP 7.3.6 (May 30, 2019)

New in PHP 7.1.29 (May 3, 2019)

New in PHP 7.2.18 (May 2, 2019)

New in PHP 7.3.5 (May 2, 2019)

New in PHP 7.1.28 (Apr 5, 2019)

New in PHP 7.2.17 (Apr 5, 2019)

New in PHP 7.3.4 (Apr 4, 2019)

New in PHP 7.1.27 (Mar 7, 2019)

New in PHP 7.2.16 (Mar 7, 2019)

New in PHP 7.3.3 (Mar 7, 2019)

New in PHP 7.2.15 (Feb 7, 2019)

New in PHP 7.3.2 (Feb 7, 2019)

Core:
Fixed bug #77369 (memcpy with negative length via crafted DNS response).
Fixed bug #77387 (Recursion detection broken when printing GLOBALS).
Fixed bug #77376 ("undefined function" message no longer includes namespace).
Fixed bug #77357 (base64_encode / base64_decode doest not work on nested VM).
Fixed bug #77339 (__callStatic may get incorrect arguments).
Fixed bug #77317 (__DIR__, __FILE__, realpath() reveal physical path for subst virtual drive).
Fixed bug #77263 (Segfault when using 2 RecursiveFilterIterator).
Fixed bug #77447 (PHP 7.3 built with ASAN crashes in zend_cpu_supports_avx2).
Fixed bug #77484 (Zend engine crashes when calling realpath in invalid working dir).
Curl:
Fixed bug #76675 (Segfault with H2 server push).
Fileinfo:
Fixed bug #77346 (webm files incorrectly detected as application/octet-stream).
FPM:
Fixed bug #77430 (php-fpm crashes with Main process exited, code=dumped, status=11/SEGV).
GD:
Fixed bug #73281 (imagescale(…, IMG_BILINEAR_FIXED) can cause black border).
Fixed bug #73614 (gdImageFilledArc() doesn't properly draw pies).
Fixed bug #77272 (imagescale() may return image resource on failure).
Fixed bug #77391 (1bpp BMPs may fail to be loaded).
Fixed bug #77479 (imagewbmp() segfaults with very large images).
ldap:
Fixed bug #77440 (ldap_bind using ldaps or ldap_start_tls()=exception in libcrypto-1_1-x64.dll).
Mbstring:
Fixed bug #77428 (mb_ereg_replace() doesn't replace a substitution variable).
Fixed bug #77454 (mb_scrub() silently truncates after a null byte).
MySQLnd:
Fixed bug #77308 (Unbuffered queries memory leak).
Fixed bug #75684 (In mysqlnd_ext_plugin.h the plugin methods family has no external visibility).
Opcache:
Fixed bug #77266 (Assertion failed in dce_live_ranges).
Fixed bug #77257 (value of variable assigned in a switch() construct gets lost).
Fixed bug #77434 (php-fpm workers are segfaulting in zend_gc_addre).
Fixed bug #77361 (configure fails on 64-bit AIX when opcache enabled).
Fixed bug #77287 (Opcache literal compaction is incompatible with EXT opcodes).
PCRE:
Fixed bug #77338 (get_browser with empty string).
PDO:
Fixed bug #77273 (array_walk_recursive corrupts value types leading to PDO failure).
PDO MySQL:
Fixed bug #77289 (PDO MySQL segfaults with persistent connection).
SOAP:
Fixed bug #77410 (Segmentation Fault when executing method with an empty parameter).
Sockets:
Fixed bug #76839 (socket_recvfrom may return an invalid 'from' address on MacOS).
SPL:
Fixed bug #77298 (segfault occurs when add property to unserialized empty ArrayObject).
Standard:
Fixed bug #77395 (segfault about array_multisort).
Fixed bug #77439 (parse_str segfaults when inserting item into existing array).

New in PHP 7.1.26 (Jan 11, 2019)

New in PHP 7.3.1 (Jan 10, 2019)

Core:
Fixed bug #76654 (Build failure on Mac OS X on 32-bit Intel).
Fixed bug #71041 (zend_signal_startup() needs ZEND_API).
Fixed bug #76046 (PHP generates "FE_FREE" opcode on the wrong line).
Fixed bug #77291 (magic methods inherited from a trait may be ignored).
CURL:
Fixed bug #77264 (curl_getinfo returning microseconds, not seconds).
COM:
Fixed bug #77177 (Serializing or unserializing COM objects crashes).
Exif:
Fixed bug #77184 (Unsigned rational numbers are written out as signed rationals).
GD:
Fixed bug #77195 (Incorrect error handling of imagecreatefromjpeg()).
Fixed bug #77198 (auto cropping has insufficient precision).
Fixed bug #77200 (imagecropauto(…, GD_CROP_SIDES) crops left but not right).
Fixed bug #77269 (efree() on uninitialized Heap data in imagescale leads to use-after-free).
Fixed bug #77270 (imagecolormatch Out Of Bounds Write on Heap).
MBString:
Fixed bug #77367 (Negative size parameter in mb_split).
Fixed bug #77370 (Buffer overflow on mb regex functions - fetch_token).
Fixed bug #77371 (heap buffer overflow in mb regex functions - compile_string_node).
Fixed bug #77381 (heap buffer overflow in multibyte match_at).
Fixed bug #77382 (heap buffer overflow due to incorrect length in expand_case_fold_string).
Fixed bug #77385 (buffer overflow in fetch_token).
Fixed bug #77394 (Buffer overflow in multibyte case folding - unicode).
Fixed bug #77418 (Heap overflow in utf32be_mbc_to_code).
OCI8:
Fixed bug #76804 (oci_pconnect with OCI_CRED_EXT not working).
Added oci_set_call_timeout() for call timeouts.
Added oci_set_db_operation() for the DBOP end-to-end-tracing attribute.
Opcache:
Fixed bug #77215 (CFG assertion failure on multiple finalizing switch frees in one block).
Fixed bug #77275 (OPcache optimization problem for ArrayAccess->offsetGet).
PCRE:
Fixed bug #77193 (Infinite loop in preg_replace_callback).
PDO:
Handle invalid index passed to PDOStatement::fetchColumn() as error.
Phar:
Fixed bug #77247 (heap buffer overflow in phar_detect_phar_fname_ext).
Soap:
Fixed bug #77088 (Segfault when using SoapClient with null options).
Sockets:
Fixed bug #77136 (Unsupported IPV6_RECVPKTINFO constants on macOS).
Sodium:
Fixed bug #77297 (SodiumException segfaults on PHP 7.3).
SPL:
Fixed bug #77359 (spl_autoload causes segfault).
Fixed bug #77360 (class_uses causes segfault).
SQLite3:
Fixed bug #77051 (Issue with re-binding on SQLite3).
Xmlrpc:
Fixed bug #77242 (heap out of bounds read in xmlrpc_decode()).
Fixed bug #77380 (Global out of bounds read in xmlrpc base64 code).

New in PHP 7.2.14 (Jan 10, 2019)

Core:
Fixed bug #77369 (memcpy with negative length via crafted DNS response).
Fixed bug #71041 (zend_signal_startup() needs ZEND_API).
Fixed bug #76046 (PHP generates "FE_FREE" opcode on the wrong line).
COM:
Fixed bug #77177 (Serializing or unserializing COM objects crashes).
Date:
Fixed bug #77097 (DateTime::diff gives wrong diff when the actual diff is less than 1 second).
Exif:
Fixed bug #77184 (Unsigned rational numbers are written out as signed rationals).
GD:
Fixed bug #77269 (efree() on uninitialized Heap data in imagescale leads to use-after-free).
Fixed bug #77270 (imagecolormatch Out Of Bounds Write on Heap).
Fixed bug #77195 (Incorrect error handling of imagecreatefromjpeg()).
Fixed bug #77198 (auto cropping has insufficient precision).
Fixed bug #77200 (imagecropauto(…, GD_CROP_SIDES) crops left but not right).
IMAP:
Fixed bug #77020 (null pointer dereference in imap_mail).
Mbstring:
Fixed bug #77370 (Buffer overflow on mb regex functions - fetch_token).
Fixed bug #77371 (heap buffer overflow in mb regex functions - compile_string_node).
Fixed bug #77381 (heap buffer overflow in multibyte match_at).
Fixed bug #77382 (heap buffer overflow due to incorrect length in expand_case_fold_string).
Fixed bug #77385 (buffer overflow in fetch_token).
Fixed bug #77394 (Buffer overflow in multibyte case folding - unicode).
Fixed bug #77418 (Heap overflow in utf32be_mbc_to_code).
OCI8:
Fixed bug #76804 (oci_pconnect with OCI_CRED_EXT not working).
Added oci_set_call_timeout() for call timeouts.
Added oci_set_db_operation() for the DBOP end-to-end-tracing attribute.
Opcache:
Fixed bug #77215 (CFG assertion failure on multiple finalizing switch frees in one block).
PDO:
Handle invalid index passed to PDOStatement::fetchColumn() as error.
Phar:
Fixed bug #77247 (heap buffer overflow in phar_detect_phar_fname_ext).
Sockets:
Fixed bug #77136 (Unsupported IPV6_RECVPKTINFO constants on macOS).
SQLite3:
Fixed bug #77051 (Issue with re-binding on SQLite3).
Xmlrpc:
Fixed bug #77242 (heap out of bounds read in xmlrpc_decode()).
Fixed bug #77380 (Global out of bounds read in xmlrpc base64 code).

New in PHP 7.0.33 (Dec 7, 2018)

New in PHP 7.3.0 (Dec 7, 2018)

Core:
Improved PHP GC.
Redesigned the old ext_skel program written in PHP, run: 'php ext_skel.php' for all options. This means there are no dependencies, thus making it work on Windows out of the box.
Removed support for BeOS.
Add PHP_VERSION to phpinfo() .
Add net_get_interfaces().
Implemented flexible heredoc and nowdoc syntax, per RFC https://wiki.php.net/rfc/flexible_heredoc_nowdoc_syntaxes.
Added support for references in list() and array destructuring, per RFC https://wiki.php.net/rfc/list_reference_assignment.
Improved effectiveness of ZEND_SECURE_ZERO for NetBSD and systems without native similar feature.
Added syslog.facility and syslog.ident INI entries for customizing syslog logging.
Fixed bug #75683 (Memory leak in zend_register_functions() in ZTS mode).
Fixed bug #75031 (support append mode in temp/memory streams).
Fixed bug #74860 (Uncaught exceptions not being formatted properly when error_log set to "syslog").
Fixed bug #75220 (Segfault when calling is_callable on parent).
Fixed bug #69954 (broken links and unused config items in distributed ini files).
Fixed bug #74922 (Composed class has fatal error with duplicate, equal const properties).
Fixed bug #63911 (identical trait methods raise errors during composition).
Fixed bug #75677 (Clang ignores fastcall calling convention on variadic function).
Fixed bug #54043 (Remove inconsitency of internal exceptions and user defined exceptions).
Fixed bug #53033 (Mathematical operations convert objects to integers).
Fixed bug #73108 (Internal class cast handler uses integer instead of float).
Fixed bug #75765 (Fatal error instead of Error exception when base class is not found).
Fixed bug #76198 (Wording: "iterable" is not a scalar type).
Fixed bug #76137 (config.guess/config.sub do not recognize RISC-V).
Fixed bug #76427 (Segfault in zend_objects_store_put).
Fixed bug #76422 (ftruncate fails on files > 2GB).
Fixed bug #76509 (Inherited static properties can be desynchronized from their parent by ref).
Fixed bug #76439 (Changed behaviour in unclosed HereDoc).
Fixed bug #63217 (Constant numeric strings become integers when used as ArrayAccess offset).
Fixed bug #33502 (Some nullary functions don't check the number of arguments).
Fixed bug #76392 (Error relocating sapi/cli/php: unsupported relocation type 37).
The declaration and use of case-insensitive constants has been deprecated.
Added syslog.filter INI entry for syslog filtering.
Fixed bug #76667 (Segfault with divide-assign op and __get + __set).
Fixed bug #76030 (RE2C_FLAGS rarely honoured) (Cristian Rodríguez)
Fixed broken zend_read_static_property (Laruence)
Fixed bug #76773 (Traits used on the parent are ignored for child classes).
Fixed bug #76767 (‘asm’ operand has impossible constraints in zend_operators.h).
Fixed bug #76752 (Crash in ZEND_COALESCE_SPEC_TMP_HANDLER - assertion in _get_zval_ptr_tmp failed).
Fixed bug #76820 (Z_COPYABLE invalid definition).
Fixed bug #76510 (file_exists() stopped working for phar://).
Fixed bug #76869 (Incorrect bypassing protected method accessibilty check).
Fixed bug #72635 (Undefined class used by class constant in constexpr generates fatal error).
Fixed bug #76947 (file_put_contents() blocks the directory of the file (__DIR__)).
Fixed bug #76979 (define() error message does not mention resources as valid values).
Fixed bug #76825 (Undefined symbols ___cpuid_count).
Fixed bug #77110 (undefined symbol zend_string_equal_val in C++ build).
Fixed bug #77231 (Segfault when using convert.quoted-printable-encode filter).
BCMath:
Implemented FR #67855 (No way to get current scale in use).
Fixed bug #66364 (BCMath bcmul ignores scale parameter).
Fixed bug #75164 (split_bc_num() is pointless).
Fixed bug #75169 (BCMath errors/warnings bypass PHP's error handling).
CLI:
Fixed bug #44217 (Output after stdout/stderr closed cause immediate exit with status 0).
Fixed bug #77111 (php-win.exe corrupts unicode symbols from cli parameters).
cURL:
Expose curl constants from curl 7.50 to 7.61.
Fixed bug #74125 (Fixed finding CURL on systems with multiarch support).
Date:
Implemented FR #74668: Add DateTime::createFromImmutable() method.
Fixed bug #75222 (DateInterval microseconds property always 0).
Fixed bug #68406 (calling var_dump on a DateTimeZone object modifies it).
Fixed bug #76131 (mismatch arginfo for date_create).
Updated timelib to 2018.01RC1 to address several bugs:
Fixed bug #75577 (DateTime::createFromFormat does not accept 'v' format specifier).
Fixed bug #75642 (Wrap around behaviour for microseconds is not working).
Fixed bug #77097 (DateTime::diff gives wrong diff when the actual diff is less than 1 second).
DBA:
Fixed bug #75264 (compiler warnings emitted).
DOM:
Fixed bug #76285 (DOMDocument::formatOutput attribute sometimes ignored).
Fileinfo:
Fixed bug #77095 (slowness regression in 7.2/7.3 (compared to 7.1)).
Filter:
Added the 'add_slashes' sanitization mode (FILTER_SANITIZE_ADD_SLASHES).
FPM:
Added fpm_get_status function.
Fixed bug #62596 (getallheaders() missing with PHP-FPM).
Fixed bug #69031 (Long messages into stdout/stderr are truncated incorrectly) - added new log related FPM configuration options: log_limit, log_buffering and decorate_workers_output.
ftp:
Fixed bug #77151 (ftp_close(): SSL_read on shutdown).
GD:
Added support for WebP in imagecreatefromstring().
GMP:
Export internal structures and accessor helpers for GMP object.
Added gmp_binomial(n, k).
Added gmp_lcm(a, b).
Added gmp_perfect_power(a).
Added gmp_kronecker(a, b).
iconv:
Fixed bug #53891 (iconv_mime_encode() fails to Q-encode UTF-8 string).
Fixed bug #77147 (Fixing 60494 ignored ICONV_MIME_DECODE_CONTINUE_ON_ERROR).
IMAP:
Fixed bug #77153 (imap_open allows to run arbitrary shell commands via mailbox parameter).
Fixed bug #77020 (null pointer dereference in imap_mail).
Interbase:
Fixed bug #75453 (Incorrect reflection for ibase_[p]connect).
Fixed bug #76443 (php+php_interbase.dll crash on module_shutdown).
intl:
Fixed bug #75317 (UConverter::setDestinationEncoding changes source instead of destination).
Fixed bug #76829 (Incorrect validation of domain on idn_to_utf8() function).
JSON:
Added JSON_THROW_ON_ERROR flag.
LDAP:
Added ldap_exop_refresh helper for EXOP REFRESH operation with dds overlay.
Added full support for sending and parsing ldap controls.
Fixed bug #49876 (Fix LDAP path lookup on 64-bit distros).
libxml2:
Fixed bug #75871 (use pkg-config where available).
litespeed:
Fixed bug #75248 (Binary directory doesn't get created when building only litespeed SAPI).
Fixed bug #75251 (Missing program prefix and suffix).
MBstring:
Updated to Oniguruma 6.9.0.
Fixed bug #65544 (mb title case conversion-first word in quotation isn't capitalized).
Fixed bug #71298 (MB_CASE_TITLE misbehaves with curled apostrophe/quote).
Fixed bug #73528 (Crash in zif_mb_send_mail).
Fixed bug #74929 (mbstring functions version 7.1.1 are slow compared to 5.3 on Windows).
Fixed bug #76319 (mb_strtolower with invalid UTF-8 causes segmentation fault).
Fixed bug #76574 (use of undeclared identifiers INT_MAX and LONG_MAX).
Fixed bug #76594 (Bus Error due to unaligned access in zend_ini.c OnUpdateLong).
Fixed bug #76706 (mbstring.http_output_conv_mimetypes is ignored).
Fixed bug #76958 (Broken UTF7-IMAP conversion).
Fixed bug #77025 (mb_strpos throws Unknown encoding or conversion error).
Fixed bug #77165 (mb_check_encoding crashes when argument given an empty array).
Mysqlnd:
Fixed bug #76386 (Prepared Statement formatter truncates fractional seconds from date/time column).
ODBC:
Removed support for ODBCRouter.
Removed support for Birdstep.
Fixed bug #77079 (odbc_fetch_object has incorrect type signature).
Opcache:
Fixed bug #76466 (Loop variable confusion).
Fixed bug #76463 (var has array key type but not value type).
Fixed bug #76446 (zend_variables.c:73: zend_string_destroy: Assertion `!(zval_gc_flags((str)->gc)).
Fixed bug #76711 (OPcache enabled triggers false-positive "Illegal string offset").
Fixed bug #77058 (Type inference in opcache causes side effects).
Fixed bug #77092 (array_diff_key() - segmentation fault).
OpenSSL:
Added openssl_pkey_derive function.
Add min_proto_version and max_proto_version ssl stream options as well as related constants for possible TLS protocol values.
PCRE:
Implemented https://wiki.php.net/rfc/pcre2-migration.
Upgrade PCRE2 to 10.32.
Fixed bug #75355 (preg_quote() does not quote # control character).
Fixed bug #76512 (w no longer includes unicode characters).
Fixed bug #76514 (Regression in preg_match makes it fail with PREG_JIT_STACKLIMIT_ERROR).
Fixed bug #76909 (preg_match difference between 7.3 and < 7.3).
PDO_DBlib:
Implemented FR #69592 (allow 0-column rowsets to be skipped automatically).
Expose TDS version as PDO::DBLIB_ATTR_TDS_VERSION attribute on PDO instance.
Treat DATETIME2 columns like DATETIME.
Fixed bug #74243 (allow locales.conf to drive datetime format).
PDO_Firebird:
Fixed bug #74462 (PDO_Firebird returns only NULLs for results with boolean for FIREBIRD >= 3.0).
PDO_OCI:
Fixed bug #74631 (PDO_PCO with PHP-FPM: OCI environment initialized before PHP-FPM sets it up).
PDO SQLite:
Add support for additional open flags
pgsql:
Added new error constants for pg_result_error(): PGSQL_DIAG_SCHEMA_NAME, PGSQL_DIAG_TABLE_NAME, PGSQL_DIAG_COLUMN_NAME, PGSQL_DIAG_DATATYPE_NAME, PGSQL_DIAG_CONSTRAINT_NAME and PGSQL_DIAG_SEVERITY_NONLOCALIZED.
Fixed bug #77047 (pg_convert has a broken regex for the 'TIME WITHOUT TIMEZONE' data type).
phar:
Fixed bug #74991 (include_path has a 4096 char limit in some cases).
Fixed bug #65414 (deal with leading slash when adding files correctly).
Fixed bug #77022 (PharData always creates new files with mode 0666).
Fixed bug #77143 (Heap Buffer Overflow (READ: 4) in phar_parse_pharfile).
readline:
Added completion_append_character and completion_suppress_append options to readline_info() if linked against libreadline.
Session:
Fixed bug #74941 (session fails to start after having headers sent).
SimpleXML:
Fixed bug #54973 (SimpleXML casts integers wrong).
Fixed bug #76712 (Assignment of empty string creates extraneous text node).
Sockets:
Fixed bug #67619 (Validate length on socket_write).
SOAP:
Fixed bug #75464 (Wrong reflection on SoapClient::__setSoapHeaders).
Fixed bug #70469 (SoapClient generates E_ERROR even if exceptions=1 is used).
Fixed bug #50675 (SoapClient can't handle object references correctly).
Fixed bug #76348 (WSDL_CACHE_MEMORY causes Segmentation fault).
Fixed bug #77141 (Signedness issue in SOAP when precision=-1).
SPL:
Fixed bug #74977 (Appending AppendIterator leads to segfault).
Fixed bug #75173 (incorrect behavior of AppendIterator::append in foreach loop).
Fixed bug #74372 (autoloading file with syntax error uses next autoloader, may hide parse error).
Fixed bug #75878 (RecursiveTreeIterator::setPostfix has wrong signature).
Fixed bug #74519 (strange behavior of AppendIterator).
Fixed bug #76131 (mismatch arginfo for splarray constructor).
SQLite3:
Updated bundled libsqlite to 3.24.0.
Standard:
Added is_countable() function.
Added support for the SameSite cookie directive, including an alternative signature for setcookie(), setrawcookie() and session_set_cookie_params().
Remove superfluous warnings from inet_ntop()/inet_pton().
Fixed bug #75916 (DNS_CAA record results contain garbage).
Fixed unserialize(), to disable creation of unsupported data structures through manually crafted strings.
Fixed bug #75409 (accept EFAULT in addition to ENOSYS as indicator that getrandom() is missing).
Fixed bug #74719 (fopen() should accept NULL as context).
Fixed bug #69948 (path/domain are not sanitized in setcookie).
Fixed bug #75996 (incorrect url in header for mt_rand).
Added hrtime() function, to get high resolution time.
Fixed bug #48016 (stdClass::__setState is not defined although var_export() uses it).
Fixed bug #76136 (stream_socket_get_name should enclose IPv6 in brackets).
Fixed bug #76688 (Disallow excessive parameters after options array).
Fixed bug #76713 (Segmentation fault caused by property corruption).
Fixed bug #76755 (setcookie does not accept "double" type for expire time).
Fixed bug #76674 (improve array_* failure messages exposing what was passed instead of an array).
Fixed bug #76803 (ftruncate changes file pointer).
Fixed bug #76818 (Memory corruption and segfault).
Fixed bug #77081 (ftruncate() changes seek pointer in c mode).
Testing:
Implemented FR #62055 (Make run-tests.php support --CGI-- sections).
Tidy:
Support using tidyp instead of tidy.
Fixed bug #74707 (Tidy has incorrect ReflectionFunction param counts for functions taking tidy).
Fixed arginfo for tidy::__construct().
Tokenizer:
Fixed bug #76437 (token_get_all with TOKEN_PARSE flag fails to recognise close tag).
Fixed bug #75218 (Change remaining uncatchable fatal errors for parsing into ParseError).
Fixed bug #76538 (token_get_all with TOKEN_PARSE flag fails to recognise close tag with newline).
Fixed bug #76991 (Incorrect tokenization of multiple invalid flexible heredoc strings).
XML:
Fixed bug #71592 (External entity processing never fails).
Zlib:
Added zlib/level context option for compress.zlib wrapper.

New in PHP 7.1.24 (Nov 9, 2018)

New in PHP 7.2.12 (Nov 8, 2018)

New in PHP 7.2.11 (Oct 16, 2018)

New in PHP 7.1.23 (Oct 16, 2018)

New in PHP 7.3.0 RC 2 (Sep 28, 2018)

New in PHP 7.3.0 RC 1 (Sep 14, 2018)

New in PHP 7.2.10 (Sep 14, 2018)

New in PHP 7.1.22 (Sep 14, 2018)

New in PHP 7.0.32 (Sep 14, 2018)

New in PHP 7.2.9 (Aug 15, 2018)

New in PHP 7.3.0 Beta 2 (Aug 14, 2018)

New in PHP 7.2.8 (Jul 17, 2018)

New in PHP 7.2.6 (May 25, 2018)

New in PHP 7.2.6 RC 1 (May 11, 2018)

New in PHP 7.2.5 (Apr 25, 2018)

New in PHP 7.2.4 RC 1 (Mar 16, 2018)

New in PHP 7.2.3 (Mar 1, 2018)

New in PHP 7.2.2 (Feb 1, 2018)

New in PHP 7.2.2 RC 1 (Jan 16, 2018)

Core:
Fixed bug #75742 (potential memleak in internal classes's static members). (Laruence)
Fixed bug #75679 (Path 260 character problem). (Anatol)
Fixed bug #75614 (Some non-portable == in shell scripts). (jdolecek)
Fixed bug #75786 (segfault when using spread operator on generator passed by reference). (Nikita)
Fixed bug #75799 (arg of get_defined_functions is optional). (carusogabriel)
Fixed bug #75396 (Exit inside generator finally results in fatal error). (Nikita)
FCGI:
Fixed bug #75794 (getenv() crashes on Windows 7.2.1 when second parameter is false). (Anatol)
IMAP:
Fixed bug #75774 (imap_append HeapCorruction). (Anatol)
Opcache:
Fixed bug #75687 (var 8 (TMP) has array key type but not value type). (Nikita, Laruence)
Fixed bug #75698 (Using @ crashes php7.2-fpm). (Nikita)
PDO:
Fixed bug #75616 (PDO extension doesn't allow to be built shared on Darwin). (jdolecek)
PDO MySQL:
Fixed bug #75615 (PDO Mysql module can't be built as module). (jdolecek)
Opcache:
Fixed bug #75720 (File cache not populated after SHM runs full). (Dmitry)
Fixed bug #75579 (Interned strings buffer overflow may cause crash). (Dmitry)
PGSQL:
Fixed bug #75671 (pg_version() crashes when called on a connection to cockroach). (magicaltux at gmail dot com)
Readline:
Fixed bug #75775 (readline_read_history segfaults with empty file). (Anatol)
SAPI:
Fixed bug #75735 ([embed SAPI] Segmentation fault in sapi_register_post_entry). (Laruence)
SOAP:
Fixed bug #70469 (SoapClient generates E_ERROR even if exceptions=1 is used). (Anton Artamonov)
Fixed bug #75502 (Segmentation fault in zend_string_release). (Nikita)
SPL:
Fixed bug #75717 (RecursiveArrayIterator does not traverse arrays by reference). (Nikita)
Fixed bug #75242 (RecursiveArrayIterator doesn't have constants from parent class). (Nikita)
Fixed bug #73209 (RecursiveArrayIterator does not iterate object properties). (Nikita)
Standard:
Fixed bug #75781 (substr_count incorrect result). (Laruence)
Fixed bug #75653 (array_values don't work on empty array). (Nikita)
Zip:
Display headers (buildtime) and library (runtime) versions in phpinfo (with libzip >= 1.3.1). (Remi)

New in PHP 7.2.1 (Jan 5, 2018)

New in PHP 7.2.1 RC 1 (Dec 15, 2017)

New in PHP 7.2.0 (Dec 4, 2017)

New in PHP 7.1.12 (Nov 24, 2017)

New in PHP 7.2.0 RC 6 (Nov 21, 2017)

New in PHP 7.2.0 RC 5 (Oct 29, 2017)

New in PHP 7.1.11 (Oct 25, 2017)

New in PHP 7.1.10 (Sep 29, 2017)

New in PHP 7.1.10 RC 1 (Sep 17, 2017)

New in PHP 7.2.0 RC 2 (Sep 17, 2017)

New in PHP 7.1.9 (Sep 1, 2017)

New in PHP 7.1.8 (Aug 2, 2017)

New in PHP 7.1.7 (Jul 5, 2017)

New in PHP 7.2.0 Alpha 3 (Jul 4, 2017)

New in PHP 7.1.7 RC (Jun 23, 2017)

New in PHP 7.2.0 Alpha 2 (Jun 20, 2017)

New in PHP 7.1.6 (Jun 9, 2017)

New in PHP 7.2.0 Alpha 1 (Jun 7, 2017)

Core:
Added ZEND_COUNT, ZEND_GET_CLASS, ZEND_GET_CALLED_CLASS, ZEND_GET_TYPE, ZEND_FUNC_NUM_ARGS, ZEND_FUNC_GET_ARGS instructions, to implement corresponding builtin functions. (Dmitry)
"Countable" interface is moved from SPL to Core. (Dmitry)
Added ZEND_IN_ARRAY instruction, implementing optimized in_array() builtin function, through hash lookup in flipped array. (Dmitry)
Removed IS_TYPE_IMMUTABLE (it's the same as COPYABLE & !REFCOUNTED). (Dmitry)
Removed the sql.safe_mode directive. (Kalle)
Removed support for Netware. (Kalle)
Renamed ReflectionClass::isIterateable() to ReflectionClass::isIterable() (alias original name for BC). (Sara)
Fixed bug #54535 (WSA cleanup executes before MSHUTDOWN). (Kalle)
Implemented FR #69791 (Disallow mail header injections by extra headers) (Yasuo)
Implemented FR #49806 (proc_nice() for Windows). (Kalle)
Fix pthreads detection when cross-compiling (ffontaine)
Fixed memory leaks caused by exceptions thrown from destructors. (Bob, Dmitry).
Fixed bug #73215 (uniqid() should use better random source). (Yasuo)
Fixed bug #73337 (try/catch not working with two exceptions inside a same operation). (Dmitry)
Implemented FR #72768 (Add ENABLE_VIRTUAL_TERMINAL_PROCESSING flag for php.exe). (Michele Locati)
Implemented "Convert numeric keys in object/array casts" RFC, fixes bugs #53838, #61655, #66173, #70925, #72254, etc. (Andrea)
Implemented "Deprecate and Remove Bareword (Unquoted) Strings" RFC. (Rowan Collins)
Raised minimum supported Windows versions to Windows 7/Server 2008 R2. (Anatol)
Implemented minor optimization in array_keys/array_values(). (Sara)
Fixed bug #73969 (segfault in debug_print_backtrace). (andrewnester)
Added PHP_OS_FAMILY constant to determine on which OS we are. (Jan Altensen)
Fixed bug #73994 (arginfo incorrect for unpack). (krakjoe)
Fixed bug #73973 (assertion error in debug_zval_dump). (andrewnester)
Fixed bug #73987 (Method compatibility check looks to original definition and not parent). (pmmaga)
Fixed bug #73991 (JSON_OBJECT_AS_ARRAY not respected). (Sara)
Fixed bug #74053 (Corrupted class entries on shutdown when a destructor spawns another object). (jim at commercebyte dot com)
Fixed bug #73971 (Filename got limited to MAX_PATH on Win32 when scan directory). (Anatol)
Fixed bug #74149 (static embed SAPI linkage error). (krakjoe)
Fixed bug #72359, bug #72451, bug #73706, bug #71115 and others related to interned strings handling in TS builds. (Anatol, Dmitry)
Implemented "Trailing Commas In List Syntax" RFC for group use lists only. (Sammy Kaye Powers)
Fixed bug #74269 (It's possible to override trait property with different loosely-equal value). (pmmaga)
Fixed bug #61970 (Restraining __construct() access level in subclass gives a fatal error). (pmmaga)
Fixed bug #63384 (Cannot override an abstract method with an abstract method). (pmmaga, wes)
Fixed bug #74607 (Traits enforce different inheritance rules). (pmmaga)
Fixed misparsing of abstract unix domain socket names. (Sara)
BCMath:
Fixed bug #46564 (bcmod truncates fractionals). (liborm85)
Calendar:
Fix integer overflows (Joshua Rogers)
Date:
Fixed bug #55407 (Impossible to prototype DateTime::createFromFormat). (kelunik)
Fixed bug #69587 (DateInterval properties and isset). (jhdxr)
Fixed bug #74404 (Wrong reflection on DateTimeZone::getTransitions). (krakjoe)
Fixed bug #74080 (add constant for RFC7231 format datetime). (duncan3dc)
Fixed bug #74639 (implement clone for DatePeriod and DateInterval). (andrewnester)
Implemented FR #71520 (Adding the DateTime constants to the DateTimeInterface interface). (Majkl578)
Dba:
Fixed bug #72885 (flatfile: dba_fetch() fails to read replaced entry). (Anatol)
DOM:
Fixed bug #67474 (getElementsByTagNameNS filter on default ns). (aboks)
Fixed bug #54382 (getAttributeNodeNS doesn't get xmlns* attributes). (aboks)
Fixed bug #74004 (LIBXML_NOWARNING (etc) ignored by DOMDocument::loadHTML). (somedaysummer)
EXIF:
Added support for vendor specific tags for the following formats: Samsung, DJI, Panasonic, Sony, Pentax, Minolta, Sigma/Foveon, AGFA, Kyocera, Ricoh & Epson. (Kalle)
Fixed bug #72682 (exif_read_data() fails to read all data for some images). (Kalle)
Fixed bug #71534 (Type confusion in exif_read_data() leading to heap overflow in debug mode). (hlt99 at blinkenshell dot org, Kalle)
Fixed bug #68547 (Exif Header component value check error). (sjh21a at gmail dot com, Kalle)
Fixed bug #66443 (Corrupt EXIF header: maximum directory nesting level reached for some cameras). (Kalle)
Fixed Redhat bug #1362571 (PHP not returning full results for exif_read_data function). (Kalle)
FPM:
Configuration to limit fpm slow log trace callers. (Sannis)
Fixed bug #69865 (php-fpm does not close stderr when using syslog). (Mike)
FTP:
Fixed bug #74598 (ftp:// wrapper ignores context arg). (Sara)
Implement MLSD for structured listing of directories. (blar)
GD:
Implemented imageresolution as getter and setter (Christoph)
Fixed bug #74343 (compile fails on solaris 11 with system gd2 library). (krakjoe)
GMP:
Fixed bug #70896 (gmp_fact() silently ignores non-integer input). (Sara)
hash:
Fixed bug #73961 (environmental build dependency in hash sha3 source). (krakjoe)
Changed HashContext from resource to object. (Rouven Weßling, Sara)
intl:
Fixed bug #74433 (wrong reflection for Normalizer methods). (villfa)
Fixed bug #74439 (wrong reflection for Locale methods). (villfa)
Fixed bug #74468 (wrong reflection on Collator::sortWithSortKeys). (villfa)
Fixed bug #63790 (test using Spoofchecker which may be unavailable). (Sara)
Mbstring:
Implemented request #66024 (mb_chr() and mb_ord()). (Masakielastic, Yasuo)
Implemented request #65081 (mb_scrub()). (Masakielastic, Yasuo)
Implemented request #69086 (enhancement for mb_convert_encoding() that handles multibyte replacement char nicely). (Masakielastic, Yasuo)
Added array input support to mb_convert_encoding(). (Yasuo)
Added array input support to mb_check_encoding(). (Yasuo)
Fixed bug #69079 (enhancement for mb_substitute_character). (masakielastic)
Update to oniguruma version 6.3.0. (Remi)
Mcrypt:
The deprecated mcrypt extension has been moved to PECL. (leigh)
MySQLi:
Fixed bug #73949 (leak in mysqli_fetch_object). (krakjoe)
mysqlnd:
Fixed bug #73800 (sporadic segfault with MYSQLI_OPT_INT_AND_FLOAT_NATIVE). (vanviegen)
OpenSSL:
Fixed bug #71519 (add serial hex to return value array). (xrobau)
PCRE:
Added support for PCRE JIT fast path API. (dmitry)
Fixed bug #61780 (Inconsistent PCRE captures in match results). (cmb)
PDO:
Add "Sent SQL" to debug dump for emulated prepares. (Adam Baratz)
Add parameter types for national character set strings. (Adam Baratz)
PDO_DBlib:
Fixed bug #73234 (Emulated statements let value dictate parameter type). (Adam Baratz)
Fixed bug #73396 (bigint columns are returned as strings). (Adam Baratz)
Expose DB-Library version as PDO::DBLIB_ATTR_VERSION attribute on PDO instance. (Adam Baratz)
Add test coverage for bug #72969. (Jeff Farr)
PDO_OCI:
Fixed bug #54379 (PDO_OCI: UTF-8 output gets truncated). (gureedo / Oracle)
PDO_PgSQL:
Fixed bug #73959 (lastInsertId fails to throw an exception for wrong sequence name). (andrewnester)
PDO_Sqlite
Switch to sqlite3_prepare_v2() and sqlite3_close_v2() functions (rasmus)
phar:
Fixed bug #74383 (phar method parameters reflection correction). (mhagstrand)
Fixed bug #74196 (phar does not correctly handle names containing dots). (mhagstrand)
Fixed bug #74386 (Phar::__construct reflection incorrect). (villfa)
PHPDBG
Added extended_value to opcode dump output. (Sara)
posix:
Fixed bug #71219 (configure script incorrectly checks for ttyname_r). (atoh)
Session:
Fixed bug #73461 (Prohibit session save handler recursion). (Yasuo)
PR #2233 Removed register_globals related code and "!" can be used as $_SESSION key name. (Yasuo)
Improved bug #73100 fix. 'user' save handler can only be set by session_set_save_handler()
Fixed bug #69582 (session not readable by root in CLI). (EvgeniySpinov)
SOAP:
Fixed bug #69137 (Peer verification fails when using a proxy with SoapClient) (Keith Smiley)
SQLite3:
Update to Sqlite 3.18.0. (cmb)
Fixed bug #74413 (incorrect reflection for SQLite3::enableExceptions). (krakjoe)
Standard:
Add subject to mail log. (tomsommer)
Fixed bug #31875 (get_defined_functions additional param to exclude disabled functions). (willianveiga)
Fixed bug #69442 (closing of fd incorrect when PTS enabled). (jaytaph)
Fixed bug #72974 (imap is undefined service on AIX). (matthieu.sarter)
Fixed bug #72979 (money_format stores wrong length AIX). (matthieu.sarter)
Fixed bug #74300 (unserialize accepts two plus/minus signs for float number exponent part). (xKerman)
Fixed bug #74556 (stream_socket_get_name() returns ''). (Sara)
XML:
Moved utf8_encode() and utf8_decode() to the Standard extension. (Andrea)
Fixed bug #72135 (malformed XML causes fault) (edgarsandi)
xmlreader:
Fixed bug #74457 (Wrong reflection on XMLReader::expand). (villfa)
XMLRPC:
Use Zend MM for allocation in bundled libxmlrpc (Joe)
ZIP:
Add support for encrypted archives. (Remi)
Use of bundled libzip is deprecated, --with-libzip option is recommended. (Remi)
Fixed Bug #73803 (Reflection of ZipArchive does not show public properties). (Remi)

New in PHP 7.1.6 RC 1 (May 24, 2017)

New in PHP 7.1.5 (May 9, 2017)

Core:
Fixed bug #74408 (Endless loop bypassing execution time limit). (Laruence)
Fixed bug #74353 (Segfault when killing within bash script trap code). (Laruence)
Fixed bug #74340 (Magic function __get has different behavior in php 7.1.x). (Nikita)
Fixed bug #74188 (Null coalescing operator fails for undeclared static class properties). (tpunt)
Fixed bug #74444 (multiple catch freezes in some cases). (David Matějka)
Fixed bug #74410 (stream_select() is broken on Windows Nanoserver). (Matt Ficken)
Fixed bug #74337 (php-cgi.exe crash on facebook callback). (Anton Serbulov)
Date:
Fixed bug #74404 (Wrong reflection on DateTimeZone::getTransitions). (krakjoe)
Fixed bug #74080 (add constant for RFC7231 format datetime). (duncan3dc)
DOM:
Fixed bug #74416 (Wrong reflection on DOMNode::cloneNode). (Remi, Fabien Villepinte)
Fileinfo:
Fixed bug #74379 (syntax error compile error in libmagic/apprentice.c). (Laruence)
GD:
Fixed bug #74343 (compile fails on solaris 11 with system gd2 library). (krakjoe)
MySQLnd:
Fixed bug #74376 (Invalid free of persistent results on error/connection loss). (Yussuf Khalil)
Intl:
Fixed bug #65683 (Intl does not support DateTimeImmutable). (Ben Scholzen)
Fixed bug #74298 (IntlDateFormatter->format() doesn't return microseconds/fractions). (Andrew Nester)
Fixed bug #74433 (wrong reflection for Normalizer methods). (villfa)
Fixed bug #74439 (wrong reflection for Locale methods). (villfa)
Opcache:
Fixed bug #74456 (Segmentation error while running a script in CLI mode). (Laruence)
Fixed bug #74431 (foreach infinite loop). (Nikita)
Fixed bug #74442 (Opcached version produces a nested array). (Nikita)
OpenSSL:
Fixed bug #73833 (null character not allowed in openssl_pkey_get_private). (Jakub Zelenka)
Fixed bug #73711 (Segfault in openssl_pkey_new when generating DSA or DH key). (Jakub Zelenka)
Fixed bug #74341 (openssl_x509_parse fails to parse ASN.1 UTCTime without seconds). (Moritz Fain)
phar:
Fixed bug #74383 (phar method parameters reflection correction). (mhagstrand)
Readline:
Fixed bug #74489 (readline() immediately returns false in interactive console mode). (Anatol)
Standard:
Fixed bug #72071 (setcookie allows max-age to be negative). (Craig Duncan)
Fixed bug #74361 (Compaction in array_rand() violates COW). (Nikita)
Streams:
Fixed bug #74429 (Remote socket URI with unique persistence identifier broken). (Sara)

New in PHP 7.1.5 RC 1 (Apr 26, 2017)

Core:
Fixed bug #74408 (Endless loop bypassing execution time limit). (Laruence)
Fixed bug #74353 (Segfault when killing within bash script trap code). (Laruence)
Fixed bug #74340 (Magic function __get has different behavior in php 7.1.x). (Nikita)
Fixed bug #74188 (Null coalescing operator fails for undeclared static class properties). (tpunt)
Fixed bug #74444 (multiple catch freezes in some cases). (David Matějka)
Fixed bug #74410 (stream_select() is broken on Windows Nanoserver). (Matt Ficken)
Fixed bug #74337 (php-cgi.exe crash on facebook callback). (Anton Serbulov)
Date:
Fixed bug #74404 (Wrong reflection on DateTimeZone::getTransitions). (krakjoe)
Fixed bug #74080 (add constant for RFC7231 format datetime). (duncan3dc)
DOM:
Fixed bug #74416 (Wrong reflection on DOMNode::cloneNode). (Remi, Fabien Villepinte)
Fileinfo:
Fixed bug #74379 (syntax error compile error in libmagic/apprentice.c). (Laruence)
GD:
Fixed bug #74343 (compile fails on solaris 11 with system gd2 library). (krakjoe)
MySQLnd:
Fixed bug #74376 (Invalid free of persistent results on error/connection loss). (Yussuf Khalil)
Intl:
Fixed bug #65683 (Intl does not support DateTimeImmutable). (Ben Scholzen)
Fixed bug #74298 (IntlDateFormatter->format() doesn't return microseconds/fractions). (Andrew Nester)
Fixed bug #74433 (wrong reflection for Normalizer methods). (villfa)
Fixed bug #74439 (wrong reflection for Locale methods). (villfa)
Opcache:
Fixed bug #74456 (Segmentation error while running a script in CLI mode). (Laruence)
Fixed bug #74431 (foreach infinite loop). (Nikita)
Fixed bug #74442 (Opcached version produces a nested array). (Nikita)
OpenSSL:
Fixed bug #73833 (null character not allowed in openssl_pkey_get_private). (Jakub Zelenka)
Fixed bug #73711 (Segfault in openssl_pkey_new when generating DSA or DH key). (Jakub Zelenka)
Fixed bug #74341 (openssl_x509_parse fails to parse ASN.1 UTCTime without seconds). (Moritz Fain)
phar:
Fixed bug #74383 (phar method parameters reflection correction). (mhagstrand)
Readline:
Fixed bug #74489 (readline() immediately returns false in interactive console mode). (Anatol)
Standard:
Fixed bug #72071 (setcookie allows max-age to be negative). (Craig Duncan)
Fixed bug #74361 (Compaction in array_rand() violates COW). (Nikita)
Streams:
Fixed bug #74429 (Remote socket URI with unique persistence identifier broken). (Sara)

New in PHP 7.1.4 (Apr 12, 2017)

New in PHP 7.1.4 RC 1 (Mar 29, 2017)

New in PHP 7.1.3 (Mar 15, 2017)

Core:
Fixed bug #74157 (Segfault with nested generators). (Laruence)
Fixed bug #74164 (PHP hangs when an invalid value is dynamically passed to typehinted by-ref arg). (Laruence)
Fixed bug #74093 (Maximum execution time of n+2 seconds exceed not written in error_log). (Laruence)
Fixed bug #73989 (PHP 7.1 Segfaults within Symfony test suite). (Dmitry, Laruence)
Fixed bug #74084 (Out of bound read zend_mm_alloc_small). (Laruence)
Fixed bug #73807 (Performance problem with processing large post request). (Nikita)
Fixed bug #73998 (array_key_exists fails on arrays created by get_object_vars). (mhagstrand)
Fixed bug #73954 (NAN check fails on Alpine Linux with musl). (Andrea)
Fixed bug #73677 (Generating phar.phar core dump with gcc ASAN enabled build). (ondrej)
Apache:
Fixed bug #61471 (Incomplete POST does not timeout but is passed to PHP). (Zheng Shao)
Date:
Fixed bug #73837 ("new DateTime()" sometimes returns 1 second ago value). (Derick)
FPM:
Fixed bug #69860 (php-fpm process accounting is broken with keepalive). (Denis Yeldandi)
Hash:
Fixed bug #73127 (gost-crypto hash incorrect if input data contains long 0xFF sequence). (Grundik)
GD:
Fixed bug #74031 (ReflectionFunction for imagepng is missing last two parameters). (finwe)
Mysqlnd:
Fixed bug #74021 (fetch_array broken data. Data more then MEDIUMBLOB). (Andrew Nester, Nikita)
Opcache:
Fixed bug #74019 (Segfault with list). (Laruence)
OpenSSL:
Fixed bug #74022 (PHP Fast CGI crashes when reading from a pfx file). (Anatol)
Fixed bug #74099 (Memory leak with openssl_encrypt()). (Andrew Nester)
Standard:
Fixed bug #74005 (mail.add_x_header causes RFC-breaking lone line feed). (Anatol)
Fixed bug #74041 (substr_count with length=0 broken). (Nikita)
Fixed bug #73118 (is_callable callable name reports misleading value for anonymous classes). (Adam Saponara)
Fixed bug #74105 (PHP on Linux should use /dev/urandom when getrandom is not available). (Benjamin Robin)
Streams:
Fixed bug #73496 (Invalid memory access in zend_inline_hash_func). (Laruence)
Fixed bug #74090 (stream_get_contents maxlength>-1 returns empty string). (Anatol)

New in PHP 7.1.3 RC 1 (Feb 28, 2017)

Core:
Fixed bug #74157 (Segfault with nested generators). (Laruence)
Fixed bug #74164 (PHP hangs when an invalid value is dynamically passed to typehinted by-ref arg). (Laruence)
Fixed bug #74093 (Maximum execution time of n+2 seconds exceed not written in error_log). (Laruence)
Fixed bug #73989 (PHP 7.1 Segfaults within Symfony test suite). (Dmitry, Laruence)
Fixed bug #74084 (Out of bound read zend_mm_alloc_small). (Laruence)
Fixed bug #73807 (Performance problem with processing large post request). (Nikita)
Fixed bug #73998 (array_key_exists fails on arrays created by get_object_vars). (mhagstrand)
Fixed bug #73954 (NAN check fails on Alpine Linux with musl). (Andrea)
Fixed bug #73677 (Generating phar.phar core dump with gcc ASAN enabled build). (ondrej)
Apache:
Fixed bug #61471 (Incomplete POST does not timeout but is passed to PHP). (Zheng Shao)
Date:
Fixed bug #73837 ("new DateTime()" sometimes returns 1 second ago value). (Derick)
FPM:
Fixed bug #69860 (php-fpm process accounting is broken with keepalive). (Denis Yeldandi)
Hash:
Fixed bug #73127 (gost-crypto hash incorrect if input data contains long 0xFF sequence). (Grundik)
GD:
Fixed bug #74031 (ReflectionFunction for imagepng is missing last two parameters). (finwe)
Mysqlnd:
Fixed bug #74021 (fetch_array broken data. Data more then MEDIUMBLOB). (Andrew Nester, Nikita)
Opcache:
Fixed bug #74019 (Segfault with list). (Laruence)
OpenSSL:
Fixed bug #74022 (PHP Fast CGI crashes when reading from a pfx file). (Anatol)
Fixed bug #74099 (Memory leak with openssl_encrypt()). (Andrew Nester)
Fixed bug #74159 (Writing a large buffer to a non-blocking encrypted stream fails with "bad write retry"). (trowski)
Standard:
Fixed bug #74005 (mail.add_x_header causes RFC-breaking lone line feed). (Anatol)
Fixed bug #74041 (substr_count with length=0 broken). (Nikita)
Fixed bug #73118 (is_callable callable name reports misleading value for anonymous classes). (Adam Saponara)
Fixed bug #74105 (PHP on Linux should use /dev/urandom when getrandom is not available). (Benjamin Robin)
Streams:
Fixed bug #73496 (Invalid memory access in zend_inline_hash_func). (Laruence)
Fixed bug #74090 (stream_get_contents maxlength>-1 returns empty string). (Anatol)

New in PHP 7.1.2 (Feb 15, 2017)

Core:
Improved GENERATOR_CREATE opcode handler. (Bob, Dmitry)
Fixed bug #73877 (readlink() returns garbage for UTF-8 paths). (Anatol)
Fixed bug #73876 (Crash when exporting **= in expansion of assign op).
(Sara)
Fixed bug #73962 (bug with symlink related to cyrillic directory). (Anatol)
Fixed bug #73969 (segfault in debug_print_backtrace). (andrewnester)
Fixed bug #73994 (arginfo incorrect for unpack). (krakjoe)
Fixed bug #73973 (assertion error in debug_zval_dump). (andrewnester)
DOM:
Fixed bug #54382 (getAttributeNodeNS doesn't get xmlns* attributes).
(aboks)
DTrace:
Fixed bug #73965 (DTrace reported as enabled when disabled). (Remi)
FCGI:
Fixed bug #73904 (php-cgi fails to load -c specified php.ini file). (Anatol)
Fixed bug #72898 (PHP_FCGI_CHILDREN is not included in phpinfo()). (Anatol)
FPM:
Fixed bug #69865 (php-fpm does not close stderr when using syslog). (m6w6)
GD:
Fixed bug #73968 (Premature failing of XBM reading). (cmb)
GMP:
Fixed bug #69993 (test for gmp.h needs to test machine includes).
(Jordan Gigov)
Hash:
Added hash_hkdf() function. (Andrey Andreev)
Fixed bug #73961 (environmental build dependency in hash sha3 source).
(krakjoe)
Intl:
Fix bug #73956 (Link use CC instead of CXX). (Remi)
LDAP:
Fixed bug #73933 (error/segfault with ldap_mod_replace and opcache).
(Laruence)
MySQLi:
Fixed bug #73949 (leak in mysqli_fetch_object). (krakjoe)
Mysqlnd:
Fixed bug #69899 (segfault on close() after free_result() with mysqlnd).
(Richard Fussenegger)
Opcache:
Fixed bug #73983 (crash on finish work with phar in cli + opcache).
(Anatol)
OpenSSL:
Fixed bug #71519 (add serial hex to return value array). (xrobau)
Fixed bug #73692 (Compile ext/openssl with openssl 1.1.0 on Win). (Anatol)
Fixed bug #73978 (openssl_decrypt triggers bug in PDO). (Jakub Zelenka)
PDO_Firebird:
Implemented FR #72583 (All data are fetched as strings). (Dorin Marcoci)
PDO_PgSQL:
Fixed bug #73959 (lastInsertId fails to throw an exception for wrong sequence name). (andrewnester)
Phar:
Fixed bug #70417 (PharData::compress() doesn't close temp file). (cmb)
posix:
Fixed bug #71219 (configure script incorrectly checks for ttyname_r). (atoh)
Session:
Fixed bug #69582 (session not readable by root in CLI). (EvgeniySpinov)
SPL:
Fixed bug #73896 (spl_autoload() crashes when calls magic _call()). (Dmitry)
Standard:
Fixed bug #69442 (closing of fd incorrect when PTS enabled). (jaytaph)
Fixed bug #47021 (SoapClient stumbles over WSDL delivered with
"Transfer-Encoding: chunked"). (Rowan Collins)
Fixed bug #72974 (imap is undefined service on AIX). (matthieu.sarter)
Fixed bug #72979 (money_format stores wrong length AIX). (matthieu.sarter)
Fixed bug #73374 (intval() with base 0 should detect binary). (Leigh)
Fixed bug #69061 (mail.log = syslog contains double information).
(Tom Sommer)
ZIP:
Fixed bug #70103 (ZipArchive::addGlob ignores remove_all_path option). (cmb,
Mitch Hagstrand)

New in PHP 7.1.2 RC 1 (Jan 31, 2017)

Core:
Improved GENERATOR_CREATE opcode handler. (Bob, Dmitry)
Fixed bug #73877 (readlink() returns garbage for UTF-8 paths). (Anatol)
Fixed bug #73876 (Crash when exporting **= in expansion of assign op). (Sara)
Fixed bug #73962 (bug with symlink related to cyrillic directory). (Anatol)
Fixed bug #73969 (segfault in debug_print_backtrace). (andrewnester)
Fixed bug #73994 (arginfo incorrect for unpack). (krakjoe)
Fixed bug #73973 (assertion error in debug_zval_dump). (andrewnester)
Fixed bug #73987 (Method compatibility check looks to original definition and not parent). (pmmaga)
DOM:
Fixed bug #54382 (getAttributeNodeNS doesn't get xmlns* attributes). (aboks)
Fixed bug #50989 (support for LIBXML_NOXMLDECL). (jhdxr)
DTrace:
Fixed bug #73965 (DTrace reported as enabled when disabled). (Remi)
FCGI:
Fixed bug #73904 (php-cgi fails to load -c specified php.ini file). (Anatol)
Fixed bug #72898 (PHP_FCGI_CHILDREN is not included in phpinfo()). (Anatol)
FPM:
Fixed bug #69865 (php-fpm does not close stderr when using syslog). (m6w6)
GD:
Fixed bug #73968 (Premature failing of XBM reading). (cmb)
GMP:
Fixed bug #69993 (test for gmp.h needs to test machine includes). (Jordan Gigov)
Hash:
Added hash_hkdf() function. (Andrey Andreev)
Fixed bug #73961 (environmental build dependency in hash sha3 source). (krakjoe)
Intl:
Fix bug #73956 (Link use CC instead of CXX). (Remi)
LDAP:
Fixed bug #73933 (error/segfault with ldap_mod_replace and opcache). (Laruence)
MySQLi:
Fixed bug #73949 (leak in mysqli_fetch_object). (krakjoe)
Mysqlnd:
Fixed bug #69899 (segfault on close() after free_result() with mysqlnd). (Richard Fussenegger)
Opcache:
Fixed bug #73983 (crash on finish work with phar in cli + opcache). (Anatol)
OpenSSL:
Fixed bug #71519 (add serial hex to return value array). (xrobau)
Fixed bug #73692 (Compile ext/openssl with openssl 1.1.0 on Win). (Anatol)
Fixed bug #73978 (openssl_decrypt triggers bug in PDO). (Jakub Zelenka)
PDO_Firebird:
Implemented FR #72583 (All data are fetched as strings). (Dorin Marcoci)
PDO_PgSQL:
Fixed bug #73959 (lastInsertId fails to throw an exception for wrong sequence name). (andrewnester)
Phar:
Fixed bug #70417 (PharData::compress() doesn't close temp file). (cmb)
posix:
Fixed bug #71219 (configure script incorrectly checks for ttyname_r). (atoh)
Session:
Fixed bug #69582 (session not readable by root in CLI). (EvgeniySpinov)
SPL:
Fixed bug #73896 (spl_autoload() crashes when calls magic _call()). (Dmitry)
Standard:
Fixed bug #69442 (closing of fd incorrect when PTS enabled). (jaytaph)
Fixed bug #47021 (SoapClient stumbles over WSDL delivered with "Transfer-Encoding: chunked"). (Rowan Collins)
Fixed bug #72974 (imap is undefined service on AIX). (matthieu.sarter)
Fixed bug #72979 (money_format stores wrong length AIX). (matthieu.sarter)
Fixed bug #73374 (intval() with base 0 should detect binary). (Leigh)
Fixed bug #69061 (mail.log = syslog contains double information). (Tom Sommer)
ZIP:
Fixed bug #70103 (ZipArchive::addGlob ignores remove_all_path option). (cmb, Mitch Hagstrand)

New in PHP 7.1.1 (Jan 18, 2017)

Core:
Fixed bug #73792 (invalid foreach loop hangs script). (Dmitry)
Fixed bug #73686 (Adding settype()ed values to ArrayObject results in references). (Nikita, Laruence)
Fixed bug #73663 ("Invalid opcode 65/16/8" occurs with a variable created with list()). (Laruence)
Fixed bug #73727 (ZEND_MM_BITSET_LEN is "undefined symbol" in zend_bitset.h). (Nikita)
Fixed bug #73753 (unserialized array pointer not advancing). (David Walker)
Fixed bug #73783 (SIG_IGN doesn't work when Zend Signals is enabled). (David Walker)
Fixed bug #73825 (Heap out of bounds read on unserialize in finish_nested_data()). (Stas)
Fixed bug #73831 (NULL Pointer Dereference while unserialize php object). (Stas)
Fixed bug #73832 (Use of uninitialized memory in unserialize()). (Stas)
CLI:
Fixed bug #72555 (CLI output(japanese) on Windows). (Anatol)
COM:
Fixed bug #73679 (DOTNET read access violation using invalid codepage). (Anatol)
DOM:
Fixed bug #67474 (getElementsByTagNameNS filter on default ns). (aboks)
EXIF:
Bug bug #73737 (FPE when parsing a tag format). (Stas)
GD:
Fixed bug #73869 (Signed Integer Overflow gd_io.c). (cmb)
Fixed bug #73868 (DOS vulnerability in gdImageCreateFromGd2Ctx()). (cmb)
Mbstring:
Fixed bug #73646 (mb_ereg_search_init null pointer dereference). (Laruence)
Mysqli:
Fixed bug #73462 (Persistent connections don't set $connect_errno). (darkain)
Mysqlnd:
Optimized handling of BIT fields less memory copies and lower memory usage. (Andrey)
Fixed bug #73800 (sporadic segfault with MYSQLI_OPT_INT_AND_FLOAT_NATIVE). (vanviegen)
Opcache:
Fixed bug #73789 (Strange behavior of class constants in switch/case block). (Laruence)
Fixed bug #73746 (Method that returns string returns UNKNOWN:0 instead). (Laruence)
Fixed bug #73654 (Segmentation fault in zend_call_function). (Nikita)
Fixed bug #73668 ("SIGFPE Arithmetic exception" in opcache when divide by minus 1). (Nikita)
Fixed bug #73847 (Recursion when a variable is redefined as array). (Nikita)
PDO_Firebird:
Fixed bug #72931 (PDO_FIREBIRD with Firebird 3.0 not work on returning statement). (Dorin Marcoci)
Phar:
Fixed bug #73773 (Seg fault when loading hostile phar). (Stas)
Fixed bug #73768 (Memory corruption when loading hostile phar). (Stas)
Fixed bug #73764 (Crash while loading hostile phar archive). (Stas)
phpdbg:
Fixed bug #73794 (Crash (out of memory) when using run and # command separator). (Bob)
Fixed bug #73704 (phpdbg shows the wrong line in files with shebang). (Bob)
SQLite3:
Reverted fix for bug #73530 (Unsetting result set may reset other result set). (cmb)
Standard:
Fixed bug #73594 (dns_get_record does not populate $additional out parameter). (Bruce Weirdan)
Fixed bug #70213 (Unserialize context shared on double class lookup). (Taoguang Chen)
Fixed bug #73154 (serialize object with __sleep function crash). (Nikita)
Fixed bug #70490 (get_browser function is very slow). (Nikita)
Fixed bug #73265 (Loading browscap.ini at startup causes high memory usage). (Nikita)
Add subject to mail log. (tomsommer)
Fixed bug #31875 (get_defined_functions additional param to exclude disabled functions). (willianveiga)
Zlib
Fixed bug #73373 (deflate_add does not verify that output was not truncated). (Matt Bonneau)

New in PHP 7.1.1 RC 1 (Jan 5, 2017)

Core:
Fixed bug #73792 (invalid foreach loop hangs script). (Dmitry)
Fixed bug #73686 (Adding settype()ed values to ArrayObject results in references). (Nikita, Laruence)
Fixed bug #73663 ("Invalid opcode 65/16/8" occurs with a variable created with list()). (Laruence)
Fixed bug #73727 (ZEND_MM_BITSET_LEN is "undefined symbol" in zend_bitset.h). (Nikita)
Fixed bug #73753 (unserialized array pointer not advancing). (David Walker)
Fixed bug #73783 (SIG_IGN doesn't work when Zend Signals is enabled). (David Walker)
CLI:
Fixed bug #72555 (CLI output(japanese) on Windows). (Anatol)
COM:
Fixed bug #73679 (DOTNET read access violation using invalid codepage). (Anatol)
DOM:
Fixed bug #67474 (getElementsByTagNameNS filter on default ns). (aboks)
Mbstring:
Fixed bug #73646 (mb_ereg_search_init null pointer dereference). (Laruence)
Mysqli:
Fixed bug #73462 (Persistent connections don't set $connect_errno). (darkain)
Mysqlnd:
Optimized handling of BIT fields less memory copies and lower memory usage. (Andrey)
Fixed bug #73800 (sporadic segfault with MYSQLI_OPT_INT_AND_FLOAT_NATIVE). (vanviegen)
Opcache:
Fixed bug #73789 (Strange behavior of class constants in switch/case block). (Laruence)
Fixed bug #73746 (Method that returns string returns UNKNOWN:0 instead). (Laruence)
Fixed bug #73654 (Segmentation fault in zend_call_function). (Nikita)
Fixed bug #73668 ("SIGFPE Arithmetic exception" in opcache when divide by minus 1). (Nikita)
Fixed bug #73847 (Recursion when a variable is redefined as array). (Nikita)
PDO_Firebird:
Fixed bug #72931 (PDO_FIREBIRD with Firebird 3.0 not work on returning statement). (Dorin Marcoci)
phpdbg:
Fixed bug #73794 (Crash (out of memory) when using run and # command separator). (Bob)
Fixed bug #73704 (phpdbg shows the wrong line in files with shebang). (Bob)
SQLite3:
Reverted fix for bug #73530 (Unsetting result set may reset other result set). (cmb)
Standard:
Fixed bug #73594 (dns_get_record does not populate $additional out parameter). (Bruce Weirdan)
Fixed bug #70213 (Unserialize context shared on double class lookup). (Taoguang Chen)
Fixed bug #73154 (serialize object with __sleep function crash). (Nikita)
Fixed bug #70490 (get_browser function is very slow). (Nikita)
Fixed bug #73265 (Loading browscap.ini at startup causes high memory usage). (Nikita)
Add subject to mail log. (tomsommer)
Fixed bug #31875 (get_defined_functions additional param to exclude disabled functions). (willianveiga)
Zlib
Fixed bug #73373 (deflate_add does not verify that output was not truncated). (Matt Bonneau)

New in PHP 7.1.0 (Dec 2, 2016)

Core:
Added nullable types.
Added DFA optimization framework based on e-SSA form.
Added specialized opcode handlers (e.g. ZEND_ADD_LONG_NO_OVERFLOW).
Added [] = as alternative construct to list() =.
Added void return type.
Added support for negative string offsets in string offset syntax and various string functions.
Added a form of the list() construct where keys can be specified.
Implemented safe execution timeout handling, that prevents random crashes after "Maximum execution time exceeded" error.
Implemented the RFC `Support Class Constant Visibility`.
Implemented the RFC `Catching multiple exception types`.
Implemented logging to syslog with dynamic error levels.
Implemented FR #72614 (Support "nmake test" on building extensions by phpize).
Implemented RFC: Iterable.
Implemented RFC: Closure::fromCallable (Danack)
Implemented RFC: Replace "Missing argument" warning with "ArgumentCountError" exception.
Implemented RFC: Fix inconsistent behavior of $this variable.
Fixed bug #73585 (Logging of "Internal Zend error - Missing class information" missing class name).
Fixed memory leak(null coalescing operator with Spl hash).
Fixed bug #72736 (Slow performance when fetching large dataset with mysqli / PDO).
Fixed bug #72482 (Ilegal write/read access caused by gdImageAALine overflow).
Fixed bug #72696 (imagefilltoborder stackoverflow on truecolor images).
Fixed bug #73350 (Exception::__toString() cause circular references).
Fixed bug #73329 ((Float)"Nano" == NAN).
Fixed bug #73288 (Segfault in __clone > Exception.toString > __get).
Fixed for #73240 (Write out of bounds at number_format).
Fix pthreads detection when cross-compiling (ffontaine)
Fixed bug #73337 (try/catch not working with two exceptions inside a same operation).
Fixed bug #73156 (segfault on undefined function).
Fixed bug #73163 (PHP hangs if error handler throws while accessing undef const in default value).
Fixed bug #73172 (parse error: Invalid numeric literal).
Fixed bug #73181 (parse_str() without a second argument leads to crash).
Fixed bug #73025 (Heap Buffer Overflow in virtual_popen of zend_virtual_cwd.c).
Fixed bug #73058 (crypt broken when salt is 'too' long).
Fixed bug #72944 (Null pointer deref in zval_delref_p).
Fixed bug #72943 (assign_dim on string doesn't reset hval).
Fixed bug #72598 (Reference is lost after array_slice()) (Nikita)
Fixed bug #72703 (Out of bounds global memory read in BF_crypt triggered by password_verify).
Fixed bug #72813 (Segfault with __get returned by ref).
Fixed bug #72767 (PHP Segfaults when trying to expand an infinite operator).
TypeError messages for arg_info type checks will now say "must be ... or null" where the parameter or return type accepts null.
Fixed bug #72857 (stream_socket_recvfrom read access violation).
Fixed bug #72663 (Create an Unexpected Object and Don't Invoke __wakeup() in Deserialization).
Fixed bug #72681 (PHP Session Data Injection Vulnerability).
Fixed bug #72742 (memory allocator fails to realloc small block to large one).
Fixed URL rewriter. It would not rewrite '//example.com/' URL unconditionally. URL rewrite target hosts whitelist is implemented.
Fixed bug #72641 (phpize (on Windows) ignores PHP_PREFIX).
Fixed bug #72683 (getmxrr broken).
Fixed bug #72629 (Caught exception assignment to variables ignores references).
Fixed bug #72594 (Calling an earlier instance of an included anonymous class fatals).
Fixed bug #72581 (previous property undefined in Exception after deserialization).
Fixed bug #72543 (Different references behavior comparing to PHP 5) (Laruence, Dmitry, Nikita)
Fixed bug #72347 (VERIFY_RETURN type casts visible in finally).
Fixed bug #72216 (Return by reference with finally is not memory safe).
Fixed bug #72215 (Wrong return value if var modified in finally).
Fixed bug #71818 (Memory leak when array altered in destructor).
Fixed bug #71539 (Memory error on $arr[$a] =& $arr[$b] if RHS rehashes) (Dmitry, Nikita)
Added new constant PHP_FD_SETSIZE.
Added optind parameter to getopt().
Added PHP to SAPI error severity mapping for logs.
Fixed bug #71911 (Unable to set --enable-debug on building extensions by phpize on Windows).
Fixed bug #29368 (The destructor is called when an exception is thrown from the constructor).
Implemented RFC: RNG Fixes.
Implemented email validation as per RFC 6531.
Fixed bug #72513 (Stack-based buffer overflow vulnerability in virtual_file_ex).
Fixed bug #72573 (HTTP_PROXY is improperly trusted by some PHP libraries and applications).
Fixed bug #72523 (dtrace issue with reflection (failed test)).
Fixed bug #72508 (strange references after recursive function call and "switch" statement).
Fixed bug #72441 (Segmentation fault: RFC list_keys).
Fixed bug #72395 (list() regression).
Fixed bug #72373 (TypeError after Generator function w/declared return type finishes).
Fixed bug #69489 (tempnam() should raise notice if falling back to temp dir).
Fixed UTF-8 and long path support on Windows.
Fixed bug #53432 (Assignment via string index access on an empty string converts to array).
Fixed bug #62210 (Exceptions can leak temporary variables).
Fixed bug #62814 (It is possible to stiffen child class members visibility).
Fixed bug #69989 (Generators don't participate in cycle GC).
Fixed bug #70228 (Memleak if return in finally block).
Fixed bug #71266 (Missing separation of properties HT in foreach etc).
Fixed bug #71604 (Aborted Generators continue after nested finally).
Fixed bug #71572 (String offset assignment from an empty string inserts null byte).
Fixed bug #71897 (ASCII 0x7F Delete control character permitted in identifiers).
Fixed bug #72188 (Nested try/finally blocks losing return value).
Fixed bug #72213 (Finally leaks on nested exceptions).
Fixed bug #47517 (php-cgi.exe missing UAC manifest).
Change statement and fcall extension handlers to accept frame.
Number operators taking numeric strings now emit E_NOTICEs or E_WARNINGs when given malformed numeric strings.
(int), intval() where $base is 10 or unspecified, settype(), decbin(), decoct(), dechex(), integer operators and other conversions now always respect scientific notation in numeric strings.
Raise a compile-time warning on octal escape sequence overflow.
Apache2handler:
Enable per-module logging in Apache 2.4+.
BCmath:
Fix bug #73190 (memcpy negative parameter _bc_new_num_ex).
Bz2:
Fixed bug #72837 (integer overflow in bzdecompress caused heap corruption).
Fixed bug #72613 (Inadequate error handling in bzread()).
Calendar:
Fix integer overflows (Joshua Rogers)
Fixed bug #67976 (cal_days_month() fails for final month of the French calendar).
Fixed bug #71894 (AddressSanitizer: global-buffer-overflow in zif_cal_from_jd).
CLI Server:
Fixed bug #73360 (Unable to work in root with unicode chars).
Fixed bug #71276 (Built-in webserver does not send Date header).
COM:
Fixed bug #73126 (Cannot pass parameter 1 by reference).
Fixed bug #69579 (Invalid free in extension trait).
Fixed bug #72922 (COM called from PHP does not return out parameters).
Fixed bug #72569 (DOTNET/COM array parameters broke in PHP7).
Fixed bug #72498 (variant_date_from_timestamp null dereference).
Curl:
Implement support for handling HTTP/2 Server Push.
Add curl_multi_errno(), curl_share_errno() and curl_share_strerror() functions.
Fixed bug #72674 (Heap overflow in curl_escape).
Fixed bug #72541 (size_t overflow lead to heap corruption). (Stas).
Fixed bug #71709 (curl_setopt segfault with empty CURLOPT_HTTPHEADER).
Fixed bug #71929 (CURLINFO_CERTINFO data parsing error).
Date:
Fixed bug #69587 (DateInterval properties and isset).
Fixed bug #73426 (createFromFormat with 'z' format char results in incorrect time).
Fixed bug #45554 (Inconsistent behavior of the u format char).
Fixed bug #48225 (DateTime parser doesn't set microseconds for "now").
Fixed bug #52514 (microseconds are missing in DateTime class).
Fixed bug #52519 (microseconds in DateInterval are missing).
Fixed bug #60089 (DateTime::createFromFormat() U after u nukes microtime).
Fixed bug #64887 (Allow DateTime modification with subsecond items).
Fixed bug #68506 (General DateTime improvments needed for microseconds to become useful).
Fixed bug #73109 (timelib_meridian doesn't parse dots correctly).
Fixed bug #73247 (DateTime constructor does not initialise microseconds property).
Fixed bug #73147 (Use After Free in PHP7 unserialize()).
Fixed bug #73189 (Memcpy negative size parameter php_resolve_path).
Fixed bug #66836 (DateTime::createFromFormat 'U' with pre 1970 dates fails parsing).
Invalid serialization data for a DateTime or DatePeriod object will now throw an instance of Error from __wakeup() or __set_state() instead of resulting in a fatal error.
Timezone initialization failure from serialized data will now throw an instance of Error from __wakeup() or __set_state() instead of resulting in a fatal error.
Export date_get_interface_ce() for extension use.
Fixed bug #63740 (strtotime seems to use both sunday and monday as start of week).
Dba:
Fixed bug #70825 (Cannot fetch multiple values with group in ini file).
Data modification functions (e.g.: dba_insert()) now throw an instance of Error instead of triggering a catchable fatal error if the key is does not contain exactly two elements.
DOM:
Fixed bug #73150 (missing NULL check in dom_document_save_html).
Fixed bug #66502 (DOM document dangling reference).
Invalid schema or RelaxNG validation contexts will throw an instance of Error instead of resulting in a fatal error.
Attempting to register a node class that does not extend the appropriate base class will now throw an instance of Error instead of resulting in a fatal error.
Attempting to read an invalid or write to a readonly property will throw an instance of Error instead of resulting in a fatal error.
DTrace:
Disabled PHP call tracing by default (it makes significant overhead). This may be enabled again using envirionment variable USE_ZEND_DTRACE=1.
EXIF:
Fixed bug #72735 (Samsung picture thumb not read (zero size)).
Fixed bug #72627 (Memory Leakage In exif_process_IFD_in_TIFF).
Fixed bug #72603 (Out of bound read in exif_process_IFD_in_MAKERNOTE).
Fixed bug #72618 (NULL Pointer Dereference in exif_process_user_comment).
Filter:
Fixed bug #72972 (Bad filter for the flags FILTER_FLAG_NO_RES_RANGE and FILTER_FLAG_NO_PRIV_RANGE).
Fixed bug #73054 (default option ignored when object passed to int filter).
Fixed bug #71745 (FILTER_FLAG_NO_RES_RANGE does not cover whole 127.0.0.0/8 range).
FPM:
Fixed bug #72575 (using --allow-to-run-as-root should ignore missing user).
FTP:
Fixed bug #70195 (Cannot upload file using ftp_put to FTPES with require_ssl_reuse).
Implemented FR #55651 (Option to ignore the returned FTP PASV address).
GD:
Fixed bug #73213 (Integer overflow in imageline() with antialiasing).
Fixed bug #73272 (imagescale() is not affected by, but affects imagesetinterpolation()).
Fixed bug #73279 (Integer overflow in gdImageScaleBilinearPalette()).
Fixed bug #73280 (Stack Buffer Overflow in GD dynamicGetbuf).
Fixed bug #50194 (imagettftext broken on transparent background w/o alphablending).
Fixed bug #73003 (Integer Overflow in gdImageWebpCtx of gd_webp.c).
Fixed bug #53504 (imagettfbbox gives incorrect values for bounding box).
Fixed bug #73157 (imagegd2() ignores 3rd param if 4 are given).
Fixed bug #73155 (imagegd2() writes wrong chunk sizes on boundaries).
Fixed bug #73159 (imagegd2(): unrecognized formats may result in corrupted files).
Fixed bug #73161 (imagecreatefromgd2() may leak memory).
Fixed bug #67325 (imagetruecolortopalette: white is duplicated in palette).
Fixed bug #66005 (imagecopy does not support 1bit transparency on truecolor images).
Fixed bug #72913 (imagecopy() loses single-color transparency on palette images).
Fixed bug #68716 (possible resource leaks in _php_image_convert()).
Fixed bug #72709 (imagesetstyle() causes OOB read for empty $styles).
Fixed bug #72697 (select_colors write out-of-bounds).
Fixed bug #72730 (imagegammacorrect allows arbitrary write access).
Fixed bug #72596 (imagetypes function won't advertise WEBP support).
Fixed bug #72604 (imagearc() ignores thickness for full arcs).
Fixed bug #70315 (500 Server Error but page is fully rendered).
Fixed bug #43828 (broken transparency of imagearc for truecolor in blendingmode).
Fixed bug #72512 (gdImageTrueColorToPaletteBody allows arbitrary write/read access).
Fixed bug #72519 (imagegif/output out-of-bounds access).
Fixed bug #72558 (Integer overflow error within _gdContributionsAlloc()).
Fixed bug #72482 (Ilegal write/read access caused by gdImageAALine overflow).
Fixed bug #72494 (imagecropauto out-of-bounds access).
Fixed bug #72404 (imagecreatefromjpeg fails on selfie).
Fixed bug #43475 (Thick styled lines have scrambled patterns).
Fixed bug #53640 (XBM images require width to be multiple of 8).
Fixed bug #64641 (imagefilledpolygon doesn't draw horizontal line).
Hash:
Added SHA3 fixed mode algorithms (224, 256, 384, and 512 bit).
Added SHA512/256 and SHA512/224 algorithms.
iconv:
Fixed bug #72320 (iconv_substr returns false for empty strings).
IMAP:
Fixed bug #73418 (Integer Overflow in "_php_imap_mail" leads to crash).
An email address longer than 16385 bytes will throw an instance of Error instead of resulting in a fatal error.
Interbase:
Fixed bug #73512 (Fails to find firebird headers as don't use fb_config output).
Intl:
Fixed bug #73007 (add locale length check).
Fixed bug #73218 (add mitigation for ICU int overflow).
Fixed bug #65732 (grapheme_*() is not Unicode compliant on CR LF sequence).
Fixed bug #73007 (add locale length check).
Fixed bug #72639 (Segfault when instantiating class that extends IntlCalendar and adds a property).
Fixed bug #72658 (Locale::lookup() / locale_lookup() hangs if no match found).
Partially fixed #72506 (idn_to_ascii for UTS #46 incorrect for long domain names).
Fixed bug #72533 (locale_accept_from_http out-of-bounds access).
Failure to call the parent constructor in a class extending Collator before invoking the parent methods will throw an instance of Error instead of resulting in a recoverable fatal error.
Cloning a Transliterator object may will now throw an instance of Error instead of resulting in a fatal error if cloning the internal transliterator fails.
Added IntlTimeZone::getWindowsID() and IntlTimeZone::getIDForWindowsID().
Fixed bug #69374 (IntlDateFormatter formatObject returns wrong utf8 value).
Fixed bug #69398 (IntlDateFormatter formatObject returns wrong value when time style is NONE).
JSON:
Introduced encoder struct instead of global which fixes bugs #66025 and #73254 related to pretty print indentation.
Fixed bug #73113 (Segfault with throwing JsonSerializable).
Implemented earlier return when json_encode fails, fixes bugs #68992 (Stacking exceptions thrown by JsonSerializable) and #70275 (On recursion error, json_encode can eat up all system memory).
Implemented FR #46600 ("_empty_" key in objects).
Exported JSON parser API including json_parser_method that can be used for implementing custom logic when parsing JSON.
Escaped U+2028 and U+2029 when JSON_UNESCAPED_UNICODE is supplied as json_encode options and added JSON_UNESCAPED_LINE_TERMINATORS to restore the previous behaviour.
LDAP:
Providing an unknown modification type to ldap_batch_modify() will now throw an instance of Error instead of resulting in a fatal error.
Mbstring:
Fixed bug #73532 (Null pointer dereference in mb_eregi).
Fixed bug #66964 (mb_convert_variables() cannot detect recursion) (Yasuo)
Fixed bug #72992 (mbstring.internal_encoding doesn't inherit default_charset).
Fixed bug #66797 (mb_substr only takes 32-bit signed integer).
Fixed bug #72711 (`mb_ereg` does not clear the `$regs` parameter on failure).
Fixed bug #72691 (mb_ereg_search raises a warning if a match zero-width).
Fixed bug #72693 (mb_ereg_search increments search position when a match zero-width).
Fixed bug #72694 (mb_ereg_search_setpos does not accept a string's last position).
Fixed bug #72710 (`mb_ereg` causes buffer overflow on regexp compile error).
Deprecated mb_ereg_replace() eval option.
Fixed bug #69151 (mb_ereg should reject ill-formed byte sequence).
Fixed bug #72405 (mb_ereg_replace - mbc_to_code (oniguruma) - oob read access).
Fixed bug #72399 (Use-After-Free in MBString (search_re)).
mb_ereg() and mb_eregi() will now throw an instance of ParseError if an invalid PHP expression is provided and the 'e' option is used.
Mcrypt:
Deprecated ext/mcrypt.
Fixed bug #72782 (Heap Overflow due to integer overflows).
Fixed bug #72551, bug #72552 (In correct casting from size_t to int lead to heap overflow in mdecrypt_generic).
mcrypt_encrypt() and mcrypt_decrypt() will throw an instance of Error instead of resulting in a fatal error if mcrypt cannot be initialized.
Mysqli:
Attempting to read an invalid or write to a readonly property will throw an instance of Error instead of resulting in a fatal error.
Mysqlnd:
Fixed bug #64526 (Add missing mysqlnd.* parameters to php.ini-*).
Fixed bug #71863 (Segfault when EXPLAIN with "Unknown column" error when using MariaDB).
Fixed bug #72701 (mysqli_get_host_info() wrong output).
OCI8:
Fixed bug #71148 (Bind reference overwritten on PHP 7).
Fixed invalid handle error with Implicit Result Sets.
Fixed bug #72524 (Binding null values triggers ORA-24816 error).
ODBC:
Fixed bug #73448 (odbc_errormsg returns trash, always 513 bytes).
Opcache:
Fixed bug #73583 (Segfaults when conditionally declared class and function have the same name).
Fixed bug #69090 (check cached files permissions)
Fixed bug #72982 (Memory leak in zend_accel_blacklist_update_regexp() function).
Fixed bug #72949 (Typo in opcache error message).
Fixed bug #72762 (Infinite loop while parsing a file with opcache enabled).
Fixed bug #72590 (Opcache restart with kill_all_lockers does not work).
OpenSSL:
Fixed bug #73478 (openssl_pkey_new() generates wrong pub/priv keys with Diffie Hellman).
Fixed bug #73276 (crash in openssl_random_pseudo_bytes function).
Fixed bug #73072 (Invalid path SNI_server_certs causes segfault).
Fixed bug #72360 (ext/openssl build failure with OpenSSL 1.1.0).
Bumped a minimal version to 1.0.1.
Dropped support for SSL2.
Implemented FR #61204 (Add elliptic curve support for OpenSSL).
Implemented FR #67304 (Added AEAD support [CCM and GCM modes] to openssl_encrypt and openssl_decrypt).
Implemented error storing to the global queue and cleaning up the OpenSSL error queue (resolves bugs #68276 and #69882).
Pcntl:
Implemented asynchronous signal handling without TICKS.
Added pcntl_signal_get_handler() that returns the current signal handler for a particular signal. Addresses FR #72409.
Add signinfo to pcntl_signal() handler args (Bishop Bettini, David Walker)
PCRE:
Fixed bug #73483 (Segmentation fault on pcre_replace_callback).
Fixed bug #73612 (preg_*() may leak memory).
Fixed bug #73392 (A use-after-free in zend allocator management).
Fixed bug #73121 (Bundled PCRE doesn't compile because JIT isn't supported on s390).
Fixed bug #72688 (preg_match missing group names in matches).
Downgraded to PCRE 8.38.
Fixed bug #72476 (Memleak in jit_stack).
Fixed bug #72463 (mail fails with invalid argument).
Upgraded to PCRE 8.39.
PDO:
Fixed bug #72788 (Invalid memory access when using persistent PDO connection).
Fixed bug #72791 (Memory leak in PDO persistent connection handling).
Fixed bug #60665 (call to empty() on NULL result using PDO::FETCH_LAZY returns false).
PDO_DBlib:
Fixed bug #72414 (Never quote values as raw binary data).
Allow PDO::setAttribute() to set query timeouts.
Handle SQLDECIMAL/SQLNUMERIC types, which are used by later TDS versions.
Add common PDO test suite.
Free error and message strings when cleaning up PDO instances.
Fixed bug #67130 (PDOStatement::nextRowset() should succeed when all rows in current rowset haven't been fetched).
Ignore potentially misleading dberr values.
Implemented stringify 'uniqueidentifier' fields.
PDO_Firebird:
Fixed bug #73087, #61183, #71494 (Memory corruption in bindParam).
Fixed bug #60052 (Integer returned as a 64bit integer on X86_64).
PDO_pgsql:
Fixed bug #70313 (PDO statement fails to throw exception).
Fixed bug #72570 (Segmentation fault when binding parameters on a query without placeholders).
Implemented FR #72633 (Postgres PDO lastInsertId() should work without specifying a sequence).
Phar:
Fixed bug #72928 (Out of bound when verify signature of zip phar in phar_parse_zipfile).
Fixed bug #73035 (Out of bound when verify signature of tar phar in phar_parse_tarfile).
phpdbg:
Added generator command for inspection of currently alive generators.
Postgres:
Fixed bug #73498 (Incorrect SQL generated for pg_copy_to()).
Implemented FR #31021 (pg_last_notice() is needed to get all notice messages).
Implemented FR #48532 (Allow pg_fetch_all() to index numerically).
Readline:
Fixed bug #72538 (readline_redisplay crashes php).
Reflection:
Undo backwards compatiblity break in ReflectionType->__toString() and deprecate via documentation instead.
Reverted prepending for class names.
Implemented request #38992 (invoke() and invokeArgs() static method calls should match). (cmb).
Add ReflectionNamedType::getName(). This method should be used instead of ReflectionType::__toString()
Prepend for class names and ? for nullable types returned from ReflectionType::__toString().
Fixed bug #72661 (ReflectionType::__toString crashes with iterable).
Fixed bug #72222 (ReflectionClass::export doesn't handle array constants).
Failure to retrieve a reflection object or retrieve an object property will now throw an instance of Error instead of resulting in a fatal error.
Fix #72209 (ReflectionProperty::getValue() doesn't fail if object doesn't match type).
Session:
Fixed bug #73273 (session_unset() empties values from all variables in which is $_session stored).
Fixed bug #73100 (session_destroy null dereference in ps_files_path_create).
Fixed bug #68015 (Session does not report invalid uid for files save handler).
Fixed bug #72940 (SID always return "name=ID", even if session cookie exist).
Implemented session_gc() (Yasuo) https://wiki.php.net/rfc/session-create-id
Implemented session_create_id() (Yasuo) https://wiki.php.net/rfc/session-gc
Implemented RFC: Session ID without hashing. (Yasuo) https://wiki.php.net/rfc/session-id-without-hashing
Fixed bug #72531 (ps_files_cleanup_dir Buffer overflow).
Custom session handlers that do not return strings for session IDs will now throw an instance of Error instead of resulting in a fatal error when a function is called that must generate a session ID.
An invalid setting for session.hash_function will throw an instance of Error instead of resulting in a fatal error when a session ID is created.
Fixed bug #72562 (Use After Free in unserialize() with Unexpected Session Deserialization).
Improved fix for bug #68063 (Empty session IDs do still start sessions).
Fixed bug #71038 (session_start() returns TRUE on failure). Session save handlers must return 'string' always for successful read. i.e. Non-existing session read must return empty string. PHP 7.0 is made not to tolerate buggy return value.
Fixed bug #71394 (session_regenerate_id() must close opened session on errors).
SimpleXML:
Fixed bug #73293 (NULL pointer dereference in SimpleXMLElement::asXML()).
Fixed bug #72971 (SimpleXML isset/unset do not respect namespace).
Fixed bug #72957 (Null coalescing operator doesn't behave as expected with SimpleXMLElement).
Fixed bug #72588 (Using global var doesn't work while accessing SimpleXML element).
Creating an unnamed or duplicate attribute will throw an instance of Error instead of resulting in a fatal error.
SNMP:
Fixed bug #72708 (php_snmp_parse_oid integer overflow in memory allocation).
Fixed bug #72479 (Use After Free Vulnerability in SNMP with GC and unserialize()).
Soap:
Fixed bug #73538 (SoapClient::__setSoapHeaders doesn't overwrite SOAP headers).
Fixed bug #73452 (Segfault (Regression for #69152)).
Fixed bug #73037 (SoapServer reports Bad Request when gzipped).
Fixed bug #73237 (Nested object in "any" element overwrites other fields).
Fixed bug #69137 (Peer verification fails when using a proxy with SoapClient) (Keith Smiley)
Fixed bug #71711 (Soap Server Member variables reference bug).
Fixed bug #71996 (Using references in arrays doesn't work like expected).
SPL:
Fixed bug #73423 (Reproducible crash with GDB backtrace).
Fixed bug #72888 (Segfault on clone on splFileObject).
Fixed bug #73029 (Missing type check when unserializing SplArray).
Fixed bug #72646 (SplFileObject::getCsvControl does not return the escape character).
Fixed bug #72684 (AppendIterator segfault with closed generator).
Attempting to clone an SplDirectory object will throw an instance of Error instead of resulting in a fatal error.
Calling ArrayIterator::append() when iterating over an object will throw an instance of Error instead of resulting in a fatal error.
Fixed bug #55701 (GlobIterator throws LogicException).
SQLite3:
Update to SQLite 3.15.1.
Fixed bug #73530 (Unsetting result set may reset other result set).
Fixed bug #73333 (2147483647 is fetched as string).
Fixed bug #72668 (Spurious warning when exception is thrown in user defined function).
Implemented FR #72653 (SQLite should allow opening with empty filename).
Fixed bug #70628 (Clearing bindings on an SQLite3 statement doesn't work).
Implemented FR #71159 (Upgraded bundled SQLite lib to 3.9.2).
Standard:
Fixed bug #73297 (HTTP stream wrapper should ignore HTTP 100 Continue).
Fixed bug #73303 (Scope not inherited by eval in assert()).
Fixed bug #73192 (parse_url return wrong hostname).
Fixed bug #73203 (passing additional_parameters causes mail to fail).
Fixed bug #73203 (passing additional_parameters causes mail to fail).
Fixed bug #72920 (Accessing a private constant using constant() creates an exception AND warning).
Fixed bug #65550 (get_browser() incorrectly parses entries with "+" sign).
Fixed bug #71882 (Negative ftruncate() on php://memory exhausts memory).
Fixed bug #55451 (substr_compare NULL length interpreted as 0).
Fixed bug #72278 (getimagesize returning FALSE on valid jpg).
Fixed bug #61967 (unset array item in array_walk_recursive cause inconsistent array).
Fixed bug #62607 (array_walk_recursive move internal pointer).
Fixed bug #69068 (Exchanging array during array_walk -> memory errors).
Fixed bug #70713 (Use After Free Vulnerability in array_walk()/ array_walk_recursive()).
Fixed bug #72622 (array_walk + array_replace_recursive create references from nothing).
Fixed bug #72330 (CSV fields incorrectly split if escape char followed by UTF chars).
Implemented RFC: More precise float values.
array_multisort now uses zend_sort instead zend_qsort.
Fixed bug #72505 (readfile() mangles files larger than 2G).
assert() will throw a ParseError when evaluating a string given as the first argument if the PHP code is invalid instead of resulting in a catchable fatal error.
Calling forward_static_call() outside of a class scope will now throw an instance of Error instead of resulting in a fatal error.
Added is_iterable() function.
Fixed bug #72306 (Heap overflow through proc_open and $env parameter).
Fixed bug #71100 (long2ip() doesn't accept integers in strict mode).
Implemented FR #55716 (Add an option to pass a custom stream context to get_headers()).
Additional validation for parse_url() for login/pass components).
Implemented FR #69359 (Provide a way to fetch the current environment variables).
unpack() function accepts an additional optional argument $offset.
Implemented #51879 stream context socket option tcp_nodelay (Joe)
Streams:
Fixed bug #73586 (php_user_filter::$stream is not set to the stream the filter is working on).
Fixed bug #72853 (stream_set_blocking doesn't work).
Fixed bug #72743 (Out-of-bound read in php_stream_filter_create).
Implemented FR #27814 (Multiple small packets send for HTTP request).
Fixed bug #72764 (ftps:// opendir wrapper data channel encryption fails with IIS FTP 7.5, 8.5).
Fixed bug #72810 (Missing SKIP_ONLINE_TESTS checks).
Fixed bug #41021 (Problems with the ftps wrapper).
Fixed bug #54431 (opendir() does not work with ftps:// wrapper).
Fixed bug #72667 (opendir() with ftp:// attempts to open data stream for non-existent directories).
Fixed bug #72771 (ftps:// wrapper is vulnerable to protocol downgrade attack).
Fixed bug #72534 (stream_socket_get_name crashes).
Fixed bug #72439 (Stream socket with remote address leads to a segmentation fault).
sysvshm:
Fixed bug #72858 (shm_attach null dereference).
Tidy:
Implemented support for libtidy 5.0.0 and above.
Creating a tidyNode manually will now throw an instance of Error instead of resulting in a fatal error.
Wddx:
Fixed bug #73331 (NULL Pointer Dereference in WDDX Packet Deserialization with PDORow).
Fixed bug #72142 (WDDX Packet Injection Vulnerability in wddx_serialize_value()).
Fixed bug #72749 (wddx_deserialize allows illegal memory access) (Stas)
Fixed bug #72750 (wddx_deserialize null dereference).
Fixed bug #72790 (wddx_deserialize null dereference with invalid xml).
Fixed bug #72799 (wddx_deserialize null dereference in php_wddx_pop_element).
Fixed bug #72860 (wddx_deserialize use-after-free).
Fixed bug #73065 (Out-Of-Bounds Read in php_wddx_push_element).
Fixed bug #72564 (boolean always deserialized as "true") (Remi)
A circular reference when serializing will now throw an instance of Error instead of resulting in a fatal error.
XML:
Fixed bug #72135 (malformed XML causes fault) (edgarsandi)
Fixed bug #72714 (_xml_startElementHandler() segmentation fault).
Fixed bug #72085 (SEGV on unknown address zif_xml_parse).
XMLRPC:
Fixed bug #72647 (xmlrpc_encode() unexpected output after referencing array elements).
Fixed bug #72606 (heap-buffer-overflow (write) simplestring_addn simplestring.c).
A circular reference when serializing will now throw an instance of Error instead of resulting in a fatal error.
Zip:
Fixed bug #68302 (impossible to compile php with zip support).
Fixed bug #72660 (NULL Pointer dereference in zend_virtual_cwd).
Fixed bug #72520 (Stack-based buffer overflow vulnerability in php_stream_zip_opener).
ZipArchive::addGlob() will throw an instance of Error instead of resulting in a fatal error if glob support is not available.

New in PHP 7.0.14 RC 1 (Nov 23, 2016)

New in PHP 7.1.0 RC 6 (Nov 9, 2016)

New in PHP 7.0.13 (Nov 8, 2016)

Core:
Fixed bug #73350 (Exception::__toString() cause circular references). (Laruence)
Fixed bug #73181 (parse_str() without a second argument leads to crash). (Nikita)
Fixed bug #66773 (Autoload with Opcache allows importing conflicting class name to namespace). (Nikita)
Fixed bug #66862 ((Sub-)Namespaces unexpected behaviour). (Nikita)
Fix pthreads detection when cross-compiling (ffontaine)
Fixed bug #73337 (try/catch not working with two exceptions inside a same operation). (Dmitry)
Fixed bug #73338 (Exception thrown from error handler causes valgrind warnings (and crashes)). (Bob, Dmitry)
Fixed bug #73329 ((Float)"Nano" == NAN). (Anatol)
GD:
Fixed bug #73213 (Integer overflow in imageline() with antialiasing). (cmb)
Fixed bug #73272 (imagescale() is not affected by, but affects imagesetinterpolation()). (cmb)
Fixed bug #73279 (Integer overflow in gdImageScaleBilinearPalette()). (cmb)
Fixed bug #73280 (Stack Buffer Overflow in GD dynamicGetbuf). (cmb)
Fixed bug #72482 (Ilegal write/read access caused by gdImageAALine overflow). (cmb)
Fixed bug #72696 (imagefilltoborder stackoverflow on truecolor images). (cmb)
IMAP:
Fixed bug #73418 (Integer Overflow in "_php_imap_mail" leads to crash). (Anatol)
OCI8:
Fixed bug #71148 (Bind reference overwritten on PHP 7). (Oracle Corp.)
phpdbg:
Properly allow for stdin input from a file. (Bob)
Add -s command line option / stdin command for reading script from stdin. (Bob)
Ignore non-executable opcodes in line mode of phpdbg_end_oplog(). (Bob)
Fixed bug #70776 (Simple SIGINT does not have any effect with -rr). (Bob)
Fixed bug #71234 (INI files are loaded even invoked as -n --version). (Bob)
Session:
Fixed bug #73273 (session_unset() empties values from all variables in which is $_session stored). (Nikita)
SOAP:
Fixed bug #73037 (SoapServer reports Bad Request when gzipped). (Anatol)
Fixed bug #73237 (Nested object in "any" element overwrites other fields). (Keith Smiley)
Fixed bug #69137 (Peer verification fails when using a proxy with SoapClient) (Keith Smiley)
SQLite3:
Fixed bug #73333 (2147483647 is fetched as string). (cmb)
Standard:
Fixed bug #73203 (passing additional_parameters causes mail to fail). (cmb)
Fixed bug #71241 (array_replace_recursive sometimes mutates its parameters). (adsr)
Wddx:
Fixed bug #73331 (NULL Pointer Dereference in WDDX Packet Deserialization with PDORow). (Stas)

New in PHP 7.1.0 RC 5 (Oct 25, 2016)

New in PHP 7.0.13 RC 1 (Oct 25, 2016)

Core:
Fixed bug #73350 (Exception::__toString() cause circular references). (Laruence)
Fixed bug #73181 (parse_str() without a second argument leads to crash). (Nikita)
Fixed bug #66773 (Autoload with Opcache allows importing conflicting class name to namespace). (Nikita)
Fixed bug #66862 ((Sub-)Namespaces unexpected behaviour). (Nikita)
Fix pthreads detection when cross-compiling (ffontaine)
Fixed bug #73337 (try/catch not working with two exceptions inside a same operation). (Dmitry)
Fixed bug #73338 (Exception thrown from error handler causes valgrind warnings (and crashes)). (Bob, Dmitry)
Fixed bug #73329 ((Float)"Nano" == NAN). (Anatol)
GD:
Fixed bug #73213 (Integer overflow in imageline() with antialiasing). (cmb)
Fixed bug #73272 (imagescale() is not affected by, but affects imagesetinterpolation()). (cmb)
Fixed bug #73279 (Integer overflow in gdImageScaleBilinearPalette()). (cmb)
Fixed bug #73280 (Stack Buffer Overflow in GD dynamicGetbuf). (cmb)
OCI8:
Fixed bug #71148 (Bind reference overwritten on PHP 7). (Oracle Corp.)
phpdbg:
Properly allow for stdin input from a file. (Bob)
Add -s command line option / stdin command for reading script from stdin. (Bob)
Ignore non-executable opcodes in line mode of phpdbg_end_oplog(). (Bob)
Fixed bug #70776 (Simple SIGINT does not have any effect with -rr). (Bob)
Fixed bug #71234 (INI files are loaded even invoked as -n --version). (Bob)
Session:
Fixed bug #73273 (session_unset() empties values from all variables in which is $_session stored). (Nikita)
SOAP:
Fixed bug #73037 (SoapServer reports Bad Request when gzipped). (Anatol)
Fixed bug #73237 (Nested object in "any" element overwrites other fields). (Keith Smiley)
Fixed bug #69137 (Peer verification fails when using a proxy with SoapClient) (Keith Smiley)
SQLite3:
Fixed bug #73333 (2147483647 is fetched as string). (cmb)
Standard:
Fixed bug #73203 (passing additional_parameters causes mail to fail). (cmb)
Fixed bug #71241 (array_replace_recursive sometimes mutates its parameters). (adsr)

New in PHP 7.1.0 RC 4 (Oct 18, 2016)

Core:
Fixed bug #73288 (Segfault in __clone > Exception.toString > __get). (Laruence)
Fixed for #73240 (Write out of bounds at number_format). (Stas)
BCmath:
Fix bug #73190 (memcpy negative parameter _bc_new_num_ex). (Stas)
Date:
Fixed bug #45554 (Inconsistent behavior of the u format char). (Derick)
Fixed bug #48225 (DateTime parser doesn't set microseconds for "now"). (Derick)
Fixed bug #52514 (microseconds are missing in DateTime class). (Derick)
Fixed bug #52519 (microseconds in DateInterval are missing). (Derick)
Fixed bug #60089 (DateTime::createFromFormat() U after u nukes microtime). (Derick)
Fixed bug #64887 (Allow DateTime modification with subsecond items). (Derick)
Fixed bug #68506 (General DateTime improvments needed for microseconds to become useful). (Derick)
Fixed bug #73109 (timelib_meridian doesn't parse dots correctly). (Derick)
Fixed bug #73247 (DateTime constructor does not initialise microseconds property). (Derick)
Fixed bug #73147 (Use After Free in PHP7 unserialize()). (Stas)
Fixed bug #73189 (Memcpy negative size parameter php_resolve_path). (Stas)
DOM:
Fixed bug #73150 (missing NULL check in dom_document_save_html). (Stas)
GD:
Fixed bug #73213 (Integer overflow in imageline() with antialiasing). (cmb)
Fixed bug #73272 (imagescale() is not affected by, but affects imagesetinterpolation()). (cmb)
Fixed bug #73279 (Integer overflow in gdImageScaleBilinearPalette()). (cmb)
Fixed bug #73280 (Stack Buffer Overflow in GD dynamicGetbuf). (cmb)
Intl:
Fixed bug #73007 (add locale length check). (Stas)
Fixed bug #73218 (add mitigation for ICU int overflow). (Stas)
OCI8
Fixed bug #71148 (Bind reference overwritten on PHP 7). (Oracle Corp.)
OpenSSL:
Fixed bug #73276 (crash in openssl_random_pseudo_bytes function). (Stas)
Session:
Fixed bug #73273 (session_unset() empties values from all variables in which is $_session stored). (Nikita)
SOAP:
Fixed bug #73037 (SoapServer reports Bad Request when gzipped). (Anatol)
Fixed bug #73237 (Nested object in "any" element overwrites other fields). (Keith Smiley)
SimpleXML:
Fixed bug #73293 (NULL pointer dereference in SimpleXMLElement::asXML()). (Stas)
SQLite3:
Updated to SQLite3 3.15.0. (cmb)
Standard:
Fixed bug #73203 (passing additional_parameters causes mail to fail). (cmb)

New in PHP 7.0.12 (Oct 14, 2016)

Core:
Fixed bug #73025 (Heap Buffer Overflow in virtual_popen of zend_virtual_cwd.c). (cmb)
Fixed bug #72703 (Out of bounds global memory read in BF_crypt triggered by password_verify). (Anatol)
Fixed bug #73058 (crypt broken when salt is 'too' long). (Anatol)
Fixed bug #69579 (Invalid free in extension trait). (John Boehr)
Fixed bug #73156 (segfault on undefined function). (Dmitry)
Fixed bug #73163 (PHP hangs if error handler throws while accessing undef const in default value). (Nikita)
Fixed bug #73172 (parse error: Invalid numeric literal). (Nikita, Anatol)
Fixed for #73240 (Write out of bounds at number_format). (Stas)
Fixed bug #73147 (Use After Free in PHP7 unserialize()). (Stas)
Fixed bug #73189 (Memcpy negative size parameter php_resolve_path). (Stas)
BCmath:
Fix bug #73190 (memcpy negative parameter _bc_new_num_ex). (Stas)
COM:
Fixed bug #73126 (Cannot pass parameter 1 by reference). (Anatol)
Date:
Fixed bug #73091 (Unserializing DateInterval object may lead to __toString invocation). (Stas)
DOM:
Fixed bug #73150 (missing NULL check in dom_document_save_html). (Stas)
Filter:
Fixed bug #72972 (Bad filter for the flags FILTER_FLAG_NO_RES_RANGE and FILTER_FLAG_NO_PRIV_RANGE). (julien)
Fixed bug #73054 (default option ignored when object passed to int filter). (cmb)
GD:
Fixed bug #67325 (imagetruecolortopalette: white is duplicated in palette). (cmb)
Fixed bug #50194 (imagettftext broken on transparent background w/o alphablending). (cmb)
Fixed bug #73003 (Integer Overflow in gdImageWebpCtx of gd_webp.c). (trylab, cmb)
Fixed bug #53504 (imagettfbbox gives incorrect values for bounding box). (Mark Plomer, cmb)
Fixed bug #73157 (imagegd2() ignores 3rd param if 4 are given). (cmb)
Fixed bug #73155 (imagegd2() writes wrong chunk sizes on boundaries). (cmb)
Fixed bug #73159 (imagegd2(): unrecognized formats may result in corrupted files). (cmb)
Fixed bug #73161 (imagecreatefromgd2() may leak memory). (cmb)
Intl:
Fixed bug #73218 (add mitigation for ICU int overflow). (Stas)
Mbstring:
Fixed bug #66797 (mb_substr only takes 32-bit signed integer). (cmb)
Fixed bug #66964 (mb_convert_variables() cannot detect recursion) (Yasuo)
Fixed bug #72992 (mbstring.internal_encoding doesn't inherit default_charset). (Yasuo)
Mysqlnd:
Fixed bug #72489 (PHP Crashes When Modifying Array Containing MySQLi Result Data). (Nikita)
Opcache:
Fixed bug #72982 (Memory leak in zend_accel_blacklist_update_regexp() function). (Laruence)
OpenSSL:
Fixed bug #73072 (Invalid path SNI_server_certs causes segfault). (Jakub Zelenka)
Fixed bug #73276 (crash in openssl_random_pseudo_bytes function). (Stas)
Fixed bug #73275 (crash in openssl_encrypt function). (Stas)
PCRE:
Fixed bug #73121 (Bundled PCRE doesn't compile because JIT isn't supported on s390). (Anatol)
Fixed bug #73174 (heap overflow in php_pcre_replace_impl). (Stas)
PDO_DBlib:
Fixed bug #72414 (Never quote values as raw binary data). (Adam Baratz)
Allow PDO::setAttribute() to set query timeouts. (Adam Baratz)
Handle SQLDECIMAL/SQLNUMERIC types, which are used by later TDS versions. (Adam Baratz)
Add common PDO test suite. (Adam Baratz)
Free error and message strings when cleaning up PDO instances. (Adam Baratz)
Fixed bug #67130 (PDOStatement::nextRowset() should succeed when all rows in current rowset haven't been fetched). (Peter LeBrun)
Ignore potentially misleading dberr values. (Chris Kings-Lynne)
phpdbg:
Fixed bug #72996 (phpdbg_prompt.c undefined reference to DL_LOAD). (Nikita)
Fixed next command not stopping when leaving function. (Bob)
Session:
Fixed bug #68015 (Session does not report invalid uid for files save handler). (Yasuo)
Fixed bug #73100 (session_destroy null dereference in ps_files_path_create). (cmb)
SimpleXML:
Fixed bug #73293 (NULL pointer dereference in SimpleXMLElement::asXML()). (Stas)
SOAP:
Fixed bug #71711 (Soap Server Member variables reference bug). (Nikita)
Fixed bug #71996 (Using references in arrays doesn't work like expected). (Nikita)
SPL:
Fixed bug #73257, #73258 (SplObjectStorage unserialize allows use of non-object as key). (Stas)
SQLite3:
Updated bundled SQLite3 to 3.14.2. (cmb)
Zip:
Fixed bug #70752 (Depacking with wrong password leaves 0 length files). (cmb)

New in PHP 7.1.0 RC 3 (Sep 29, 2016)

Core:
Fixed bug #73156 (segfault on undefined function). (Dmitry)
Fixed bug #73163 (PHP hangs if error handler throws while accessing undef const in default value). (Nikita)
Fixed bug #73172 (parse error: Invalid numeric literal). (Nikita, Anatol)
Fixed bug #73181 (parse_str() without a second argument leads to crash). (Nikita)
COM:
Fixed bug #73126 (Cannot pass parameter 1 by reference). (Anatol)
Fixed bug #69579 (Invalid free in extension trait). (John Boehr)
GD:
Fixed bug #50194 (imagettftext broken on transparent background w/o alphablending). (cmb)
Fixed bug #73003 (Integer Overflow in gdImageWebpCtx of gd_webp.c). (trylab, cmb)
Fixed bug #53504 (imagettfbbox gives incorrect values for bounding box). (Mark Plomer, cmb)
Fixed bug #73157 (imagegd2() ignores 3rd param if 4 are given). (cmb)
Fixed bug #73155 (imagegd2() writes wrong chunk sizes on boundaries). (cmb)
Fixed bug #73159 (imagegd2(): unrecognized formats may result in corrupted files). (cmb)
Fixed bug #73161 (imagecreatefromgd2() may leak memory). (cmb)
JSON:
Fixed bug #73113 (Segfault with throwing JsonSerializable). (julien)
PCRE:
Fixed bug #73121 (Bundled PCRE doesn't compile because JIT isn't supported on s390). (Anatol)
PDO_DBlib:
Fixed bug #72414 (Never quote values as raw binary data). (Adam Baratz)
Allow PDO::setAttribute() to set query timeouts. (Adam Baratz)
Handle SQLDECIMAL/SQLNUMERIC types, which are used by later TDS versions. (Adam Baratz)
Add common PDO test suite. (Adam Baratz)
Free error and message strings when cleaning up PDO instances. (Adam Baratz)
Fixed bug #67130 (PDOStatement::nextRowset() should succeed when all rows in current rowset haven't been fetched). (Peter LeBrun)
Ignore potentially misleading dberr values. (Chris Kings-Lynne)
phpdbg:
Added generator command for inspection of currently alive generators. (Bob)
Reflection
Undo backwards compatiblity break in ReflectionType->__toString() and deprecate via documentation instead. (Nikita)
Session:
Fixed bug #73100 (session_destroy null dereference in ps_files_path_create). (cmb)

New in PHP 7.0.12 RC 1 (Sep 28, 2016)

Core:
Fixed bug #73067 (__debugInfo crashes when throwing an exception). (Laruence)
Fixed bug #73025 (Heap Buffer Overflow in virtual_popen of zend_virtual_cwd.c). (cmb)
Fixed bug #72703 (Out of bounds global memory read in BF_crypt triggered by password_verify). (Anatol)
Fixed bug #73058 (crypt broken when salt is 'too' long). (Anatol)
Fixed bug #69579 (Invalid free in extension trait). (John Boehr)
Fixed bug #73156 (segfault on undefined function). (Dmitry)
Fixed bug #73163 (PHP hangs if error handler throws while accessing undef const in default value). (Nikita)
Fixed bug #73172 (parse error: Invalid numeric literal). (Nikita, Anatol)
COM:
Fixed bug #73126 (Cannot pass parameter 1 by reference). (Anatol)
Filter:
Fixed bug #72972 (Bad filter for the flags FILTER_FLAG_NO_RES_RANGE and FILTER_FLAG_NO_PRIV_RANGE). (julien)
Fixed bug #73054 (default option ignored when object passed to int filter). (cmb)
GD:
Fixed bug #67325 (imagetruecolortopalette: white is duplicated in palette). (cmb)
Fixed bug #50194 (imagettftext broken on transparent background w/o alphablending). (cmb)
Fixed bug #73003 (Integer Overflow in gdImageWebpCtx of gd_webp.c). (trylab, cmb)
Fixed bug #53504 (imagettfbbox gives incorrect values for bounding box). (Mark Plomer, cmb)
Fixed bug #73157 (imagegd2() ignores 3rd param if 4 are given). (cmb)
Fixed bug #73155 (imagegd2() writes wrong chunk sizes on boundaries). (cmb)
Fixed bug #73159 (imagegd2(): unrecognized formats may result in corrupted files). (cmb)
Fixed bug #73161 (imagecreatefromgd2() may leak memory). (cmb)
Mbstring:
Fixed bug #66797 (mb_substr only takes 32-bit signed integer). (cmb)
Fixed bug #66964 (mb_convert_variables() cannot detect recursion) (Yasuo)
Fixed bug #72992 (mbstring.internal_encoding doesn't inherit default_charset). (Yasuo)
Mysqlnd:
Fixed bug #72489 (PHP Crashes When Modifying Array Containing MySQLi Result Data). (Nikita)
Opcache:
Fixed bug #72982 (Memory leak in zend_accel_blacklist_update_regexp() function). (Laruence)
OpenSSL:
Fixed bug #73072 (Invalid path SNI_server_certs causes segfault). (Jakub Zelenka)
PCRE:
Fixed bug #73121 (Bundled PCRE doesn't compile because JIT isn't supported on s390). (Anatol)
PDO_DBlib:
Fixed bug #72414 (Never quote values as raw binary data). (Adam Baratz)
Allow PDO::setAttribute() to set query timeouts. (Adam Baratz)
Handle SQLDECIMAL/SQLNUMERIC types, which are used by later TDS versions. (Adam Baratz)
Add common PDO test suite. (Adam Baratz)
Free error and message strings when cleaning up PDO instances. (Adam Baratz)
Fixed bug #67130 (PDOStatement::nextRowset() should succeed when all rows in current rowset haven't been fetched). (Peter LeBrun)
Ignore potentially misleading dberr values. (Chris Kings-Lynne)
phpdbg:
Fixed bug #72996 (phpdbg_prompt.c undefined reference to DL_LOAD). (Nikita)
Fixed next command not stopping when leaving function. (Bob)
Session:
Fixed bug #68015 (Session does not report invalid uid for files save handler). (Yasuo)
Fixed bug #73100 (session_destroy null dereference in ps_files_path_create). (cmb)
SOAP:
Fixed bug #71711 (Soap Server Member variables reference bug). (Nikita)
Fixed bug #71996 (Using references in arrays doesn't work like expected). (Nikita)
SQLite3:
Updated bundled SQLite3 to 3.14.2. (cmb)
Zip:
Fixed bug #70752 (Depacking with wrong password leaves 0 length files). (cmb)

New in PHP 7.1.0 RC 2 (Sep 14, 2016)

New in PHP 7.0.11 (Sep 13, 2016)

Core:
Fixed bug #72944 (Null pointer deref in zval_delref_p). (Dmitry)
Fixed bug #72943 (assign_dim on string doesn't reset hval). (Laruence)
Fixed bug #72911 (Memleak in zend_binary_assign_op_obj_helper). (Laruence)
Fixed bug #72813 (Segfault with __get returned by ref). (Laruence)
Fixed bug #72767 (PHP Segfaults when trying to expand an infinite operator). (Nikita)
Fixed bug #72854 (PHP Crashes on duplicate destructor call). (Nikita)
Fixed bug #72857 (stream_socket_recvfrom read access violation). (Anatol)
COM:
Fixed bug #72922 (COM called from PHP does not return out parameters). (Anatol)
Dba:
Fixed bug #70825 (Cannot fetch multiple values with group in ini file). (cmb)
FTP:
Fixed bug #70195 (Cannot upload file using ftp_put to FTPES with require_ssl_reuse). (Benedict Singer)
GD:
Fixed bug #72709 (imagesetstyle() causes OOB read for empty $styles). (cmb)
Fixed bug #66005 (imagecopy does not support 1bit transparency on truecolor images). (cmb)
Fixed bug #72913 (imagecopy() loses single-color transparency on palette images). (cmb)
Fixed bug #68716 (possible resource leaks in _php_image_convert()). (cmb)
iconv:
Fixed bug #72320 (iconv_substr returns false for empty strings). (cmb)
IMAP:
Fixed bug #72852 (imap_mail null dereference). (Anatol)
Intl:
Fixed bug #65732 (grapheme_*() is not Unicode compliant on CR LF sequence). (cmb)
Fixed bug #73007 (add locale length check). (Stas)
Mysqlnd:
Fixed bug #72293 (Heap overflow in mysqlnd related to BIT fields). (Stas)
OCI8
Fixed invalid handle error with Implicit Result Sets. (Chris Jones)
Fixed bug #72524 (Binding null values triggers ORA-24816 error). (Chris Jones)
Opcache:
Fixed bug #72949 (Typo in opcache error message). (cmb)
PDO:
Fixed bug #72788 (Invalid memory access when using persistent PDO connection). (Keyur)
Fixed bug #72791 (Memory leak in PDO persistent connection handling). (Keyur)
Fixed bug #60665 (call to empty() on NULL result using PDO::FETCH_LAZY returns false). (cmb)
PDO_DBlib:
Implemented stringify 'uniqueidentifier' fields. (Alexander Zhuravlev, Adam Baratz)
PDO_pgsql:
Implemented FR #72633 (Postgres PDO lastInsertId() should work without specifying a sequence). (Pablo Santiago Sánchez, Matteo)
Fixed bug #72759 (Regression in pgo_pgsql). (Anatol)
Phar:
Fixed bug #72928 (Out of bound when verify signature of zip phar in phar_parse_zipfile). (Stas)
Fixed bug #73035 (Out of bound when verify signature of tar phar in phar_parse_tarfile). (Stas)
Reflection:
Fixed bug #72846 (getConstant for a array constant with constant values returns NULL/NFC/UKNOWN). (Laruence)
Session:
Fixed bug #72724 (PHP7: session-uploadprogress kills httpd). (Nikita)
Fixed bug #72940 (SID always return "name=ID", even if session cookie exist). (Yasuo)
SimpleXML:
Fixed bug #72971 (SimpleXML isset/unset do not respect namespace). (Nikita)
Fixed bug #72957 (Null coalescing operator doesn't behave as expected with SimpleXMLElement). (Nikita)
SPL:
Fixed bug #73029 (Missing type check when unserializing SplArray). (Stas)
Standard:
Fixed bug #55451 (substr_compare NULL length interpreted as 0). (Lauri Kenttä)
Fixed bug #72278 (getimagesize returning FALSE on valid jpg). (cmb)
Fixed bug #65550 (get_browser() incorrectly parses entries with "+" sign). (cmb)
Streams:
Fixed bug #72853 (stream_set_blocking doesn't work). (Laruence)
Fixed bug #72764 (ftps:// opendir wrapper data channel encryption fails with IIS FTP 7.5, 8.5). (vhuk)
Fixed bug #71882 (Negative ftruncate() on php://memory exhausts memory). (cmb)
SQLite3:
Downgraded bundled SQLite to 3.8.10.2. (Anatol);
Sysvshm:
Fixed bug #72858 (shm_attach null dereference). (Anatol)
XML:
Fixed bug #72085 (SEGV on unknown address zif_xml_parse). (cmb)
Fixed bug #72714 (_xml_startElementHandler() segmentation fault). (cmb)
Wddx:
Fixed bug #72860 (wddx_deserialize use-after-free). (Stas)
Fixed bug #73065 (Out-Of-Bounds Read in php_wddx_push_element). (Stas)
ZIP:
Fixed bug #68302 (impossible to compile php with zip support). (cmb)

New in PHP 7.1.0 RC 1 (Sep 1, 2016)

Core:
Fixed bug #72944 (Null pointer deref in zval_delref_p). (Dmitry)
Fixed bug #72943 (assign_dim on string doesn't reset hval). (Laruence)
Fixed bug #72598 (Reference is lost after array_slice()) (Nikita)
Fixed bug #72703 (Out of bounds global memory read in BF_crypt triggered by password_verify). (Anatol)
Implement ArgumentCountError when passing in too few arguments (Davey)
COM:
Fixed bug #72922 (COM called from PHP does not return out parameters). (Anatol)
Dba:
Fixed bug #70825 (Cannot fetch multiple values with group in ini file). (cmb)
GD:
Fixed bug #66005 (imagecopy does not support 1bit transparency on truecolor images). (cmb)
Fixed bug #72913 (imagecopy() loses single-color transparency on palette images). (cmb)
Fixed bug #68716 (possible resource leaks in _php_image_convert()). (cmb)
iconv:
Fixed bug #72320 (iconv_substr returns false for empty strings). (cmb)
Intl:
Fixed bug #65732 (grapheme_*() is not Unicode compliant on CR LF sequence). (cmb)
JSON:
Implemented earlier return when json_encode fails, fixes bugs #68992 (Stacking exceptions thrown by JsonSerializable) and #70275 (On recursion error, json_encode can eat up all system memory). (Jakub Zelenka)
mbstring:
Fixed bug #66797 (mb_substr only takes 32-bit signed integer). (cmb)
Opcache:
Fixed bug #72949 (Typo in opcache error message). (cmb)
PDO_DBlib:
Implemented stringify 'uniqueidentifier' fields. (Alexander Zhuravlev, Adam Baratz)
Reflection:
Reverted prepending for class names. (Trowski)
Session:
Fixed bug #72940 (SID always return "name=ID", even if session cookie exist). (Yasuo)
Implemented session_gc() and session_create_id() functions. (Yasuo)
SimpleXML:
Fixed bug #72971 (SimpleXML isset/unset do not respect namespace). (Nikita)
Fixed bug #72957 (Null coalescing operator doesn't behave as expected with SimpleXMLElement). (Nikita)
SOAP:
Fixed bug #71711 (Soap Server Member variables reference bug). (Nikita)
Fixed bug #71996 (Using references in arrays doesn't work like expected). (Nikita)
Standard:
Fixed bug #72920 (Accessing a private constant using constant() creates an exception AND warning). (Laruence)
Fixed bug #65550 (get_browser() incorrectly parses entries with "+" sign). (cmb)
Fixed bug #71882 (Negative ftruncate() on php://memory exhausts memory). (cmb)
XML:
Fixed bug #72714 (_xml_startElementHandler() segmentation fault). (cmb)

New in PHP 7.0.11 RC 1 (Aug 31, 2016)

Core:
Fixed bug #72944 (Null pointer deref in zval_delref_p). (Dmitry)
Fixed bug #72943 (assign_dim on string doesn't reset hval). (Laruence)
Fixed bug #72911 (Memleak in zend_binary_assign_op_obj_helper). (Laruence)
Fixed bug #72813 (Segfault with __get returned by ref). (Laruence)
Fixed bug #72767 (PHP Segfaults when trying to expand an infinite operator). (Nikita)
Fixed bug #72854 (PHP Crashes on duplicate destructor call). (Nikita)
Fixed bug #72857 (stream_socket_recvfrom read access violation). (Anatol)
Fixed bug #72703 (Out of bounds global memory read in BF_crypt triggered by password_verify). (Anatol)
COM:
Fixed bug #72922 (COM called from PHP does not return out parameters). (Anatol)
Dba:
Fixed bug #70825 (Cannot fetch multiple values with group in ini file). (cmb)
FTP:
Fixed bug #70195 (Cannot upload file using ftp_put to FTPES with require_ssl_reuse). (Benedict Singer)
GD:
Fixed bug #72709 (imagesetstyle() causes OOB read for empty $styles). (cmb)
Fixed bug #66005 (imagecopy does not support 1bit transparency on truecolor images). (cmb)
Fixed bug #72913 (imagecopy() loses single-color transparency on palette images). (cmb)
Fixed bug #68716 (possible resource leaks in _php_image_convert()). (cmb)
iconv:
Fixed bug #72320 (iconv_substr returns false for empty strings). (cmb)
IMAP:
Fixed bug #72852 (imap_mail null dereference). (Anatol)
Intl:
Fixed bug #65732 (grapheme_*() is not Unicode compliant on CR LF sequence). (cmb)
OCI8
Fixed invalid handle error with Implicit Result Sets. (Chris Jones)
Fixed bug #72524 (Binding null values triggers ORA-24816 error). (Chris Jones)
Opcache:
Fixed bug #72949 (Typo in opcache error message). (cmb)
PDO:
Fixed bug #72788 (Invalid memory access when using persistent PDO connection). (Keyur)
Fixed bug #72791 (Memory leak in PDO persistent connection handling). (Keyur)
Fixed bug #60665 (call to empty() on NULL result using PDO::FETCH_LAZY returns false). (cmb)
PDO_DBlib:
Implemented stringify 'uniqueidentifier' fields. (Alexander Zhuravlev, Adam Baratz)
PDO_pgsql:
Implemented FR #72633 (Postgres PDO lastInsertId() should work without specifying a sequence). (Pablo Santiago Sánchez, Matteo)
Fixed bug #72759 (Regression in pgo_pgsql). (Anatol)
Reflection:
Fixed bug #72846 (getConstant for a array constant with constant values returns NULL/NFC/UKNOWN). (Laruence)
Session:
Fixed bug #72724 (PHP7: session-uploadprogress kills httpd). (Nikita)
Fixed bug #72940 (SID always return "name=ID", even if session cookie exist). (Yasuo)
SimpleXML:
Fixed bug #72971 (SimpleXML isset/unset do not respect namespace). (Nikita)
Fixed bug #72957 (Null coalescing operator doesn't behave as expected with SimpleXMLElement). (Nikita)
Standard:
Fixed bug #55451 (substr_compare NULL length interpreted as 0). (Lauri Kenttä)
Fixed bug #72278 (getimagesize returning FALSE on valid jpg). (cmb)
Fixed bug #65550 (get_browser() incorrectly parses entries with "+" sign). (cmb)
Streams:
Fixed bug #72853 (stream_set_blocking doesn't work). (Laruence)
Fixed bug #72764 (ftps:// opendir wrapper data channel encryption fails with IIS FTP 7.5, 8.5). (vhuk)
Sysvshm:
Fixed bug #72858 (shm_attach null dereference). (Anatol)
XML:
Fixed bug #72085 (SEGV on unknown address zif_xml_parse). (cmb)
Fixed bug #72714 (_xml_startElementHandler() segmentation fault). (cmb)
ZIP:
Fixed bug #68302 (impossible to compile php with zip support). (cmb)

New in PHP 7.1.0 Beta 3 (Aug 19, 2016)

Core:
Fixed bug #72813 (Segfault with __get returned by ref). (Laruence)
Fixed bug #72767 (PHP Segfaults when trying to expand an infinite operator). (Nikita)
TypeError messages for arg_info type checks will now say "must be ... or null" where the parameter or return type accepts null. (Andrea)
Fixed bug #72857 (stream_socket_recvfrom read access violation). (Anatol)
Fixed bug #72663 (Create an Unexpected Object and Don't Invoke __wakeup() in Deserialization). (Stas)
Fixed bug #72681 (PHP Session Data Injection Vulnerability). (Stas)
Fixed bug #72742 (memory allocator fails to realloc small block to large one). (Stas)
Bz2:
Fixed bug #72837 (integer overflow in bzdecompress caused heap corruption). (Stas)
Curl
Fixed bug #72674 (Heap overflow in curl_escape). (Stas)
EXIF:
Fixed bug #72735 (Samsung picture thumb not read (zero size)). (Kalle, Remi)
Fixed bug #72627 (Memory Leakage In exif_process_IFD_in_TIFF). (Stas)
FTP:
Fixed bug #70195 (Cannot upload file using ftp_put to FTPES with require_ssl_reuse). (Benedict Singer)
mbstring:
Fixed bug #72711 (`mb_ereg` does not clear the `$regs` parameter on failure). (ju1ius)
Mcrypt:
Fixed bug #72782 (Heap Overflow due to integer overflows). (Stas)
OCI8
Fixed invalid handle error with Implicit Result Sets. (Chris Jones)
Fixed bug #72524 (Binding null values triggers ORA-24816 error). (Chris Jones)
Opcache:
Fixed bug #72762 (Infinite loop while parsing a file with opcache enabled). (Nikita)
PDO:
Fixed bug #72788 (Invalid memory access when using persistent PDO connection). (Keyur)
Fixed bug #72791 (Memory leak in PDO persistent connection handling). (Keyur)
Fixed bug #60665 (call to empty() on NULL result using PDO::FETCH_LAZY returns false). (cmb)
Reflection:
Implemented request #38992 (invoke() and invokeArgs() static method calls should match). (cmb).
Add ReflectionNamedType::getName() and return leading "?" for nullable types from ReflectionType::__toString(). (Trowski)
Session:
Implemented RFC: Session ID without hashing. (Yasuo) https://wiki.php.net/rfc/session-id-without-hashing
SPL:
Fixed bug #72888 (Segfault on clone on splFileObject). (Laruence)
SQLite3:
Updated to SQLite3 3.14.0. (cmb)
Standard:
Fixed bug #55451 (substr_compare NULL length interpreted as 0). (Lauri Kenttä)
Fixed bug #72278 (getimagesize returning FALSE on valid jpg). (cmb)
Stream:
Fixed bug #72853 (stream_set_blocking doesn't work). (Laruence)
Fixed bug #72743 (Out-of-bound read in php_stream_filter_create). (Loianhtuan)
Implemented FR #27814 (Multiple small packets send for HTTP request). (vhuk)
Fixed bug #72764 (ftps:// opendir wrapper data channel encryption fails with IIS FTP 7.5, 8.5). (vhuk)
Fixed bug #72810 (Missing SKIP_ONLINE_TESTS checks). (vhuk)
sysvshm:
Fixed bug #72858 (shm_attach null dereference). (Anatol)
XML:
Fixed bug #72085 (SEGV on unknown address zif_xml_parse). (cmb)
ZIP:
Fixed bug #68302 (impossible to compile php with zip support). (cmb)

New in PHP 7.0.10 (Aug 19, 2016)

Core:
Fixed bug #72629 (Caught exception assignment to variables ignores references).
Fixed bug #72594 (Calling an earlier instance of an included anonymous class fatals).
Fixed bug #72581 (previous property undefined in Exception after deserialization).
Fixed bug #72496 (Cannot declare public method with signature incompatible with parent private method).
Fixed bug #72024 (microtime() leaks memory).
Fixed bug #71911 (Unable to set --enable-debug on building extensions by phpize on Windows).
Fixed bug causing ClosedGeneratorException being thrown into the calling code instead of the Generator yielding from.
Implemented FR #72614 (Support "nmake test" on building extensions by phpize).
Fixed bug #72641 (phpize (on Windows) ignores PHP_PREFIX).
Fixed potential segfault in object storage freeing in shutdown sequence.
Fixed bug #72663 (Create an Unexpected Object and Don't Invoke __wakeup() in Deserialization).
Fixed bug #72681 (PHP Session Data Injection Vulnerability).
Fixed bug #72683 (getmxrr broken).
Fixed bug #72742 (memory allocator fails to realloc small block to large one).
Bz2:
Fixed bug #72837 (integer overflow in bzdecompress caused heap corruption).
Calendar:
Fixed bug #67976 (cal_days_month() fails for final month of the French calendar).
Fixed bug #71894 (AddressSanitizer: global-buffer-overflow in zif_cal_from_jd).
COM:
Fixed bug #72569 (DOTNET/COM array parameters broke in PHP7).
CURL:
Fixed bug #71709 (curl_setopt segfault with empty CURLOPT_HTTPHEADER).
Fixed bug #71929 (CURLINFO_CERTINFO data parsing error).
Fixed bug #72674 (Heap overflow in curl_escape).
DOM:
Fixed bug #66502 (DOM document dangling reference).
EXIF:
Fixed bug #72735 (Samsung picture thumb not read (zero size)).
Fixed bug #72627 (Memory Leakage In exif_process_IFD_in_TIFF).
Filter:
Fixed bug #71745 (FILTER_FLAG_NO_RES_RANGE does not cover whole 127.0.0.0/8 range).
FPM:
Fixed bug #72575 (using --allow-to-run-as-root should ignore missing user).
GD:
Fixed bug #72596 (imagetypes function won't advertise WEBP support).
Fixed bug #72604 (imagearc() ignores thickness for full arcs).
Fixed bug #70315 (500 Server Error but page is fully rendered).
Fixed bug #43828 (broken transparency of imagearc for truecolor in blendingmode).
Fixed bug #66555 (Always false condition in ext/gd/libgd/gdkanji.c).
Fixed bug #68712 (suspicious if-else statements).
Fixed bug #72697 (select_colors write out-of-bounds).
Fixed bug #72730 (imagegammacorrect allows arbitrary write access).
Intl:
Fixed bug #72639 (Segfault when instantiating class that extends IntlCalendar and adds a property).
Partially fixed Fixed bug #72506 (idn_to_ascii for UTS #46 incorrect for long domain names).
mbstring:
Fixed bug #72691 (mb_ereg_search raises a warning if a match zero-width).
Fixed bug #72693 (mb_ereg_search increments search position when a match zero-width).
Fixed bug #72694 (mb_ereg_search_setpos does not accept a string's last position).
Fixed bug #72710 (`mb_ereg` causes buffer overflow on regexp compile error).
Mcrypt:
Fixed bug #72782 (Heap Overflow due to integer overflows).
Opcache:
Fixed bug #72590 (Opcache restart with kill_all_lockers does not work).
PCRE:
Fixed bug #72688 (preg_match missing group names in matches).
PDO_pgsql:
Fixed bug #70313 (PDO statement fails to throw exception).
Reflection:
Fixed bug #72222 (ReflectionClass::export doesn't handle array constants).
SimpleXML:
Fixed bug #72588 (Using global var doesn't work while accessing SimpleXML element).
SNMP:
Fixed bug #72708 (php_snmp_parse_oid integer overflow in memory allocation).
SPL:
Fixed bug #55701 (GlobIterator throws LogicException).
Fixed bug #72646 (SplFileObject::getCsvControl does not return the escape character).
Fixed bug #72684 (AppendIterator segfault with closed generator).
SQLite3:
Fixed bug #72668 (Spurious warning when exception is thrown in user defined function).
Fixed bug #72571 (SQLite3::bindValue, SQLite3::bindParam crash).
Implemented FR #72653 (SQLite should allow opening with empty filename).
Updated to SQLite3 3.13.0.
Standard:
Fixed bug #72622 (array_walk + array_replace_recursive create references from nothing).
Fixed bug #72152 (base64_decode $strict fails to detect null byte).
Fixed bug #72263 (base64_decode skips a character after padding in strict mode).
Fixed bug #72264 (base64_decode $strict fails with whitespace between padding).
Fixed bug #72330 (CSV fields incorrectly split if escape char followed by UTF chars).
Streams:
Fixed bug #41021 (Problems with the ftps wrapper).
Fixed bug #54431 (opendir() does not work with ftps:// wrapper).
Fixed bug #72667 (opendir() with ftp:// attempts to open data stream for non-existent directories).
Fixed bug #72771 (ftps:// wrapper is vulnerable to protocol downgrade attack).
XMLRPC:
Fixed bug #72647 (xmlrpc_encode() unexpected output after referencing array elements).
Wddx:
Fixed bug #72564 (boolean always deserialized as "true") (Remi)
Fixed bug #72142 (WDDX Packet Injection Vulnerability in wddx_serialize_value()).
Fixed bug #72749 (wddx_deserialize allows illegal memory access) (Stas)
Fixed bug #72750 (wddx_deserialize null dereference).
Fixed bug #72790 (wddx_deserialize null dereference with invalid xml).
Fixed bug #72799 (wddx_deserialize null dereference in php_wddx_pop_element).
Zip:
Fixed bug #72660 (NULL Pointer dereference in zend_virtual_cwd).

New in PHP 7.1.0 Beta 2 (Aug 3, 2016)

Core:
Implemented FR #72614 (Support "nmake test" on building extensions by phpize). (Yuji Uchiyama)
Fixed bug #72641 (phpize (on Windows) ignores PHP_PREFIX). (Yuji Uchiyama)
Fixed bug #72683 (getmxrr broken). (Anatol)
Calendar:
Fixed bug #67976 (cal_days_month() fails for final month of the French calendar). (cmb)
Fixed bug #71894 (AddressSanitizer: global-buffer-overflow in zif_cal_from_jd). (cmb)
CURL:
Fixed bug #71709 (curl_setopt segfault with empty CURLOPT_HTTPHEADER). (Pierrick)
Fixed bug #71929 (CURLINFO_CERTINFO data parsing error). (Pierrick)
Intl:
Fixed bug #72639 (Segfault when instantiating class that extends IntlCalendar and adds a property). (Laruence)
Fixed bug #72658 (Locale::lookup() / locale_lookup() hangs if no match found). (Anatol)
GD:
Fixed bug #72709 (imagesetstyle() causes OOB read for empty $styles). (cmb)
mbstring:
Fixed bug #72691 (mb_ereg_search raises a warning if a match zero-width). (cmb)
Fixed bug #72693 (mb_ereg_search increments search position when a match zero-width). (cmb)
Fixed bug #72694 (mb_ereg_search_setpos does not accept a string's last position). (cmb)
Fixed bug #72710 (`mb_ereg` causes buffer overflow on regexp compile error). (ju1ius)
Mysqlnd:
Fixed bug #71863 (Segfault when EXPLAIN with "Unknown column" error when using MariaDB). (Andrey)
Fixed bug #72701 (mysqli_get_host_info() wrong output). (Anatol)
PCRE:
Fixed bug #72688 (preg_match missing group names in matches). (cmb)
Downgraded to PCRE 8.38. (Anatol)
Reflection:
Fixed bug #72661 (ReflectionType::__toString crashes with iterable). (Laruence)
SPL:
Fixed bug #72646 (SplFileObject::getCsvControl does not return the escape character). (cmb)
Fixed bug #72684 (AppendIterator segfault with closed generator). (Pierrick)
SQLite3:
Fixed bug #72668 (Spurious warning when exception is thrown in user defined function). (Laruence)
Implemented FR #72653 (SQLite should allow opening with empty filename). (cmb)
Standard:
Fixed bug #61967 (unset array item in array_walk_recursive cause inconsistent array). (Nikita)
Fixed bug #62607 (array_walk_recursive move internal pointer). (Nikita)
Fixed bug #69068 (Exchanging array during array_walk -> memory errors). (Nikita)
Fixed bug #70713 (Use After Free Vulnerability in array_walk()/ array_walk_recursive()). (Nikita)
Streams:
Fixed bug #41021 (Problems with the ftps wrapper). (vhuk)
Fixed bug #54431 (opendir() does not work with ftps:// wrapper). (vhuk)
Fixed bug #72667 (opendir() with ftp:// attempts to open data stream for non-existent directories). (vhuk)
Wddx:
Fixed bug #72142 (WDDX Packet Injection Vulnerability in wddx_serialize_value()). (Taoguang Chen)
XMLRPC:
Fixed bug #72647 (xmlrpc_encode() unexpected output after referencing array elements). (Laruence)
Zip:
Fixed bug #72660 (NULL Pointer dereference in zend_virtual_cwd). (Laruence)

New in PHP 7.0.10 RC 1 (Aug 2, 2016)

Core:
Fixed bug #72629 (Caught exception assignment to variables ignores references). (Laruence)
Fixed bug #72594 (Calling an earlier instance of an included anonymous class fatals). (Laruence)
Fixed bug #72581 (previous property undefined in Exception after deserialization). (Laruence)
Fixed bug #72496 (Cannot declare public method with signature incompatible with parent private method). (Pedro Magalhães)
Fixed bug #72024 (microtime() leaks memory). (maroszek at gmx dot net)
Fixed bug #71911 (Unable to set --enable-debug on building extensions by phpize on Windows). (Yuji Uchiyama)
Fixed bug causing ClosedGeneratorException being thrown into the calling code instead of the Generator yielding from. (Bob)
Implemented FR #72614 (Support "nmake test" on building extensions by phpize). (Yuji Uchiyama)
Fixed bug #72641 (phpize (on Windows) ignores PHP_PREFIX). (Yuji Uchiyama)
Fixed potential segfault in object storage freeing in shutdown sequence. (Bob)
Fixed bug #72683 (getmxrr broken). (Anatol)
Calendar:
Fixed bug #67976 (cal_days_month() fails for final month of the French calendar). (cmb)
Fixed bug #71894 (AddressSanitizer: global-buffer-overflow in zif_cal_from_jd). (cmb)
COM:
Fixed bug #72569 (DOTNET/COM array parameters broke in PHP7). (Anatol)
CURL:
Fixed bug #71709 (curl_setopt segfault with empty CURLOPT_HTTPHEADER). (Pierrick)
Fixed bug #71929 (CURLINFO_CERTINFO data parsing error). (Pierrick)
DOM:
Fixed bug #66502 (DOM document dangling reference). (Sean Heelan, cmb)
Filter:
Fixed bug #71745 (FILTER_FLAG_NO_RES_RANGE does not cover whole 127.0.0.0/8 range). (bugs dot php dot net at majkl578 dot cz)
FPM:
Fixed bug #72575 (using --allow-to-run-as-root should ignore missing user). (gooh)
GD:
Fixed bug #72596 (imagetypes function won't advertise WEBP support). (cmb)
Fixed bug #72604 (imagearc() ignores thickness for full arcs). (cmb)
Fixed bug #70315 (500 Server Error but page is fully rendered). (cmb)
Fixed bug #43828 (broken transparency of imagearc for truecolor in blendingmode). (cmb)
Fixed bug #66555 (Always false condition in ext/gd/libgd/gdkanji.c). (cmb)
Fixed bug #68712 (suspicious if-else statements). (cmb)
Intl:
Fixed bug #72639 (Segfault when instantiating class that extends IntlCalendar and adds a property). (Laruence)
Partially fixed #72506 (idn_to_ascii for UTS #46 incorrect for long domain names). (cmb)
mbstring:
Fixed bug #72691 (mb_ereg_search raises a warning if a match zero-width). (cmb)
Fixed bug #72693 (mb_ereg_search increments search position when a match zero-width). (cmb)
Fixed bug #72694 (mb_ereg_search_setpos does not accept a string's last position). (cmb)
Fixed bug #72710 (`mb_ereg` causes buffer overflow on regexp compile error). (ju1ius)
Opcache:
Fixed bug #72590 (Opcache restart with kill_all_lockers does not work). (Keyur)
PCRE:
Fixed bug #72688 (preg_match missing group names in matches). (cmb)
PDO_pgsql:
Fixed bug #70313 (PDO statement fails to throw exception). (Matteo)
Implemented FR #72633 (Postgres PDO lastInsertId() should work without specifying a sequence). (Pablo Santiago Sánchez)
Reflection:
Fixed bug #72222 (ReflectionClass::export doesn't handle array constants). (Nikita Nefedov)
SimpleXML:
Fixed bug #72588 (Using global var doesn't work while accessing SimpleXML element). (Laruence)
SPL:
Fixed bug #55701 (GlobIterator throws LogicException). (Valentin VĂLCIU)
Fixed bug #72646 (SplFileObject::getCsvControl does not return the escape character). (cmb)
Fixed bug #72684 (AppendIterator segfault with closed generator). (Pierrick)
SQLite3:
Fixed bug #72668 (Spurious warning when exception is thrown in user defined function). (Laruence)
Fixed bug #72571 (SQLite3::bindValue, SQLite3::bindParam crash). (Laruence)
Implemented FR #72653 (SQLite should allow opening with empty filename). (cmb)
Updated to SQLite3 3.13.0. (cmb)
Standard:
Fixed bug #72622 (array_walk + array_replace_recursive create references from nothing). (Laruence)
Fixed bug #72152 (base64_decode $strict fails to detect null byte). (Lauri Kenttä)
Fixed bug #72263 (base64_decode skips a character after padding in strict mode). (Lauri Kenttä)
Fixed bug #72264 (base64_decode $strict fails with whitespace between padding). (Lauri Kenttä)
Fixed bug #72330 (CSV fields incorrectly split if escape char followed by UTF chars). (cmb)
Streams:
Fixed bug #41021 (Problems with the ftps wrapper). (vhuk)
Fixed bug #54431 (opendir() does not work with ftps:// wrapper). (vhuk)
Fixed bug #72667 (opendir() with ftp:// attempts to open data stream for non-existent directories). (vhuk)
XMLRPC:
Fixed bug #72647 (xmlrpc_encode() unexpected output after referencing array elements). (Laruence)
Wddx:
Fixed bug #72564 (boolean always deserialized as "true") (Remi)
Fixed bug #72142 (WDDX Packet Injection Vulnerability in wddx_serialize_value()). (Taoguang Chen)
Zip:
Fixed bug #72660 (NULL Pointer dereference in zend_virtual_cwd). (Laruence)

New in PHP 7.1.0 Beta 1 (Jul 21, 2016)

New in PHP 7.0.9 (Jul 19, 2016)

Core:
Fixed bug #72508 (strange references after recursive function call and "switch" statement). (Laruence)
Fixed bug #72513 (Stack-based buffer overflow vulnerability in virtual_file_ex). (Stas)
Fixed bug #72573 (HTTP_PROXY is improperly trusted by some PHP libraries and applications). (Stas)
bz2:
Fixed bug #72613 (Inadequate error handling in bzread()). (Stas)
CLI:
Fixed bug #72484 (SCRIPT_FILENAME shows wrong path if the user specify router.php). (Laruence)
COM:
Fixed bug #72498 (variant_date_from_timestamp null dereference). (Anatol)
Curl:
Fixed bug #72541 (size_t overflow lead to heap corruption). (Stas)
Exif:
Fixed bug #72603 (Out of bound read in exif_process_IFD_in_MAKERNOTE). (Stas)
Fixed bug #72618 (NULL Pointer Dereference in exif_process_user_comment). (Stas)
GD:
Fixed bug #43475 (Thick styled lines have scrambled patterns). (cmb)
Fixed bug #53640 (XBM images require width to be multiple of 8). (cmb)
Fixed bug #64641 (imagefilledpolygon doesn't draw horizontal line). (cmb)
Fixed bug #72512 (gdImageTrueColorToPaletteBody allows arbitrary write/read access). (Pierre)
Fixed bug #72519 (imagegif/output out-of-bounds access). (Pierre)
Fixed bug #72558 (Integer overflow error within _gdContributionsAlloc()). (Pierre)
Fixed bug #72482 (Ilegal write/read access caused by gdImageAALine overflow). (Pierre)
Fixed bug #72494 (imagecropauto out-of-bounds access). (Pierre)
Intl:
Fixed bug #72533 (locale_accept_from_http out-of-bounds access). (Stas)
Mbstring:
Fixed bug #72405 (mb_ereg_replace mbc_to_code (oniguruma) oob read access). (Laruence)
Fixed bug #72399 (Use-After-Free in MBString (search_re)). (Laruence)
mcrypt:
Fixed bug #72551, bug #72552 (In correct casting from size_t to int lead to heap overflow in mdecrypt_generic). (Stas)
PDO_pgsql:
Fixed bug #72570 (Segmentation fault when binding parameters on a query without placeholders). (Matteo)
PCRE:
Fixed bug #72476 (Memleak in jit_stack). (Laruence)
Fixed bug #72463 (mail fails with invalid argument). (Anatol)
Readline:
Fixed bug #72538 (readline_redisplay crashes php). (Laruence)
Standard:
Fixed bug #72505 (readfile() mangles files larger than 2G). (Cschneid)
Fixed bug #72306 (Heap overflow through proc_open and $env parameter). (Laruence)
Session:
Fixed bug #72531 (ps_files_cleanup_dir Buffer overflow). (Laruence)
Fixed bug #72562 (Use After Free in unserialize() with Unexpected Session Deserialization). (Stas)
SNMP:
Fixed bug #72479 (Use After Free Vulnerability in SNMP with GC and unserialize()). (Stas)
Streams:
Fixed bug #72439 (Stream socket with remote address leads to a segmentation fault). (Laruence)
XMLRPC:
Fixed bug #72606 (heap-buffer-overflow (write) simplestring_addn simplestring.c). (Stas)
Zip:
Fixed bug #72520 (Stack-based buffer overflow vulnerability in php_stream_zip_opener). (Stas)

New in PHP 7.0.9 RC 1 (Jul 6, 2016)

New in PHP 7.1.0 Alpha 3 (Jul 6, 2016)

Core:
Implemented RFC: Iterable. (Aaron Piotrowski)
Fixed bug #72523 (dtrace issue with reflection (failed test)). (Laruence)
Fixed bug #72508 (strange references after recursive function call and "switch" statement). (Laruence)
Implemented RFC: Closure::fromCallable (Danack)
COM:
Fixed bug #72498 (variant_date_from_timestamp null dereference). (Anatol)
CURL:
Add curl_multi_errno(), curl_share_errno() and curl_share_strerror()
functions. (Pierrick)
Add support for HTTP/2 Server Push (davey)
Date:
Invalid serialization data for a DateTime or DatePeriod object will now throw an instance of Error from __wakeup() or __set_state() instead of resulting in a fatal error. (Aaron Piotrowski)
Timezone initialization failure from serialized data will now throw an instance of Error from __wakeup() or __set_state() instead of resulting in a fatal error. (Aaron Piotrowski)
Export date_get_interface_ce() for extension use. (Jeremy Mikola)
DOM:
Invalid schema or RelaxNG validation contexts will throw an instance of Error instead of resulting in a fatal error. (Aaron Piotrowski)
Attempting to register a node class that does not extend the appropriate base class will now throw an instance of Error instead of resulting in a fatal error. (Aaron Piotrowski)
Attempting to read an invalid or write to a readonly property will throw an instance of Error instead of resulting in a fatal error. (Aaron Piotrowski)
GD:
Fixed bug #72404 (imagecreatefromjpeg fails on selfie). (cmb)
IMAP:
An email address longer than 16385 bytes will throw an instance of Error instead of resulting in a fatal error. (Aaron Piotrowski)
Intl:
Failure to call the parent constructor in a class extending Collator before invoking the parent methods will throw an instance of Error instead of resulting in a recoverable fatal error. (Aaron Piotrowski)
Cloning a Transliterator object may will now throw an instance of Error instead of resulting in a fatal error if cloning the internal transliterator fails. (Aaron Piotrowski)
LDAP:
Providing an unknown modification type to ldap_batch_modify() will now throw an instance of Error instead of resulting in a fatal error. (Aaron Piotrowski)
Mbstring:
mb_ereg() and mb_eregi() will now throw an instance of ParseError if an invalid PHP expression is provided and the 'e' option is used. (Aaron Piotrowski)
Mcrypt:
mcrypt_encrypt() and mcrypt_decrypt() will throw an instance of Error instead of resulting in a fatal error if mcrypt cannot be initialized. (Aaron Piotrowski)
Mysqli:
Attempting to read an invalid or write to a readonly property will throw an instance of Error instead of resulting in a fatal error. (Aaron Piotrowski)
OpenSSL:
Implemented FR #61204 (Add elliptic curve support for OpenSSL). (Dominic Luechinger)
PCRE:
Fixed bug #72476 (Memleak in jit_stack). (Laruence)
Fixed bug #72463 (mail fails with invalid argument). (Anatol)
Readline:
Fixed bug #72538 (readline_redisplay crashes php). (Laruence)
Reflection:
Failure to retrieve a reflection object or retrieve an object property will now throw an instance of Error instead of resulting in a fatal error. (Aaron Piotrowski)
SQLite3:
Fixed bug #70628 (Clearing bindings on an SQLite3 statement doesn't work). (cmb)
Session:
Fixed bug #72531 (ps_files_cleanup_dir Buffer overflow). (Laruence)
Custom session handlers that do not return strings for session IDs will now throw an instance of Error instead of resulting in a fatal error when a function is called that must generate a session ID. (Aaron Piotrowski)
An invalid setting for session.hash_function will throw an instance of Error instead of resulting in a fatal error when a session ID is created. (Aaron Piotrowski)
SimpleXML:
Creating an unnamed or duplicate attribute will throw an instance of Error instead of resulting in a fatal error. (Aaron Piotrowski)
SPL:
Attempting to clone an SplDirectory object will throw an instance of Error instead of resulting in a fatal error. (Aaron Piotrowski)
Calling ArrayIterator::append() when iterating over an object will throw an instance of Error instead of resulting in a fatal error. (Aaron Piotrowski)
Fixed bug #55701 (GlobIterator throws LogicException). (Valentin VĂLCIU)
Standard:
Implemented RFC: More precise float values. (Jakub Zelenka, Yasuo)
array_multisort now uses zend_sort instead zend_qsort. (Laruence)
Fixed bug #72505 (readfile() mangles files larger than 2G). (Cschneid)
assert() will throw a ParseError when evaluating a string given as the first argument if the PHP code is invalid instead of resulting in a catchable fatal error. (Aaron Piotrowski)
Calling forward_static_call() outside of a class scope will now throw an instance of Error instead of resulting in a fatal error. (Aaron Piotrowski)
Streams:
Fixed bug #72534 (stream_socket_get_name crashes). (Anatol)
Tidy:
Creating a tidyNode manually will now throw an instance of Error instead of resulting in a fatal error. (Aaron Piotrowski)
WDDX:
A circular reference when serializing will now throw an instance of Error instead of resulting in a fatal error. (Aaron Piotrowski)
XML-RPC:
A circular reference when serializing will now throw an instance of Error instead of resulting in a fatal error. (Aaron Piotrowski)
Zip:
ZipArchive::addGlob() will throw an instance of Error instead of resulting in a fatal error if glob support is not available. (Aaron Piotrowski)

New in PHP 7.1.0 Alpha 2 (Jun 22, 2016)

Core:
Implemented RFC: Replace "Missing argument" warning with "Too few arguments" exception. (Dmitry)
Implemented RFC: Fix inconsistent behavior of $this variable. (Dmitry)
Fixed bug #72441 (Segmentation fault: RFC list_keys). (Laruence)
Fixed bug #72395 (list() regression). (Laruence)
Fixed bug #72373 (TypeError after Generator function w/declared return type finishes). (Nikita)
Fixed bug #69489 (tempnam() should raise notice if falling back to temp dir). (Laruence, Anatol)
Fixed UTF-8 and long path support on Windows. (Anatol)
Fixed bug #72268 (Integer Overflow in nl2br()). (Stas)
Fixed bug #72275 (Integer Overflow in json_encode()/json_decode()/ json_utf8_to_utf16()). (Stas)
Fixed bug #72400 (Integer Overflow in addcslashes/addslashes). (Stas)
Fixed bug #72403 (Integer Overflow in Length of String-typed ZVAL). (Stas)
GD:
Fixed bug #43475 (Thick styled lines have scrambled patterns). (cmb)
Fixed bug #53640 (XBM images require width to be multiple of 8). (cmb)
Fixed bug #64641 (imagefilledpolygon doesn't draw horizontal line). (cmb)
Fixed bug #72298 (pass2_no_dither out-of-bounds access). (Stas)
Fixed bug #72339 (Integer Overflow in _gd2GetHeader() resulting in heap overflow). (Pierre)
Fixed bug #72407 (NULL Pointer Dereference at _gdScaleVert). (Stas)
JSON
Implemented FR #46600 ("_empty_" key in objects). (Jakub Zelenka)
Mbstring:
Fixed bug #72405 (mb_ereg_replace mbc_to_code (oniguruma) oob read access). (Laruence)
Fixed bug #72399 (Use-After-Free in MBString (search_re)). (Laruence)
Fixed bug #72402 (_php_mb_regex_ereg_replace_exec double free). (Stas)
mcrypt:
Fixed bug #72455 (Heap Overflow due to integer overflows). (Stas)
OpenSSL:
Implemented FR #67304 (Added AEAD support [CCM and GCM modes] to openssl_encrypt and openssl_decrypt). (Jakub Zelenka)
Implemented error storing to the global queue and cleaning up the OpenSSL error queue (resolves bugs #68276 and #69882). (Jakub Zelenka)
PCRE:
Upgraded to PCRE 8.39. (Anatol)
SPL:
Fixed bug #72262 (int/size_t confusion in SplFileObject::fread). (Stas)
Fixed bug #72433 (Use After Free Vulnerability in PHP's GC algorithm and unserialize). (Dmitry)
Sqlite3:
Implemented FR #72385 (Update SQLite bundle lib(3.13.0)). (Laruence)
Standard:
Fixed bug #72306 (Heap overflow through proc_open and $env parameter). (Laruence)
Streams:
Fixed bug #72439 (Stream socket with remote address leads to a segmentation fault). (Laruence)
WDDX:
Fixed bug #72340 (Double Free Courruption in wddx_deserialize). (Stas)
zip:
Fixed bug #72434 (ZipArchive class Use After Free Vulnerability in PHP's GC algorithm and unserialize). (Dmitry)

New in PHP 7.0.8 (Jun 21, 2016)

Core:
Fixed bug #72218 (If host name cannot be resolved then PHP 7 crashes). (Esminis at esminis dot lt)
Fixed bug #72221 (segfault, past-the-end access). (Lauri Kenttä)
Fixed bug #72268 (Integer Overflow in nl2br()). (Stas)
Fixed bug #72275 (Integer Overflow in json_encode()/json_decode()/ json_utf8_to_utf16()). (Stas)
Fixed bug #72400 (Integer Overflow in addcslashes/addslashes). (Stas)
Fixed bug #72403 (Integer Overflow in Length of String-typed ZVAL). (Stas)
FPM:
Fixed bug #72308 (fastcgi_finish_request and logging environment variables). (Laruence)
GD:
Fixed bug #72298 (pass2_no_dither out-of-bounds access). (Stas)
Fixed bug #72337 (invalid dimensions can lead to crash) (Pierre)
Fixed bug #72339 (Integer Overflow in _gd2GetHeader() resulting in heap overflow). (Pierre)
Fixed bug #72407 (NULL Pointer Dereference at _gdScaleVert). (Stas)
Intl:
Fixed bug #64524 (Add intl.use_exceptions to php.ini-*). (Anatol)
mbstring:
Fixed bug #72402 (_php_mb_regex_ereg_replace_exec double free). (Stas)
mcrypt:
Fixed bug #72455 (Heap Overflow due to integer overflows). (Stas)
PCRE:
Fixed bug #72143 (preg_replace uses int instead of size_t). (Joe)
PDO_pgsql:
Fixed bug #71573 (Segfault (core dumped) if paramno beyond bound). (Laruence)
Fixed bug #72294 (Segmentation fault/invalid pointer in connection with pgsql_stmt_dtor). (Anatol)
Phpdbg:
Fixed bug #72284 (phpdbg fatal errors with coverage). (Bob)
Postgres:
Fixed bug #72195 (pg_pconnect/pg_connect cause use-after-free). (Laruence)
Fixed bug #72197 (pg_lo_create arbitrary read). (Anatol)
SPL:
Fixed bug #72262 (int/size_t confusion in SplFileObject::fread). (Stas)
Fixed bug #72433 (Use After Free Vulnerability in PHP's GC algorithm and unserialize). (Dmitry)
Standard:
Fixed bug #72017 (range() with float step produces unexpected result). (Thomas Punt)
Fixed bug #72193 (dns_get_record returns array containing elements of type 'unknown'). (Laruence)
Fixed bug #72229 (Wrong reference when serialize/unserialize an object). (Laruence)
Fixed bug #72300 (ignore_user_abort(false) has no effect). (Laruence)
XML:
Fixed bug #72206 (xml_parser_create/xml_parser_free leaks mem). (Joe)
XMLRPC:
Fixed bug #72155 (use-after-free caused by get_zval_xmlrpc_type). (Joe, Laruence)
WDDX:
Fixed bug #72340 (Double Free Courruption in wddx_deserialize). (Stas)
Zip:
Fixed ug #72258 (ZipArchive converts filenames to unrecoverable form). (Anatol)
Fixed bug #72434 (ZipArchive class Use After Free Vulnerability in PHP's GC algorithm and unserialize). (Dmitry)

New in PHP 7.1.0 Alpha 1 (Jun 8, 2016)

Core:
Added nullable types. (Levi, Dmitry)
Added DFA optimization framework based on e-SSA form. (Dmitry, Nikita)
Added specialized opcode handlers (e.g. ZEND_ADD_LONG_NO_OVERFLOW). (Dmitry)
Change statement and fcall extension handlers to accept frame. (Joe)
Implemented safe execution timeout handling, that prevents random crashes after "Maximum execution time exceeded" error. (Dmitry)
Fixed bug #53432 (Assignment via string index access on an empty string converts to array). (Nikita)
Fixed bug #62210 (Exceptions can leak temporary variables). (Dmitry, Bob)
Fixed bug #62814 (It is possible to stiffen child class members visibility). (Nikita)
Fixed bug #69989 (Generators don't participate in cycle GC). (Nikita)
Fixed bug #71604 (Aborted Generators continue after nested finally). (Nikita)
Fixed bug #71572 (String offset assignment from an empty string inserts null byte). (Francois)
Fixed bug #71897 (ASCII 0x7F Delete control character permitted in identifiers). (Andrea)
Fixed bug #72188 (Nested try/finally blocks losing return value). (Dmitry)
Fixed bug #72213 (Finally leaks on nested exceptions). (Dmitry, Nikita)
Implemented the RFC `Support Class Constant Visibility`. (Sean DuBois, Reeze Xia, Dmitry)
Added void return type. (Andrea)
Added support for negative string offsets in string offset syntax and various string functions. (Francois)
Added a form of the list() construct where keys can be specified. (Andrea)
Number operators taking numeric strings now emit E_NOTICEs or E_WARNINGs when given malformed numeric strings. (Andrea)
(int), intval() where $base is 10 or unspecified, settype(), decbin(), decoct(), dechex(), integer operators and other conversions now always respect scientific notation in numeric strings. (Andrea)
Implemented the RFC `Catching multiple exception types`. (Bronislaw Bialek, Pierrick)
Raise a compile-time warning on octal escape sequence overflow. (Sara)
Added [] = as alternative construct to list() =. (Bob)
Implemented logging to syslog with dynamic error levels. (Jani Ollikainen)
Fixed bug #47517 (php-cgi.exe missing UAC manifest). (maxdax15801 at users noreply github com)
Apache2handler:
Enable per-module logging in Apache 2.4+. (Martin Vobruba)
CLI Server:
Fixed bug #71276 (Built-in webserver does not send Date header). (see at seos fr)
FTP:
Implemented FR #55651 (Option to ignore the returned FTP PASV address). (abrender at elitehosts dot com)
Intl:
Added IntlTimeZone::getWindowsID() and IntlTimeZone::getIDForWindowsID(). (Sara)
Fixed bug #69374 (IntlDateFormatter formatObject returns wrong utf8 value). (lenhatanh86 at gmail com)
Fixed bug #69398 (IntlDateFormatter formatObject returns wrong value when time style is NONE). (lenhatanh86 at gmail com)
Hash:
Added SHA3 fixed mode algorithms (224, 256, 384, and 512 bit). (Sara)
Added SHA512/256 and SHA512/224 algorithms. (Sara)
JSON:
Exported JSON parser API including json_parser_method that can be used for implementing custom logic when parsing JSON. (Jakub Zelenka)
Escaped U+2028 and U+2029 when JSON_UNESCAPED_UNICODE is supplied as json_encode options and added JSON_UNESCAPED_LINE_TERMINATORS to restore the previous behaviour. (Eddie Kohler)
PDO_Firebird:
Fixed bug #60052 (Integer returned as a 64bit integer on X86_64). (Mariuz)
Pgsql:
Implemented FR #31021 (pg_last_notice() is needed to get all notice messages). (Yasuo)
Implemented FR #48532 (Allow pg_fetch_all() to index numerically). (Yasuo)
Reflection:
Fix #72209 (ReflectionProperty::getValue() doesn't fail if object doesn't match type). (Joe)
Session:
Improved fix for bug #68063 (Empty session IDs do still start sessions). (Yasuo)
Fixed bug #71038 (session_start() returns TRUE on failure). Session save handlers must return 'string' always for successful read. i.e. Non-existing session read must return empty string. PHP 7.0 is made not to tolerate buggy return value. (Yasuo)
Fixed bug #71394 (session_regenerate_id() must close opened session on errors). (Yasuo)
SQLite3:
Implemented FR #71159 (Upgraded bundled SQLite lib to 3.9.2). (Laruence)
Standard:
Fixed bug #71100 (long2ip() doesn't accept integers in strict mode). (Laruence)
Implemented FR #55716 (Add an option to pass a custom stream context to get_headers()). (Ferenc)
Additional validation for parse_url() for login/pass components). (Ilia) (Julien)
Implemented FR #69359 (Provide a way to fetch the current environment variables). (Ferenc)
unpack() function accepts an additional optional argument $offset. (Dmitry)
Implemented #51879 stream context socket option tcp_nodelay (Joe)

New in PHP 7.0.8 RC 1 (Jun 8, 2016)

New in PHP 7.0.7 (May 25, 2016)

Core:
Fixed bug #72162 (use-after-free error_reporting). (Laruence)
Add compiler option to disable special case function calls. (Joe)
Fixed bug #72101 (crash on complex code). (Dmitry)
Fixed bug #72100 (implode() inserts garbage into resulting string when joins very big integer). (Mikhail Galanin)
Fixed bug #72057 (PHP Hangs when using custom error handler and typehint). (Nikita Nefedov)
Fixed bug #72038 (Function calls with values to a by-ref parameter don't always throw a notice). (Bob)
Fixed bug #71737 (Memory leak in closure with parameter named $this). (Nikita)
Fixed bug #72059 (?? is not allowed on constant expressions). (Bob, Marcio)
Fixed bug #72159 (Imported Class Overrides Local Class Name). (Nikita)
Curl:
Fixed bug #68658 (Define CURLE_SSL_CACERT_BADFILE). (Pierrick)
DBA:
Fixed bug #72157 (use-after-free caused by dba_open). (Shm, Laruence)
GD:
Fixed bug #72227 (imagescale out-of-bounds read). (Stas)
Intl:
Fixed #72241 (get_icu_value_internal out-of-bounds read). (Stas)
JSON:
Fixed bug #72069 (Behavior \JsonSerializable different from json_encode). (Laruence)
Mbstring:
Fixed bug #72164 (Null Pointer Dereference mb_ereg_replace). (Laruence)
OCI8:
Fixed bug #71600 (oci_fetch_all segfaults when selecting more than eight columns). (Tian Yang)
Opcache:
Fixed bug #72014 (Including a file with anonymous classes multiple times leads to fatal error). (Laruence)
OpenSSL:
Fixed bug #72165 (Null pointer dereference openssl_csr_new). (Anatol)
PCNTL:
Fixed bug #72154 (pcntl_wait/pcntl_waitpid array internal structure overwrite). (Laruence)
POSIX:
Fixed bug #72133 (php_posix_group_to_array crashes if gr_passwd is NULL). (esminis at esminis dot lt)
Postgres:
Fixed bug #72028 (pg_query_params(): NULL converts to empty string). (Laruence)
Fixed bug #71062 (pg_convert() doesn't accept ISO 8601 for datatype timestamp). (denver at timothy dot io)
Fixed bug #72151 (mysqli_fetch_object changed behaviour). (Anatol)
Reflection:
Fixed bug #72174 (ReflectionProperty#getValue() causes __isset call). (Nikita)
Session:
Fixed bug #71972 (Cyclic references causing session_start(): Failed to decode session object). (Laruence)
Sockets:
Added socket_export_stream() function for getting a stream compatible resource from a socket resource. (Chris Wright, Bob)
SPL:
Fixed bug #72051 (The reference in CallbackFilterIterator doesn't work as expected). (Laruence)
SQLite3:
Fixed bug #68849 (bindValue is not using the right data type). (Anatol)
Standard:
Fixed bug #72075 (Referencing socket resources breaks stream_select). (Laruence)
Fixed bug #72031 (array_column() against an array of objects discards all values matching null). (Nikita)

New in PHP 7.0.7 RC 1 (May 11, 2016)

Core:
Fixed bug #72162 (use-after-free error_reporting). (Laruence)
Add compiler option to disable special case function calls. (Joe)
Fixed bug #72101 (crash on complex code). (Dmitry)
Fixed bug #72100 (implode() inserts garbage into resulting string when joins very big integer). (Mikhail Galanin)
Fixed bug #72057 (PHP Hangs when using custom error handler and typehint). (Nikita Nefedov)
Fixed bug #72038 (Function calls with values to a by-ref parameter don't always throw a notice). (Bob)
Fixed bug #71737 (Memory leak in closure with parameter named $this). (Nikita)
Fixed bug #72059 (?? is not allowed on constant expressions). (Bob, Marcio)
Fixed bug #72159 (Imported Class Overrides Local Class Name). (Nikita)
Curl:
Fixed bug #68658 (Define CURLE_SSL_CACERT_BADFILE). (Pierrick)
DBA:
Fixed bug #72157 (use-after-free caused by dba_open). (Shm, Laruence)
JSON:
Fixed bug #72069 (Behavior \JsonSerializable different from json_encode). (Laruence)
Mbstring:
Fixed bug #72164 (Null Pointer Dereference mb_ereg_replace). (Laruence)
OCI8:
Fixed bug #71600 (oci_fetch_all segfaults when selecting more than eight columns). (Tian Yang)
Opcache:
Fixed bug #72014 (Including a file with anonymous classes multiple times leads to fatal error). (Laruence)
OpenSSL:
Fixed bug #72165 (Null pointer dereference openssl_csr_new). (Anatol)
PCNTL:
Fixed bug #72154 (pcntl_wait/pcntl_waitpid array internal structure overwrite). (Laruence)
POSIX:
Fixed bug #72133 (php_posix_group_to_array crashes if gr_passwd is NULL). (esminis at esminis dot lt)
Postgres:
Fixed bug #72028 (pg_query_params(): NULL converts to empty string). (Laruence)
Fixed bug #71062 (pg_convert() doesn't accept ISO 8601 for datatype timestamp). (denver at timothy dot io)
Fixed bug #72151 (mysqli_fetch_object changed behaviour). (Anatol)
Reflection:
Fixed bug #72174 (ReflectionProperty#getValue() causes __isset call). (Nikita)
Session:
Fixed bug #71972 (Cyclic references causing session_start(): Failed to decode session object). (Laruence)
Sockets:
Added socket_export_stream() function for getting a stream compatible resource from a socket resource. (Chris Wright, Bob)
SPL:
Fixed bug #72051 (The reference in CallbackFilterIterator doesn't work as expected). (Laruence)
SQLite3:
Fixed bug #68849 (bindValue is not using the right data type). (Anatol)
Standard:
Fixed bug #72075 (Referencing socket resources breaks stream_select). (Laruence)
Fixed bug #72031 (array_column() against an array of objects discards all values matching null). (Nikita)

New in PHP 7.0.6 (Apr 27, 2016)

New in PHP 7.0.6 RC 1 (Apr 12, 2016)

New in PHP 7.0.5 (Mar 29, 2016)

Core:
Huge pages disabled by default. (Rasmus)
Added ability to enable huge pages in Zend Memory Manager through the environment variable USE_ZEND_ALLOC_HUGE_PAGES=1. (Dmitry)
Fixed bug #71756 (Call-by-reference widens scope to uninvolved functions when used in switch). (Laruence)
Fixed bug #71729 (Possible crash in zend_bin_strtod, zend_oct_strtod, zend_hex_strtod). (Laruence)
Fixed bug #71695 (Global variables are reserved before execution). (Laruence)
Fixed bug #71629 (Out-of-bounds access in php_url_decode in context php_stream_url_wrap_rfc2397). (mt at debian dot org)
Fixed bug #71622 (Strings used in pass-as-reference cannot be used to invoke C::$callable()). (Bob)
Fixed bug #71596 (Segmentation fault on ZTS with date function (setlocale)). (Anatol)
Fixed bug #71535 (Integer overflow in zend_mm_alloc_heap()). (Dmitry)
Fixed bug #71470 (Leaked 1 hashtable iterators). (Nikita)
Fixed bug #71575 (ISO C does not allow extra ‘;’ outside of a function). (asgrim)
Fixed bug #71724 (yield from does not count EOLs). (Nikita)
Fixed bug #71767 (ReflectionMethod::getDocComment returns the wrong comment). (Grigorii Sokolik)
Fixed bug #71806 (php_strip_whitespace() fails on some numerical values). (Nikita)
Fixed bug #71624 (`php -R` (PHP_MODE_PROCESS_STDIN) is broken). (Sean DuBois)
CLI Server:
Fixed bug #69953 (Support MKCALENDAR request method). (Christoph)
Curl:
Fixed bug #71694 (Support constant CURLM_ADDED_ALREADY). (mpyw)
Date:
Fixed bug #71635 (DatePeriod::getEndDate segfault). (Thomas Punt)
Fileinfo:
Fixed bug #71527 (Buffer over-write in finfo_open with malformed magic file). (Anatol)
libxml:
Fixed bug #71536 (Access Violation crashes php-cgi.exe). (Anatol)
mbstring:
Fixed bug #71906 (AddressSanitizer: negative-size-param (-1) in mbfl_strcut). (Stas)
ODBC:
Fixed bug #47803, #69526 (Executing prepared statements is succesfull only for the first two statements). (einavitamar at gmail dot com, Anatol)
PCRE:
Fixed bug #71659 (segmentation fault in pcre running twig tests). (nish dot aravamudan at canonical dot com)
PDO_DBlib:
Bug #54648 (PDO::MSSQL forces format of datetime fields). (steven dot lambeth at gmx dot de, Anatol)
Phar:
Fixed bug #71625 (Crash in php7.dll with bad phar filename). (Anatol)
Fixed bug #71317 (PharData fails to open specific file). (Jos Elstgeest)
Fixed bug #71860 (Invalid memory write in phar on filename with \0 in name). (Stas)
phpdbg:
Fixed crash when advancing (except step) inside an internal function. (Bob)
Session:
Fixed Bug #71683 (Null pointer dereference in zend_hash_str_find_bucket). (Yasuo)
SNMP:
Fixed bug #71704 (php_snmp_error() Format String Vulnerability). (andrew at jmpesp dot org)
SPL:
Fixed bug #71617 (private properties lost when unserializing ArrayObject). (Nikita)
Standard:
Fixed bug #71660 (array_column behaves incorrectly after foreach by reference). (Laruence)
Fixed bug #71798 (Integer Overflow in php_raw_url_encode). (taoguangchen at icloud dot com, Stas)
Zip:
Update bundled libzip to 1.1.2. (Remi, Anatol)

New in PHP 7.0.5 RC 1 (Mar 15, 2016)

CLI Server:
Fixed bug #69953 (Support MKCALENDAR request method). (Christoph)
Core:
Fixed bug #71756 (Call-by-reference widens scope to uninvolved functions when used in switch). (Laruence)
Fixed bug #71729 (Possible crash in zend_bin_strtod, zend_oct_strtod, zend_hex_strtod). (Laruence)
Fixed bug #71695 (Global variables are reserved before execution). (Laruence)
Fixed bug #71629 (Out-of-bounds access in php_url_decode in context php_stream_url_wrap_rfc2397). (mt at debian dot org)
Fixed bug #71622 (Strings used in pass-as-reference cannot be used to invoke C::$callable()). (Bob)
Fixed bug #71596 (Segmentation fault on ZTS with date function (setlocale)). (Anatol)
Fixed bug #71535 (Integer overflow in zend_mm_alloc_heap()). (Dmitry)
Fixed bug #71470 (Leaked 1 hashtable iterators). (Nikita)
Fixed bug #71575 (ISO C does not allow extra ‘;’ outside of a function). (asgrim)
Fixed bug #71724 (yield from does not count EOLs). (Nikita)
Fixed bug #71767 (ReflectionMethod::getDocComment returns the wrong comment). (Grigorii Sokolik)
Fixed bug #71806 (php_strip_whitespace() fails on some numerical values). (Nikita)
Fixed bug #71624 (`php -R` (PHP_MODE_PROCESS_STDIN) is broken). (Sean DuBois)
Curl:
Fixed bug #71694 (Support constant CURLM_ADDED_ALREADY). (mpyw)
Date:
Fixed bug #71635 (DatePeriod::getEndDate segfault). (Thomas Punt)
libxml:
Fixed bug #71536 (Access Violation crashes php-cgi.exe). (Anatol)
ODBC:
Fixed bug #47803, #69526 (Executing prepared statements is succesfull only for the first two statements). (einavitamar at gmail dot com, Anatol)
PCRE:
Fixed bug #71659 (segmentation fault in pcre running twig tests). (nish dot aravamudan at canonical dot com)
PDO_DBlib:
Bug #54648 (PDO::MSSQL forces format of datetime fields). (steven dot lambeth at gmx dot de, Anatol)
Phar:
Fixed bug #71625 (Crash in php7.dll with bad phar filename). (Anatol)
Fixed bug #71317 (PharData fails to open specific file). (Jos Elstgeest)
phpdbg:
Fixed crash when advancing (except step) inside an internal function. (Bob)
Session:
Fixed Bug #71683 (Null pointer dereference in zend_hash_str_find_bucket). (Yasuo)
SPL:
Fixed bug #71617 (private properties lost when unserializing ArrayObject). (Nikita)
Standard:
Fixed bug #71660 (array_column behaves incorrectly after foreach by reference). (Laruence)
Zip:
Update bundled libzip to 1.1.2. (Remi, Anatol)

New in PHP 7.0.4 (Mar 3, 2016)

Core:
Fixed bug (Low probability segfault in zend_arena). (Laruence)
Fixed bug #71441 (Typehinted Generator with return in try/finally crashes). (Bob)
Fixed bug #71442 (forward_static_call crash). (Laruence)
Fixed bug #71443 (Segfault using built-in webserver with intl using symfony). (Laruence)
Fixed bug #71449 (An integer overflow bug in php_implode()). (Stas)
Fixed bug #71450 (An integer overflow bug in php_str_to_str_ex()). (Stas)
Fixed bug #71474 (Crash because of VM stack corruption on Magento2). (Dmitry)
Fixed bug #71485 (Return typehint on internal func causes Fatal error when it throws exception). (Laruence)
Fixed bug #71529 (Variable references on array elements don't work when using count). (Nikita)
Fixed bug #71601 (finally block not executed after yield from). (Bob)
Fixed bug #71637 (Multiple Heap Overflow due to integer overflows in xml/filter_url/addcslashes). (Stas)
CLI server:
Fixed bug #71559 (Built-in HTTP server, we can download file in web by bug). (Johannes, Anatol)
CURL:
Fixed bug #71523 (Copied handle with new option CURLOPT_HTTPHEADER crashes while curl_multi_exec). (Laruence)
Fixed memory leak in curl_getinfo(). (Leigh)
Date:
Fixed bug #71525 (Calls to date_modify will mutate timelib_rel_time, causing date_date_set issues). (Sean DuBois)
Fileinfo:
Fixed bug #71434 (finfo throws notice for specific python file). (Laruence)
FPM:
Fixed bug #62172 (FPM not working with Apache httpd 2.4 balancer/fcgi setup). (Matt Haught, Remi)
Fixed bug #71269 (php-fpm dumped core). (Mickaël)
Opcache:
Fixed bug #71584 (Possible use-after-free of ZCG(cwd) in Zend Opcache). (Yussuf Khalil)
PCRE:
Fixed bug #71537 (PCRE segfault from Opcache). (Laruence)
phpdbg:
Fixed inherited functions from unspecified files being included in phpdbg_get_executable(). (Bob)
SOAP:
Fixed bug #71610 (Type Confusion Vulnerability SOAP / make_http_soap_request()). (Stas)
Standard:
Fixed bug #71603 (compact() maintains references in php7). (Laruence)
Fixed bug #70720 (strip_tags improper php code parsing). (Julien)
XMLRPC:
Fixed bug #71501 (xmlrpc_encode_request ignores encoding option). (Hieu Le)
Zip:
Fixed bug #71561 (NULL pointer dereference in Zip::ExtractTo). (Laruence)

New in PHP 7.0.3 (Feb 2, 2016)

Core:
Added support for new HTTP 451 code. (Julien)
Fixed bug #71039 (exec functions ignore length but look for NULL termination). (Anatol)
Fixed bug #71089 (No check to duplicate zend_extension). (Remi)
Fixed bug #71201 (round() segfault on 64-bit builds). (Anatol)
Fixed bug #71221 (Null pointer deref (segfault) in get_defined_vars via ob_start). (hugh at allthethings dot co dot nz)
Fixed bug #71248 (Wrong interface is enforced). (Dmitry)
Fixed bug #71273 (A wrong ext directory setup in php.ini leads to crash). (Anatol)
Fixed Bug #71275 (Bad method called on cloning an object having a trait). (Bob)
Fixed bug #71297 (Memory leak with consecutive yield from). (Bob)
Fixed bug #71300 (Segfault in zend_fetch_string_offset). (Laruence)
Fixed bug #71314 (var_export(INF) prints INF.0). (Andrea)
Fixed bug #71323 (Output of stream_get_meta_data can be falsified by its input). (Leo Gaspard)
Fixed bug #71336 (Wrong is_ref on properties as exposed via get_object_vars()). (Laruence)
Fixed bug #71459 (Integer overflow in iptcembed()). (Stas)
Apache2handler:
Fix >2G Content-Length headers in apache2handler. (Adam Harvey)
CURL:
Fixed bug #71227 (Can't compile php_curl statically). (Anatol)
Fixed bug #71225 (curl_setopt() fails to set CURLOPT_POSTFIELDS with reference to CURLFile). (Laruence)
Interbase:
Fixed Bug #71305 (Crash when optional resource is omitted).
(Laruence, Anatol)
LDAP:
Fixed bug #71249 (ldap_mod_replace/ldap_mod_add store value as string "Array"). (Laruence)
mbstring:
Fixed bug #71397 (mb_send_mail segmentation fault). (Andrea, Yasuo)
OpenSSL:
Fixed bug #71475 (openssl_seal() uninitialized memory usage). (Stas)
Phar:
Fixed bug #71354 (Heap corruption in tar/zip/phar parser). (Stas)
Fixed bug #71391 (NULL Pointer Dereference in phar_tar_setupmetadata()). (Stas)
Fixed bug #71488 (Stack overflow when decompressing tar archives). (Stas)
SOAP:
Fixed bug #70979 (crash with bad soap request). (Anatol)
SPL:
Fixed bug #71204 (segfault if clean spl_autoload_funcs while autoloading). (Laruence)
Fixed bug #71202 (Autoload function registered by another not activated immediately). (Laruence)
Fixed bug #71311 (Use-after-free vulnerability in SPL(ArrayObject, unserialize)). (Sean Heelan)
Fixed bug #71313 (Use-after-free vulnerability in SPL(SplObjectStorage, unserialize)). (Sean Heelan)
Standard:
Fixed bug #71287 (Error message contains hexadecimal instead of decimal number). (Laruence)
Fixed bug #71264 (file_put_contents() returns unexpected value when filesystem runs full). (Laruence)
Fixed bug #71245 (file_get_contents() ignores "header" context option if it's a reference). (Laruence)
Fixed bug #71220 (Null pointer deref (segfault) in compact via ob_start). (hugh at allthethings dot co dot nz)
Fixed bug #71190 (substr_replace converts integers in original $search array to strings). (Laruence)
Fixed bug #71188 (str_replace converts integers in original $search array to strings). (Laruence)
Fixed bug #71132, #71197 (range() segfaults). (Thomas Punt)
WDDX:
Fixed bug #71335 (Type Confusion in WDDX Packet Deserialization). (Stas)

New in PHP 7.0.3 RC 1 (Jan 19, 2016)

Core:
Fixed bug #71336 (Wrong is_ref on properties as exposed via get_object_vars()). (Laruence)
Fixed bug #71248 (Wrong interface is enforced). (Dmitry)
Fixed bug #71300 (Segfault in zend_fetch_string_offset). (Laruence)
Fixed bug #71221 (Null pointer deref (segfault) in get_defined_vars via ob_start). (hugh at allthethings dot co dot nz)
Fixed bug #71201 (round() segfault on 64-bit builds). (Anatol)
Added support for new HTTP 451 code. (Julien)
Fixed Bug #71275 (Bad method called on cloning an object having a trait). (Bob)
Fixed bug #71273 (A wrong ext directory setup in php.ini leads to crash). (Anatol)
Fixed bug #71297 (Memory leak with consecutive yield from). (Bob)
Fixed bug #71314 (var_export(INF) prints INF.0). (Andrea)
Apache2handler:
Fix >2G Content-Length headers in apache2handler. (Adam Harvey)
CURL:
Fixed bug #71227 (Can't compile php_curl statically). (Anatol)
Fixed bug #71225 (curl_setopt() fails to set CURLOPT_POSTFIELDS with reference to CURLFile). (Laruence)
Interbase:
Fixed Bug #71305 (Crash when optional resource is omitted). (Laruence, Anatol)
LDAP:
Fixed bug #71249 (ldap_mod_replace/ldap_mod_add store value as string "Array"). (Laruence)
mbsgring:
Fixed bug #71397 (mb_send_mail segmentation fault). (Andrea, Yasuo)
SOAP:
Fixed bug #70979 (crash with bad soap request). (Anatol)
SPL:
Fixed bug #71204 (segfault if clean spl_autoload_funcs while autoloading). (Laruence)
Fixed bug #71202 (Autoload function registered by another not activated immediately). (Laruence)
Session:
Improved fix for bug #68063 (Empty session IDs do still start sessions). (Yasuo)
Fixed bug #69111 (Crash in SessionHandler::read()) (Yasuo)
Fixed bug #71038 (session_start() returns TRUE on failure). Session save handlers must return 'string' always for successful read. i.e. Non-existing session read must return empty string. PHP 7.0 is made not to tolerate buggy return value. (Yasuo)
Fixed bug #71394 (session_regenerate_id() must close opened session on errors). (Yasuo)
Standard:
Fixed bug #71287 (Error message contains hexadecimal instead of decimal number). (Laruence)
Fixed bug #71264 (file_put_contents() returns unexpected value when filesystem runs full). (Laruence)
Fixed bug #71245 (file_get_contents() ignores "header" context option if it's a reference). (Laruence)
Fixed bug #71220 (Null pointer deref (segfault) in compact via ob_start). (hugh at allthethings dot co dot nz)
Fixed bug #71190 (substr_replace converts integers in original $search array to strings). (Laruence)
Fixed bug #71188 (str_replace converts integers in original $search array to strings). (Laruence)
Fixed bug #70720 (strip_tags improper php code parsing). (Julien)
Fixed bug #71132, #71197 (range() segfaults). (Thomas Punt)

New in PHP 7.0.2 (Jan 7, 2016)

Core:
Fixed bug #71165 (-DGC_BENCH=1 doesn't work on PHP7).
Fixed bug #71163 (Segmentation Fault: cleanup_unfinished_calls).
Fixed bug #71109 (ZEND_MOD_CONFLICTS("xdebug") doesn't work).
Fixed bug #71092 (Segmentation fault with return type hinting).
Fixed bug memleak in header_register_callback.
Fixed bug #71067 (Local object in class method stays in memory for each call).
Fixed bug #66909 (configure fails utf8_to_mutf7 test).
Fixed bug #70781 (Extension tests fail on dynamic ext dependency).
Fixed bug #71089 (No check to duplicate zend_extension).
Fixed bug #71086 (Invalid numeric literal parse error within highlight_string() function).
Fixed bug #71154 (Incorrect HT iterator invalidation causes iterator reuse).
Fixed bug #52355 (Negating zero does not produce negative zero).
Fixed bug #66179 (var_export() exports float as integer).
Fixed bug #70804 (Unary add on negative zero produces positive zero).
CURL:
Fixed bug #71144 (Sementation fault when using cURL with ZTS).
DBA:
Fixed key leak with invalid resource.
Filter:
Fixed bug #71063 (filter_input(INPUT_ENV, ..) does not work).
FTP:
Implemented FR #55651 (Option to ignore the returned FTP PASV address).
FPM:
Fixed bug #70755 (fpm_log.c memory leak and buffer overflow).
GD:
Fixed bug #70976 (Memory Read via gdImageRotateInterpolated Array Index Out of Bounds).
Mbstring:
Fixed bug #71066 (mb_send_mail: Program terminated with signal SIGSEGV, Segmentation fault).
Opcache:
Fixed bug #71127 (Define in auto_prepend_file is overwrite).
PCRE:
Fixed bug #71178 (preg_replace with arrays creates [0] in replace array if not already set).
Readline:
Fixed bug #71094 (readline_completion_function corrupts static array on second TAB).
Session:
Fixed bug #71122 (Session GC may not remove obsolete session data).
SPL:
Fixed bug #71077 (ReflectionMethod for ArrayObject constructor returns wrong number of parameters).
Fixed bug #71153 (Performance Degradation in ArrayIterator with large arrays).
Standard:
Fixed bug #71270 (Heap BufferOver Flow in escapeshell functions).
WDDX:
Fixed bug #70661 (Use After Free Vulnerability in WDDX Packet Deserialization).
Fixed bug #70741 (Session WDDX Packet Deserialization Type Confusion Vulnerability).
XMLRPC:
Fixed bug #70728 (Type Confusion Vulnerability in PHP_to_XMLRPC_worker).

New in PHP 7.0.2 RC 1 (Dec 22, 2015)

Core:
Fixed bug #71165 (-DGC_BENCH=1 doesn't work on PHP7). (y dot uchiyama dot 1015 at gmail dot com)
Fixed bug #71163 (Segmentation Fault: cleanup_unfinished_calls). (Laruence)
Fixed bug #71109 (ZEND_MOD_CONFLICTS("xdebug") doesn't work). (Laruence)
Fixed bug #71092 (Segmentation fault with return type hinting). (Laruence)
Fixed bug memleak in header_register_callback. (Laruence)
Fixed bug #71067 (Local object in class method stays in memory for each call). (Laruence)
Fixed bug #66909 (configure fails utf8_to_mutf7 test). (Michael Orlitzky)
Fixed bug #70781 (Extension tests fail on dynamic ext dependency). (Francois Laupretre)
Fixed bug #71089 (No check to duplicate zend_extension). (Remi)
Fixed bug #71086 (Invalid numeric literal parse error within highlight_string() function). (Nikita)
Fixed bug #71154 (Incorrect HT iterator invalidation causes iterator reuse). (Nikita)
Fixed bug #52355 (Negating zero does not produce negative zero). (Andrea)
Fixed bug #66179 (var_export() exports float as integer). (Andrea)
Fixed bug #70804 (Unary add on negative zero produces positive zero). (Andrea)
CURL:
Fixed bug #71144 (Sementation fault when using cURL with ZTS). (Michael Maroszek, Laruence)
DBA:
Fixed key leak with invalid resource. (Laruence)
Filter:
Fixed bug #71063 (filter_input(INPUT_ENV, ..) does not work). (Reeze Xia)
FTP:
Implemented FR #55651 (Option to ignore the returned FTP PASV address). (abrender at elitehosts dot com)
Mbstring:
Fixed bug #71066 (mb_send_mail: Program terminated with signal SIGSEGV, Segmentation fault). (Laruence)
Opcache:
Fixed bug #71127 (Define in auto_prepend_file is overwrite). (Laruence)
PCRE:
Fixed bug #71178 (preg_replace with arrays creates [0] in replace array if not already set). (Laruence)
Readline:
Fixed bug #71094 (readline_completion_function corrupts static array on second TAB). (Nikita)
Session:
Fixed bug #71122 (Session GC may not remove obsolete session data). (Yasuo)
SPL:
Fixed bug #71077 (ReflectionMethod for ArrayObject constructor returns wrong number of parameters). (Laruence)
Fixed bug #71153 (Performance Degradation in ArrayIterator with large arrays). (Nikita)

New in PHP 7.0.1 (Dec 17, 2015)

Core:
Fixed bug #71105 (Format String Vulnerability in Class Name Error Message).
Fixed bug #70831 (Compile fails on system with 160 CPUs).
Fixed bug #71006 (symbol referencing errors on Sparc/Solaris).
Fixed bug #70997 (When using parentClass:: instead of parent::, static context changed).
Fixed bug #70970 (Segfault when combining error handler with output buffering).
Fixed bug #70967 (Weird error handling for __toString when Error is thrown).
Fixed bug #70958 (Invalid opcode while using ::class as trait method paramater default value).
Fixed bug #70944 (try{ } finally{} can create infinite chains of exceptions).
Fixed bug #70931 (Two errors messages are in conflict).
Fixed bug #70904 (yield from incorrectly marks valid generator as finished).
Fixed bug #70899 (buildconf failure in extensions).
Fixed bug #61751 (SAPI build problem on AIX: Undefined symbol: php_register_internal_extensions).
Fixed \int (or generally every scalar type name with leading backslash) to not be accepted as type name.
Fixed exception not being thrown immediately into a generator yielding from an array.
Fixed bug #70987 (static::class within Closure::call() causes segfault).
Fixed bug #71013 (Incorrect exception handler with yield from).
Fixed double free in error condition of format printer.
CLI server:
Fixed bug #71005 (Segfault in php_cli_server_dispatch_router()).
Intl:
Fixed bug #71020 (Use after free in Collator::sortWithSortKeys).
Mysqlnd:
Fixed bug #68077 (LOAD DATA LOCAL INFILE / open_basedir restriction).
Fixed bug #68344 (MySQLi does not provide way to disable peer certificate validation) by introducing MYSQLI_CLIENT_SSL_DONT_VERIFY_SERVER_CERT connection flag.
OCI8:
Fixed LOB implementation size_t/zend_long mismatch reported by gcov.
Opcache:
Fixed #71024 (Unable to use PHP 7.0 x64 side-by-side with PHP 5.6 x32 on the same server).
Fixed bug #70991 (zend_file_cache.c:710: error: array type has incomplete element type).
Fixed bug #70977 (Segmentation fault with opcache.huge_code_pages=1).
Phpdbg:
Fixed stderr being written to stdout.
Reflection:
Fixed bug #71018 (ReflectionProperty::setValue() behavior changed).
Fixed bug #70982 (setStaticPropertyValue behaviors inconsistently with 5.6).
SPL:
Fixed bug #71028 (Undefined index with ArrayIterator).
SQLite3:
Fixed bug #71049 (SQLite3Stmt::execute() releases bound parameter instead of internal buffer).
Standard:
Fixed bug #70999 (php_random_bytes: called object is not a function).
Fixed bug #70960 (ReflectionFunction for array_unique returns wrong number of parameters).
Streams/Socket:
Add IPV6_V6ONLY constant / make it usable in stream contexts.
Soap:
Fixed bug #70993 (Array key references break argument processing).
PDO_Firebird:
Fixed bug #60052 (Integer returned as a 64bit integer on X64_86).

New in PHP 7.0.1 RC 1 (Dec 8, 2015)

Core:
Fixed bug #70831 (Compile fails on system with 160 CPUs). (Daniel Axtens)
Fixed bug #71006 (symbol referencing errors on Sparc/Solaris). (Dmitry)
Fixed bug #70997 (When using parentClass:: instead of parent::, static context changed). (Dmitry)
Fixed bug #70970 (Segfault when combining error handler with output buffering). (Laruence)
Fixed bug #70967 (Weird error handling for __toString when Error is thrown). (Laruence)
Fixed bug #70958 (Invalid opcode while using ::class as trait method paramater default value). (Laruence)
Fixed bug #70944 (try{ } finally{} can create infinite chains of exceptions). (Laruence)
Fixed bug #70931 (Two errors messages are in conflict). (dams, Laruence)
Fixed bug #70904 (yield from incorrectly marks valid generator as finished). (Bob)
Fixed bug #70899 (buildconf failure in extensions). (Bob, Reeze)
Fixed bug #61751 (SAPI build problem on AIX: Undefined symbol: php_register_internal_extensions). (Lior Kaplan)
Fixed \int (or generally every scalar type name with leading backslash) to not be accepted as type name. (Bob)
Fixed exception not being thrown immediately into a generator yielding from an array. (Bob)
Fixed bug #70987 (static::class within Closure::call() causes segfault). (Andrea)
Fixed bug #71013 (Incorrect exception handler with yield from). (Bob)
Fixed double free in error condition of format printer. (Bob)
CLI server:
Fixed bug #71005 (Segfault in php_cli_server_dispatch_router()). (Adam)
Intl:
Fixed bug #71020 (Use after free in Collator::sortWithSortKeys). (emmanuel dot law at gmail dot com, Laruence)
Mysqlnd:
Fixed bug #68077 (LOAD DATA LOCAL INFILE / open_basedir restriction). (Laruence)
Fixed bug #68344 (MySQLi does not provide way to disable peer certificate validation) by introducing MYSQLI_CLIENT_SSL_DONT_VERIFY_SERVER_CERT connection flag. (Andrey)
OCI8:
Fixed LOB implementation size_t/zend_long mismatch reported by gcov. (Senthil)
Opcache:
Fixed #71024 (Unable to use PHP 7.0 x64 side-by-side with PHP 5.6 x32 on the same server). (Anatol)
Fixed bug #70991 (zend_file_cache.c:710: error: array type has incomplete element type). (Laruence)
Fixed bug #70977 (Segmentation fault with opcache.huge_code_pages=1). (Laruence)
Phpdbg:
Fixed stderr being written to stdout. (Bob)
Reflection:
Fixed bug #71018 (ReflectionProperty::setValue() behavior changed). (Laruence)
Fixed bug #70982 (setStaticPropertyValue behaviors inconsistently with 5.6). (Laruence)
SPL:
Fixed bug #71028 (Undefined index with ArrayIterator). (Laruence)
SQLite3:
Fixed bug #71049 (SQLite3Stmt::execute() releases bound parameter instead of internal buffer). (Laruence)
Standard:
Fixed bug #70999 (php_random_bytes: called object is not a function). (Scott)
Fixed bug #70960 (ReflectionFunction for array_unique returns wrong number of parameters). (Laruence)
Streams/Socket:
Add IPV6_V6ONLY constant / make it usable in stream contexts. (Bob)
Soap:
Fixed bug #70993 (Array key references break argument processing). (Laruence)
PDO_Firebird:
Fixed bug #60052 (Integer returned as a 64bit integer on X64_86). (Mariuz)

New in PHP 7.0.0 (Dec 4, 2015)

New in PHP 5.6.16 (Nov 27, 2015)

New in PHP 7.0.0 RC 8 (Nov 25, 2015)

New in PHP 5.6.16 RC1 (Nov 11, 2015)

New in PHP 7.0.0 RC 7 (Nov 10, 2015)

New in PHP 5.6.15 (Oct 29, 2015)

New in PHP 7.0.0 RC 6 (Oct 28, 2015)

New in PHP 7.0.0 RC 5 (Oct 13, 2015)

New in PHP 5.6.14 (Oct 2, 2015)

New in PHP 7.0.0 RC 3 (Oct 1, 2015)

New in PHP 5.6.13 (Sep 7, 2015)

New in PHP 7.0.0 RC 2 (Sep 4, 2015)

Core:
Fixed bug #70398 (SIGSEGV, Segmentation fault zend_ast_destroy_ex). (Dmitry, Bob, Laruence)
Fixed bug #70332 (Wrong behavior while returning reference on object). (Laruence, Dmitry)
Fixed bug #70300 (Syntactical inconsistency with new group use syntax). (marcio dot web2 at gmail dot com)
Fixed bug #70321 (Magic getter breaks reference to array property). (Laruence)
Fixed bug #70187 (Notice: unserialize(): Unexpected end of serialized data) (Dmitry)
Fixed bug #70145 (From field incorrectly parsed from headers). (Anatol)
Fixed bug #70370 (Bundled libtool.m4 doesn't handle FreeBSD 10 when building extensions). (Adam)
Fixed bug causing exception traces with anon classes to be truncated. (Bob)
Fixed bug #70397 (Segmentation fault when using Closure::call and yield). (Bob)
Curl:
Fixed bug #70330 (Segmentation Fault with multiple "curl_copy_handle"). (Laruence)
EXIF:
Fixed bug #70385 (Buffer over-read in exif_read_data with TIFF IFD tag byte value of 32 bytes). (Stas)
hash:
Fixed bug #70312 (HAVAL gives wrong hashes in specific cases). (letsgolee at naver dot com)
Mysqli:
Fixed bug #32490 (constructor of mysqli has wrong name). (cmb)
Pcntl:
Fixed bug #70386 (Can't compile on NetBSD because of missing WCONTINUED and WIFCONTINUED). (Matteo)
PCRE:
Fixed bug #70232 (Incorrect bump-along behavior with \K and empty string match). (cmb)
Fixed bug #70345 (Multiple vulnerabilities related to PCRE functions). (Anatol Belski)
PDO:
Fixed bug #70389 (PDO constructor changes unrelated variables). (Laruence)
PDO_OCI:
Fixed bug #70308 (PDO::ATTR_PREFETCH is ignored). (Chris Jones)
SOAP:
Fixed bug #70388 (SOAP serialize_function_call() type confusion / RCE). (Stas)
SPL:
Fixed bug #70303 (Incorrect constructor reflection for ArrayObject). (cmb)
Standard:
Fixed bug #70342 (changing configuration with ignore_user_abort(true) isn't working). (Laruence)
Fixed bug #70295 (Segmentation fault with setrawcookie). (Bob)
Fixed bug #67131 (setcookie() conditional for empty values not met). (cmb)
Fixed bug #70365 (Use-after-free vulnerability in unserialize() with SplObjectStorage). (taoguangchen at icloud dot com)
Fixed bug #70366 (Use-after-free vulnerability in unserialize() with SplDoublyLinkedList). (taoguangchen at icloud dot com)
Reflection:
Fixed bug causing bogus traces for ReflectionGenerator::getTrace(). (Bob)
XSLT:
Fixed bug #69782 (NULL pointer dereference). (Stas)
ZIP:
Fixed bug #70350 (ZipArchive::extractTo allows for directory traversal when creating directories). (neal at fb dot com)

New in PHP 7.0.0 RC 1 (Aug 18, 2015)

Core:
Fixed bug #70288 (Apache crash related to ZEND_SEND_REF). (Laruence)
Fixed bug #70262 (Accessing array crashes PHP 7.0beta3). (Laruence, Dmitry)
Fixed bug #70258 (Segfault if do_resize fails to allocated memory). (Laruence)
Fixed bug #70253 (segfault at _efree () in zend_alloc.c:1389). (Laruence)
Fixed bug #70240 (Segfault when doing unset($var());). (Laruence)
Fixed bug #70223 (Incrementing value returned by magic getter). (Laruence)
Fixed bug #70215 (Segfault when __invoke is static). (Bob)
Fixed bug #70207 (Finally is broken with opcache). (Laruence, Dmitry)
Fixed bug #70173 (ZVAL_COPY_VALUE_EX broken for 32bit Solaris Sparc). (Laruence, cmb)
Fixed bug #69487 (SAPI may truncate POST data). (cmb)
Fixed bug #70198 (Checking liveness does not work as expected). (Shafreeck Sea, Anatol Belski)
Fixed bug #70241/#70293 (Skipped assertions affect Generator returns). (Bob)
Fixed bug #70239 (Creating a huge array doesn't result in exhausted, but segfault). (Laruence, Anatol)
CLI server:
Fixed bug #66606 (Sets HTTP_CONTENT_TYPE but not CONTENT_TYPE). (wusuopu, cmb)
Fixed bug #70264 (CLI server directory traversal). (cmb)
Date:
Fixed bug #70245 (strtotime does not emit warning when 2nd parameter is object or string). (cmb)
Fixed bug #70266 (DateInterval::__construct.interval_spec is not supposed to be optional). (cmb)
Fixed bug #70277 (new DateTimeZone($foo) is ignoring text after null byte). (cmb)
MCrypt:
Fixed bug #69833 (mcrypt fd caching not working). (Anatol)
Opcache:
Fixed bug #70237 (Empty while and do-while segmentation fault with opcode on CLI enabled). (Dmitry, Laruence)
PCRE:
Fixed bug #70232 (Incorrect bump-along behavior with \K and empty string match). (cmb)
PDO:
Fixed bug #70272 (Segfault in pdo_mysql). (Laruence)
Fixed bug #70221 (persistent sqlite connection + custom function segfaults). (Laruence)
Phpdbg:
Fixed bug #70214 (FASYNC not defined, needs sys/file.h include). (Bob)
Standard:
Fixed bug #70250 (extract() turns array elements to references). (Laruence)
Fixed bug #70211 (php 7 ZEND_HASH_IF_FULL_DO_RESIZE use after free). (Laruence)
Fixed bug #70208 (Assert breaking access on objects). (Bob)

New in PHP 5.6.12 (Aug 7, 2015)

Core:
Fixed bug #70012 (Exception lost with nested finally block). (Laruence)
Fixed bug #70002 (TS issues with temporary dir handling). (Anatol)
Fixed bug #69793 (Remotely triggerable stack exhaustion via recursive method calls). (Stas)
Fixed bug #69892 (Different arrays compare indentical due to integer key truncation). (Nikita)
Fixed bug #70121 (unserialize() could lead to unexpected methods execution / NULL pointer deref). (Stas)
CLI server:
Fixed bug #69655 (php -S changes MKCALENDAR request method to MKCOL). (cmb)
Fixed bug #64878 (304 responses return Content-Type header). (cmb)
GD:
Fixed bug #53156 (imagerectangle problem with point ordering). (cmb)
Fixed bug #66387 (Stack overflow with imagefilltoborder). (cmb)
Fixed bug #70102 (imagecreatefromwebm() shifts colors). (cmb)
Fixed bug #66590 (imagewebp() doesn't pad to even length). (cmb)
Fixed bug #66882 (imagerotate by -90 degrees truncates image by 1px). (cmb)
Fixed bug #70064 (imagescale(..., IMG_BICUBIC) leaks memory). (cmb)
Fixed bug #69024 (imagescale segfault with palette based image). (cmb)
Fixed bug #53154 (Zero-height rectangle has whiskers). (cmb)
Fixed bug #67447 (imagecrop() add a black line when cropping). (cmb)
Fixed bug #68714 (copy 'n paste error). (cmb)
Fixed bug #66339 (PHP segfaults in imagexbm). (cmb)
Fixed bug #70047 (gd_info() doesn't report WebP support). (cmb)
ODBC:
Fixed bug #69975 (PHP segfaults when accessing nvarchar(max) defined columns). (cmb)
OpenSSL:
Fixed bug #69882 (OpenSSL error “key values mismatch” after openssl_pkcs12_read with extra cert) (Tomasz Sawicki)
Fixed bug #70014 (openssl_random_pseudo_bytes() is not cryptographically secure). (Stas)
Phar:
Improved fix for bug #69441. (Anatol Belski)
Fixed bug #70019 (Files extracted from archive may be placed outside of destination directory). (Anatol Belski)
SOAP:
Fixed bug #70081 (SoapClient info leak / null pointer dereference via multiple type confusions). (Stas)
SPL:
Fixed bug #70068 (Dangling pointer in the unserialization of ArrayObject items). (sean.heelan)
Fixed bug #70166 (Use After Free Vulnerability in unserialize() with SPLArrayObject). (taoguangchen at icloud dot com)
Fixed bug #70168 (Use After Free Vulnerability in unserialize() with SplObjectStorage). (taoguangchen at icloud dot com)
Fixed bug #70169 (Use After Free Vulnerability in unserialize() with SplDoublyLinkedList). (taoguangchen at icloud dot com)
Standard:
Fixed bug #70096 (Repeated iptcembed() adds superfluous FF bytes). (cmb)

New in PHP 5.6.12 RC 1 (Aug 6, 2015)

New in PHP 7.0.0 Beta 3 (Aug 6, 2015)

Core:
Fixed "finally" issues. (Nikita, Dmitry)
Fixed bug #70098 (Real memory usage doesn't decrease). (Dmitry)
Fixed bug #70159 (__CLASS__ is lost in closures). (Julien)
Fixed bug #70156 (Segfault in zend_find_alias_name). (Laruence)
Fixed bug #70124 (null ptr deref / seg fault in ZEND_HANDLE_EXCEPTION). (Laruence)
Fixed bug #70117 (Unexpected return type error). (Laruence)
Fixed bug #70106 (Inheritance by anonymous class). (Bob)
Fixed bug #69674 (SIGSEGV array.c:953). (cmb)
Fixed bug #70164 (__COMPILER_HALT_OFFSET__ under namespace is not defined). (Bob)
Fixed bug #70108 (sometimes empty $_SERVER['QUERY_STRING']). (Anatol)
Fixed bug #70179 ($this refcount issue). (Bob)
Fixed bug #69896 ('asm' operand has impossible constraints). (Anatol)
Fixed bug #70183 (null pointer deref (segfault) in zend_eval_const_expr). (Hugh Davenport)
Fixed bug #70182 (Segfault in ZEND_ASSIGN_DIV_SPEC_CV_UNUSED_HANDLER). (Hugh Davenport)
Fixed bug #69793 (Remotely triggerable stack exhaustion via recursive method calls). (Stas)
Fixed bug #69892 (Different arrays compare indentical due to integer key truncation). (Nikita)
Fixed bug #70121 (unserialize() could lead to unexpected methods execution / NULL pointer deref). (Stas)
Curl:
Fixed bug #70163 (curl_setopt_array() type confusion). (Laruence)
IMAP:
Fixed bug #70158 (Building with static imap fails). (cmb)
Fixed bug #69998 (curl multi leaking memory). (Pierrick)
Opcache:
Fixed bug #70111 (Segfault when a function uses both an explicit return type and an explicit cast). (Laruence)
OpenSSL:
Fixed bug #70014 (openssl_random_pseudo_bytes() is not cryptographically secure). (Stas)
Phar:
Improved fix for bug #69441. (Anatol Belski)
Fixed bug #70019 (Files extracted from archive may be placed outside of destination directory). (Anatol Belski)
Phpdbg:
Fixed bug #70138 (Segfault when displaying memory leaks). (Bob)
SOAP:
Fixed bug #70081 (SoapClient info leak / null pointer dereference via multiple type confusions). (Stas)
SPL:
Fixed bug #70068 (Dangling pointer in the unserialization of ArrayObject items). (sean.heelan)
Fixed bug #70166 (Use After Free Vulnerability in unserialize() with SPLArrayObject). (taoguangchen at icloud dot com)
Fixed bug #70168 (Use After Free Vulnerability in unserialize() with SplObjectStorage). (taoguangchen at icloud dot com)
Fixed bug #70169 (Use After Free Vulnerability in unserialize() with SplDoublyLinkedList). (taoguangchen at icloud dot com)
Standard:
Fixed bug #70140 (str_ireplace/php_string_tolower Arbitrary Code
Implemented #70112 (Allow "dirname" to go up various times). (Remi) Execution). (Laruence)
Fixed bug #36365 (scandir duplicates file name at every 65535th file). (cmb)

New in PHP 5.6.11 (Jul 10, 2015)

Core:
Fixed bug #69768 (escapeshell*() doesn't cater to !). (cmb)
Fixed bug #69703 (Use __builtin_clzl on PowerPC). (dja at axtens dot net, Kalle)
Fixed bug #69732 (can induce segmentation fault with basic php code). (Dmitry)
Fixed bug #69642 (Windows 10 reported as Windows 8). (Christian Wenz, Anatol Belski)
Fixed bug #69551 (parse_ini_file() and parse_ini_string() segmentation fault). (Christoph M. Becker)
Fixed bug #69781 (phpinfo() reports Professional Editions of Windows 7/8/8.1/10 as "Business"). (Christian Wenz)
Fixed bug #69740 (finally in generator (yield) swallows exception in iteration). (Nikita)
Fixed bug #69835 (phpinfo() does not report many Windows SKUs). (Christian Wenz)
Fixed bug #69892 (Different arrays compare indentical due to integer key truncation). (Nikita)
Fixed bug #69874 (Can't set empty additional_headers for mail()), regression from fix to bug #68776. (Yasuo)
GD:
Fixed bug #61221 (imagegammacorrect function loses alpha channel). (cmb)
GMP:
Fixed bug #69803 (gmp_random_range() modifies second parameter if GMP number). (Nikita)
PCRE:
Fixed Bug #53823 (preg_replace: * qualifier on unicode replace garbles the string). (cmb)
Fixed bug #69864 (Segfault in preg_replace_callback) (cmb, ab)
PDO_pgsql:
Fixed bug #69752 (PDOStatement::execute() leaks memory with DML Statements when closeCuror() is u). (Philip Hofstetter)
Fixed bug #69362 (PDO-pgsql fails to connect if password contains a leading single quote). (Matteo)
Fixed bug #69344 (PDO PgSQL Incorrect binding numeric array with gaps). (Matteo)
SimpleXML:
Refactored the fix for bug #66084 (simplexml_load_string() mangles empty node name). (Christoph Michael Becker)
SPL:
Fixed bug #69737 (Segfault when SplMinHeap::compare produces fatal error). (Stas)
Fixed bug #67805 (SplFileObject setMaxLineLength). (Willian Gustavo Veiga).
Fixed bug #69970 (Use-after-free vulnerability in spl_recursive_it_move_forward_ex()). (Laruence)
Sqlite3:
Fixed bug #69972 (Use-after-free vulnerability in sqlite3SafetyCheckSickOrOk()). (Laruence)

New in PHP 7.0.0 Beta 1 (Jul 8, 2015)

Core:
Fixed bug #70006 (cli function with default arg = STDOUT crash output). (Laruence)
Fixed bug #69521 (Segfault in gc_collect_cycles()). (arjen at react dot com, Laruence)
Improved zend_string API (Francois Laupretre)
Fixed bug #69955 (Segfault when trying to combine [] and assign-op on ArrayAccess object). (Laruence)
Fixed bug #69957 (Different ways of handling div/mod/intdiv). (Bob)
Fixed bug #69900 (Too long timeout on pipes). (Anatol)
Fixed bug #62210 (Exceptions can leak temporary variables. As a part of the fix serious refactoring was done. op_array->brk_cont_array was removed, and replaced with more general and speed efficient op_array->T_liveliness. ZEND_GOTO opcode is always replaced by ZEND_JMP at compile time). (Bob, Dmitry, Laruence)
CLI server:
Fixed bug #69655 (php -S changes MKCALENDAR request method to MKCOL). (cmb)
Fixed bug #64878 (304 responses return Content-Type header). (cmb)
COM:
Fixed bug #69939 (Casting object to bool returns false). (Kalle)
JSON:
Fixed bug #62010 (json_decode produces invalid byte-sequences). (Jakub Zelenka)
OCI8:
Corrected oci8 hash destructors to prevent segfaults, and a few other fixes. (Cameron Porter)
ODBC:
Fixed bug #69975 (PHP segfaults when accessing nvarchar(max) defined columns). (cmb)
OpenSSL:
Fixed bug #69882 (OpenSSL error "key values mismatch" after openssl_pkcs12_read with extra cert) (Tomasz Sawicki)
PCRE:
Fixed bug #53823 (preg_replace: * qualifier on unicode replace garbles the string). (cmb)
Session:
Fixed bug #69952 (Data integrity issues accessing superglobals by reference). (Bob)
SPL:
Fixed bug #69970 (Use-after-free vulnerability in spl_recursive_it_move_forward_ex()). (Laruence)
Standard:
Fixed bug #69983 (get_browser fails with user agent of null). (Kalle, cmb, Laruence)
Fixed bug #69976 (Unable to parse "all" urls with colon char). (cmb)
Fixed bug #69768 (escapeshell*() doesn't cater to !). (cmb)
Sqlite3:
Fixed bug #69972 (Use-after-free vulnerability in sqlite3SafetyCheckSickOrOk()). (Laruence)

New in PHP 7.0.0 Alpha 2 (Jun 24, 2015)

Core:
Fixed bug #69872 (uninitialised value in strtr with array). (Laruence)
Fixed bug #69868 (Invalid read of size 1 in zend_compile_short_circuiting). (Laruence)
Fixed bug #69849 (Broken output of apache_request_headers). (Kalle)
Fixed bug #69840 (iconv_substr() doesn't work with UTF-16BE). (Kalle)
Fixed bug #69823 (PHP 7.0.0alpha1 segmentation fault when exactly 33 extensions are loaded). (Laruence)
Fixed bug #69805 (null ptr deref and seg fault in zend_resolve_class_name). (Laruence)
Fixed bug #69802 (Reflection on Closure::__invoke borks type hint class name). (Dmitry)
Fixed bug #69761 (Serialization of anonymous classes should be prevented). (Laruence)
Fixed bug #69551 (parse_ini_file() and parse_ini_string() segmentation fault). (Christoph M. Becker)
Fixed bug #69781 (phpinfo() reports Professional Editions of Windows 7/8/8.1/10 as "Business"). (Christian Wenz)
Fixed bug #69835 (phpinfo() does not report many Windows SKUs). (Christian Wenz)
Fixed bug #69889 (Null coalesce operator doesn't work for string offsets). (Nikita)
Fixed bug #69891 (Unexpected array comparison result). (Nikita)
Fixed bug #69892 (Different arrays compare indentical due to integer key truncation). (Nikita)
Fixed bug #69893 (Strict comparison between integer and empty string keys crashes). (Nikita)
DOM:
Fixed bug #69846 (Segmenation fault (access violation) when iterating over DOMNodeList). (Anatol Belski)
GD:
Fixed bug #61221 (imagegammacorrect function loses alpha channel). (cmb)
mysqlnd:
Fixed Bug #69796 (mysqli_stmt::fetch doesn't assign null values to bound variables). (Laruence)
Curl:
Fixed bug #69831 (Segmentation fault in curl_getinfo). (im dot denisenko at yahoo dot com)
Opcache:
Removed opcache.load_comments configuration directive. Now doc comments loading costs nothing and always enabled. (Dmitry)
Fixed bug #69838 (Wrong size calculation for function table). (Anatol)
PCRE:
Fixed bug #69864 (Segfault in preg_replace_callback) (cmb, ab)
PDO_pgsql:
Fixed bug #69752 (PDOStatement::execute() leaks memory with DML Statements when closeCuror() is u). (Philip Hofstetter)
SPL:
Fixed bug #69845 (ArrayObject with ARRAY_AS_PROPS broken). (Dmitry)
SQLite3:
Fixed bug #69897 (segfault when manually constructing SQLite3Result). (Kalle)
Standard:
Fixed bug #62922 (Truncating entire string should result in string). (Nikita)

New in PHP 5.6.10 (Jun 12, 2015)

New in PHP 7.0.0 Alpha 1 (Jun 11, 2015)

Core:
Fixed bug #69767 (Default parameter value with wrong type segfaults). (cmb, Laruence)
Fixed bug #69756 (Fatal error: Nesting level too deep recursive dependency ? with ===). (Dmitry, Laruence)
Fixed bug #69758 (Item added to array not being removed by array_pop/shift ). (Laruence)
Fixed bug #68475 (Add support for $callable() sytnax with 'Class::method'). (Julien, Aaron Piotrowski)
Fixed bug #69485 (Double free on zend_list_dtor). (Laruence)
Fixed bug #69427 (Segfault on magic method __call of private method in superclass). (Laruence)
Improved __call() and __callStatic() magic method handling. Now they are called in a stackless way using ZEND_CALL_TRAMPOLINE opcode, without additional stack frame. (Laruence, Dmitry)
Optimized strings concatenation. (Dmitry, Laruence)
Fixed weird operators behavior. Division by zero now emits warning and returns +/-INF, modulo by zero and intdid() throws an exception, shifts by negative offset throw exceptions. Compile-time evaluation of division by zero is disabled. (Dmitry, Andrea, Nikita)
Fixed bug #69371 (Hash table collision leads to inaccessible array keys). (Laruence)
Fixed bug #68933 (Invalid read of size 8 in zend_std_read_property). (Laruence, arjen at react dot com)
Fixed bug #68252 (segfault in Zend/zend_hash.c in function _zend_hash_del_el). (Laruence)
Fixed bug #65598 (Closure executed via static autoload incorrectly marked as static). (Nikita)
Fixed bug #66811 (Cannot access static::class in lambda, writen outside of a class). (Nikita)
Fixed bug #69568 (call a private function in closure failed). (Nikita)
Added PHP_INT_MIN constant. (Andrea)
Added Closure::call() method. (Andrea)
Fixed bug #67959 (Segfault when calling phpversion('spl')). (Florian)
Implemented the RFC `Catchable "Call to a member function bar() on a non-object"`. (Timm)
Added options parameter for unserialize allowing to specify acceptable classes (https://wiki.php.net/rfc/secure_unserialize). (Stas)
Fixed bug #63734 (Garbage collector can free zvals that are still referenced). (Dmitry)
Removed ZEND_ACC_FINAL_CLASS, promoting ZEND_ACC_FINAL as final class modifier. (Guilherme Blanco)
is_long() & is_integer() is now an alias of is_int(). (Kalle)
Implemented FR #55467 (phpinfo: PHP Variables with $ and single quotes). (Kalle)
Added ?? operator. (Andrea)
Added operator. (Andrea)
Added \u{xxxxx} Unicode Codepoint Escape Syntax. (Andrea)
Fixed oversight where define() did not support arrays yet const syntax did. (Andrea, Dmitry)
Use "integer" and "float" instead of "long" and "double" in ZPP, type hint and conversion error messages. (Andrea)
Implemented FR #55428 (E_RECOVERABLE_ERROR when output buffering in output buffering handler). (Kalle)
Removed scoped calls of non-static methods from an incompatible $this context. (Nikita)
Removed support for #-style comments in ini files. (Nikita)
Removed support for assigning the result of new by reference. (Nikita)
Invalid octal literals in source code now produce compile errors, fixes PHPSadness #31. (Andrea)
Removed dl() function on fpm-fcgi. (Nikita)
Removed support for hexadecimal numeric strings. (Nikita)
Removed obsolete extensions and SAPIs. See the full list in UPGRADING. (Anatol)
Added NULL byte protection to exec, system and passthru. (Yasuo)
Added error_clear_last() function. (Reeze Xia)
Fixed bug #68797 (Number 2.2250738585072012e-308 converted incorrectly). (Anatol)
Improved zend_qsort(using hybrid sorting algo) for better performance, and also renamed zend_qsort to zend_sort. (Laruence)
Added stable sorting algo zend_insert_sort. (Laruence)
Implemented the RFC `Scalar Type Decalarations v0.5`. (Anthony)
Implemented the RFC `Group Use Declarations`. (Marcio)
Implemented the RFC `Continue Output Buffering`. (Mike)
Implemented the RFC `Constructor behaviour of internal classes`. (Dan, Dmitry)
Implemented the RFC `Fix "foreach" behavior`. (Dmitry)
Implemented the RFC `Generator Delegation`. (Bob)
Implemented the RFC `Anonymous Class Support`. (Joe, Nikita, Dmitry)
Implemented the RFC `Context Sensitive Lexer`. (Marcio Almada)
Fixed bug #69511 (Off-by-one buffer overflow in php_sys_readlink). (Jan Starke, Anatol)
CLI server:
Refactor MIME type handling to use a hash table instead of linear search. (Adam)
Update the MIME type list from the one shipped by Apache HTTPD. (Adam)
Added support for SEARCH WebDav method. (Mats Lindh)
Curl:
Fixed bug #68937 (Segfault in curl_multi_exec). (Laruence)
Removed support for unsafe file uploads. (Nikita)
Date:
Fixed day_of_week function as it could sometimes return negative values internally. (Derick)
Removed $is_dst parameter from mktime() and gmmktime(). (Nikita)
Removed date.timezone warning (https://wiki.php.net/rfc/date.timezone_warning_removal). (Bob)
Added "v" DateTime format modifier to get the 3-digit version of fraction of seconds. (Mariano Iglesias)
Implemented FR #69089: Added DateTime::RFC3339_EXTENDED to output in RFC3339 Extended format which includes fraction of seconds (Mariano Iglesias)
DBA:
Fixed bug #62490 (dba_delete returns true on missing item (inifile)). (Mike)
Fixed bug #68711 (useless comparisons). (bugreports at internot dot info)
DOM:
Made DOMNode::textContent writeable. (Tjerk)
GD:
Made fontFetch's path parser thread-safe. (Sara)
Removed T1Lib support. (Kalle)
Fileinfo:
Fixed bug #66242 (libmagic: don't assume char is signed). (ArdB)
Filter:
New FILTER_VALIDATE_DOMAIN and better RFC conformance for FILTER_VALIDATE_URL. (Kevin Dunglas)
FPM:
Fixed bug #68945 (Unknown admin values segfault pools). (Laruence)
Fixed bug #65933 (Cannot specify config lines longer than 1024 bytes). (Chris Wright)
Implement request #67106 (Split main fpm config). (Elan Ruusamäe, Remi)
FTP:
Fixed bug #69082 (FTPS support on Windows). (Anatol)
Intl:
Removed deprecated aliases datefmt_set_timezone_id() and IntlDateFormatter::setTimeZoneID(). (Nikita)
JSON:
Replace non-free JSON parser with a parser from Jsond extension, fixes #63520 (JSON extension includes a problematic license statement). (Jakub Zelenka)
Fixed bug #68938 (json_decode() decodes empty string without error). (jeremy at bat-country dot us)
LDAP:
Fixed bug #47222 (Implement LDAP_OPT_DIAGNOSTIC_MESSAGE). (Andreas Heigl)
LiteSpeed:
Updated LiteSpeed SAPI code from V5.5 to V6.6. (George Wang)
libxml:
Fixed handling of big lines in error messages with libxml >= 2.9.0. (Christoph M. Becker)
Mcrypt:
Fixed possible read after end of buffer and use after free. (Dmitry)
Removed mcrypt_generic_end() alias. (Nikita)
Removed mcrypt_ecb(), mcrypt_cbc(), mcrypt_cfb(), mcrypt_ofb(). (Nikita)
Opcache:
Fixed bug #69688 (segfault with eval and opcache fast shutdown). (Laruence)
Added experimental (disabled by default) file based opcode cache. (Dmitry, Laruence, Anatol)
Fixed bug with try blocks being removed when extended_info opcode generation is turned on. (Laruence)
Fixed bug #68644 (strlen incorrect : mbstring + func_overload=2 +UTF-8 + Opcache). (Laruence)
OpenSSL:
Added "alpn_protocols" SSL context option allowing encrypted client/server streams to negotiate alternative protocols using the ALPN TLS extension when built against OpenSSL 1.0.2 or newer. Negotiated protocol information is accessible through stream_get_meta_data() output.
Removed "CN_match" and "SNI_server_name" SSL context options. Use automatic detection or the "peer_name" option instead. (Nikita)
pcntl:
Fixed bug #60509 (pcntl_signal doesn't decrease ref-count of old handler when setting SIG_DFL). (Julien)
Added wifcontinued and wcontinued. (xilon-jul)
Added rusage support to pcntl_wait() and pcntl_waitpid(). (Anton Stepanenko, Tony)
PCRE:
Removed support for the /e (PREG_REPLACE_EVAL) modifier. (Nikita)
PDO:
Fixed bug #59450 (./configure fails with "Cannot find php_pdo_driver.h"). (maxime dot besson at smile dot fr)
PDO_mysql:
Fixed bug #68424 (Add new PDO mysql connection attr to control multi statements option). (peter dot wolanin at acquia dot com)
PDO_pgsql:
Removed PGSQL_ATTR_DISABLE_NATIVE_PREPARED_STATEMENT attribute in favor of ATTR_EMULATE_PREPARES). (Nikita)
Reflection
Fixed inheritance chain of Reflector interface. (Tjerk)
Added ReflectionGenerator class. (Bob)
Added reflection support for return types and type declarations. (Sara, Matteo)
Session:
Fixed bug #67694 (Regression in session_regenerate_id()). (Tjerk)
Fixed bug #68941 (mod_files.sh is a bash-script). (bugzilla at ii.nl, Yasuo)
SOAP:
Fixed bug #68361 (Segmentation fault on SoapClient::__getTypes). (Laruence)
SPL:
Changed ArrayIterator implementation using zend_hash_iterator_... API. Allowed modification of iterated ArrayObject using the same behavior as proposed in `Fix "foreach" behavior`. Removed "Array was modified outside object and internal position is no longer valid" hack. (Dmitry)
Implemented #67886 (SplPriorityQueue/SplHeap doesn't expose extractFlags nor curruption state). (Julien)
Fixed bug #66405 (RecursiveDirectoryIterator::CURRENT_AS_PATHNAME breaks the RecursiveIterator). (Paul Garvin)
Sqlite3:
Fixed bug #68260 (SQLite3Result::fetchArray declares wrong required_num_args). (Julien)
Standard:
Fixed bug #69723 (Passing parameters by reference and array_column). (Laruence)
Fixed bug #69523 (Cookie name cannot be empty). (Christoph M. Becker)
Fixed bug #69325 (php_copy_file_ex does not pass the argument). (imbolk at gmail dot com)
Fixed bug #69299 (Regression in array_filter's $flag argument in PHP 7). (Laruence)
Removed call_user_method() and call_user_method_array() functions. (Kalle)
Fixed user session handlers (See rfc:session.user.return-value). (Sara)
Added intdiv() function. (Andrea)
Improved precision of log() function for base 2 and 10. (Marc Bennewitz)
Remove string category support in setlocale(). (Nikita)
Remove set_magic_quotes_runtime() and its alias magic_quotes_runtime(). (Nikita)
Fixed bug #65272 (flock() out parameter not set correctly in windows). (Daniel Lowrey)
Added preg_replace_callback_array function. (Wei Dai)
Deprecated salt option to password_hash. (Anthony)
Fixed bug #69686 (password_verify reports back error on PHP7 will null string). (Anthony)
Added Windows support for getrusage(). (Kalle)
Removed hardcoded limit on number of pipes in proc_open(). (Tony)
Streams:
Fixed bug #68532 (convert.base64-encode omits padding bytes). (blaesius at krumedia dot de)
Removed set_socket_blocking() in favor of its alias stream_set_blocking(). (Nikita)
XSL:
Fixed bug #64776 (The XSLT extension is not thread safe). (Mike)
Removed xsl.security_prefs ini option. (Nikita)
Zlib:
Added deflate_init(), deflate_add(), inflate_init(), inflate_add() functions allowing incremental/streaming compression/decompression. (Daniel Lowrey & Bob Weinand)
Zip:
Added ZipArchive::setCompressionName and ZipArchive::setCompressionIndex methods (Remi, Cedric Delmas)
Update bundled libzip to 1.0.1 (Remi, Anatol)
Fixed bug #67161. (ZipArchive::getStream() returns NULL for certain file) (Christoph M. Becker)

New in PHP 5.6.10 RC 1 (May 28, 2015)

New in PHP 5.6.9 (May 14, 2015)

New in PHP 5.6.9 RC 1 (Apr 30, 2015)

New in PHP 5.6.8 (Apr 17, 2015)

Core:
Fixed bug #66609 (php crashes with __get() and ++ operator in some cases).
Fixed bug #68021 (get_browser() browser_name_regex returns non-utf-8 characters).
Fixed bug #68917 (parse_url fails on some partial urls).
Fixed bug #69134 (Per Directory Values overrides PHP_INI_SYSTEM configuration options).
Additional fix for bug #69152 (Type confusion vulnerability in exception::getTraceAsString).
Fixed bug #69210 (serialize function return corrupted data when sleep has non-string values).
Fixed bug #69212 (Leaking VIA_HANDLER func when exception thrown in __call/... arg passing).
Fixed bug #69221 (Segmentation fault when using a generator in combination with an Iterator).
Fixed bug #69337 (php_stream_url_wrap_http_ex() type-confusion vulnerability).
Fixed bug #69353 (Missing null byte checks for paths in various PHP extensions).
Apache2handler:
Fixed bug #69218 (potential remote code execution with apache 2.4 apache2handler).
cURL:
Implemented FR #69278 (HTTP2 support).
Fixed bug #68739 (Missing break / control flow).
Fixed bug #69316 (Use-after-free in php_curl related to CURLOPT_FILE/_INFILE/_WRITEHEADER).
Date:
Fixed bug #69336 (Issues with "last day of ").
Enchant:
Fixed bug #65406 (Enchant broker plugins are in the wrong place in windows builds).
Ereg:
Fixed bug #68740 (NULL Pointer Dereference).
Fileinfo:
Fixed bug #68819 (Fileinfo on specific file causes spurious OOM and/or segfault).
Filter:
Fixed bug #69202: (FILTER_FLAG_STRIP_BACKTICK ignored unless other flags are used).
Fixed bug #69203 (FILTER_FLAG_STRIP_HIGH doesn't strip ASCII 127).
OPCache:
Fixed bug #69297 (function_exists strange behavior with OPCache on disabled function).
Fixed bug #69281 (opcache_is_script_cached no longer works).
Fixed bug #68677 (Use After Free). (CVE-2015-1351)
OpenSSL:
Fixed bugs #68853, #65137 (Buffered crypto stream data breaks IO polling in stream_select() contexts) (Chris Wright)
Fixed bug #69197 (openssl_pkcs7_sign handles default value incorrectly) (Daniel Lowrey)
Fixed bug #69215 (Crypto servers should send client CA list) (Daniel Lowrey)
Add a check for RAND_egd to allow compiling against LibreSSL (Leigh)
Phar:
Fixed bug #64343 (PharData::extractTo fails for tarball created by BSD tar).
Fixed bug #64931 (phar_add_file is too restrictive on filename).
Fixed bug #65467 (Call to undefined method cli_arg_typ_string).
Fixed bug #67761 (Phar::mapPhar fails for Phars inside a path containing ".tar").
Fixed bug #69324 (Buffer Over-read in unserialize when parsing Phar). (CVE-2015-2783)
Fixed bug #69441 (Buffer Overflow when parsing tar/zip/phar in phar_set_inode).
Postgres:
Fixed bug #68741 (Null pointer dereference). (CVE-2015-1352)
SPL:
Fixed bug #69227 (Use after free in zval_scan caused by spl_object_storage_get_gc).
SOAP:
Fixed bug #69293 (NEW segfault when using SoapClient::__setSoapHeader (bisected, regression)).
Sqlite3:
Fixed bug #68760 (SQLITE segfaults if custom collator throws an exception).
Fixed bug #69287 (Upgrade bundled libsqlite to 3.8.8.3).
Fixed bug #66550 (SQLite prepared statement use-after-free).

New in PHP 5.6.8 RC 1 (Apr 1, 2015)

Core:
Fixed bug #66609 (php crashes with __get() and ++ operator in some cases). (Dmitry, Laruence)
Fixed bug #68021 (get_browser() browser_name_regex returns non-utf-8 characters). (Tjerk)
Fixed bug #68917 (parse_url fails on some partial urls). (Wei Dai)
Fixed bug #69134 (Per Directory Values overrides PHP_INI_SYSTEM configuration options). (Anatol Belski)
Fixed bug #69210 (serialize function return corrupted data when sleep has non-string values). (Juan Basso)
Fixed bug #69212 (Leaking VIA_HANDLER func when exception thrown in __call/... arg passing). (Nikita)
Fixed bug #69221 (Segmentation fault when using a generator in combination with an Iterator). (Nikita)
cURL:
Implemented FR#69278 (HTTP2 support). (Masaki Kagaya)
Fixed bug #68739 (Missing break / control flow). (Laruence)
Date:
Added DateTime::createFromImmutable(). (Trevor Suarez)
Enchant:
Fixed bug #65406 (Enchant broker plugins are in the wrong place in windows builds). (Anatol)
Ereg:
Fixed bug #68740 (NULL Pointer Dereference). (Laruence)
Filter:
Fixed bug #69202: (FILTER_FLAG_STRIP_BACKTICK ignored unless other flags are used). (Jeff Welch)
Fixed bug #69203 (FILTER_FLAG_STRIP_HIGH doesn't strip ASCII 127). (Jeff Welch)
OPCache:
Fixed bug #69297 (function_exists strange behavior with OPCache on disabled function). (Laruence)
Fixed bug #68677 (Use After Free). (CVE-2015-1351) (Laruence)
OpenSSL:
Fixed bugs #68853, #65137 (Buffered crypto stream data breaks IO polling in stream_select() contexts) (Chris Wright)
Fixed bug #69197 (openssl_pkcs7_sign handles default value incorrectly) (Daniel Lowrey)
Fixed bug #69215 (Crypto servers should send client CA list) (Daniel Lowrey)
Add a check for RAND_egd to allow compiling against LibreSSL (Leigh)
Phar:
Fixed bug #64343 (PharData::extractTo fails for tarball created by BSD tar). (Mike)
Fixed bug #64931 (phar_add_file is too restrictive on filename). (Mike)
Fixed bug #65467 (Call to undefined method cli_arg_typ_string). (Mike)
Fixed bug #67761 (Phar::mapPhar fails for Phars inside a path containing ".tar"). (Mike)
Postgres:
Fixed bug #68741 (Null pointer dereference). (CVE-2015-1352) (Laruence)
SPL:
Fixed bug #69227 (Use after free in zval_scan caused by spl_object_storage_get_gc). (adam dot scarr at 99designs dot com)
SOAP:
Fixed bug #69293 (NEW segfault when using SoapClient::__setSoapHeader (bisected, regression)). (Laruence)
SQLITE:
Fixed bug #68760 (SQLITE segfaults if custom collator throws an exception). (Dan Ackroyd)
Fixed bug #69287 (Upgrade bundled libsqlite to 3.8.8.3). (Anatol)

New in PHP 5.6.7 (Mar 19, 2015)

Core:
Fixed bug #69174 (leaks when unused inner class use traits precedence). (Laruence)
Fixed bug #69139 (Crash in gc_zval_possible_root on unserialize). (Laruence)
Fixed bug #69121 (Segfault in get_current_user when script owner is not in passwd with ZTS build). (dan at syneto dot net)
Fixed bug #65593 (Segfault when calling ob_start from output buffering callback). (Mike)
Fixed bug #68986 (pointer returned by php_stream_fopen_temporary_file not validated in memory.c). (nayana at ddproperty dot com)
Fixed bug #68166 (Exception with invalid character causes segv). (Rasmus)
Fixed bug #69141 (Missing arguments in reflection info for some builtin functions). (kostyantyn dot lysyy at oracle dot com)
Fixed bug #68976 (Use After Free Vulnerability in unserialize()). (Stas)
Fixed bug #69134 (Per Directory Values overrides PHP_INI_SYSTEM configuration options). (Anatol Belski)
Fixed bug #69207 (move_uploaded_file allows nulls in path). (Stas)
CGI:
Fixed bug #69015 (php-cgi's getopt does not see $argv). (Laruence)
CLI:
Fixed bug #67741 (auto_prepend_file messes up __LINE__). (Reeze Xia)
cURL:
Fixed bug #69088 (PHP_MINIT_FUNCTION does not fully initialize cURL on Win32). (Grant Pannell)
Add CURLPROXY_SOCKS4A and CURLPROXY_SOCKS5_HOSTNAME constants if supported by libcurl. (Linus Unneback)
Ereg:
Fixed bug #69248 (heap overflow vulnerability in regcomp.c) (CVE-2015-2305). (Stas)
FPM:
Fixed bug #68822 (request time is reset too early). (honghu069 at 163 dot com)
ODBC:
Fixed bug #68964 (Allowed memory size exhausted with odbc_exec). (Anatol)
Opcache:
Fixed bug #69159 (Opcache causes problem when passing a variable variable to a function). (Dmitry, Laruence)
Fixed bug #69125 (Array numeric string as key). (Laruence)
Fixed bug #69038 (switch(SOMECONSTANT) misbehaves). (Laruence)
OpenSSL:
Fixed bug #68912 (Segmentation fault at openssl_spki_new). (Laruence)
Fixed bug #61285, #68329, #68046, #41631 (encrypted streams don't observe socket timeouts). (Brad Broerman)
Fixed bug #68920 (use strict peer_fingerprint input checks) (Daniel Lowrey)
Fixed bug #68879 (IP Address fields in subjectAltNames not used) (Daniel Lowrey)
Fixed bug #68265 (SAN match fails with trailing DNS dot) (Daniel Lowrey)
Fixed bug #67403 (Add signatureType to openssl_x509_parse) (Daniel Lowrey)
Fixed bug (#69195 Inconsistent stream crypto values across versions) (Daniel Lowrey)
pgsql:
Fixed bug #68638 (pg_update() fails to store infinite values). (william dot welter at 4linux dot com dot br, Laruence)
Readline:
Fixed bug #69054 (Null dereference in readline_(read|write)_history() without parameters). (Laruence)
SOAP:
Fixed bug #69085 (SoapClient's __call() type confusion through unserialize()). (andrea dot palazzo at truel dot it, Laruence)
SPL:
Fixed bug #69108 ("Segmentation fault" when (de)serializing SplObjectStorage). (Laruence)
Fixed bug #68557 (RecursiveDirectoryIterator::seek(0) broken after calling getChildren()). (Julien)
ZIP:
Fixed bug #69253 (ZIP Integer Overflow leads to writing past heap boundary) (CVE-2015-2331). (Stas)

New in PHP 5.6.7 RC 1 (Mar 6, 2015)

Core:
Fixed bug #69174 (leaks when unused inner class use traits precedence). (Laruence)
Fixed bug #69139 (Crash in gc_zval_possible_root on unserialize). (Laruence)
Fixed bug #69121 (Segfault in get_current_user when script owner is not in passwd with ZTS build). (dan at syneto dot net)
Fixed bug #65593 (Segfault when calling ob_start from output buffering callback). (Mike)
Fixed bug #68986 (pointer returned by php_stream_fopen_temporary_file not validated in memory.c). (nayana at ddproperty dot com)
Fixed bug #68166 (Exception with invalid character causes segv). (Rasmus)
Fixed bug #69141 (Missing arguments in reflection info for some builtin functions). (kostyantyn dot lysyy at oracle dot com)
CGI:
Fixed bug #69015 (php-cgi's getopt does not see $argv). (Laruence)
CLI:
Fixed bug #67741 (auto_prepend_file messes up __LINE__). (Reeze Xia)
cURL:
Fixed bug #69088 (PHP_MINIT_FUNCTION does not fully initialize cURL on Win32). (Grant Pannell)
Add CURLPROXY_SOCKS4A and CURLPROXY_SOCKS5_HOSTNAME constants if supported by libcurl. (Linus Unneback)
FPM:
Fixed bug #68822 (request time is reset too early). (honghu069 at 163 dot com)
ODBC:
Fixed bug #68964 (Allowed memory size exhausted with odbc_exec). (Anatol)
Opcache:
Fixed bug #69159 (Opcache causes problem when passing a variable variable to a function). (Dmitry, Laruence)
Fixed bug #69125 (Array numeric string as key). (Laruence)
Fixed bug #69038 (switch(SOMECONSTANT) misbehaves). (Laruence)
OpenSSL:
Fixed bug #68912 (Segmentation fault at openssl_spki_new). (Laruence)
Fixed bug #61285, #68329, #68046, #41631 (encrypted streams don't observe socket timeouts). (Brad Broerman)
Fixed bug #68920 (use strict peer_fingerprint input checks) (Daniel Lowrey)
Fixed bug #68879 (IP Address fields in subjectAltNames not used) (Daniel Lowrey)
Fixed bug #68265 (SAN match fails with trailing DNS dot) (Daniel Lowrey)
Fixed bug #67403 (Add signatureType to openssl_x509_parse) (Daniel Lowrey)
pgsql:
Fixed bug #68638 (pg_update() fails to store infinite values). (william dot welter at 4linux dot com dot br, Laruence)
Readline:
Fixed bug #69054 (Null dereference in readline_(read|write)_history() without parameters). (Laruence)
SOAP:
Fixed bug #69085 (SoapClient's __call() type confusion through unserialize()). (andrea dot palazzo at truel dot it, Laruence)
SPL:
Fixed bug #69108 ("Segmentation fault" when (de)serializing SplObjectStorage). (Laruence)
Fixed bug #68557 (RecursiveDirectoryIterator::seek(0) broken after calling getChildren()). (Julien)

New in PHP 5.6.6 (Feb 20, 2015)

Core:
Removed support for multi-line headers, as the are deprecated by RFC 7230.
Fixed bug #67068 (getClosure returns somethings that's not a closure).
Fixed bug #68942 (Use after free vulnerability in unserialize() with DateTimeZone). (CVE-2015-0273)
Fixed bug #68925 (Mitigation for CVE-2015-0235 – GHOST: glibc gethostbyname buffer overflow).
Fixed bug #67988 (htmlspecialchars() does not respect default_charset specified by ini_set) (Yasuo)
Added NULL byte protection to exec, system and passthru.
Dba:
Fixed bug #68711 (useless comparisons).
Enchant:
Fixed bug #68552 (heap buffer overflow in enchant_broker_request_dict()).
Fileinfo:
Fixed bug #68827 (Double free with disabled ZMM).
Fixed bug #67647 (Bundled libmagic 5.17 does not detect quicktime files correctly).
Fixed bug #68731 (finfo_buffer doesn't extract the correct mime with some gifs).
FPM:
Fixed bug #66479 (Wrong response to FCGI_GET_VALUES).
Fixed bug #68571 (core dump when webserver close the socket).
JSON:
Fixed bug #50224 (json_encode() does not always encode a float as a float) by adding JSON_PRESERVE_ZERO_FRACTION.
LIBXML:
Fixed bug #64938 (libxml_disable_entity_loader setting is shared between threads).
Mysqli:
Fixed bug #68114 (linker error on some OS X machines with fixed width decimal support) (Keyur Govande)
Fixed bug #68657 (Reading 4 byte floats with Mysqli and libmysqlclient has rounding errors) (Keyur Govande)
Opcache:
Fixed bug with try blocks being removed when extended_info opcode generation is turned on.
PDO_mysql:
Fixed bug #68750 (PDOMysql with mysqlnd does not allow the usage of named pipes).
Phar:
Fixed bug #68901 (use after free).
Pgsql:
Fixed bug #65199 (pg_copy_from() modifies input array variable) (Yasuo)
Session:
Fixed bug #68941 (mod_files.sh is a bash-script) (bugzilla at ii.nl, Yasuo)
Fixed bug #66623 (no EINTR check on flock) (Yasuo)
Fixed bug #68063 (Empty session IDs do still start sessions) (Yasuo)
Sqlite3:
Fixed bug #68260 (SQLite3Result::fetchArray declares wrong required_num_args).
Standard:
Fixed bug #65272 (flock() out parameter not set correctly in windows).
Fixed bug #69033 (Request may get env. variables from previous requests if PHP works as FastCGI).
Streams:
Fixed bug which caused call after final close on streams filter.

New in PHP 5.6.6 RC1 (Feb 5, 2015)

Core:
Fixed bug #67068 (getClosure returns somethings that's not a closure). (Danack at basereality dot com)
Fixed bug #68925 (Mitigation for CVE-2015-0235 – GHOST: glibc gethostbyname buffer overflow). (Stas)
Fixed Bug #67988 (htmlspecialchars() does not respect default_charset specified by ini_set) (Yasuo)
Dba:
Fixed bug #68711 (useless comparisons). (bugreports at internot dot info)
JSON:
Fixed bug #50224 (json_encode() does not always encode a float as a float) by adding JSON_PRESERVE_ZERO_FRACTION. (Juan Basso)
Fileinfo:
Fixed bug #68827 (Double free with disabled ZMM). (Joshua Rogers)
Fixed bug #67647 (Bundled libmagic 5.17 does not detect quicktime files correctly). (Anatol)
Fixed bug #68731 (finfo_buffer doesn't extract the correct mime with some gifs). (Anatol)
FPM:
Fixed bug #66479 (Wrong response to FCGI_GET_VALUES). (Frank Stolle)
Fixed bug #68571 (core dump when webserver close the socket). (redfoxli069 at gmail dot com, Laruence)
JSON:
Fixed bug #68938 (json_decode() decodes empty string without error). (jeremy at bat-country dot us)
LIBXML:
Fixed bug #64938 (libxml_disable_entity_loader setting is shared between threads). (Martin Jansen)
Opcache:
Fixed bug with try blocks being removed when extended_info opcode generation is turned on. (Laruence)
PDO_mysql:
Fixed bug #68750 (PDOMysql with mysqlnd does not allow the usage of named pipes). ([email protected])
Phar:
Fixed bug #68901 (use after free). (bugreports at internot dot info)
Pgsql:
Fixed Bug #65199 (pg_copy_from() modifies input array variable) (Yasuo)
Session:
Fixed bug #68941 (mod_files.sh is a bash-script) (bugzilla at ii.nl, Yasuo)
Fixed Bug #66623 (no EINTR check on flock) (Yasuo)
Fixed bug #68063 (Empty session IDs do still start sessions) (Yasuo)
Sqlite3:
Fixed bug #68260 (SQLite3Result::fetchArray declares wrong required_num_args). (Julien)
Standard:
Fixed bug #65272 (flock() out parameter not set correctly in windows). (Daniel Lowrey)
Mysqli:
Fixed bug #68114 (linker error on some OS X machines with fixed width decimal support) (Keyur Govande)
Fixed bug #68657 (Reading 4 byte floats with Mysqli and libmysqlclient has rounding errors) (Keyur Govande)
Streams:
Fixed bug which caused call after final close on streams filter. (Bob)

New in PHP 5.6.5 (Jan 21, 2015)

Core:
Upgraded crypt_blowfish to version 1.3. (Leigh)
Fixed bug #60704 (unlink() bug with some files path).
Fixed bug #65419 (Inside trait, self::class != __CLASS__). (Julien)
Fixed bug #68536 (pack for 64bits integer is broken on bigendian). (Remi)
Fixed bug #55541 (errors spawn MessageBox, which blocks test automation).(Anatol)
Fixed bug #68297 (Application Popup provides too few information). (Anatol)
Fixed bug #65769 (localeconv() broken in TS builds). (Anatol)
Fixed bug #65230 (setting locale randomly broken). (Anatol)
Fixed bug #66764 (configure doesn't define EXPANDED_DATADIR / PHP_DATADIRcorrectly). (Ferenc)
Fixed bug #68583 (Crash in timeout thread). (Anatol)
Fixed bug #65576 (Constructor from trait conflicts with inheritedconstructor). (dunglas at gmail dot com)
Fixed bug #68676 (Explicit Double Free). (Kalle)
Fixed bug #68710 (Use After Free Vulnerability in PHP's unserialize()).(CVE-2015-0231) (Stefan Esser)
CGI:
Fixed bug #68618 (out of bounds read crashes php-cgi). (CVE-2014-9427)(Stas)
CLI server:
Fixed bug #68745 (Invalid HTTP requests make web server segfault). (Adam)
cURL:
Fixed bug #67643 (curl_multi_getcontent returns '' whenCURLOPT_RETURNTRANSFER isn't set). (Jille Timmermans)
Date:
Implemented FR #68268 (DatePeriod: Getter for start date, end date and interval). (Marc Bennewitz)
EXIF:
Fixed bug #68799: Free called on unitialized pointer. (CVE-2015-0232)(Stas)
Fileinfo:
Fixed bug #68398 (msooxml matches too many archives). (Anatol)
Fixed bug #68665 (invalid free in libmagic). (Joshua Rogers, Anatol Belski)
Fixed bug #68671 (incorrect expression in libmagic).(Joshua Rogers, Anatol Belski)
Removed readelf.c and related code from libmagic sources(Remi, Anatol)
Fixed bug #68735 (fileinfo out-of-bounds memory access).(Anatol)
FPM:
Fixed request #68526 (Implement POSIX Access Control List for UDS). (Remi)
Fixed bug #68751 (listen.allowed_clients is broken). (Remi)
GD:
Fixed bug #68601 (buffer read overflow in gd_gif_in.c). (Jan Bee, Remi)
Fixed request #68656 (Report gd library version). (Remi)
mbstring:
Fixed bug #68504 (--with-libmbfl configure option not present on Windows).(Ashesh Vashi)
Opcache:
Fixed bug #68644 (strlen incorrect : mbstring + func_overload=2 +UTF-8+ Opcache). (Laruence)
Fixed bug #67111 (Memory leak when using "continue 2" inside two foreachloops). (Nikita)
OpenSSL:
Improved handling of OPENSSL_KEYTYPE_EC keys. (Dominic Luechinger)
pcntl:
Fixed bug #60509 (pcntl_signal doesn't decrease ref-count of old handlerwhen setting SIG_DFL). (Julien)
PCRE:
Fixed bug #66679 (Alignment Bug in PCRE 8.34 upstream).(Rainer Jung, Anatol Belski)
pgsql:
Fixed bug #68697 (lo_export return -1 on failure). (Ondřej Surý)
PDO:
Fixed bug #68371 (PDO#getAttribute() cannot be called with platform-specifiattribute names). (Matteo)
PDO_mysql:
Fixed bug #68424 (Add new PDO mysql connection attr to control multistatements option). (peter dot wolanin at acquia dot com)
SPL:
Fixed bug #66405 (RecursiveDirectoryIterator::CURRENT_AS_PATHNAMEbreaks the RecursiveIterator). (Paul Garvin)
Fixed bug #68479 (Added escape parameter to SplFileObject::fputcsv). (Salathe)
SQLite:
Fixed bug #68120 (Update bundled libsqlite to 3.8.7.2). (Anatol)
Streams:
Fixed bug #68532 (convert.base64-encode omits padding bytes).(blaesius at krumedia dot de)

New in PHP 5.6.5 RC 1 (Jan 7, 2015)

Core:
Upgraded crypt_blowfish to version 1.3. (Leigh)
Fixed bug #60704 (unlink() bug with some files path).
Fixed bug #65419 (Inside trait, self::class != __CLASS__). (Julien)
Fixed bug #68536 (pack for 64bits integer is broken on bigendian). (Remi)
Fixed bug #55541 (errors spawn MessageBox, which blocks test automation). (Anatol)
Fixed bug #68297 (Application Popup provides too few information). (Anatol)
Fixed bug #65769 (localeconv() broken in TS builds). (Anatol)
Fixed bug #65230 (setting locale randomly broken). (Anatol)
Fixed bug #66764 (configure doesn't define EXPANDED_DATADIR / PHP_DATADIR correctly). (Ferenc)
Fixed bug #68583 (Crash in timeout thread). (Anatol)
Fixed bug #65576 (Constructor from trait conflicts with inherited constructor). (dunglas at gmail dot com)
Fixed bug #68676 (Explicit Double Free). (Kalle)
CGI:
Fix bug #68618 (out of bounds read crashes php-cgi). (Stas)
CLI server:
Fix bug #68745 (Invalid HTTP requests make web server segfault). (Adam)
cURL:
Fixed bug #67643 (curl_multi_getcontent returns '' when CURLOPT_RETURNTRANSFER isn't set). (Jille Timmermans)
Date:
Implemented FR #68268 (DatePeriod: Getter for start date, end date and interval). (Marc Bennewitz)
Fileinfo:
Fixed bug #68398 (msooxml matches too many archives). (Anatol)
Fixed bug #68665 (invalid free in libmagic). (Joshua Rogers, Anatol Belski)
Fixed bug #68671 (incorrect expression in libmagic). (Joshua Rogers, Anatol Belski)
Removed readelf.c and related code from libmagic sources (Remi, Anatol)
Fixed bug #68735 (fileinfo out-of-bounds memory access). (Anatol)
FPM:
Fixed request #68526 (Implement POSIX Access Control List for UDS). (Remi)
Fixed bug #68751 (listen.allowed_clients is broken). (Remi)
GD:
Fixed bug #68601 (buffer read overflow in gd_gif_in.c). (Jan Bee, Remi)
Fixed request #68656 (Report gd library version). (Remi)
mbstring:
Fixed bug #68504 (--with-libmbfl configure option not present on Windows). (Ashesh Vashi)
Opcache:
Fixed bug #68644 (strlen incorrect : mbstring + func_overload=2 +UTF-8 + Opcache). (Laruence)
Fixed bug #67111 (Memory leak when using "continue 2" inside two foreach loops). (Nikita)
OpenSSL:
Improved handling of OPENSSL_KEYTYPE_EC keys. (Dominic Luechinger)
pcntl:
Fixed bug #60509 (pcntl_signal doesn't decrease ref-count of old handler when setting SIG_DFL). (Julien)
PCRE:
Fixed bug #66679 (Alignment Bug in PCRE 8.34 upstream). (Rainer Jung, Anatol Belski)
pgsql:
Fixed bug #68697 (lo_export return -1 on failure). (Ondřej Surý)
PDO_mysql:
Fixed bug #68424 (Add new PDO mysql connection attr to control multi statements option). (peter dot wolanin at acquia dot com)
SPL:
Fixed bug #66405 (RecursiveDirectoryIterator::CURRENT_AS_PATHNAME breaks the RecursiveIterator). (Paul Garvin)
Fixed bug #68479 (Added escape parameter to SplFileObject::fputcsv). (Salathe)
SQLite:
Fixed bug #68120 (Update bundled libsqlite to 3.8.7.2). (Anatol)
Streams:
Fixed bug #68532 (convert.base64-encode omits padding bytes). (blaesius at krumedia dot de)

New in PHP 5.6.4 (Dec 19, 2014)

Core:
Fixed bug #68091 (Some Zend headers lack appropriate extern "C" blocks). (Adam)
Fixed bug #68104 (Segfault while pre-evaluating a disabled function). (Laruence)
Fixed bug #68185 ("Inconsistent insteadof definition."incorrectly triggered). (Julien)
Fixed bug #68355 (Inconsistency in example php.ini comments). (Chris McCafferty)
Fixed bug #68370 ("unset($this)" can make the program crash). (Laruence)
Fixed bug #68422 (Incorrect argument reflection info for array_multisort()). (Alexander Lisachenko)
Fixed bug #68545 (NULL pointer dereference in unserialize.c). (Anatol)
Fixed bug #68446 (Array constant not accepted for array parameter default). (Bob, Dmitry)
Fixed bug #68594 (Use after free vulnerability in unserialize()). (CVE-2014-8142) (Stefan Esser)
Date:
Fixed day_of_week function as it could sometimes return negative values internally. (Derick)
FPM:
Fixed bug #68381 (fpm_unix_init_main ignores log_level). (David Zuelke, Remi)
Fixed bug #68420 (listen=9000 listens to ipv6 localhost instead of all addresses). (Remi)
Fixed bug #68421 (access.format='%R' doesn't log ipv6 address). (Remi)
Fixed bug #68423 (PHP-FPM will no longer load all pools). (Remi)
Fixed bug #68428 (listen.allowed_clients is IPv4 only). (Remi)
Fixed bug #68452 (php-fpm man page is oudated). (Remi)
Fixed request #68458 (Change pm.start_servers default warning to notice). (David Zuelke, Remi)
Fixed bug #68463 (listen.allowed_clients can silently result in no allowed access). (Remi)
Fixed request #68391 (php-fpm conf files loading order). (Florian Margaine, Remi)
Fixed bug #68478 (access.log don't use prefix). (Remi)
Mcrypt:
Fixed possible read after end of buffer and use after free. (Dmitry)
GMP:
Fixed bug #68419 (build error with gmp 4.1). (Remi)
PDO_pgsql:
Fixed bug #67462 (PDO_PGSQL::beginTransaction() wrongly throws exception when not in transaction) (Matteo)
Fixed bug #68351 (PDO::PARAM_BOOL and ATTR_EMULATE_PREPARES misbehaving) (Matteo)
Session:
Fixed bug #68331 (Session custom storage callable functions not being called) (Yasuo Ohgaki)
SOAP:
Fixed bug #68361 (Segmentation fault on SoapClient::__getTypes). (Laruence)
zlib:
Fixed bug #53829 (Compiling PHP with large file support will replace function gzopen by gzopen64) (Sascha Kettler, Matteo)

New in PHP 5.6.3 (Nov 15, 2014)

Core:
Implemented 64-bit format codes for pack() and unpack().
Fixed bug #51800 (proc_open on Windows hangs forever).
Fixed bug #67633 (A foreach on an array returned from a function not doing copy-on-write).
Fixed bug #67739 (Windows 8.1/Server 2012 R2 OS build number reported as 6.2 (instead of 6.3)).
Fixed bug #67949 (DOMNodeList elements should be accessible through array notation) (Florian)
Fixed bug #68095 (AddressSanitizer reports a heap buffer overflow in php_getopt()).
Fixed bug #68118 ($a->foo .= 'test'; can leave $a->foo undefined).
Fixed bug #68129 (parse_url() - incomplete support for empty usernames and passwords) (Tjerk)
Fixed bug #68365 (zend_mm_heap corrupted after memory overflow in zend_hash_copy).
CURL:
Add CURL_SSLVERSION_TLSv1_0, CURL_SSLVERSION_TLSv1_1, and CURL_SSLVERSION_TLSv1_2 constants if supported by libcurl (Rasmus)
Fileinfo:
Fixed bug #66242 (libmagic: don't assume char is signed).
Fixed bug #68224 (buffer-overflow in libmagic/readcdf.c caught by AddressSanitizer).
Fixed bug #68283 (fileinfo: out-of-bounds read in elf note headers).
FPM:
Fixed bug #65641 (PHP-FPM incorrectly defines the SCRIPT_NAME variable when using Apache, mod_proxy-fcgi and ProxyPass).
Implemented FR #55508 (listen and listen.allowed_clients should take IPv6 addresses).
GD:
Fixed bug #65171 (imagescale() fails without height param).
GMP:
Implemented gmp_random_range() and gmp_random_bits().
Fixed bug #63595 (GMP memory management conflicts with other libraries using GMP).
Mysqli:
Fixed bug #68114 (linker error on some OS X machines with fixed width decimal support) (Keyur Govande)
ODBC:
Fixed bug #68087 (ODBC not correctly reading DATE column when preceded by a VARCHAR column) (Keyur Govande)
OpenSSL:
Fixed bug #68074 (Allow to use system cipher list instead of hardcoded value).
PDO_pgsql:
Fixed bug #68199 (PDO::pgsqlGetNotify doesn't support NOTIFY payloads) (Matteo, Alain Laporte)
Fixed bug #66584 (Segmentation fault on statement deallocation) (Matteo)
Reflection:
Fixed bug #68103 (Duplicate entry in Reflection for class alias).
SPL:
Fixed bug #68128 (Regression in RecursiveRegexIterator) (Tjerk)

New in PHP 5.6.3 RC 1 (Oct 29, 2014)

Core:
Implemented 64-bit format codes for pack() and unpack()(Leigh)
Fixed bug #51800 (proc_open on Windows hangs forever)(Anatol)
Fixed bug #67633 (A foreach on an array returned from a function not doing
copy-on-write)(Nikita)
Fixed bug #67739 (Windows 8.1/Server 2012 R2 OS build number reported
as 6.2 (instead of 6.3))(Christian Wenz)
Fixed bug #67949 (DOMNodeList elements should be accessible through
array notation) (Florian)
Fixed bug #68095 (AddressSanitizer reports a heap buffer overflow in
php_getopt())(Stas)
Fixed bug #68118 ($a->foo .= 'test'; can leave $a->foo undefined)(Nikita)
Fixed bug #68129 (parse_url() incomplete support for empty usernames
and passwords) (Tjerk)
phpdbg:
Added XML protocol (-x command line flag)(Bob)
Added hard interruptions (twice SIGINT)(Bob)
Fileinfo:
Fixed bug #66242 (libmagic: don't assume char is signed)(ArdB)
Fixed bug #68224 (buffer-overflow in libmagic/readcdf.c caught by
AddressSanitizer)(Remi)
Fixed bug #68283 (fileinfo: out-of-bounds read in elf note headers).
(CVE-2014-3710) (Remi)
FPM:
Fixed bug #65641 (PHP-FPM incorrectly defines the SCRIPT_NAME variable
when using Apache, mod_proxy-fcgi and ProxyPass)(Remi)
Implemented FR #55508 (listen and listen.allowed_clients should take IPv6
addresses)(Robin Gloster)
GD:
Fixed bug #65171 (imagescale() fails without height param)(Remi)
GMP:
Implemented gmp_random_range() and gmp_random_bits()(Leigh)
Fixed bug #63595 (GMP memory management conflicts with other libraries
using GMP)(Remi)
Reflection:
Fixed bug #68103 (Duplicate entry in Reflection for class alias)(Remi)
OpenSSL:
Fixed bug #68074 (Allow to use system cipher list instead of hardcoded
value)(Remi)
Mysqli:
Fixed bug #68114 (linker error on some OS X machines with fixed width
decimal support) (Keyur Govande)
ODBC:
Fixed bug #68087 (ODBC not correctly reading DATE column when preceded by
a VARCHAR column) (Keyur Govande)
SPL:
Fixed bug #68128 (Regression in RecursiveRegexIterator) (Tjerk)
CURL:
Add CURL_SSLVERSION_TLSv1_0, CURL_SSLVERSION_TLSv1_1, and
CURL_SSLVERSION_TLSv1_2 constants if supported by libcurl (Rasmus)
PDO_pgsql:
Fixed bug #68199 (PDO::pgsqlGetNotify doesn't support NOTIFY payloads)
(Matteo, Alain Laporte)

New in PHP 5.6.2 (Oct 16, 2014)

New in PHP 5.6.1 (Oct 3, 2014)

New in PHP 5.6.1 RC 1 (Sep 12, 2014)

New in PHP 5.6.0 (Aug 28, 2014)

General improvement:
Added constant scalar expressions syntax.
Added dedicated syntax for variadic functions.
Added support for argument unpacking to complement the variadic syntax.
Added an exponentiation operator (**).
Added phpdbg SAPI.
Added unified default encoding.
The php://input stream is now re-usable and can be used concurrently with enable_post_data_reading=0.
Added use function and use const..
Added a function for timing attack safe string comparison.
Added the __debugInfo() magic method to allow userland classes to implement the get_debug_info API previously available only to extensions.
Added gost-crypto (CryptoPro S-box) hash algorithm.
Stream wrappers verify peer certificates and host names by default in encrypted client streams.
Uploads equal or greater than 2GB in size are now accepted.
Core:
Fixed bug #67693 (incorrect push to the empty array).
Removed inconsistency regarding behaviour of array in constants at run-time.
Fixed bug #67497 (eval with parse error causes segmentation fault in generator).
Fixed bug #67151 (strtr with empty array crashes).
Fixed bug #67407 (Windows 8.1/Server 2012 R2 reported as Windows 8/Server 2012).
Fixed bug #66608 (Incorrect behavior with nested "finally" blocks).
Implemented FR #34407 (ucwords and Title Case).
Fixed bug #67091 (make install fails to install libphp5.so on FreeBSD 10.0).
Fixed bug #67368 (Memory leak with immediately dereferenced array in class constant).
Fixed bug #67468 (Segfault in highlight_file()/highlight_string()).
Fixed bug #67498 (phpinfo() Type Confusion Information Leak Vulnerability).
Fixed bug #67551 (php://input temp file will be located in sys_temp_dir instead of upload_tmp_dir).
Fixed bug #67169 (array_splice all elements, then []= gives wrong index).
Fixed bug #67198 (php://input regression).
Fixed bug #67247 (spl_fixedarray_resize integer overflow).
Fixed bug #67250 (iptcparse out-of-bounds read).
Fixed bug #67252 (convert_uudecode out-of-bounds read).
Fixed bug #67249 (printf out-of-bounds read).
Implemented FR #64744 (Differentiate between member function call on a null and non-null, non-objects).
Fixed bug #67436 (Autoloader isn't called if two method definitions don't match).
Fixed bug #66622 (Closures do not correctly capture the late bound class (static::) in some cases).
Fixed bug #67390 (insecure temporary file use in the configure script).
Fixed bug #67392 (dtrace breaks argument unpack).
Fixed bug #67428 (header('Location: foo') will override a 308-399 response code).
Fixed bug #67433 (SIGSEGV when using count() on an object implementing Countable).
Fixed bug #67399 (putenv with empty variable may lead to crash).
Expose get_debug_info class hook as __debugInfo() magic method.
Implemented unified default encoding (RFC: https://wiki.php.net/rfc/default_encoding).
Added T_POW (**) operator (RFC: https://wiki.php.net/rfc/pow-operator).
Improved IS_VAR operands fetching.
Improved empty string handling. Now ZE uses an interned string instead of allocation new empty string each time.
Implemented internal operator overloading (RFC: https://wiki.php.net/rfc/operator_overloading_gmp).
Made calls from incompatible context issue an E_DEPRECATED warning instead of E_STRICT (phase 1 of RFC: https://wiki.php.net/rfc/incompat_ctx).
Uploads equal or greater than 2GB in size are now accepted.
Reduced POST data memory usage by 200-300%. Changed INI setting always_populate_raw_post_data to throw a deprecation warning when enabling and to accept -1 for never populating the $HTTP_RAW_POST_DATA global variable, which will be the default in future PHP versions.
Implemented dedicated syntax for variadic functions (RFC: https://wiki.php.net/rfc/variadics).
Fixed bug #50333 Improving multi-threaded scalability by using emalloc/efree/estrdup (Anatol, Dmitry)
Implemented constant scalar expressions (with support for constants) (RFC: https://wiki.php.net/rfc/const_scalar_exprs).
Fixed bug #65784 (Segfault with finally).
Fixed bug #66509 (copy() arginfo has changed starting from 5.4).
Allow zero length comparison in substr_compare() (Tjerk)
Fixed bug #60602 (proc_open() changes environment array) (Tjerk)
Fixed bug #61019 (Out of memory on command stream_get_contents).
Fixed bug #64330 (stream_socket_server() creates wrong Abstract Namespace UNIX sockets).
Fixed bug #66182 (exit in stream filter produces segfault).
Fixed bug #66736 (fpassthru broken).
Fixed bug #66822 (Cannot use T_POW in const expression) (Tjerk)
Fixed bug #67043 (substr_compare broke by previous change) (Tjerk)
Fixed bug #65701 (copy() doesn't work when destination filename is created by tempnam()).
Fixed bug #66015 (Unexpected array indexing in class's static property).
Added (constant) string/array dereferencing to static scalar expressions to complete the set; now possible thanks to bug #66015 being fixed.
Fixed bug #66568 (Update reflection information for unserialize() function).
Fixed bug #66660 (Composer.phar install/update fails).
Fixed bug #67024 (getimagesize should recognize BMP files with negative height).
Fixed bug #67064 (Countable interface prevents using 2nd parameter ($mode) of count() function).
Fixed bug #67072 (Echoing unserialized "SplFileObject" crash).
Fixed bug #67033 (Remove reference to Windows 95).
Apache2 Handler SAPI:
Fixed Apache log issue caused by APR's lack of support for %zu (APR issue https://issues.apache.org/bugzilla/show_bug.cgi?id=56120).
CLI server:
Added some MIME types to the CLI web server.
Fixed bug #67079 (Missing MIME types for XML/XSL files).
Fixed bug #66830 (Empty header causes PHP built-in web server to hang).
Fixed bug #67594 (Unable to access to apache_request_headers() elements).
Implemented FR #67429 (CLI server is missing some new HTTP response codes).
Fixed Bug #67406 (built-in web-server segfaults on startup).
COM:
Fixed bug #41577 (DOTNET is successful once per server run) (Aidas Kasparas)
Fixed missing type checks in com_event_sink (Yussuf Khalil, Stas).
Fixed bug #66431 (Special Character via COM Interface (CP_UTF8)).
Curl:
Implemented FR #65646 (re-enable CURLOPT_FOLLOWLOCATION with open_basedir or safe_mode).
Check for openssl.cafile ini directive when loading CA certs.
Remove cURL close policy related constants as these have no effect and are no longer used in libcurl.
Fixed bug #66109 (Can't reset CURLOPT_CUSTOMREQUEST to default behaviour) (Tjerk)
Fix compilation on libcurl versions between 7.10.5 and 7.12.2, inclusive.
Fixed bug #64247 (CURLOPT_INFILE doesn't allow reset).
Fixed bug #66562 (curl_exec returns differently than curl_multi_getcontent).
Date:
Fixed bug #66091 (memory leaks in DateTime constructor) (Tjerk).
Fixed bug #67308 (Serialize of DateTime truncates fractions of second).
Fixed regression in fix for bug #67118 (constructor can't be called twice).
Fixed bug #67251 (date_parse_from_format out-of-bounds read).
Fixed bug #67253 (timelib_meridian_with_check out-of-bounds read).
Added DateTimeImmutable::createFromMutable to create a DateTimeImmutable object from an existing DateTime (mutable) object (Derick)
Fixed bug #66721 (__wakeup of DateTime segfaults when invalid object data is supplied).
Fixed bug #67118 (DateTime constructor crash with invalid data).
DOM:
Fixed bug #67081 (DOMDocumentType->internalSubset returns entire DOCTYPE tag, not only the subset).
Embed:
Fixed bug #65715 (php5embed.lib isn't provided anymore). (Anatol).
Fileinfo:
Fixed bug #67716 (Segfault in cdf.c).
Fixed bug #67705 (extensive backtracking in rule regular expression).
Fixed bug #67327 (fileinfo: CDF infinite loop in nelements DoS).
Fixed bug #67328 (fileinfo: fileinfo: numerous file_printf calls resulting in performance degradation).
Fixed bug #67326 (fileinfo: cdf_read_short_sector insufficient boundary check).
Fixed bug #67329 (fileinfo: NULL pointer deference flaw by processing certain CDF files).
Fixed bug #67410 (fileinfo: mconvert incorrect handling of truncated pascal string size).
Fixed bug #67411 (fileinfo: cdf_check_stream_offset insufficient boundary check).
Fixed bug #67412 (fileinfo: cdf_count_chain insufficient boundary check).
Fixed bug #67413 (fileinfo: cdf_read_property_info insufficient boundary check).
Upgraded to libmagic-5.17 (Anatol)
Fixed bug #66731 (file: infinite recursion).
Fixed bug #66820 (out-of-bounds memory access in fileinfo) (CVE-2014-2270).
Fixed bug #66946i (fileinfo: extensive backtracking in awk rule regular expression).
Fixed bug #66987 (Memory corruption in fileinfo ext / bigendian).
Fixed bug #66907 (Solaris 10 is missing strcasestr and needs substitute).
Fixed bug #66307 (Fileinfo crashes with powerpoint files).
FPM:
Fix bug #67606 (revised fix 67541, broke mod_fastcgi BC).
Fixed bug #67530 (error_log=syslog ignored).
Fixed bug #67635 (php links to systemd libraries without using pkg-config).
Fix bug #67531 (syslog cannot be set in pool configuration).
Fix bug #67541 (Fix Apache 2.4.10+ SetHandler proxy:fcgi:// incompatibilities).
Included apparmor support in fpm (RFC: https://wiki.php.net/rfc/fpm_change_hat).
Added clear_env configuration directive to disable clearenv() call.
Fixed bug #66482 (unknown entry 'priority' in php-fpm.conf).
Fixed bug #66908 (php-fpm reload leaks epoll_create() file descriptor).
Fixed bug #67060 (sapi/fpm: possible privilege escalation due to insecure default configuration) (CVE-2014-0185).
GD:
Fixed bug #67730 (Null byte injection possible with imagexxx functions).
Fixed bug #66901 (php-gd 'c_color' NULL pointer dereference).
Fixed bug #67248 (imageaffinematrixget missing check of parameters).
Fixed imagettftext to load the correct character map rather than the last one.
Fixed bug #66714 ( imageconvolution breakage).
Fixed bug #66815 (imagecrop(): insufficient fix for NULL defer CVE-2013-7327). (Tomas Hoger, Remi).
Fixed #66869 (Invalid 2nd argument crashes imageaffinematrixget) (Pierre)
Fixed bug #66887 (imagescale - poor quality of scaled image).
Fixed bug #66890 (imagescale segfault).
Fixed bug #66893 (imagescale ignore method argument).
GMP:
Fixed bug #66872 (invalid argument crashes gmp_testbit) (Pierre)
Fixed crashes in serialize/unserialize.
Moved GMP to use object as the underlying structure and implemented various improvements based on this.
Added gmp_root() and gmp_rootrem() functions for calculating nth roots.
Hash:
Added gost-crypto (CryptoPro S-box) GOST hash algo.
Fixed bug #66698 (Missing FNV1a32 and FNV1a64 hash functions). (Michael M Slusarz).
Implemented timing attack safe string comparison function (RFC: https://wiki.php.net/rfc/timing_attack).
hash_pbkdf2() now works correctly if the $length argument is not specified.
Intl:
Fixed bug #66873 (A reproductible crash in UConverter when given invalid encoding) (Stas)
Fixed bug #66921 (Wrong argument type hint for function intltz_from_date_time_zone).
Fixed bug #67052 (NumberFormatter::parse() resets LC_NUMERIC setting).
Fixed bug #67349 (Locale::parseLocale Double Free).
Fixed bug #67397 (Buffer overflow in locale_get_display_name and uloc_getDisplayName (libicu 4.8.1)).
JSON:
Fixed case part of bug #64874 ("json_decode handles whitespace and case-sensitivity incorrectly")
Fixed bug #65753 (JsonSerializeable couldn't implement on module extension) ([email protected])
Fixed bug #66021 (Blank line inside empty array/object when JSON_PRETTY_PRINT is set).
ldap:
Added new function ldap_modify_batch().
Fixed issue with null bytes in LDAP bindings.
litespeed:
Fixed bug #63228 (-Werror=format-security error in lsapi code).
Mail:
Fixed bug #66535 (Don't add newline after X-PHP-Originating-Script) (Tjerk)
Mcrypt:
No longer allow invalid key sizes, invalid IV sizes or missing required IV in mcrypt_encrypt, mcrypt_decrypt and the deprecated mode functions.
Use /dev/urandom as the default source for mcrypt_create_iv().
Mbstring:
Upgraded to oniguruma 5.9.5 (Anatol)
Fixed bug #67199 (mb_regex_encoding mismatch).
Milter:
Fixed bug #67715 (php-milter does not build and crashes randomly).
mysqli:
Added new function mysqli_get_links_stats() as well as new INI variable mysqli.rollback_on_cached_plink of type bool (Andrey)
Fixed bug #66762 (Segfault in mysqli_stmt::bind_result() when link closed) (Remi)
Fixed building against an external libmysqlclient.
mysqlnd:
Disabled flag for SP OUT variables for 5.5+ servers as they are not natively supported by the overlying APIs.
Added a new fetching mode to mysqlnd.
Added support for gb18030 from MySQL 5.7.
Network:
Fixed bug #67717 (segfault in dns_get_record).
Fixed bug #67432 (Fix potential segfault in dns_get_record()).
OCI8:
Fixed Bug #66875 (Improve performance of multi-row OCI_RETURN_LOB queries) (Perrier, Chris Jones)
ODBC:
Fixed bug #60616 (odbc_fetch_into returns junk at end of multi-byte char fields).
OpenSSL:
Fixed missing type checks in OpenSSL options (Yussuf Khalil, Stas).
Fixed bug #67609 (TLS connections fail behind HTTP proxy).
Fixed broken build against OpenSSL older than 0.9.8 where ECDH unavailable.
Fixed bug #67666 (Subject altNames doesn't support wildcard matching).
Fixed bug #67224 (Fall back to crypto_type from context if not specified explicitly in stream_socket_enable_crypto).
Fixed bug #65698 (certificates validity parsing does not work past 2050).
Fixed bug #66636 (openssl_x509_parse warning with V_ASN1_GENERALIZEDTIME).
Peer certificates now verified by default in client socket operations (RFC: https://wiki.php.net/rfc/tls-peer-verification).
New openssl.cafile and openssl.capath ini directives.
Added crypto_method option for the ssl stream context.
Added certificate fingerprint support.
Added explicit TLSv1.1 and TLSv1.2 stream transports.
Fixed bug #65729 (CN_match gives false positive).
Peer name verification matches SAN DNS names for certs using the Subject Alternative Name x509 extension.
Fixed segfault when built against OpenSSL>=1.0.1 (Daniel Lowrey)
Added SPKAC support.
Fallback to Windows CA cert store for peer verification if no openssl.cafile ini directive or "cafile" SSL context option specified in Windows.
The openssl.cafile and openssl.capath ini directives introduced in alpha2 now have PHP_INI_PERDIR accessibility (was PHP_INI_ALL).
New "peer_name" SSL context option replaces "CN_match" (which still works as before but triggers E_DEPRECATED).
Fixed segfault when accessing non-existent context for client SNI use (Daniel Lowrey)
Fixed bug #66501 (Add EC key support to php_openssl_is_private_key).
Fixed Bug #47030 (add new boolean "verify_peer_name" SSL context option allowing clients to verify cert names separately from the cert itself). "verify_peer_name" is enabled by default for client streams.
Fixed Bug #65538 ("cafile" SSL context option now supports stream wrappers).
New openssl_get_cert_locations() function to aid CA file and peer verification debugging.
Encrypted stream wrappers now disable TLS compression by default.
New "capture_session_meta" SSL context option allows encrypted client and server streams access to negotiated protocol/cipher information.
New "honor_cipher_order" SSL context option allows servers to prioritize cipher suites of their choosing when negotiating SSL/TLS handshakes.
New "single_ecdh_use" and "single_dh_use" SSL context options allow for improved forward secrecy in encrypted stream servers.
New "dh_param" SSL context option allows stream servers control over the parameters when negotiating DHE cipher suites.
New "ecdh_curve" SSL context option allowing stream servers to specify the curve to use when negotiating ephemeral ECDHE ciphers (defaults to NIST P-256).
New "rsa_key_size" SSL context option gives stream servers control over the key size (in bits) used for RSA key agreements.
Crypto methods for encrypted client and server streams now use bitwise flags for fine-grained protocol support.
Added new tlsv1.0 stream wrapper to specify TLSv1 client/server method. tls wrapper now negotiates TLSv1, TLSv1.1 or TLSv1.2.
Encrypted client streams now enable SNI by default.
Encrypted streams now prioritize ephemeral key agreement and high strength ciphers by default.
New OPENSSL_DEFAULT_STREAM_CIPHERS constant exposes default cipher list.
New STREAM_CRYPTO_METHOD_* constants for enhanced control over the crypto methods negotiated encrypted server/client sessions.
Encrypted stream servers now automatically mitigate potential DoS vector arising from client-initiated TLS renegotiation. New "reneg_limit", "reneg_window" and "reneg_limit_callback" SSL context options for custom renegotiation limiting control.
Fixed memory leak in windows cert verification on verify failure.
Peer certificate capturing via SSL context options now functions even if peer verification fails.
Encrypted TLS servers now support the server name indication TLS extension via the new "SNI_server_certs" SSL context option.
Fixed bug #66833 (Default disgest algo is still MD5, switch to SHA1).
Fix bug #66942 (memory leak in openssl_seal()).
Fix bug #66952 (memory leak in openssl_open()).
Fix bug #66840 (Fix broken build when extension built separately).
OPcache:
Added an optimization of class constants and constant calls to some internal functions (Laruence, Dmitry)
Added an optimization pass to convert FCALL_BY_NAME into DO_FCALL.
Added an optimization pass to merged identical constants (and related cache_slots) in op_array->literals table.
Added script level constant replacement optimization pass.
Added function opcache_is_script_cached().
Added information about interned strings usage.
Fixed bug #67215 (php-cgi work with opcache, may be segmentation fault happen) (Dmitry, Laruence)
PCRE:
Fixed bug #67238 (Ungreedy and min/max quantifier bug, applied patch from the upstream).
Upgraded to PCRE 8.34.
Added support for (*MARK) backtracking verbs.
pgsql:
Fix bug #67550 (Error in code "form" instead of "from", pgsql.c, line 756), which affected builds against libpq < 7.3.
pg_insert()/pg_select()/pg_update()/pg_delete() are no longer EXPERIMENTAL.
Impremented FR #25854 Return value for pg_insert should be resource instead of bool.
Implemented FR #41146 - Add "description" with exteneded flag pg_meta_data(). pg_meta_data(resource $conn, string $table [, bool extended]) It also made pg_meta_data() return "is enum" always.
Read-only access to the socket stream underlying database connections is exposed via a new pg_socket() function to allow read/write polling when establishing asynchronous connections and executing queries in non-blocking applications.
Asynchronous connections are now possible using the PGSQL_CONNECT_ASYNC flag in conjunction with a new pg_connect_poll() function and connection polling status constants.
New pg_flush() and pg_consume_input() functions added to manually complete non-blocking reads/writes to underlying connection sockets.
pg_version() returns full report which obtained by PQparameterStatus().
Added pg_lo_truncate().
Added 64bit large object support for PostgreSQL 9.3 and later.
Fixed bug #67555 (Cannot build against libpq 7.3).
phpdbg:
Fixed bug #67575 (Compilation fails for phpdbg when the build directory != src directory).
Fix Bug #67499 (readline feature not enabled when build with libedit).
Fix issue krakjoe/phpdbg#94 (List behavior is inconsistent).
Fix issue krakjoe/phpdbg#97 (The prompt should always ensure it is on a newline).
Fix issue krakjoe/phpdbg#98 (break if does not seem to work).
Fix issue krakjoe/phpdbg#99 (register function has the same behavior as run).
Fix issue krakjoe/phpdbg#100 (No way to list the current stack/frames) (Help entry was missing).
Fixed bug which caused phpdbg to fail immediately on startup in non-debug builds.
Fixed bug #67212 (phpdbg uses non-standard TIOCGWINSZ).
Included phpdbg sapi (RFC: https://wiki.php.net/rfc/phpdbg).
Added watchpoints (watch command).
Renamed some commands (next => continue and how to step).
Fixed issue #85 (https://github.com/krakjoe/phpdbg/issues/85) (Added stdin/stdout/stderr constants and their php:// wrappers).
PDO:
Fixed bug #66604 ('pdo/php_pdo_error.h' not copied to the include dir).
PDO-ODBC:
Fixed bug #50444 (PDO-ODBC changes for 64-bit).
PDO_pgsql:
Fixed Bug #42614 (PDO_pgsql: add pg_get_notify support).
Fixed Bug #63657 (pgsqlCopyFromFile, pgsqlCopyToArray use Postgres < 7.3 syntax).
Cleaned up code by increasing the requirements to libpq versions providing PQexecParams, PQprepare, PQescapeStringConn, PQescapeByteaConn. According to the release notes that means 8.0.8+ or 8.1.4+.
Deprecated PDO::PGSQL_ATTR_DISABLE_NATIVE_PREPARED_STATEMENT, an undocument constant effectively equivalent to PDO::ATTR_EMULATE_PREPARES.
Added PDO::PGSQL_ATTR_DISABLE_PREPARES constant to execute the queries without preparing them, while still passing parameters separately from the command text using PQexecParams.
PDO_firebird:
Fixed Bug #66071 (memory corruption in error handling) (Popa)
Phar:
Fix bug #64498 ($phar->buildFromDirectory can't compress file with an accent in its name).
Fixed bug #67587 (Redirection loop on nginx with FPM).
readline:
Fixed bug #55496 (Interactive mode doesn't force a newline before the prompt).
Fixed bug #67496 (Save command history when exiting interactive shell with control-c).
Reflection:
Implemented FR #67713 (loosen the restrictions on ReflectionClass::newInstanceWithoutConstructor()).
Session:
Fixed bug #67694 (Regression in session_regenerate_id()).
Fixed missing type checks in php_session_create_id (Yussuf Khalil, Stas).
Fixed bug #66827 (Session raises E_NOTICE when session name variable is array).
Fixed Bug #65315 (session.hash_function silently fallback to default md5) (Yasuo)
Implemented Request #17860 (Session write short circuit).
Implemented Request #20421 (session_abort() and session_reset() function).
Remove session_gc() and session_serializer_name() wich were introduced in the first 5.6.0 alpha.
SimpleXML:
Fixed bug #66084 (simplexml_load_string() mangles empty node name) (Anatol)
SQLite:
Updated the bundled libsqlite to the version 3.8.3.1 (Anatol)
Fixed bug #66967 (Updated bundled libsqlite to 3.8.4.3).
SOAP:
Implemented FR #49898 (Add SoapClient::__getCookies()).
SPL:
Revert fix for bug #67064 (BC issues).
Fixed bug #67539 (ArrayIterator use-after-free due to object change during sorting).
Fixed bug #67538 (SPL Iterators use-after-free).
Fixed bug #67492 (unserialize() SPL ArrayObject / SPLObjectStorage Type Confusion) (CVE-2014-3515).
Fixed bug #67359 (Segfault in recursiveDirectoryIterator).
Fixed bug #66127 (Segmentation fault with ArrayObject unset).
Fixed request #67453 (Allow to unserialize empty data).
Added feature #65545 (SplFileObject::fread()) (Tjerk)
Fixed bug #66834 (empty() does not work on classes that extend ArrayObject) (Tjerk)
Fixed bug #66702 (RegexIterator::INVERT_MATCH does not invert).
Standard:
Implemented FR #65634 (HTTP wrapper is very slow with protocol_version 1.1).
Implemented Change crypt() behavior w/o salt RFC. (Yasuo) https://wiki.php.net/rfc/crypt_function_salt
Implemented request #49824 (Change array_fill() to allow creating empty array).
Streams:
Fixed bug #67430 (http:// wrapper doesn't follow 308 redirects).
Tokenizer:
Fixed bug #67395 (token_name() does not return name for T_POW and T_POW_EQUAL token).
XMLReader:
Fixed bug #55285 (XMLReader::getAttribute/No/Ns methods inconsistency).
XSL:
Fixed bug #53965 ( cannot find files with relative paths when loaded with "file://").
Zip:
update libzip to version 1.11.2. PHP don't use any ilibzip private symbol anymore.
new method ZipArchive::setPassword($password).
add --with-libzip option to build with system libzip.
new methods: ZipArchive::setExternalAttributesName($name, $opsys, $attr [, $flags]) ZipArchive::setExternalAttributesIndex($idx, $opsys, $attr [, $flags]) ZipArchive::getExternalAttributesName($name, &$opsys, &$attr [, $flags]) ZipArchive::getExternalAttributesIndex($idx, &$opsys, &$attr [, $flags])
Zlib:
Fixed bug #67865 (internal corruption phar error). Mike
Fixed bug #67724 (chained zlib filters silently fail with large amounts of data).

New in PHP 5.5.16 (Aug 22, 2014)

New in PHP 5.6.0 RC 4 (Aug 14, 2014)

New in PHP 5.5.1.6 RC 1 (Aug 7, 2014)

New in PHP 5.6.0 RC 3 (Aug 1, 2014)

Core:
Fixed bug #67497 (eval with parse error causes segmentation fault in generator). (Nikita)
Fixed bug #67151 (strtr with empty array crashes). (Nikita)
Fixed bug #67407 (Windows 8.1/Server 2012 R2 reported as Windows 8/Server 2012). (Christian Wenz)
Fixed bug #66608 (Incorrect behavior with nested "finally" blocks). (Laruence, Dmitry)
Implemented FR #34407 (ucwords and Title Case). (Tjerk)
COM:
Fixed missing type checks in com_event_sink (Yussuf Khalil, Stas).
CLI server:
Fixed bug #66830 (Empty header causes PHP built-in web server to hang). (Adam)
Fixed bug #67594 (Unable to access to apache_request_headers() elements). (Tjerk)
FPM:
Fixed bug #67530 (error_log=syslog ignored). (Remi)
Fixed bug #67635 (php links to systemd libraries without using pkg-config). ([email protected], Remi)
Intl:
Fixed bug #66921 (Wrong argument type hint for function intltz_from_date_time_zone). (Stas)
Fixed bug #67052 (NumberFormatter::parse() resets LC_NUMERIC setting). (Stas)
pgsql:
Fixed bug #67555 (Cannot build against libpq 7.3). (Adam)
ODBC:
Fixed bug #60616 (odbc_fetch_into returns junk at end of multi-byte char fields). (Keyur Govande)
OpenSSL:
Fixed missing type checks in OpenSSL options (Yussuf Khalil, Stas).
Fixed bug #67609 (TLS connections fail behind HTTP proxy). (Daniel Lowrey)
Fixed broken build against OpenSSL older than 0.9.8 where ECDH unavailable. (Lior Kaplan)
Fixed bug #67666 (Subject altNames doesn't support wildcard matching). (Tjerk)
Phar:
Fixed bug #67587 (Redirection loop on nginx with FPM). (Christian Weiske)
readline:
Fixed bug #55496 (Interactive mode doesn't force a newline before the prompt). (Bob, Johannes)
Fixed bug #67496 (Save command history when exiting interactive shell with control-c). (Dmitry Saprykin, Johannes)
Reflection:
Implemented FR #67713 (loosen the restrictions on ReflectionClass::newInstanceWithoutConstructor()). (Ferenc)
SPL:
Fixed bug #67539 (ArrayIterator use-after-free due to object change during sorting). (research at insighti dot org, Laruence)
Fixed bug #67538 (SPL Iterators use-after-free). (CVE-2014-4670) (Laruence)
Session:
Fixed missing type checks in php_session_create_id (Yussuf Khalil, Stas).
Fixed bug #66827 (Session raises E_NOTICE when session name variable is array). (Yasuo)
OPCache:
Fixed bug #67215 (php-cgi work with opcache, may be segmentation fault happen) (Dmitry, Laruence)
phpdbg:
Fixed bug #67575 (Compilation fails for phpdbg when the build directory != src directory). (Andy Thompson)

New in PHP 5.5.15 (Jul 23, 2014)

New in PHP 5.5.14 (Jun 30, 2014)

New in PHP 5.6.0 RC 1 (Jun 20, 2014)

Core:
Implemented FR #64744 (Differentiate between member function call on a null and non-null, non-objects). (Boro Sitnikovski)
Fixed bug #67436 (Autoloader isn't called if two method definitions don't match). (Bob)
Fixed bug #66622 (Closures do not correctly capture the late bound class (static::) in some cases). (Levi Morrison)
Fixed bug #67390 (insecure temporary file use in the configure script). (Remi) (CVE-2014-3981)
Fixed bug #67392 (dtrace breaks argument unpack). (Nikita)
Fixed bug #67428 (header('Location: foo') will override a 308-399 response code). (Adam)
Fixed bug #67433 (SIGSEGV when using count() on an object implementing Countable). (Matteo)
Fixed bug #67399 (putenv with empty variable may lead to crash). (Stas)
CLI server:
Implemented FR #67429 (CLI server is missing some new HTTP response codes). (Adam)
Fixed Bug #67406 (built-in web-server segfaults on startup). (Remi)
Fileinfo:
Fixed bug #67410 (fileinfo: mconvert incorrect handling of truncated pascal string size). (Francisco Alonso, Jan Kaluza, Remi)
Fixed bug #67411 (fileinfo: cdf_check_stream_offset insufficient boundary check). (Francisco Alonso, Jan Kaluza, Remi)
Fixed bug #67412 (fileinfo: cdf_count_chain insufficient boundary check). (Francisco Alonso, Jan Kaluza, Remi)
Fixed bug #67413 (fileinfo: cdf_read_property_info insufficient boundary check). (Francisco Alonso, Jan Kaluza, Remi)
mysqlnd:
Added support for gb18030 from MySQL 5.7. (Andrey)
Network:
Fixed bug #67432 (Fix potential segfault in dns_get_record()). (CVE-2014-4049). (Sara)
OpenSSL:
Fixed bug #65698 (certificates validity parsing does not work past 2050). (Paul Oehler)
Fixed bug #66636 (openssl_x509_parse warning with V_ASN1_GENERALIZEDTIME). (Paul Oehler)
phpdbg:
Fixed bug #67212 (phpdbg uses non-standard TIOCGWINSZ). (Ferenc)
SOAP:
Implemented FR #49898 (Add SoapClient::__getCookies()). (Boro Sitnikovski)
SPL:
Fixed bug #66127 (Segmentation fault with ArrayObject unset). (Stas)
Fixed request #67453 (Allow to unserialize empty data). (Remi)
Streams:
Fixed bug #67430 (http:// wrapper doesn't follow 308 redirects). (Adam)
Tokenizer:
Fixed bug #67395 (token_name() does not return name for T_POW and T_POW_EQUAL token). (Ferenc)

New in PHP 5.6.0 Beta 4 (Jun 5, 2014)

New in PHP 5.5.13 (May 27, 2014)

New in PHP 5.6.0 Beta 3 (May 16, 2014)

New in PHP 5.5.13 RC 1 (May 15, 2014)

New in PHP 5.6.0 Beta 2 (May 2, 2014)

CLI server:
Fixed bug #67079 (Missing MIME types for XML/XSL files).
COM:
Fixed bug #66431 (Special Character via COM Interface (CP_UTF8)).
Core:
Fixed bug #65701 (copy() doesn't work when destination filename is created by tempnam()).
Fixed bug #66015 (Unexpected array indexing in class's static property).
Added (constant) string/array dereferencing to static scalar expressions to complete the set; now possible thanks to bug #66015 being fixed.
Fixed bug #66568 (Update reflection information for unserialize() function).
Fixed bug #66660 (Composer.phar install/update fails).
Fixed bug #67024 (getimagesize should recognize BMP files with negative height).
Fixed bug #67064 (Countable interface prevents using 2nd parameter ($mode) of count() function).
Fixed bug #67072 (Echoing unserialized "SplFileObject" crash).
Fixed bug #67033 (Remove reference to Windows 95).
cURL:
Fixed bug #64247 (CURLOPT_INFILE doesn't allow reset). (Mike)
Fixed bug #66562 (curl_exec returns differently than curl_multi_getcontent).
Date:
Fixed bug #66721 (__wakeup of DateTime segfaults when invalid object data is supplied).
Fixed bug #67118 (DateTime constructor crash with invalid data).
DOM:
Fixed bug #67081 (DOMDocumentType->internalSubset returns entire DOCTYPE tag, not only the subset).
Fileinfo:
Fixed bug #66907 (Solaris 10 is missing strcasestr and needs substitute).
Fixed bug #66307 (Fileinfo crashes with powerpoint files).
FPM:
Fixed bug #66482 (unknown entry 'priority' in php-fpm.conf).
Fixed bug #66908 (php-fpm reload leaks epoll_create() file descriptor).
Fixed bug #67060 (sapi/fpm: possible privilege escalation due to insecure default configuration) (CVE-2014-0185).
GMP:
Fixed crashes in serialize/unserialize.
JSON:
Fixed bug #66021 (Blank line inside empty array/object when JSON_PRETTY_PRINT is set).
LDAP:
Fixed issue with null bytes in LDAP bindings. (Matthew Daley)
litespeed
Fixed bug #63228 (-Werror=format-security error in lsapi code).
mysqlnd:
Added a new fetching mode to mysqlnd.
OpenSSL:
Fix bug #66942 (memory leak in openssl_seal()).
Fix bug #66952 (memory leak in openssl_open()).
Fix bug #66840 (Fix broken build when extension built separately).
phpdbg:
Added watchpoints (watch command).
Renamed some commands (next => continue and how to step).
Fixed issue #85 (https://github.com/krakjoe/phpdbg/issues/85).
PDO:
Fixed bug #66604 ('pdo/php_pdo_error.h' not copied to the include dir).
PDO-ODBC:
Fixed bug #50444 (PDO-ODBC changes for 64-bit).
Phar:
Fix bug #64498 ($phar->buildFromDirectory can't compress file with an accent in its name). (PR #588)
SQLite:
Fixed bug #66967 (Updated bundled libsqlite to 3.8.4.3).
Apache2 Handler SAPI:
Fixed Apache log issue caused by APR's lack of support for %zu (APR issue https://issues.apache.org/bugzilla/show_bug.cgi?id=56120).

New in PHP 5.5.12 (May 1, 2014)

New in PHP 5.5.12 RC 1 (Apr 18, 2014)

New in PHP 5.6.0 Beta 1 (Apr 12, 2014)

Highlights:
A new method called fread() to the SplFileObject class
A new static method called createFromMutable() to the DateTimeImmutable class
A new function called hash_compare()
Support for marks to the PCRE extension
Support for asynchronous connections and queries to the Pgsql extension
Core:
Allow zero length comparison in substr_compare() (Tjerk)
Fixed bug #60602 (proc_open() changes environment array) (Tjerk)
Fixed bug #61019 (Out of memory on command stream_get_contents). (Mike)
Fixed bug #64330 (stream_socket_server() creates wrong Abstract Namespace UNIX sockets). (Mike)
Fixed bug #66182 (exit in stream filter produces segfault). (Mike)
Fixed bug #66736 (fpassthru broken). (Mike)
Fixed bug #66822 (Cannot use T_POW in const expression) (Tjerk)
Fixed bug #67043 (substr_compare broke by previous change) (Tjerk)
SPL:
Added feature #65545 (SplFileObject::fread()) (Tjerk)
Fixed bug #66834 (empty() does not work on classes that extend ArrayObject) (Tjerk)
Fixed bug #66702 (RegexIterator::INVERT_MATCH does not invert). (Joshua Thijssen)
cURL:
Fixed bug #66109 (Can't reset CURLOPT_CUSTOMREQUEST to default behaviour) (Tjerk)
Fix compilation on libcurl versions between 7.10.5 and 7.12.2, inclusive. (Adam)
Date:
Added DateTimeImmutable::createFromMutable to create a DateTimeImmutable object from an existing DateTime (mutable) object (Derick)
Embed:
Fixed bug #65715 (php5embed.lib isn't provided anymore). (Anatol).
Fileinfo:
Fixed bug #66820 (out-of-bounds memory access in fileinfo) (CVE-2014-2270). (Remi)
Fixed bug #66946i (fileinfo: extensive backtracking in awk rule regular expression). (CVE-2013-7345) (Remi)
Fixed bug #66987 (Memory corruption in fileinfo ext / bigendian). (Remi)
GD:
Fixed bug #66815 (imagecrop(): insufficient fix for NULL defer CVE-2013-7327). (Tomas Hoger, Remi).
Fixed #66869 (Invalid 2nd argument crashes imageaffinematrixget) (Pierre)
Fixed bug #66887 (imagescale poor quality of scaled image). (Remi)
Fixed bug #66890 (imagescale segfault). (Remi)
Fixed bug #66893 (imagescale ignore method argument). (Remi)
GMP:
Fixed bug #66872 (invalid argument crashes gmp_testbit) (Pierre)
Hash:
Fixed bug #66698 (Missing FNV1a32 and FNV1a64 hash functions). (Michael M Slusarz).
Implemented timing attack safe string comparison function (RFC: https://wiki.php.net/rfc/timing_attack). (Rouven Weßling)
hash_pbkdf2() now works correctly if the $length argument is not specified. (Nikita)
Intl:
Fixed bug #66873 (A reproductible crash in UConverter when given invalid encoding) (Stas)
Mail:
Fixed bug #66535 (Don't add newline after X-PHP-Originating-Script) (Tjerk)
Mbstring:
Upgraded to oniguruma 5.9.5 (Anatol)
Mcrypt:
No longer allow invalid key sizes, invalid IV sizes or missing required IV in mcrypt_encrypt, mcrypt_decrypt and the deprecated mode functions. (Nikita)
Use /dev/urandom as the default source for mcrypt_create_iv(). (Nikita)
MySQLi:
Fixed bug #66762 (Segfault in mysqli_stmt::bind_result() when link closed) (Remi)
OCI8:
Fixed Bug #66875 (Improve performance of multi-row OCI_RETURN_LOB queries)
(Perrier, Chris Jones)
OpenSSL:
Fixed memory leak in windows cert verification on verify failure. (Chris Wright)
Peer certificate capturing via SSL context options now functions even if peer verification fails. (Daniel Lowrey)
Encrypted TLS servers now support the server name indication TLS extension via the new "SNI_server_certs" SSL context option. (Daniel Lowrey)
Fixed bug #66833 (Default disgest algo is still MD5, switch to SHA1). (Remi)
PCRE:
Added support for (*MARK) backtracking verbs. (Nikita)
PDO_firebird:
Fixed Bug #66071 (memory corruption in error handling) (Popa)
PDO_pgsql:
Cleaned up code by increasing the requirements to libpq versions providing PQexecParams, PQprepare, PQescapeStringConn, PQescapeByteaConn. According to the release notes that means 8.0.8+ or 8.1.4+. (Matteo)
Deprecated PDO::PGSQL_ATTR_DISABLE_NATIVE_PREPARED_STATEMENT, an undocument constant effectively equivalent to PDO::ATTR_EMULATE_PREPARES. (Matteo)
Added PDO::PGSQL_ATTR_DISABLE_PREPARES constant to execute the queries without preparing them, while still passing parameters separately from the command text using PQexecParams. (Matteo)
Pgsql:
Read-only access to the socket stream underlying database connections is exposed via a new pg_socket() function to allow read/write polling when establishing asynchronous connections and executing queries in non-blocking applications. (Daniel Lowrey)
Asynchronous connections are now possible using the PGSQL_CONNECT_ASYNC flag in conjunction with a new pg_connect_poll() function and connection polling status constants. (Daniel Lowrey)
New pg_flush() and pg_consume_input() functions added to manually complete non-blocking reads/writes to underlying connection sockets. (Daniel Lowrey)
Session:
Remove session_gc() and session_serializer_name() wich were introduced in the first 5.6.0 alpha.
SimpleXML:
Fixed bug #66084 (simplexml_load_string() mangles empty node name) (Anatol)
SQLite:
Updated the bundled libsqlite to the version 3.8.3.1 (Anatol)
XSL:
Fixed bug #53965 ( cannot find files with relative paths when loaded with "file://"). (Anatol)

New in PHP 5.6.0 Alpha 3 (Apr 4, 2014)

Core:
Expose get_debug_info class hook as __debugInfo() magic method. (Sara)
Implemented unified default encoding (RFC: https://wiki.php.net/rfc/default_encoding). (Yasuo Ohgaki)
Curl:
Check for openssl.cafile ini directive when loading CA certs. (Daniel Lowrey)
Remove cURL close policy related constants as these have no effect and are no longer used in libcurl. (Chris Wright)
Fileinfo:
Upgraded to libmagic-5.17 (Anatol)
Fixed bug #66731 (file: infinite recursion). (CVE-2014-1943) (Remi)
FPM:
Added clear_env configuration directive to disable clearenv() call. (Github PR# 598, Paul Annesley)
GD:
Fixed imagettftext to load the correct character map rather than the last one. (Scott)
Fixed bug #66714 ( imageconvolution breakage). (Brad Daily)
JSON:
Fixed bug #65753 (JsonSerializeable couldn't implement on module extension) ([email protected])
OPCache:
Added function opcache_is_script_cached(). (Danack)
Added information about interned strings usage. (Terry, Julien, Dmitry)
Openssl:
Fallback to Windows CA cert store for peer verification if no openssl.cafile ini directive or "cafile" SSL context option specified in Windows. (Chris Wright)
The openssl.cafile and openssl.capath ini directives introduced in alpha2 now have PHP_INI_PERDIR accessibility (was PHP_INI_ALL). (Daniel Lowrey)
New "peer_name" SSL context option replaces "CN_match" (which still works as before but triggers E_DEPRECATED). (Daniel Lowrey)
Fixed segfault when accessing non-existent context for client SNI use (Daniel Lowrey)
Fixed bug #66501 (Add EC key support to php_openssl_is_private_key). (Mark Zedwood)
Fixed Bug #47030 (add new boolean "verify_peer_name" SSL context option allowing clients to verify cert names separately from the cert itself). "verify_peer_name" is enabled by default for client streams. (Daniel Lowrey)
Fixed Bug #65538 ("cafile" SSL context option now supports stream wrappers). (Daniel Lowrey)
New openssl_get_cert_locations() function to aid CA file and peer verification debugging. (Daniel Lowrey)
Encrypted stream wrappers now disable TLS compression by default. (Daniel Lowrey)
New "capture_session_meta" SSL context option allows encrypted client and server streams access to negotiated protocol/cipher information. (Daniel Lowrey)
New "honor_cipher_order" SSL context option allows servers to prioritize cipher suites of their choosing when negotiating SSL/TLS handshakes. (Daniel Lowrey)
New "single_ecdh_use" and "single_dh_use" SSL context options allow for improved forward secrecy in encrypted stream servers. (Daniel Lowrey)
New "dh_param" SSL context option allows stream servers control over the parameters when negotiating DHE cipher suites. (Daniel Lowrey)
New "ecdh_curve" SSL context option allowing stream servers to specify the curve to use when negotiating ephemeral ECDHE ciphers (defaults to NIST P-256). (Daniel Lowrey)
New "rsa_key_size" SSL context option gives stream servers control over the key size (in bits) used for RSA key agreements. (Daniel Lowrey)
Crypto methods for encrypted client and server streams now use bitwise flags for fine-grained protocol support. (Daniel Lowrey)
Added new tlsv1.0 stream wrapper to specify TLSv1 client/server method. tls wrapper now negotiates TLSv1, TLSv1.1 or TLSv1.2. (Daniel Lowrey)
Encrypted client streams now enable SNI by default. (Daniel Lowrey)
Encrypted streams now prioritize ephemeral key agreement and high strength ciphers by default. (Daniel Lowrey)
New OPENSSL_DEFAULT_STREAM_CIPHERS constant exposes default cipher list. (Daniel Lowrey)
New STREAM_CRYPTO_METHOD_* constants for enhanced control over the crypto methods negotiated encrypted server/client sessions. (Daniel Lowrey)
Encrypted stream servers now automatically mitigate potential DoS vector arising from client-initiated TLS renegotiation. New "reneg_limit", "reneg_window" and "reneg_limit_callback" SSL context options for custom renegotiation limiting control. (Daniel Lowrey)
Pgsql:
pg_insert()/pg_select()/pg_update()/pg_delete() are no longer EXPERIMENTAL. (Yasuo)
Impremented FR #25854 Return value for pg_insert should be resource instead of bool. (Yasuo)
Implemented FR #41146 Add "description" with exteneded flag pg_meta_data(). pg_meta_data(resource $conn, string $table [, bool extended]) It also made pg_meta_data() return "is enum" always. (Yasuo)

New in PHP 5.5.11 (Apr 4, 2014)

New in PHP 5.5.11 RC 1 (Mar 19, 2014)

New in PHP 5.5.10 (Mar 6, 2014)

New in PHP 5.5.10 RC 1 (Feb 20, 2014)

New in PHP 5.6.0 Alpha 2 (Feb 15, 2014)

New in PHP 5.5.9 (Feb 5, 2014)

New in PHP 5.6.0 Alpha 1 (Jan 25, 2014)

New in PHP 5.5.9 RC 1 (Jan 24, 2014)

New in PHP 5.5.8 (Jan 11, 2014)

New in PHP 5.5.8 RC 1 (Dec 27, 2013)

New in PHP 5.5.7 (Dec 11, 2013)

New in PHP 5.5.7 RC 1 (Nov 28, 2013)

New in PHP 5.5.6 (Nov 14, 2013)

New in PHP 5.5.5 (Oct 17, 2013)

Core:
Fixed bug #64979 (Wrong behavior of static variables in closure generators).
Fixed bug #65322 (compile time errors won't trigger auto loading).
Fixed bug #65821 (By-ref foreach on property access of string offset segfaults).
CLI Server:
Fixed bug #65633 (built-in server treat some http headers as case-sensitive).
Fixed bug #65818 (Segfault with built-in webserver and chunked transfer encoding).
Added application/pdf to PHP CLI Web Server mime types
Datetime:
Fixed bug #64157 (DateTime::createFromFormat() reports confusing error message).
Fixed bug #65502 (DateTimeImmutable::createFromFormat returns DateTime).
Fixed bug #65548 (Comparison for DateTimeImmutable doesn't work).
DBA:
Fixed bug #65708 (dba functions cast $key param to string in-place, bypassing copy on write).
Filter:
Add RFC 6598 IPs to reserved addresses.
Fixed bug #64441 (FILTER_VALIDATE_URL rejects fully qualified domain names).
FTP:
Fixed bug #65667 (ftp_nb_continue produces segfault).
GD:
Ensure that the defined interpolation method is used with the generic scaling methods.
IMAP:
Fixed bug #65721 (configure script broken in 5.5.4 and 5.4.20 when enabling imap).
OPCache:
Fixed bug #65845 (Error when Zend Opcache Optimizer is fully enabled).
Fixed bug #65665 (Exception not properly caught when opcache enabled).
Fixed bug #65510 (5.5.2 crashes in _get_zval_ptr_ptr_var).
Fixed issue #135 (segfault in interned strings if initial memory is too low).
Added function opcache_compile_file() to load PHP scripts into cache without execution.
Added support for GNU Hurd.
Sockets:
Fixed bug #65808 (the socket_connect() won't work with IPv6 address).
SPL:
Fixed bug #64782 (SplFileObject constructor make $context optional / give it a default value).
Standard:
Fixed bug #61548 content-type must appear at the end of headers for 201 Location to work in http.
XMLReader:
Fixed bug #51936 Crash with clone XMLReader.
Fixed bug #64230 XMLReader does not suppress errors.
Build system:
Fixed bug #51076 Race condition in shtool's mkdir -p implementation.
Fixed bug #62396 'make test' crashes starting with 5.3.14 (missing gzencode()).

New in PHP 5.5.4 (Sep 20, 2013)

New in PHP 5.5.4 RC 1 (Sep 5, 2013)

New in PHP 5.5.3 (Sep 2, 2013)

New in PHP 5.5.2 (Aug 19, 2013)

Core:
Fixed bug #65372 (Segfault in gc_zval_possible_root when return reference fails).
Fixed value of FILTER_SANITIZE_FULL_SPECIAL_CHARS constant (previously was erroneously set to FILTER_SANITIZE_SPECIAL_CHARS value).
Fixed bug #65304 (Use of max int in array_sum).
Fixed bug #65291 (get_defined_constants() causes PHP to crash in a very limited case).
Fixed bug #62691 (solaris sed has no -i switch).
Fixed bug #61345 (CGI mode - make install don't work).
Fixed bug #61268 (--enable-dtrace leads make to clobber Zend/zend_dtrace.d).
DOM:
Added flags option to DOMDocument::schemaValidate() and DOMDocument::schemaValidateSource(). Added LIBXML_SCHEMA_CREATE flag.
OPcache:
Added opcache.restrict_api configuration directive that may limit usage of OPcahce API functions only to patricular script(s).
Added support for glob symbols in blacklist entries (?, *, **).
Fixed bug #65338 (Enabling both php_opcache and php_wincache AVs on shutdown).
Openssl:
Fixed handling null bytes in subjectAltName (CVE-2013-4248).
PDO_mysql:
Fixed bug #65299 (pdo mysql parsing errors).
Phar:
Fixed bug #65028 (Phar::buildFromDirectory creates corrupt archives for some specific contents).
Pgsql:
Fixed bug #62978 (Disallow possible SQL injections with pg_select()/pg_update() /pg_delete()/pg_insert()).
Fixed bug #65336 (pg_escape_literal/identifier() silently returns false).
Sessions:
Implemented strict sessions RFC (https://wiki.php.net/rfc/strict_sessions) which protects against session fixation attacks and session collisions (CVE-2011-4718).
Fixed possible buffer overflow under Windows. Note: Not a security fix.
Changed session.auto_start to PHP_INI_PERDIR.
SOAP:
Fixed bug #65018 (SoapHeader problems with SoapServer).
SPL:
Fixed bug #65328 (Segfault when getting SplStack object Value).
Added RecursiveTreeIterator setPostfix and getPostifx methods.
Fixed bug #61697 (spl_autoload_functions returns lambda functions incorrectly).
Streams:
Fixed bug #65268 (select() implementation uses outdated tick API).

New in PHP 5.5.2 RC 1 (Aug 2, 2013)

New in PHP 5.5.1 (Jul 19, 2013)

Core:
Fixed bug #65254 (Exception not catchable when exception thrown in autoload with a namespace).
Fixed bug #65088 (Generated configure script is malformed on OpenBSD).
Fixed bug #65108 (is_callable() triggers Fatal Error).
Fixed bug #65035 (yield / exit segfault).
Fixed bug #65161 (Generator + autoload + syntax error = segfault).
Fixed bug #65226 (chroot() does not get enabled).
hex2bin() raises E_WARNING for invalid hex string.
OPcache:
Fixed bug #64827 (Segfault in zval_mark_grey (zend_gc.c)).
OPcache is now compatible with LiteSpeed SAPI.
CGI:
Fixed bug #65143 (Missing php-cgi man page).
CLI server:
Fixed bug #65066 (Cli server not responsive when responding with 422 http status code).
DateTime:
Fixed bug #65184 (strftime() returns insufficient-length string under multibyte locales).
GD:
Fixed bug #65070 (bgcolor does not use the same format as the input image with imagerotate).
Fixed bug #65060 (imagecreatefrom... crashes with user streams).
Fixed bug #65084 (imagecreatefromjpeg fails with URL).
Fix gdImageCreateFromWebpCtx and use same logic to load WebP image that other formats.
Intl:
Add IntlCalendar::setMinimalDaysInFirstWeek()/intlcal_set_minimal_days_in_first_week().
Fixed trailing space in name of constant IntlCalendar::FIELD_FIELD_COUNT.
Fixed bug #62759 (Buggy grapheme_substr() on edge case).
Fixed bug #61860 (Offsets may be wrong for grapheme_stri* functions).
OCI8:
Bump PECL package info version check to allow PECL installs with PHP 5.5+.
PDO:
Allowed PDO_OCI to compile with Oracle Database 12c client libraries.
Pgsql:
pg_unescape_bytea() raises E_WARNING for invalid inputs.
Phar:
Fixed bug #65142 (Missing phar man page).
Session:
Added optional create_sid() argument to session_set_save_handler(), SessionHandler and new SessionIdInterface.
Sockets:
#63472Setting SO_BINDTODEVICE with socket_set_option.
Allowed specifying paths in the abstract namespace for the functions socket_bind(), socket_connect() and socket_sendmsg().
Fixed bug #65260sendmsg() ancillary data construction for SCM_RIGHTS is faulty.
SPL:
Fixed bug #65136RecursiveDirectoryIterator segfault.
Fixed bug #61828Memleak when calling Directory(Recursive)Iterator/Spl(Temp)FileObject ctor twice.
CGI/FastCGI SAPI:
Added PHP_FCGI_BACKLOG, overrides the default listen backlog.

New in PHP 5.5.0 (Jun 24, 2013)

Drop support for bison < 2.4 when building PHP from GIT source
Improved Zend Engine:
Added ARMv7/v8 versions of various Zend arithmetic functions that are implemented using inline assembler
Added systemtap support by enabling systemtap compatible dtrace probes on linux
Optimized access to temporary and compiled VM variables. 8% less memory reads
The VM stacks for passing function arguments and syntaticaly nested calls were merged into a single stack. The stack size needed for op_array execution is calculated at compile time and preallocated at once. As result all the stack push operations don't require checks for stack overflow any more
General improvement:
Added generators and coroutines.
Added "finally" keyword.
Added simplified password hashing API.
Added support for constant array/string dereferencing.
Added Class Name Resolution As Scalar Via "class" Keyword
Added support for using empty() on the result of function calls and other expressions
Added support for non-scalar Iterator keys in foreach
Added support for list in foreach
Core:
Added Zend Opcache extension and enable building it by default.
Added array_column function which returns a column in a multidimensional array
Added boolval()
Added "Z" option to pack/unpack
Added optional second argument for assert() to specify custom message
Added support for changing the process's title in CLI/CLI-Server SAPIs. The implementation is more robust that the proctitle PECL module
Improve set_exception_handler while doing reset
Return previous handler when passing NULL to set_error_handler and set_exception_handler
Implemented #64175 (Added HTTP codes as of RFC 6585)
Implemented #60738 (Allow 'set_error_handler' to handle NULL)
Implemented #60524 (specify temp dir by php.ini)
Implemented #46487 (Dereferencing process-handles no longer waits on those processes)
Fixed bug #65051 (count() off by one inside unset())
Fixed bug #64988 (Class loading order affects E_STRICT warning)
Fixed bug #64966 (segfault in zend_do_fcall_common_helper_SPEC)
Fixed bug #64960 (Segfault in gc_zval_possible_root)
Fixed bug #64936 (doc comments picked up from previous scanner run)
Fixed bug #64934 (Apache2 TS crash with get_browser())
Fixed bug #64879 (Heap based buffer overflow in quoted_printable_encode, CVE 2013-2110)
Fixed bug #64853 (Use of no longer available ini directives causes crash on TS build)
Fixed bug #64821 (Custom Exceptions crash when internal properties overridden)
Fixed bug #64720 (SegFault on zend_deactivate).
Fixed bug #64677 (execution operator `` stealing surrounding arguments)
Fixed bug #64660 (Segfault on memory exhaustion within function definition)
Fixed bug #64578 (debug_backtrace in set_error_handler corrupts zend heap: segfault)
Fixed bug #64565 (copy doesn't report failure on partial copy)
Fixed bug #64555 (foreach no longer copies keys if they are interned)
Fixed bug #47675 and Fixed bug #64577 (fd leak on Solaris)
Fixed bug #64544 (Valgrind warnings after using putenv)
Fixed bug #64515 (Memoryleak when using the same variablename 2times in function declaration)
Fixed bug #64503 (Compilation fails with error: conflicting types for 'zendparse')
Fixed bug #64239 (Debug backtrace changed behavior since 5.4.10 or 5.4.11)
Fixed bug #64523 allow XOR in php.ini
Fixed bug #64354 (Unserialize array of objects whose class can't be autoloaded fail)
Fixed bug #64370 (microtime(true) less than $_SERVER['REQUEST_TIME_FLOAT'])
Fixed bug #64166 (quoted-printable-encode stream filter incorrectly discarding whitespace)
Fixed bug #64142 (dval to lval different behavior on ppc64)
Fixed bug #64135 (Exceptions from set_error_handler are not always propagated)
Fixed bug #63980 (object members get trimmed by zero bytes)
Fixed bug #63874 (Segfault if php_strip_whitespace has heredoc)
Fixed bug #63830 (Segfault on undefined function call in nested generator)
Fixed bug #63822 (Crash when using closures with ArrayAccess)
Fixed bug #61681 (Malformed grammar)
Fixed bug #61038 (unpack("a5", "str\0\0") does not work as expected)
Fixed bug #61025 (__invoke() visibility not honored)
Fixed bug #60833 (self, parent, static behave inconsistently case-sensitive)
Fixed bug #52126 timestamp for mail.log
Fixed bug #49348 (Uninitialized ++$foo->bar; does not cause a notice)
Fixed bug #23955 allow specifying Max-Age attribute in setcookie()
Fixed bug #18556 (Engine uses locale rules to handle class names)
Fix undefined behavior when converting double variables to integers. The double is now always rounded towards zero, the remainder of its division by 2^32 or 2^64 (depending on sizeof(long)) is calculated and it's made signed assuming a two's complement representation
Removed legacy features:
Remove php_logo_guid(), php_egg_logo_guid(), php_real_logo_guid(), zend_logo_guid()
Drop Windows XP and 2003 support
Apache2 Handler SAPI:
Enabled Apache 2.4 configure option for Windows.
Calendar:
Fixed bug #64895 (Integer overflow in SndToJewish).
Fixed bug #54254 (cal_from_jd returns month = 6 when there is only one Adar).
CLI server:
Fixed bug #64128 (buit-in web server is broken on ppc64).
CURL:
Remove curl stream wrappers.
Implemented #46439 - added CURLFile for safer file uploads
Added support for CURLOPT_FTP_RESPONSE_TIMEOUT, CURLOPT_APPEND, CURLOPT_DIRLISTONLY, CURLOPT_NEW_DIRECTORY_PERMS, CURLOPT_NEW_FILE_PERMS, CURLOPT_NETRC_FILE, CURLOPT_PREQUOTE, CURLOPT_KRBLEVEL, CURLOPT_MAXFILESIZE, CURLOPT_FTP_ACCOUNT, CURLOPT_COOKIELIST, CURLOPT_IGNORE_CONTENT_LENGTH, CURLOPT_CONNECT_ONLY, CURLOPT_LOCALPORT, CURLOPT_LOCALPORTRANGE, CURLOPT_FTP_ALTERNATIVE_TO_USER, CURLOPT_SSL_SESSIONID_CACHE, CURLOPT_FTP_SSL_CCC, CURLOPT_HTTP_CONTENT_DECODING, CURLOPT_HTTP_TRANSFER_DECODING, CURLOPT_PROXY_TRANSFER_MODE, CURLOPT_ADDRESS_SCOPE, CURLOPT_CRLFILE, CURLOPT_ISSUERCERT, CURLOPT_USERNAME, CURLOPT_PASSWORD, CURLOPT_PROXYUSERNAME, CURLOPT_PROXYPASSWORD, CURLOPT_NOPROXY, CURLOPT_SOCKS5_GSSAPI_NEC, CURLOPT_SOCKS5_GSSAPI_SERVICE, CURLOPT_TFTP_BLKSIZE, CURLOPT_SSH_KNOWNHOSTS, CURLOPT_FTP_USE_PRET, CURLOPT_MAIL_FROM, CURLOPT_MAIL_RCPT, CURLOPT_RTSP_CLIENT_CSEQ, CURLOPT_RTSP_SERVER_CSEQ, CURLOPT_RTSP_SESSION_ID, CURLOPT_RTSP_STREAM_URI, CURLOPT_RTSP_TRANSPORT, CURLOPT_RTSP_REQUEST, CURLOPT_RESOLVE, CURLOPT_ACCEPT_ENCODING, CURLOPT_TRANSFER_ENCODING, CURLOPT_DNS_SERVERS and CURLOPT_USE_SSL
Fixed bug #55635 (CURLOPT_BINARYTRANSFER no longer used. The constant still exists for backward compatibility but is doing nothing)
Fixed bug #54995 (Missing CURLINFO_RESPONSE_CODE support)
Added new functions curl_escape, curl_multi_setopt, curl_multi_strerror curl_pause, curl_reset, curl_share_close, curl_share_init, curl_share_setopt curl_strerror and curl_unescape
Addes new curl options CURLOPT_TELNETOPTIONS, CURLOPT_GSSAPI_DELEGATION, CURLOPT_ACCEPTTIMEOUT_MS, CURLOPT_SSL_OPTIONS, CURLOPT_TCP_KEEPALIVE, CURLOPT_TCP_KEEPIDLE and CURLOPT_TCP_KEEPINTVL
DateTime:
Added DateTimeImmutable - a variant of DateTime that only returns the modified state instead of changing itself.
Fixed bug #64825 (Invalid free when unserializing DateTimeZone).
Fixed bug #64359 (strftime crash with VS2012)
Fixed bug #62852 (Unserialize Invalid Date causes crash)
Fixed bug #61642 (modify("+5 weekdays") returns Sunday)
Fixed bug #60774 (DateInterval::format("%a") is always zero when an interval is created using the createFromDateString method)
Fixed bug #54567 (DateTimeZone serialize/unserialize)
Fixed bug #53437 (Crash when using unserialized DatePeriod instance)
dba:
Fixed bug #62489 (dba_insert not working as expected)
Filter:
Implemented #49180 added MAC address validation.
Fileinfo:
Upgraded libmagic to 5.14.
Fixed bug #64830 (mimetype detection segfaults on mp3 file)
Fixed bug #63590 (Different results in TS and NTS under Windows)
Fixed bug #63248 (Load multiple magic files from a directory under Windows)
FPM:
Add --with-fpm-systemd option to report health to systemd, and systemd_interval option to configure this. The service can now use Type=notify in the systemd unit file.
Ignore QUERY_STRING when sent in SCRIPT_FILENAME
Log a warning when a syscall fails
Implemented #64764 (add support for FPM init.d script)
Fixed bug #64915 (error_log ignored when daemonize=0)
Fixed bug #63999 (php with fpm fails to build on Solaris 10 or 11)
Fixed some possible memory or resource leaks and possible null dereference detected by code coverity scan
GD:
Fixed bug #64962 (imagerotate produces corrupted image).
Fixed bug #64961 (segfault in imagesetinterpolation)
Fix build with system libgd >= 2.1 which is now the minimal version required (as build with previous version is broken). No change when bundled libgd is used
Upgraded libgd to 2.1
hash:
Added support for PBKDF2 via hash_pbkdf2().
Fixed bug #64745 (hash_pbkdf2() truncates data when using default length and hex output)
intl:
Added UConverter wrapper.
The intl extension now requires ICU 4.0+
Added intl.use_exceptions INI directive, which controls what happens when global errors are set together with intl.error_level
MessageFormatter::format() and related functions now accepted named arguments and mixed numeric/named arguments in ICU 4.8+
MessageFormatter::format() and related functions now don't error out when an insufficient argument count is provided. Instead, the placeholders will remain unsubstituted
MessageFormatter::parse() and MessageFormat::format() (and their static equivalents) don't throw away better than second precision in the arguments
IntlDateFormatter::__construct and datefmt_create() now accept for the $timezone argument time zone identifiers, IntlTimeZone objects, DateTimeZone objects and NULL
IntlDateFormatter::__construct and datefmt_create() no longer accept invalid timezone identifiers or empty strings
The default time zone used in IntlDateFormatter::__construct and datefmt_create() (when the corresponding argument is not passed or NULL is passed) is now the one given by date_default_timezone_get(), not the default ICU time zone
The time zone passed to the IntlDateFormatter is ignored if it is NULL and if the calendar passed is an IntlCalendar object -- in this case, the IntlCalendar's time zone will be used instead. Otherwise, the time zone specified in the $timezone argument is used instead. This does not affect old code, as IntlCalendar was introduced in this version
IntlDateFormatter::__construct and datefmt_create() now accept for the $calendar argument also IntlCalendar objects
IntlDateFormatter::getCalendar() and datefmt_get_calendar() return false if the IntlDateFormatter was set up with an IntlCalendar instead of the constants IntlDateFormatter::GREGORIAN/TRADITIONAL. IntlCalendar did not exist before this version
IntlDateFormatter::setCalendar() and datefmt_set_calendar() now also accept an IntlCalendar object, in which case its time zone is taken. Passing a constant is still allowed, and still keeps the time zone
IntlDateFormatter::setTimeZoneID() and datefmt_set_timezone_id() are deprecated. Use IntlDateFormatter::setTimeZone() or datefmt_set_timezone() instead
IntlDateFormatter::format() and datefmt_format() now also accept an IntlCalendar object for formatting
Added the classes: IntlCalendar, IntlGregorianCalendar, IntlTimeZone, IntlBreakIterator, IntlRuleBasedBreakIterator and IntlCodePointBreakIterator
Added the functions: intlcal_get_keyword_values_for_locale(), intlcal_get_now(), intlcal_get_available_locales(), intlcal_get(), intlcal_get_time(), intlcal_set_time(), intlcal_add(), intlcal_set_time_zone(), intlcal_after(), intlcal_before(), intlcal_set(), intlcal_roll(), intlcal_clear(), intlcal_field_difference(), intlcal_get_actual_maximum(), intlcal_get_actual_minimum(), intlcal_get_day_of_week_type(), intlcal_get_first_day_of_week(), intlcal_get_greatest_minimum(), intlcal_get_least_maximum(), intlcal_get_locale(), intlcal_get_maximum(), intlcal_get_minimal_days_in_first_week(), intlcal_get_minimum(), intlcal_get_time_zone(), intlcal_get_type(), intlcal_get_weekend_transition(), intlcal_in_daylight_time(), intlcal_is_equivalent_to(), intlcal_is_lenient(), intlcal_is_set(), intlcal_is_weekend(), intlcal_set_first_day_of_week(), intlcal_set_lenient(), intlcal_equals(), intlcal_get_repeated_wall_time_option(), intlcal_get_skipped_wall_time_option(), intlcal_set_repeated_wall_time_option(), intlcal_set_skipped_wall_time_option(), intlcal_from_date_time(), intlcal_to_date_time(), intlcal_get_error_code(), intlcal_get_error_message(), intlgregcal_create_instance(), intlgregcal_set_gregorian_change(), intlgregcal_get_gregorian_change() and intlgregcal_is_leap_year()
Added the functions: intltz_create_time_zone(), intltz_create_default(), intltz_get_id(), intltz_get_gmt(), intltz_get_unknown(), intltz_create_enumeration(), intltz_count_equivalent_ids(), intltz_create_time_zone_id_enumeration(), intltz_get_canonical_id(), intltz_get_region(), intltz_get_tz_data_version(), intltz_get_equivalent_id(), intltz_use_daylight_time(), intltz_get_offset(), intltz_get_raw_offset(), intltz_has_same_rules(), intltz_get_display_name(), intltz_get_dst_savings(), intltz_from_date_time_zone(), intltz_to_date_time_zone(), intltz_get_error_code(), intltz_get_error_message()
Added the methods: IntlDateFormatter::formatObject(), IntlDateFormatter::getCalendarObject(), IntlDateFormatter::getTimeZone(), IntlDateFormatter::setTimeZone()
Added the functions: datefmt_format_object(), datefmt_get_calendar_object(), datefmt_get_timezone(), datefmt_set_timezone(), datefmt_get_calendar_object(), intlcal_create_instance()
mbstring:
Fixed bug #64769 (mbstring PHPTs crash on Windows x64).
MCrypt:
mcrypt_ecb(), mcrypt_cbc(), mcrypt_cfb() and mcrypt_ofb() now throw E_DEPRECATED.
mysql:
This extension is now deprecated, and deprecation warnings will be generated when connections are established to databases via mysql_connect(), mysql_pconnect(), or through implicit connection: use MySQLi or PDO_MySQL instead
Dropped support for LOAD DATA LOCAL INFILE handlers when using libmysql. Known for stability problems
Added support for SHA256 authentication available with MySQL 5.6.6+
mysqli:
Added mysqli_begin_transaction()/mysqli::begin_transaction(). Implemented all options, per MySQL 5.6, which can be used with START TRANSACTION, COMMIT and ROLLBACK through options to mysqli_commit()/mysqli_rollback() and their respective OO counterparts. They work in libmysql and mysqlnd mode
Added mysqli_savepoint(), mysqli_release_savepoint()
Fixed bug #64726 (Segfault when calling fetch_object on a use_result and DB pointer has closed)
Fixed bug #64394 (MYSQL_OPT_CAN_HANDLE_EXPIRED_PASSWORDS undeclared when using Connector/C)
mysqlnd:
Add new begin_transaction() call to the connection object. Implemented all options, per MySQL 5.6, which can be used with START TRANSACTION, COMMIT and ROLLBACK
Added mysqlnd_savepoint(), mysqlnd_release_savepoint()
Fixed bug #63530 (mysqlnd_stmt::bind_one_parameter crashes, uses wrong alloc for stmt->param_bind)
Fixed return value of mysqli_stmt_affected_rows() in the time after prepare() and before execute()
PCRE:
Merged PCRE 8.32
Deprecated the /e modifier
Fixed bug #63284 (Upgrade PCRE to 8.31)
PDO:
Fixed bug #63176 (Segmentation fault when instantiate 2 persistent PDO to the same db server)
PDO_DBlib:
Fixed bug #63638 (Cannot connect to SQL Server 2008 with PDO dblib)
Fixed bug #64338 (pdo_dblib can't connect to Azure SQL)
Fixed bug #64808 (FreeTDS PDO getColumnMeta on a prepared but not executed statement crashes)
PDO_pgsql:
Fixed bug #64949 (Buffer overflow in _pdo_pgsql_error)
PDO_mysql:
Fixed bug #48724 (getColumnMeta() doesn't return native_type for BIT, TINYINT and YEAR)
pgsql:
Added pg_escape_literal() and pg_escape_identifier()
Fixed bug #46408 Locale number format settings can cause pg_query_params to break with numerics
Phar:
Fixed timestamp update on Phar contents modification
readline:
Fixed bug #55694 (Expose additional readline variable to prevent default filename completion)
Reflection:
Fixed bug #64007 (There is an ability to create instance of Generator by hand)
Sockets:
Added recvmsg() and sendmsg() wrappers
Fixed bug #64508 (Fails to build with --disable-ipv6)
Fixed bug #64287 (sendmsg/recvmsg shutdown handler causes segfault)
SPL:
Fixed bug #64997 (Segfault while using RecursiveIteratorIterator on 64-bits systems)
Fixed bug #64264 (SPLFixedArray toArray problem)
Fixed bug #64228 (RecursiveDirectoryIterator always assumes SKIP_DOTS)
Fixed bug #64106 (Segfault on SplFixedArray[][x] = y when extended)
Fixed bug #60560 (SplFixedArray un-/serialize, getSize(), count() return 0, keys are strings)
Fixed bug #52861 (unset fails with ArrayObject and deep arrays)
Implement #48358 (Add SplDoublyLinkedList::add() to insert an element at a given offset)
SNMP:
Fixed bug #64765 (Some IPv6 addresses get interpreted wrong)
Fixed bug #64159 (Truncated snmpget)
Fixed bug #64124 (IPv6 malformed)
Fixed bug #61981 (OO API, walk: $suffix_as_key is not working correctly)
SOAP:
Added SoapClient constructor option 'ssl_method' to specify ssl method
Streams:
Fixed bug #64770 (stream_select() fails with pipes returned by proc_open() on Windows x64)
Fixed Windows x64 version of stream_socket_pair() and improved error handling
Tokenizer:
Fixed bug #60097 (token_get_all fails to lex nested heredoc)
Zip:
Upgraded libzip to 0.10.1
Fixed bug #64452 (Zip crash intermittently)
Fixed bug #64342 (ZipArchive::addFile() has to check for file existence)

New in PHP 5.4.17 RC 1 (Jun 19, 2013)

New in PHP 5.5.0 RC 3 (Jun 7, 2013)

New in PHP 5.4.16 (Jun 5, 2013)

New in PHP 5.5.0 RC 2 (May 23, 2013)

New in PHP 5.5.0 RC 1 (May 9, 2013)

New in PHP 5.4.15 (May 8, 2013)

New in PHP 5.5.0 Beta 4 (Apr 24, 2013)

New in PHP 5.4.15 RC 1 (Apr 24, 2013)

New in PHP 5.4.14 (Apr 12, 2013)

New in PHP 5.5.0 Beta 3 (Apr 10, 2013)

New in PHP 5.4.14 RC 1 (Mar 28, 2013)

New in PHP 5.5.0 Beta 2 (Mar 28, 2013)

New in PHP 5.5.0 Beta 1 (Mar 20, 2013)

New in PHP 5.4.13 (Mar 14, 2013)

New in PHP 5.5.0 Alpha 6 (Mar 7, 2013)

New in PHP 5.4.13 RC 1 (Feb 27, 2013)

New in PHP 5.5.0 Alpha 5 (Feb 20, 2013)

New in PHP 5.4.12 (Feb 19, 2013)

New in PHP 5.4.12 RC 2 (Feb 13, 2013)

New in PHP 5.4.12 RC 1 (Jan 30, 2013)

New in PHP 5.5.0 Alpha 4 (Jan 22, 2013)

New in PHP 5.4.11 (Jan 16, 2013)

New in PHP 5.5.0 Alpha 3 (Jan 10, 2013)

New in PHP 5.4.11 RC 1 (Jan 3, 2013)

New in PHP 5.4.10 (Dec 19, 2012)

New in PHP 5.5.0 Alpha 2 (Dec 19, 2012)

New in PHP 5.5.0 Alpha 1 (Dec 6, 2012)

General improvements:
Added support for generators. (Nikita Popov)
Add simplified password hashing API (https://wiki.php.net/rfc/password_hash). (Anthony Ferrara)
Add generators and coroutines (https://wiki.php.net/rfc/generators). (Nikita Popov)
Support list in foreach (https://wiki.php.net/rfc/foreachlist). (Laruence)
Implemented 'finally' keyword (https://wiki.php.net/rfc/finally). (Laruence)
Drop Windows XP and 2003 support. (Pierre)
Improve set_exception_handler while doing reset.(Laruence)
Support constant array/string dereferencing. (Laruence)
Add support for using empty() on the result of function calls and other expressions (https://wiki.php.net/rfc/empty_isset_exprs). (Nikita Popov)
Remove php_logo_guid(), php_egg_logo_guid(), php_real_logo_guid(), zend_logo_guid(). (Adnrew Faulds)
Calendar:
Fixed bug #54254 (cal_from_jd returns month = 6 when there is only one Adar) (Stas, Eitan Mosenkis)
Core:
Added boolval(). (Jille Timmermans)
Added "Z" option to pack/unpack. (Gustavo)
Implemented FR #60738 (Allow 'set_error_handler' to handle NULL). (Laruence, Nikita Popov)
Added optional second argument for assert() to specify custom message. Patch by Lonny Kapelushnik ([email protected]). (Lars)
Fixed bug #18556 (Engine uses locale rules to handle class names). (Stas)
Fixed bug #61681 (Malformed grammar). (Nikita Popov, Etienne, Laruence)
Fixed bug #61038 (unpack("a5", "str\0\0") does not work as expected). (srgoogleguy, Gustavo)
Return previous handler when passing NULL to set_error_handler and set_exception_handler. (Nikita Popov)
cURL:
Added support for CURLOPT_FTP_RESPONSE_TIMEOUT, CURLOPT_APPEND, CURLOPT_DIRLISTONLY, CURLOPT_NEW_DIRECTORY_PERMS, CURLOPT_NEW_FILE_PERMS, CURLOPT_NETRC_FILE, CURLOPT_PREQUOTE, CURLOPT_KRBLEVEL, CURLOPT_MAXFILESIZE, CURLOPT_FTP_ACCOUNT, CURLOPT_COOKIELIST, CURLOPT_IGNORE_CONTENT_LENGTH, CURLOPT_CONNECT_ONLY, CURLOPT_LOCALPORT, CURLOPT_LOCALPORTRANGE, CURLOPT_FTP_ALTERNATIVE_TO_USER, CURLOPT_SSL_SESSIONID_CACHE, CURLOPT_FTP_SSL_CCC, CURLOPT_HTTP_CONTENT_DECODING, CURLOPT_HTTP_TRANSFER_DECODING, CURLOPT_PROXY_TRANSFER_MODE, CURLOPT_ADDRESS_SCOPE, CURLOPT_CRLFILE, CURLOPT_ISSUERCERT, CURLOPT_USERNAME, CURLOPT_PASSWORD, CURLOPT_PROXYUSERNAME, CURLOPT_PROXYPASSWORD, CURLOPT_NOPROXY, CURLOPT_SOCKS5_GSSAPI_NEC, CURLOPT_SOCKS5_GSSAPI_SERVICE, CURLOPT_TFTP_BLKSIZE, CURLOPT_SSH_KNOWNHOSTS, CURLOPT_FTP_USE_PRET, CURLOPT_MAIL_FROM, CURLOPT_MAIL_RCPT, CURLOPT_RTSP_CLIENT_CSEQ, CURLOPT_RTSP_SERVER_CSEQ, CURLOPT_RTSP_SESSION_ID, CURLOPT_RTSP_STREAM_URI, CURLOPT_RTSP_TRANSPORT, CURLOPT_RTSP_REQUEST, CURLOPT_RESOLVE, CURLOPT_ACCEPT_ENCODING, CURLOPT_TRANSFER_ENCODING, CURLOPT_DNS_SERVERS and CURLOPT_USE_SSL. (Pierrick)
Fixed bug #55635 (CURLOPT_BINARYTRANSFER no longer used. The constant still exists for backward compatibility but is doing nothing). (Pierrick)
Fixed bug #54995 (Missing CURLINFO_RESPONSE_CODE support). (Pierrick)
Datetime:
Fixed bug #61642 (modify("+5 weekdays") returns Sunday). (Dmitri Iouchtchenko)
Hash:
Added support for PBKDF2 via hash_pbkdf2(). (Anthony Ferrara)
Intl:
The intl extension now requires ICU 4.0+.
Added intl.use_exceptions INI directive, which controls what happens when global errors are set together with intl.error_level. (Gustavo)
MessageFormatter::format() and related functions now accepted named arguments and mixed numeric/named arguments in ICU 4.8+. (Gustavo)
MessageFormatter::format() and related functions now don't error out when an insufficient argument count is provided. Instead, the placeholders will remain unsubstituted. (Gustavo)
MessageFormatter::parse() and MessageFormat::format() (and their static equivalents) don't throw away better than second precision in the arguments. (Gustavo)
IntlDateFormatter::__construct and datefmt_create() now accept for the $timezone argument time zone identifiers, IntlTimeZone objects, DateTimeZone objects and NULL. (Gustavo)
IntlDateFormatter::__construct and datefmt_create() no longer accept invalid timezone identifiers or empty strings. (Gustavo)
The default time zone used in IntlDateFormatter::__construct and datefmt_create() (when the corresponding argument is not passed or NULL is passed) is now the one given by date_default_timezone_get(), not the default ICU time zone. (Gustavo)
The time zone passed to the IntlDateFormatter is ignored if it is NULL and if the calendar passed is an IntlCalendar object -in this case, the IntlCalendar's time zone will be used instead. Otherwise, the time zone specified in the $timezone argument is used instead. This does not affect old code, as IntlCalendar was introduced in this version. (Gustavo)
IntlDateFormatter::__construct and datefmt_create() now accept for the $calendar argument also IntlCalendar objects. (Gustavo)
IntlDateFormatter::getCalendar() and datefmt_get_calendar() return false if the IntlDateFormatter was set up with an IntlCalendar instead of the constants IntlDateFormatter::GREGORIAN/TRADITIONAL. IntlCalendar did not exist before this version. (Gustavo)
IntlDateFormatter::setCalendar() and datefmt_set_calendar() now also accept an IntlCalendar object, in which case its time zone is taken. Passing a constant is still allowed, and still keeps the time zone. (Gustavo)
IntlDateFormatter::setTimeZoneID() and datefmt_set_timezone_id() are deprecated. Use IntlDateFormatter::setTimeZone() or datefmt_set_timezone() instead. (Gustavo)
IntlDateFormatter::format() and datefmt_format() now also accept an IntlCalendar object for formatting. (Gustavo)
Added the classes: IntlCalendar, IntlGregorianCalendar, IntlTimeZone, IntlBreakIterator, IntlRuleBasedBreakIterator and IntlCodePointBreakIterator. (Gustavo)
Added the functions: intlcal_get_keyword_values_for_locale(), intlcal_get_now(), intlcal_get_available_locales(), intlcal_get(), intlcal_get_time(), intlcal_set_time(), intlcal_add(), intlcal_set_time_zone(), intlcal_after(), intlcal_before(), intlcal_set(), intlcal_roll(), intlcal_clear(), intlcal_field_difference(), intlcal_get_actual_maximum(), intlcal_get_actual_minimum(), intlcal_get_day_of_week_type(), intlcal_get_first_day_of_week(), intlcal_get_greatest_minimum(), intlcal_get_least_maximum(), intlcal_get_locale(), intlcal_get_maximum(), intlcal_get_minimal_days_in_first_week(), intlcal_get_minimum(), intlcal_get_time_zone(), intlcal_get_type(), intlcal_get_weekend_transition(), intlcal_in_daylight_time(), intlcal_is_equivalent_to(), intlcal_is_lenient(), intlcal_is_set(), intlcal_is_weekend(), intlcal_set_first_day_of_week(), intlcal_set_lenient(), intlcal_equals(), intlcal_get_repeated_wall_time_option(), intlcal_get_skipped_wall_time_option(), intlcal_set_repeated_wall_time_option(), intlcal_set_skipped_wall_time_option(), intlcal_from_date_time(), intlcal_to_date_time(), intlcal_get_error_code(), intlcal_get_error_message(), intlgregcal_create_instance(), intlgregcal_set_gregorian_change(), intlgregcal_get_gregorian_change() and intlgregcal_is_leap_year(). (Gustavo)
Added the functions: intltz_create_time_zone(), intltz_create_default(), intltz_get_id(), intltz_get_gmt(), intltz_get_unknown(), intltz_create_enumeration(), intltz_count_equivalent_ids(), intltz_create_time_zone_id_enumeration(), intltz_get_canonical_id(), intltz_get_region(), intltz_get_tz_data_version(), intltz_get_equivalent_id(), intltz_use_daylight_time(), intltz_get_offset(), intltz_get_raw_offset(), intltz_has_same_rules(), intltz_get_display_name(), intltz_get_dst_savings(), intltz_from_date_time_zone(), intltz_to_date_time_zone(), intltz_get_error_code(), intltz_get_error_message(). (Gustavo)
Added the methods: IntlDateFormatter::formatObject(), IntlDateFormatter::getCalendarObject(), IntlDateFormatter::getTimeZone(), IntlDateFormatter::setTimeZone(). (Gustavo)
Added the functions: datefmt_format_object(), datefmt_get_calendar_object(), datefmt_get_timezone(), datefmt_set_timezone(), datefmt_get_calendar_object(), intlcal_create_instance(). (Gustavo)
MCrypt:
mcrypt_ecb(), mcrypt_cbc(), mcrypt_cfb() and mcrypt_ofb() now throw E_DEPRECATED. (GoogleGuy)
MySQLi:
Dropped support for LOAD DATA LOCAL INFILE handlers when using libmysql. Known for stability problems. (Andrey)
Added support for SHA256 authentication available with MySQL 5.6.6+. (Andrey)
PCRE:
Deprecated the /e modifier (https://wiki.php.net/rfc/remove_preg_replace_eval_modifier). (Nikita Popov)
Fixed bug #63284 (Upgrade PCRE to 8.31). (Anatoliy)
pgsql:
Added pg_escape_literal() and pg_escape_identifier() (Yasuo)
SPL:
Fix bug #60560 (SplFixedArray un-/serialize, getSize(), count() return 0, keys are strings). (Adam)
Tokenizer:
Fixed bug #60097 (token_get_all fails to lex nested heredoc). (Nikita Popov)
Zip:
Upgraded libzip to 0.10.1 (Anatoliy)
Fileinfo:
Fixed bug #63248 (Load multiple magic files from a directory under Windows). (Anatoliy)

New in PHP 5.4.10 RC 1 (Dec 6, 2012)

New in PHP 5.4.9 (Nov 26, 2012)

New in PHP 5.4.9 RC1 (Nov 7, 2012)

New in PHP 5.4.8 (Oct 17, 2012)

CLI server:
Changed response to unknown HTTP method to 501 according to RFC. (Niklas Lindgren).
Support HTTP PATCH method. Patch by Niklas Lindgren, GitHub PR #190. (Lars)
Core:
Added optional second argument for assert() to specify custom message. Patch by Lonny Kapelushnik ([email protected]). (Lars)
Support building PHP with the native client toolchain. (Stuart Langley)
Added --offline option for tests. (Remi)
Fixed bug #63162 (parse_url does not match password component). (husman)
Fixed bug #63111 (is_callable() lies for abstract static method). (Dmitry)
Fixed bug #63093 (Segfault while load extension failed in zts-build). (Laruence)
Fixed bug #62976 (Notice: could not be converted to int when comparing some builtin classes). (Laruence)
Fixed bug #62955 (Only one directive is loaded from "Per Directory Values" Windows registry). (aserbulov at parallels dot com)
Fixed bug #62907 (Double free when use traits). (Dmitry)
Fixed bug #61767 (Shutdown functions not called in certain error situation). (Dmitry)
Fixed bug #60909 (custom error handler throwing Exception + fatal error = no shutdown function). (Dmitry)
Fixed bug #60723 (error_log error time has changed to UTC ignoring default timezone). (Laruence)
cURL:
Fixed bug #62085 (file_get_contents a remote file by Curl wrapper will cause cpu Soaring). (Pierrick)
Date:
Fixed bug #62896 ("DateTime->modify('+0 days')" modifies DateTime object) (Lonny Kapelushnik)
Fixed bug #62561 (DateTime add 'P1D' adds 25 hours). (Lonny Kapelushnik)
DOM:
Fixed bug #63015 (Incorrect arginfo for DOMErrorHandler). (Rob)
FPM:
Fixed bug #62954 (startup problems fpm / php-fpm). (fat)
Fixed bug #62886 (PHP-FPM may segfault/hang on startup). (fat)
Fixed bug #63085 (Systemd integration and daemonize). (remi, fat)
Fixed bug #62947 (Unneccesary warnings on FPM). (fat)
Fixed bug #62887 (Only /status?plain&full gives "last request cpu"). (fat)
Fixed bug #62216 (Add PID to php-fpm init.d script). (fat)
OpenSSL:
Implemented FR #61421 (OpenSSL signature verification missing RMD160, SHA224, SHA256, SHA384, SHA512). (Mark Jones)
SOAP
Fixed bug #50997 (SOAP Error when trying to submit 2nd Element of a choice). (Dmitry)
SPL:
Bug #62987 (Assigning to ArrayObject[null][something] overrides all undefined variables). (Laruence)
mbstring:
Allow passing null as a default value to mb_substr() and mb_strcut(). Patch by Alexander Moskaliov via GitHub PR #133. (Lars)
Filter extension:
Bug #49510: Boolean validation fails with FILTER_NULL_ON_FAILURE with empty string or false. (Lars)
Sockets
Fixed bug #63000 (MCAST_JOIN_GROUP on OSX is broken, merge of PR 185 by Igor Wiedler). (Lars)

New in PHP 5.4.8 RC 1 (Oct 4, 2012)

CLI server:
Changed response to unknown HTTP method to 501 according to RFC. (Niklas Lindgren).
Support HTTP PATCH method. Patch by Niklas Lindgren, GitHub PR #190. (Lars)
Core:
Added optional second argument for assert() to specify custom message. Patch by Lonny Kapelushnik ([email protected]). (Lars)
Support building PHP with the native client toolchain. (Stuart Langley)
Added --offline option for tests. (Remi)
Fixed bug #63162 (parse_url does not match password component). (husman)
Fixed bug #63111 (is_callable() lies for abstract static method). (Dmitry)
Fixed bug #63093 (Segfault while load extension failed in zts-build). (Laruence)
Fixed bug #62976 (Notice: could not be converted to int when comparing some builtin classes). (Laruence)
Fixed bug #62955 (Only one directive is loaded from "Per Directory Values" Windows registry). (aserbulov at parallels dot com)
Fixed bug #62907 (Double free when use traits). (Dmitry)
Fixed bug #61767 (Shutdown functions not called in certain error situation). (Dmitry)
Fixed bug #60909 (custom error handler throwing Exception + fatal error = no shutdown function). (Dmitry)
Fixed bug #60723 (error_log error time has changed to UTC ignoring default timezone). (Laruence)
cURL:
Fixed bug #62085 (file_get_contents a remote file by Curl wrapper will cause cpu Soaring). (Pierrick)
Date:
Fixed bug #62896 ("DateTime->modify('+0 days')" modifies DateTime object) (Lonny Kapelushnik)
Fixed bug #62561 (DateTime add 'P1D' adds 25 hours). (Lonny Kapelushnik)
DOM:
Fixed bug #63015 (Incorrect arginfo for DOMErrorHandler). (Rob)
FPM:
Fixed bug #62954 (startup problems fpm / php-fpm). (fat)
Fixed bug #62886 (PHP-FPM may segfault/hang on startup). (fat)
Fixed bug #63085 (Systemd integration and daemonize). (remi, fat)
Fixed bug #62947 (Unneccesary warnings on FPM). (fat)
Fixed bug #62887 (Only /status?plain&full gives "last request cpu"). (fat)
Fixed bug #62216 (Add PID to php-fpm init.d script). (fat)
OpenSSL:
Implemented FR #61421 (OpenSSL signature verification missing RMD160, SHA224, SHA256, SHA384, SHA512). (Mark Jones)
SOAP
Fixed bug #50997 (SOAP Error when trying to submit 2nd Element of a choice). (Dmitry)
SPL:
Bug #62987 (Assigning to ArrayObject[null][something] overrides all undefined variables). (Laruence)
mbstring:
Allow passing null as a default value to mb_substr() and mb_strcut(). Patch by Alexander Moskaliov via GitHub PR #133. (Lars)
Filter extension:
Bug #49510: Boolean validation fails with FILTER_NULL_ON_FAILURE with empty string or false. (Lars)
Sockets
Fixed bug #63000 (MCAST_JOIN_GROUP on OSX is broken, merge of PR 185 by Igor Wiedler). (Lars)

New in PHP 5.4.7 (Sep 13, 2012)

Core:
Fixed bug (segfault while build with zts and GOTO vm-kind). (Laruence)
Fixed bug #62955 (Only one directive is loaded from "Per Directory Values" Windows registry). (Felipe)
Fixed bug #62844 (parse_url() does not recognize //). (Andrew Faulds).
Fixed bug #62829 (stdint.h included on platform where HAVE_STDINT_H is not set). (Felipe)
Fixed bug #62763 (register_shutdown_function and extending class). (Laruence)
Fixed bug #62725 (Calling exit() in a shutdown function does not return the exit value). (Laruence)
Fixed bug #62744 (dangling pointers made by zend_disable_class). (Laruence)
Fixed bug #62716 (munmap() is called with the incorrect length). ([email protected])
Fixed bug #62358 (Segfault when using traits a lot). (Laruence)
Fixed bug #62328 (implementing __toString and a cast to string fails) (Laruence)
Fixed bug #51363 (Fatal error raised by var_export() not caught by error handler). (Lonny Kapelushnik)
Fixed bug #40459 (Stat and Dir stream wrapper methods do not call constructor). (Stas)
CURL:
Fixed bug #62912 (CURLINFO_PRIMARY_* AND CURLINFO_LOCAL_* not exposed). (Pierrick)
Fixed bug #62839 (curl_copy_handle segfault with CURLOPT_FILE). (Pierrick)
DateTime:
Fixed bug #62852 (Unserialize invalid DateTime causes crash). ([email protected])
Intl:
Fixed Spoofchecker not being registered on ICU 49.1. (Gustavo)
Fix bug #62933 (ext/intl compilation error on icu 3.4.1). (Gustavo)
Fix bug #62915 (defective cloning in several intl classes). (Gustavo)
Installation:
Fixed bug #62460 (php binaries installed as binary.dSYM). (Reeze Xia)
PCRE:
Fixed bug #55856 (preg_replace should fail on trailing garbage). (reg dot php at alf dot nu)
PDO:
Fixed bug #62685 (Wrong return datatype in PDO::inTransaction()). (Laruence)
Reflection:
Fixed bug #62892 (ReflectionClass::getTraitAliases crashes on importing trait methods as private). (Felipe)
Fixed bug #62715 (ReflectionParameter::isDefaultValueAvailable() wrong result). (Laruence)
Session:
Fixed bug (segfault due to retval is not initialized). (Laruence)
Fixed bug (segfault due to PS(mod_user_implemented) not be reseted when close handler call exit). (Laruence)
SPL:
Fixed bug #62904 (Crash when cloning an object which inherits SplFixedArray) (Laruence)
Implemented FR #62840 (Add sort flag to ArrayObject::ksort). (Laruence)
Standard:
Fixed bug #62836 (Seg fault or broken object references on unserialize()). (Laruence)
FPM:
Merged PR 121 by minitux to add support for slow request counting on PHP FPM status page. (Lars)

New in PHP 5.4.7 RC 1 (Aug 31, 2012)

Core:
Fixed bug (segfault while build with zts and GOTO vm-kind). (Laruence)
Fixed bug #62844 (parse_url() does not recognize //). (Andrew Faulds).
Fixed bug #62829 (stdint.h included on platform where HAVE_STDINT_H is not set). (Felipe)
Fixed bug #62763 (register_shutdown_function and extending class). (Laruence)
Fixed bug #62725 (Calling exit() in a shutdown function does not return the exit value). (Laruence)
Fixed bug #62744 (dangling pointers made by zend_disable_class). (Laruence)
Fixed bug #62716 (munmap() is called with the incorrect length). ([email protected])
Fixed bug #62358 (Segfault when using traits a lot). (Laruence)
Fixed bug #62328 (implementing __toString and a cast to string fails) (Laruence)
Fixed bug #51363 (Fatal error raised by var_export() not caught by error handler). (Lonny Kapelushnik)
Fixed bug #40459 (Stat and Dir stream wrapper methods do not call constructor). (Stas)
CURL:
Fixed bug #62912 (CURLINFO_PRIMARY_* AND CURLINFO_LOCAL_* not exposed). (Pierrick)
Fixed bug #62839 (curl_copy_handle segfault with CURLOPT_FILE). (Pierrick)
DateTime:
Fixed bug #62852 (Unserialize invalid DateTime causes crash). ([email protected])
Intl:
Fixed Spoofchecker not being registered on ICU 49.1. (Gustavo)
Fix bug #62933 (ext/intl compilation error on icu 3.4.1). (Gustavo)
Fix bug #62915 (defective cloning in several intl classes). (Gustavo)
Installation:
Fixed bug #62460 (php binaries installed as binary.dSYM). (Reeze Xia)
PCRE:
Fixed bug #55856 (preg_replace should fail on trailing garbage). (reg dot php at alf dot nu)
PDO:
Fixed bug #62685 (Wrong return datatype in PDO::inTransaction()). (Laruence)
Reflection:
Fixed bug #62892 (ReflectionClass::getTraitAliases crashes on importing trait methods as private). (Felipe)
Fixed bug #62715 (ReflectionParameter::isDefaultValueAvailable() wrong result). (Laruence)
Session:
Fixed bug (segfault due to retval is not initialized). (Laruence)
Fixed bug (segfault due to PS(mod_user_implemented) not be reseted when close handler call exit). (Laruence)
SPL:
Fixed bug #62904 (Crash when cloning an object which inherits SplFixedArray) (Laruence)
Implemented FR #62840 (Add sort flag to ArrayObject::ksort). (Laruence)
Standard:
Fixed bug #62836 (Seg fault or broken object references on unserialize()). (Laruence)
FPM:
Merged PR 121 by minitux to add support for slow request counting on PHP FPM status page. (Lars)

New in PHP 5.4.6 (Aug 17, 2012)

New in PHP 5.4.6 RC 1 (Aug 2, 2012)

New in PHP 5.4.5 (Jul 19, 2012)

Core:
Fixed bug #62443 (Crypt SHA256/512 Segfaults With Malformed Salt). (Anthony Ferrara)
Fixed bug #62432 (ReflectionMethod random corrupt memory on high concurrent). (Johannes)
Fixed bug #62373 (serialize() generates wrong reference to the object). (Moriyoshi)
Fixed bug #62357 (compile failure: (S) Arguments missing for built-in function __memcmp). (Laruence)
Fixed bug #61998 (Using traits with method aliases appears to result in crash during execution). (Dmitry)
Fixed bug #51094 (parse_ini_file() with INI_SCANNER_RAW cuts a value that includes a semi-colon). (Pierrick)
Fixed potential overflow in _php_stream_scandir (CVE-2012-2688). (Jason Powell, Stas)
EXIF:
Fixed information leak in ext exif (discovered by Martin Noga, Matthew "j00ru" Jurczyk, Gynvael Coldwind)
FPM:
Fixed bug #62205 (php-fpm segfaults (null passed to strstr)). (fat)
Fixed bug #62160 (Add process.priority to set nice(2) priorities). (fat)
Fixed bug #62153 (when using unix sockets, multiples FPM instances
Fixed bug #62033 (php-fpm exits with status 0 on some failures to start). (fat)
Fixed bug #61839 (Unable to cross-compile PHP with --enable-fpm). (fat)
Fixed bug #61835 (php-fpm is not allowed to run as root). (fat)
Fixed bug #61295 (php-fpm should not fail with commented 'user'
Fixed bug #61218 (FPM drops connection while receiving some binary values in FastCGI requests). (fat)
Fixed bug #61045 (fpm don't send error log to fastcgi clients). (fat) for non-root start). (fat)
Fixed bug #61026 (FPM pools can listen on the same address). (fat) can be launched without errors). (fat)
Iconv:
Fix bug #55042 (Erealloc in iconv.c unsafe). (Stas)
Intl:
Fixed bug #62083 (grapheme_extract() memory leaks). (Gustavo)
ResourceBundle constructor now accepts NULL for the first two arguments. (Gustavo)
Fixed bug #62081 (IntlDateFormatter constructor leaks memory when called twice). (Gustavo)
Fixed bug #62070 (Collator::getSortKey() returns garbage). (Gustavo)
Fixed bug #62017 (datefmt_create with incorrectly encoded timezone leaks pattern). (Gustavo)
Fixed bug #60785 (memory leak in IntlDateFormatter constructor). (Gustavo)
JSON:
Fixed bug #61359 (json_encode() calls too many reallocs). (Stas)
libxml:
Fixed bug #62266 (Custom extension segfaults during xmlParseFile with FPM SAPI). (Gustavo)
Phar:
Fixed bug #62227 (Invalid phar stream path causes crash). (Felipe)
Readline:
Fixed bug #62186 (readline fails to compile void function should not return a value). (Johannes)
Reflection:
Fixed bug #62384 (Attempting to invoke a Closure more than once causes segfault). (Felipe)
Fixed bug #62202 (ReflectionParameter::getDefaultValue() memory leaks with constant). (Laruence)
Sockets:
Fixed bug #62025 (__ss_family was changed on AIX 5.3). (Felipe)
SPL:
Fixed bug #62433 (Inconsistent behavior of RecursiveDirectoryIterator to dot files). (Laruence)
Fixed bug #62262 (RecursiveArrayIterator does not implement Countable). (Nikita Popov)
XML Writer:
Fixed bug #62064 (memory leak in the XML Writer module). (jean-pierre dot lozi at lip6 dot fr)
Zip:
Upgraded libzip to 0.10.1 (Anatoliy)

New in PHP 5.4.5 RC 1 (Jul 4, 2012)

Core:
Fixed bug #62443 (Crypt SHA256/512 Segfaults With Malformed Salt). (Anthony Ferrara)
Fixed bug #62432 (ReflectionMethod random corrupt memory on high concurrent). (Johannes)
Fixed bug #62373 (serialize() generates wrong reference to the object). (Moriyoshi)
Fixed bug #62357 (compile failure: (S) Arguments missing for built-in function __memcmp). (Laruence)
Fixed bug #61998 (Using traits with method aliases appears to result in crash during execution). (Dmitry)
Fixed bug #51094 (parse_ini_file() with INI_SCANNER_RAW cuts a value that includes a semi-colon). (Pierrick)
Fixed potential overflow in _php_stream_scandir (CVE-2012-2688). (Jason Powell, Stas)
EXIF:
Fixed information leak in ext exif (discovered by Martin Noga, Matthew "j00ru" Jurczyk, Gynvael Coldwind)
FPM:
Fixed bug #62205 (php-fpm segfaults (null passed to strstr)). (fat)
Fixed bug #62160 (Add process.priority to set nice(2) priorities). (fat)
Fixed bug #62153 (when using unix sockets, multiples FPM instances
Fixed bug #62033 (php-fpm exits with status 0 on some failures to start). (fat)
Fixed bug #61839 (Unable to cross-compile PHP with --enable-fpm). (fat)
Fixed bug #61835 (php-fpm is not allowed to run as root). (fat)
Fixed bug #61295 (php-fpm should not fail with commented 'user'
Fixed bug #61218 (FPM drops connection while receiving some binary values in FastCGI requests). (fat)
Fixed bug #61045 (fpm don't send error log to fastcgi clients). (fat) for non-root start). (fat)
Fixed bug #61026 (FPM pools can listen on the same address). (fat) can be launched without errors). (fat)
Iconv:
Fix bug #55042 (Erealloc in iconv.c unsafe). (Stas)
Intl:
Fixed bug #62083 (grapheme_extract() memory leaks). (Gustavo)
ResourceBundle constructor now accepts NULL for the first two arguments. (Gustavo)
Fixed bug #62081 (IntlDateFormatter constructor leaks memory when called twice). (Gustavo)
Fixed bug #62070 (Collator::getSortKey() returns garbage). (Gustavo)
Fixed bug #62017 (datefmt_create with incorrectly encoded timezone leaks pattern). (Gustavo)
Fixed bug #60785 (memory leak in IntlDateFormatter constructor). (Gustavo)
JSON:
Fixed bug #61359 (json_encode() calls too many reallocs). (Stas)
libxml:
Fixed bug #62266 (Custom extension segfaults during xmlParseFile with FPM SAPI). (Gustavo)
Phar:
Fixed bug #62227 (Invalid phar stream path causes crash). (Felipe)
Readline:
Fixed bug #62186 (readline fails to compile void function should not return a value). (Johannes)
Reflection:
Fixed bug #62384 (Attempting to invoke a Closure more than once causes segfault). (Felipe)
Fixed bug #62202 (ReflectionParameter::getDefaultValue() memory leaks with constant). (Laruence)
Sockets:
Fixed bug #62025 (__ss_family was changed on AIX 5.3). (Felipe)
SPL:
Fixed bug #62433 (Inconsistent behavior of RecursiveDirectoryIterator to dot files). (Laruence)
Fixed bug #62262 (RecursiveArrayIterator does not implement Countable). (Nikita Popov)
XML Writer:
Fixed bug #62064 (memory leak in the XML Writer module). (jean-pierre dot lozi at lip6 dot fr)
Zip:
Upgraded libzip to 0.10.1 (Anatoliy)

New in PHP 5.4.4 (Jun 13, 2012)

CLI Server:
Implemented FR #61977 (Need CLI web-server support for files with .htm & svg extensions). (Sixd, Laruence)
Improved performance while sending error page, this also fixed bug #61785 (Memory leak when access a non-exists file without router). (Laruence)
Fixed bug #61546 (functions related to current script failed when chdir() in cli sapi). (Laruence, [email protected])
COM:
Fixed bug #62146 com_dotnet cannot be built shared. (Johannes)
Core:
Fixed missing bound check in iptcparse(). (chris at chiappa.net)
Fixed CVE-2012-2143. (Solar Designer)
Fixed bug #62097 (fix for for bug #54547). (Gustavo)
Fixed bug #62005 (unexpected behavior when incrementally assigning to a member of a null object). (Laruence)
Fixed bug #61978 (Object recursion not detected for classes that implement JsonSerializable). (Felipe)
Fixed bug #61991 (long overflow in realpath_cache_get()). (Anatoliy)
Fixed bug #61922 (ZTS build doesn't accept zend.script_encoding config). (Laruence)
Fixed bug #61827 (incorrect \e processing on Windows) (Anatoliy)
Fixed bug #61782 (__clone/__destruct do not match other methods when checking access controls). (Stas)
Fixed bug #61761 ('Overriding' a private static method with a different signature causes crash). (Laruence)
Fixed bug #61730 (Segfault from array_walk modifying an array passed by reference). (Laruence)
Fixed bug #61728 (PHP crash when calling ob_start in request_shutdown phase). (Laruence)
Fixed bug #61660 (bin2hex(hex2bin($data)) != $data). (Nikita Popov)
Fixed bug #61650 (ini parser crashes when using ${xxxx} ini variables (without apache2)). (Laruence)
Fixed bug #61605 (header_remove() does not remove all headers). (Laruence)
Fixed bug #54547 (wrong equality of string numbers). (Gustavo)
Fixed bug #54197 ([PATH=] sections incompatibility with user_ini.filename set to null). (Anatoliy)
Changed php://fd to be available only for CLI.
CURL:
Fixed bug #61948 (CURLOPT_COOKIEFILE '' raises open_basedir restriction). (Laruence)
Intl:
Fixed bug #62082 (Memory corruption in internal function get_icu_disp_value_src_php()). (Gustavo)
PDO:
Fixed bug #61755 (A parsing bug in the prepared statements can lead to access violations). (Johannes)
Phar:
Fix bug #61065 (Secunia SA44335, CVE-2012-2386). (Rasmus)
Pgsql:
Added pg_escape_identifier/pg_escape_literal. (Yasuo Ohgaki)
FPM:
Fixed bug #61812 (Uninitialised value used in libmagic). (Laruence, Gustavo)
Fixed bug #61565 where php_stream_open_wrapper_ex tries to open a directory descriptor under windows. (Anatoliy)
Fixed bug #61566 failure caused by the posix lseek and read versions under windows in cdf_read(). (Anatoliy)
Libxml:
Fixed bug #61617 (Libxml tests failed(ht is already destroyed)). (Laruence)
Zlib:
Fixed bug #61820 (using ob_gzhandler will complain about headers already sent when no compression). (Mike)
Fixed bug #61443 (can't change zlib.output_compression on the fly). (Mike)
Fixed bug #60761 (zlib.output_compression fails on refresh). (Mike)

New in PHP 5.4.4 RC 1 (May 16, 2012)

CLI Server:
Implemented FR #61977 (Need CLI web-server support for files with .htm & svg extensions). (Sixd, Laruence)
Improved performance while sending error page, this also fixed bug #61785 (Memory leak when access a non-exists file without router). (Laruence)
Fixed bug #61546 (functions related to current script failed when chdir() in cli sapi). (Laruence, [email protected])
CURL:
Fixed bug #61948 (CURLOPT_COOKIEFILE '' raises open_basedir restriction). (Laruence)
Core:
Fixed missing bound check in iptcparse(). (chris at chiappa.net)
Fixed bug #62005 (unexpected behavior when incrementally assigning to a member of a null object). (Laruence)
Fixed bug #61978 (Object recursion not detected for classes that implement JsonSerializable). (Felipe)
Fixed bug #61991 (long overflow in realpath_cache_get()). (Anatoliy)
Fixed bug #61922 (ZTS build doesn't accept zend.script_encoding config). (Laruence)
Fixed bug #61827 (incorrect \e processing on Windows) (Anatoliy)
Fixed bug #61782 (__clone/__destruct do not match other methods when checking access controls). (Stas)
Fixed bug #61761 ('Overriding' a private static method with a different signature causes crash). (Laruence)
Fixed bug #61730 (Segfault from array_walk modifying an array passed by reference). (Laruence)
Fixed bug #61728 (PHP crash when calling ob_start in request_shutdown phase). (Laruence)
Fixed bug #61660 (bin2hex(hex2bin($data)) != $data). (Nikita Popov)
Fixed bug #61650 (ini parser crashes when using ${xxxx} ini variables (without apache2)). (Laruence)
Fixed bug #61605 (header_remove() does not remove all headers). (Laruence)
Fixed bug #54547 (wrong equality of string numbers). (Gustavo)
Fixed bug #54197 ([PATH=] sections incompatibility with user_ini.filename set to null). (Anatoliy)
Changed php://fd to be available only for CLI.
Phar:
Fix bug #61065 (Secunia SA44335). (Rasmus)
Reflection:
Implemented FR #61602 (Allow access to the name of constant used as function/method parameter's default value). ([email protected])
FPM
Fixed bug #61812 (Uninitialised value used in libmagic). (Laruence, Gustavo)
Libxml:
Fixed bug #61617 (Libxml tests failed(ht is already destroyed)). (Laruence)
Zlib:
Fixed bug #61820 (using ob_gzhandler will complain about headers already sent when no compression). (Mike)
Fixed bug #61443 (can't change zlib.output_compression on the fly). (Mike)
Fixed bug #60761 (zlib.output_compression fails on refresh). (Mike)

New in PHP 5.4.3 (May 8, 2012)

New in PHP 5.4.2 (May 4, 2012)

New in PHP 5.4.1 (Apr 25, 2012)

CLI Server:
Fixed bug #61461 (missing checks around malloc() calls). (Ilia)
Implemented FR #60850 (Built in web server does not set $_SERVER['SCRIPT_FILENAME'] when using router). (Laruence)
"Connection: close" instead of "Connection: closed" (Gustavo)
Core:
Fixed crash in ZTS using same class in many threads. (Johannes)
Fixed bug #61374 (html_entity_decode tries to decode code points that don't exist in ISO-8859-1). (Gustavo)
Fixed bug #61273 (call_user_func_array with more than 16333 arguments leaks / crashes). (Laruence)
Fixed bug #61225 (Incorrect lexing of 0b00*+). (Pierrick)
Fixed bug #61165 (Segfault strip_tags()). (Laruence)
Fixed bug #61106 (Segfault when using header_register_callback). (Nikita Popov)
Fixed bug #61087 (Memory leak in parse_ini_file when specifying invalid scanner mode). (Nikic, Laruence)
Fixed bug #61072 (Memory leak when restoring an exception handler). (Nikic, Laruence)
Fixed bug #61058 (array_fill leaks if start index is PHP_INT_MAX). (Laruence)
Fixed bug #61052 (Missing error check in trait 'insteadof' clause). (Stefan)
Fixed bug #61011 (Crash when an exception is thrown by __autoload accessing a static property). (Laruence)
Fixed bug #61000 (Exceeding max nesting level doesn't delete numerical vars). (Laruence)
Fixed bug #60978 (exit code incorrect). (Laruence)
Fixed bug #60911 (Confusing error message when extending traits). (Stefan)
Fixed bug #60801 (strpbrk() mishandles NUL byte). (Adam)
Fixed bug #60717 (Order of traits in use statement can cause a fatal error). (Stefan)
Fixed bug #60573 (type hinting with "self" keyword causes weird errors). (Laruence)
Fixed bug #60569 (Nullbyte truncates Exception $message). (Ilia)
Fixed bug #52719 (array_walk_recursive crashes if third param of the function is by reference). (Nikita Popov)
Improve performance of set_exception_handler while doing reset (Laruence)
fileinfo:
Fix fileinfo test problems. (Anatoliy Belsky)
FPM:
Fixed bug #61430 (Transposed memset() params in sapi/fpm/fpm/fpm_shm.c). (michaelhood at gmail dot com, Ilia)
Ibase:
Fixed bug #60947 (Segmentation fault while executing ibase_db_info). (Ilia)
Installation:
Fixed bug #61172 (Add Apache 2.4 support). (Chris Jones)
Intl:
Fixed bug #61487 (Incorrent bounds checking in grapheme_strpos). (Stas)
mbstring:
MFH mb_ereg_replace_callback() for security enhancements. (Rui)
mysqli:
Fixed bug #61003 (mysql_stat() require a valid connection). (Johannes).
mysqlnd:
Fixed bug #60948 (mysqlnd FTBFS when -Wformat-security is enabled). (Johannes)
Readline:
Fixed bug #61088 (Memory leak in readline_callback_handler_install). (Nikic, Laruence)
Session:
Fixed bug #60634 (Segmentation fault when trying to die() in SessionHandler::write()). (Ilia)
SOAP:
Fixed bug #61423 (gzip compression fails). (Ilia)
Fixed bug #60887 (SoapClient ignores user_agent option and sends no User-Agent header). (carloschilazo at gmail dot com)
Fixed bug #60842, #51775 (Chunked response parsing error when chunksize length line is > 10 bytes). (Ilia)
Fixed bug #49853 (Soap Client stream context header option ignored). (Dmitry)
PDO:
Fixed bug #61292 (Segfault while calling a method on an overloaded PDO object). (Laruence)
PDO_mysql:
Fixed bug #61207 (PDO::nextRowset() after a multi-statement query doesn't always work). (Johannes)
Fixed bug #61194 (PDO should export compression flag with myslqnd). (Johannes)
PDO_odbc:
Fixed bug #61212 (PDO ODBC Segfaults on SQL_SUCESS_WITH_INFO). (Ilia)
Phar:
Fixed bug #61184 (Phar::webPhar() generates headers with trailing NUL bytes). (Nikita Popov)
Reflection:
Fixed bug #60968 (Late static binding doesn't work with ReflectionMethod::invokeArgs()). (Laruence)
SPL:
Fixed bug #61453 (SplObjectStorage does not identify objects correctly). (Gustavo)
Fixed bug #61347 (inconsistent isset behavior of Arrayobject). (Laruence)
Standard:
Fixed memory leak in substr_replace. (Pierrick)
Make max_file_uploads ini directive settable outside of php.ini (Rasmus)
Fixed bug #61409 (Bad formatting on phpinfo()). (Jakub Vrana)
Fixed bug #60222 (time_nanosleep() does validate input params). (Ilia)
Fixed bug #60106 (stream_socket_server silently truncates long unix socket paths). (Ilia)
XMLRPC:
Fixed bug #61264 (xmlrpc_parse_method_descriptions leaks temporary variable). (Nikita Popov)
Fixed bug #61097 (Memory leak in xmlrpc functions copying zvals). (Nikita Popov)
Zlib:
Fixed bug #61306 (initialization of global inappropriate for ZTS). (Gustavo)
Fixed bug #61287 (A particular string fails to decompress). (Mike)
Fixed bug #61139 (gzopen leaks when specifying invalid mode). (Nikita Popov)

New in PHP 5.4.1 RC 2 (Apr 12, 2012)

New in PHP 5.4.1 RC 1 (Mar 22, 2012)

CLI Server:
Fixed bug #61461 (missing checks around malloc() calls). (Ilia)
Implemented FR #60850 (Built in web server does not set $_SERVER['SCRIPT_FILENAME'] when using router). (Laruence)
"Connection: close" instead of "Connection: closed" (Gustavo)
Core:
Fixed bug #61374 (html_entity_decode tries to decode code points that don't exist in ISO-8859-1). (Gustavo)
Fixed bug #61273 (call_user_func_array with more than 16333 arguments leaks / crashes). (Laruence)
Fixed bug #61225 (Incorrect lexing of 0b00*+). (Pierrick)
Fixed bug #61165 (Segfault strip_tags()). (Laruence)
Fixed bug #61106 (Segfault when using header_register_callback). (Nikita Popov)
Fixed bug #61087 (Memory leak in parse_ini_file when specifying invalid scanner mode). (Nikic, Laruence)
Fixed bug #61072 (Memory leak when restoring an exception handler). (Nikic, Laruence)
Fixed bug #61058 (array_fill leaks if start index is PHP_INT_MAX). (Laruence)
Fixed bug #61052 (Missing error check in trait 'insteadof' clause). (Stefan)
Fixed bug #61011 (Crash when an exception is thrown by __autoload accessing a static property). (Laruence)
Fixed bug #61000 (Exceeding max nesting level doesn't delete numerical vars). (Laruence)
Fixed bug #60978 (exit code incorrect). (Laruence)
Fixed bug #60911 (Confusing error message when extending traits). (Stefan)
Fixed bug #60801 (strpbrk() mishandles NUL byte). (Adam)
Fixed bug #60717 (Order of traits in use statement can cause a fatal error). (Stefan)
Fixed bug #60573 (type hinting with "self" keyword causes weird errors). (Laruence)
Fixed bug #60569 (Nullbyte truncates Exception $message). (Ilia)
Fixed bug #52719 (array_walk_recursive crashes if third param of the function is by reference). (Nikita Popov)
FPM:
Fixed bug #61430 (Transposed memset() params in sapi/fpm/fpm/fpm_shm.c). (michaelhood at gmail dot com, Ilia)
Ibase:
Fixed bug #60947 (Segmentation fault while executing ibase_db_info). (Ilia)
Installation:
Fixed bug #61172 (Add Apache 2.4 support). (Chris Jones)
mbstring:
MFH mb_ereg_replace_callback() for security enhancements. (Rui)
mysqli:
Fixed bug #61003 (mysql_stat() require a valid connection). (Johannes).
mysqlnd:
Fixed bug #60948 (mysqlnd FTBFS when -Wformat-security is enabled). (Johannes)
Readline:
Fixed bug #61088 (Memory leak in readline_callback_handler_install). (Nikic, Laruence)
Session:
Fixed bug #60634 (Segmentation fault when trying to die() in SessionHandler::write()). (Ilia)
SOAP:
Fixed bug #60887 (SoapClient ignores user_agent option and sends no User-Agent header). (carloschilazo at gmail dot com)
Fixed bug #60842, #51775 (Chunked response parsing error when chunksize length line is > 10 bytes). (Ilia)
Fixed bug #49853 (Soap Client stream context header option ignored). (Dmitry)
PDO:
Fixed bug #61292 (Segfault while calling a method on an overloaded PDO object). (Laruence)
PDO_mysql:
Fixed bug #61207 (PDO::nextRowset() after a multi-statement query doesn't always work). (Johannes)
Fixed bug #61194 (PDO should export compression flag with myslqnd). (Johannes)
PDO_odbc:
Fixed bug #61212 (PDO ODBC Segfaults on SQL_SUCESS_WITH_INFO). (Ilia)
Phar:
Fixed bug #61184 (Phar::webPhar() generates headers with trailing NUL bytes). (Nikita Popov)
Reflection:
Fixed bug #60968 (Late static binding doesn't work with ReflectionMethod::invokeArgs()). (Laruence)
SPL:
Fixed bug #61453 (SplObjectStorage does not identify objects correctly). (Gustavo)
Fixed bug #61347 (inconsistent isset behavior of Arrayobject). (Laruence)
Standard:
Fixed memory leak in substr_replace. (Pierrick)
Make max_file_uploads ini directive settable outside of php.ini (Rasmus)
Fixed bug #61409 (Bad formatting on phpinfo()). (Jakub Vrana)
Fixed bug #60222 (time_nanosleep() does validate input params). (Ilia)
Fixed bug #60106 (stream_socket_server silently truncates long unix socket paths). (Ilia)
XMLRPC:
Fixed bug #61264 (xmlrpc_parse_method_descriptions leaks temporary variable). (Nikita Popov)
Fixed bug #61097 (Memory leak in xmlrpc functions copying zvals). (Nikita Popov)
Zlib:
Fixed bug #61306 (initialization of global inappropriate for ZTS). (Gustavo)
Fixed bug #61287 (A particular string fails to decompress). (Mike)
Fixed bug #61139 (gzopen leaks when specifying invalid mode). (Nikita Popov)

New in PHP 5.4.0 (Mar 1, 2012)

autoconf 2.59+ is now supported (and required) for generating the configure script with ./buildconf. Autoconf 2.60+ is desirable otherwise the configure help order may be incorrect. (Rasmus, Chris Jones)
Removed legacy features:
break/continue $var syntax. (Dmitry)
Safe mode and all related ini options. (Kalle)
register_globals and register_long_arrays ini options. (Kalle)
import_request_variables(). (Kalle)
allow_call_time_pass_reference. (Pierrick)
define_syslog_variables ini option and its associated function. (Kalle)
highlight.bg ini option. (Kalle)
Session bug compatibility mode (session.bug_compat_42 and session.bug_compat_warn ini options). (Kalle)
session_is_registered(), session_register() and session_unregister() functions. (Kalle)
y2k_compliance ini option. (Kalle)
magic_quotes_gpc, magic_quotes_runtime and magic_quotes_sybase ini options. get_magic_quotes_gpc, get_magic_quotes_runtime are kept but always return false, set_magic_quotes_runtime raises an E_CORE_ERROR. (Pierrick, Pierre)
Removed support for putenv("TZ=..") for setting the timezone. (Derick)
Removed the timezone guessing algorithm in case the timezone isn't set with date.timezone or date_default_timezone_set(). Instead of a guessed timezone, "UTC" is now used instead. (Derick)
Moved extensions to PECL: (Johannes)
ext/sqlite. (Note: the ext/sqlite3 and ext/pdo_sqlite extensions are not affected)
General improvements:
Added short array syntax support ([1,2,3]), see UPGRADING guide for full details. (rsky0711 at gmail . com, sebastian.deutsch at 9elements . com, Pierre)
Added binary numbers format (0b001010). (Jonah dot Harris at gmail dot com)
Added support for Class::{expr}() syntax (Pierrick)
Added multibyte support by default. Previously php had to be compiled with --enable-zend-multibyte. Now it can be enabled or disabled through zend.multibyte directive in php.ini. (Dmitry)
Removed compile time dependency from ext/mbstring (Dmitry)
Added support for Traits. (Stefan)
Added closure $this support back. (Stas)
Added array dereferencing support. (Felipe)
Added callable typehint. (Hannes)
Added indirect method call through array. FR #47160. (Felipe)
Added DTrace support. (David Soria Parra)
Added class member access on instantiation (e.g. (new foo)->bar()) support. (Felipe)

New in PHP 5.4.0 RC 8 (Feb 17, 2012)

New in PHP 5.3.10 (Feb 6, 2012)

New in PHP 5.4.0 RC 7 (Feb 3, 2012)

New in PHP 5.4.0 RC 6 (Jan 20, 2012)

New in PHP 5.3.9 (Jan 11, 2012)

Core:
Added max_input_vars directive to prevent attacks based on hash collisions (Dmitry).
Fixed bug #60205 (possible integer overflow in content_length). (Laruence)
Fixed bug #60139 (Anonymous functions create cycles not detected by the GC). (Dmitry)
Fixed bug #60138 (GC crash with referenced array in RecursiveArrayIterator) (Dmitry).
Fixed bug #60120 (proc_open's streams may hang with stdin/out/err when the data exceeds or is equal to 2048 bytes). (Pierre, Pascal Borreli)
Fixed bug #60099 (__halt_compiler() works in braced namespaces). (Felipe)
Fixed bug #60019 (Function time_nanosleep() is undefined on OS X). (Ilia)
Fixed bug #55874 (GCC does not provide __sync_fetch_and_add on some archs). (klightspeed at netspace dot net dot au)
Fixed bug #55798 (serialize followed by unserialize with numeric object prop. gives integer prop). (Gustavo)
Fixed bug #55749 (TOCTOU issue in getenv() on Windows builds). (Pierre)
Fixed bug #55707 (undefined reference to `__sync_fetch_and_add_4' on Linux parisc). (Felipe)
Fixed bug #55674 (fgetcsv & str_getcsv skip empty fields in some tab-separated records). (Laruence)
Fixed bug #55649 (Undefined function Bug()). (Laruence)
Fixed bug #55622 (memory corruption in parse_ini_string). (Pierre)
Fixed bug #55576 (Cannot conditionally move uploaded file without race condition). (Gustavo)
Fixed bug #55510: $_FILES 'name' missing first character after upload. (Arpad)
Fixed bug #55509 (segfault on x86_64 using more than 2G memory). (Laruence)
Fixed bug #55504 (Content-Type header is not parsed correctly on HTTP POST request). (Hannes)
Fixed bug #55475 (is_a() triggers autoloader, new optional 3rd argument to is_a and is_subclass_of). (alan_k)
Fixed bug #52461 (Incomplete doctype and missing xmlns). (virsacer at web dot de, Pierre)
Fixed bug #55366 (keys lost when using substr_replace an array). (Arpad)
Fixed bug #55273 (base64_decode() with strict rejects whitespace after pad). (Ilia)
Fixed bug #52624 (tempnam() by-pass open_basedir with nonnexistent directory). (Felipe)
Fixed bug #50982 (incorrect assumption of PAGE_SIZE size). (Dmitry)
Fixed invalid free in call_user_method() function. (Felipe)
Fixed bug #43200 (Interface implementation / inheritence not possible in abstract classes). (Felipe)
BCmath:
Fixed bug #60377 (bcscale related crashes on 64bits platforms). (shm)
Calendar:
Fixed bug #55797 (Integer overflow in SdnToGregorian leads to segfault (in optimized builds). (Gustavo)
cURL:
Fixed bug #60439 (curl_copy_handle segfault when used with CURLOPT_PROGRESSFUNCTION). (Pierrick)
Fixed bug #54798 (Segfault when CURLOPT_STDERR file pointer is closed before calling curl_exec). (Hannes)
Fixed issues were curl_copy_handle() would sometimes lose copied preferences. (Hannes)
DateTime:
Fixed bug #60373 (Startup errors with log_errors on cause segfault). (Derick)
Fixed bug #60236 (TLA timezone dates are not converted properly from timestamp). (Derick)
Fixed bug #55253 (DateTime::add() and sub() result -1 hour on objects with time zone type 2). (Derick)
Fixed bug #54851 (DateTime::createFromFormat() doesn't interpret "D"). (Derick)
Fixed bug #53502 (strtotime with timezone memory leak). (Derick)
Fixed bug #52062 (large timestamps with DateTime::getTimestamp and DateTime::setTimestamp). (Derick)
Fixed bug #51994 (date_parse_from_format is parsing invalid date using 'yz' format). (Derick)
Fixed bug #52113 (Seg fault while creating (by unserialization) DatePeriod). (Derick)
Fixed bug #48476 (cloning extended DateTime class without calling parent::__constr crashed PHP). (Hannes)
EXIF:
Fixed bug #60150 (Integer overflow during the parsing of invalid exif header). (Stas, flolechaud at gmail dot com)
Fileinfo:
Fixed bug #60094 (C++ comment fails in c89). (Laruence)
Fixed possible memory leak in finfo_open(). (Felipe)
Fixed memory leak when calling the Finfo constructor twice. (Felipe)
Filter:
Fixed Bug #55478 (FILTER_VALIDATE_EMAIL fails with internationalized domain name addresses containing >1 -). (Ilia)
FTP:
Fixed bug #60183 (out of sync ftp responses). (bram at ebskamp dot me, rasmus)
Gd:
Fixed bug #60160 (imagefill() doesn't work correctly for small images). (Florian)
Intl:
Fixed bug #60192 (SegFault when Collator not constructed properly). (Florian)
Fixed memory leak in several Intl locale functions. (Felipe)
JSON:
Fixed bug #55543 (json_encode() with JSON_NUMERIC_CHECK fails on objects with numeric string properties). (Ilia, dchurch at sciencelogic dot com)
mbstring:
Fixed possible crash in mb_ereg_search_init() using empty pattern. (Felipe)
MS SQL:
Fixed bug #60267 (Compile failure with freetds 0.91). (Felipe)
MySQL:
Fixed bug #55550 (mysql.trace_mode miscounts result sets). (Johannes)
MySQLi extension:
Fixed bug #55859 (mysqli->stat property access gives error). (Andrey)
Fixed bug #55582 (mysqli_num_rows() returns always 0 for unbuffered, when mysqlnd is used). (Andrey)
Fixed bug #55703 (PHP crash when calling mysqli_fetch_fields). (eran at zend dot com, Laruence)
mysqlnd:
Fixed bug #55609 (mysqlnd cannot be built shared). (Johannes)
Fixed bug #55067 (MySQL doesn't support compression - wrong config option). (Andrey)
NSAPI SAPI:
Don't set $_SERVER['HTTPS'] on unsecure connection (bug #55403). (Uwe Schindler)
OpenSSL:
Fixed bug #60279 (Fixed NULL pointer dereference in stream_socket_enable_crypto, case when ssl_handle of session_stream is not initialized.) (shm)
Fix segfault with older versions of OpenSSL. (Scott)
Oracle Database extension (OCI8):
Fixed bug #59985 (show normal warning text for OCI_NO_DATA). (Chris Jones)
Increased maximum Oracle error message buffer length for new 11.2.0.3 size. (Chris Jones)
Improve internal initalization failure error messages. (Chris Jones)
PDO
Fixed bug #55776 (PDORow to session bug). (Johannes)
PDO Firebird:
Fixed bug #48877 ("bindValue" and "bindParam" do not work for PDO Firebird). (Mariuz)
Fixed bug #47415 (PDO_Firebird segfaults when passing lowercased column name to bindColumn).
Fixed bug #53280 (PDO_Firebird segfaults if query column count less than param count). (Mariuz)
PDO MySQL driver:
Fixed bug #60155 (pdo_mysql.default_socket ignored). (Johannes)
Fixed bug #55870 (PDO ignores all SSL parameters when used with mysql native driver). (Pierre)
Fixed bug #54158 (MYSQLND+PDO MySQL requires #define MYSQL_OPT_LOCAL_INFILE). (Andrey)
PDO OCI driver:
Fixed bug #55768 (PDO_OCI can't resume Oracle session after it's been killed). (mikhail dot v dot gavrilov at gmail dot com, Chris Jones, Tony)
Phar:
Fixed bug #60261 (NULL pointer dereference in phar). (Felipe)
Fixed bug #60164 (Stubs of a specific length break phar_open_from_fp scanning for __HALT_COMPILER). (Ralph Schindler)
Fixed bug #53872 (internal corruption of phar). (Hannes)
Fixed bug #52013 (Unable to decompress files in a compressed phar). (Hannes)
PHP-FPM SAPI:
Fixed bug #60659 (FPM does not clear auth_user on request accept). (bonbons at linux-vserver dot org)
Fixed bug #60629 (memory corruption when web server closed the fcgi fd). (fat)
Fixed bug #60179 (php_flag and php_value does not work properly). (fat)
Fixed bug #55526 (Heartbeat causes a lot of unnecessary events). (fat)
Fixed bug #55533 (The -d parameter doesn't work). (fat)
Implemented FR #52569 (Add the "ondemand" process-manager to allow zero children). (fat)
Fixed bug #55486 (status show BIG processes number). (fat)
Fixed bug #55577 (status.html does not install). (fat)
Backported from 5.4 branch (Dropped restriction of not setting the same value multiple times, the last one holds). (giovanni at giacobbi dot net, fat)
Backported FR #55166 from 5.4 branch (Added process.max to control the number of process FPM can fork). (fat)
Backported FR #55181 from 5.4 branch (Enhance security by limiting access to user defined extensions). (fat)
Backported FR #54098 from 5.4 branch (Lowered process manager default value). (fat)
Backported FR #52052 from 5.4 branch (Added partial syslog support). (fat)
Implemented FR #54577 (Enhanced status page with full status and details about each processes. Also provide a web page (status.html) for real-time FPM status. (fat)
Enhance error log when the primary script can't be open. FR #60199. (fat)
Added .phar to default authorized extensions. (fat)
Postgres:
Fixed bug #60244 (pg_fetch_* functions do not validate that row param is >0). (Ilia)
Reflection:
Fixed bug #60367 (Reflection and Late Static Binding). (Laruence)
Session:
Fixed bug #55267 (session_regenerate_id fails after header sent). (Hannes)
SimpleXML:
Reverted the SimpleXML->query() behaviour to returning empty arrays instead of false when no nodes are found as it was since 5.3.3 (bug #48601). (chregu, rrichards)
SOAP:
Fixed bug #54911 (Access to a undefined member in inherit SoapClient may cause Segmentation Fault). (Dmitry)
Fixed bug #48216 (PHP Fatal error: SOAP-ERROR: Parsing WSDL: Extra content at the end of the doc, when server uses chunked transfer encoding with spaces after chunk size). (Dmitry)
Fixed bug #44686 (SOAP-ERROR: Parsing WSDL with references). (Dmitry)
Sockets:
Fixed bug #60048 (sa_len a #define on IRIX). (china at thewrittenword dot com)
SPL:
Fixed bug #60082 (Crash in ArrayObject() when using recursive references). (Tony)
Fixed bug #55807 (Wrong value for splFileObject::SKIP_EMPTY). (jgotti at modedemploi dot fr, Hannes)
Fixed bug #54304 (RegexIterator::accept() doesn't work with scalar values). (Hannes)
Streams:
Fixed bug #60455 (stream_get_line misbehaves if EOF is not detected together with the last read). (Gustavo)
Tidy:
Fixed bug #54682 (Tidy::diagnose() NULL pointer dereference). (Maksymilian Arciemowicz, Felipe)
XSL:
Added xsl.security_prefs ini option to define forbidden operations within XSLT stylesheets, default is not to enable write operations. This option won't be in 5.4, since there's a new method. Fixes Bug #54446. (Chregu, Nicolas Gregoire)

New in PHP 5.4.0 RC 5 (Jan 6, 2012)

New in PHP 5.4.0 RC 4 (Dec 27, 2011)

New in PHP 5.4.0 RC 3 (Dec 9, 2011)

New in PHP 5.4.0 Beta 2 (Oct 31, 2011)

New in PHP 5.3.8 (Aug 24, 2011)

New in PHP 5.3.6 (Mar 18, 2011)

Upgraded bundled Sqlite3 to version 3.7.4. (Ilia)
Upgraded bundled PCRE to version 8.11. (Ilia)
Zend Engine:
Indirect reference to $this fails to resolve if direct $this is never used in method. (Scott)
Fixed bug numerous crashes due to setlocale (crash on error, pcre, mysql etc.) on Windows in thread safe mode. (Pierre)
Added options to debug backtrace functions. (Stas)
Fixed bug #53971 (isset() and empty() produce apparently spurious runtime error). (Dmitry)
Fixed bug #53958 (Closures can't 'use' shared variables by value and by reference). (Dmitry)
Fixed bug #53629 (memory leak inside highlight_string()). (Hannes, Ilia)
Fixed bug #51458 (Lack of error context with nested exceptions). (Stas)
Fixed bug #47143 (Throwing an exception in a destructor causes a fatal error). (Stas)
Fixed bug #43512 (same parameter name can be used multiple times in method/function definition). (Felipe)
Core:
Added ability to connect to HTTPS sites through proxy with basic authentication using stream_context/http/header/Proxy-Authorization (Dmitry)
Changed default value of ini directive serialize_precision from 100 to 17. (Gustavo)
Fixed bug #54055 (buffer overrun with high values for precision ini setting). (Gustavo)
Fixed bug #53959 (reflection data for fgetcsv out-of-date). (Richard)
Fixed bug #53577 (Regression introduced in 5.3.4 in open_basedir with a trailing forward slash). (lekensteyn at gmail dot com, Pierre)
Fixed bug #53682 (Fix compile on the VAX). (Rasmus, jklos)
Fixed bug #48484 (array_product() always returns 0 for an empty array). (Ilia)
Fixed bug #48607 (fwrite() doesn't check reply from ftp server before exiting). (Ilia)
Calendar extension:
Fixed bug #53574 (Integer overflow in SdnToJulian, sometimes leading to segfault). (Gustavo)
DOM extension:
Implemented FR #39771 (Made DOMDocument::saveHTML accept an optional DOMNode like DOMDocument::saveXML). (Gustavo)
DateTime extension:
Fixed a bug in DateTime->modify() where absolute date/time statements had no effect. (Derick)
Fixed bug #53729 (DatePeriod fails to initialize recurrences on 64bit big-endian systems). (Derick, [email protected])
Fixed bug #52808 (Segfault when specifying interval as two dates). (Stas)
Fixed bug #52738 (Can't use new properties in class extended from DateInterval). (Stas)
Fixed bug #52290 (setDate, setISODate, setTime works wrong when DateTime created from timestamp). (Stas)
Fixed bug #52063 (DateTime constructor's second argument doesn't have a null default value). (Gustavo, Stas)
Exif extension:
Fixed bug #54002 (crash on crafted tag, reported by Luca Carettoni). (Pierre) (CVE-2011-0708)
Filter extension:
Fixed bug #53924 (FILTER_VALIDATE_URL doesn't validate port number). (Ilia, Gustavo)
Fixed bug #53150 (FILTER_FLAG_NO_RES_RANGE is missing some IP ranges). (Ilia)
Fixed bug #52209 (INPUT_ENV returns NULL for set variables (CLI)). (Ilia)
Fixed bug #47435 (FILTER_FLAG_NO_RES_RANGE don't work with ipv6). (Ilia, valli at icsurselva dot ch)
Fileinfo extension:
Fixed bug #54016 (finfo_file() Cannot determine filetype in archives). (Hannes)
Gettext
Fixed bug #53837 (_() crashes on Windows when no LANG or LANGUAGE environment variable are set). (Pierre)
IMAP extension:
Implemented FR #53812 (get MIME headers of the part of the email). (Stas)
Fixed bug #53377 (imap_mime_header_decode() doesn't ignore \t during long MIME header unfolding). (Adam)
Intl extension:
Fixed bug #53612 (Segmentation fault when using cloned several intl objects). (Gustavo)
Fixed bug #53512 (NumberFormatter::setSymbol crash on bogus $attr values). (Felipe)
Implemented clone functionality for number, date & message formatters. (Stas).
JSON extension:
Fixed bug #53963 (Ensure error_code is always set during some failed decodings). (Scott)
mysqlnd
Fixed problem with always returning 0 as num_rows for unbuffered sets. (Andrey, Ulf)
MySQL Improved extension:
Added 'db' and 'catalog' keys to the field fetching functions (FR #39847). (Kalle)
Fixed buggy counting of affected rows when using the text protocol. The collected statistics were wrong when multi_query was used with mysqlnd (Andrey)
Fixed bug #53795 (Connect Error from MySqli (mysqlnd) when using SSL). (Kalle)
Fixed bug #53503 (mysqli::query returns false after successful LOAD DATA query). (Kalle, Andrey)
Fixed bug #53425 (mysqli_real_connect() ignores client flags when built to call libmysql). (Kalle, tre-php-net at crushedhat dot com)
OpenSSL extension:
Fixed stream_socket_enable_crypto() not honoring the socket timeout in server mode. (Gustavo)
Fixed bug #54060 (Memory leaks when openssl_encrypt). (Pierre)
Fixed bug #54061 (Memory leaks when openssl_decrypt). (Pierre)
Fixed bug #53592 (stream_socket_enable_crypto() busy-waits in client mode). (Gustavo)
Implemented FR #53447 (Cannot disable SessionTicket extension for servers that do not support it) by adding a no_ticket SSL context option. (Adam, Tony)
PDO MySQL driver:
Fixed bug #53551 (PDOStatement execute segfaults for pdo_mysql driver). (Johannes)
Implemented FR #47802 (Support for setting character sets in DSN strings). (Kalle)
PDO Oracle driver:
Fixed bug #39199 (Cannot load Lob data with more than 4000 bytes on ORACLE 10). (spatar at mail dot nnov dot ru)
PDO PostgreSQL driver:
Fixed bug #53517 (segfault in pgsql_stmt_execute() when postgres is down). (gyp at balabit dot hu)
Phar extension:
Fixed bug #54247 (format-string vulnerability on Phar). (Felipe) (CVE-2011-1153)
Fixed bug #53541 (format string bug in ext/phar). (crrodriguez at opensuse dot org, Ilia)
Fixed bug #53898 (PHAR reports invalid error message, when the directory does not exist). (Ilia)
PHP-FPM SAPI:
Enforce security in the fastcgi protocol parsing. (ef-lists at email dotde)
Fixed bug #53777 (php-fpm log format now match php_error log format). (fat)
Fixed bug #53527 (php-fpm --test doesn't set a valuable return value). (fat)
Fixed bug #53434 (php-fpm slowlog now also logs the original request). (fat)
Readline extension:
Fixed bug #53630 (Fixed parameter handling inside readline() function). (jo at feuersee dot de, Ilia)
Reflection extension:
Fixed bug #53915 (ReflectionClass::getConstant(s) emits fatal error on constants with self::). (Gustavo)
Shmop extension:
Fixed bug #54193 (Integer overflow in shmop_read()). (Felipe) Reported by Jose Carlos Norte (CVE-2011-1092)
SNMP extension:
Fixed bug #51336 (snmprealwalk (snmp v1) does not handle end of OID tree correctly). (Boris Lytochkin)
SOAP extension:
Fixed possible crash introduced by the NULL poisoning patch. (Mateusz Kocielski, Pierre)
SPL extension:
Fixed memory leak in DirectoryIterator::getExtension() and SplFileInfo::getExtension(). (Felipe)
Fixed bug #53914 (SPL assumes HAVE_GLOB is defined). (Chris Jones)
Fixed bug #53515 (property_exists incorrect on ArrayObject null and 0 values). (Felipe)
Added SplFileInfo::getExtension(). FR #48767. (Peter Cowburn)
SQLite3 extension:
Fixed memory leaked introduced by the NULL poisoning patch. (Mateusz Kocielski, Pierre)
Fixed memory leak on SQLite3Result and SQLite3Stmt when assigning to a reference. (Felipe)
Add SQlite3_Stmt::readonly() for checking if a statement is read only. (Scott)
Implemented FR #53466 (SQLite3Result::columnType() should return false after all of the rows have been fetched). (Scott)
Streams:
Fixed bug #54092 (Segmentation fault when using HTTP proxy with the FTP wrapper). (Gustavo)
Fixed bug #53913 (Streams functions assume HAVE_GLOB is defined). (Chris Jones)
Fixed bug #53903 (userspace stream stat callback does not separate the elements of the returned array before converting them). (Gustavo)
Implemented FR #26158 (open arbitrary file descriptor with fopen). (Gustavo)
Tokenizer Extension
Fixed bug #54089 (token_get_all() does not stop after __halt_compiler). (Ilia)
XSL extension:
Fixed memory leaked introduced by the NULL poisoning patch. (Mateusz Kocielski, Pierre)
Zip extension:
Added the filename into the return value of stream_get_meta_data(). (Hannes)
Fixed bug #53923 (Zip functions assume HAVE_GLOB is defined). (Adam)
Fixed bug #53893 (Wrong return value for ZipArchive::extractTo()). (Pierre)
Fixed bug #53885 (ZipArchive segfault with FL_UNCHANGED on empty archive). (Stas, Maksymilian Arciemowicz). (CVE-2011-0421)
Fixed bug #53854 (Missing constants for compression type). (Richard, Adam)
Fixed bug #53603 (ZipArchive should quiet stat errors). (brad dot froehle at gmail dot com, Gustavo)
Fixed bug #53579 (stream_get_contents() segfaults on ziparchive streams). (Hannes)
Fixed bug #53568 (swapped memset arguments in struct initialization). (crrodriguez at opensuse dot org)
Fixed bug #53166 (Missing parameters in docs and reflection definition). (Richard)
Fixed bug #49072 (feof never returns true for damaged file in zip). (Gustavo, Richard Quadling)

New in PHP 5.3.3 (Jul 27, 2010)

Security Enhancements and Fixes:
Rewrote var_export() to use smart_str rather than output buffering, prevents data disclosure if a fatal error occurs (CVE-2010-2531).
Fixed a possible resource destruction issues in shm_put_var().
Fixed a possible information leak because of interruption of XOR operator.
Fixed a possible memory corruption because of unexpected call-time pass by refernce and following memory clobbering through callbacks.
Fixed a possible memory corruption in ArrayObject::uasort().
Fixed a possible memory corruption in parse_str().
Fixed a possible memory corruption in pack().
Fixed a possible memory corruption in substr_replace().
Fixed a possible memory corruption in addcslashes().
Fixed a possible stack exhaustion inside fnmatch().
Fixed a possible dechunking filter buffer overflow.
Fixed a possible arbitrary memory access inside sqlite extension.
Fixed string format validation inside phar extension.
Fixed handling of session variable serialization on certain prefix characters.
Fixed a NULL pointer dereference when processing invalid XML-RPC requests (Fixes CVE-2010-0397, bug #51288).
Fixed SplObjectStorage unserialization problems (CVE-2010-2225).
Fixed possible buffer overflows in mysqlnd_list_fields, mysqlnd_change_user.
Fixed possible buffer overflows when handling error packets in mysqlnd.
Key enhancements:
Upgraded bundled sqlite to version 3.6.23.1.
Upgraded bundled PCRE to version 8.02.
Added FastCGI Process Manager (FPM) SAPI.
Added stream filter support to mcrypt extension.
Added full_special_chars filter to ext/filter.
Fixed a possible crash because of recursive GC invocation.
Fixed bug #52238 (Crash when an Exception occured in iterator_to_array).
Fixed bug #52041 (Memory leak when writing on uninitialized variable returned from function).
Fixed bug #52060 (Memory leak when passing a closure to method_exists()).
Fixed bug #52001 (Memory allocation problems after using variable variables).
Fixed bug #51723 (Content-length header is limited to 32bit integer with Apache2 on Windows).
Fixed bug #48930 (__COMPILER_HALT_OFFSET__ incorrect in PHP >= 5.3).

New in PHP 5.3.2 (Mar 6, 2010)

Security Fixes:
Improved LCG entropy. (Rasmus, Samy Kamkar)
Fixed safe_mode validation inside tempnam() when the directory path does not end with a /). (Martin Jansen)
Fixed a possible open_basedir/safe_mode bypass in the session extension identified by Grzegorz Stachowiak. (Ilia)
Upgraded bundled sqlite to version 3.6.22. (Ilia)
Upgraded bundled libmagic to version 5.03. (Mikko)
Upgraded bundled PCRE to version 8.00. (Scott)
Updated timezone database to version 2010.3. (Derick)
Improved LCG entropy. (Rasmus, Samy Kamkar)
Improved crypt support for edge cases (UFC compatibility). (Solar Designer, Joey, Pierre)
Changed gmp_strval() to use full range from 2 to 62, and -2 to -36. FR #50283 (David Soria Parra)
Changed "post_max_size" php.ini directive to allow unlimited post size by setting it to 0. (Rasmus)
Changed tidyNode class to disallow manual node creation. (Pierrick)
Removed automatic file descriptor unlocking happening on shutdown and/or stream close (on all OSes). (Tony, Ilia)
Added libpng 1.4.0 support. (Pierre)
Added support for DISABLE_AUTHENTICATOR for imap_open. (Pierre)
Added missing host validation for HTTP urls inside FILTER_VALIDATE_URL. (Ilia)
Added stream_resolve_include_path(). (Mikko)
Added INTERNALDATE support to imap_append. (nick at mailtrust dot com)
Added support for SHA-256 and SHA-512 to php's crypt. (Pierre)
Added realpath_cache_size() and realpath_cache_get() functions. (Stas)
Added FILTER_FLAG_STRIP_BACKTICK option to the filter extension. (Ilia)
Added protection for $_SESSION from interrupt corruption and improved "session.save_path" check. (Stas)
Added LIBXML_PARSEHUGE constant to override the maximum text size of a single text node when using libxml2.7.3+. (Kalle)
Added ReflectionMethod::setAccessible() for invoking non-public methods through the Reflection API. (Sebastian)
Added Collator::getSortKey for intl extension. (Stas)
Added support for CURLOPT_POSTREDIR. FR #49571. (Sriram Natarajan)
Added support for CURLOPT_CERTINFO. FR #49253. (Linus Nielsen Feltzing )
Added client-side server name indication support in openssl. (Arnaud)
Improved fix for bug #50006 (Segfault caused by uksort()). (Stas)
Fixed mysqlnd hang when queries exactly 16777214 bytes long are sent. (Andrey)
Fixed incorrect decoding of 5-byte BIT sequences in mysqlnd. (Andrey)
Fixed error_log() to be binary safe when using message_type 3. (Jani)
Fixed unnecessary invocation of setitimer when timeouts have been disabled. (Arvind Srinivasan)
Fixed memory leak in extension loading when an error occurs on Windows. (Pierre)
Fixed safe_mode validation inside tempnam() when the directory path does not end with a /). (Martin Jansen)
Fixed a possible open_basedir/safe_mode bypass in session extension identified by Grzegorz Stachowiak. (Ilia)
Fixed possible crash when a error/warning is raised during php startup. (Pierre)
Fixed possible bad behavior of rename on windows when used with symbolic links or invalid paths. (Pierre)
Fixed error output to stderr on Windows. (Pierre)
Fixed memory leaks in is_writable/readable/etc on Windows. (Pierre)
Fixed memory leaks in the ACL function on Windows. (Pierre)
Fixed memory leak in the realpath cache on Windows. (Pierre)
Fixed memory leak in zip_close. (Pierre)
Fixed crypt's blowfish sanity check of the "setting" string, to reject iteration counts encoded as 36 through 39. (Solar Designer, Joey, Pierre)
Fixed bug #51059 (crypt crashes when invalid salt are given). (Pierre)
Fixed bug #50952 (allow underscore _ in constants parsed in php.ini files). (Jani)
Fixed bug #50940 (Custom content-length set incorrectly in Apache SAPIs). (Brian France, Rasmus)
Fixed bug #50930 (Wrong date by php_date.c patch with ancient gcc/glibc versions). (Derick)
Fixed bug #50907 (X-PHP-Originating-Script adding two new lines in *NIX). (Ilia)
Fixed bug #50859 (build fails with openssl 1.0 due to md2 deprecation). (Ilia, hanno at hboeck dot de)
Fixed bug #50847 (strip_tags() removes all tags greater then 1023 bytes long). (Ilia)
Fixed bug #50829 (php.ini directive pdo_mysql.default_socket is ignored). (Ilia)
Fixed bug #50832 (HTTP fopen wrapper does not support passwordless HTTP authentication). (Jani)
Fixed bug #50787 (stream_set_write_buffer() has no effect on socket streams). (vnegrier at optilian dot com, Ilia)
Fixed bug #50761 (system.multiCall crashes in xmlrpc extension). (hiroaki dot kawai at gmail dot com, Ilia)
Fixed bug #50756 (CURLOPT_FTP_SKIP_PASV_IP does not exist). (Sriram)
Fixed bug #50732 (exec() adds single byte twice to $output array). (Ilia)
Fixed bug #50728 (All PDOExceptions hardcode 'code' property to 0). (Joey, Ilia)
Fixed bug #50723 (Bug in garbage collector causes crash). (Dmitry)
Fixed bug #50690 (putenv does not set ENV when the value is only one char). (Pierre)
Fixed bug #50680 (strtotime() does not support eighth ordinal number). (Ilia)
Fixed bug #50661 (DOMDocument::loadXML does not allow UTF-16). (Rob)
Fixed bug #50657 (copy() with an empty (zero-byte) HTTP source succeeds but returns false). (Ilia)
Fixed bug #50632 (filter_input() does not return default value if the variable does not exist). (Ilia)
Fixed bug #50576 (XML_OPTION_SKIP_TAGSTART option has no effect). (Pierrick)
Fixed bug #50558 (Broken object model when extending tidy). (Pierrick)
Fixed bug #50540 (Crash while running ldap_next_reference test cases). (Sriram)
Fixed bug #50519 (segfault in garbage collection when using set_error_handler and DomDocument). (Dmitry)
Fixed bug #50508 (compile failure: Conflicting HEADER type declarations). (Jani)
Fixed bug #50496 (Use of is valid only in a c99 compilation environment. (Sriram)
Fixed bug #50464 (declare encoding doesn't work within an included file). (Felipe)
Fixed bug #50458 (PDO::FETCH_FUNC fails with Closures). (Felipe, Pierrick)
Fixed bug #50445 (PDO-ODBC stored procedure call from Solaris 64-bit causes seg fault). (davbrown4 at yahoo dot com, Felipe)
Fixed bug #50416 (PROCEDURE db.myproc can't return a result set in the given context). (Andrey)
Fixed bug #50394 (Reference argument converted to value in __call). (Stas)
Fixed bug #50351 (performance regression handling objects, ten times slowerin 5.3 than in 5.2). (Dmitry)
Fixed bug #50392 (date_create_from_format() enforces 6 digits for 'u' format character). (Ilia)
Fixed bug #50345 (nanosleep not detected properly on some solaris versions). (Jani)
Fixed bug #50340 (php.ini parser does not allow spaces in ini keys). (Jani)
Fixed bug #50334 (crypt ignores sha512 prefix). (Pierre)
Fixed bug #50323 (Allow use of ; in values via ;; in PDO DSN). (Ilia, Pierrick)
Fixed bug #50285 (xmlrpc does not preserve keys in encoded indexed arrays). (Felipe)
Fixed bug #50282 (xmlrpc_encode_request() changes object into array in calling function). (Felipe)
Fixed bug #50267 (get_browser(null) does not use HTTP_USER_AGENT). (Jani)
Fixed bug #50266 (conflicting types for llabs). (Jani)
Fixed bug #50261 (Crash When Calling Parent Constructor with call_user_func()). (Dmitry)
Fixed bug #50255 (isset() and empty() silently casts array to object). (Felipe)
Fixed bug #50240 (pdo_mysql.default_socket in php.ini shouldn't used if it is empty). (foutrelis at gmail dot com, Ilia)
Fixed bug #50231 (Socket path passed using --with-mysql-sock is ignored when mysqlnd is enabled). (Jani)
Fixed bug #50219 (soap call Segmentation fault on a redirected url). (Pierrick)
Fixed bug #50212 (crash by ldap_get_option() with LDAP_OPT_NETWORK_TIMEOUT). (Ilia, shigeru_kitazaki at cybozu dot co dot jp)
Fixed bug #50209 (Compiling with libedit cannot find readline.h). (tcallawa at redhat dot com)
Fixed bug #50207 (segmentation fault when concatenating very large strings on 64bit linux). (Ilia)
Fixed bug #50196 (stream_copy_to_stream() produces warning when source is not file). (Stas)
Fixed bug #50195 (pg_copy_to() fails when table name contains schema. (Ilia)
Fixed bug #50185 (ldap_get_entries() return false instead of an empty array when there is no error). (Jani)
Fixed bug #50174 (Incorrectly matched docComment). (Felipe)
Fixed bug #50168 (FastCGI fails with wrong error on HEAD request to non-existant file). (Dmitry)
Fixed bug #50162 (Memory leak when fetching timestamp column from Oracle database). (Felipe)
Fixed bug #50159 (wrong working directory in symlinked files). (Dmitry)
Fixed bug #50158 (FILTER_VALIDATE_EMAIL fails with valid addresses containing = or ?). (Pierrick)
Fixed bug #50152 (ReflectionClass::hasProperty behaves like isset() not property_exists). (Felipe)
Fixed bug #50146 (property_exists: Closure object cannot have properties). (Felipe)
Fixed bug #50145 (crash while running bug35634.phpt). (Felipe)
Fixed bug #50140 (With default compilation option, php symbols are unresolved for nsapi). (Uwe Schindler)
Fixed bug #50087 (NSAPI performance improvements). (Uwe Schindler)
Fixed bug #50073 (parse_url() incorrect when ? in fragment). (Ilia)
Fixed bug #50023 (pdo_mysql doesn't use PHP_MYSQL_UNIX_SOCK_ADDR). (Ilia)
Fixed bug #50005 (Throwing through Reflection modified Exception object makes segmentation fault). (Felipe)
Fixed bug #49990 (SNMP3 warning message about security level printed twice). (Jani)
Fixed bug #49985 (pdo_pgsql prepare() re-use previous aborted transaction). (ben dot pineau at gmail dot com, Ilia, Matteo)
Fixed bug #49938 (Phar::isBuffering() returns inverted value). (Greg)
Fixed bug #49936 (crash with ftp stream in php_stream_context_get_option()). (Pierrick)
Fixed bug #49921 (Curl post upload functions changed). (Ilia)
Fixed bug #49866 (Making reference on string offsets crashes PHP). (Dmitry)
Fixed bug #49855 (import_request_variables() always returns NULL). (Ilia, sjoerd at php dot net)
Fixed bug #49851, #50451 (http wrapper breaks on 1024 char long headers). (Ilia)
Fixed bug #49800 (SimpleXML allow (un)serialize() calls without warning). (Ilia, wmeler at wp-sa dot pl)
Fixed bug #49719 (ReflectionClass::hasProperty returns true for a private property in base class). (Felipe)
Fixed bug #49677 (ini parser crashes with apache2 and using ${something} ini variables). (Jani)
Fixed bug #49660 (libxml 2.7.3+ limits text nodes to 10MB). (Felipe)
Fixed bug #49647 (DOMUserData does not exist). (Rob)
Fixed bug #49600 (imageTTFText text shifted right). (Takeshi Abe)
Fixed bug #49585 (date_format buffer not long enough for >4 digit years). (Derick, Adam)
Fixed bug #49560 (oci8: using LOBs causes slow PHP shutdown). (Oracle Corp.)
Fixed bug #49521 (PDO fetchObject sets values before calling constructor). (Pierrick)
Fixed bug #49472 (Constants defined in Interfaces can be overridden). (Felipe)
Fixed bug #49463 (setAttributeNS fails setting default namespace). (Rob)
Fixed bug #49244 (Floating point NaN cause garbage characters). (Sjoerd)
Fixed bug #49224 (Compile error due to old DNS functions on AIX systems). (Scott)
Fixed bug #49174 (crash when extending PDOStatement and trying to set queryString property). (Felipe)
Fixed bug #48811 (Directives in PATH section do not get applied to subdirectories). (Patch by: ct at swin dot edu dot au)
Fixed bug #48590 (SoapClient does not honor max_redirects). (Sriram)
Fixed bug #48190 (Content-type parameter "boundary" is not case-insensitive in HTTP uploads). (Ilia)
Fixed bug #47848 (importNode doesn't preserve attribute namespaces). (Rob)
Fixed bug #47409 (extract() problem with array containing word "this"). (Ilia, chrisstocktonaz at gmail dot com)
Fixed bug #47281 ($php_errormsg is limited in size of characters) (Oracle Corp.)
Fixed bug #46478 (htmlentities() uses obsolete mapping table for character entity references). (Moriyoshi)
Fixed bug #45599 (strip_tags() truncates rest of string with invalid attribute). (Ilia, hradtke)
Fixed bug #45120 (PDOStatement->execute() returns true then false for same statement). (Pierrick)
Fixed bug #44827 (define() allows :: in constant names). (Ilia)
Fixed bug #44098 (imap_utf8() returns only capital letters). (steffen at dislabs dot de, Pierre)
Fixed bug #34852 (Failure in odbc_exec() using oracle-supplied odbc driver). (tim dot tassonis at trivadis dot com)

New in PHP 5.3.2 RC1 (Dec 23, 2009)

Upgraded bundled sqlite to version 3.6.21. (Ilia)
Upgraded bundled PCRE to version 8.00. (Scott)
Changed gmp_strval() to use full range from 2 to 62, and -2 to -36. FR #50283 (David Soria Parra)
Changed "post_max_size" php.ini directive to allow unlimited post size by setting it to 0. (Rasmus)
Added INTERNALDATE support to imap_append. (nick at mailtrust dot com)
Added support for SHA-256 and SHA-512 to php's crypt. (Pierre)
Added realpath_cache_size() and realpath_cache_get() functions. (Stas)
Added FILTER_FLAG_STRIP_BACKTICK option to the filter extension. (Ilia)
Added protection for $_SESSION from interrupt corruption and improved "session.save_path" check. (Stas)
Added LIBXML_PARSEHUGE constant to override the maximum text size of a single text node when using libxml2.7.3+. (Kalle)
Added ReflectionMethod::setAccessible() for invoking non-public methods through the Reflection API. (Sebastian)
Added Collator::getSortKey for intl extension. (Stas)
Added support for CURLOPT_POSTREDIR. FR #49571. (Sriram Natarajan)
Added support for CURLOPT_CERTINFO. FR #49253. (Linus Nielsen Feltzing )
Added client-side server name indication support in openssl. (Arnaud)
Improved fix for bug #50006 (Segfault caused by uksort()). (Stas)
Fixed mysqlnd hang when queries exactly 16777214 bytes long are sent. (Andrey)
Fixed incorrect decoding of 5-byte BIT sequences in mysqlnd. (Andrey)
Fixed error_log() to be binary safe when using message_type 3. (Jani)
Fixed unnecessary invocation of setitimer when timeouts have been disabled. (Arvind Srinivasan)
Fixed memory leak in extension loading when an error occurs on Windows. (Pierre)
Fixed bug #50540 (Crash while running ldap_next_reference test cases). (Sriram)
Fixed bug #50508 (compile failure: Conflicting HEADER type declarations). (Jani)
Fixed bug #50496 (Use of is valid only in a c99 compilation environment. (Sriram)
Fixed bug #50464 (declare encoding doesn't work within an included file). (Felipe)
Fixed bug #50458 (PDO::FETCH_FUNC fails with Closures). (Felipe, Pierrick)
Fixed bug #50445 (PDO-ODBC stored procedure call from Solaris 64-bit causes seg fault). (davbrown4 at yahoo dot com, Felipe)
Fixed bug #50394 (Reference argument converted to value in __call). (Stas)
Fixed bug #50351 (performance regression handling objects, ten times slower in 5.3 than in 5.2). (Dmitry)
Fixed bug #50392 (date_create_from_format() enforces 6 digits for 'u' format character). (Ilia)
Fixed bug #50345 (nanosleep not detected properly on some solaris versions). (Jani)
Fixed bug #50340 (php.ini parser does not allow spaces in ini keys). (Jani)
Fixed bug #50334 (crypt ignores sha512 prefix). (Pierre)
Fixed bug #50323 (Allow use of ; in values via ;; in PDO DSN). (Ilia, Pierrick)
Fixed bug #50285 (xmlrpc does not preserve keys in encoded indexed arrays). (Felipe)
Fixed bug #50282 (xmlrpc_encode_request() changes object into array in calling function). (Felipe)
Fixed bug #50267 (get_browser(null) does not use HTTP_USER_AGENT). (Jani)
Fixed bug #50266 (conflicting types for llabs). (Jani)
Fixed bug #50261 (Crash When Calling Parent Constructor with call_user_func()). (Dmitry)
Fixed bug #50255 (isset() and empty() silently casts array to object). (Felipe)
Fixed bug #50240 (pdo_mysql.default_socket in php.ini shouldn't used if it is empty). (foutrelis at gmail dot com, Ilia)
Fixed bug #50231 (Socket path passed using --with-mysql-sock is ignored when mysqlnd is enabled). (Jani)
Fixed bug #50219 (soap call Segmentation fault on a redirected url). (Pierrick)
Fixed bug #50212 (crash by ldap_get_option() with LDAP_OPT_NETWORK_TIMEOUT). (Ilia, shigeru_kitazaki at cybozu dot co dot jp)
Fixed bug #50209 (Compiling with libedit cannot find readline.h). (tcallawa at redhat dot com)
Fixed bug #50207 (segmentation fault when concatenating very large strings on 64bit linux). (Ilia)
Fixed bug #50196 (stream_copy_to_stream() produces warning when source is not file). (Stas)
Fixed bug #50195 (pg_copy_to() fails when table name contains schema. (Ilia)
Fixed bug #50185 (ldap_get_entries() return false instead of an empty array when there is no error). (Jani)
Fixed bug #50174 (Incorrectly matched docComment). (Felipe)
Fixed bug #50168 (FastCGI fails with wrong error on HEAD request to non-existant file). (Dmitry)
Fixed bug #50162 (Memory leak when fetching timestamp column from Oracle database). (Felipe)
Fixed bug #50159 (wrong working directory in symlinked files). (Dmitry)
Fixed bug #50158 (FILTER_VALIDATE_EMAIL fails with valid addresses containing = or ?). (Pierrick)
Fixed bug #50152 (ReflectionClass::hasProperty behaves like isset() not property_exists). (Felipe)
Fixed bug #50146 (property_exists: Closure object cannot have properties). (Felipe)
Fixed bug #50145 (crash while running bug35634.phpt). (Felipe)
Fixed bug #50140 (With default compilation option, php symbols are unresolved for nsapi). (Uwe Schindler)
Fixed bug #50087 (NSAPI performance improvements). (Uwe Schindler)
Fixed bug #50073 (parse_url() incorrect when ? in fragment). (Ilia)
Fixed bug #50023 (pdo_mysql doesn't use PHP_MYSQL_UNIX_SOCK_ADDR). (Ilia)
Fixed bug #50005 (Throwing through Reflection modified Exception object makes segmentation fault). (Felipe)
Fixed bug #49990 (SNMP3 warning message about security level printed twice). (Jani)
Fixed bug #49985 (pdo_pgsql prepare() re-use previous aborted transaction). (ben dot pineau at gmail dot com, Ilia, Matteo)
Fixed bug #49938 (Phar::isBuffering() returns inverted value). (Greg)
Fixed bug #49936 (crash with ftp stream in php_stream_context_get_option()). (Pierrick)
Fixed bug #49921 (Curl post upload functions changed). (Ilia)
Fixed bug #49866 (Making reference on string offsets crashes PHP). (Dmitry)
Fixed bug #49855 (import_request_variables() always returns NULL). (Ilia, sjoerd at php dot net)
Fixed bug #49851, #50451 (http wrapper breaks on 1024 char long headers). (Ilia)
Fixed bug #49800 (SimpleXML allow (un)serialize() calls without warning). (Ilia, wmeler at wp-sa dot pl)
Fixed bug #49719 (ReflectionClass::hasProperty returns true for a private property in base class). (Felipe)
Fixed bug #49677 (ini parser crashes with apache2 and using ${something} ini variables). (Jani)
Fixed bug #49660 (libxml 2.7.3+ limits text nodes to 10MB). (Felipe)
Fixed bug #49647 (DOMUserData does not exist). (Rob)
Fixed bug #49521 (PDO fetchObject sets values before calling constructor). (Pierrick)
Fixed bug #49472 (Constants defined in Interfaces can be overridden). (Felipe)
Fixed bug #49244 (Floating point NaN cause garbage characters). (Sjoerd)
Fixed bug #49224 (Compile error due to old DNS functions on AIX systems). (Scott)
Fixed bug #49174 (crash when extending PDOStatement and trying to set queryString property). (Felipe)
Fixed bug #47848 (importNode doesn't preserve attribute namespaces). (Rob)
Fixed bug #46478 (htmlentities() uses obsolete mapping table for character entity references). (Moriyoshi)
Fixed bug #45599 (strip_tags() truncates rest of string with invalid attribute). (Ilia, hradtke)
Fixed bug #45120 (PDOStatement->execute() returns true then false for same statement). (Pierrick)
Fixed bug #34852 (Failure in odbc_exec() using oracle-supplied odbc driver). (tim dot tassonis at trivadis dot com)

New in PHP 5.3.1 (Dec 8, 2009)

Security Fixes
Added "max_file_uploads" INI directive, which can be set to limit the number of file uploads per-request to 20 by default, to prevent possible DOS via temporary file exhaustion. (Ilia)
Added missing sanity checks around exif processing. (Ilia)
Fixed a safe_mode bypass in tempnam(). (Rasmus)
Fixed a open_basedir bypass in posix_mkfifo(). (Rasmus)
Fixed bug #50063 (safe_mode_include_dir fails). (Johannes, christian at elmerot dot se)
Added error constant when json_encode() detects an invalid UTF-8 sequence. (Scott)
Added support for ACL on Windows for thread safe SAPI (Apache2 for example) and fix its support on NTS. (Pierre)
Upgraded bundled sqlite to version 3.6.19. (Scott)
Updated timezone database to version 2009.17 (2009q). (Derick)
Fixed crash in com_print_typeinfo when an invalid typelib is given. (Pierre)
Fixed a safe_mode bypass in tempnam() identified by Grzegorz Stachowiak. (Rasmus)
Fixed a open_basedir bypass in posix_mkfifo() identified by Grzegorz Stachowiak. (Rasmus)
Fixed certificate validation inside php_openssl_apply_verification_policy (Ryan Sleevi, Ilia)
Fixed crash in SQLiteDatabase::ArrayQuery() and SQLiteDatabase::SingleQuery() when calling using Reflection. (Felipe)
Fixed crash when instantiating PDORow and PDOStatement through Reflection. (Felipe)
Fixed sanity check for the color index in imagecolortransparent. (Pierre)
Fixed scandir/readdir when used mounted points on Windows. (Pierre)
Fixed zlib.deflate compress filter to actually accept level parameter. (Jani)
Fixed leak on error in popen/exec (and related functions) on Windows. (Pierre)
Fixed possible bad caching of symlinked directories in the realpath cache on Windows. (Pierre)
Fixed atime and mtime in stat related functions on Windows. (Pierre)
Fixed spl_autoload_unregister/spl_autoload_functions wrt. Closures and Functors. (Christian Seiler)
Fixed open_basedir circumvention for "mail.log" ini directive. (Maksymilian Arciemowicz, Stas)
Fixed signature generation/validation for zip archives in ext/phar. (Greg)
Fixed memory leak in stream_is_local(). (Felipe, Tony)
Fixed BC break in mime_content_type(), removes the content encoding. (Scott)
Changed ini file directives [PATH=](on Win32) and [HOST=](on all) to be case insensitive (garretts)
Restored shebang line check to CGI sapi (not checked by scanner anymore). (Jani)
Improve symbolic, mounted volume and junctions support for realpath on Windows. (Pierre)
Improved readlink on Windows, suppress ?? and use the drive syntax only. (Pierre)
Improved dns_get_record() AAAA support on windows. Always available when IPv6 is support is installed, format is now the same than on unix. (Pierre)
Improved the DNS functions on OSX to use newer APIs, also use Bind 9 API where available on other platforms. (Scott)
Improved shared extension loading on OSX to use the standard Unix dlopen() API. (Scott)
Fixed bug #50063 (safe_mode_include_dir fails). (Johannes, christian at elmerot dot se)
Fixed bug #50052 (Different Hashes on Windows and Linux on wrong Salt size). (Pierre)
Fixed bug #49910 (no support for ././@LongLink for long filenames in phar tar support). (Greg)
Fixed bug #49908 (throwing exception in __autoload crashes when interface is not defined). (Felipe)
Fixed bug #49847 (exec() fails to return data inside 2nd parameter, given output lines >4095 bytes). (Ilia)
Fixed bug #49809 (time_sleep_until() is not available on OpenSolaris). (Jani)
Fixed bug #49757 (long2ip() can return wrong value in a multi-threaded applications). (Ilia, Florian Anderiasch)
Fixed bug #49738 (calling mcrypt after mcrypt_generic_deinit crashes). (Sriram Natarajan)
Fixed bug #49732 (crashes when using fileinfo when timestamp conversion fails). (Pierre)
Fixed bug #49698 (Unexpected change in strnatcasecmp()). (Rasmus)
Fixed bug #49630 (imap_listscan function missing). (Felipe)
Fixed bug #49572 (use of C++ style comments causes build failure). (Sriram Natarajan)
Fixed bug #49531 (CURLOPT_INFILESIZE sometimes causes warning "CURLPROTO_FILE cannot be set"). (Felipe)
Fixed bug #49517 (cURL's CURLOPT_FILE prevents file from being deleted after fclose). (Ilia)
Fixed bug #49470 (FILTER_SANITIZE_EMAIL allows disallowed characters). (Ilia)
Fixed bug #49447 (php engine need to correctly check for socket API return status on windows). (Sriram Natarajan)
Fixed bug #49391 (ldap.c utilizing deprecated ldap_modify_s). (Ilia)
Fixed bug #49361 (wordwrap() wraps incorrectly on end of line boundaries). (Ilia, code-it at mail dot ru)
Fixed bug #49372 (segfault in php_curl_option_curl). (Pierre)
Fixed bug #49306 (inside pdo_mysql default socket settings are ignored). (Ilia)
Fixed bug #49289 (bcmath module doesn't compile with phpize configure). (Jani)
Fixed bug #49286 (php://input (php_stream_input_read) is broken). (Jani)
Fixed bug #49269 (Ternary operator fails on Iterator object when used inside foreach declaration). (Etienne, Dmitry)
Fixed bug #49236 (Missing PHP_SUBST(PDO_MYSQL_SHARED_LIBADD)). (Jani)
Fixed bug #49223 (Inconsistency using get_defined_constants). (Garrett)
Fixed bug #49193 (gdJpegGetVersionString() inside gd_compact identifies wrong type in declaration). (Ilia)
Fixed bug #49183 (dns_get_record does not return NAPTR records). (Pierre)
Fixed bug #49144 (Import of schema from different host transmits original authentication details). (Dmitry)
Fixed bug #49142 (crash when exception thrown from __tostring()). (David Soria Parra)
Fixed bug #49986 (Missing ICU DLLs on windows package). (Pierre)
Fixed bug #49132 (posix_times returns false without error). (phpbugs at gunnu dot us)
Fixed bug #49125 (Error in dba_exists C code). (jdornan at stanford dot edu)
Fixed bug #49122 (undefined reference to mysqlnd_stmt_next_result on compile with --with-mysqli and MySQL 6.0). (Jani)
Fixed bug #49108 (2nd scan_dir produces segfault). (Felipe)
Fixed bug #49098 (mysqli segfault on error). (Rasmus)
Fixed bug #49095 (proc_get_status['exitcode'] fails on win32). (Felipe)
Fixed bug #49092 (ReflectionFunction fails to work with functions in fully qualified namespaces). (Kalle, Jani)
Fixed bug #49074 (private class static fields can be modified by using reflection). (Jani)
Fixed bug #49072 (feof never returns true for damaged file in zip). (Pierre)
Fixed bug #49065 ("disable_functions" php.ini option does not work on Zend extensions). (Stas)
Fixed bug #49064 (--enable-session=shared does not work: undefined symbol: php_url_scanner_reset_vars). (Jani)
Fixed bug #49056 (parse_ini_file() regression in 5.3.0 when using non-ASCII strings as option keys). (Jani)
Fixed bug #49052 (context option headers freed too early when using --with-curlwrappers). (Jani)
Fixed bug #49047 (The function touch() fails on directories on Windows). (Pierre)
Fixed bug #49032 (SplFileObject::fscanf() variables passed by reference). (Jani)
Fixed bug #49027 (mysqli_options() doesn't work when using mysqlnd). (Andrey)
Fixed bug #49026 (proc_open() can bypass safe_mode_protected_env_vars restrictions). (Ilia)
Fixed bug #49012 (phar tar signature algorithm reports as Unknown (0) in getSignature() call). (Greg)
Fixed bug #49020 (phar misinterprets ustar long filename standard). (Greg)
Fixed bug #49018 (phar tar stores long filenames wit prefix/name reversed). (Greg)
Fixed bug #49014 (dechunked filter broken when serving more than 8192 bytes in a chunk). (andreas dot streichardt at globalpark dot com, Ilia)
Fixed bug #49000 (PHP CLI in Interactive mode (php -a) crashes when including files from function). (Stas)
Fixed bug #48994 (zlib.output_compression does not output HTTP headers when set to a string value). (Jani)
Fixed bug #48980 (Crash when compiling with pdo_firebird). (Felipe)
Fixed bug #48962 (cURL does not upload files with specified filename). (Ilia)
Fixed bug #48929 (Double
after HTTP headers when "header" context option is an array). (David Zülke)
Fixed bug #48913 (Too long error code strings in pdo_odbc driver). (naf at altlinux dot ru, Felipe)
Fixed bug #48912 (Namespace causes unexpected strict behaviour with extract()). (Dmitry)
Fixed bug #48909 (Segmentation fault in mysqli_stmt_execute()). (Andrey)
Fixed bug #48899 (is_callable returns true even if method does not exist in parent class). (Felipe)
Fixed bug #48893 (Problems compiling with Curl). (Felipe)
Fixed bug #48872 (string.c: errors: duplicate case values). (Kalle)
Fixed bug #48854 (array_merge_recursive modifies arrays after first one). (Felipe)
Fixed bug #48805 (IPv6 socket transport is not working). (Ilia)
Fixed bug #48802 (printf() returns incorrect outputted length). (Jani)
Fixed bug #48880 (Random Appearing open_basedir problem). (Rasmus, Gwynne)
Fixed bug #48791 (open office files always reported as corrupted). (Greg)
Fixed bug #48788 (RecursiveDirectoryIterator doesn't descend into symlinked directories). (Ilia)
Fixed bug #48783 (make install will fail saying phar file exists). (Greg)
Fixed bug #48774 (SIGSEGVs when using curl_copy_handle()). (Sriram Natarajan)
Fixed bug #48771 (rename() between volumes fails and reports no error on Windows). (Pierre)
Fixed bug #48768 (parse_ini_*() crash with INI_SCANNER_RAW). (Jani)
Fixed bug #48763 (ZipArchive produces corrupt archive). (dani dot church at gmail dot com, Pierre)
Fixed bug #48762 (IPv6 address filter still rejects valid address). (Felipe)
Fixed bug #48757 (ReflectionFunction::invoke() parameter issues). (Kalle)
Fixed bug #48754 (mysql_close() crash php when no handle specified). (Johannes, Andrey)
Fixed bug #48752 (Crash during date parsing with invalid date). (Pierre)
Fixed bug #48746 (Unable to browse directories within Junction Points). (Pierre, Kanwaljeet Singla)
Fixed bug #48745 (mysqlnd: mysql_num_fields returns wrong column count for mysql_list_fields). (Andrey)
Fixed bug #48740 (PHAR install fails when INSTALL_ROOT is not the final install location). (james dot cohen at digitalwindow dot com, Greg)
Fixed bug #48733 (CURLOPT_WRITEHEADER|CURLOPT_FILE|CURLOPT_STDERR warns on files that have been opened with r+). (Ilia)
Fixed bug #48719 (parse_ini_*(): scanner_mode parameter is not checked for sanity). (Jani)
Fixed bug #48718 (FILTER_VALIDATE_EMAIL does not allow numbers in domain components). (Ilia)
Fixed bug #48681 (openssl signature verification for tar archives broken). (Greg)
Fixed bug #48660 (parse_ini_*(): dollar sign as last character of value fails). (Jani)
Fixed bug #48645 (mb_convert_encoding() doesn't understand hexadecimal html-entities). (Moriyoshi)
Fixed bug #48637 ("file" fopen wrapper is overwritten when using --with-curlwrappers). (Jani)
Fixed bug #48608 (Invalid libreadline version not detected during configure). (Jani)
Fixed bug #48400 (imap crashes when closing stream opened with OP_PROTOTYPE flag). (Jani)
Fixed bug #48377 (error message unclear on converting phar with existing file). (Greg)
Fixed bug #48247 (Infinite loop and possible crash during startup with errors when errors are logged). (Jani)
Fixed bug #48198 error: 'MYSQLND_LLU_SPEC' undeclared. Cause for #48780 and #46952 - both fixed too. (Andrey)
Fixed bug #48189 (ibase_execute error in return param). (Kalle)
Fixed bug #48182 (ssl handshake fails during asynchronous socket connection). (Sriram Natarajan)
Fixed bug #48116 (Fixed build with Openssl 1.0). (Pierre, Al dot Smith at aeschi dot ch dot eu dot org)
Fixed bug #48057 (Only the date fields of the first row are fetched, others are empty). (info at programmiernutte dot net)
Fixed bug #47481 (natcasesort() does not sort extended ASCII characters correctly). (Herman Radtke)
Fixed bug #47351 (Memory leak in DateTime). (Derick, Tobias John)
Fixed bug #47273 (Encoding bug in SoapServer->fault). (Dmitry)
Fixed bug #46682 (touch() afield returns different values on windows). (Pierre)
Fixed bug #46614 (Extended MySQLi class gives incorrect empty() result). (Andrey)
Fixed bug #46020 (with Sun Java System Web Server 7.0 on HPUX, #define HPUX). (Uwe Schindler)
Fixed bug #45905 (imagefilledrectangle() clipping error). (markril at hotmail dot com, Pierre)
Fixed bug #45554 (Inconsistent behavior of the u format char). (Derick)
Fixed bug #45141 (setcookie will output expires years of >4 digits). (Ilia)
Fixed bug #44683 (popen crashes when an invalid mode is passed). (Pierre)
Fixed bug #43510 (stream_get_meta_data() does not return same mode as used in fopen). (Jani)
Fixed bug #42434 (ImageLine w/ antialias = 1px shorter). (wojjie at gmail dot com, Kalle)
Fixed bug #40013 (php_uname() does not return nodename on Netware (Guenter Knauf)
Fixed bug #38091 (Mail() does not use FQDN when sending SMTP helo). (Kalle, Rick Yorgason)
Fixed bug #28038 (Sent incorrect RCPT TO commands to SMTP server) (Garrett)
Fixed bug #27051 (Impersonation with FastCGI does not exec process as impersonated user). (Pierre)
Fixed PECL bug #16842 (oci_error return false when NO_DATA_FOUND is raised). (Chris Jones)

New in PHP 5.3.0-3 (Jul 30, 2009)

Upgraded bundled PCRE to version 7.9. (Nuno)
Upgraded bundled sqlite to version 3.6.15. (Scott)
Moved extensions to PECL (Derick, Lukas, Pierre, Scott)
Removed the experimental RPL (master/slave) functions from mysqli. (Andrey)
Removed zend.ze1_compatibility_mode. (Dmitry)
Removed all zend_extension_* php.ini directives. Zend extensions are now always loaded using zend_extension directive. (Derick)
Removed special treatment of "/tmp" in sessions for open_basedir. Note: This undocumented behaviour was introduced in 5.2.2. (Alexey)
Removed shebang line check from CGI sapi (checked by scanner). (Dmitry)
Changed PCRE, Reflection and SPL extensions to be always enabled. (Marcus)
Changed md5() to use improved implementation. (Solar Designer, Dmitry)
Changed HTTP stream wrapper to accept any code between and including 200 to 399 as successful. (Mike, Noah Fontes)
Changed __call() to be invoked on private/protected method access, similar to properties and __get(). (Andrei)
Changed dl() to be disabled by default. Enabled only when explicitly registered by the SAPI. Currently enabled with cli, cgi and embed SAPIs. (Dmitry)
Changed opendir(), dir() and scandir() to use default context when no context argument is passed. (Sara)
Changed open_basedir to allow tightening in runtime contexts. (Sara)
Changed PHP/Zend extensions to use flexible build IDs. (Stas)
Changed error level E_ERROR into E_WARNING in Soap extension methods parameter validation. (Felipe)
Changed openssl info to show the shared library version number. (Scott)
Changed floating point behaviour to consistently use double precision on all platforms and with all compilers. (Christian Seiler)
Changed round() to act more intuitively when rounding to a certain precision and round very large and very small exponents correctly. (Christian Seiler)
Changed session_start() to return false when session startup fails. (Jani)
Changed property_exists() to check the existence of a property independent of accessibility (like method_exists()). (Felipe)
Changed array_reduce() to allow mixed $initial (Christian Seiler)
Improved PHP syntax and semantics:
Added lambda functions and closures. (Christian Seiler, Dmitry)
Added "jump label" operator (limited "goto"). (Dmitry, Sara)
Added NOWDOC syntax. (Gwynne Raskind, Stas, Dmitry)
Added HEREDOC syntax with double quotes. (Lars Strojny, Felipe)
Added support for using static HEREDOCs to initialize static variables and class members or constants. (Matt)
Improved syntax highlighting and consistency for variables in double-quoted strings and literal text in HEREDOCs and backticks. (Matt)
Added "?:" operator. (Marcus)
Added support for namespaces. (Dmitry, Stas, Gregory, Marcus)
Added support for Late Static Binding. (Dmitry, Etienne Kneuss)
Added support for __callStatic() magic method. (Sara)
Added forward_static_call(_array) to complete LSB. (Mike Lively)
Added support for dynamic access of static members using $foo::myFunc(). (Etienne Kneuss)
Improved checks for callbacks. (Marcus)
Added __DIR__ constant. (Lars Strojny)
Added new error modes E_USER_DEPRECATED and E_DEPRECATED. E_DEPRECATED is used to inform about stuff being scheduled for removal in future PHP versions. (Lars Strojny, Felipe, Marcus)
Added "request_order" INI variable to control specifically $_REQUEST behavior. (Stas)
Added support for exception linking. (Marcus)
Added ability to handle exceptions in destructors. (Marcus)
Improved PHP runtime speed and memory usage:
Substitute global-scope, persistent constants with their values at compile time. (Matt)
Optimized ZEND_SIGNED_MULTIPLY_LONG(). (Matt)
Removed direct executor recursion. (Dmitry)
Use fastcall calling convention in executor on x86. (Dmitry)
Use IS_CV for direct access to $this variable. (Dmitry)
Use ZEND_FREE() opcode instead of ZEND_SWITCH_FREE(IS_TMP_VAR). (Dmitry)
Lazy EG(active_symbol_table) initialization. (Dmitry)
Optimized ZEND_RETURN opcode to not allocate and copy return value if it is not used. (Dmitry)
Replaced all flex based scanners with re2c based scanners. (Marcus, Nuno, Scott)
Added garbage collector. (David Wang, Dmitry).
Improved PHP binary size and startup speed with GCC4 visibility control. (Nuno)
Improved engine stack implementation for better performance and stability. (Dmitry)
Improved memory usage by moving constants to read only memory. (Dmitry, Pierre)
Changed exception handling. Now each op_array doesn't contain ZEND_HANDLE_EXCEPTION opcode in the end. (Dmitry)
Optimized require_once() and include_once() by eliminating fopen(3) on second usage. (Dmitry)
Optimized ZEND_FETCH_CLASS + ZEND_ADD_INTERFACE into single ZEND_ADD_INTERFACE opcode. (Dmitry)
Optimized string searching for a single character. (Michal Dziemianko, Scott)
Optimized interpolated strings to use one less opcode. (Matt)
Improved php.ini handling (Jani):
Added ".htaccess" style user-defined php.ini files support for CGI/FastCGI.
Added support for special [PATH=/opt/httpd/www.example.com/] and [HOST=www.example.com] sections. Directives set in these sections can not be overridden by user-defined ini-files or during runtime.
Added better error reporting for php.ini syntax errors.
Allowed using full path to load modules using "extension" directive.
Allowed "ini-variables" to be used almost everywhere ini php.ini files.
Allowed using alphanumeric/variable indexes in "array" ini options.
Added 3rd optional parameter to parse_ini_file() to specify the scanning mode of INI_SCANNER_NORMAL or INI_SCANNER_RAW. In raw mode option values and section values are treated as-is.
Fixed get_cfg_var() to be able to return "array" ini options.
Added optional parameter to ini_get_all() to only retrieve the current value. (Hannes)
Improved Windows support:
Update all libraries to their latest stable version. (Pierre, Rob, Liz, Garrett).
Added Windows support for stat(), touch(), filemtime(), filesize() and related functions. (Pierre)
Re-added socket_create_pair() for Windows in sockets extension. (Kalle)
Added inet_pton() and inet_ntop() also for Windows platforms. (Kalle, Pierre)
Added mcrypt_create_iv() for Windows platforms. (Pierre)
Added ACL Cache support on Windows. (Kanwaljeet Singla, Pierre, Venkat Raman Don)
Added constants based on Windows' GetVersionEx information. PHP_WINDOWS_VERSION_* and PHP_WINDOWS_NT_*. (Pierre)
Added support for ACL (is_writable, is_readable, reports now correct results) on Windows. (Pierre, Venkat Raman Don, Kanwaljeet Singla)
Added support for fnmatch() on Windows. (Pierre)
Added support for time_nanosleep() and time_sleep_until() on Windows. (Pierre)
Added support for symlink(), readlink(), linkinfo() and link() on Windows. They are available only when the running platform supports them. (Pierre)
the GMP extension now relies on MPIR instead of the GMP library. (Pierre)
Added Windows support for stream_socket_pair(). (Kalle)
Drop all external dependencies for the core features. (Pierre)
Drastically improve the build procedure (Pierre, Kalle, Rob)
MSI installer now supports all recent Windows versions, including Windows 7. (John, Kanwaljeet Singla)
Improved and cleaned CGI code:
FastCGI is now always enabled and cannot be disabled. See sapi/cgi/CHANGES for more details. (Dmitry)
Added CGI SAPI -T option which can be used to measure execution time of script repeated several times. (Dmitry)
Improved streams:
Fixed confusing error message on failure when no errors are logged. (Greg)
Added stream_supports_lock() function. (Benjamin Schulz)
Added context parameter for copy() function. (Sara)
Added "glob://" stream wrapper. (Marcus)
Added "params" as optional parameter for stream_context_create(). (Sara)
Added ability to use stream wrappers in include_path. (Gregory, Dmitry)
Improved DNS API
Added Windows support for dns_check_record(), dns_get_mx(), checkdnsrr() and getmxrr(). (Pierre)
Added support for old style DNS functions (supports OSX and FBSD). (Scott)
Added a new "entries" array in dns_check_record() containing the TXT elements. (Felipe, Pierre)
Improved hash extension:
Changed mhash to be a wrapper layer around the hash extension. (Scott)
Added hash_copy() function. (Tony)
Added sha224 hash algorithm to the hash extension. (Scott)
Improved IMAP support (Pierre):
Added imap_gc() to clear the imap cache
Added imap_utf8_to_mutf7() and imap_mutf7_to_utf8()
Improved mbstring extension:
Added "mbstring.http_output_conv_mimetypes" INI directive that allows common non-text types such as "application/xhtml+xml" to be converted by mb_output_handler(). (Moriyoshi)
Improved OCI8 extension (Chris Jones/Oracle Corp.):
Added Database Resident Connection Pooling (DRCP) and Fast Application Notification (FAN) support.
Added support for Oracle External Authentication (not supported on Windows).
Improve persistent connection handling of restarted DBs.
Added SQLT_AFC (aka CHAR datatype) support to oci_bind_by_name.
Fixed bug #45458 (Numeric keys for associative arrays are not handled properly)
Fixed bug #41069 (Segmentation fault with query over DB link).
Fixed define of SQLT_BDOUBLE and SQLT_BFLOAT constants with Oracle 10g ORACLE_HOME builds.
Changed default value of oci8.default_prefetch from 10 to 100.
Fixed PECL bug #16035 (OCI8: oci_connect without ORACLE_HOME defined causes segfault) (Chris Jones/Oracle Corp.)
Fixed PECL bug #15988 (OCI8: sqlnet.ora isn't read with older Oracle libraries) (Chris Jones/Oracle Corp.)
Fixed PECL bug #14268 (Allow "pecl install oci8" command to "autodetect" an Instant Client RPM install) (Chris Jones/Oracle Corp.)
Fixed PECL bug #12431 (OCI8 ping functionality is broken).
Allow building (e.g from PECL) the PHP 5.3-based OCI8 code with PHP 4.3.9 onwards.
Provide separate extensions for Oracle 11g and 10g on Windows. (Pierre, Chris)
Improved OpenSSL extension:
Added support for OpenSSL digest and cipher functions. (Dmitry)
Added access to internal values of DSA, RSA and DH keys. (Dmitry)
Fixed a memory leak on openssl_decrypt(). (Henrique)
Fixed segfault caused by openssl_pkey_new(). (Henrique)
Fixed bug caused by uninitilized variables in openssl_pkcs7_encrypt() and openssl_pkcs7_sign(). (Henrique)
Fixed error message in openssl_seal(). (Henrique)
Improved pcntl extension (Arnaud):
Added pcntl_signal_dispatch().
Added pcntl_sigprocmask().
Added pcntl_sigwaitinfo().
Added pcntl_sigtimedwait().
Improved SOAP extension:
Added support for element names in context of XMLSchema's . (Dmitry)
Added ability to use Traversable objects instead of plain arrays. (Joshua Reese, Dmitry)
Fixed possible crash bug caused by an uninitialized value. (Zdash Urf)
Improved SPL extension:
Added SPL to list of standard extensions that cannot be disabled. (Marcus)
Added ability to store associative information with objects in SplObjectStorage. (Marcus)
Added ArrayAccess support to SplObjectStorage. (Marcus)
Added SplDoublyLinkedList, SplStack, SplQueue classes. (Etienne)
Added FilesystemIterator. (Marcus)
Added GlobIterator. (Marcus)
Added SplHeap, SplMinHeap, SplMaxHeap, SplPriorityQueue classes. (Etienne)
Added new parameter $prepend to spl_autoload_register(). (Etienne)
Added SplFixedArray. (Etienne, Tony)
Added delaying exceptions in SPL's autoload mechanism. (Marcus)
Added RecursiveTreeIterator. (Arnaud, Marcus)
Added MultipleIterator. (Arnaud, Marcus, Johannes)
Improved Zend Engine:
Added "compact" handler for Zend MM storage. (Dmitry)
Added "+" and "*" specifiers to zend_parse_parameters(). (Andrei)
Added concept of "delayed early binding" that allows opcode caches to perform class declaration (early and/or run-time binding) in exactly the same order as vanilla PHP. (Dmitry)
Improved crypt() function (Pierre):
Added Blowfish and extended DES support. (Using Blowfish implementation from Solar Designer).
Made crypt features portable by providing our own implementations for crypt_r and the algorithms which are used when OS does not provide them. PHP implementations are always used for Windows builds.
Deprecated session_register(), session_unregister() and session_is_registered(). (Hannes)
Deprecated define_syslog_variables(). (Kalle)
Deprecated ereg extension. (Felipe)
Added new extensions:
Added Enchant extension as a way to access spell checkers. (Pierre)
Added fileinfo extension as replacement for mime_magic extension. (Derick)
Added intl extension for Internationalization. (Ed B., Vladimir I., Dmitry L., Stanislav M., Vadim S., Kirti V.)
Added mysqlnd extension as replacement for libmysql for ext/mysql, mysqli and PDO_mysql. (Andrey, Johannes, Ulf)
Added phar extension for handling PHP Archives. (Greg, Marcus, Steph)
Added SQLite3 extension. (Scott)
Added new date/time functionality: (Derick)
date_parse_from_format(): Parse date/time strings according to a format.
date_create_from_format()/DateTime::createFromFormat(): Create a date/time object by parsing a date/time string according to a given format.
date_get_last_errors()/DateTime::getLastErrors(): Return a list of warnings and errors that were found while parsing a date/time string through.
support for abbreviation and offset based timezone specifiers for the 'e' format specifier, DateTime::__construct(), DateTime::getTimeZone() and DateTimeZone::getName().
support for selectively listing timezone identifiers by continent or country code through timezone_identifiers_list() / DateTimezone::listIdentifiers().
timezone_location_get() / DateTimezone::getLocation() for retrieving location information from timezones.
date_timestamp_set() / DateTime::setTimestamp() to set a Unix timestamp without invoking the date parser. (Scott, Derick)
date_timestamp_get() / DateTime::getTimestamp() to retrieve the Unix timestamp belonging to a date object.
two optional parameters to timezone_transitions_get() / DateTimeZone::getTranstions() to limit the range of transitions being returned.
support for "first/last day of " style texts.
support for date/time strings returned by MS SQL.
support for serialization and unserialization of DateTime objects.
support for diffing date/times through date_diff() / DateTime::diff().
support for adding/subtracting weekdays with strtotime() and DateTime::modify().
DateInterval class to represent the difference between two date/times.
support for parsing ISO intervals for use with DateInterval.
date_add() / DateTime::add(), date_sub() / DateTime::sub() for applying an interval to an existing date/time.
proper support for "this week", "previous week"/"last week" and "next week" phrases so that they actually mean the week and not a seven day period around the current day.
support for " of" and "last of" phrases to be used with months - like in "last saturday of februari 2008".
support for "back of " and "front of " phrases that are used in Scotland.
DatePeriod class which supports iterating over a DateTime object applying DateInterval on each iteration, up to an end date or limited by maximum number of occurences.
Added compatibility mode in GD, imagerotate, image(filled)ellipse imagefilter, imageconvolution and imagecolormatch are now always enabled. (Pierre)
Added array_replace() and array_replace_recursive() functions. (Matt)
Added ReflectionProperty::setAccessible() method that allows non-public property's values to be read through ::getValue() and set through ::setValue(). (Derick, Sebastian)
Added msg_queue_exists() function to sysvmsg extension. (Benjamin Schulz)
Added Firebird specific attributes that can be set via PDO::setAttribute() to control formatting of date/timestamp columns: PDO::FB_ATTR_DATE_FORMAT, PDO::FB_ATTR_TIME_FORMAT and PDO::FB_ATTR_TIMESTAMP_FORMAT. (Lars W)
Added gmp_testbit() function. (Stas)
Added icon format support to getimagesize(). (Scott)
Added LDAP_OPT_NETWORK_TIMEOUT option for ldap_set_option() to allow setting network timeout (FR #42837). (Jani)
Added optional escape character parameter to fgetcsv(). (David Soria Parra)
Added an optional parameter to strstr() and stristr() for retrieval of either the part of haystack before or after first occurrence of needle. (Johannes, Felipe)
Added xsl->setProfiling() for profiling stylesheets. (Christian)
Added long-option feature to getopt() and made getopt() available also on win32 systems by adding a common getopt implementation into core. (David Soria Parra, Jani)
Added support for optional values, and = as separator, in getopt(). (Hannes)
Added lcfirst() function. (David C)
Added PREG_BAD_UTF8_OFFSET_ERROR constant. (Nuno)
Added native support for asinh(), acosh(), atanh(), log1p() and expm1(). (Kalle)
Added LIBXML_LOADED_VERSION constant (libxml2 version currently used). (Rob)
Added JSON_FORCE_OBJECT flag to json_encode(). (Scott, Richard Quadling)
Added timezone_version_get() to retrieve the version of the used timezone database. (Derick)
Added 'n' flag to fopen to allow passing O_NONBLOCK to the underlying open(2) system call. (Mikko)
Added "dechunk" filter which can decode HTTP responses with chunked transfer-encoding. HTTP streams use this filter automatically in case "Transfer-Encoding: chunked" header is present in response. It's possible to disable this behaviour using "http"=>array("auto_decode"=>0) in stream context. (Dmitry)
Added support for CP850 encoding in mbstring extension. (Denis Giffeler, Moriyoshi)
Added stream_cast() and stream_set_options() to user-space stream wrappers, allowing stream_select(), stream_set_blocking(), stream_set_timeout() and stream_set_write_buffer() to work with user-space stream wrappers. (Arnaud)
Added header_remove() function. (chsc at peytz dot dk, Arnaud)
Added stream_context_get_params() function. (Arnaud)
Added optional parameter "new" to sybase_connect(). (Timm)
Added parse_ini_string() function. (grange at lemonde dot fr, Arnaud)
Added str_getcsv() function. (Sara)
Added openssl_random_pseudo_bytes() function. (Scott)
Added ability to send user defined HTTP headers with SOAP request. (Brian J.France, Dmitry)
Added concatenation option to bz2.decompress stream filter. (Keisial at gmail dot com, Greg)
Added support for using compressed connections with PDO_mysql. (Johannes)
Added the ability for json_decode() to take a user specified depth. (Scott)
Added support for the mysql_stmt_next_result() function from libmysql. (Andrey)
Added function preg_filter() that does grep and replace in one go. (Marcus)
Added system independent realpath() implementation which caches intermediate directories in realpath-cache. (Dmitry)
Added optional clear_realpath_cache and filename parameters to clearstatcache(). (Jani, Arnaud)
Added litespeed SAPI module. (George Wang)
Added ext/hash support to ext/session's ID generator. (Sara)
Added quoted_printable_encode() function. (Tony)
Added stream_context_set_default() function. (Davey Shafik)
Added optional "is_xhtml" parameter to nl2br() which makes the function output when false and when true (FR #34381). (Kalle)
Added PHP_MAXPATHLEN constant (maximum length of a path). (Pierre)
Added support for SSH via libssh2 in cURL. (Pierre)
Added support for gray levels PNG image with alpha in GD extension. (Pierre)
Added support for salsa hashing functions in HASH extension. (Scott)
Added DOMNode::getLineNo to get line number of parsed node. (Rob)
Added table info to PDO::getColumnMeta() with SQLite. (Martin Jansen, Scott)
Added mail logging functionality that allows logging of mail sent via mail() function. (Ilia)
Added json_last_error() to return any error information from json_decode(). (Scott)
Added gethostname() to return the current system host name. (Ilia)
Added shm_has_var() function. (Mike)
Added depth parameter to json_decode() to lower the nesting depth from the maximum if required. (Scott)
Added pixelation support in imagefilter(). (Takeshi Abe, Kalle)
Added SplObjectStorage::addAll/removeAll. (Etienne)
Implemented FR #41712 (curl progress callback: CURLOPT_PROGRESSFUNCTION). (sdteffen[at]gmail[dot].com, Pierre)
Implemented FR #47739 (Missing cURL option do disable IPv6). (Pierre)
Implemented FR #39637 (Missing cURL option CURLOPT_FTP_FILEMETHOD). (Pierre)
Fixed an issue with ReflectionProperty::setAccessible(). (Sebastian, Roman Borschel)
Fixed html_entity_decode() incorrectly converting numeric html entities to different characters with cp1251 and cp866. (Scott)
Fixed an issue in date() where a : was printed for the O modifier after a P modifier was used. (Derick)
Fixed exec() on Windows to not eat the first and last double quotes. (Scott)
Fixed readlink on Windows in thread safe SAPI (apache2.x etc.). (Pierre)
Fixed a bug causing miscalculations with the "last of month" relative time string. (Derick)
Fixed bug causing the algorithm parameter of mhash() to be modified. (Scott)
Fixed invalid calls to free when internal fileinfo magic file is used. (Scott)
Fixed memory leak inside wddx_add_vars() function. (Felipe)
Fixed check in recode extension to allow builing of recode and mysql extensions when using a recent libmysql. (Johannes)
Fixed PECL bug #12794 (PDOStatement->nextRowset() doesn't work). (Johannes)
Fixed PECL bug #12401 (Add support for ATTR_FETCH_TABLE_NAMES). (Johannes)
Fixed bug #48696 (ldap_read() segfaults with invalid parameters). (Felipe)
Fixed bug #48643 (String functions memory issue). (Dmitry)
Fixed bug #48641 (tmpfile() uses old parameter parsing). (crrodriguez at opensuse dot org)
Fixed bug #48624 (.user.ini never gets parsed). (Pierre)
Fixed bug #48620 (X-PHP-Originating-Script assumes no trailing CRLF in existing headers). (Ilia)
Fixed bug #48578 (Can't build 5.3 on FBSD 4.11). (Rasmus)
Fixed bug #48535 (file_exists returns false when impersonate is used). (Kanwaljeet Singla, Venkat Raman Don)
Fixed bug #48493 (spl_autoload_register() doesn't work correctly when prepending functions). (Scott)
Fixed bug #48215 (Calling a method with the same name as the parent class calls the constructor). (Scott)
Fixed bug #48200 (compile failure with mbstring.c when --enable-zend-multibyte is used). (Jani)
Fixed bug #48188 (Cannot execute a scrollable cursors twice with PDO_PGSQL). (Matteo)
Fixed bug #48185 (warning: value computed is not used in pdo_sqlite_stmt_get_col line 271). (Matteo)
Fixed bug #48087 (call_user_method() invalid free of arguments). (Felipe)
Fixed bug #48060 (pdo_pgsql - large objects are returned as empty). (Matteo)
Fixed bug #48034 (PHP crashes when script is 8192 (8KB) bytes long). (Dmitry)
Fixed bug #48004 (Error handler prevents creation of default object). (Dmitry)
Fixed bug #47880 (crashes in call_user_func_array()). (Dmitry)
Fixed bug #47856 (stristr() converts needle to lower-case). (Ilia)
Fixed bug #47851 (is_callable throws fatal error). (Dmitry)
Fixed bug #47816 (pcntl tests failing on NetBSD). (Matteo)
Fixed bug #47779 (Wrong value for SIG_UNBLOCK and SIG_SETMASK constants). (Matteo)
Fixed bug #47771 (Exception during object construction from arg call calls object's destructor). (Dmitry)
Fixed bug #47767 (include_once does not resolve windows symlinks or junctions) (Kanwaljeet Singla, Venkat Raman Don)
Fixed bug #47757 (rename JPG to JPEG in phpinfo). (Pierre)
Fixed bug #47745 (FILTER_VALIDATE_INT doesn't allow minimum integer). (Dmitry)
Fixed bug #47714 (autoloading classes inside exception_handler leads to crashes). (Dmitry)
Fixed bug #47671 (Cloning SplObjectStorage instances). (Etienne)
Fixed bug #47664 (get_class returns NULL instead of FALSE). (Dmitry)
Fixed bug #47662 (Support more than 127 subpatterns in preg_match). (Nuno)
Fixed bug #47596 (Bus error on parsing file). (Dmitry)
Fixed bug #47572 (Undefined constant causes segmentation fault). (Felipe)
Fixed bug #47560 (explode()'s limit parameter odd behaviour). (Matt)
Fixed bug #47549 (get_defined_constants() return array with broken array categories). (Ilia)
Fixed bug #47535 (Compilation failure in ps_fetch_from_1_to_8_bytes()). (Johannes)
Fixed bug #47534 (RecursiveDiteratoryIterator::getChildren ignoring CURRENT_AS_PATHNAME). (Etienne)
Fixed bug #47443 (metaphone('scratch') returns wrong result). (Felipe)
Fixed bug #47438 (mysql_fetch_field ignores zero offset). (Johannes)
Fixed bug #47398 (PDO_Firebird doesn't implements quoter correctly). (Felipe)
Fixed bug #47390 (odbc_fetch_into - BC in php 5.3.0). (Felipe)
Fixed bug #47359 (Use the expected unofficial mimetype for bmp files). (Scott)
Fixed bug #47343 (gc_collect_cycles causes a segfault when called within a destructor in one case). (Dmitry)
Fixed bug #47320 ($php_errormsg out of scope in functions). (Dmitry)
Fixed bug #47318 (UMR when trying to activate user config). (Pierre)
Fixed bug #47243 (OCI8: Crash at shutdown on Windows) (Chris Jones/Oracle Corp.)
Fixed bug #47231 (offsetGet error using incorrect offset). (Etienne)
Fixed bug #47229 (preg_quote() should escape the '-' char). (Nuno)
Fixed bug #47165 (Possible memory corruption when passing return value by reference). (Dmitry)
Fixed bug #47087 (Second parameter of mssql_fetch_array()). (Felipe)
Fixed bug #47085 (rename() returns true even if the file in PHAR does not exist). (Greg)
Fixed bug #47050 (mysqli_poll() modifies improper variables). (Johannes)
Fixed bug #47045 (SplObjectStorage instances compared with ==). (Etienne)
Fixed bug #47038 (Memory leak in include). (Dmitry)
Fixed bug #47031 (Fix constants in DualIterator example). (Etienne)
Fixed bug #47021 (SoapClient stumbles over WSDL delivered with "Transfer-Encoding: chunked"). (Dmitry)
Fixed bug #46994 (OCI8: CLOB size does not update when using CLOB IN OUT param in stored procedure) (Chris Jones/Oracle Corp.)
Fixed bug #46979 (use with non-compound name *has* effect). (Dmitry)
Fixed bug #46957 (The tokenizer returns deprecated values). (Felipe)
Fixed bug #46944 (UTF-8 characters outside the BMP aren't encoded correctly). (Scott)
Fixed bug #46897 (ob_flush() should fail to flush unerasable buffers). (David C.)
Fixed bug #46849 (Cloning DOMDocument doesn't clone the properties). (Rob)
Fixed bug #46847 (phpinfo() is missing some settings). (Hannes)
Fixed bug #46844 (php scripts or included files with first line starting with # have the 1st line missed from the output). (Ilia)
Fixed bug #46817 (tokenizer misses last single-line comment (PHP 5.3+, with re2c lexer)). (Matt, Shire)
Fixed bug #46811 (ini_set() doesn't return false on failure). (Hannes)
Fixed bug #46763 (mb_stristr() wrong output when needle does not exist). (Henrique M. Decaria)
Fixed bug #46755 (warning: use statement with non-compound name). (Dmitry)
Fixed bug #46746 (xmlrpc_decode_request outputs non-suppressable error when given bad data). (Ilia)
Fixed bug #46738 (Segfault when mb_detect_encoding() fails). (Scott)
Fixed bug #46731 (Missing validation for the options parameter of the imap_fetch_overview() function). (Ilia)
Fixed bug #46711 (cURL curl_setopt leaks memory in foreach loops). (magicaltux [at] php [dot] net)
Fixed bug #46701 (Creating associative array with long values in the key fails on 32bit linux). (Shire)
Fixed bug #46681 (mkdir() fails silently on PHP 5.3). (Hannes)
Fixed bug #46653 (can't extend mysqli). (Johannes)
Fixed bug #46646 (Restrict serialization on some internal classes like Closure and SplFileInfo using exceptions). (Etienne)
Fixed bug #46623 (OCI8: phpinfo doesn't show compile time ORACLE_HOME with phpize) (Chris Jones/Oracle Corp.)
Fixed bug #46578 (strip_tags() does not honor end-of-comment when it encounters a single quote). (Felipe)
Fixed bug #46546 (Segmentation fault when using declare statement with non-string value). (Felipe)
Fixed bug #46542 (Extending PDO class with a __call() function doesn't work as expected). (Johannes)
Fixed bug #46421 (SplFileInfo not correctly handling /). (Etienne)
Fixed bug #46347 (parse_ini_file() doesn't support * in keys). (Nuno)
Fixed bug #46268 (DateTime::modify() does not reset relative time values). (Derick)
Fixed bug #46241 (stacked error handlers, internal error handling in general). (Etienne)
Fixed bug #46238 (Segmentation fault on static call with empty string method). (Felipe)
Fixed bug #46192 (ArrayObject with objects as storage serialization). (Etienne)
Fixed bug #46185 (importNode changes the namespace of an XML element). (Rob)
Fixed bug #46178 (memory leak in ext/phar). (Greg)
Fixed bug #46160 (SPL - Memory leak when exception is thrown in offsetSet). (Felipe)
Fixed bug #46147 (after stream seek, appending stream filter reads incorrect data). (Greg)
Fixed bug #46127 (php_openssl_tcp_sockop_accept forgets to set context on accepted stream) (Mark Karpeles, Pierre)
Fixed bug #46115 (Memory leak when calling a method using Reflection). (Dmitry)
Fixed bug #46110 (XMLWriter - openmemory() and openuri() leak memory on multiple calls). (Ilia)
Fixed bug #46108 (DateTime - Memory leak when unserializing). (Felipe)
Fixed bug #46106 (Memory leaks when using global statement). (Dmitry)
Fixed bug #46099 (Xsltprocessor::setProfiling - memory leak). (Felipe, Rob).
Fixed bug #46087 (DOMXPath - segfault on destruction of a cloned object). (Ilia)
Fixed bug #46048 (SimpleXML top-level @attributes not part of iterator). (David C.)
Fixed bug #46044 (Mysqli - wrong error message). (Johannes)
Fixed bug #46042 (memory leaks with reflection of mb_convert_encoding()). (Ilia)
Fixed bug #46039 (ArrayObject iteration is slow). (Arnaud)
Fixed bug #46033 (Direct instantiation of SQLite3stmt and SQLite3result cause a segfault.) (Scott)
Fixed bug #45991 (Ini files with the UTF-8 BOM are treated as invalid). (Scott)
Fixed bug #45989 (json_decode() doesn't return NULL on certain invalid strings). (magicaltux, Scott)
Fixed bug #45976 (Moved SXE from SPL to SimpleXML). (Etienne)
Fixed bug #45928 (large scripts from stdin are stripped at 16K border). (Christian Schneider, Arnaud)
Fixed bug #45911 (Cannot disable ext/hash). (Arnaud)
Fixed bug #45907 (undefined reference to 'PHP_SHA512Init'). (Greg)
Fixed bug #45826 (custom ArrayObject serialization). (Etienne)
Fixed bug #45820 (Allow empty keys in ArrayObject). (Etienne)
Fixed bug #45791 (json_decode() doesn't convert 0e0 to a double). (Scott)
Fixed bug #45786 (FastCGI process exited unexpectedly). (Dmitry)
Fixed bug #45757 (FreeBSD4.11 build failure: failed include; stdint.h). (Hannes)
Fixed bug #45743 (property_exists fails to find static protected member in child class). (Felipe)
Fixed bug #45717 (Fileinfo/libmagic build fails, missing err.h and getopt.h). (Derick)
Fixed bug #45706 (Unserialization of classes derived from ArrayIterator fails). (Etienne, Dmitry)
Fixed bug #45696 (Not all DateTime methods allow method chaining). (Derick)
Fixed bug #45682 (Unable to var_dump(DateInterval)). (Derick)
Fixed bug #45447 (Filesystem time functions on Vista and server 2008). (Pierre)
Fixed bug #45432 (PDO: persistent connection leak). (Felipe)
Fixed bug #45392 (ob_start()/ob_end_clean() and memory_limit). (Ilia)
Fixed bug #45384 (parse_ini_file will result in parse error with no trailing newline). (Arnaud)
Fixed bug #45382 (timeout bug in stream_socket_enable_crypto). (vnegrier at optilian dot com, Ilia)
Fixed bug #45044 (relative paths not resolved correctly). (Dmitry)
Fixed bug #44861 (scrollable cursor don't work with pgsql). (Matteo)
Fixed bug #44842 (parse_ini_file keys that start/end with underscore). (Arnaud)
Fixed bug #44575 (parse_ini_file comment # line problems). (Arnaud)
Fixed bug #44409 (PDO::FETCH_SERIALIZE calls __construct()). (Matteo)
Fixed bug #44173 (PDO->query() parameter parsing/checking needs an update). (Matteo)
Fixed bug #44154 (pdo->errorInfo() always have three elements in the returned array). (David C.)
Fixed bug #44153 (pdo->errorCode() returns NULL when there are no errors). (David C.)
Fixed bug #44135 (PDO MySQL does not support CLIENT_FOUND_ROWS). (Johannes, chx1975 at gmail dot com)
Fixed bug #44100 (Inconsistent handling of static array declarations with duplicate keys). (Dmitry)
Fixed bug #43831 ($this gets mangled when extending PDO with persistent connection). (Felipe)
Fixed bug #43817 (opendir() fails on Windows directories with parent directory unaccessible). (Dmitry)
Fixed bug #43069 (SoapClient causes 505 HTTP Version not supported error message). (Dmitry)
Fixed bug #43008 (php://filter uris ignore url encoded filternames and can't handle slashes). (Arnaud)
Fixed bug #42362 (HTTP status codes 204 and 304 should not be gzipped). (Scott, Edward Z. Yang)
Fixed bug #41874 (separate STDOUT and STDERR in exec functions). (Kanwaljeet Singla, Venkat Raman Don, Pierre)
Fixed bug #41534 (SoapClient over HTTPS fails to reestablish connection). (Dmitry)
Fixed bug #38802 (max_redirects and ignore_errors). (patch by [email protected])
Fixed bug #35980 (touch() works on files but not on directories). (Pierre)

New in PHP 5.2.9 (Apr 4, 2009)

Security Fixes:
Fixed security issue in imagerotate(), background colour isn't validated correctly with a non truecolour image. Reported by Hamid Ebadi, APA Laboratory (Fixes CVE-2008-5498). (Scott)
Fixed a crash on extract in zip when files or directories entry names contain a relative path. (Pierre)
Fixed explode() behavior with empty string to respect negative limit. (Shire)
Fixed a segfault when malformed string is passed to json_decode(). (Scott)
Fixed bug in xml_error_string() which resulted in messages being off by one. (Scott)
Changed __call() to be invoked on private/protected method access, similar to properties and __get(). (Andrei)
Added optional sorting type flag parameter to array_unique(). Default is SORT_REGULAR. (Andrei)
Fixed zip filename property read. (Pierre)
Fixed error conditions handling in stream_filter_append(). (Arnaud)
Fixed bug #47422 (modulus operator returns incorrect results on 64 bit linux). (Matt)
Fixed bug #47399 (mb_check_encoding() returns true for some illegal SJIS characters). (for-bugs at hnw dot jp, Moriyoshi)
Fixed bug #47353 (crash when creating a lot of objects in object destructor). (Tony)
Fixed bug #47322 (sscanf %d doesn't work). (Felipe)
Fixed bug #47282 (FILTER_VALIDATE_EMAIL is marking valid email addresses as invalid). (Ilia)
Fixed bug #47220 (segfault in dom_document_parser in recovery mode). (Rob)
Fixed bug #47217 (content-type is not set properly for file uploads). (Ilia)
Fixed bug #47174 (base64_decode() interprets pad char in mid string as terminator). (Ilia)
Fixed bug #47165 (Possible memory corruption when passing return value by reference). (Dmitry)
Fixed bug #47152 (gzseek/fseek using SEEK_END produces strange results). (Felipe)
Fixed bug #47131 (SOAP Extension ignores "user_agent" ini setting). (Ilia)
Fixed bug #47109 (Memory leak on $a->{"a"."b"} when $a is not an object). (Etienne, Dmitry)
Fixed bug #47104 (Linking shared extensions fails with icc). (Jani)
Fixed bug #47049 (SoapClient::__soapCall causes a segmentation fault). (Dmitry)
Fixed bug #47048 (Segfault with new pg_meta_data). (Felipe)
Fixed bug #47042 (PHP cgi sapi is removing SCRIPT_FILENAME for non apache). (Sriram Natarajan)
Fixed bug #47037 (No error when using fopen with empty string). (Cristian Rodriguez R., Felipe)
Fixed bug #47035 (dns_get_record returns a garbage byte at the end of a TXT record). (Felipe)
Fixed bug #47027 (var_export doesn't show numeric indices on ArrayObject). (Derick)
Fixed bug #46985 (OVERWRITE and binary mode does not work, regression introduced in 5.2.8). (Pierre)
Fixed bug #46973 (IPv6 address filter rejects valid address). (Felipe)
Fixed bug #46964 (Fixed pdo_mysql build with older version of MySQL). (Ilia)
Fixed bug #46959 (Unable to disable PCRE). (Scott)
Fixed bug #46918 (imap_rfc822_parse_adrlist host part not filled in correctly). (Felipe)
Fixed bug #46889 (Memory leak in strtotime()). (Derick)
Fixed bug #46887 (Invalid calls to php_error_docref()). (oeriksson at mandriva dot com, Ilia)
Fixed bug #46873 (extract($foo) crashes if $foo['foo'] exists). (Arnaud)
Fixed bug #46843 (CP936 euro symbol is not converted properly). (ty_c at cybozuy dot co dot jp, Moriyoshi)
Fixed bug #46798 (Crash in mssql extension when retrieving a NULL value inside a binary or image column type). (Ilia)
Fixed bug #46782 (fastcgi.c parse error). (Matt)
Fixed bug #46760 (SoapClient doRequest fails when proxy is used). (Felipe)
Fixed bug #46748 (Segfault when an SSL error has more than one error). (Scott)
Fixed bug #46739 (array returned by curl_getinfo should contain content_type key). (Mikko)
Fixed bug #46699 (xml_parse crash when parser is namespace aware). (Rob)
Fixed bug #46419 (Elements of associative arrays with NULL value are lost). (Dmitry)
Fixed bug #46282 (Corrupt DBF When Using DATE). (arne at bukkie dot nl)
Fixed bug #46026 (bz2.decompress/zlib.inflate filter tries to decompress after end of stream). (Greg)
Fixed bug #46005 (User not consistently logged under Apache2). (admorten at umich dot edu, Stas)
Fixed bug #45996 (libxml2 2.7 causes breakage with character data in xml_parse()). (Rob)
Fixed bug #45940 (MySQLI OO does not populate connect_error property on failed connect). (Johannes)
Fixed bug #45923 (mb_st[r]ripos() offset not handled correctly). (Moriyoshi)
Fixed bug #45327 (memory leak if offsetGet throws exception). (Greg)
Fixed bug #45239 (Encoding detector hangs with mbstring.strict_detection enabled). (Moriyoshi)
Fixed bug #45161 (Reusing a curl handle leaks memory). (Mark Karpeles, Jani)
Fixed bug #44336 (Improve pcre UTF-8 string matching performance). (frode at coretrek dot com, Nuno)
Fixed bug #43841 (mb_strrpos() offset is byte count for negative values). (Moriyoshi)
Fixed bug #37209 (mssql_execute with non fatal errors). (Kalle)
Fixed bug #35975 (Session cookie expires date format isn't the most compatible. Now matches that of setcookie()). (Scott)

New in PHP 5.2.8 (Dec 28, 2008)

New in PHP 5.2.7 (Dec 28, 2008)

Security Fixes:
Upgraded PCRE to version 7.8 (Fixes CVE-2008-2371) (Ilia)
Fixed missing initialization of BG(page_uid) and BG(page_gid), reported by Maksymilian Arciemowicz. (Stas)
Fixed incorrect php_value order for Apache configuration, reported by Maksymilian Arciemowicz. (Stas)
Fixed a crash inside gd with invalid fonts (Fixes CVE-2008-3658). (Pierre)
Fixed a possible overflow inside memnstr (Fixes CVE-2008-3659). (Laurent Gaffie)
Fixed security issues detailed in CVE-2008-2665 and CVE-2008-2666. (Christian Hoffmann)
Fixed bug #45151 (Crash with URI/file..php (filename contains 2 dots)).(Fixes CVE-2008-3660) (Dmitry)
Fixed bug #42862 (IMAP toolkit crash: rfc822.c legacy routine buffer overflow). (Fixes CVE-2008-2829) (Dmitry)
Updated timezone database to version 2008.9. (Derick)
Upgraded bundled libzip to 0.9.0. (Pierre)
Added logging option for error_log to send directly to SAPI. (Stas)
Added PHP_MAJOR_VERSION, PHP_MINOR_VERSION, PHP_RELEASE_VERSION,PHP_EXTRA_VERSION, PHP_VERSION_ID, PHP_ZTS and PHP_DEBUG constants. (Pierre)
Added "PHP_INI_SCAN_DIR" environment variable which can be used to either disable or change the compile time ini scan directory (FR Fixed bug #45114). (Jani)
Fixed memory leak inside sqlite_create_aggregate(). (Felipe)
Fixed memory leak inside PDO sqlite's sqliteCreateAggregate() method. (Felipe)
Fixed memory leak inside readline_callback_handler_remove() function. (Felipe)
Fixed sybase_fetch_*() to continue reading after CS_ROW_FAIL status (Timm)
Fixed a bug inside dba_replace() that could cause file truncation with invalid keys. (Ilia)
Fixed memory leak inside readline_callback_handler_install() function. (Ilia)
Fixed memory leak inside readline_completion_function() function. (Felipe)
Fixed stream_get_contents() when using $maxlength and socket is not closed. indeyets [at] php [dot] net on Fixed bug #46049. (Arnaud)
Fixed stream_get_line() to behave as documented on non-blocking streams. (Arnaud)
Fixed endless loop in PDOStatement::debugDumpParams().(jonah.harris at gmail dot com)
Fixed ability to use "internal" heaps in extensions. (Arnaud, Dmitry)
Fixed weekdays adding/subtracting algorithm. (Derick)
Fixed some ambiguities in the date parser. (Derick)
Fixed a bug with the YYYY-MM format not resetting the day correctly. (Derick)
Fixed a bug in the DateTime->modify() methods, it would not use the advanced relative time strings. (Derick)
Fixed extraction of zip files or directories when the entry name is a relative path. (Pierre)
Fixed read or write errors for large zip archives. (Pierre)
Fixed simplexml asXML() not to lose encoding when dumping entire document to file. (Ilia)
Fixed a crash inside PDO when trying instantiate PDORow manually. (Felipe)
Fixed build failure of ext/mysqli with libmysql 6.0 - missing rpl functions. (Andrey)
Fixed a regression when using strip_tags() and < is within an attribute. (Scott)
Fixed a crash on invalid method in ReflectionParameter constructor. (Christian Seiler)
Reverted fix for bug Fixed bug #44197 due to behaviour change in minor version. (Felipe)
Fixed bug #46732 (mktime.year description is wrong). (Derick)
Fixed bug #46696 (cURL fails in upload files with specified content-type). (Ilia)
Fixed bug #46673 (stream_lock call with wrong parameter). (Arnaud)
Fixed bug #46649 (Setting array element with that same array produces inconsistent results). (Arnaud)
Fixed bug #46626 (mb_convert_case does not handle apostrophe correctly). (Ilia)
Fixed bug #46543 (ibase_trans() memory leaks when using wrong parameters). (Felipe)
Fixed bug #46521 (Curl ZTS OpenSSL, error in config.m4 fragment). (jd at cpanel dot net)
Fixed bug #46496 (wddx_serialize treats input as ISO-8859-1). (Mark Karpeles)
Fixed bug #46427 (SoapClient() stumbles over its "stream_context" parameter). (Dmitry, Herman Radtke)
Fixed bug #46426 (offset parameter of stream_get_contents() does not workfor "0"). (Felipe)
Fixed bug #46406 (Unregistering nodeclass throws E_FATAL). (Rob)
Fixed bug #46389 (NetWare needs small patch for _timezone). (patch by [email protected])
Fixed bug #46388 (stream_notification_callback inside of object destroys object variables). (Felipe)
Fixed bug #46381 (wrong $this passed to internal methods causes segfault). (Tony)
Fixed bug #46379 (Infinite loop when parsing '#' in one line file). (Arnaud)
Fixed bug #46366 (bad cwd with / as pathinfo). (Dmitry)
Fixed bug #46360 (TCP_NODELAY constant for socket_{get,set}_option). (bugs at trick dot vanstaveren dot us)
Fixed bug #46343 (IPv6 address filter accepts invalid address). (Ilia)
Fixed bug #46335 (DOMText::splitText doesn't handle multibyte characters). (Rob)
Fixed bug #46323 (compilation of simplexml for NetWare breaks). (Patch by [email protected])
Fixed bug #46319 (PHP sets default Content-Type header for HTTP 304 response code, in cgi sapi). (Ilia)
Fixed bug #46313 (Magic quotes broke $_FILES). (Arnaud)
Fixed bug #46308 (Invalid write when changing property from inside getter). (Dmitry)
Fixed bug #46292 (PDO::setFetchMode() shouldn't requires the 2nd arg when using FETCH_CLASSTYPE). (Felipe)
Fixed bugs #46274, #46249 (pdo_pgsql always fill in NULL for empty BLOB and segfaults when returned by SELECT). (Felipe)
Fixed bug #46271 (local_cert option is not resolved to full path). (Ilia)
Fixed bug #46247 (ibase_set_event_handler() is allowing to pass callback without event). (Felipe)
Fixed bug #46246 (difference between call_user_func(array($this, $method))and $this->$method()). (Dmitry)
Fixed bug #46222 (ArrayObject EG(uninitialized_var_ptr) overwrite). (Etienne)
Fixed bug #46215 (json_encode mutates its parameter and has some class-specific state). (Felipe)
Fixed bug #46206 (pg_query_params/pg_execute convert passed values to strings). (Ilia)
Fixed bug #46191 (BC break: DOMDocument saveXML() doesn't accept null). (Rob)
Fixed bug #46164 (stream_filter_remove() closes the stream). (Arnaud)
Fixed bug #46157 (PDOStatement::fetchObject prototype error). (Felipe)
Fixed bug #46147 (after stream seek, appending stream filter reads incorrect data). (Greg)
Fixed bug #46139 (PDOStatement->setFetchMode() forgets FETCH_PROPS_LATE). (chsc at peytz dot dk, Felipe)
Fixed bug #46127 (php_openssl_tcp_sockop_accept forgets to set context on accepted stream). (Mark Karpeles, Pierre)
Fixed bug #46110 (XMLWriter - openmemory() and openuri() leak memory on multiple calls). (Ilia)
Fixed bug #46088 (RegexIterator::accept - segfault). (Felipe)
Fixed bug #46082 (stream_set_blocking() can cause a crash in some circumstances). (Felipe)
Fixed bug #46064 (Exception when creating ReflectionProperty object on dynamicly created property). (Felipe)
Fixed bug #46059 (Compile failure under IRIX 6.5.30 building posix.c). (Arnaud)
Fixed bug #46053 (SplFileObject::seek - Endless loop). (Arnaud)
Fixed bug #46051 (SplFileInfo::openFile - memory overlap). (Arnaud)
Fixed bug #46047 (SimpleXML converts empty nodes into object with nested array). (Rob)
Fixed bug #46031 (Segfault in AppendIterator::next). (Arnaud)
Fixed bug #46029 (Segfault in DOMText when using with Reflection). (Rob)
Fixed bug #46026 (bzip2.decompress/zlib.inflate filter tries to decompress after end of stream). (Keisial at gmail dot com, Greg)
Fixed bug #46024 (stream_select() doesn't return the correct number).(Arnaud)
Fixed bug #46010 (warnings incorrectly generated for iv in ecb mode). (Felipe)
Fixed bug #46003 (isset on nonexisting node return unexpected results). (Rob)
Fixed bug #45956 (parse_ini_file() does not return false with syntax errors in parsed file). (Jani)
Fixed bug #45901 (wddx_serialize_value crash with SimpleXMLElement object).(Rob)
Fixed bug #45862 (get_class_vars is inconsistent with 'protected' and 'private' variables). (ilewis at uk dot ibm dot com, Felipe)
Fixed bug #45860 (header() function fails to correctly replace all Status lines). (Dmitry)
Fixed bug #45805 (Crash on throwing exception from error handler). (Dmitry)
Fixed bug #45765 (ReflectionObject with default parameters of self::xxx cause an error). (Felipe)
Fixed bug #45751 (Using auto_prepend_file crashes (out of scope stack address use)). (basant dot kukreja at sun dot com)
Fixed bug #45722 (mb_check_encoding() crashes). (Moriyoshi)
Fixed bug #45705 (rfc822_parse_adrlist() modifies passed address parameter). (Jani)
Fixed bug #45691 (Some per-dir or runtime settings may leak into other requests). (Moriyoshi)
Fixed bug #45581 (htmlspecialchars() double encoding hex items). (Arnaud)
Fixed bug #45580 (levenshtein() crashes with invalid argument). (Ilia)
Fixed bug #45575 (Segfault with invalid non-string as event handler callback). (Christian Seiler)
Fixed bug #45568 (ISAPI doesn't properly clear auth_digest in header). (Patch by: navara at emclient dot com)
Fixed bug #45556 (Return value from callback isn't freed). (Felipe)
Fixed bug #45555 (Segfault with invalid non-string as register_introspection_callback). (Christian Seiler)
Fixed bug #45553 (Using XPath to return values for attributes with a namespace does not work). (Rob)
Fixed bug #45529 (new DateTimeZone() and date_create()->getTimezone() behave different). (Derick)
Fixed bug #45522 (FCGI_GET_VALUES request does not return supplied values). (Arnaud)
Fixed bug #45486 (mb_send_mail(); header 'Content-Type: text/plain; charset=' parsing incorrect). (Felipe)
Fixed bug #45485 (strip_tags and

New in PHP 5.2.6 (Oct 9, 2008)

Security Fixes
Fixed possible stack buffer overflow in FastCGI SAPI. (Andrei Nigmatulin)
Properly address incomplete multibyte chars inside escapeshellcmd() (Ilia, Stefan Esser)
Fixed security issue detailed in CVE-2008-0599. (Rasmus)
Fixed a safe_mode bypass in cURL identified by Maksymilian Arciemowicz. (Ilia)
Upgraded PCRE to version 7.6 (Nuno)
Fixed two possible crashes inside posix extension (Tony)
Fixed incorrect heredoc handling when label is used within the block. (Matt)
Fixed sending of uninitialized paddings which may contain some information. (Andrei Nigmatulin)
Fixed a bug in formatting timestamps when DST is active in the default timezone (Derick)
Fix integer overflow in printf(). (Stas, Maksymilian Aciemowicz)
Fixed potential memleak in stream filter parameter for zlib filter. (Greg)
Added Reflection API metadata for the methods of the DOM classes. (Sebastian)
Fixed weird behavior in CGI parameter parsing. (Dmitry, Hannes Magnusson)
Fixed a bug with PDO::FETCH_COLUMN|PDO::FETCH_GROUP mode when a column # by which to group by data is specified. (Ilia)
Fixed segfault in filter extension when using callbacks. (Arnar Mar Sig, Felipe)
Fixed faulty fix for bug Fixed bug #40189 (endless loop in zlib.inflate stream filter). (Greg)
Fixed bug #44742 (timezone_offset_get() causes segmentation faults). (Derick)
Fixed bug #44720 (Prevent crash within session_register()). (Scott)
Fixed bug #44703 (htmlspecialchars() does not detect bad character set argument). (Andy Wharmby)
Fixed bug #44673 (With CGI argv/argc starts from arguments, not from script) (Dmitry)
Fixed bug #44667 (proc_open() does not handle pipes with the mode 'wb' correctly). (Jani)
Fixed bug #44663 (Crash in imap_mail_compose if "body" parameter invalid). (Ilia)
Fixed bug #44650 (escapeshellscmd() does not check arg count). (Ilia)
Fixed bug #44613 (Crash inside imap_headerinfo()). (Ilia, jmessa)
Fixed bug #44603 (Order issues with Content-Type/Length headers on POST). (Ilia)
Fixed bug #44594 (imap_open() does not validate # of retries parameter). (Ilia)
Fixed bug #44591 (imagegif's filename parameter). (Felipe)
Fixed bug #44557 (Crash in imap_setacl when supplied integer as username) (Thomas Jarosch)
Fixed bug #44487 (call_user_method_array issues a warning when throwing an exception). (David Soria Parra)
Fixed bug #44478 (Inconsistent behaviour when assigning new nodes). (Rob, Felipe)
Fixed bug #44445 (email validator does not handle domains starting/ending with a -). (Ilia)
Fixed bug #44440 (st_blocks undefined under BeOS). (Felipe)
Fixed bug #44394 (Last two bytes missing from output). (Felipe)
Fixed bug #44388 (Crash inside exif_read_data() on invalid images) (Ilia)
Fixed bug #44373 (PDO_OCI extension compile failed). (Felipe)
Fixed bug #44333 (SEGFAULT when using mysql_pconnect() with client_flags). (Felipe)
Fixed bug #44306 (Better detection of MIPS processors on Windows). (Ilia)
Fixed bug #44242 (metaphone('CMXFXM') crashes PHP). (Felipe)
Fixed bug #44233 (MSG_PEEK undefined under BeOS R5). (jonathonfreeman at gmail dot com, Ilia)
Fixed bug #44216 (strftime segfaults on large negative value). (Derick)
Fixed bug #44209 (strtotime() doesn't support 64 bit timestamps on 64 bit platforms). (Derick)
Fixed bug #44206 (OCI8 selecting ref cursors leads to ORA-1000 maximum open cursors reached). (Oracle Corp.)
Fixed bug #44200 (A crash in PDO when no bound targets exists and yet bound parameters are present). (Ilia)
Fixed bug #44197 (socket array keys lost on socket_select). (Felipe)
Fixed bug #44191 (preg_grep messes up array index). (Felipe)
Fixed bug #44189 (PDO setAttribute() does not properly validate values for native numeric options). (Ilia)
Fixed bug #44184 (Double free of loop-variable on exception). (Dmitry)
Fixed bug #44171 (Invalid FETCH_COLUMN index does not raise an error). (Ilia)
Fixed bug #44166 (Parameter handling flaw in PDO::getAvailableDrivers()). (Ilia)
Fixed bug #44159 (Crash: $pdo->setAttribute(PDO::STATEMENT_ATTR_CLASS, NULL)). (Felipe)
Fixed bug #44152 (Possible crash with syslog logging on ZTS builds). (Ilia)
Fixed bug #44141 (private parent constructor callable through static function). (Dmitry)
Fixed bug #44113 (OCI8 new collection creation can fail with OCI-22303). (Oracle Corp.)
Fixed bug #44069 (Huge memory usage with concatenation using . instead of .=). (Dmitry)
Fixed bug #44046 (crash inside array_slice() function with an invalid by-ref offset). (Ilia)
Fixed bug #44028 (crash inside stream_socket_enable_crypto() when enabling encryption without crypto type). (Ilia)
Fixed bug #44018 (RecursiveDirectoryIterator options inconsistancy). (Marcus)
Fixed bug #44008 (OCI8 incorrect usage of OCI-Lob->close crashes PHP). (Oracle Corp.)
Fixed bug #43998 (Two error messages returned for incorrect encoding for mb_strto[upper|lower]). (Rui)
Fixed bug #43994 (mb_ereg 'successfully' matching incorrect). (Rui)
Fixed bug #43954 (Memory leak when sending the same HTTP status code multiple times). (Scott)
Fixed bug #43927 (koi8r is missing from html_entity_decode()). (andy at demos dot su, Tony)
Fixed bug #43912 (Interbase column names are truncated to 31 characters). (Ilia)
Fixed bug #43875 (Two error messages returned for $new and $flag argument in mysql_connect()). (Hannes)
Fixed bug #43863 (str_word_count() breaks on cyrillic "ya" in locale cp1251). (phprus at gmail dot com, Tony)
Fixed bug #43841 (mb_strrpos offset is byte count for negative values). (Rui)
Fixed bug #43840 (mb_strpos bounds check is byte count rather than a character count). (Rui)
Fixed bug #43808 (date_create never fails (even when it should)). (Derick)
Fixed bug #43793 (zlib filter is unable to auto-detect gzip/zlib file headers). (Greg)
Fixed bug #43703 (Signature compatibility check broken). (Dmitry)
Fixed bug #43677 (Inconsistent behaviour of include_path set with php_value). (manuel at mausz dot at)
Fixed bug #43663 (Extending PDO class with a __call() function doesn't work). (David Soria Parra)
Fixed bug #43647 (Make FindFile use PATH_SEPARATOR instead of ";"). (Ilia)
Fixed bug #43635 (mysql extension ingores INI settings on NULL values passed to mysql_connect()). (Ilia)
Fixed bug #43620 (Workaround for a bug inside libcurl 7.16.2 that can result in a crash). (Ilia)
Fixed bug #43614 (incorrect processing of numerical string keys of array in arbitrary serialized data). (Dmitriy Buldakov, Felipe)
Fixed bug #43606 (define missing depencies of the exif extension). (crrodriguez at suse dot de)
Fixed bug #43589 (a possible infinite loop in bz2_filter.c). (Greg)
Fixed bug #43580 (removed bogus declaration of a non-existent php_is_url() function). (Ilia)
Fixed bug #43559 (array_merge_recursive() doesn't behave as expected with duplicate NULL values). (Felipe, Tony)
Fixed bug #43533 (escapeshellarg('') returns null). (Ilia)
Fixed bug #43527 (DateTime created from a timestamp reports environment timezone). (Derick)
Fixed bug #43522 (stream_get_line() eats additional characters). (Felipe, Ilia, Tony)
Fixed bug #43507 (SOAPFault HTTP Status 500 - would like to be able to set the HTTP Status). (Dmitry)
Fixed bug #43505 (Assign by reference bug). (Dmitry)
Fixed bug #43498 (file_exists() on a proftpd server got SIZE not allowed in ASCII mode). (Ilia, crrodriguez at suse dot de)
Fixed bug #43497 (OCI8 XML/getClobVal aka temporary LOBs leak UGA memory). (Chris)
Fixed bug #43495 (array_merge_recursive() crashes with recursive arrays). (Ilia)
Fixed bug #43493 (pdo_pgsql does not send username on connect when password is not available). (Ilia)
Fixed bug #43491 (Under certain conditions, file_exists() never returns). (Dmitry)
Fixed bug #43483 (get_class_methods() does not list all visible methods). (Dmitry)
Fixed bug #43482 (array_pad() does not warn on very small pad numbers). (Ilia)
Fixed bug #43457 (Prepared statement with incorrect parms doesn't throw exception with pdo_pgsql driver). (Ilia)
Fixed bug #43450 (Memory leak on some functions with implicit object __toString() call). (David C.)
Fixed bug #43386 (array_globals not reset to 0 properly on init). (Ilia)
Fixed bug #43377 (PHP crashes with invalid argument for DateTimeZone). (Ilia)
Fixed bug #43373 (pcntl_fork() should not raise E_ERROR on error). (Ilia)
Fixed bug #43364 (recursive xincludes don't remove internal xml nodes properly). (Rob, patch from [email protected])
Fixed bug #43301 (mb_ereg*_replace() crashes when replacement string is invalid PHP expression and 'e' option is used). (Jani)
Fixed bug #43295 (crash because of uninitialized SG(sapi_headers).mimetype). (Dmitry)
Fixed bug #43293 (Multiple segfaults in getopt()). (Hannes)
Fixed bug #43279 (pg_send_query_params() converts all elements in 'params' to strings). (Ilia)
Fixed bug #43276 (Incomplete fix for bug #42739, mkdir() under safe_mode). (Ilia)
Fixed bug #43248 (backward compatibility break in realpath()). (Dmitry)
Fixed bug #43221 (SimpleXML adding default namespace in addAttribute). (Rob)
Fixed bug #43216 (stream_is_local() returns false on "file://"). (Dmitry)
Fixed bug #43201 (Crash on using uninitialized vals and __get/__set). (Dmitry)
Fixed bug #43182 (file_put_contents() LOCK_EX does not work properly on file truncation). (Ilia)
Fixed bug #43175 (__destruct() throwing an exception with __call() causes segfault). (Dmitry)
Fixed bug #43128 (Very long class name causes segfault). (Dmitry)
Fixed bug #43105 (PHP seems to fail to close open files). (Hannes)
Fixed bug #43092 (curl_copy_handle() crashes with > 32 chars long URL). (Jani)
Fixed bug #43003 (Invalid timezone reported for DateTime objects constructed using a timestamp). (Derick)
Fixed bug #42978 (mismatch between number of bound params and values causes a crash in pdo_pgsql). (Ilia)
Fixed bug #42945 (preg_split() swallows part of the string). (Nuno)
Fixed bug #42937 (__call() method not invoked when methods are called on parent from child class). (Dmitry)
Fixed bug #42841 (REF CURSOR and oci_new_cursor() crash PHP). (Chris)
Fixed bug #42838 (Wrong results in array_diff_uassoc) (Felipe)
Fixed bug #42779 (Incorrect forcing from HTTP/1.0 request to HTTP/1.1 response). (Ilia)
Fixed bug #42736 (xmlrpc_server_call_method() crashes). (Tony)
Fixed bug #42692 (Procedure 'int1' not present with doc/lit SoapServer). (Dmitry)
Fixed bug #42548 (mysqli PROCEDURE calls can't return result sets). (Hartmut)
Fixed bug #42505 (new sendmail default breaks on Netware platform) (Guenter Knauf)
Fixed bug #42369 (Implicit conversion to string leaks memory). (David C., Rob).
Fixed bug #42272 (var_export() incorrectly escapes char(0)). (Derick)
Fixed bug #42261 (Incorrect lengths for date and boolean data types). (Ilia)
Fixed bug #42190 (Constructing DateTime with TimeZone Indicator invalidates DateTimeZone). (Derick)
Fixed bug #42177 (Warning "array_merge_recursive(): recursion detected" comes again...). (Felipe)
Fixed bug #41941 (oci8 extension not lib64 savvy). (Chris)
Fixed bug #41828 (Failing to call RecursiveIteratorIterator::__construct() causes a sefault). (Etienne)
Fixed bug #41599 (setTime() fails after modify() is used). (Derick)
Fixed bug #41562 (SimpleXML memory issue). (Rob)
Fixed bug #40013 (php_uname() does not return nodename on Netware (Guenter Knauf)
Fixed bug #38468 (Unexpected creation of cycle). (Dmitry)
Fixed bug #32979 (OpenSSL stream->fd casts broken in 64-bit build) (stotty at tvnet dot hu)