PHP 7.4.0beta4 released!

PHP 5 ChangeLog

Version 5.6.17

  • Core:
    • Fixed bug #66909 (configure fails utf8_to_mutf7 test).
    • Fixed bug #70958 (Invalid opcode while using ::class as trait method paramater default value).
    • Fixed bug #70957 (self::class can not be resolved with reflection for abstract class).
    • Fixed bug #70944 (try{ } finally{} can create infinite chains of exceptions).
    • Fixed bug #61751 (SAPI build problem on AIX: Undefined symbol: php_register_internal_extensions).
  • FPM:
    • Fixed bug #70755 (fpm_log.c memory leak and buffer overflow).
  • GD:
    • Fixed bug #70976 (Memory Read via gdImageRotateInterpolated Array Index Out of Bounds).
  • Mysqlnd:
    • Fixed bug #68077 (LOAD DATA LOCAL INFILE / open_basedir restriction).
  • SOAP:
    • Fixed bug #70900 (SoapClient systematic out of memory error).
  • Standard:
    • Fixed bug #70960 (ReflectionFunction for array_unique returns wrong number of parameters).
  • PDO_Firebird:
    • Fixed bug #60052 (Integer returned as a 64bit integer on X64_86).
  • WDDX:
    • Fixed bug #70661 (Use After Free Vulnerability in WDDX Packet Deserialization).
    • Fixed bug #70741 (Session WDDX Packet Deserialization Type Confusion Vulnerability).
  • XMLRPC:
    • Fixed bug #70728 (Type Confusion Vulnerability in PHP_to_XMLRPC_worker()).

Version 5.5.31

  • FPM:
    • Fixed bug #70755 (fpm_log.c memory leak and buffer overflow).
  • GD:
    • Fixed bug #70976 (Memory Read via gdImageRotateInterpolated Array Index Out of Bounds).
  • WDDX:
    • Fixed bug #70661 (Use After Free Vulnerability in WDDX Packet Deserialization).
    • Fixed bug #70741 (Session WDDX Packet Deserialization Type Confusion Vulnerability).
  • XMLRPC:
    • Fixed bug #70728 (Type Confusion Vulnerability in PHP_to_XMLRPC_worker()).

Version 5.6.16

  • Core:
    • Fixed bug #70828 (php-fpm 5.6 with opcache crashes when referencing a non-existent constant).
    • Fixed bug #70748 (Segfault in ini_lex () at Zend/zend_ini_scanner.l).
  • Mysqlnd:
    • Fixed bug #68344 (MySQLi does not provide way to disable peer certificate validation) by introducing MYSQLI_CLIENT_SSL_DONT_VERIFY_SERVER_CERT connection flag.
  • OCI8:
    • Fixed bug #68298 (OCI int overflow).
  • PDO_DBlib:
    • Fixed bug #69757 (Segmentation fault on nextRowset).
  • SOAP:
    • Fixed bug #70875 (Segmentation fault if wsdl has no targetNamespace attribute).
  • SPL:
    • Fixed bug #70852 (Segfault getting NULL offset of an ArrayObject).

Version 5.6.15

  • Core:
    • Fixed bug #70681 (Segfault when binding $this of internal instance method to null).
    • Fixed bug #70685 (Segfault for getClosure() internal method rebind with invalid $this).
  • Date:
    • Fixed bug #70619 (DateTimeImmutable segfault).
  • Mcrypt:
    • Fixed bug #70625 (mcrypt_encrypt() won't return data when no IV was specified under RC4).
  • Mysqlnd:
    • Fixed bug #70384 (mysqli_real_query():Unknown type 245 sent by the server).
    • Fixed bug #70572 segfault in mysqlnd_connect.
  • Opcache:
    • Fixed bug #70632 (Third one of segfault in gc_remove_from_buffer).
    • Fixed bug #70631 (Another Segfault in gc_remove_from_buffer()).
    • Fixed bug #70601 (Segfault in gc_remove_from_buffer()).
    • Fixed compatibility with Windows 10 (see also #70652).

Version 5.6.14

  • Core:
    • Fixed bug #70370 (Bundled libtool.m4 doesn't handle FreeBSD 10 when building extensions).
  • CLI server:
    • Fixed bug #68291 (404 on urls with '+').
  • DOM:
    • Fixed bug #70001 (Assigning to DOMNode::textContent does additional entity encoding).
  • ldap:
    • Fixed bug #70465 (Bug in ldap_search() modifies LDAP_OPT_TIMELIMIT/DEREF's values). (Tyson Andre).
    • Fixed bug #69574 (ldap timeouts not enforced). (Côme Bernigaud).
  • Mysqlnd:
    • Fixed bug #70456 (mysqlnd doesn't activate TCP keep-alive when connecting to a server).
  • OpenSSL:
    • Fixed bug #55259 (openssl extension does not get the DH parameters from DH key resource).
    • Fixed bug #70395 (Missing ARG_INFO for openssl_seal()).
    • Fixed bug #60632 (openssl_seal fails with AES).
    • Fixed bug #68312 (Lookup for openssl.cnf causes a message box).
  • PDO:
    • Fixed bug #70389 (PDO constructor changes unrelated variables).
  • Phar:
    • Fixed bug #69720 (Null pointer dereference in phar_get_fp_offset()). (CVE-2015-7803)
    • Fixed bug #70433 (Uninitialized pointer in phar_make_dirstream when zip entry filename is "/"). (CVE-2015-7804)
  • Phpdbg:
    • Fix phpdbg_break_next() sometimes not breaking.
  • Standard:
    • Fixed bug #67131 (setcookie() conditional for empty values not met).
  • Streams:
    • Fixed bug #70361 (HTTP stream wrapper doesn't close keep-alive connections).
  • Zip:
    • Fixed bug #70322 (ZipArchive::close() doesn't indicate errors).

Version 5.5.30

  • Phar:
    • Fixed bug #69720 (Null pointer dereference in phar_get_fp_offset()). (CVE-2015-7803)
    • Fixed bug #70433 (Uninitialized pointer in phar_make_dirstream when zip entry filename is "/"). (CVE-2015-7804)

Version 5.6.13

  • Core:
    • Fixed bug #69900 (Too long timeout on pipes).
    • Fixed bug #69487 (SAPI may truncate POST data).
    • Fixed bug #70198 (Checking liveness does not work as expected).
    • Fixed bug #70172 (Use After Free Vulnerability in unserialize()). (CVE-2015-6834)
    • Fixed bug #70219 (Use after free vulnerability in session deserializer). (CVE-2015-6835)
  • CLI server:
    • Fixed bug #66606 (Sets HTTP_CONTENT_TYPE but not CONTENT_TYPE).
    • Fixed bug #70264 (CLI server directory traversal).
  • Date:
    • Fixed bug #70266 (DateInterval::__construct.interval_spec is not supposed to be optional).
    • Fixed bug #70277 (new DateTimeZone($foo) is ignoring text after null byte).
  • EXIF:
    • Fixed bug #70385 (Buffer over-read in exif_read_data with TIFF IFD tag byte value of 32 bytes).
  • GMP:
    • Fixed bug #70284 (Use after free vulnerability in unserialize() with GMP).
  • hash:
    • Fixed bug #70312 (HAVAL gives wrong hashes in specific cases).
  • MCrypt:
    • Fixed bug #69833 (mcrypt fd caching not working).
  • Opcache:
    • Fixed bug #70237 (Empty while and do-while segmentation fault with opcode on CLI enabled).
  • PCRE:
    • Fixed bug #70232 (Incorrect bump-along behavior with \K and empty string match).
    • Fixed bug #70345 (Multiple vulnerabilities related to PCRE functions).
  • SOAP:
    • Fixed bug #70388 (SOAP serialize_function_call() type confusion / RCE). (CVE-2015-6836)
  • SPL:
    • Fixed bug #70290 (Null pointer deref (segfault) in spl_autoload via ob_start).
    • Fixed bug #70303 (Incorrect constructor reflection for ArrayObject).
    • Fixed bug #70365 (Use-after-free vulnerability in unserialize() with SplObjectStorage). (CVE-2015-6834)
    • Fixed bug #70366 (Use-after-free vulnerability in unserialize() with SplDoublyLinkedList). (CVE-2015-6834)
  • Standard:
    • Fixed bug #70052 (getimagesize() fails for very large and very small WBMP).
    • Fixed bug #70157 (parse_ini_string() segmentation fault with INI_SCANNER_TYPED).
  • XSLT:
    • Fixed bug #69782 (NULL pointer dereference). (CVE-2015-6837, CVE-2015-6838)
  • ZIP:
    • Fixed bug #70350 (ZipArchive::extractTo allows for directory traversal when creating directories).

Version 5.5.29

  • Core:
    • Fixed bug #70172 (Use After Free Vulnerability in unserialize()). (CVE-2015-6834)
    • Fixed bug #70219 (Use after free vulnerability in session deserializer). (CVE-2015-6835)
  • EXIF:
    • Fixed bug #70385 (Buffer over-read in exif_read_data with TIFF IFD tag byte value of 32 bytes).
  • hash:
    • Fixed bug #70312 (HAVAL gives wrong hashes in specific cases).
  • PCRE:
    • Fixed bug #70345 (Multiple vulnerabilities related to PCRE functions).
  • SOAP:
    • Fixed bug #70388 (SOAP serialize_function_call() type confusion / RCE). (CVE-2015-6836)
  • SPL:
    • Fixed bug #70365 (Use-after-free vulnerability in unserialize() with SplObjectStorage). (CVE-2015-6834)
    • Fixed bug #70366 (Use-after-free vulnerability in unserialize() with SplDoublyLinkedList). (CVE-2015-6834)
  • XSLT:
    • Fixed bug #69782 (NULL pointer dereference). (CVE-2015-6837, CVE-2015-6838)
  • ZIP:
    • Fixed bug #70350 (ZipArchive::extractTo allows for directory traversal when creating directories).

Version 5.4.45

  • Core:
    • Fixed bug #70172 (Use After Free Vulnerability in unserialize()). (CVE-2015-6834)
    • Fixed bug #70219 (Use after free vulnerability in session deserializer). (CVE-2015-6835)
  • EXIF:
    • Fixed bug #70385 (Buffer over-read in exif_read_data with TIFF IFD tag byte value of 32 bytes).
  • hash:
    • Fixed bug #70312 (HAVAL gives wrong hashes in specific cases).
  • PCRE:
    • Fixed bug #70345 (Multiple vulnerabilities related to PCRE functions).
  • SOAP:
    • Fixed bug #70388 (SOAP serialize_function_call() type confusion / RCE). (CVE-2015-6836)
  • SPL:
    • Fixed bug #70365 (Use-after-free vulnerability in unserialize() with SplObjectStorage). (CVE-2015-6834)
    • Fixed bug #70366 (Use-after-free vulnerability in unserialize() with SplDoublyLinkedList). (CVE-2015-6834)
  • XSLT:
    • Fixed bug #69782 (NULL pointer dereference). (CVE-2015-6837, CVE-2015-6838)
  • ZIP:
    • Fixed bug #70350 (ZipArchive::extractTo allows for directory traversal when creating directories).

Version 5.6.12

  • Core:
    • Fixed bug #70012 (Exception lost with nested finally block).
    • Fixed bug #70002 (TS issues with temporary dir handling).
    • Fixed bug #69793 (Remotely triggerable stack exhaustion via recursive method calls).
    • Fixed bug #69892 (Different arrays compare indentical due to integer key truncation).
    • Fixed bug #70121 (unserialize() could lead to unexpected methods execution / NULL pointer deref).
  • CLI server:
    • Fixed bug #69655 (php -S changes MKCALENDAR request method to MKCOL).
    • Fixed bug #64878 (304 responses return Content-Type header).
  • GD:
    • Fixed bug #53156 (imagerectangle problem with point ordering).
    • Fixed bug #66387 (Stack overflow with imagefilltoborder).
    • Fixed bug #70102 (imagecreatefromwebm() shifts colors).
    • Fixed bug #66590 (imagewebp() doesn't pad to even length).
    • Fixed bug #66882 (imagerotate by -90 degrees truncates image by 1px).
    • Fixed bug #70064 (imagescale(..., IMG_BICUBIC) leaks memory).
    • Fixed bug #69024 (imagescale segfault with palette based image).
    • Fixed bug #53154 (Zero-height rectangle has whiskers).
    • Fixed bug #67447 (imagecrop() add a black line when cropping).
    • Fixed bug #68714 (copy 'n paste error).
    • Fixed bug #66339 (PHP segfaults in imagexbm).
    • Fixed bug #70047 (gd_info() doesn't report WebP support).
  • ODBC:
    • Fixed bug #69975 (PHP segfaults when accessing nvarchar(max) defined columns).
  • OpenSSL:
    • Fixed bug #69882 (OpenSSL error "key values mismatch" after openssl_pkcs12_read with extra cert).
    • Fixed bug #70014 (openssl_random_pseudo_bytes() is not cryptographically secure).
  • Phar:
    • Improved fix for bug #69441.
    • Fixed bug #70019 (Files extracted from archive may be placed outside of destination directory). (CVE-2015-6833)
  • SOAP:
    • Fixed bug #70081 (SoapClient info leak / null pointer dereference via multiple type confusions).
  • SPL:
    • Fixed bug #70068 (Dangling pointer in the unserialization of ArrayObject items). (CVE-2015-6832)
    • Fixed bug #70166 (Use After Free Vulnerability in unserialize() with SPLArrayObject). (CVE-2015-6831)
    • Fixed bug #70168 (Use After Free Vulnerability in unserialize() with SplObjectStorage). (CVE-2015-6831)
    • Fixed bug #70169 (Use After Free Vulnerability in unserialize() with SplDoublyLinkedList). (CVE-2015-6831)
  • Standard:
    • Fixed bug #70096 (Repeated iptcembed() adds superfluous FF bytes).

Version 5.5.28

06-Aug-2015
  • Core:
    • Fixed bug #69793 (Remotely triggerable stack exhaustion via recursive method calls).
    • Fixed bug #69892 (Different arrays compare indentical due to integer key truncation).
    • Fixed bug #70002 (TS issues with temporary dir handling).
    • Fixed bug #70121 (unserialize() could lead to unexpected methods execution / NULL pointer deref).
  • OpenSSL:
    • Fixed bug #70014 (openssl_random_pseudo_bytes() is not cryptographically secure).
  • Phar:
    • Improved fix for bug #69441.
    • Fixed bug #70019 (Files extracted from archive may be placed outside of destination directory). (CVE-2015-6833)
  • SOAP:
    • Fixed bug #70081 (SoapClient info leak / null pointer dereference via multiple type confusions).
  • SPL:
    • Fixed bug #70068 (Dangling pointer in the unserialization of ArrayObject items). (CVE-2015-6832)
    • Fixed bug #70166 (Use After Free Vulnerability in unserialize() with SPLArrayObject). (CVE-2015-6831)
    • Fixed bug #70168 (Use After Free Vulnerability in unserialize() with SplObjectStorage). (CVE-2015-6831)
    • Fixed bug #70169 (Use After Free Vulnerability in unserialize() with SplDoublyLinkedList). (CVE-2015-6831)

Version 5.4.44

06-Aug-2015
  • Core:
    • Fixed bug #69793 (Remotely triggerable stack exhaustion via recursive method calls).
    • Fixed bug #69892 (Different arrays compare indentical due to integer key truncation).
    • Fixed bug #70121 (unserialize() could lead to unexpected methods execution / NULL pointer deref).
  • OpenSSL:
    • Fixed bug #70014 (openssl_random_pseudo_bytes() is not cryptographically secure).
  • Phar:
    • Improved fix for bug #69441.
    • Fixed bug #70019 (Files extracted from archive may be placed outside of destination directory). (CVE-2015-6833)
  • SOAP:
    • Fixed bug #70081 (SoapClient info leak / null pointer dereference via multiple type confusions).
  • SPL:
    • Fixed bug #70068 (Dangling pointer in the unserialization of ArrayObject items). (CVE-2015-6832)
    • Fixed bug #70166 (Use After Free Vulnerability in unserialize() with SPLArrayObject). (CVE-2015-6831)
    • Fixed bug #70168 (Use After Free Vulnerability in unserialize() with SplObjectStorage). (CVE-2015-6831)
    • Fixed bug #70169 (Use After Free Vulnerability in unserialize() with SplDoublyLinkedList). (CVE-2015-6831)

Version 5.6.11

  • Core:
    • Fixed bug #69768 (escapeshell*() doesn't cater to !).
    • Fixed bug #69703 (Use __builtin_clzl on PowerPC).
    • Fixed bug #69732 (can induce segmentation fault with basic php code).
    • Fixed bug #69642 (Windows 10 reported as Windows 8).
    • Fixed bug #69551 (parse_ini_file() and parse_ini_string() segmentation fault).
    • Fixed bug #69781 (phpinfo() reports Professional Editions of Windows 7/8/8.1/10 as "Business").
    • Fixed bug #69740 (finally in generator (yield) swallows exception in iteration).
    • Fixed bug #69835 (phpinfo() does not report many Windows SKUs).
    • Fixed bug #69892 (Different arrays compare indentical due to integer key truncation).
    • Fixed bug #69874 (Can't set empty additional_headers for mail()), regression from fix to bug #68776.
  • GD:
    • Fixed bug #61221 (imagegammacorrect function loses alpha channel).
  • GMP:
    • Fixed bug #69803 (gmp_random_range() modifies second parameter if GMP number).
  • Mysqlnd:
    • Fixed bug #69669 (mysqlnd is vulnerable to BACKRONYM). (CVE-2015-3152)
  • PCRE:
    • Fixed bug #53823 (preg_replace: * qualifier on unicode replace garbles the string).
    • Fixed bug #69864 (Segfault in preg_replace_callback).
  • PDO_pgsql:
    • Fixed bug #69752 (PDOStatement::execute() leaks memory with DML Statements when closeCuror() is u).
    • Fixed bug #69362 (PDO-pgsql fails to connect if password contains a leading single quote).
    • Fixed bug #69344 (PDO PgSQL Incorrect binding numeric array with gaps).
  • Phar:
    • Fixed bug #69958 (Segfault in Phar::convertToData on invalid file). (CVE-2015-5589)
    • Fixed bug #69923 (Buffer overflow and stack smashing error in phar_fix_filepath). (CVE-2015-5590)
  • SimpleXML:
    • Refactored the fix for bug #66084 (simplexml_load_string() mangles empty node name).
  • SPL:
    • Fixed bug #69737 (Segfault when SplMinHeap::compare produces fatal error).
    • Fixed bug #67805 (SplFileObject setMaxLineLength).
    • Fixed bug #69970 (Use-after-free vulnerability in spl_recursive_it_move_forward_ex()).
  • Sqlite3:
    • Fixed bug #69972 (Use-after-free vulnerability in sqlite3SafetyCheckSickOrOk()).

Version 5.5.27

09-Jul-2015
  • Core:
    • Fixed bug #69768 (escapeshell*() doesn't cater to !).
    • Fixed bug #69703 (Use __builtin_clzl on PowerPC).
    • Fixed bug #69732 (can induce segmentation fault with basic php code).
    • Fixed bug #69642 (Windows 10 reported as Windows 8).
    • Fixed bug #69551 (parse_ini_file() and parse_ini_string() segmentation fault).
    • Fixed bug #69781 (phpinfo() reports Professional Editions of Windows 7/8/8.1/10 as "Business").
    • Fixed bug #69835 (phpinfo() does not report many Windows SKUs).
    • Fixed bug #69892 (Different arrays compare indentical due to integer key truncation).
    • Fixed bug #69874 (Can't set empty additional_headers for mail()), regression from fix to bug #68776.
  • GD:
    • Fixed bug #61221 (imagegammacorrect function loses alpha channel).
  • Mysqlnd:
    • Fixed bug #69669 (mysqlnd is vulnerable to BACKRONYM). (CVE-2015-3152)
  • PCRE:
    • Fixed Bug #53823 (preg_replace: * qualifier on unicode replace garbles the string).
    • Fixed bug #69864 (Segfault in preg_replace_callback).
  • PDO_pgsql:
    • Fixed bug #69752 (PDOStatement::execute() leaks memory with DML Statements when closeCuror() is u).
    • Fixed bug #69362 (PDO-pgsql fails to connect if password contains a leading single quote).
    • Fixed bug #69344 (PDO PgSQL Incorrect binding numeric array with gaps).
  • Phar:
    • Fixed bug #69958 (Segfault in Phar::convertToData on invalid file). (CVE-2015-5589)
    • Fixed bug #69923 (Buffer overflow and stack smashing error in phar_fix_filepath). (CVE-2015-5590)
  • SimpleXML:
    • Refactored the fix for bug #66084 (simplexml_load_string() mangles empty node name).
  • SPL:
    • Fixed bug #69737 (Segfault when SplMinHeap::compare produces fatal error).
    • Fixed bug #67805 (SplFileObject setMaxLineLength).

Version 5.4.43

09-Jul-2015
  • Core:
    • Fixed bug #69768 (escapeshell*() doesn't cater to !).
    • Fixed bug #69874 (Can't set empty additional_headers for mail()), regression from fix to bug #68776.
  • Mysqlnd:
    • Fixed bug #69669 (mysqlnd is vulnerable to BACKRONYM). (CVE-2015-3152)
  • Phar:
    • Fixed bug #69958 (Segfault in Phar::convertToData on invalid file). (CVE-2015-5589)
    • Fixed bug #69923 (Buffer overflow and stack smashing error in phar_fix_filepath). (CVE-2015-5590)

Version 5.6.10

  • Core:
    • Fixed bug #66048 (temp. directory is cached during multiple requests).
    • Fixed bug #69566 (Conditional jump or move depends on uninitialised value in extension trait).
    • Fixed bug #69599 (Strange generator+exception+variadic crash).
    • Fixed bug #69628 (complex GLOB_BRACE fails on Windows).
    • Fixed POST data processing slowdown due to small input buffer size on Windows.
    • Fixed bug #69646 (OS command injection vulnerability in escapeshellarg). (CVE-2015-4642)
    • Fixed bug #69719 (Incorrect handling of paths with NULs).
  • FTP:
    • Improved fix for bug #69545 (Integer overflow in ftp_genlist() resulting in heap overflow). (CVE-2015-4643)
  • GD:
    • Fixed bug #69479 (GD fails to build with newer libvpx).
  • Iconv:
    • Fixed bug #48147 (iconv with //IGNORE cuts the string).
  • Litespeed SAPI:
    • Fixed bug #68812 (Unchecked return value).
  • Mail:
    • Fixed bug #68776 (mail() does not have mail header injection prevention for additional headers).
  • MCrypt:
    • Added file descriptor caching to mcrypt_create_iv().
  • Opcache:
    • Fixed bug #69549 (Memory leak with opcache.optimization_level=0xFFFFFFFF).
  • PCRE:
    • Upgraded pcrelib to 8.37. (CVE-2015-2325, CVE-2015-2326)
  • Phar:
    • Fixed bug #69680 (phar symlink in binary directory broken).
  • Postgres:
    • Fixed bug #69667 (segfault in php_pgsql_meta_data). (CVE-2015-4644)
  • Sqlite3:
    • Upgrade bundled sqlite to 3.8.10.2. (CVE-2015-3414, CVE-2015-3415, CVE-2015-3416)

Version 5.5.26

11-Jun-2015
  • Core:
    • Fixed bug #69566 (Conditional jump or move depends on uninitialised value in extension trait).
    • Fixed bug #66048 (temp. directory is cached during multiple requests).
    • Fixed bug #69628 (complex GLOB_BRACE fails on Windows).
    • Fixed bug #69646 (OS command injection vulnerability in escapeshellarg). (CVE-2015-4642)
    • Fixed bug #69719 (Incorrect handling of paths with NULs).
  • FTP:
    • Improved fix for bug #69545 (Integer overflow in ftp_genlist() resulting in heap overflow). (CVE-2015-4643)
  • GD:
    • Fixed bug #69479 (GD fails to build with newer libvpx).
  • Iconv:
    • Fixed bug #48147 (iconv with //IGNORE cuts the string).
  • Litespeed SAPI:
    • Fixed bug #68812 (Unchecked return value).
  • Mail:
    • Fixed bug #68776 (mail() does not have mail header injection prevention for additional headers).
  • MCrypt:
    • Added file descriptor caching to mcrypt_create_iv().
  • Opcache:
    • Fixed bug #69549 (Memory leak with opcache.optimization_level=0xFFFFFFFF).
  • PCRE:
    • Upgraded pcrelib to 8.37. (CVE-2015-2325, CVE-2015-2326)
  • Phar:
    • Fixed bug #69680 (phar symlink in binary directory broken).
  • Postgres:
    • Fixed bug #69667 (segfault in php_pgsql_meta_data). (CVE-2015-4644)
  • Sqlite3:
    • Upgrade bundled sqlite to 3.8.10.2. (CVE-2015-3414, CVE-2015-3415, CVE-2015-3416)

Version 5.4.42

11-Jun-2015
  • Core:
    • Improved fix for bug #69545 (Integer overflow in ftp_genlist() resulting in heap overflow). (CVE-2015-4643)
    • Fixed bug #69646 (OS command injection vulnerability in escapeshellarg). (CVE-2015-4642)
    • Fixed bug #69719 (Incorrect handling of paths with NULs).
  • Litespeed SAPI:
    • Fixed bug #68812 (Unchecked return value).
  • Mail:
    • Fixed bug #68776 (mail() does not have mail header injection prevention for additional headers).
  • Postgres:
    • Fixed bug #69667 (segfault in php_pgsql_meta_data). (CVE-2015-4644)
  • Sqlite3:
    • Upgrade bundled sqlite to 3.8.10.2. (CVE-2015-3414, CVE-2015-3415, CVE-2015-3416)

Version 5.6.9

  • Core:
    • Fixed bug #69467 (Wrong checked for the interface by using Trait).
    • Fixed bug #69420 (Invalid read in zend_std_get_method).
    • Fixed bug #60022 ("use statement [...] has no effect" depends on leading backslash).
    • Fixed bug #67314 (Segmentation fault in gc_remove_zval_from_buffer).
    • Fixed bug #68652 (segmentation fault in destructor).
    • Fixed bug #69419 (Returning compatible sub generator produces a warning).
    • Fixed bug #69472 (php_sys_readlink ignores misc errors from GetFinalPathNameByHandleA).
    • Fixed bug #69364 (PHP Multipart/form-data remote dos Vulnerability). (CVE-2015-4024)
    • Fixed bug #69403 (str_repeat() sign mismatch based memory corruption).
    • Fixed bug #69418 (CVE-2006-7243 fix regressions in 5.4+). (CVE-2015-4025)
    • Fixed bug #69522 (heap buffer overflow in unpack()).
  • FTP:
    • Fixed bug #69545 (Integer overflow in ftp_genlist() resulting in heap overflow). (CVE-2015-4022)
  • ODBC:
    • Fixed bug #69354 (Incorrect use of SQLColAttributes with ODBC 3.0).
    • Fixed bug #69474 (ODBC: Query with same field name from two tables returns incorrect result).
    • Fixed bug #69381 (out of memory with sage odbc driver).
  • OpenSSL:
    • Fixed bug #69402 (Reading empty SSL stream hangs until timeout).
  • PCNTL:
    • Fixed bug #68598 (pcntl_exec() should not allow null char). (CVE-2015-4026)
  • PCRE:
    • Upgraded pcrelib to 8.37. (CVE-2015-2325, CVE-2015-2326)
  • Phar:
    • Fixed bug #69453 (Memory Corruption in phar_parse_tarfile when entry filename starts with null). (CVE-2015-4021)

Version 5.5.25

14-May-2015
  • Core:
    • Fixed bug #69364 (PHP Multipart/form-data remote dos Vulnerability). (CVE-2015-4024)
    • Fixed bug #69403 (str_repeat() sign mismatch based memory corruption).
    • Fixed bug #69418 (CVE-2006-7243 fix regressions in 5.4+). (CVE-2015-4025)
    • Fixed bug #69522 (heap buffer overflow in unpack()).
    • Fixed bug #69467 (Wrong checked for the interface by using Trait).
    • Fixed bug #69420 (Invalid read in zend_std_get_method).
    • Fixed bug #60022 ("use statement [...] has no effect" depends on leading backslash).
    • Fixed bug #67314 (Segmentation fault in gc_remove_zval_from_buffer).
    • Fixed bug #68652 (segmentation fault in destructor).
    • Fixed bug #69419 (Returning compatible sub generator produces a warning).
    • Fixed bug #69472 (php_sys_readlink ignores misc errors from GetFinalPathNameByHandleA).
  • FTP:
    • Fixed bug #69545 (Integer overflow in ftp_genlist() resulting in heap overflow). (CVE-2015-4022)
  • ODBC:
    • Fixed bug #69354 (Incorrect use of SQLColAttributes with ODBC 3.0).
    • Fixed bug #69474 (ODBC: Query with same field name from two tables returns incorrect result).
    • Fixed bug #69381 (out of memory with sage odbc driver).
  • OpenSSL:
    • Fixed bug #69402 (Reading empty SSL stream hangs until timeout).
  • PCNTL:
    • Fixed bug #68598 (pcntl_exec() should not allow null char). (CVE-2015-4026)
  • Phar:
    • Fixed bug #69453 (Memory Corruption in phar_parse_tarfile when entry filename starts with null). (CVE-2015-4021)

Version 5.4.41

14-May-2015
  • Core:
    • Fixed bug #69364 (PHP Multipart/form-data remote dos Vulnerability). (CVE-2015-4024)
    • Fixed bug #69403 (str_repeat() sign mismatch based memory corruption).
    • Fixed bug #69418 (CVE-2006-7243 fix regressions in 5.4+). (CVE-2015-4025)
    • Fixed bug #69522 (heap buffer overflow in unpack()).
  • FTP:
    • Fixed bug #69545 (Integer overflow in ftp_genlist() resulting in heap overflow). (CVE-2015-4022)
  • PCNTL:
    • Fixed bug #68598 (pcntl_exec() should not allow null char). (CVE-2015-4026)
  • PCRE:
    • Upgraded pcrelib to 8.37. (CVE-2015-2325, CVE-2015-2326)
  • Phar:
    • Fixed bug #69453 (Memory Corruption in phar_parse_tarfile when entry filename starts with null). (CVE-2015-4021)

Version 5.6.8

  • Core:
    • Fixed bug #66609 (php crashes with __get() and ++ operator in some cases).
    • Fixed bug #68021 (get_browser() browser_name_regex returns non-utf-8 characters).
    • Fixed bug #68917 (parse_url fails on some partial urls).
    • Fixed bug #69134 (Per Directory Values overrides PHP_INI_SYSTEM configuration options).
    • Additional fix for bug #69152 (Type confusion vulnerability in exception::getTraceAsString).
    • Fixed bug #69210 (serialize function return corrupted data when sleep has non-string values).
    • Fixed bug #69212 (Leaking VIA_HANDLER func when exception thrown in __call/... arg passing).
    • Fixed bug #69221 (Segmentation fault when using a generator in combination with an Iterator).
    • Fixed bug #69337 (php_stream_url_wrap_http_ex() type-confusion vulnerability).
    • Fixed bug #69353 (Missing null byte checks for paths in various PHP extensions).
  • Apache2handler:
    • Fixed bug #69218 (potential remote code execution with apache 2.4 apache2handler). (CVE-2015-3330)
  • cURL:
    • Implemented FR #69278 (HTTP2 support).
    • Fixed bug #68739 (Missing break / control flow).
    • Fixed bug #69316 (Use-after-free in php_curl related to CURLOPT_FILE/_INFILE/_WRITEHEADER).
  • Date:
    • Fixed bug #69336 (Issues with "last day of <monthname>").
  • Enchant:
    • Fixed bug #65406 (Enchant broker plugins are in the wrong place in windows builds).
  • Ereg:
    • Fixed bug #68740 (NULL Pointer Dereference).
  • Fileinfo:
    • Fixed bug #68819 (Fileinfo on specific file causes spurious OOM and/or segfault).
  • Filter:
    • Fixed bug #69202 (FILTER_FLAG_STRIP_BACKTICK ignored unless other flags are used).
    • Fixed bug #69203 (FILTER_FLAG_STRIP_HIGH doesn't strip ASCII 127).
  • Mbstring:
    • Fixed bug #68846 (False detection of CJK Unified Ideographs Extension E).
  • OPCache:
    • Fixed bug #69297 (function_exists strange behavior with OPCache on disabled function).
    • Fixed bug #69281 (opcache_is_script_cached no longer works).
    • Fixed bug #68677 (Use After Free). (CVE-2015-1351)
  • OpenSSL:
    • Fixed bug #68853, #65137 (Buffered crypto stream data breaks IO polling in stream_select() contexts).
    • Fixed bug #69197 (openssl_pkcs7_sign handles default value incorrectly).
    • Fixed bug #69215 (Crypto servers should send client CA list).
    • Add a check for RAND_egd to allow compiling against LibreSSL.
  • Phar:
    • Fixed bug #64343 (PharData::extractTo fails for tarball created by BSD tar).
    • Fixed bug #64931 (phar_add_file is too restrictive on filename).
    • Fixed bug #65467 (Call to undefined method cli_arg_typ_string).
    • Fixed bug #67761 (Phar::mapPhar fails for Phars inside a path containing ".tar").
    • Fixed bug #69324 (Buffer Over-read in unserialize when parsing Phar). (CVE-2015-2783)
    • Fixed bug #69441 (Buffer Overflow when parsing tar/zip/phar in phar_set_inode). (CVE-2015-3329)
  • Postgres:
    • Fixed bug #68741 (Null pointer dereference). (CVE-2015-1352)
  • SOAP:
    • Fixed bug #69152 (Type Confusion Infoleak Vulnerability in unserialize() with SoapFault).
    • Fixed bug #69293 (NEW segfault when using SoapClient::__setSoapHeader (bisected, regression)).
  • SPL:
    • Fixed bug #69227 (Use after free in zval_scan caused by spl_object_storage_get_gc).
  • Sqlite3:
    • Fixed bug #68760 (SQLITE segfaults if custom collator throws an exception).
    • Fixed bug #69287 (Upgrade bundled libsqlite to 3.8.8.3).
    • Fixed bug #66550 (SQLite prepared statement use-after-free).

Version 5.5.24

  • Apache2handler:
    • Fixed bug #69218 (potential remote code execution with apache 2.4 apache2handler). (CVE-2015-3330)
  • Core:
    • Fixed bug #66609 (php crashes with __get() and ++ operator in some cases).
    • Fixed bug #67626 (User exceptions not properly handled in streams).
    • Fixed bug #68021 (get_browser() browser_name_regex returns non-utf-8 characters).
    • Fixed bug #68917 (parse_url fails on some partial urls).
    • Fixed bug #69134 (Per Directory Values overrides PHP_INI_SYSTEM configuration options).
    • Additional fix for bug #69152 (Type confusion vulnerability in exception::getTraceAsString).
    • Fixed bug #69212 (Leaking VIA_HANDLER func when exception thrown in __call/... arg passing).
    • Fixed bug #69221 (Segmentation fault when using a generator in combination with an Iterator).
    • Fixed bug #69337 (php_stream_url_wrap_http_ex() type-confusion vulnerability).
    • Fixed bug #69353 (Missing null byte checks for paths in various PHP extensions).
  • cURL:
    • Implemented FR #69278 (HTTP2 support).
    • Fixed bug #68739 (Missing break / control flow).
    • Fixed bug #69316 (Use-after-free in php_curl related to CURLOPT_FILE/_INFILE/_WRITEHEADER).
  • Date:
    • Export date_get_immutable_ce so that it can be used by extensions.
    • Fixed bug #69336 (Issues with "last day of <monthname>").
  • Enchant:
    • Fixed bug #65406 (Enchant broker plugins are in the wrong place in windows builds).
  • Ereg:
    • Fixed bug #68740 (NULL Pointer Dereference).
  • Fileinfo:
    • Fixed bug #68819 (Fileinfo on specific file causes spurious OOM and/or segfault).
  • Filter:
    • Fixed bug #69202 (FILTER_FLAG_STRIP_BACKTICK ignored unless other flags are used).
    • Fixed bug #69203 (FILTER_FLAG_STRIP_HIGH doesn't strip ASCII 127).
  • Mbstring:
    • Fixed bug #68846 (False detection of CJK Unified Ideographs Extension E).
  • ODBC:
    • Fixed bug #69354 (Incorrect use of SQLColAttributes with ODBC 3.0).
  • OPCache:
    • Fixed bug #69281 (opcache_is_script_cached no longer works).
    • Fixed bug #68677 (Use After Free). (CVE-2015-1351)
  • OpenSSL:
    • Fixed bug #67403 (Add signatureType to openssl_x509_parse).
    • Add a check for RAND_egd to allow compiling against LibreSSL.
  • Phar:
    • Fixed bug #64343 (PharData::extractTo fails for tarball created by BSD tar).
    • Fixed bug #64931 (phar_add_file is too restrictive on filename).
    • Fixed bug #65467 (Call to undefined method cli_arg_typ_string).
    • Fixed bug #67761 (Phar::mapPhar fails for Phars inside a path containing ".tar").
    • Fixed bug #69324 (Buffer Over-read in unserialize when parsing Phar). (CVE-2015-2783)
    • Fixed bug #69441 (Buffer Overflow when parsing tar/zip/phar in phar_set_inode). (CVE-2015-3329)
  • Postgres:
    • Fixed bug #68741 (Null pointer dereference). (CVE-2015-1352)
  • SOAP:
    • Fixed bug #69152 (Type Confusion Infoleak Vulnerability in unserialize() with SoapFault).
    • Fixed bug #69293 (NEW segfault when using SoapClient::__setSoapHeader (bisected, regression)).
  • SPL:
    • Fixed bug #69227 (Use after free in zval_scan caused by spl_object_storage_get_gc).
  • SQLITE:
    • Fixed bug #68760 (SQLITE segfaults if custom collator throws an exception).
    • Fixed bug #69287 (Upgrade bundled sqlite to 3.8.8.3).
    • Fixed bug #66550 (SQLite prepared statement use-after-free).

Version 5.4.40

  • Apache2handler:
    • Fixed bug #69218 (potential remote code execution with apache 2.4 apache2handler). (CVE-2015-3330)
  • Core:
    • Additional fix for bug #69152 (Type confusion vulnerability in exception::getTraceAsString).
    • Fixed bug #69337 (php_stream_url_wrap_http_ex() type-confusion vulnerability).
    • Fixed bug #69353 (Missing null byte checks for paths in various PHP extensions).
  • cURL:
    • Fixed bug #69316 (Use-after-free in php_curl related to CURLOPT_FILE/_INFILE/_WRITEHEADER).
  • Ereg:
    • Fixed bug #68740 (NULL Pointer Dereference).
  • Fileinfo:
    • Fixed bug #68819 (Fileinfo on specific file causes spurious OOM and/or segfault).
  • GD:
    • Fixed bug #68601 (buffer read overflow in gd_gif_in.c). (CVE-2014-9709)
  • Phar:
    • Fixed bug #68901 (use after free). (CVE-2015-2301)
    • Fixed bug #69324 (Buffer Over-read in unserialize when parsing Phar). (CVE-2015-2783)
    • Fixed bug #69441 (Buffer Overflow when parsing tar/zip/phar in phar_set_inode). (CVE-2015-3329)
  • Postgres:
    • Fixed bug #68741 (Null pointer deference). (CVE-2015-1352)
  • SOAP:
    • Fixed bug #69152 (Type Confusion Infoleak Vulnerability in unserialize() with SoapFault).
    • Fixed bug #69293 (NEW segfault when using SoapClient::__setSoapHeader (bisected, regression)).
  • Sqlite3:
    • Fixed bug #66550 (SQLite prepared statement use-after-free).

Version 5.6.7

  • Core:
    • Fixed bug #69174 (leaks when unused inner class use traits precedence).
    • Fixed bug #69139 (Crash in gc_zval_possible_root on unserialize).
    • Fixed bug #69121 (Segfault in get_current_user when script owner is not in passwd with ZTS build).
    • Fixed bug #65593 (Segfault when calling ob_start from output buffering callback).
    • Fixed bug #68986 (pointer returned by php_stream_fopen_temporary_file not validated in memory.c).
    • Fixed bug #68166 (Exception with invalid character causes segv).
    • Fixed bug #69141 (Missing arguments in reflection info for some builtin functions).
    • Fixed bug #68976 (Use After Free Vulnerability in unserialize()). (CVE-2015-2787)
    • Fixed bug #69134 (Per Directory Values overrides PHP_INI_SYSTEM configuration options).
    • Fixed bug #69207 (move_uploaded_file allows nulls in path). (CVE-2015-2348)
  • CGI:
    • Fixed bug #69015 (php-cgi's getopt does not see $argv).
  • CLI:
    • Fixed bug #67741 (auto_prepend_file messes up __LINE__).
  • cURL:
    • Fixed bug #69088 (PHP_MINIT_FUNCTION does not fully initialize cURL on Win32).
    • Add CURLPROXY_SOCKS4A and CURLPROXY_SOCKS5_HOSTNAME constants if supported by libcurl.
  • Ereg:
    • Fixed bug #69248 (heap overflow vulnerability in regcomp.c). (CVE-2015-2305)
  • FPM:
    • Fixed bug #68822 (request time is reset too early).
  • ODBC:
    • Fixed bug #68964 (Allowed memory size exhausted with odbc_exec).
  • Opcache:
    • Fixed bug #69159 (Opcache causes problem when passing a variable variable to a function).
    • Fixed bug #69125 (Array numeric string as key).
    • Fixed bug #69038 (switch(SOMECONSTANT) misbehaves).
  • OpenSSL:
    • Fixed bug #68912 (Segmentation fault at openssl_spki_new).
    • Fixed bug #61285, #68329, #68046, #41631 (encrypted streams don't observe socket timeouts).
    • Fixed bug #68920 (use strict peer_fingerprint input checks) (Daniel Lowrey)
    • Fixed bug #68879 (IP Address fields in subjectAltNames not used) (Daniel Lowrey)
    • Fixed bug #68265 (SAN match fails with trailing DNS dot) (Daniel Lowrey)
    • Fixed bug #67403 (Add signatureType to openssl_x509_parse) (Daniel Lowrey)
    • Fixed bug #69195 (Inconsistent stream crypto values across versions) (Daniel Lowrey)
  • pgsql:
    • Fixed bug #68638 (pg_update() fails to store infinite values).
  • Readline:
    • Fixed bug #69054 (Null dereference in readline_(read|write)_history() without parameters).
  • SOAP:
    • Fixed bug #69085 (SoapClient's __call() type confusion through unserialize()). (CVE-2015-4147, CVE-2015-4148)
  • SPL:
    • Fixed bug #69108 ("Segmentation fault" when (de)serializing SplObjectStorage).
    • Fixed bug #68557 (RecursiveDirectoryIterator::seek(0) broken after calling getChildren()).
  • ZIP:
    • Fixed bug #69253 (ZIP Integer Overflow leads to writing past heap boundary). (CVE-2015-2331)

Version 5.5.23

  • Core:
    • Fixed bug #69174 (leaks when unused inner class use traits precedence).
    • Fixed bug #69139 (Crash in gc_zval_possible_root on unserialize).
    • Fixed bug #69121 (Segfault in get_current_user when script owner is not in passwd with ZTS build).
    • Fixed bug #65593 (Segfault when calling ob_start from output buffering callback).
    • Fixed bug #69017 (Fail to push to the empty array with the constant value defined in class scope).
    • Fixed bug #68986 (pointer returned by php_stream_fopen_temporary_file not validated in memory.c).
    • Fixed bug #68166 (Exception with invalid character causes segv).
    • Fixed bug #69141 (Missing arguments in reflection info for some builtin functions).
    • Fixed bug #68976 (Use After Free Vulnerability in unserialize()). (CVE-2015-2787)
    • Fixed bug #69134 (Per Directory Values overrides PHP_INI_SYSTEM configuration options).
    • Fixed bug #69207 (move_uploaded_file allows nulls in path). (CVE-2015-2348)
  • CGI:
    • Fixed bug #69015 (php-cgi's getopt does not see $argv).
  • CLI:
    • Fixed bug #67741 (auto_prepend_file messes up __LINE__).
  • cURL:
    • Fixed bug #69088 (PHP_MINIT_FUNCTION does not fully initialize cURL on Win32).
    • Add CURLPROXY_SOCKS4A and CURLPROXY_SOCKS5_HOSTNAME constants if supported by libcurl.
  • Ereg:
    • Fixed bug #69248 (heap overflow vulnerability in regcomp.c). (CVE-2015-2305)
  • FPM:
    • Fixed bug #68822 (request time is reset too early).
  • ODBC:
    • Fixed bug #68964 (Allowed memory size exhausted with odbc_exec).
  • Opcache:
    • Fixed bug #69125 (Array numeric string as key).
    • Fixed bug #69038 (switch(SOMECONSTANT) misbehaves).
  • OpenSSL:
  • pgsql:
    • Fixed bug #68638 (pg_update() fails to store infinite values).
  • Readline:
    • Fixed bug #69054 (Null dereference in readline_(read|write)_history() without parameters).
  • SOAP:
    • Fixed bug #69085 (SoapClient's __call() type confusion through unserialize()). (CVE-2015-4147, CVE-2015-4148)
  • SPL:
    • Fixed bug #69108 ("Segmentation fault" when (de)serializing SplObjectStorage).
    • Fixed bug #68557 (RecursiveDirectoryIterator::seek(0) broken after calling getChildren()).
  • ZIP:
    • Fixed bug #69253 (ZIP Integer Overflow leads to writing past heap boundary). (CVE-2015-2331)

Version 5.4.39

  • Core:
    • Fixed bug #68976 (Use After Free Vulnerability in unserialize()). (CVE-2015-2787)
    • Fixed bug #69134 (Per Directory Values overrides PHP_INI_SYSTEM configuration options).
    • Fixed bug #69207 (move_uploaded_file allows nulls in path). (CVE-2015-2348)
  • Ereg:
    • Fixed bug #69248 (heap overflow vulnerability in regcomp.c). (CVE-2015-2305)
  • SOAP:
    • Fixed bug #69085 (SoapClient's __call() type confusion through unserialize()). (CVE-2015-4147, CVE-2015-4148)
  • ZIP:
    • Fixed bug #69253 (ZIP Integer Overflow leads to writing past heap boundary). (CVE-2015-2331)

Version 5.6.6

  • Core:
    • Removed support for multi-line headers, as they are deprecated by RFC 7230.
    • Fixed bug #67068 (getClosure returns somethings that's not a closure).
    • Fixed bug #68942 (Use after free vulnerability in unserialize() with DateTimeZone). (CVE-2015-0273)
    • Fixed bug #68925 (Mitigation for CVE-2015-0235 – GHOST: glibc gethostbyname buffer overflow).
    • Fixed bug #67988 (htmlspecialchars() does not respect default_charset specified by ini_set).
    • Added NULL byte protection to exec, system and passthru.
  • Dba:
    • Fixed bug #68711 (useless comparisons).
  • Enchant:
    • Fixed bug #68552 (heap buffer overflow in enchant_broker_request_dict()). (CVE-2014-9705)
  • Fileinfo:
    • Fixed bug #68827 (Double free with disabled ZMM).
    • Fixed bug #67647 (Bundled libmagic 5.17 does not detect quicktime files correctly).
    • Fixed bug #68731 (finfo_buffer doesn't extract the correct mime with some gifs).
  • FPM:
    • Fixed bug #66479 (Wrong response to FCGI_GET_VALUES).
    • Fixed bug #68571 (core dump when webserver close the socket).
  • JSON:
    • Fixed bug #50224 (json_encode() does not always encode a float as a float) by adding JSON_PRESERVE_ZERO_FRACTION.
  • LIBXML:
    • Fixed bug #64938 (libxml_disable_entity_loader setting is shared between threads).
  • Mysqli:
    • Fixed bug #68114 (linker error on some OS X machines with fixed width decimal support).
    • Fixed bug #68657 (Reading 4 byte floats with Mysqli and libmysqlclient has rounding errors).
  • Opcache:
    • Fixed bug with try blocks being removed when extended_info opcode generation is turned on.
  • PDO_mysql:
    • Fixed bug #68750 (PDOMysql with mysqlnd does not allow the usage of named pipes).
  • Phar:
    • Fixed bug #68901 (use after free). (CVE-2015-2301)
  • Pgsql:
    • Fixed bug #65199 (pg_copy_from() modifies input array variable).
  • Session:
    • Fixed bug #68941 (mod_files.sh is a bash-script).
    • Fixed bug #66623 (no EINTR check on flock).
    • Fixed bug #68063 (Empty session IDs do still start sessions).
  • Sqlite3:
    • Fixed bug #68260 (SQLite3Result::fetchArray declares wrong required_num_args).
  • Standard:
    • Fixed bug #65272 (flock() out parameter not set correctly in windows).
    • Fixed bug #69033 (Request may get env. variables from previous requests if PHP works as FastCGI).
  • Streams:
    • Fixed bug which caused call after final close on streams filter.

Version 5.5.22

  • Core:
    • Fixed bug #67068 (getClosure returns somethings that's not a closure).
    • Fixed bug #68925 (Mitigation for CVE-2015-0235 – GHOST: glibc gethostbyname buffer overflow).
    • Fixed bug #68942 (Use after free vulnerability in unserialize() with DateTimeZone). (CVE-2015-0273)
    • Added NULL byte protection to exec, system and passthru.
    • Removed support for multi-line headers, as they are deprecated by RFC 7230.
  • Date:
    • Fixed bug #45081 (strtotime incorrectly interprets SGT time zone).
  • Dba:
    • Fixed bug #68711 (useless comparisons).
  • Enchant:
    • Fixed bug #68552 (heap buffer overflow in enchant_broker_request_dict()). (CVE-2014-9705)
  • Fileinfo:
    • Fixed bug #68827 (Double free with disabled ZMM).
  • FPM:
    • Fixed bug #66479 (Wrong response to FCGI_GET_VALUES).
    • Fixed bug #68571 (core dump when webserver close the socket).
  • Libxml:
    • Fixed bug #64938 (libxml_disable_entity_loader setting is shared between threads).
  • PDO_mysql:
    • Fixed bug #68750 (PDOMysql with mysqlnd does not allow the usage of named pipes).
  • Phar:
    • Fixed bug #68901 (use after free). (CVE-2015-2301)
  • Pgsql:
    • Fixed bug #65199 (pg_copy_from() modifies input array variable).
  • Sqlite3:
    • Fixed bug #68260 (SQLite3Result::fetchArray declares wrong required_num_args).
  • Mysqli:
    • Fixed bug #68114 (linker error on some OS X machines with fixed width decimal support).
    • Fixed bug #68657 (Reading 4 byte floats with Mysqli and libmysqlclient has rounding errors).
  • Session:
    • Fixed bug #68941 (mod_files.sh is a bash-script).
    • Fixed bug #66623 (no EINTR check on flock).
    • Fixed bug #68063 (Empty session IDs do still start sessions).
  • Standard:
    • Fixed bug #65272 (flock() out parameter not set correctly in windows).
    • Fixed bug #69033 (Request may get env. variables from previous requests if PHP works as FastCGI).
  • Streams:
    • Fixed bug which caused call after final close on streams filter.

Version 5.4.38

  • Core:
    • Removed support for multi-line headers, as they are deprecated by RFC 7230.
    • Added NULL byte protection to exec, system and passthru.
    • Fixed bug #68925 (Mitigation for CVE-2015-0235 – GHOST: glibc gethostbyname buffer overflow).
    • Fixed bug #67827 (broken detection of system crypt sha256/sha512 support).
    • Fixed bug #68942 (Use after free vulnerability in unserialize() with DateTimeZone). (CVE-2015-0273)
  • Enchant:
    • Fixed bug #68552 (heap buffer overflow in enchant_broker_request_dict()). (CVE-2014-9705)
  • SOAP:
    • Fixed bug #67427 (SoapServer cannot handle large messages).

Version 5.6.5

  • Core:
    • Upgraded crypt_blowfish to version 1.3.
    • Fixed bug #60704 (unlink() bug with some files path).
    • Fixed bug #65419 (Inside trait, self::class != __CLASS__).
    • Fixed bug #68536 (pack for 64bits integer is broken on bigendian).
    • Fixed bug #55541 (errors spawn MessageBox, which blocks test automation).
    • Fixed bug #68297 (Application Popup provides too few information).
    • Fixed bug #65769 (localeconv() broken in TS builds).
    • Fixed bug #65230 (setting locale randomly broken).
    • Fixed bug #66764 (configure doesn't define EXPANDED_DATADIR / PHP_DATADIR correctly).
    • Fixed bug #68583 (Crash in timeout thread).
    • Fixed bug #65576 (Constructor from trait conflicts with inherited constructor).
    • Fixed bug #68676 (Explicit Double Free). (CVE-2014-9425)
    • Fixed bug #68710 (Use After Free Vulnerability in PHP's unserialize()). (CVE-2015-0231)
  • CGI:
    • Fixed bug #68618 (out of bounds read crashes php-cgi). (CVE-2014-9427)
  • CLI server:
    • Fixed bug #68745 (Invalid HTTP requests make web server segfault).
  • cURL:
    • Fixed bug #67643 (curl_multi_getcontent returns '' when CURLOPT_RETURNTRANSFER isn't set).
  • Date:
    • Implemented FR #68268 (DatePeriod: Getter for start date, end date and interval).
  • EXIF:
    • Fixed bug #68799 (Free called on uninitialized pointer). (CVE-2015-0232)
  • Fileinfo:
    • Fixed bug #68398 (msooxml matches too many archives).
    • Fixed bug #68665 (invalid free in libmagic).
    • Fixed bug #68671 (incorrect expression in libmagic).
    • Removed readelf.c and related code from libmagic sources.
    • Fixed bug #68735 (fileinfo out-of-bounds memory access). (CVE-2014-9652)
  • FPM:
    • Implemented FR #68526 (Implement POSIX Access Control List for UDS).
    • Fixed bug #68751 (listen.allowed_clients is broken).
  • GD:
    • Fixed bug #68601 (buffer read overflow in gd_gif_in.c). (CVE-2014-9709)
    • Implemented FR #68656 (Report gd library version).
  • mbstring:
    • Fixed bug #68504 (--with-libmbfl configure option not present on Windows).
  • Opcache:
    • Fixed bug #68644 (strlen incorrect : mbstring + func_overload=2 +UTF-8 + Opcache).
    • Fixed bug #67111 (Memory leak when using "continue 2" inside two foreach loops).
  • OpenSSL:
    • Improved handling of OPENSSL_KEYTYPE_EC keys.
  • pcntl:
    • Fixed bug #60509 (pcntl_signal doesn't decrease ref-count of old handler when setting SIG_DFL).
  • PCRE:
    • Fixed bug #66679 (Alignment Bug in PCRE 8.34 upstream).
  • pgsql:
    • Fixed bug #68697 (lo_export return -1 on failure).
  • PDO:
    • Fixed bug #68371 (PDO#getAttribute() cannot be called with platform-specifi attribute names).
  • PDO_mysql:
    • Fixed bug #68424 (Add new PDO mysql connection attr to control multi statements option).
  • SPL:
    • Fixed bug #66405 (RecursiveDirectoryIterator::CURRENT_AS_PATHNAME breaks the RecursiveIterator).
    • Fixed bug #68479 (Added escape parameter to SplFileObject::fputcsv).
  • SQLite:
    • Fixed bug #68120 (Update bundled libsqlite to 3.8.7.2).
  • Streams:
    • Fixed bug #68532 (convert.base64-encode omits padding bytes).

Version 5.5.21

  • Core:
    • Upgraded crypt_blowfish to version 1.3.
    • Fixed bug #60704 (unlink() bug with some files path).
    • Fixed bug #65419 (Inside trait, self::class != __CLASS__).
    • Fixed bug #65576 (Constructor from trait conflicts with inherited constructor).
    • Fixed bug #55541 (errors spawn MessageBox, which blocks test automation).
    • Fixed bug #68297 (Application Popup provides too few information).
    • Fixed bug #65769 (localeconv() broken in TS builds).
    • Fixed bug #65230 (setting locale randomly broken).
    • Fixed bug #66764 (configure doesn't define EXPANDED_DATADIR / PHP_DATADIR correctly).
    • Fixed bug #68583 (Crash in timeout thread).
    • Fixed bug #68676 (Explicit Double Free). (CVE-2014-9425)
    • Fixed bug #68710 (Use After Free Vulnerability in PHP's unserialize()). (CVE-2015-0231)
  • CGI:
    • Fixed bug #68618 (out of bounds read crashes php-cgi). (CVE-2014-9427)
  • CLI server:
    • Fixed bug #68745 (Invalid HTTP requests make web server segfault).
  • cURL:
    • Fixed bug #67643 (curl_multi_getcontent returns '' when CURLOPT_RETURNTRANSFER isn't set).
  • EXIF:
    • Fixed bug #68799 (Free called on uninitialized pointer). (CVE-2015-0232)
  • Fileinfo:
    • Fixed bug #68671 (incorrect expression in libmagic).
    • Fixed bug #68735 (fileinfo out-of-bounds memory access). (CVE-2014-9652)
    • Removed readelf.c and related code from libmagic sources.
  • FPM:
    • Fixed bug #68751 (listen.allowed_clients is broken).
  • GD:
    • Fixed bug #68601 (buffer read overflow in gd_gif_in.c). (CVE-2014-9709)
  • Mbstring:
    • Fixed bug #68504 (--with-libmbfl configure option not present on Windows).
  • Mcrypt:
    • Fixed possible read after end of buffer and use after free.
  • Opcache:
    • Fixed bug #67111 (Memory leak when using "continue 2" inside two foreach loops).
  • OpenSSL:
    • Fixed bug #55618 (use case-insensitive cert name matching).
  • Pcntl:
    • Fixed bug #60509 (pcntl_signal doesn't decrease ref-count of old handler when setting SIG_DFL).
  • PCRE:
    • Fixed bug #66679 (Alignment Bug in PCRE 8.34 upstream).
  • pgsql:
    • Fixed bug #68697 (lo_export return -1 on failure).
  • PDO:
    • Fixed bug #68371 (PDO#getAttribute() cannot be called with platform-specific attribute names).
  • PDO_mysql:
    • Fixed bug #68424 (Add new PDO mysql connection attr to control multi statements option).
  • SPL:
    • Fixed bug #66405 (RecursiveDirectoryIterator::CURRENT_AS_PATHNAME breaks the RecursiveIterator).
    • Fixed bug #65213 (cannot cast SplFileInfo to boolean).
    • Fixed bug #68479 (Added escape parameter to SplFileObject::fputcsv).
  • SQLite:
    • Fixed bug #68120 (Update bundled libsqlite to 3.8.7.2).
  • Streams:
    • Fixed bug #68532 (convert.base64-encode omits padding bytes).

Version 5.4.37

  • Core:
    • Fixed bug #68710 (Use After Free Vulnerability in PHP's unserialize()). (CVE-2015-0231)
  • CGI:
    • Fixed bug #68618 (out of bounds read crashes php-cgi). (CVE-2014-9427)
  • EXIF:
    • Fixed bug #68799 (Free called on uninitialized pointer). (CVE-2015-0232)
  • Fileinfo:
    • Removed readelf.c and related code from libmagic sources.
    • Fixed bug #68735 (fileinfo out-of-bounds memory access). (CVE-2014-9652)
  • OpenSSL:
    • Fixed bug #55618 (use case-insensitive cert name matching).

Version 5.6.4

  • Core:
    • Fixed bug #68091 (Some Zend headers lack appropriate extern "C" blocks).
    • Fixed bug #68104 (Segfault while pre-evaluating a disabled function).
    • Fixed bug #68185 ("Inconsistent insteadof definition."- incorrectly triggered).
    • Fixed bug #68355 (Inconsistency in example php.ini comments).
    • Fixed bug #68370 ("unset($this)" can make the program crash).
    • Fixed bug #68422 (Incorrect argument reflection info for array_multisort()).
    • Fixed bug #68545 (NULL pointer dereference in unserialize.c).
    • Fixed bug #68446 (Array constant not accepted for array parameter default).
    • Fixed bug #68594 (Use after free vulnerability in unserialize()). (CVE-2014-8142)
  • Date:
    • Fixed day_of_week function as it could sometimes return negative values internally.
  • FPM:
    • Fixed bug #68381 (fpm_unix_init_main ignores log_level).
    • Fixed bug #68420 (listen=9000 listens to ipv6 localhost instead of all addresses).
    • Fixed bug #68421 (access.format='%R' doesn't log ipv6 address).
    • Fixed bug #68423 (PHP-FPM will no longer load all pools).
    • Fixed bug #68428 (listen.allowed_clients is IPv4 only).
    • Fixed bug #68452 (php-fpm man page is oudated).
    • Implemented FR #68458 (Change pm.start_servers default warning to notice).
    • Fixed bug #68463 (listen.allowed_clients can silently result in no allowed access).
    • Implemented FR #68391 (php-fpm conf files loading order).
    • Fixed bug #68478 (access.log don't use prefix).
  • Mcrypt:
    • Fixed possible read after end of buffer and use after free.
  • GMP:
    • Fixed bug #68419 (build error with gmp 4.1).
  • PDO_pgsql:
    • Fixed bug #67462 (PDO_PGSQL::beginTransaction() wrongly throws exception when not in transaction).
    • Fixed bug #68351 (PDO::PARAM_BOOL and ATTR_EMULATE_PREPARES misbehaving).
  • Session:
    • Fixed bug #68331 (Session custom storage callable functions not being called).
  • SOAP:
    • Fixed bug #68361 (Segmentation fault on SoapClient::__getTypes).
  • zlib:
    • Fixed bug #53829 (Compiling PHP with large file support will replace function gzopen by gzopen64).

Version 5.5.20

  • Core:
    • Fixed bug #68091 (Some Zend headers lack appropriate extern "C" blocks).
    • Fixed bug #68185 ("Inconsistent insteadof definition."- incorrectly triggered).
    • Fixed bug #68370 ("unset($this)" can make the program crash).
    • Fixed bug #68545 (NULL pointer dereference in unserialize.c).
    • Fixed bug #68594 (Use after free vulnerability in unserialize()). (CVE-2014-8142)
  • Date:
    • Fixed day_of_week function as it could sometimes return negative values internally.
  • FPM:
    • Fixed bug #68381 (fpm_unix_init_main ignores log_level).
    • Fixed bug #68420 (listen=9000 listens to ipv6 localhost instead of all addresses).
    • Fixed bug #68421 (access.format='%R' doesn't log ipv6 address).
    • Fixed bug #68423 (PHP-FPM will no longer load all pools).
    • Fixed bug #68428 (listen.allowed_clients is IPv4 only).
    • Fixed bug #68452 (php-fpm man page is oudated).
    • Fixed bug #68458 (Change pm.start_servers default warning to notice).
    • Fixed bug #68463 (listen.allowed_clients can silently result in no allowed access).
    • Fixed bug #68391 (php-fpm conf files loading order).
    • Fixed bug #68478 (access.log don't use prefix).
  • Mcrypt:
    • Fixed possible read after end of buffer and use after free.
  • PDO_pgsql:
    • Fixed bug #66584 (Segmentation fault on statement deallocation).
    • Fixed bug #67462 (PDO_PGSQL::beginTransaction() wrongly throws exception when not in transaction).
    • Fixed bug #68351 (PDO::PARAM_BOOL and ATTR_EMULATE_PREPARES misbehaving).
  • SOAP:
    • Fixed bug #68361 (Segmentation fault on SoapClient::__getTypes).
  • zlib:
    • Fixed bug #53829 (Compiling PHP with large file support will replace function gzopen by gzopen64).

Version 5.4.36

  • Core:
    • Upgraded crypt_blowfish to version 1.3.
    • Fixed bug #68545 (NULL pointer dereference in unserialize.c).
    • Fixed bug #68594 (Use after free vulnerability in unserialize()). (CVE-2014-8142)
  • Mcrypt:
    • Fixed possible read after end of buffer and use after free.

Version 5.6.3

  • Core:
    • Implemented 64-bit format codes for pack() and unpack().
    • Fixed bug #51800 (proc_open on Windows hangs forever).
    • Fixed bug #67633 (A foreach on an array returned from a function not doing copy-on-write).
    • Fixed bug #67739 (Windows 8.1/Server 2012 R2 OS build number reported as 6.2 (instead of 6.3)).
    • Fixed bug #67949 (DOMNodeList elements should be accessible through array notation).
    • Fixed bug #68095 (AddressSanitizer reports a heap buffer overflow in php_getopt()).
    • Fixed bug #68118 ($a->foo .= 'test'; can leave $a->foo undefined).
    • Fixed bug #68129 (parse_url() - incomplete support for empty usernames and passwords).
    • Fixed bug #68365 (zend_mm_heap corrupted after memory overflow in zend_hash_copy).
  • CURL:
    • Add CURL_SSLVERSION_TLSv1_0, CURL_SSLVERSION_TLSv1_1, and CURL_SSLVERSION_TLSv1_2 constants if supported by libcurl.
  • Fileinfo:
    • Fixed bug #66242 (libmagic: don't assume char is signed).
    • Fixed bug #68224 (buffer-overflow in libmagic/readcdf.c caught by AddressSanitizer).
    • Fixed bug #68283 (fileinfo: out-of-bounds read in elf note headers). (CVE-2014-3710)
  • FPM:
    • Fixed bug #65641 (PHP-FPM incorrectly defines the SCRIPT_NAME variable when using Apache, mod_proxy-fcgi and ProxyPass).
    • Implemented FR #55508 (listen and listen.allowed_clients should take IPv6 addresses).
  • GD:
    • Fixed bug #65171 (imagescale() fails without height param).
  • GMP:
    • Implemented gmp_random_range() and gmp_random_bits().
    • Fixed bug #63595 (GMP memory management conflicts with other libraries using GMP).
  • Mysqli:
    • Fixed bug #68114 (linker error on some OS X machines with fixed width decimal support).
  • ODBC:
    • Fixed bug #68087 (ODBC not correctly reading DATE column when preceded by a VARCHAR column).
  • OpenSSL:
    • Fixed bug #68074 (Allow to use system cipher list instead of hardcoded value).
  • PDO_pgsql:
    • Fixed bug #68199 (PDO::pgsqlGetNotify doesn't support NOTIFY payloads).
    • Fixed bug #66584 (Segmentation fault on statement deallocation).
  • Reflection:
    • Fixed bug #68103 (Duplicate entry in Reflection for class alias).
  • SPL:
    • Fixed bug #68128 (Regression in RecursiveRegexIterator).

Version 5.5.19

  • Core:
    • Fixed bug #68095 (AddressSanitizer reports a heap buffer overflow in php_getopt()).
    • Fixed bug #68118 ($a->foo .= 'test'; can leave $a->foo undefined).
    • Fixed bug #68129 (parse_url() - incomplete support for empty usernames and passwords).
    • Fixed bug #68365 (zend_mm_heap corrupted after memory overflow in zend_hash_copy).
  • cURL:
    • Add CURL_SSLVERSION_TLSv1_0, CURL_SSLVERSION_TLSv1_1, and CURL_SSLVERSION_TLSv1_2 constants if supported by libcurl.
  • Fileinfo:
    • Fixed bug #66242 (libmagic: don't assume char is signed).
    • Fixed bug #68283 (fileinfo: out-of-bounds read in elf note headers). (CVE-2014-3710)
  • FPM:
    • Implemented FR #55508 (listen and listen.allowed_clients should take IPv6 addresses.
  • GD:
    • Fixed bug #65171imagescale() fails without height param
  • GMP:
    • Fixed bug #63595 (GMP memory management conflicts with other libraries using GMP).
  • Mysqli:
    • Fixed bug #68114 (linker error on some OS X machines with fixed width decimal support).
  • ODBC:
    • Fixed bug #68087 (ODBC not correctly reading DATE column when preceded by a VARCHAR column)
  • SPL:
    • Fixed bug #68128 (Regression in RecursiveRegexIterator)

Version 5.4.35

  • Core:
    • Fixed bug #68365 (zend_mm_heap corrupted after memory overflow in zend_hash_copy).
  • Fileinfo:
    • Fixed bug #68283 (fileinfo: out-of-bounds read in elf note headers). (CVE-2014-3710)
  • GMP:
    • Fixed bug #63595 (GMP memory management conflicts with other libraries using GMP).
  • PDO_pgsql:
    • Fixed bug #66584 (Segmentation fault on statement deallocation).

Version 5.6.2

  • Core:
    • Fixed bug #68044 (Integer overflow in unserialize() (32-bits only)). (CVE-2014-3669)
  • cURL:
    • Fixed bug #68089 (NULL byte injection - cURL lib).
  • EXIF:
    • Fixed bug #68113 (Heap corruption in exif_thumbnail()). (CVE-2014-3670)
  • XMLRPC:
    • Fixed bug #68027 (Global buffer overflow in mkgmtime() function). (CVE-2014-3668)

Version 5.5.18

  • Core:
    • Fixed bug #67985 (Incorrect last used array index copied to new array after unset).
    • Fixed bug #67739 (Windows 8.1/Server 2012 R2 OS build number reported as 6.2 (instead of 6.3)).
    • Fixed bug #67633 (A foreach on an array returned from a function not doing copy-on-write).
    • Fixed bug #51800 (proc_open on Windows hangs forever).
    • Fixed bug #68044 (Integer overflow in unserialize() (32-bits only)). (CVE-2014-3669)
  • cURL:
    • Fixed bug #68089 (NULL byte injection - cURL lib).
  • Exif:
    • Fixed bug #68113 (Heap corruption in exif_thumbnail()). (CVE-2014-3670)
  • FPM:
    • Fixed bug #65641 (PHP-FPM incorrectly defines the SCRIPT_NAME variable when using Apache, mod_proxy-fcgi and ProxyPass).
  • OpenSSL:
    • Revert regression introduced by fix of bug #41631.
  • Reflection:
    • Fixed bug #68103 (Duplicate entry in Reflection for class alias).
  • Session:
    • Fixed bug #67972 (SessionHandler Invalid memory read create_sid()).
  • XMLRPC:
    • Fixed bug #68027 (Global buffer overflow in mkgmtime() function). (CVE-2014-3668)

Version 5.4.34

  • Fileinfo:
    • Fixed bug #66242 (libmagic: don't assume char is signed).
  • Core:
    • Fixed bug #67985 (Incorrect last used array index copied to new array after unset).
    • Fixed bug #68044 (Integer overflow in unserialize() (32-bits only)). (CVE-2014-3669)
  • cURL:
    • Fixed bug #68089 (NULL byte injection - cURL lib).
  • EXIF:
    • Fixed bug #68113 (Heap corruption in exif_thumbnail()). (CVE-2014-3670)
  • OpenSSL:
    • Reverted fixes for bug #41631, due to regressions.
  • XMLRPC:
    • Fixed bug #68027 (Global buffer overflow in mkgmtime() function). (CVE-2014-3668)

Version 5.6.1

  • Core:
    • Implemented FR #38409 (parse_ini_file() loses the type of booleans).
    • Fixed bug #65463 (SIGSEGV during zend_shutdown()).
    • Fixed bug #66036 (Crash on SIGTERM in apache process).
    • Fixed bug #67878 (program_prefix not honoured in man pages).
    • Fixed bug #67938 (Segfault when extending interface method with variadic).
    • Fixed bug #67985 (Incorrect last used array index copied to new array after unset).
    • Fixed bug #68088 (New Posthandler Potential Illegal efree() vulnerability). (CVE-2014-3622)
  • DOM:
    • Made DOMNode::textContent writeable.
  • Fileinfo:
    • Fixed bug #67731 (finfo::file() returns invalid mime type for binary files).
  • GD:
    • Made fontFetch's path parser thread-safe.
  • GMP:
    • Fixed bug #67917 (Using GMP objects with overloaded operators can cause memory exhaustion).
    • Fixed bug #50175 (gmp_init() results 0 on given base and number starting with 0x or 0b).
    • Implemented gmp_import() and gmp_export().
  • MySQLi:
    • Fixed bug #67839 (mysqli does not handle 4-byte floats correctly).
  • OpenSSL:
    • Fixed bug #67850 (extension won't build if openssl compiled without SSLv3).
  • phpdbg:
    • Fixed issue #111 (compile error without ZEND_SIGNALS).
  • SOAP:
    • Fixed bug #67955 (SoapClient prepends 0-byte to cookie names).
  • Session:
    • Fixed bug #67972 (SessionHandler Invalid memory read create_sid()).
  • Sysvsem:
    • Implemented FR #67990 (Add optional nowait argument to sem_acquire).

Version 5.5.17

  • Core:
    • Fixed bug #47358 (glob returns error, should be empty array()).
    • Fixed bug #65463 (SIGSEGV during zend_shutdown()).
    • Fixed bug #66036 (Crash on SIGTERM in apache process).
    • Fixed bug #67878 (program_prefix not honoured in man pages).
  • COM:
    • Fixed bug #41577 (DOTNET is successful once per server run).
  • Date:
    • Fixed bug #66091 (memory leaks in DateTime constructor).
    • Fixed bug #66985 (Some timezones are no longer valid in PHP 5.5.10).
    • Fixed bug #67109 (First uppercase letter breaks date string parsing).
  • FPM:
    • Fixed bug #67606 (FPM with mod_fastcgi/apache2.4 is broken).
  • GD:
    • Made fontFetch's path parser thread-safe.
  • MySQLi:
    • Fixed bug #67839 (mysqli does not handle 4-byte floats correctly).
  • OpenSSL:
    • Fixed bug #41631 (socket timeouts not honored in blocking SSL reads).
    • Fixed bug #67850 (extension won't build if openssl compiled without SSLv3).
  • SPL:
    • Fixed bug #67813 (CachingIterator::__construct InvalidArgumentException wrong message).
  • Zlib:
    • Fixed bug #67724 (chained zlib filters silently fail with large amounts of data).
    • Fixed bug #67865 (internal corruption phar error).

Version 5.4.33

  • Core:
    • Fixed bug #47358 (glob returns error, should be empty array()).
    • Fixed bug #65463 (SIGSEGV during zend_shutdown()).
    • Fixed bug #66036 (Crash on SIGTERM in apache process).
  • OpenSSL:
    • Fixed bug #41631 (socket timeouts not honored in blocking SSL reads).
  • Date:
    • Fixed bug #66091 (memory leaks in DateTime constructor).
  • FPM:
    • Fixed bug #67606 (FPM with mod_fastcgi/apache2.4 is broken).
  • GD:
    • Made fontFetch's path parser thread-safe.
  • Wddx:
    • Fixed bug #67873 (Segfaults in php_wddx_serialize_var).
  • Zlib:
    • Fixed bug #67724 (chained zlib filters silently fail with large amounts of data).
    • Fixed bug #67865 (internal corruption phar error).

Version 5.6.0

  • General improvements:
    • Added constant scalar expressions syntax.
    • Added dedicated syntax for variadic functions.
    • Added support for argument unpacking to complement the variadic syntax.
    • Added an exponentiation operator (**).
    • Added phpdbg SAPI.
    • Added unified default encoding.
    • The php://input stream is now re-usable and can be used concurrently with enable_post_data_reading=0.
    • Added use function and use const..
    • Added a function for timing attack safe string comparison.
    • Added the __debugInfo() magic method to allow userland classes to implement the get_debug_info API previously available only to extensions.
    • Added gost-crypto (CryptoPro S-box) hash algorithm.
    • Stream wrappers verify peer certificates and host names by default in encrypted client streams.
    • Uploads equal or greater than 2GB in size are now accepted.
  • Core:
    • Fixed bug #67693 (incorrect push to the empty array).
    • Removed inconsistency regarding behaviour of array in constants at run-time.
    • Fixed bug #67497 (eval with parse error causes segmentation fault in generator).
    • Fixed bug #67151 (strtr with empty array crashes).
    • Fixed bug #67407 (Windows 8.1/Server 2012 R2 reported as Windows 8/Server 2012).
    • Fixed bug #66608 (Incorrect behavior with nested "finally" blocks).
    • Implemented FR #34407 (ucwords and Title Case).
    • Fixed bug #67091 (make install fails to install libphp5.so on FreeBSD 10.0).
    • Fixed bug #67368 (Memory leak with immediately dereferenced array in class constant).
    • Fixed bug #67468 (Segfault in highlight_file()/highlight_string()).
    • Fixed bug #67498 (phpinfo() Type Confusion Information Leak Vulnerability).
    • Fixed bug #67551 (php://input temp file will be located in sys_temp_dir instead of upload_tmp_dir).
    • Fixed bug #67169 (array_splice all elements, then []= gives wrong index).
    • Fixed bug #67198 (php://input regression).
    • Fixed bug #67247 (spl_fixedarray_resize integer overflow).
    • Fixed bug #67250 (iptcparse out-of-bounds read).
    • Fixed bug #67252 (convert_uudecode out-of-bounds read).
    • Fixed bug #67249 (printf out-of-bounds read).
    • Implemented FR #64744 (Differentiate between member function call on a null and non-null, non-objects).
    • Fixed bug #67436 (Autoloader isn't called if two method definitions don't match).
    • Fixed bug #66622 (Closures do not correctly capture the late bound class (static::) in some cases).
    • Fixed bug #67390 (insecure temporary file use in the configure script). (CVE-2014-3981)
    • Fixed bug #67392 (dtrace breaks argument unpack).
    • Fixed bug #67428 (header('Location: foo') will override a 308-399 response code).
    • Fixed bug #67433 (SIGSEGV when using count() on an object implementing Countable).
    • Fixed bug #67399 (putenv with empty variable may lead to crash).
    • Expose get_debug_info class hook as __debugInfo() magic method.
    • Implemented unified default encoding (RFC: https://wiki.php.net/rfc/default_encoding).
    • Added T_POW (**) operator (RFC: https://wiki.php.net/rfc/pow-operator).
    • Improved IS_VAR operands fetching.
    • Improved empty string handling. Now ZE uses an interned string instead of allocation new empty string each time.
    • Implemented internal operator overloading (RFC: https://wiki.php.net/rfc/operator_overloading_gmp).
    • Made calls from incompatible context issue an E_DEPRECATED warning instead of E_STRICT (phase 1 of RFC: https://wiki.php.net/rfc/incompat_ctx).
    • Uploads equal or greater than 2GB in size are now accepted.
    • Reduced POST data memory usage by 200-300%. Changed INI setting always_populate_raw_post_data to throw a deprecation warning when enabling and to accept -1 for never populating the $HTTP_RAW_POST_DATA global variable, which will be the default in future PHP versions.
    • Implemented dedicated syntax for variadic functions (RFC: https://wiki.php.net/rfc/variadics).
    • Fixed bug #50333 Improving multi-threaded scalability by using emalloc/efree/estrdup (Anatol, Dmitry)
    • Implemented constant scalar expressions (with support for constants) (RFC: https://wiki.php.net/rfc/const_scalar_exprs).
    • Fixed bug #65784 (Segfault with finally).
    • Fixed bug #66509 (copy() arginfo has changed starting from 5.4).
    • Allow zero length comparison in substr_compare() (Tjerk)
    • Fixed bug #60602 (proc_open() changes environment array) (Tjerk)
    • Fixed bug #61019 (Out of memory on command stream_get_contents).
    • Fixed bug #64330 (stream_socket_server() creates wrong Abstract Namespace UNIX sockets).
    • Fixed bug #66182 (exit in stream filter produces segfault).
    • Fixed bug #66736 (fpassthru broken).
    • Fixed bug #66822 (Cannot use T_POW in const expression) (Tjerk)
    • Fixed bug #67043 (substr_compare broke by previous change) (Tjerk)
    • Fixed bug #65701 (copy() doesn't work when destination filename is created by tempnam()).
    • Fixed bug #66015 (Unexpected array indexing in class's static property).
    • Added (constant) string/array dereferencing to static scalar expressions to complete the set; now possible thanks to #66015 being fixed.
    • Fixed bug #66568 (Update reflection information for unserialize() function).
    • Fixed bug #66660 (Composer.phar install/update fails).
    • Fixed bug #67024 (getimagesize should recognize BMP files with negative height).
    • Fixed bug #67064 (Countable interface prevents using 2nd parameter ($mode) of count() function).
    • Fixed bug #67072 (Echoing unserialized "SplFileObject" crash).
    • Fixed bug #67033 (Remove reference to Windows 95).
  • Apache2 Handler SAPI:
    • Fixed Apache log issue caused by APR's lack of support for %zu (APR issue https://issues.apache.org/bugzilla/show_bug.cgi?id=56120).
  • CLI server:
    • Added some MIME types to the CLI web server.
    • Fixed bug #67079 (Missing MIME types for XML/XSL files).
    • Fixed bug #66830 (Empty header causes PHP built-in web server to hang).
    • Fixed bug #67594 (Unable to access to apache_request_headers() elements).
    • Implemented FR #67429 (CLI server is missing some new HTTP response codes).
    • Fixed bug #67406 (built-in web-server segfaults on startup).
  • COM:
    • Fixed bug #41577 (DOTNET is successful once per server run) (Aidas Kasparas)
    • Fixed missing type checks in com_event_sink (Yussuf Khalil, Stas).
    • Fixed bug #66431 (Special Character via COM Interface (CP_UTF8)).
  • Curl:
    • Implemented FR #65646 (re-enable CURLOPT_FOLLOWLOCATION with open_basedir or safe_mode).
    • Check for openssl.cafile ini directive when loading CA certs.
    • Remove cURL close policy related constants as these have no effect and are no longer used in libcurl.
    • Fixed bug #66109 (Can't reset CURLOPT_CUSTOMREQUEST to default behaviour) (Tjerk)
    • Fix compilation on libcurl versions between 7.10.5 and 7.12.2, inclusive.
    • Fixed bug #64247 (CURLOPT_INFILE doesn't allow reset).
    • Fixed bug #66562 (curl_exec returns differently than curl_multi_getcontent).
  • Date:
    • Fixed bug #66060 (Heap buffer over-read in DateInterval). (CVE-2013-6712)
    • Fixed bug #66091 (memory leaks in DateTime constructor) (Tjerk).
    • Fixed bug #67308 (Serialize of DateTime truncates fractions of second).
    • Fixed regression in fix for #67118 (constructor can't be called twice).
    • Fixed bug #67251 (date_parse_from_format out-of-bounds read).
    • Fixed bug #67253 (timelib_meridian_with_check out-of-bounds read).
    • Added DateTimeImmutable::createFromMutable to create a DateTimeImmutable object from an existing DateTime (mutable) object (Derick)
    • Fixed bug #66721 (__wakeup of DateTime segfaults when invalid object data is supplied).
    • Fixed bug #67118 (DateTime constructor crash with invalid data).
  • DOM:
    • Fixed bug #67081 (DOMDocumentType->internalSubset returns entire DOCTYPE tag, not only the subset).
  • Embed:
    • Fixed bug #65715 (php5embed.lib isn't provided anymore). (Anatol).
  • Fileinfo:
    • Fixed bug #67716 (Segfault in cdf.c). (CVE-2014-3587)
    • Fixed bug #67705 (extensive backtracking in rule regular expression). (CVE-2014-3538)
    • Fixed bug #67327 (fileinfo: CDF infinite loop in nelements DoS). (CVE-2014-0238)
    • Fixed bug #67328 (fileinfo: fileinfo: numerous file_printf calls resulting in performance degradation). (CVE-2014-0237)
    • Fixed bug #67326 (fileinfo: cdf_read_short_sector insufficient boundary check). (CVE-2014-0207)
    • Fixed bug #67329 (fileinfo: NULL pointer deference flaw by processing certain CDF files). (CVE-2014-0236)
    • Fixed bug #67410 (fileinfo: mconvert incorrect handling of truncated pascal string size). (CVE-2014-3478)
    • Fixed bug #67411 (fileinfo: cdf_check_stream_offset insufficient boundary check). (CVE-2014-3479)
    • Fixed bug #67412 (fileinfo: cdf_count_chain insufficient boundary check). (CVE-2014-3480)
    • Fixed bug #67413 (fileinfo: cdf_read_property_info insufficient boundary check). (CVE-2014-3487)
    • Upgraded to libmagic-5.17 (Anatol)
    • Fixed bug #66731 (file: infinite recursion). (CVE-2014-1943)
    • Fixed bug #66820 (out-of-bounds memory access in fileinfo). (CVE-2014-2270)
    • Fixed bug #66946 (fileinfo: extensive backtracking in awk rule regular expression). (CVE-2013-7345)
    • Fixed bug #66987 (Memory corruption in fileinfo ext / bigendian).
    • Fixed bug #66907 (Solaris 10 is missing strcasestr and needs substitute).
    • Fixed bug #66307 (Fileinfo crashes with powerpoint files).
  • FPM:
    • Fixed bug #67606 (revised fix 67541, broke mod_fastcgi BC).
    • Fixed bug #67530 (error_log=syslog ignored).
    • Fixed bug #67635 (php links to systemd libraries without using pkg-config).
    • Fixed bug #67531 (syslog cannot be set in pool configuration).
    • Fixed bug #67541 (Fix Apache 2.4.10+ SetHandler proxy:fcgi:// incompatibilities).
    • Included apparmor support in fpm (RFC: https://wiki.php.net/rfc/fpm_change_hat).
    • Added clear_env configuration directive to disable clearenv() call.
    • Fixed bug #66482 (unknown entry 'priority' in php-fpm.conf).
    • Fixed bug #66908 (php-fpm reload leaks epoll_create() file descriptor).
    • Fixed bug #67060 (sapi/fpm: possible privilege escalation due to insecure default configuration). (CVE-2014-0185)
  • GD:
    • Fixed bug #67730 (Null byte injection possible with imagexxx functions). (CVE-2014-5120)
    • Fixed bug #66901 (php-gd 'c_color' NULL pointer dereference). (CVE-2014-2497)
    • Fixed bug #67248 (imageaffinematrixget missing check of parameters).
    • Fixed imagettftext to load the correct character map rather than the last one.
    • Fixed bug #66356 (Heap Overflow Vulnerability in imagecrop()). (CVE-2013-7226)
    • Fixed bug #66815 (imagecrop(): insufficient fix for NULL defer). (CVE-2013-7327)
    • Fixed bug #66869 (Invalid 2nd argument crashes imageaffinematrixget).
    • Fixed bug #66887 (imagescale - poor quality of scaled image).
    • Fixed bug #66890 (imagescale segfault).
    • Fixed bug #66893 (imagescale ignore method argument).
  • GMP:
    • Fixed bug #66872 (invalid argument crashes gmp_testbit) (Pierre)
    • Fixed crashes in serialize/unserialize.
    • Moved GMP to use object as the underlying structure and implemented various improvements based on this.
    • Added gmp_root() and gmp_rootrem() functions for calculating nth roots.
  • Hash:
    • Added gost-crypto (CryptoPro S-box) GOST hash algo.
    • Fixed bug #66698 (Missing FNV1a32 and FNV1a64 hash functions). (Michael M Slusarz).
    • Implemented timing attack safe string comparison function (RFC: https://wiki.php.net/rfc/timing_attack).
    • hash_pbkdf2() now works correctly if the $length argument is not specified.
  • Intl:
    • Fixed bug #66873 (A reproductible crash in UConverter when given invalid encoding) (Stas)
    • Fixed bug #66921 (Wrong argument type hint for function intltz_from_date_time_zone).
    • Fixed bug #67052 (NumberFormatter::parse() resets LC_NUMERIC setting).
    • Fixed bug #67349 (Locale::parseLocale Double Free).
    • Fixed bug #67397 (Buffer overflow in locale_get_display_name and uloc_getDisplayName (libicu 4.8.1)).
  • JSON:
    • Fixed case part of bug #64874 ("json_decode handles whitespace and case-sensitivity incorrectly")
    • Fixed bug #65753 (JsonSerializeable couldn't implement on module extension) (chobieeee@php.net)
    • Fixed bug #66021 (Blank line inside empty array/object when JSON_PRETTY_PRINT is set).
  • ldap:
    • Added new function ldap_modify_batch().
    • Fixed issue with null bytes in LDAP bindings.
  • litespeed:
    • Fixed bug #63228 (-Werror=format-security error in lsapi code).
  • Mail:
    • Fixed bug #66535 (Don't add newline after X-PHP-Originating-Script) (Tjerk)
  • Mcrypt:
    • No longer allow invalid key sizes, invalid IV sizes or missing required IV in mcrypt_encrypt, mcrypt_decrypt and the deprecated mode functions.
    • Use /dev/urandom as the default source for mcrypt_create_iv().
  • Mbstring:
    • Upgraded to oniguruma 5.9.5 (Anatol)
    • Fixed bug #67199 (mb_regex_encoding mismatch).
  • Milter:
    • Fixed bug #67715 (php-milter does not build and crashes randomly).
  • mysqli:
    • Added new function mysqli_get_links_stats() as well as new INI variable mysqli.rollback_on_cached_plink of type bool (Andrey)
    • Fixed bug #66762 (Segfault in mysqli_stmt::bind_result() when link closed) (Remi)
    • Fixed building against an external libmysqlclient.
  • mysqlnd:
    • Disabled flag for SP OUT variables for 5.5+ servers as they are not natively supported by the overlying APIs.
    • Added a new fetching mode to mysqlnd.
    • Added support for gb18030 from MySQL 5.7.
  • Network:
    • Fixed bug #67717 (segfault in dns_get_record). (CVE-2014-3597)
    • Fixed bug #67432 (Fix potential segfault in dns_get_record()). (CVE-2014-4049)
  • OCI8:
    • Fixed bug #66875 (Improve performance of multi-row OCI_RETURN_LOB queries) (Perrier, Chris Jones)
  • ODBC:
    • Fixed bug #60616 (odbc_fetch_into returns junk at end of multi-byte char fields).
  • OpenSSL:
    • Fixed missing type checks in OpenSSL options (Yussuf Khalil, Stas).
    • Fixed bug #67609 (TLS connections fail behind HTTP proxy).
    • Fixed broken build against OpenSSL older than 0.9.8 where ECDH unavailable.
    • Fixed bug #67666 (Subject altNames doesn't support wildcard matching).
    • Fixed bug #67224 (Fall back to crypto_type from context if not specified explicitly in stream_socket_enable_crypto).
    • Fixed bug #65698 (certificates validity parsing does not work past 2050).
    • Fixed bug #66636 (openssl_x509_parse warning with V_ASN1_GENERALIZEDTIME).
    • Peer certificates now verified by default in client socket operations (RFC: https://wiki.php.net/rfc/tls-peer-verification).
    • New openssl.cafile and openssl.capath ini directives.
    • Added crypto_method option for the ssl stream context.
    • Added certificate fingerprint support.
    • Added explicit TLSv1.1 and TLSv1.2 stream transports.
    • Fixed bug #65729 (CN_match gives false positive).
    • Peer name verification matches SAN DNS names for certs using the Subject Alternative Name x509 extension.
    • Fixed segfault when built against OpenSSL>=1.0.1 (Daniel Lowrey)
    • Added SPKAC support.
    • Fallback to Windows CA cert store for peer verification if no openssl.cafile ini directive or "cafile" SSL context option specified in Windows.
    • The openssl.cafile and openssl.capath ini directives introduced in alpha2 now have PHP_INI_PERDIR accessibility (was PHP_INI_ALL).
    • New "peer_name" SSL context option replaces "CN_match" (which still works as before but triggers E_DEPRECATED).
    • Fixed segfault when accessing non-existent context for client SNI use (Daniel Lowrey)
    • Fixed bug #66501 (Add EC key support to php_openssl_is_private_key).
    • Fixed bug #47030 (add new boolean "verify_peer_name" SSL context option allowing clients to verify cert names separately from the cert itself). "verify_peer_name" is enabled by default for client streams.
    • Fixed bug #65538 ("cafile" SSL context option now supports stream wrappers).
    • New openssl_get_cert_locations() function to aid CA file and peer verification debugging.
    • Encrypted stream wrappers now disable TLS compression by default.
    • New "capture_session_meta" SSL context option allows encrypted client and server streams access to negotiated protocol/cipher information.
    • New "honor_cipher_order" SSL context option allows servers to prioritize cipher suites of their choosing when negotiating SSL/TLS handshakes.
    • New "single_ecdh_use" and "single_dh_use" SSL context options allow for improved forward secrecy in encrypted stream servers.
    • New "dh_param" SSL context option allows stream servers control over the parameters when negotiating DHE cipher suites.
    • New "ecdh_curve" SSL context option allowing stream servers to specify the curve to use when negotiating ephemeral ECDHE ciphers (defaults to NIST P-256).
    • New "rsa_key_size" SSL context option gives stream servers control over the key size (in bits) used for RSA key agreements.
    • Crypto methods for encrypted client and server streams now use bitwise flags for fine-grained protocol support.
    • Added new tlsv1.0 stream wrapper to specify TLSv1 client/server method. tls wrapper now negotiates TLSv1, TLSv1.1 or TLSv1.2.
    • Encrypted client streams now enable SNI by default.
    • Encrypted streams now prioritize ephemeral key agreement and high strength ciphers by default.
    • New OPENSSL_DEFAULT_STREAM_CIPHERS constant exposes default cipher list.
    • New STREAM_CRYPTO_METHOD_* constants for enhanced control over the crypto methods negotiated encrypted server/client sessions.
    • Encrypted stream servers now automatically mitigate potential DoS vector arising from client-initiated TLS renegotiation. New "reneg_limit", "reneg_window" and "reneg_limit_callback" SSL context options for custom renegotiation limiting control.
    • Fixed memory leak in windows cert verification on verify failure.
    • Peer certificate capturing via SSL context options now functions even if peer verification fails.
    • Encrypted TLS servers now support the server name indication TLS extension via the new "SNI_server_certs" SSL context option.
    • Fixed bug #66833 (Default disgest algo is still MD5, switch to SHA1).
    • Fixed bug #66942 (memory leak in openssl_seal()).
    • Fixed bug #66952 (memory leak in openssl_open()).
    • Fixed bug #66840 (Fix broken build when extension built separately).
  • OPcache:
    • Added an optimization of class constants and constant calls to some internal functions (Laruence, Dmitry)
    • Added an optimization pass to convert FCALL_BY_NAME into DO_FCALL.
    • Added an optimization pass to merged identical constants (and related cache_slots) in op_array->literals table.
    • Added script level constant replacement optimization pass.
    • Added function opcache_is_script_cached().
    • Added information about interned strings usage.
    • Fixed bug #67215 (php-cgi work with opcache, may be segmentation fault happen) (Dmitry, Laruence)
  • PCRE:
    • Fixed bug #67238 (Ungreedy and min/max quantifier bug, applied patch from the upstream).
    • Upgraded to PCRE 8.34.
    • Added support for (*MARK) backtracking verbs.
  • pgsql:
    • Fixed bug #67550 (Error in code "form" instead of "from", pgsql.c, line 756), which affected builds against libpq < 7.3.
    • pg_insert()/pg_select()/pg_update()/pg_delete() are no longer EXPERIMENTAL.
    • Implemented FR #25854 (Return value for pg_insert should be resource instead of bool).
    • Implemented FR #41146 (Add "description" with exteneded flag pg_meta_data(). pg_meta_data(resource $conn, string $table [, bool extended]) It also made pg_meta_data() return "is enum" always).
    • Read-only access to the socket stream underlying database connections is exposed via a new pg_socket() function to allow read/write polling when establishing asynchronous connections and executing queries in non-blocking applications.
    • Asynchronous connections are now possible using the PGSQL_CONNECT_ASYNC flag in conjunction with a new pg_connect_poll() function and connection polling status constants.
    • New pg_flush() and pg_consume_input() functions added to manually complete non-blocking reads/writes to underlying connection sockets.
    • pg_version() returns full report which obtained by PQparameterStatus().
    • Added pg_lo_truncate().
    • Added 64bit large object support for PostgreSQL 9.3 and later.
    • Fixed bug #67555 (Cannot build against libpq 7.3).
  • phpdbg:
    • Fixed bug #67575 (Compilation fails for phpdbg when the build directory != src directory).
    • Fixed bug #67499 (readline feature not enabled when build with libedit).
    • Fixed issue #94 (List behavior is inconsistent).
    • Fixed issue #97 (The prompt should always ensure it is on a newline).
    • Fixed issue #98 (break if does not seem to work).
    • Fixed issue #99 (register function has the same behavior as run).
    • Fixed issue #100 (No way to list the current stack/frames) (Help entry was missing).
    • Fixed bug which caused phpdbg to fail immediately on startup in non-debug builds.
    • Fixed bug #67212 (phpdbg uses non-standard TIOCGWINSZ).
    • Included phpdbg sapi (RFC: https://wiki.php.net/rfc/phpdbg).
    • Added watchpoints (watch command).
    • Renamed some commands (next => continue and how to step).
    • Fixed issue #85 (Added stdin/stdout/stderr constants and their php:// wrappers).
  • PDO:
    • Fixed bug #66604 ('pdo/php_pdo_error.h' not copied to the include dir).
  • PDO-ODBC:
    • Fixed bug #50444 (PDO-ODBC changes for 64-bit).
  • PDO_pgsql:
    • Fixed bug #42614 (PDO_pgsql: add pg_get_notify support).
    • Fixed bug #63657 (pgsqlCopyFromFile, pgsqlCopyToArray use Postgres < 7.3 syntax).
    • Cleaned up code by increasing the requirements to libpq versions providing PQexecParams, PQprepare, PQescapeStringConn, PQescapeByteaConn. According to the release notes that means 8.0.8+ or 8.1.4+.
    • Deprecated PDO::PGSQL_ATTR_DISABLE_NATIVE_PREPARED_STATEMENT, an undocument constant effectively equivalent to PDO::ATTR_EMULATE_PREPARES.
    • Added PDO::PGSQL_ATTR_DISABLE_PREPARES constant to execute the queries without preparing them, while still passing parameters separately from the command text using PQexecParams.
  • PDO_firebird:
    • Fixed bug #66071 (memory corruption in error handling) (Popa)
  • Phar:
    • Fixed bug #64498 ($phar->buildFromDirectory can't compress file with an accent in its name).
    • Fixed bug #67587 (Redirection loop on nginx with FPM).
  • readline:
    • Fixed bug #55496 (Interactive mode doesn't force a newline before the prompt).
    • Fixed bug #67496 (Save command history when exiting interactive shell with control-c).
  • Reflection:
    • Implemented FR #67713 (loosen the restrictions on ReflectionClass::newInstanceWithoutConstructor()).
  • Session:
    • Fixed bug #67694 (Regression in session_regenerate_id()).
    • Fixed missing type checks in php_session_create_id (Yussuf Khalil, Stas).
    • Fixed bug #66827 (Session raises E_NOTICE when session name variable is array).
    • Fixed bug #65315 (session.hash_function silently fallback to default md5) (Yasuo)
    • Implemented FR #17860 (Session write short circuit).
    • Implemented FR #20421 (session_abort() and session_reset() function).
    • Remove session_gc() and session_serializer_name() wich were introduced in the first 5.6.0 alpha.
  • SimpleXML:
    • Fixed bug #66084 (simplexml_load_string() mangles empty node name) (Anatol)
  • SQLite:
    • Updated the bundled libsqlite to the version 3.8.3.1 (Anatol)
    • Fixed bug #66967 (Updated bundled libsqlite to 3.8.4.3).
  • SOAP:
    • Implemented FR #49898 (Add SoapClient::__getCookies()).
  • SPL:
    • Revert fix for #67064 (BC issues).
    • Fixed bug #67539 (ArrayIterator use-after-free due to object change during sorting). (CVE-2014-4698)
    • Fixed bug #67538 (SPL Iterators use-after-free). (CVE-2014-4670)
    • Fixed bug #67492 (unserialize() SPL ArrayObject / SPLObjectStorage Type Confusion). (CVE-2014-3515)
    • Fixed bug #67359 (Segfault in recursiveDirectoryIterator).
    • Fixed bug #66127 (Segmentation fault with ArrayObject unset).
    • Implemented FR #67453 (Allow to unserialize empty data).
    • Fixed bug #66834 (empty() does not work on classes that extend ArrayObject) (Tjerk)
    • Fixed bug #66702 (RegexIterator::INVERT_MATCH does not invert).
  • Standard:
    • Implemented FR #65634 (HTTP wrapper is very slow with protocol_version 1.1).
    • Implemented Change crypt() behavior w/o salt RFC. (Yasuo) https://wiki.php.net/rfc/crypt_function_salt
    • Implemented FR #49824 (Change array_fill() to allow creating empty array).
  • Streams:
    • Fixed bug #67430 (http:// wrapper doesn't follow 308 redirects).
  • Tokenizer:
    • Fixed bug #67395 (token_name() does not return name for T_POW and T_POW_EQUAL token).
  • XMLReader:
    • Fixed bug #55285 (XMLReader::getAttribute/No/Ns methods inconsistency).
  • XSL:
    • Fixed bug #53965 (<xsl:include> cannot find files with relative paths when loaded with "file://").
  • Zip:
    • update libzip to version 1.11.2. PHP don't use any ilibzip private symbol anymore.
    • new method ZipArchive::setPassword($password).
    • add --with-libzip option to build with system libzip.
    • new methods: ZipArchive::setExternalAttributesName($name, $opsys, $attr [, $flags]) ZipArchive::setExternalAttributesIndex($idx, $opsys, $attr [, $flags]) ZipArchive::getExternalAttributesName($name, &$opsys, &$attr [, $flags]) ZipArchive::getExternalAttributesIndex($idx, &$opsys, &$attr [, $flags])
  • Zlib:
    • Fixed bug #67865 (internal corruption phar error). Mike
    • Fixed bug #67724 (chained zlib filters silently fail with large amounts of data).

Version 5.5.16

  • COM:
    • Fixed missing type checks in com_event_sink.
  • Core:
    • Fixed bug #67693 (incorrect push to the empty array).
  • Fileinfo:
    • Fixed bug #67705 (extensive backtracking in rule regular expression). (CVE-2014-3538).
    • Fixed bug #67716 (Segfault in cdf.c). (CVE-2014-3587).
  • FPM:
    • Fixed bug #67635 (php links to systemd libraries without using pkg-config).
  • GD:
    • Fixed bug #66901 (php-gd 'c_color' NULL pointer dereference). (CVE-2014-2497).
    • Fixed bug #67730 (Null byte injection possible with imagexxx functions). (CVE-2014-5120).
  • Milter:
    • Fixed bug #67715 (php-milter does not build and crashes randomly).
  • Network:
    • Fixed bug #67717 (segfault in dns_get_record). (CVE-2014-3597).
  • OpenSSL:
    • Fixed missing type checks in OpenSSL options.
  • readline:
    • Fixed bug #55496 (Interactive mode doesn't force a newline before the prompt).
    • Fixed bug #67496 (Save command history when exiting interactive shell with control-c).
  • Sessions:
    • Fixed missing type checks in php_session_create_id.
  • ODBC:
    • Fixed bug #60616 (odbc_fetch_into returns junk data at end of multi-byte char fields).

Version 5.4.32

  • Core:
    • Fixed bug #67717 (segfault in dns_get_record) (CVE-2014-3597).
    • Fixed bug #67693 (incorrect push to the empty array)
  • COM:
    • Fixed missing type checks in com_event_sink.
  • Fileinfo:
    • Fixed bug #67705 (extensive backtracking in rule regular expression) (CVE-2014-3538).
    • Fixed bug #67716 (Segfault in cdf.c) (CVE-2014-3587).
  • GD:
    • Fixed bug #66901 (php-gd 'c_color' NULL pointer dereference) (CVE-2014-2497).
    • Fixed bug #67730 (Null byte injection possible with imagexxx functions) (CVE-2014-5120).
  • Milter:
    • Fixed bug #67715 (php-milter does not build and crashes randomly).
  • OpenSSL:
    • Fixed missing type checks in OpenSSL options (Yussuf Khalil, Stas).
  • Readline:
    • Fixed bug #55496 (Interactive mode doesn't force a newline before the prompt).
    • Fixed bug #67496 (Save command history when exiting interactive shell with control-c).
  • Sessions:
    • Fixed missing type checks in php_session_create_id.
  • SPL:
    • Fixed bug #67539 (ArrayIterator use-after-free due to object change during sorting) (CVE-2014-4698).
    • Fixed bug #67538 (SPL Iterators use-after-free) (CVE-2014-4670).
  • ODBC:
    • Fixed bug #60616 (odbc_fetch_into returns junk data at end of multi-byte char fields).

Version 5.3.29

  • Core:
    • Fixed bug #66127 (Segmentation fault with ArrayObject unset).
    • Fixed bug #67247 (spl_fixedarray_resize integer overflow).
    • Fixed bug #67249 (printf out-of-bounds read).
    • Fixed bug #67250 (iptcparse out-of-bounds read).
    • Fixed bug #67252 (convert_uudecode out-of-bounds read).
    • Fixed bug #67359 (Segfault in recursiveDirectoryIterator).
    • Fixed bug #67390 (insecure temporary file use in the configure script). (CVE-2014-3981)
    • Fixed bug #67399 (putenv with empty variable may lead to crash).
    • Fixed bug #67492 (unserialize() SPL ArrayObject / SPLObjectStorage Type Confusion) (CVE-2014-3515).
    • Fixed bug #67498 (phpinfo() Type Confusion Information Leak Vulnerability).
  • COM:
    • Fixed missing type checks in com_event_sink.
  • Date:
    • Fixed bug #66060 (Heap buffer over-read in DateInterval). (CVE-2013-6712)
    • Fixed bug #67251 (date_parse_from_format out-of-bounds read).
    • Fixed bug #67253 (timelib_meridian_with_check out-of-bounds read).
  • Exif:
    • Fixed bug #65873 (Integer overflow in exif_read_data()).
  • Fileinfo:
    • Fixed bug #66307 (Fileinfo crashes with powerpoint files).
    • Fixed bug #67326 (fileinfo: cdf_read_short_sector insufficient boundary check). (CVE-2014-0207)
    • Fixed bug #67327 (fileinfo: CDF infinite loop in nelements DoS). (CVE-2014-0238)
    • Fixed bug #67328 (fileinfo: fileinfo: numerous file_printf calls resulting in performance degradation). (CVE-2014-0237)
    • Fixed bug #67410 (fileinfo: mconvert incorrect handling of truncated pascal string size) (CVE-2014-3478).
    • Fixed bug #67411 (fileinfo: cdf_check_stream_offset insufficient boundary check) (CVE-2014-3479).
    • Fixed bug #67412 (fileinfo: cdf_count_chain insufficient boundary check) (CVE-2014-3480).
    • Fixed bug #67413 (fileinfo: cdf_read_property_info insufficient boundary check) (CVE-2014-3487).
  • Intl:
    • Fixed bug #67349 (Locale::parseLocale Double Free).
    • Fixed bug #67397 (Buffer overflow in locale_get_display_name and uloc_getDisplayName (libicu 4.8.1)).
  • Network:
    • Fixed bug #67432 (Fix potential segfault in dns_get_record()). (CVE-2014-4049)
  • OpenSSL:
    • Fixed missing type checks in OpenSSL options.
  • Session:
    • Fixed missing type checks in php_session_create_id.

Version 5.5.15

  • CLI server:
    • Fixed bug #67429 (CLI server is missing some new HTTP response codes).
    • Fixed bug #66830 (Empty header causes PHP built-in web server to hang).
  • Core:
    • Fixed bug #67428 (header('Location: foo') will override a 308-399 response code).
    • Fixed bug #67436 (Autoloader isn't called if two method definitions don't match).
    • Fixed bug #67091 (make install fails to install libphp5.so on FreeBSD 10.0).
    • Fixed bug #67497 eval with parse error causes segmentation fault in generator).
    • Fixed bug #67151 (strtr with empty array crashes).
    • Fixed bug #67407 (Windows 8.1/Server 2012 R2 reported as Windows 8/Server 2012).
  • FPM:
    • Fixed bug #67530 (error_log=syslog ignored).
    • Fixed bug #67531 (syslog cannot be set in pool configuratio).
  • Intl:
    • Fixed bug #66921 (Wrong argument type hint for function intltz_from_date_time_zone).
    • Fixed bug #67052 (NumberFormatter::parse() resets LC_NUMERIC setting).
  • OPCache:
    • Fixed bug #67215 (php-cgi work with opcache, may be segmentation fault happen).
  • pgsql:
    • Fixed bug #67550 (Error in code "form" instead of "from", pgsql.c, line 756), which affected builds against libpq < 7.3).
  • Phar:
    • Fixed bug #67587 (Redirection loop on nginx with FPM).
  • SPL:
    • Fixed bug #67539 (ArrayIterator use-after-free due to object change during sorting). (CVE-2014-4698)
    • Fixed bug #67538 (SPL Iterators use-after-free) (CVE-2014-4670).
  • Streams:
    • Fixed bug #67430 (http:// wrapper doesn't follow 308 redirects).

Version 5.4.31

  • Core:
    • Fixed bug #67428 (header('Location: foo') will override a 308-399 response code).
    • Fixed bug #67436 (Autoloader isn't called if two method definitions don't match).
    • Fixed bug #67091 (make install fails to install libphp5.so on FreeBSD 10.0).
    • Fixed bug #67151 (strtr with empty array crashes).
    • Fixed bug #67407 (Windows 8.1/Server 2012 R2 reported as Windows 8/Server 2012).
  • CLI server:
    • Implemented FR #67429 (CLI server is missing some new HTTP response codes).
    • Fixed bug #66830 (Empty header causes PHP built-in web server to hang).
  • FPM:
    • Fixed bug #67530 (error_log=syslog ignored).
    • Fixed bug #67531 (syslog cannot be set in pool configuration).
  • Intl:
    • Fixed bug #67052 (NumberFormatter::parse() resets LC_NUMERIC setting).
  • pgsql:
    • Fixed bug #67550 (Error in code "form" instead of "from", pgsql.c, line 756), which affected builds against libpq < 7.3.
  • Phar:
    • Fixed bug #67587 (Redirection loop on nginx with FPM).
  • Streams:
    • Fixed bug #67430 (http:// wrapper doesn't follow 308 redirects).

Version 5.5.14

  • CLI server:
    • Fixed bug #67406 (built-in web-server segfaults on startup).
  • Core:
    • Fixed bug #66622 (Closures do not correctly capture the late bound class (static::) in some cases).
    • Fixed bug #67390 (insecure temporary file use in the configure script). (CVE-2014-3981).
    • Fixed bug #67399 (putenv with empty variable may lead to crash).
    • Fixed bug #67498 (phpinfo() Type Confusion Information Leak Vulnerability).
    • Fixed BC break introduced by patch for bug #67072.
  • Date:
    • Fixed bug #67308 (Serialize of DateTime truncates fractions of second).
    • Fixed regression in fix for bug #67118 (constructor can't be called twice).
  • Fileinfo:
    • Fixed bug #67326 (cdf_read_short_sector insufficient boundary check). (CVE-2014-0207)).
    • Fixed bug #67410 (mconvert incorrect handling of truncated pascal string size). (CVE-2014-3478).
    • Fixed bug #67411 (cdf_check_stream_offset insufficient boundary check). (CVE-2014-3479).
    • Fixed bug #67412 (cdf_count_chain insufficient boundary check). (CVE-2014-3480).
    • Fixed bug #67413 (cdf_read_property_info insufficient boundary check). (CVE-2014-3487).
  • Intl:
    • Fixed bug #67349 (Locale::parseLocale Double Free).
    • Fixed bug #67397 (Buffer overflow in locale_get_display_name and uloc_getDisplayName (libicu 4.8.1)).
  • Network:
    • Fixed bug #67432 (Fix potential segfault in dns_get_record()). (CVE-2014-4049)).
  • OPCache:
    • Fixed issue #183 (TMP_VAR is not only used once).
  • OpenSSL:
    • Fixed bug #65698 (certificates validity parsing does not work past 2050).
    • Fixed bug #66636 (openssl_x509_parse warning with V_ASN1_GENERALIZEDTIME).
  • PDO-ODBC:
    • Fixed bug #50444 (PDO-ODBC changes for 64-bit).
  • SOAP:
    • Implemented FR #49898 (Add SoapClient::__getCookies()).
  • SPL:
    • Fixed bug #66127 (Segmentation fault with ArrayObject unset).
    • Fixed bug #67359 (Segfault in recursiveDirectoryIterator).
    • Fixed bug #67360 (Missing element after ArrayObject::getIterator).
    • Fixed bug #67492 (unserialize() SPL ArrayObject / SPLObjectStorage Type Confusion). (CVE-2014-3515).

Version 5.4.30

  • Core:
    • Fixed BC break introduced by patch for bug #67072.
    • Fixed bug #66622 (Closures do not correctly capture the late bound class (static::) in some cases).
    • Fixed bug #67390 (insecure temporary file use in the configure script) (CVE-2014-3981).
    • Fixed bug #67399 (putenv with empty variable may lead to crash).
    • Fixed bug #67498 (phpinfo() Type Confusion Information Leak Vulnerability).
  • CLI server:
    • Fixed bug #67406 (built-in web-server segfaults on startup).
  • Date:
    • Fixed bug #67308 (Serialize of DateTime truncates fractions of second).
    • Fixed regression in fix for bug #67118 (constructor can't be called twice).
  • Fileinfo:
    • Fixed bug #67326 (fileinfo: cdf_read_short_sector insufficient boundary check) (CVE-2014-0207).
    • Fixed bug #67410 (fileinfo: mconvert incorrect handling of truncated pascal string size) (CVE-2014-3478).
    • Fixed bug #67411 (fileinfo: cdf_check_stream_offset insufficient boundary check) (CVE-2014-3479).
    • Fixed bug #67412 (fileinfo: cdf_count_chain insufficient boundary check) (CVE-2014-3480).
    • Fixed bug #67413 (fileinfo: cdf_read_property_info insufficient boundary check) (CVE-2014-3487).
  • Intl:
    • Fixed bug #67349 (Locale::parseLocale Double Free).
    • Fixed bug #67397 (Buffer overflow in locale_get_display_name and uloc_getDisplayName (libicu 4.8.1)).
  • Network:
    • Fixed bug #67432 (Fix potential segfault in dns_get_record()) (CVE-2014-4049).
  • OpenSSL:
    • Fixed bug #65698 (certificates validity parsing does not work past 2050).
    • Fixed bug #66636 (openssl_x509_parse warning with V_ASN1_GENERALIZEDTIME).
  • SOAP:
    • Implemented FR #49898 (Add SoapClient::__getCookies()).
  • SPL:
    • Fixed bug #66127 (Segmentation fault with ArrayObject unset).
    • Fixed bug #67359 (Segfault in recursiveDirectoryIterator).
    • Fixed bug #67360 (Missing element after ArrayObject::getIterator).
    • Fixed bug #67492 (unserialize() SPL ArrayObject / SPLObjectStorage Type Confusion) (CVE-2014-3515).

Version 5.5.13

  • CLI server:
    • Fixed bug #67079 (Missing MIME types for XML/XSL files).
  • COM:
    • Fixed bug #66431 (Special Character via COM Interface (CP_UTF8)).
  • Core:
    • Fixed bug #65701 (copy() doesn't work when destination filename is created by tempnam()).
    • Fixed bug #67072 (Echoing unserialized "SplFileObject" crash).
    • Fixed bug #67245 (usage of memcpy() with overlapping src and dst in zend_exceptions.c).
    • Fixed bug #67247 (spl_fixedarray_resize integer overflow).
    • Fixed bug #67249 (printf out-of-bounds read).
    • Fixed bug #67250 (iptcparse out-of-bounds read).
  • cURL:
    • Fixed bug #64247 (CURLOPT_INFILE doesn't allow reset).
  • Date:
    • Fixed bug #67118 (DateTime constructor crash with invalid data).
    • Fixed bug #67251 (date_parse_from_format out-of-bounds read).
    • Fixed bug #67253 (timelib_meridian_with_check out-of-bounds read).
  • DOM:
    • Fixed bug #67081 (DOMDocumentType->internalSubset returns entire DOCTYPE tag, not only the subset).
  • Fileinfo:
    • Fixed bug #66307 (Fileinfo crashes with powerpoint files).
    • Fixed bug #67327 (CDF infinite loop in nelements DoS) (CVE-2014-0238).
    • Fixed bug #67328 (numerous file_printf calls resulting in performance degradation) (CVE-2014-0237).
  • FPM:
    • Fixed bug #66908 (php-fpm reload leaks epoll_create() file descriptor).
  • GD:
    • Fixed bug #67248 (imageaffinematrixget missing check of parameters).
  • PCRE:
    • Fixed bug #67248 Ungreedy and min/max quantifier bug, applied patch from the upstream.
  • Phar:
    • Fixed bug #64498 ($phar->buildFromDirectory can't compress file with an accent in its name).

Version 5.4.29

  • COM:
    • Fixed bug #66431 (Special Character via COM Interface (CP_UTF8)).
  • Core:
    • Fixed bug #65701 (copy() doesn't work when destination filename is created by tempnam()).
    • Fixed bug #67072 (Echoing unserialized "SplFileObject" crash).
    • Fixed bug #67245 (usage of memcpy() with overlapping src and dst in zend_exceptions.c).
    • Fixed bug #67247 (spl_fixedarray_resize integer overflow).
    • Fixed bug #67249 (printf out-of-bounds read).
    • Fixed bug #67250 (iptcparse out-of-bounds read).
    • Fixed bug #67252 (convert_uudecode out-of-bounds read). (Stas) - Fileinfo:
    • Fixed bug #66307 (Fileinfo crashes with powerpoint files).
    • Fixed bug #67327 (fileinfo: CDF infinite loop in nelements DoS). (CVE-2014-0238)
    • Fixed bug #67328 (fileinfo: fileinfo: numerous file_printf calls resulting in performance degradation). (CVE-2014-0237)
  • Date:
    • Fixed bug #67118 (DateTime constructor crash with invalid data).
    • Fixed bug #67251 (date_parse_from_format out-of-bounds read).
    • Fixed bug #67253 (timelib_meridian_with_check out-of-bounds read).
  • DOM:
    • Fixed bug #67081 (DOMDocumentType->internalSubset returns entire DOCTYPE tag, not only the subset).
  • FPM:
    • Fixed bug #66908 (php-fpm reload leaks epoll_create() file descriptor).
  • Phar:
    • Fixed bug #64498 ($phar->buildFromDirectory can't compress file with an accent in its name).

Version 5.5.12

  • Core:
    • Fixed bug #61019 (Out of memory on command stream_get_contents).
    • Fixed bug #64330 (stream_socket_server() creates wrong Abstract Namespace UNIX sockets).
    • Fixed bug #66182 (exit in stream filter produces segfault).
    • Fixed bug #66736 (fpassthru broken).
    • Fixed bug #67024 (getimagesize should recognize BMP files with negative heighty).
    • Fixed bug #67043 (substr_compare broke by previous change).
  • cURL:
    • Fixed bug #66562 (curl_exec returns differently than curl_multi_getcontent).
  • Date:
    • Fixed bug #66721 (__wakeup of DateTime segfaults when invalid object data is supplied).
  • Embed:
    • Fixed bug #65715 (php5embed.lib isn't provided anymore).
  • Fileinfo:
    • Fixed bug #66987 (Memory corruption in fileinfo ext / bigendian).
  • FPM:
    • Fixed bug #66482 (unknown entry 'priority' in php-fpm.conf).
    • Fixed bug #67060 (possible privilege escalation due to insecure default configuration). (CVE-2014-0185)).
  • Json:
    • Fixed bug #66021 (Blank line inside empty array/object when JSON_PRETTY_PRINT is set).
  • LDAP:
    • Fixed issue with null bytes in LDAP bindings.
  • mysqli:
    • Fixed problem in mysqli_commit()/mysqli_rollback() with second parameter (extra comma) and third parameters (lack of escaping).
  • Openssl:
    • Fixed bug #66942 (memory leak in openssl_seal()).
    • Fixed bug #66952 (memory leak in openssl_open()).
  • SimpleXML:
    • Fixed bug #66084 (simplexml_load_string() mangles empty node name).
  • SQLite:
    • Fixed bug #66967 (Updated bundled libsqlite to 3.8.4.3)
  • XSL:
    • Fixed bug #53965 (<xsl:include> cannot find files with relative paths when loaded with "file://")
  • Apache2 Handler SAPI:
    • Fixed Apache log issue caused by APR's lack of support for %zu (APR issue https://issues.apache.org/bugzilla/show_bug.cgi?id=56120)

Version 5.4.28

  • Core:
    • Fixed bug #61019 (Out of memory on command stream_get_contents).
    • Fixed bug #64330 (stream_socket_server() creates wrong Abstract Namespace UNIX sockets).
    • Fixed bug #66171 (Symlinks and session handler allow open_basedir bypass).
    • Fixed bug #66182 (exit in stream filter produces segfault).
    • Fixed bug #66736 (fpassthru broken).
    • Fixed bug #67024 (getimagesize should recognize BMP files with negative height).
  • cURL:
    • Fixed bug #66562 (curl_exec returns differently than curl_multi_getcontent).
  • Date:
    • Fixed bug #66721 (__wakeup of DateTime segfaults when invalid object data is supplied).
  • Embed:
    • Fixed bug #65715 (php5embed.lib isn't provided anymore).
  • Fileinfo:
    • Fixed bug #66987 (Memory corruption in fileinfo ext / bigendian).
  • FPM:
    • Fixed bug #66482 (unknown entry 'priority' in php-fpm.conf).
    • Fixed bug #67060 (sapi/fpm: possible privilege escalation due to insecure default configuration) (CVE-2014-0185).
  • JSON:
    • Fixed bug #66021 (Blank line inside empty array/object when JSON_PRETTY_PRINT is set).
  • LDAP:
    • Fixed issue with null bytes in LDAP bindings.
  • OpenSSL:
    • Fixed bug #66942 (memory leak in openssl_seal()).
    • Fixed bug #66952 (memory leak in openssl_open()).
  • SimpleXML:
    • Fixed bug #66084 (simplexml_load_string() mangles empty node name) (Anatol)
  • XSL:
    • Fixed bug #53965 (<xsl:include> cannot find files with relative paths when loaded with "file://").
  • Apache2 Handler SAPI:
    • Fixed Apache log issue caused by APR's lack of support for %zu (APR issue 56120).

Version 5.5.11

  • Core:
    • Fixed bug #60602 (proc_open() changes environment array).
    • Allow zero length comparison in substr_compare().
  • cURL:
    • Fixed bug #66109 (Can't reset CURLOPT_CUSTOMREQUEST to default behaviour).
    • Fix compilation on libcurl versions between 7.10.5 and 7.12.2, inclusive.
  • Fileinfo:
    • Fixed bug #66946 (fileinfo: extensive backtracking in awk rule regular expression (CVE-2013-7345)).
  • FPM:
    • Added clear_env configuration directive to disable clearenv() call.
  • GD:
    • Fixed bug #66714 (imageconvolution breakage).
    • Fixed bug #66869 (Invalid 2nd argument crashes imageaffinematrixget).
    • Fixed bug #66887 (imagescale - poor quality of scaled image).
    • Fixed bug #66890 (imagescale segfault).
    • Fixed bug #66893 (imagescale ignore method argument).
  • GMP:
    • Fixed bug #66872 (invalid argument crashes gmp_testbit).
  • Hash:
    • hash_pbkdf2() now works correctly if the $length argument is not specified.
  • Intl:
    • Fixed bug #66873 A reproductible crash in UConverter when given invalid encoding.
  • Mail:
    • Fixed bug #66535 (Don't add newline after X-PHP-Originating-Script).
  • MySQLi:
    • Fixed bug #66762 (Segfault in mysqli_stmt::bind_result() when link closed).
  • OPCache:
    • Added function opcache_is_script_cached().
    • Added information about interned strings usage.
  • Openssl:
    • Fixed bug #66833 (Default disgest algo is still MD5, switch to SHA1).
  • SQLite:
    • Updated bundled libsqlite to 3.8.3.1.
  • SPL:
    • Added feature #65545 (SplFileObject::fread()).

Version 5.4.27

  • Core:
    • Fixed bug #60602 (proc_open() changes environment array)
  • Fileinfo:
    • Fixed bug #66946 (fileinfo: extensive backtracking in awk rule regular expression (CVE-2013-7345))
  • FPM:
    • Added clear_env configuration directive to disable clearenv() call.
  • GMP:
    • Fixed bug #66872 (invalid argument crashes gmp_testbit)
  • Mail:
    • Fixed bug #66535 (Don't add newline after X-PHP-Originating-Script)
  • MySQLi:
    • Fixed bug #66762 (Segfault in mysqli_stmt::bind_result() when link closed)
  • Openssl:
    • Fixed bug #66833 (Default disgest algo is still MD5, switch to SHA1)

Version 5.5.10

  • Core:
    • Fixed bug #66574 (Allow multiple paths in php_ini_scanned_path).
  • Date:
    • Fixed bug #45528 (Allow the DateTimeZone constructor to accept timezones per offset too).
  • Fileinfo:
    • Fixed bug #66731 (file: infinite recursion (CVE-2014-1943)).
    • Fixed bug #66820 (out-of-bounds memory access in fileinfo (CVE-2014-2270)).
  • GD:
    • Fixed bug #66815 (imagecrop(): insufficient fix for NULL defer (CVE-2013-7327)).
  • JSON:
    • Fixed bug #65753 (JsonSerializeable couldn't implement on module extension).
  • LDAP:
    • Implemented ldap_modify_batch (https://wiki.php.net/rfc/ldap_modify_batch).
  • Openssl:
    • Fixed bug #66501 (Add EC key support to php_openssl_is_private_key).
  • PCRE:
    • Upgraded to PCRE 8.34.
  • Pgsql:
    • Added warning for dangerous client encoding and remove possible injections for pg_insert()/pg_update()/pg_delete()/pg_select().

Version 5.4.26

  • JSON:
    • Fixed bug #65753 (JsonSerializeable couldn't implement on module extension)
  • Fileinfo:
    • Fixed bug #66731 (file: infinite recursion) (CVE-2014-1943).
    • Fixed bug #66820 (out-of-bounds memory access in fileinfo) (CVE-2014-2270).
  • LDAP:
    • Implemented ldap_modify_batch (https://wiki.php.net/rfc/ldap_modify_batch).
  • Openssl:
    • Fixed bug #66501 (Add EC key support to php_openssl_is_private_key).
  • Pgsql:
    • Added warning for dangerous client encoding and remove possible injections for pg_insert()/pg_update()/pg_delete()/pg_select().

Version 5.5.9

  • Core:
    • Fixed bug #66509 (copy() arginfo has changed starting from 5.4).
  • GD:
    • Fixed bug #66356 (Heap Overflow Vulnerability in imagecrop(), CVE-2013-7226).
  • OPCache:
    • Fixed bug #66474 (Optimizer bug in constant string to boolean conversion).
    • Fixed bug #66461 (PHP crashes if opcache.interned_strings_buffer=0).
    • Fixed bug #66298 (ext/opcache/Optimizer/zend_optimizer.c has dos-style ^M as lineend).
  • PDO_pgsql:
    • Fixed bug #62479 (PDO-pgsql cannot connect if password contains spaces).
  • Readline:
    • Fixed bug #66412 (readline_clear_history() with libedit causes segfault after #65714).
  • Session:
    • Fixed bug #66469 (Session module is sending multiple set-cookie headers when session.use_strict_mode=1).
    • Fixed bug #66481 (Segfaults on session_name()).
  • Standard:
    • Fixed bug #66395 (basename function doesn't remove drive letter).
  • Sockets:
    • Fixed bug #66381 (__ss_family was changed on AIX 5.3).
  • Zend Engine:
    • Fixed bug #66009 (Failed compilation of PHP extension with C++ std library using VS 2012).

Version 5.4.25

  • Core:
    • Fixed bug #66286 (Incorrect object comparison with inheritance).
    • Fixed bug #66509 (copy() arginfo has changed starting from 5.4).
  • mysqlnd:
    • Fixed bug #66283 (Segmentation fault after memory_limit).
  • PDO_pgsql:
    • Fixed bug #62479 (PDO-psql cannot connect if password contains spaces).
  • Session:
    • Fixed bug #66481 (Calls to session_name() segfault when session.name is null).

Version 5.5.8

  • Core:
    • Disallowed JMP into a finally block.
    • Added validation of class names in the autoload process.
    • Fixed invalid C code in zend_strtod.c.
    • Fixed bug #66041 (list() fails to unpack yielded ArrayAccess object).
    • Fixed bug #65764 (generators/throw_rethrow FAIL with ZEND_COMPILE_EXTENDED_INFO).
    • Fixed bug #61645 (fopen and O_NONBLOCK).
    • Fixed bug #66218 (zend_register_functions breaks reflection).
  • Date:
    • Fixed bug #66060 (Heap buffer over-read in DateInterval, CVE-2013-6712).
    • Fixed bug #65768 (DateTimeImmutable::diff does not work).
  • DOM:
    • Fixed bug #65196 (Passing DOMDocumentFragment to DOMDocument::saveHTML() Produces invalid Markup).
  • Exif:
    • Fixed bug #65873 (Integer overflow in exif_read_data()).
  • Filter:
    • Fixed bug #66229 (128.0.0.0/16 isn't reserved any longer).
  • GD:
    • Fixed bug #64405 (Use freetype-config for determining freetype2 dir(s)).
  • PDO_odbc:
    • Fixed bug #66311 (Stack smashing protection kills PDO/ODBC queries).
  • MySQLi:
    • Fixed bug #65486 (mysqli_poll() is broken on win x64).
  • OPCache:
    • Fixed revalidate_path=1 behavior to avoid caching of symlinks values.
    • Fixed issue #140 ("opcache.enable_file_override" doesn't respect "opcache.revalidate_freq".)
  • SNMP:
    • Fixed SNMP_ERR_TOOBIG handling for bulk walk operations.
  • SOAP:
    • Fixed bug #66112 (Use after free condition in SOAP extension).
  • Sockets:
    • Fixed bug #65923 (ext/socket assumes AI_V4MAPPED is defined).
  • XSL:
    • Fixed bug #49634 (Segfault throwing an exception in a XSL registered function).
  • ZIP:
    • Fixed bug #66321 (ZipArchive::open() ze_obj->filename_len not real).

Version 5.4.24

  • Core:
    • Added validation of class names in the autoload process.
    • Fixed invalid C code in zend_strtod.c.
    • Fixed bug #61645 (fopen and O_NONBLOCK).
  • Date:
    • Fixed bug #66060 (Heap buffer over-read in DateInterval, CVE-2013-6712).
    • Fixed bug #63391 (Incorrect/inconsistent day of week prior to the year 1600).
    • Fixed bug #61599 (Wrong Day of Week).
  • DOM:
    • Fixed bug #65196 (Passing DOMDocumentFragment to DOMDocument::saveHTML() Produces invalid Markup).
  • Exif:
    • Fixed bug #65873 (Integer overflow in exif_read_data()).
  • Filter:
    • Fixed bug #66229 (128.0.0.0/16 isn't reserved any longer).
  • GD:
    • Fixed bug #64405 (Use freetype-config for determining freetype2 dir(s)).
  • PDO_odbc:
    • Fixed bug #66311 (Stack smashing protection kills PDO/ODBC queries).
  • SNMP:
    • Fixed SNMP_ERR_TOOBIG handling for bulk walk operations.
  • XSL:
    • Fixed bug #49634 (Segfault throwing an exception in a XSL registered function).
  • ZIP:
    • Fixed bug #66321 (ZipArchive::open() ze_obj->filename_len not real).

Version 5.5.7

  • Core:
    • Fixed bug #66094 (unregister_tick_function tries to cast a Closure to a string).
    • Fixed bug #65969 (Chain assignment with T_LIST failure).
  • CLI server:
    • Added some MIME types to the CLI web server.
    • Implemented FR #65917 (getallheaders() is not supported by the built-in web server) - also implements apache_response_headers()
  • OPCache:
    • Fixed bug #66176 (Invalid constant substitution).
    • Fixed bug #65915 (Inconsistent results with require return value).
    • Fixed bug #65559 (Opcache: cache not cleared if changes occur while running).
  • readline:
    • Fixed bug #65714 (PHP cli forces the tty to cooked mode).
  • Openssl:
    • Fixed memory corruption in openssl_x509_parse() (CVE-2013-6420).

Version 5.5.6

  • Core:
    • Improved performance of array_merge() and func_get_args() by eliminating useless copying.
    • Fixed bug #65947 (basename is no more working after fgetcsv in certain situation).
    • Fixed bug #65939 (Space before ";" breaks php.ini parsing).
    • Fixed bug #65911 (scope resolution operator - strange behavior with $this).
    • Fixed bug #65936 (dangling context pointer causes crash).
  • FPM:
    • Changed default listen() backlog to 65535.
  • JSON:
    • Fixed bug #64874 (json_decode handles whitespace incorrectly).
  • MySQLi:
    • Fixed bug #66043 (Segfault calling bind_param() on mysqli).
  • OPCache:
    • Increased limit for opcache.max_accelerated_files to 1,000,000.
    • Fixed issue #115 (path issue when using phar).
    • Fixed issue #149 (Phar mount points not working with OPcache enabled).
  • ODBC:
    • Fixed bug #65950 (Field name truncation if the field name is bigger than 32 characters).
  • PDO:
    • Fixed bug #66033 (Segmentation Fault when constructor of PDO statement throws an exception).
    • Fixed bug #65946 (sql_parser permanently converts values bound to strings).
  • Standard:
    • Fixed bug #64760 (var_export() does not use full precision for floating-point numbers).

Version 5.4.23

  • Core:
    • Fixed bug #66094 (unregister_tick_function tries to cast a Closure to a string).
    • Fixed bug #65947 (basename is no more working after fgetcsv in certain situation).
  • JSON:
    • Fixed whitespace part of #64874 ("json_decode handles whitespace and case-sensitivity incorrectly").
  • MySQLi:
    • Fixed bug #66043 (Segfault calling bind_param() on mysqli).
  • mysqlnd:
    • Fixed bug #66124 (mysqli under mysqlnd loses precision when bind_param with 'i').
    • Fixed bug #66141 (mysqlnd quote function is wrong with NO_BACKSLASH_ESCAPES after failed query).
  • OpenSSL:
    • Fixed memory corruption in openssl_x509_parse() (CVE-2013-6420). (Stefan Esser).
  • PDO:
    • Fixed bug #65946 (sql_parser permanently converts values bound to strings).

Version 5.4.22

  • Core:
    • Fixed bug #65911 (scope resolution operator - strange behavior with $this).
  • CLI server:
    • Fixed bug #65818 (Segfault with built-in webserver and chunked transfer encoding).
  • Exif:
    • Fixed crash on unknown encoding.
  • FTP:
    • Fixed bug #65667 (ftp_nb_continue produces segfault).
  • ODBC:
    • Fixed bug #65950 (Field name truncation if the field name is bigger than 32 characters).
  • Sockets:
    • Fixed bug #65808 (the socket_connect() won't work with IPv6 address).
  • Standard:
    • Fixed bug #64760 (var_export() does not use full precision for floating-point numbers).
  • XMLReader:
    • Fixed bug #51936 (Crash with clone XMLReader).
    • Fixed bug #64230 (XMLReader does not suppress errors).

Version 5.5.5

  • Core:
    • Fixed bug #64979 (Wrong behavior of static variables in closure generators).
    • Fixed bug #65322 (compile time errors won't trigger auto loading).
    • Fixed bug #65821 (By-ref foreach on property access of string offset segfaults).
  • CLI Server:
    • Fixed bug #65633 (built-in server treat some http headers as case-sensitive).
    • Fixed bug #65818 (Segfault with built-in webserver and chunked transfer encoding).
    • Added application/pdf to PHP CLI Web Server mime types
  • Datetime:
    • Fixed bug #64157 (DateTime::createFromFormat() reports confusing error message).
    • Fixed bug #65502 (DateTimeImmutable::createFromFormat returns DateTime).
    • Fixed bug #65548 (Comparison for DateTimeImmutable doesn't work).
  • DBA:
    • Fixed bug #65708 (dba functions cast $key param to string in-place, bypassing copy on write).
  • Filter:
    • Add RFC 6598 IPs to reserved addresses.
    • Fixed bug #64441 (FILTER_VALIDATE_URL rejects fully qualified domain names).
  • FTP:
    • Fixed bug #65667 (ftp_nb_continue produces segfault).
  • GD:
    • Ensure that the defined interpolation method is used with the generic scaling methods.
  • IMAP:
    • Fixed bug #65721 (configure script broken in 5.5.4 and 5.4.20 when enabling imap).
  • OPCache:
    • Fixed bug #65845 (Error when Zend Opcache Optimizer is fully enabled).
    • Fixed bug #65665 (Exception not properly caught when opcache enabled).
    • Fixed bug #65510 (5.5.2 crashes in _get_zval_ptr_ptr_var).
    • Fixed issue #135 (segfault in interned strings if initial memory is too low).
    • Added function opcache_compile_file() to load PHP scripts into cache without execution.
    • Added support for GNU Hurd.
  • Sockets:
    • Fixed bug #65808 (the socket_connect() won't work with IPv6 address).
  • SPL:
    • Fixed bug #64782 (SplFileObject constructor make $context optional / give it a default value).
  • Standard:
    • Fixed bug #61548 content-type must appear at the end of headers for 201 Location to work in http.
  • XMLReader:
    • Fixed bug #51936 Crash with clone XMLReader.
    • Fixed bug #64230 XMLReader does not suppress errors.
  • Build system:
    • Fixed bug #51076 Race condition in shtool's mkdir -p implementation.
    • Fixed bug #62396 'make test' crashes starting with 5.3.14 (missing gzencode()).

Version 5.4.21

  • Core:
    • Fixed bug #65322 (compile time errors won't trigger auto loading).
  • CLI server:
    • Fixed bug #65633 (built-in server treat some http headers as case-sensitive).
  • Datetime:
    • Fixed bug #64157 (DateTime::createFromFormat() reports confusing error message).
  • DBA extension:
    • Fixed bug #65708 (dba functions cast $key param to string in-place, bypassing copy on write).
  • Filter:
    • Add RFC 6598 IPs to reserved addresses.
    • Fixed bug #64441 (FILTER_VALIDATE_URL rejects fully qualified domain names).
  • IMAP:
    • Fixed bug #65721 (configure script broken in 5.5.4 and 5.4.20 when enabling imap).
  • Standard:
    • Fixed bug #61548 (content-type must appear at the end of headers for 201 Location to work in http).
  • Build system:
    • Fixed bug #62396 ('make test' crashes starting with 5.3.14 (missing gzencode())).

Version 5.5.4

  • Core:
    • Fixed bug #60598 (cli/apache sapi segfault on objects manipulation).
    • Improved fputcsv() to allow specifying escape character.
    • Fixed bug #65483 (quoted-printable encode stream filter incorrectly encoding spaces).
    • Fixed bug #65470 (Segmentation fault in zend_error() with --enable-dtrace).
    • Fixed bug #65490 (Duplicate calls to get lineno & filename for DTRACE_FUNCTION_*).
    • Fixed bug #65225 (PHP_BINARY incorrectly set).
    • Fixed bug #62692 (PHP fails to build with DTrace).
    • Fixed bug #61759 (class_alias() should accept classes with leading backslashes).
    • Fixed bug #46311 (Pointer aliasing issue results in miscompile on gcc4.4).
  • cURL:
    • Fixed bug #65458 (curl memory leak).
  • Datetime:
    • Fixed bug #65554 (createFromFormat broken when weekday name is followed by some delimiters).
    • Fixed bug #65564 (stack-buffer-overflow in DateTimeZone stuff caught by AddressSanitizer).
  • OPCache:
    • Fixed bug #65561 (Zend Opcache on Solaris 11 x86 needs ZEND_MM_ALIGNMENT=4).
  • Openssl:
    • Fixed bug #64802 (openssl_x509_parse fails to parse subject properly in some cases).
  • Session:
    • Fixed bug #65475 (Session ID is not initialized properly when strict session is enabled).
    • Fixed bug #51127 and #65359, FR #25630/#43980/#54383 (Added php_serialize session serialize handler that uses plain serialize())
  • Standard:
    • Fix issue with return types of password API helper functions. Found via static analysis by cjones.

Version 5.4.20

  • Core:
    • Fixed bug #60598 (cli/apache sapi segfault on objects manipulation).
    • Fixed bug #65579 (Using traits with get_class_methods causes segfault).
    • Fixed bug #65490 (Duplicate calls to get lineno & filename for DTRACE_FUNCTION_*).
    • Fixed bug #65483 (quoted-printable encode stream filter incorrectly encoding spaces).
    • Fixed bug #65481 (shutdown segfault due to serialize).
    • Fixed bug #65470 (Segmentation fault in zend_error() with --enable-dtrace).
    • Fixed bug #65372 (Segfault in gc_zval_possible_root when return reference fails).
    • Fixed bug #65304 (Use of max int in array_sum).
    • Fixed bug #65291 (get_defined_constants() causes PHP to crash in a very limited case).
    • Fixed bug #65225 (PHP_BINARY incorrectly set).
    • Improved fix for bug #63186 (compile failure on netbsd).
    • Fixed bug #62692 (PHP fails to build with DTrace).
    • Fixed bug #61759 (class_alias() should accept classes with leading backslashes).
    • Fixed bug #61345 (CGI mode - make install don't work).
    • Cherry-picked some DTrace build commits (allowing builds on Linux, bug #62691 and bug #63706) from PHP 5.5 branch.
    • Fixed bug #61268 (--enable-dtrace leads make to clobber Zend/zend_dtrace.d)
  • cURL:
    • Fixed bug #65458 (curl memory leak).
  • Datetime:
    • Fixed bug #65554 (createFromFormat broken when weekday name is followed by some delimiters)
    • Fixed bug #65564 (stack-buffer-overflow in DateTimeZone stuff caught by AddressSanitizer)
  • Openssl:
    • Fixed bug #64802 (openssl_x509_parse fails to parse subject properly in some cases).
  • Session:
    • Fixed bug #62129 (rfc1867 crashes php even though turned off).
    • Fixed bug #50308 (session id not appended properly for empty anchor tags).
    • Fixed possible buffer overflow under Windows. Note: Not a security fix.
    • Changed session.auto_start to PHP_INI_PERDIR.
  • SOAP:
    • Fixed bug #65018 (SoapHeader problems with SoapServer).
  • SPL:
    • Fixed bug #65328 (Segfault when getting SplStack object Value).
  • PDO:
    • Fixed bug #64953 (Postgres prepared statement positional parameter casting).
  • Phar:
    • Fixed bug #65028 (Phar::buildFromDirectory creates corrupt archives for some specific contents).
  • Pgsql:
    • Fixed bug #65336 (pg_escape_literal/identifier() silently returns false).
    • Fixed bug #62978 (Disallow possible SQL injections with pg_select()/pg_update() /pg_delete()/pg_insert()).
  • Zlib:
    • Fixed bug #65391 (Unable to send vary header user-agent when ob_start('ob_gzhandler') is called).

Version 5.5.3

  • Openssl:
    • Fixed UMR in fix for CVE-2013-4248.

Version 5.4.19

  • Core:
    • Fixed bug #64503 (Compilation fails with error: conflicting types for 'zendparse').
  • Openssl:
    • Fixed UMR in fix for CVE-2013-4248.

Version 5.5.2

  • Core:
    • Fixed bug #65372 (Segfault in gc_zval_possible_root when return reference fails).
    • Fixed value of FILTER_SANITIZE_FULL_SPECIAL_CHARS constant (previously was erroneously set to FILTER_SANITIZE_SPECIAL_CHARS value).
    • Fixed bug #65304 (Use of max int in array_sum).
    • Fixed bug #65291 (get_defined_constants() causes PHP to crash in a very limited case).
    • Fixed bug #62691 (solaris sed has no -i switch).
    • Fixed bug #61345 (CGI mode - make install don't work).
    • Fixed bug #61268 (--enable-dtrace leads make to clobber Zend/zend_dtrace.d).
  • DOM:
    • Added flags option to DOMDocument::schemaValidate() and DOMDocument::schemaValidateSource(). Added LIBXML_SCHEMA_CREATE flag.
  • OPcache:
    • Added opcache.restrict_api configuration directive that may limit usage of OPcahce API functions only to patricular script(s).
    • Added support for glob symbols in blacklist entries (?, *, **).
    • Fixed bug #65338 (Enabling both php_opcache and php_wincache AVs on shutdown).
  • Openssl:
    • Fixed handling null bytes in subjectAltName (CVE-2013-4248).
  • PDO_mysql:
    • Fixed bug #65299 (pdo mysql parsing errors).
  • Phar:
    • Fixed bug #65028 (Phar::buildFromDirectory creates corrupt archives for some specific contents).
  • Pgsql:
    • Fixed bug #62978 (Disallow possible SQL injections with pg_select()/pg_update() /pg_delete()/pg_insert()).
    • Fixed bug #65336 (pg_escape_literal/identifier() silently returns false).
  • Sessions:
    • Implemented strict sessions RFC (https://wiki.php.net/rfc/strict_sessions) which protects against session fixation attacks and session collisions (CVE-2011-4718).
    • Fixed possible buffer overflow under Windows. Note: Not a security fix.
    • Changed session.auto_start to PHP_INI_PERDIR.
  • SOAP:
    • Fixed bug #65018 (SoapHeader problems with SoapServer).
  • SPL:
    • Fixed bug #65328 (Segfault when getting SplStack object Value).
    • Added RecursiveTreeIterator setPostfix and getPostifx methods.
    • Fixed bug #61697 (spl_autoload_functions returns lambda functions incorrectly).
  • Streams:
    • Fixed bug #65268 (select() implementation uses outdated tick API).

Version 5.4.18

  • Core:
    • Fixed value of FILTER_SANITIZE_FULL_SPECIAL_CHARS constant (previously was erroneously set to FILTER_SANITIZE_SPECIAL_CHARS value).
    • Fixed bug #65254 (Exception not catchable when exception thrown in autoload with a namespace).
    • Fixed bug #65108 (is_callable() triggers Fatal Error).
    • Fixed bug #65088 (Generated configure script is malformed on OpenBSD).
    • Fixed bug #62964 (Possible XSS on "Registered stream filters" info).
    • Fixed bug #62672 (Error on serialize of ArrayObject).
    • Fixed bug #62475 (variant_* functions causes crash when null given as an argument).
    • Fixed bug #60732 (php_error_docref links to invalid pages).
    • Fixed bug #65226 (chroot() does not get enabled).
  • CGI:
    • Fixed bug #65143 (Missing php-cgi man page).
  • CLI server:
    • Fixed bug #65066 (Cli server not responsive when responding with 422 http status code).
  • CURL:
    • Fixed bug #62665 (curl.cainfo doesn't appear in php.ini).
  • FPM:
    • Fixed bug #63983 (enabling FPM borks compile on FreeBSD).
  • FTP:
    • Fixed bug #65228 (FTPs memory leak with SSL).
  • GMP:
    • Fixed bug #65227 (Memory leak in gmp_cmp second parameter).
  • Imap:
    • Fixed bug #64467 (Segmentation fault after imap_reopen failure).
  • Intl:
    • Fixed bug #62759 (Buggy grapheme_substr() on edge case).
    • Fixed bug #61860 (Offsets may be wrong for grapheme_stri* functions).
  • mysqlnd:
    • Fixed segfault in mysqlnd when doing long prepare.
  • ODBC:
    • Fixed bug #61387 (NULL valued anonymous column causes segfault in odbc_fetch_array).
  • Openssl:
    • Fixed handling null bytes in subjectAltName (CVE-2013-4248).
  • PDO:
    • Allowed PDO_OCI to compile with Oracle Database 12c client libraries.
  • PDO_dblib:
    • Fixed bug #65219 (PDO/dblib not working anymore ("use dbName" not sent)).
  • PDO_pgsql:
    • Fixed meta data retrieve when OID is larger than 2^31.
  • Phar:
    • Fixed bug #65142 (Missing phar man page).
  • Session:
    • Fixed bug #62535 ($_SESSION[$key]["cancel_upload"] doesn't work as documented).
    • Fixed bug #35703 (when session_name("123") consist only digits, should warning).
    • Fixed bug #49175 (mod_files.sh does not support hash bits).
  • Sockets:
    • Implemented FR #63472 (Setting SO_BINDTODEVICE with socket_set_option).
  • SPL:
    • Fixed bug #65136 (RecursiveDirectoryIterator segfault).
    • Fixed bug #61828 (Memleak when calling Directory(Recursive)Iterator /Spl(Temp)FileObject ctor twice).
    • Fixed bug #60560 (SplFixedArray un-/serialize, getSize(), count() return 0, keys are strings).
  • XML:
    • Fixed bug #65236 (heap corruption in xml parser, CVE-2013-4113).

Version 5.5.1

  • Core:
    • Fixed bug #65254 (Exception not catchable when exception thrown in autoload with a namespace).
    • Fixed bug #65088 (Generated configure script is malformed on OpenBSD).
    • Fixed bug #65108 (is_callable() triggers Fatal Error).
    • Fixed bug #65035 (yield / exit segfault).
    • Fixed bug #65161 (Generator + autoload + syntax error = segfault).
    • Fixed bug #65226 (chroot() does not get enabled).
    • hex2bin() raises E_WARNING for invalid hex string.
  • OPcache:
    • Fixed bug #64827 (Segfault in zval_mark_grey (zend_gc.c)).
    • OPcache is now compatible with LiteSpeed SAPI.
  • CGI:
    • Fixed bug #65143 (Missing php-cgi man page).
  • CLI server:
    • Fixed bug #65066 (Cli server not responsive when responding with 422 http status code).
  • DateTime:
    • Fixed bug #65184 (strftime() returns insufficient-length string under multibyte locales).
  • GD:
    • Fixed bug #65070 (bgcolor does not use the same format as the input image with imagerotate).
    • Fixed bug #65060 (imagecreatefrom... crashes with user streams).
    • Fixed bug #65084 (imagecreatefromjpeg fails with URL).
    • Fix gdImageCreateFromWebpCtx and use same logic to load WebP image that other formats.
  • Intl:
    • Add IntlCalendar::setMinimalDaysInFirstWeek()/intlcal_set_minimal_days_in_first_week().
    • Fixed trailing space in name of constant IntlCalendar::FIELD_FIELD_COUNT.
    • Fixed bug #62759 (Buggy grapheme_substr() on edge case).
    • Fixed bug #61860 (Offsets may be wrong for grapheme_stri* functions).
  • OCI8:
    • Bump PECL package info version check to allow PECL installs with PHP 5.5+.
  • PDO:
    • Allowed PDO_OCI to compile with Oracle Database 12c client libraries.
  • Pgsql:
    • pg_unescape_bytea() raises E_WARNING for invalid inputs.
  • Phar:
    • Fixed bug #65142 (Missing phar man page).
  • Session:
    • Added optional create_sid() argument to session_set_save_handler(), SessionHandler and new SessionIdInterface.
  • Sockets:
    • #63472Setting SO_BINDTODEVICE with socket_set_option.
    • Allowed specifying paths in the abstract namespace for the functions socket_bind(), socket_connect() and socket_sendmsg().
    • Fixed bug #65260sendmsg() ancillary data construction for SCM_RIGHTS is faulty.
  • SPL:
    • Fixed bug #65136RecursiveDirectoryIterator segfault.
    • Fixed bug #61828Memleak when calling Directory(Recursive)Iterator/Spl(Temp)FileObject ctor twice.
  • CGI/FastCGI SAPI:
    • Added PHP_FCGI_BACKLOG, overrides the default listen backlog.

Version 5.3.28

  • Openssl:
    • Fixed handling null bytes in subjectAltName (CVE-2013-4248).
    • Fixed memory corruption in openssl_x509_parse() (CVE-2013-6420). (Stefan Esser).

Version 5.3.27

  • Core:
    • Fixed bug #64966 (segfault in zend_do_fcall_common_helper_SPEC).
    • Fixed bug #64960 (Segfault in gc_zval_possible_root).
    • Fixed bug #64934 (Apache2 TS crash with get_browser()).
    • Fixed bug #63186 (compile failure on netbsd).
  • DateTime:
    • Fixed bug #53437 (Crash when using unserialized DatePeriod instance).
  • PDO_firebird:
    • Fixed bug #64037 (Firebird return wrong value for numeric field).
    • Fixed bug #62024 (Cannot insert second row with null using parametrized query).
  • PDO_pgsql:
    • Fixed bug #64949 (Buffer overflow in _pdo_pgsql_error).
  • pgsql:
    • Fixed bug #64609 (pg_convert enum type support).
  • SPL:
    • Fixed bug #64997 (Segfault while using RecursiveIteratorIterator on 64-bits systems).
  • XML:
    • Fixed bug #65236 (heap corruption in xml parser).

Version 5.5.0

  • Drop support for bison < 2.4 when building PHP from GIT source
  • Improved Zend Engine:
    • Added ARMv7/v8 versions of various Zend arithmetic functions that are implemented using inline assembler
    • Added systemtap support by enabling systemtap compatible dtrace probes on linux
    • Optimized access to temporary and compiled VM variables. 8% less memory reads
    • The VM stacks for passing function arguments and syntaticaly nested calls were merged into a single stack. The stack size needed for op_array execution is calculated at compile time and preallocated at once. As result all the stack push operations don't require checks for stack overflow any more
  • General improvements:
    • Added generators and coroutines.
    • Added "finally" keyword.
    • Added simplified password hashing API.
    • Added support for constant array/string dereferencing.
    • Added Class Name Resolution As Scalar Via "class" Keyword
    • Added support for using empty() on the result of function calls and other expressions
    • Added support for non-scalar Iterator keys in foreach
    • Added support for list in foreach
  • Core:
    • Added Zend Opcache extension and enable building it by default.
    • Added array_column function which returns a column in a multidimensional array
    • Added boolval()
    • Added "Z" option to pack/unpack
    • Added optional second argument for assert() to specify custom message
    • Added support for changing the process's title in CLI/CLI-Server SAPIs. The implementation is more robust that the proctitle PECL module
    • Improve set_exception_handler while doing reset
    • Return previous handler when passing NULL to set_error_handler and set_exception_handler
    • Implemented FR #64175 (Added HTTP codes as of RFC 6585)
    • Implemented FR #60738 (Allow 'set_error_handler' to handle NULL)
    • Implemented FR #60524 (specify temp dir by php.ini)
    • Implemented FR #46487 (Dereferencing process-handles no longer waits on those processes)
    • Fixed bug #65051 (count() off by one inside unset())
    • Fixed bug #64988 (Class loading order affects E_STRICT warning)
    • Fixed bug #64966 (segfault in zend_do_fcall_common_helper_SPEC)
    • Fixed bug #64960 (Segfault in gc_zval_possible_root)
    • Fixed bug #64936 (doc comments picked up from previous scanner run)
    • Fixed bug #64934 (Apache2 TS crash with get_browser())
    • Fixed bug #64879 (Heap based buffer overflow in quoted_printable_encode, CVE 2013-2110)
    • Fixed bug #64853 (Use of no longer available ini directives causes crash on TS build)
    • Fixed bug #64821 (Custom Exceptions crash when internal properties overridden)
    • Fixed bug #64720 (SegFault on zend_deactivate).
    • Fixed bug #64677 (execution operator `` stealing surrounding arguments)
    • Fixed bug #64660 (Segfault on memory exhaustion within function definition)
    • Fixed bug #64578 (debug_backtrace in set_error_handler corrupts zend heap: segfault)
    • Fixed bug #64565 (copy doesn't report failure on partial copy)
    • Fixed bug #64555 (foreach no longer copies keys if they are interned)
    • Fixed bug #47675 and Fixed bug #64577 (fd leak on Solaris)
    • Fixed bug #64544 (Valgrind warnings after using putenv)
    • Fixed bug #64515 (Memoryleak when using the same variablename 2times in function declaration)
    • Fixed bug #64503 (Compilation fails with error: conflicting types for 'zendparse')
    • Fixed bug #64239 (Debug backtrace changed behavior since 5.4.10 or 5.4.11)
    • Fixed bug #64523 allow XOR in php.ini
    • Fixed bug #64354 (Unserialize array of objects whose class can't be autoloaded fail)
    • Fixed bug #64370 (microtime(true) less than $_SERVER['REQUEST_TIME_FLOAT'])
    • Fixed bug #64166 (quoted-printable-encode stream filter incorrectly discarding whitespace)
    • Fixed bug #64142 (dval to lval different behavior on ppc64)
    • Fixed bug #64135 (Exceptions from set_error_handler are not always propagated)
    • Fixed bug #63980 (object members get trimmed by zero bytes)
    • Fixed bug #63874 (Segfault if php_strip_whitespace has heredoc)
    • Fixed bug #63830 (Segfault on undefined function call in nested generator)
    • Fixed bug #63822 (Crash when using closures with ArrayAccess)
    • Fixed bug #61681 (Malformed grammar)
    • Fixed bug #61038 (unpack("a5", "str\0\0") does not work as expected)
    • Fixed bug #61025 (__invoke() visibility not honored)
    • Fixed bug #60833 (self, parent, static behave inconsistently case-sensitive)
    • Fixed bug #52126 timestamp for mail.log
    • Fixed bug #49348 (Uninitialized ++$foo->bar; does not cause a notice)
    • Fixed bug #23955 allow specifying Max-Age attribute in setcookie()
    • Fixed bug #18556 (Engine uses locale rules to handle class names)
    • Fix undefined behavior when converting double variables to integers. The double is now always rounded towards zero, the remainder of its division by 2^32 or 2^64 (depending on sizeof(long)) is calculated and it's made signed assuming a two's complement representation
  • Removed legacy features:
    • Remove php_logo_guid(), php_egg_logo_guid(), php_real_logo_guid(), zend_logo_guid()
    • Drop Windows XP and 2003 support
  • Apache2 Handler SAPI:
    • Enabled Apache 2.4 configure option for Windows.
  • Calendar:
    • Fixed bug #64895 (Integer overflow in SndToJewish).
    • Fixed bug #54254 (cal_from_jd returns month = 6 when there is only one Adar).
  • CLI server:
    • Fixed bug #64128 (buit-in web server is broken on ppc64).
  • CURL:
    • Remove curl stream wrappers.
    • Implemented FR #46439 (added CURLFile for safer file uploads).
    • Added support for CURLOPT_FTP_RESPONSE_TIMEOUT, CURLOPT_APPEND, CURLOPT_DIRLISTONLY, CURLOPT_NEW_DIRECTORY_PERMS, CURLOPT_NEW_FILE_PERMS, CURLOPT_NETRC_FILE, CURLOPT_PREQUOTE, CURLOPT_KRBLEVEL, CURLOPT_MAXFILESIZE, CURLOPT_FTP_ACCOUNT, CURLOPT_COOKIELIST, CURLOPT_IGNORE_CONTENT_LENGTH, CURLOPT_CONNECT_ONLY, CURLOPT_LOCALPORT, CURLOPT_LOCALPORTRANGE, CURLOPT_FTP_ALTERNATIVE_TO_USER, CURLOPT_SSL_SESSIONID_CACHE, CURLOPT_FTP_SSL_CCC, CURLOPT_HTTP_CONTENT_DECODING, CURLOPT_HTTP_TRANSFER_DECODING, CURLOPT_PROXY_TRANSFER_MODE, CURLOPT_ADDRESS_SCOPE, CURLOPT_CRLFILE, CURLOPT_ISSUERCERT, CURLOPT_USERNAME, CURLOPT_PASSWORD, CURLOPT_PROXYUSERNAME, CURLOPT_PROXYPASSWORD, CURLOPT_NOPROXY, CURLOPT_SOCKS5_GSSAPI_NEC, CURLOPT_SOCKS5_GSSAPI_SERVICE, CURLOPT_TFTP_BLKSIZE, CURLOPT_SSH_KNOWNHOSTS, CURLOPT_FTP_USE_PRET, CURLOPT_MAIL_FROM, CURLOPT_MAIL_RCPT, CURLOPT_RTSP_CLIENT_CSEQ, CURLOPT_RTSP_SERVER_CSEQ, CURLOPT_RTSP_SESSION_ID, CURLOPT_RTSP_STREAM_URI, CURLOPT_RTSP_TRANSPORT, CURLOPT_RTSP_REQUEST, CURLOPT_RESOLVE, CURLOPT_ACCEPT_ENCODING, CURLOPT_TRANSFER_ENCODING, CURLOPT_DNS_SERVERS and CURLOPT_USE_SSL
    • Fixed bug #55635 (CURLOPT_BINARYTRANSFER no longer used. The constant still exists for backward compatibility but is doing nothing)
    • Fixed bug #54995 (Missing CURLINFO_RESPONSE_CODE support)
    • Added new functions curl_escape, curl_multi_setopt, curl_multi_strerror curl_pause, curl_reset, curl_share_close, curl_share_init, curl_share_setopt curl_strerror and curl_unescape
    • Addes new curl options CURLOPT_TELNETOPTIONS, CURLOPT_GSSAPI_DELEGATION, CURLOPT_ACCEPTTIMEOUT_MS, CURLOPT_SSL_OPTIONS, CURLOPT_TCP_KEEPALIVE, CURLOPT_TCP_KEEPIDLE and CURLOPT_TCP_KEEPINTVL
  • DateTime:
    • Added DateTimeImmutable - a variant of DateTime that only returns the modified state instead of changing itself.
    • Fixed bug #64825 (Invalid free when unserializing DateTimeZone).
    • Fixed bug #64359 (strftime crash with VS2012)
    • Fixed bug #62852 (Unserialize Invalid Date causes crash)
    • Fixed bug #61642 (modify("+5 weekdays") returns Sunday)
    • Fixed bug #60774 (DateInterval::format("%a") is always zero when an interval is created using the createFromDateString method)
    • Fixed bug #54567 (DateTimeZone serialize/unserialize)
    • Fixed bug #53437 (Crash when using unserialized DatePeriod instance)
  • dba:
    • Fixed bug #62489 (dba_insert not working as expected)
  • Filter:
    • Implemented FR #49180 (added MAC address validation)
  • Fileinfo:
    • Upgraded libmagic to 5.14.
    • Fixed bug #64830 (mimetype detection segfaults on mp3 file)
    • Fixed bug #63590 (Different results in TS and NTS under Windows)
    • Fixed bug #63248 (Load multiple magic files from a directory under Windows)
  • FPM:
    • Add --with-fpm-systemd option to report health to systemd, and systemd_interval option to configure this. The service can now use Type=notify in the systemd unit file.
    • Ignore QUERY_STRING when sent in SCRIPT_FILENAME
    • Log a warning when a syscall fails
    • Implemented FR #64764 (add support for FPM init.d script)
    • Fixed bug #64915 (error_log ignored when daemonize=0)
    • Fixed bug #63999 (php with fpm fails to build on Solaris 10 or 11)
    • Fixed some possible memory or resource leaks and possible null dereference detected by code coverity scan
  • GD:
    • Fixed bug #64962 (imagerotate produces corrupted image).
    • Fixed bug #64961 (segfault in imagesetinterpolation)
    • Fix build with system libgd >= 2.1 which is now the minimal version required (as build with previous version is broken). No change when bundled libgd is used
    • Upgraded libgd to 2.1
  • hash:
    • Added support for PBKDF2 via hash_pbkdf2().
    • Fixed bug #64745 (hash_pbkdf2() truncates data when using default length and hex output)
  • intl:
    • Added UConverter wrapper.
    • The intl extension now requires ICU 4.0+
    • Added intl.use_exceptions INI directive, which controls what happens when global errors are set together with intl.error_level
    • MessageFormatter::format() and related functions now accepted named arguments and mixed numeric/named arguments in ICU 4.8+
    • MessageFormatter::format() and related functions now don't error out when an insufficient argument count is provided. Instead, the placeholders will remain unsubstituted
    • MessageFormatter::parse() and MessageFormat::format() (and their static equivalents) don't throw away better than second precision in the arguments
    • IntlDateFormatter::__construct and datefmt_create() now accept for the $timezone argument time zone identifiers, IntlTimeZone objects, DateTimeZone objects and NULL
    • IntlDateFormatter::__construct and datefmt_create() no longer accept invalid timezone identifiers or empty strings
    • The default time zone used in IntlDateFormatter::__construct and datefmt_create() (when the corresponding argument is not passed or NULL is passed) is now the one given by date_default_timezone_get(), not the default ICU time zone
    • The time zone passed to the IntlDateFormatter is ignored if it is NULL and if the calendar passed is an IntlCalendar object -- in this case, the IntlCalendar's time zone will be used instead. Otherwise, the time zone specified in the $timezone argument is used instead. This does not affect old code, as IntlCalendar was introduced in this version
    • IntlDateFormatter::__construct and datefmt_create() now accept for the $calendar argument also IntlCalendar objects
    • IntlDateFormatter::getCalendar() and datefmt_get_calendar() return false if the IntlDateFormatter was set up with an IntlCalendar instead of the constants IntlDateFormatter::GREGORIAN/TRADITIONAL. IntlCalendar did not exist before this version
    • IntlDateFormatter::setCalendar() and datefmt_set_calendar() now also accept an IntlCalendar object, in which case its time zone is taken. Passing a constant is still allowed, and still keeps the time zone
    • IntlDateFormatter::setTimeZoneID() and datefmt_set_timezone_id() are deprecated. Use IntlDateFormatter::setTimeZone() or datefmt_set_timezone() instead
    • IntlDateFormatter::format() and datefmt_format() now also accept an IntlCalendar object for formatting
    • Added the classes: IntlCalendar, IntlGregorianCalendar, IntlTimeZone, IntlBreakIterator, IntlRuleBasedBreakIterator and IntlCodePointBreakIterator
    • Added the functions: intlcal_get_keyword_values_for_locale(), intlcal_get_now(), intlcal_get_available_locales(), intlcal_get(), intlcal_get_time(), intlcal_set_time(), intlcal_add(), intlcal_set_time_zone(), intlcal_after(), intlcal_before(), intlcal_set(), intlcal_roll(), intlcal_clear(), intlcal_field_difference(), intlcal_get_actual_maximum(), intlcal_get_actual_minimum(), intlcal_get_day_of_week_type(), intlcal_get_first_day_of_week(), intlcal_get_greatest_minimum(), intlcal_get_least_maximum(), intlcal_get_locale(), intlcal_get_maximum(), intlcal_get_minimal_days_in_first_week(), intlcal_get_minimum(), intlcal_get_time_zone(), intlcal_get_type(), intlcal_get_weekend_transition(), intlcal_in_daylight_time(), intlcal_is_equivalent_to(), intlcal_is_lenient(), intlcal_is_set(), intlcal_is_weekend(), intlcal_set_first_day_of_week(), intlcal_set_lenient(), intlcal_equals(), intlcal_get_repeated_wall_time_option(), intlcal_get_skipped_wall_time_option(), intlcal_set_repeated_wall_time_option(), intlcal_set_skipped_wall_time_option(), intlcal_from_date_time(), intlcal_to_date_time(), intlcal_get_error_code(), intlcal_get_error_message(), intlgregcal_create_instance(), intlgregcal_set_gregorian_change(), intlgregcal_get_gregorian_change() and intlgregcal_is_leap_year()
    • Added the functions: intltz_create_time_zone(), intltz_create_default(), intltz_get_id(), intltz_get_gmt(), intltz_get_unknown(), intltz_create_enumeration(), intltz_count_equivalent_ids(), intltz_create_time_zone_id_enumeration(), intltz_get_canonical_id(), intltz_get_region(), intltz_get_tz_data_version(), intltz_get_equivalent_id(), intltz_use_daylight_time(), intltz_get_offset(), intltz_get_raw_offset(), intltz_has_same_rules(), intltz_get_display_name(), intltz_get_dst_savings(), intltz_from_date_time_zone(), intltz_to_date_time_zone(), intltz_get_error_code(), intltz_get_error_message()
    • Added the methods: IntlDateFormatter::formatObject(), IntlDateFormatter::getCalendarObject(), IntlDateFormatter::getTimeZone(), IntlDateFormatter::setTimeZone()
    • Added the functions: datefmt_format_object(), datefmt_get_calendar_object(), datefmt_get_timezone(), datefmt_set_timezone(), datefmt_get_calendar_object(), intlcal_create_instance()
  • mbstring:
    • Fixed bug #64769 (mbstring PHPTs crash on Windows x64).
  • MCrypt:
    • mcrypt_ecb(), mcrypt_cbc(), mcrypt_cfb() and mcrypt_ofb() now throw E_DEPRECATED.
  • mysql:
    • This extension is now deprecated, and deprecation warnings will be generated when connections are established to databases via mysql_connect(), mysql_pconnect(), or through implicit connection: use MySQLi or PDO_MySQL instead
    • Dropped support for LOAD DATA LOCAL INFILE handlers when using libmysql. Known for stability problems
    • Added support for SHA256 authentication available with MySQL 5.6.6+
  • mysqli:
    • Added mysqli_begin_transaction()/mysqli::begin_transaction(). Implemented all options, per MySQL 5.6, which can be used with START TRANSACTION, COMMIT and ROLLBACK through options to mysqli_commit()/mysqli_rollback() and their respective OO counterparts. They work in libmysql and mysqlnd mode
    • Added mysqli_savepoint(), mysqli_release_savepoint()
    • Fixed bug #64726 (Segfault when calling fetch_object on a use_result and DB pointer has closed)
    • Fixed bug #64394 (MYSQL_OPT_CAN_HANDLE_EXPIRED_PASSWORDS undeclared when using Connector/C)
  • mysqlnd:
    • Add new begin_transaction() call to the connection object. Implemented all options, per MySQL 5.6, which can be used with START TRANSACTION, COMMIT and ROLLBACK
    • Added mysqlnd_savepoint(), mysqlnd_release_savepoint()
    • Fixed bug #63530 (mysqlnd_stmt::bind_one_parameter crashes, uses wrong alloc for stmt->param_bind)
    • Fixed return value of mysqli_stmt_affected_rows() in the time after prepare() and before execute()
  • PCRE:
    • Merged PCRE 8.32
    • Deprecated the /e modifier
    • Fixed bug #63284 (Upgrade PCRE to 8.31)
  • PDO:
    • Fixed bug #63176 (Segmentation fault when instantiate 2 persistent PDO to the same db server)
  • PDO_DBlib:
    • Fixed bug #63638 (Cannot connect to SQL Server 2008 with PDO dblib)
    • Fixed bug #64338 (pdo_dblib can't connect to Azure SQL)
    • Fixed bug #64808 (FreeTDS PDO getColumnMeta on a prepared but not executed statement crashes)
  • PDO_pgsql:
    • Fixed bug #64949 (Buffer overflow in _pdo_pgsql_error)
  • PDO_mysql:
    • Fixed bug #48724 (getColumnMeta() doesn't return native_type for BIT, TINYINT and YEAR)
  • pgsql:
    • Added pg_escape_literal() and pg_escape_identifier()
    • Fixed bug #46408 Locale number format settings can cause pg_query_params to break with numerics
  • Phar:
    • Fixed timestamp update on Phar contents modification
  • readline:
    • Fixed bug #55694 (Expose additional readline variable to prevent default filename completion)
  • Reflection:
    • Fixed bug #64007 (There is an ability to create instance of Generator by hand)
  • Sockets:
    • Added socket_cmsg_space(), socket_sendmsg(), and socket_recvmsg() functions
    • Fixed bug #64508 (Fails to build with --disable-ipv6)
    • Fixed bug #64287 (sendmsg/recvmsg shutdown handler causes segfault)
  • SPL:
    • Fixed bug #64997 (Segfault while using RecursiveIteratorIterator on 64-bits systems)
    • Fixed bug #64264 (SPLFixedArray toArray problem)
    • Fixed bug #64228 (RecursiveDirectoryIterator always assumes SKIP_DOTS)
    • Fixed bug #64106 (Segfault on SplFixedArray[][x] = y when extended)
    • Fixed bug #60560 (SplFixedArray un-/serialize, getSize(), count() return 0, keys are strings)
    • Fixed bug #52861 (unset fails with ArrayObject and deep arrays)
    • Implement #48358 (Add SplDoublyLinkedList::add() to insert an element at a given offset)
  • SNMP:
    • Fixed bug #64765 (Some IPv6 addresses get interpreted wrong)
    • Fixed bug #64159 (Truncated snmpget)
    • Fixed bug #64124 (IPv6 malformed)
    • Fixed bug #61981 (OO API, walk: $suffix_as_key is not working correctly)
  • SOAP:
    • Added SoapClient constructor option 'ssl_method' to specify ssl method
  • Streams:
    • Fixed bug #64770 (stream_select() fails with pipes returned by proc_open() on Windows x64)
    • Fixed Windows x64 version of stream_socket_pair() and improved error handling
  • Tokenizer:
    • Fixed bug #60097 (token_get_all fails to lex nested heredoc)
  • Zip:
    • Upgraded libzip to 0.10.1
    • Fixed bug #64452 (Zip crash intermittently)
    • Fixed bug #64342 (ZipArchive::addFile() has to check for file existence)

Version 5.4.17

  • Core:
    • Fixed bug #64988 (Class loading order affects E_STRICT warning).
    • Fixed bug #64966 (segfault in zend_do_fcall_common_helper_SPEC).
    • Fixed bug #64960 (Segfault in gc_zval_possible_root).
    • Fixed bug #64936 (doc comments picked up from previous scanner run).
    • Fixed bug #64934 (Apache2 TS crash with get_browser()).
    • Fixed bug #64166 (quoted-printable-encode stream filter incorrectly discarding whitespace).
  • DateTime:
    • Fixed bug #53437 (Crash when using unserialized DatePeriod instance).
  • FPM:
    • Fixed bug #64915 (error_log ignored when daemonize=0).
    • Implemented FR #64764 (add support for FPM init.d script).
  • PDO:
    • Fixed bug #63176 (Segmentation fault when instantiate 2 persistent PDO to the same db server).
  • PDO_DBlib:
    • Fixed bug #63638 (Cannot connect to SQL Server 2008 with PDO dblib).
    • Fixed bug #64338 (pdo_dblib can't connect to Azure SQL).
    • Fixed bug #64808 (FreeTDS PDO getColumnMeta on a prepared but not executed statement crashes).
  • PDO_firebird:
    • Fixed bug #64037 (Firebird return wrong value for numeric field).
    • Fixed bug #62024 (Cannot insert second row with null using parametrized query).
  • PDO_mysql:
    • Fixed bug #48724 (getColumnMeta() doesn't return native_type for BIT, TINYINT and YEAR).
  • PDO_pgsql:
    • Fixed bug #64949 (Buffer overflow in _pdo_pgsql_error).
  • pgsql:
    • Fixed bug #64609 (pg_convert enum type support).
  • Readline:
    • Implement FR #55694 (Expose additional readline variable to prevent default filename completion).
  • SPL:
    • Fixed bug #64997 (Segfault while using RecursiveIteratorIterator on 64-bits systems).

Version 5.4.16

  • Core:
    • Fixed bug #64879 (Heap based buffer overflow in quoted_printable_encode, CVE-2013-2110).
    • Fixed bug #64853 (Use of no longer available ini directives causes crash on TS build).
    • Fixed bug #64729 (compilation failure on x32).
    • Fixed bug #64720 (SegFault on zend_deactivate).
    • Fixed bug #64660 (Segfault on memory exhaustion within function definition).
  • Calendar:
    • Fixed bug #64895 (Integer overflow in SndToJewish).
  • Fileinfo:
    • Fixed bug #64830 (mimetype detection segfaults on mp3 file).
  • FPM:
    • Ignore QUERY_STRING when sent in SCRIPT_FILENAME.
    • Fixed some possible memory or resource leaks and possible null dereference detected by code coverity scan.
    • Log a warning when a syscall fails.
    • Add --with-fpm-systemd option to report health to systemd, and systemd_interval option to configure this. The service can now use Type=notify in the systemd unit file.
  • MySQLi
    • Fixed bug #64726 (Segfault when calling fetch_object on a use_result and DB pointer has closed).
  • Phar:
    • Fixed bug #64214 (PHAR PHPTs intermittently crash when run on DFS, SMB or with non std tmp dir).
  • SNMP:
    • Fixed bug #64765 (Some IPv6 addresses get interpreted wrong).
    • Fixed bug #64159 (Truncated snmpget).
  • Streams:
    • Fixed bug #64770 (stream_select() fails with pipes returned by proc_open() on Windows x64).
  • Zend Engine:
    • Fixed bug #64821 (Custom Exceptions crash when internal properties overridden).

Version 5.3.26

  • Core:
    • Fixed bug #64879 (Heap based buffer overflow in quoted_printable_encode, CVE-2013-2110).
  • Calendar:
    • Fixed bug #64895 (Integer overflow in SndToJewish).
  • FPM:
    • Fixed some possible memory or resource leaks and possible null dereference detected by code coverity scan.
    • Log a warning when a syscall fails.
  • MySQLi:
    • Fixed bug #64726 (Segfault when calling fetch_object on a use_result and DB pointer has closed).
  • Phar:
    • Fixed bug #64214 (PHAR PHPTs intermittently crash when run on DFS, SMB or with non std tmp dir).
  • Streams:
    • Fixed bug #64770 (stream_select() fails with pipes returned by proc_open() on Windows x64).
  • Zend Engine:
    • Fixed bug #64821 (Custom Exception crash when internal properties overridden).

Version 5.4.15

  • Core:
    • Fixed bug #64578 (debug_backtrace in set_error_handler corrupts zend heap: segfault).
    • Fixed bug #64458 (dns_get_record result with string of length -1).
    • Fixed bug #64433 (follow_location parameter of context is ignored for most response codes).
    • Fixed bug #47675 (fd leak on Solaris).
    • Fixed bug #64577 (fd leak on Solaris).
  • Fileinfo:
    • Upgraded libmagic to 5.14.
  • Streams:
    • Fixed Windows x64 version of stream_socket_pair() and improved error handling.
  • Zip:
    • Fixed bug #64342 (ZipArchive::addFile() has to check for file existence).

Version 5.3.25

  • Core:
    • Fixed bug #64578 (debug_backtrace in set_error_handler corrupts zend heap: segfault).
    • Fixed bug #64458 (dns_get_record result with string of length -1).
    • Fixed bug #47675 (fd leak on Solaris).
    • Fixed bug #64577 (fd leak on Solaris).
  • Streams:
    • Fixed Windows x64 version of stream_socket_pair() and improved error handling.
  • Zip:
    • Fixed bug #64342 (ZipArchive::addFile() has to check for file existence).

Version 5.4.14

  • Core:
    • Fixed bug #64529 (Ran out of opcode space).
    • Fixed bug #64515 (Memoryleak when using the same variablename two times in function declaration).
    • Fixed bug #64432 (more empty delimiter warning in strX methods).
    • Fixed bug #64417 (ArrayAccess::&offsetGet() in a trait causes fatal error).
    • Fixed bug #64370 (microtime(true) less than $_SERVER['REQUEST_TIME_FLOAT']).
    • Fixed bug #64239 (Debug backtrace changed behavior since 5.4.10 or 5.4.11).
    • Fixed bug #63976 (Parent class incorrectly using child constant in class property).
    • Fixed bug #63914 (zend_do_fcall_common_helper_SPEC does not handle exceptions properly).
    • Fixed bug #62343 (Show class_alias In get_declared_classes()).
  • PCRE:
    • Merged PCRE 8.32.
  • SNMP:
    • Fixed bug #61981 (OO API, walk: $suffix_as_key is not working correctly).
  • Zip:
    • Fixed bug #64452 (Zip crash intermittently). (Anatol)

Version 5.3.24

  • Core:
    • Fixed bug #64370 (microtime(true) less than $_SERVER['REQUEST_TIME_FLOAT']).
    • Fixed bug #63914 (zend_do_fcall_common_helper_SPEC does not handle exceptions properly).
    • Fixed bug #62343 (Show class_alias In get_declared_classes()).
  • PCRE:
    • Merged PCRE 8.32.
  • mysqlnd:
    • Fixed bug #63530 (mysqlnd_stmt::bind_one_parameter crashes, uses wrong alloc for stmt->param_bind).
  • DateTime:
    • Fixed bug #62852 (Unserialize Invalid Date causes crash).
  • Zip:
    • Fixed bug #64452 (Zip crash intermittently).

Version 5.4.13

  • Core:
    • Fixed bug #64235 (Insteadof not work for class method in 5.4.11).
    • Implemented FR #64175 (Added HTTP codes as of RFC 6585).
    • Fixed bug #64142 (dval to lval different behavior on ppc64).
    • Fixed bug #64070 (Inheritance with Traits failed with error).
  • CLI server:
    • Fixed bug #64128 (buit-in web server is broken on ppc64).
  • Mbstring:
    • mb_split() can now handle empty matches like preg_split() does.
  • OpenSSL:
    • Fixed bug #61930 (openssl corrupts ssl key resource when using openssl_get_publickey()).
  • PDO_mysql:
    • Fixed bug #60840 (undefined symbol: mysqlnd_debug_std_no_trace_funcs).
  • Phar:
    • Fixed timestamp update on Phar contents modification.
  • SOAP:
    • Added check that soap.wsdl_cache_dir conforms to open_basedir (CVE-2013-1635).
    • Disabled external entities loading (CVE-2013-1643, CVE-2013-1824).
  • SPL:
    • Fixed bug #64264 (SPLFixedArray toArray problem).
    • Fixed bug #64228 (RecursiveDirectoryIterator always assumes SKIP_DOTS).
    • Fixed bug #64106 (Segfault on SplFixedArray[][x] = y when extended).
    • Fixed bug #52861 (unset fails with ArrayObject and deep arrays).
  • SNMP:
    • Fixed bug #64124 (IPv6 malformed).

Version 5.3.23

  • Phar:
    • Fixed timestamp update on Phar contents modification.
  • SOAP
    • Added check that soap.wsdl_cache_dir conforms to open_basedir (CVE-2013-1635).
    • Disabled external entities loading (CVE-2013-1643, CVE-2013-1824).
  • SPL:
    • Fixed bug #64264 (SPLFixedArray toArray problem).
    • Fixed bug #64228 (RecursiveDirectoryIterator always assumes SKIP_DOTS).
    • Fixed bug #64106 (Segfault on SplFixedArray[][x] = y when extended).
    • Fixed bug #52861 (unset fails with ArrayObject and deep arrays).

Version 5.4.12

  • Core:
    • Fixed bug #64099 (Wrong TSRM usage in zend_register_class alias).
    • Fixed bug #64011 (get_html_translation_table() output incomplete with HTML_ENTITIES and ISO-8859-1).
    • Fixed bug #63982 (isset() inconsistently produces a fatal error on protected property).
    • Fixed bug #63943 (Bad warning text from strpos() on empty needle).
    • Fixed bug #63899 (Use after scope error in zend_compile).
    • Fixed bug #63893 (Poor efficiency of strtr() using array with keys of very different length).
    • Fixed bug #63882 (zend_std_compare_objects crash on recursion).
    • Fixed bug #63462 (Magic methods called twice for unset protected properties).
    • Fixed bug #62524 (fopen follows redirects for non-3xx statuses).
    • Support BITMAPV5HEADER in getimagesize().
  • Date:
    • Fixed bug #63699 (Performance improvements for various ext/date functions).
    • Fixed bug #55397 Comparsion of incomplete DateTime causes SIGSEGV.
  • FPM:
    • Fixed bug #63999 (php with fpm fails to build on Solaris 10 or 11).
  • Litespeed:
    • Fixed bug #63228 (-Werror=format-security error in lsapi code).
  • sqlite3:
    • Fixed bug #63921 (sqlite3::bindvalue and relative PHP functions aren't using sqlite3_*_int64 API).
  • PDO_OCI:
    • Fixed bug #57702 (Multi-row BLOB fetches).
    • Fixed bug #52958 (Segfault in PDO_OCI on cleanup after running a long testsuite).
  • PDO_sqlite:
    • Fixed bug #63916 (PDO::PARAM_INT casts to 32bit int internally even on 64bit builds in pdo_sqlite).

Version 5.3.22

  • Zend Engine:
    • Fixed bug #64099 (Wrong TSRM usage in zend_Register_class alias).
    • Fixed bug #63899 (Use after scope error in zend_compile).
  • Core:
    • Fixed bug #63943 (Bad warning text from strpos() on empty needle).
  • Date:
    • Fixed bug #55397 (comparsion of incomplete DateTime causes SIGSEGV).
  • FPM:
    • Fixed bug #63999 (php with fpm fails to build on Solaris 10 or 11).
  • SPL:
    • Fixed bug #64106 (Segfault on SplFixedArray[][x] = y when extended).

Version 5.4.11

  • Core:
    • Fixed bug #63762 (Sigsegv when Exception::$trace is changed by user).
    • Fixed bug #43177 (Errors in eval()'ed code produce status code 500).
  • Filter:
    • Fixed bug #63757 (getenv() produces memory leak with CGI SAPI).
    • Fixed bug #54096 (FILTER_VALIDATE_INT does not accept +0 and -0).
  • JSON:
    • Fixed bug #63737 (json_decode does not properly decode with options parameter).
  • CLI server:
    • Update list of common mime types. Added webm, ogv, ogg.
  • cURL extension:
    • Fixed bug (segfault due to libcurl connection caching).
    • Fixed bug #63859 (Memory leak when reusing curl-handle).
    • Fixed bug #63795 (CURL >= 7.28.0 no longer support value 1 for CURLOPT_SSL_VERIFYHOST).
    • Fixed bug #63352 (Can't enable hostname validation when using curl stream wrappers).
    • Fixed bug #55438 (Curlwapper is not sending http header randomly).

Version 5.3.21

  • Zend Engine:
    • Fixed bug #63762 (Sigsegv when Exception::$trace is changed by user).
  • cURL extension:
    • Fixed bug (segfault due to libcurl connection caching).
    • Fixed bug #63795 (CURL >= 7.28.0 no longer support value 1 for CURLOPT_SSL_VERIFYHOST).
    • Fixed bug #63352 (Can't enable hostname validation when using curl stream wrappers).
    • Fixed bug #55438 (Curlwapper is not sending http header randomly).

Version 5.4.10

  • Core:
    • Fixed bug #63635 (Segfault in gc_collect_cycles).
    • Fixed bug #63512 (parse_ini_file() with INI_SCANNER_RAW removes quotes from value).
    • Fixed bug #63468 (wrong called method as callback with inheritance).
    • Fixed bug #63451 (config.guess file does not have AIX 7 defined, shared objects are not created).
    • Fixed bug #61557 (Crasher in tt-rss backend.php).
    • Fixed bug #61272 (ob_start callback gets passed empty string).
  • Date:
    • Fixed bug #63666 (Poor date() performance).
    • Fixed bug #63435 (Datetime::format('u') sometimes wrong by 1 microsecond).
  • Imap:
    • Fixed bug #63126 (DISABLE_AUTHENTICATOR ignores array).
  • Json:
    • Fixed bug #63588 (use php_next_utf8_char and remove duplicate implementation).
  • MySQLi:
    • Fixed bug #63361 (missing header).
  • MySQLnd:
    • Fixed bug #63398 (Segfault when polling closed link).
  • Fileinfo:
    • Fixed bug #63590 (Different results in TS and NTS under Windows).
  • FPM:
    • Fixed bug #63581 Possible null dereference and buffer overflow.
  • Pdo_sqlite:
    • Fixed bug #63149 getColumnMeta should return the table name when system SQLite used.
  • Apache2 Handler SAPI:
    • Enabled Apache 2.4 configure option for Windows.
  • Reflection:
    • Fixed bug #63614 (Fatal error on Reflection).
  • SOAP:
    • Fixed bug #63271 (SOAP wsdl cache is not enabled after initial requests).
  • Sockets:
    • Fixed bug #49341 (Add SO_REUSEPORT support for socket_set_option()).

Version 5.3.20

  • Zend Engine:
    • Fixed bug #63635 (Segfault in gc_collect_cycles).
    • Fixed bug #63512 (parse_ini_file() with INI_SCANNER_RAW removes quotes from value).
    • Fixed bug #63468 (wrong called method as callback with inheritance).
  • Core:
    • Fixed bug #63451 (config.guess file does not have AIX 7 defined, shared objects are not created).
    • Fixed bug #63377 (Segfault on output buffer).
  • Apache2 Handler SAPI:
    • Enabled Apache 2.4 configure option for Windows.
  • Date:
    • Fixed bug #63435 (Datetime::format('u') sometimes wrong by 1 microsecond).
  • Fileinfo:
    • Fixed bug #63248 (Load multiple magic files from a directory under Windows).
    • Fixed bug #63590 (Different results in TS and NTS under Windows).
  • FPM:
    • Fixed bug #63581 (Possible null dereference and buffer overflow).
  • Imap:
    • Fixed bug #63126 (DISABLE_AUTHENTICATOR ignores array).
  • MySQLnd:
    • Fixed bug #63398 (Segfault when polling closed link).
  • Reflection:
    • Fixed bug #63614 (Fatal error on Reflection).
  • SOAP:
    • Fixed bug #63271 (SOAP wsdl cache is not enabled after initial requests).

Version 5.4.9

  • Core:
    • Fixed bug #63305 (zend_mm_heap corrupted with traits).
    • Fixed bug #63369 ((un)serialize() leaves dangling pointers, causes crashes).
    • Fixed bug #63241 (PHP fails to open Windows deduplicated files).
    • Fixed bug #62444 (Handle leak in is_readable on windows).
  • Curl:
    • Fixed bug #63363 (Curl silently accepts boolean true for SSL_VERIFYHOST).
  • Fileinfo:
    • Fixed bug #63248 (Load multiple magic files from a directory under Windows).
  • Libxml
    • Fixed bug #63389 (Missing context check on libxml_set_streams_context() causes memleak).
  • Mbstring:
    • Fixed bug #63447 (max_input_vars doesn't filter variables when mbstring.encoding_translation = On).
  • OCI8:
    • Fixed bug #63265 (Add ORA-00028 to the PHP_OCI_HANDLE_ERROR macro)
  • PCRE:
    • Fixed bug #63180 (Corruption of hash tables).
    • Fixed bug #63055 (Segfault in zend_gc with SF2 testsuite).
    • Fixed bug #63284 (Upgrade PCRE to 8.31).
  • PDO:
    • Fixed bug #63235 (buffer overflow in use of SQLGetDiagRec).
  • PDO_pgsql:
    • Fixed bug #62593 (Emulate prepares behave strangely with PARAM_BOOL).
  • Phar:
    • Fixed bug #63297 (Phar fails to write an openssl based signature).
  • Streams:
    • Fixed bug #63240 (stream_get_line() return contains delimiter string).
  • Reflection:
    • Fixed bug #63399 (ReflectionClass::getTraitAliases() incorrectly resolves traitnames).

Version 5.3.19

  • Core:
    • Fixed bug #63241 (PHP fails to open Windows deduplicated files).
    • Fixed bug #62444 (Handle leak in is_readable on windows).
  • Libxml:
    • Fixed bug #63389 (Missing context check on libxml_set_streams_context() causes memleak).
  • Mbstring:
    • Fixed bug #63447 (max_input_vars doesn't filter variables when mbstring.encoding_translation = On).
  • MySQL:
    • Fixed compilation failure on mixed 32/64 bit systems.
  • OCI8:
    • Fixed bug #63265 (Add ORA-00028 to the PHP_OCI_HANDLE_ERROR macro)
  • PCRE:
    • Fixed bug #63055 (Segfault in zend_gc with SF2 testsuite).
    • Fixed bug #63284 (Upgrade PCRE to 8.31).
  • PDO:
    • Fixed bug #63235 (buffer overflow in use of SQLGetDiagRec).
  • PDO_pgsql:
    • Fixed bug #62593 (Emulate prepares behave strangely with PARAM_BOOL).
  • Phar:
    • Fixed bug #63297 (Phar fails to write an openssl based signature).
  • Streams:
    • Fixed bug #63240 (stream_get_line() return contains delimiter string).

Version 5.4.8

  • CLI server
    • Changed response to unknown HTTP method to 501 according to RFC.
    • Support HTTP PATCH method.
  • Core
    • Added optional second argument for assert() to specify custom message.
    • Support building PHP with the native client toolchain.
    • Added --offline option for tests.
    • Fixed bug #63162 (parse_url does not match password component).
    • Fixed bug #63111 (is_callable() lies for abstract static method).
    • Fixed bug #63093 (Segfault while load extension failed in zts-build).
    • Fixed bug #62976 (Notice: could not be converted to int when comparing some builtin classes).
    • Fixed bug #62955 (Only one directive is loaded from "Per Directory Values" Windows registry).
    • Fixed bug #62907 (Double free when use traits).
    • Fixed bug #61767 (Shutdown functions not called in certain error situation).
    • Fixed bug #60909 (custom error handler throwing Exception + fatal error = no shutdown function).
    • Fixed bug #60723 (error_log error time has changed to UTC ignoring default timezone).
  • cURL
    • Fixed bug #62085 (file_get_contents a remote file by Curl wrapper will cause cpu Soaring).
  • Date
    • Fixed bug #62896 ("DateTime->modify('+0 days')" modifies DateTime object)
    • Fixed bug #62561 (DateTime add 'P1D' adds 25 hours).
  • DOM
    • Fixed bug #63015 (Incorrect arginfo for DOMErrorHandler).
  • FPM
    • Fixed bug #62954 (startup problems fpm / php-fpm).
    • Fixed bug #62886 (PHP-FPM may segfault/hang on startup).
    • Fixed bug #63085 (Systemd integration and daemonize).
    • Fixed bug #62947 (Unneccesary warnings on FPM).
    • Fixed bug #62887 (Only /status?plain&full gives "last request cpu").
    • Fixed bug #62216 (Add PID to php-fpm init.d script).
  • OpenSSL
    • Implemented FR #61421 (OpenSSL signature verification missing RMD160, SHA224, SHA256, SHA384, SHA512).
  • SOA
    • Fixed bug #50997 (SOAP Error when trying to submit 2nd Element of a choice).
  • SPL
    • Fixed bug #62987 (Assigning to ArrayObject[null][something] overrides all undefined variables).
  • mbstring
    • Allow passing null as a default value to mb_substr() and mb_strcut(). Patch by Alexander Moskaliov via GitHub PR #133.
  • Filter extension
    • Fixed bug #49510 (Boolean validation fails with FILTER_NULL_ON_FAILURE with empty string or false.)
  • Socket
    • Fixed bug #63000 (MCAST_JOIN_GROUP on OSX is broken, merge of PR 185 by Igor Wiedler).

Version 5.3.18

  • Core
    • Fixed bug #63111 (is_callable() lies for abstract static method).
    • Fixed bug #63093 (Segfault while load extension failed in zts-build).
    • Fixed bug #62976 (Notice: could not be converted to int when comparing some builtin classes).
    • Fixed bug #61767 (Shutdown functions not called in certain error situation).
    • Fixed bug #61442 (exception threw in __autoload can not be catched).
    • Fixed bug #60909 (custom error handler throwing Exception + fatal error = no shutdown function).
  • cURL
    • Fixed bug #62085 (file_get_contents a remote file by Curl wrapper will cause cpu Soaring).
  • FPM
    • Fixed bug #62954 (startup problems fpm / php-fpm).
    • Fixed bug #62886 (PHP-FPM may segfault/hang on startup).
    • Fixed bug #63085 (Systemd integration and daemonize).
    • Fixed bug #62947 (Unneccesary warnings on FPM).
    • Fixed bug #62887 (Only /status?plain&full gives "last request cpu").
    • Fixed bug #62216 (Add PID to php-fpm init.d script).
  • Intl
    • Fixed bug #62915 (defective cloning in several intl classes).
  • SOAP
    • Fixed bug #50997 (SOAP Error when trying to submit 2nd Element of a choice).
  • SPL
    • Fixed bug #62987 (Assigning to ArrayObject[null][something] overrides all undefined variables).

Version 5.4.7

  • Core
    • Fixed bug (segfault while build with zts and GOTO vm-kind)
    • Fixed bug #62955 (Only one directive is loaded from "Per Directory Values" Windows registry)
    • Fixed bug #62844 (parse_url() does not recognize //)
    • Fixed bug #62829 (stdint.h included on platform where HAVE_STDINT_H is not set)
    • Fixed bug #62763 (register_shutdown_function and extending class)
    • Fixed bug #62725 (Calling exit() in a shutdown function does not return the exit value)
    • Fixed bug #62744 (dangling pointers made by zend_disable_class)
    • Fixed bug #62716 (munmap() is called with the incorrect length)
    • Fixed bug #62358 (Segfault when using traits a lot)
    • Fixed bug #62328 (implementing __toString and a cast to string fails)
    • Fixed bug #51363 (Fatal error raised by var_export() not caught by error handler)
    • Fixed bug #40459 (Stat and Dir stream wrapper methods do not call constructor)
  • CURL
    • Fixed bug #62912 (CURLINFO_PRIMARY_* AND CURLINFO_LOCAL_* not exposed)
    • Fixed bug #62839 (curl_copy_handle segfault with CURLOPT_FILE)
  • DateTime
    • Fixed bug #62852 (Unserialize invalid DateTime causes crash)
  • Intl
    • Fixed Spoofchecker not being registered on ICU 49.1
    • Fixed bug #62933 (ext/intl compilation error on icu 3.4.1)
    • Fixed bug #62915 (defective cloning in several intl classes)
  • Installation
    • Fixed bug #62460 (php binaries installed as binary.dSYM)
  • PCRE
    • Fixed bug #55856 (preg_replace should fail on trailing garbage)
  • PDO
    • Fixed bug #62685 (Wrong return datatype in PDO::inTransaction())
  • Reflection
    • Fixed bug #62892 (ReflectionClass::getTraitAliases crashes on importing trait methods as private)
    • Fixed bug #62715 (ReflectionParameter::isDefaultValueAvailable() wrong result)
  • Session
    • Fixed bug (segfault due to retval is not initialized)
    • Fixed bug (segfault due to PS(mod_user_implemented) not be reseted when close handler call exit)
  • SPL
    • Fixed bug #62904 (Crash when cloning an object which inherits SplFixedArray)
    • Implemented FR #62840 (Add sort flag to ArrayObject::ksort)
  • Standard
    • Fixed bug #62836 (Seg fault or broken object references on unserialize())
  • FPM
    • Merged PR 121 by minitux to add support for slow request counting on PHP FPM status page

Version 5.3.17

  • Core
    • Fixed bug (segfault while build with zts and GOTO vm-kind)
    • Fixed bug #62955 (Only one directive is loaded from "Per Directory Values" Windows registry)
    • Fixed bug #62763 (register_shutdown_function and extending class)
    • Fixed bug #62744 (dangling pointers made by zend_disable_class)
    • Fixed bug #62716 (munmap() is called with the incorrect length)
    • Fixed bug #62460 (php binaries installed as binary.dSYM)
  • CURL
    • Fixed bug #62839 (curl_copy_handle segfault with CURLOPT_FILE)
  • DateTime
    • Fixed bug #62852 (Unserialize invalid DateTime causes crash)
  • Intl
    • Fix null pointer dereferences in some classes of ext/intl
  • MySQLnd
    • Fixed bug #62885 (mysqli_poll - Segmentation fault)
  • PDO
    • Fixed bug #62685 (Wrong return datatype in PDO::inTransaction())
  • Session
    • Fixed bug (segfault due to retval is not initialized)
  • SPL
    • Fixed bug #62904 (Crash when cloning an object which inherits SplFixedArray)
  • Enchant
    • Fixed bug #62838 (enchant_dict_quick_check() destroys zval, but fails to initialize it)

Version 5.4.6

  • CLI Server
    • Implemented FR #62700 (have the console output 'Listening on http://localhost:8000').
  • Core
    • Fixed bug #62661 (Interactive php-cli crashes if include() is used in auto_prepend_file).
    • Fixed bug #62653: (unset($array[$float]) causes a crash).
    • Fixed bug #62565 (Crashes due non-initialized internal properties_table).
    • Fixed bug #60194 (--with-zend-multibyte and --enable-debug reports LEAK with run-test.php).
  • CURL
    • Fixed bug #62499 (curl_setopt($ch, CURLOPT_COOKIEFILE, "") returns false).
  • DateTime
    • Fixed bug #62500 (Segfault in DateInterval class when extended).
  • Fileinfo
    • Fixed bug #61964 (finfo_open with directory causes invalid free).
  • Intl
    • Fixed bug #62564 (Extending MessageFormatter and adding property causes crash).
  • MySQLnd
    • Fixed bug #62594 (segfault in mysqlnd_res_meta::set_mode).
  • readline
    • Fixed bug #62612 (readline extension compilation fails with sapi/cli/cli.h: No such file).
  • Reflection
    • Implemented FR #61602 (Allow access to name of constant used as default value).
  • SimpleXML
    • Implemented FR #55218 (Get namespaces from current node).
  • SPL
    • Fixed bug #62616 (ArrayIterator::count() from IteratorIterator instance gives Segmentation fault).
    • Fixed bug #61527 (ArrayIterator gives misleading notice on next() when moved to the end).
  • Streams
    • Fixed bug #62597 (segfault in php_stream_wrapper_log_error with ZTS build).
  • Zlib
    • Fixed bug #55544 (ob_gzhandler always conflicts with zlib.output_compression).

Version 5.3.16

  • Core
    • Fixed bug #62763 (register_shutdown_function and extending class).
    • Fixed bug #62744 (dangling pointers made by zend_disable_class).
    • Fixed bug #62716 (munmap() is called with the incorrect length).
    • Fixed bug #62460 (php binaries installed as binary.dSYM).
    • Fixed bug #60194 (--with-zend-multibyte and --enable-debug reports LEAK with run-test.php).
  • CURL
    • Fixed bug #62839 (curl_copy_handle segfault with CURLOPT_FILE).
    • Fixed bug #62499 (curl_setopt($ch, CURLOPT_COOKIEFILE, "") returns false).
  • DateTime
    • Fixed bug #62500 (Segfault in DateInterval class when extended).
  • Enchant
    • Fixed bug #62838 (enchant_dict_quick_check() destroys zval, but fails to initialize it).
  • PDO
    • Fixed bug #62685 (Wrong return datatype in PDO::inTransaction()).
  • Reflection
    • Fixed bug #62715 (ReflectionParameter::isDefaultValueAvailable() wrong result).
  • Session
    • Fixed bug (segfault due to retval is not initialized).
  • SPL
    • Fixed bug #62616 (ArrayIterator::count() from IteratorIterator instance gives Segmentation fault).

Version 5.4.5

  • Core
    • Fixed bug #62443 (Crypt SHA256/512 Segfaults With Malformed Salt)
    • Fixed bug #62432 (ReflectionMethod random corrupt memory on high concurrent)
    • Fixed bug #62373 (serialize() generates wrong reference to the object).
    • Fixed bug #62357 (compile failure: (S) Arguments missing for built-in function __memcmp)
    • Fixed bug #61998 (Using traits with method aliases appears to result in crash during execution)
    • Fixed bug #51094 (parse_ini_file() with INI_SCANNER_RAW cuts a value that includes a semi-colon)
    • Fixed potential overflow in _php_stream_scandir (CVE-2012-2688)
  • EXIF
    • Fixed information leak in ext exif
  • FPM
    • Fixed bug #62205 (php-fpm segfaults (null passed to strstr)
    • Fixed bug #62160 (Add process.priority to set nice(2) priorities)
    • Fixed bug #62153 (when using unix sockets, multiples FPM instances)
    • Fixed bug #62033 (php-fpm exits with status 0 on some failures to start)
    • Fixed bug #61839 (Unable to cross-compile PHP with --enable-fpm)
    • Fixed bug #61835 (php-fpm is not allowed to run as root)
    • Fixed bug #61295 (php-fpm should not fail with commented 'user'
    • Fixed bug #61218 (FPM drops connection while receiving some binary values in FastCGI requests)
    • Fixed bug #61045 (fpm don't send error log to fastcgi clients). (fat) for non-root start)
    • Fixed bug #61026 (FPM pools can listen on the same address). (fat) can be launched without errors)
  • Iconv
    • Fixed bug #55042 (Erealloc in iconv.c unsafe)
  • Intl
    • Fixed bug #62083 (grapheme_extract() memory leaks)
    • Fixed bug #62081 (IntlDateFormatter constructor leaks memory when called twice)
    • Fixed bug #62070 (Collator::getSortKey() returns garbage)
    • Fixed bug #62017 (datefmt_create with incorrectly encoded timezone leaks pattern)
    • Fixed bug #60785 (memory leak in IntlDateFormatter constructor)
    • ResourceBundle constructor now accepts NULL for the first two arguments
  • JSON
    • Fixed bug #61359 (json_encode() calls too many reallocs)
  • libxml
    • Fixed bug #62266 (Custom extension segfaults during xmlParseFile with FPM SAPI)
  • Phar
    • Fixed bug #62227 (Invalid phar stream path causes crash)
  • Readline
    • Fixed bug #62186 (readline fails to compile - void function should not return a value)
  • Reflection
    • Fixed bug #62384 (Attempting to invoke a Closure more than once causes segfault)
    • Fixed bug #62202 (ReflectionParameter::getDefaultValue() memory leaks with constant)
  • Sockets
    • Fixed bug #62025 (__ss_family was changed on AIX 5.3)
  • SPL
    • Fixed bug #62433 (Inconsistent behavior of RecursiveDirectoryIterator to dot files)
    • Fixed bug #62262 (RecursiveArrayIterator does not implement Countable)
  • XML Writer
    • Fixed bug #62064 (memory leak in the XML Writer module)
  • Zip
    • Upgraded libzip to 0.10.

Version 5.3.15

  • Zend Engine
    • Fixed bug #51094 (parse_ini_file() with INI_SCANNER_RAW cuts a value that includes a semi-colon)
  • COM
    • Fixed bug #62146 com_dotnet cannot be built shared
  • Core
    • Fixed potential overflow in _php_stream_scandir, CVE-2012-2688
    • Fixed bug #62432 (ReflectionMethod random corrupt memory on high concurrent)
    • Fixed bug #62443 (Crypt SHA256/512 Segfaults With Malformed Salt)
  • Fileinfo
    • Fixed magic file regex support
  • FPM
    • Fixed bug #61045 (fpm don't send error log to fastcgi clients)
    • Fixed bug #61835 (php-fpm is not allowed to run as root)
    • Fixed bug #61295 (php-fpm should not fail with commented 'user' for non-root start)
    • Fixed bug #61026 (FPM pools can listen on the same address)
    • Fixed bug #62033 (php-fpm exits with status 0 on some failures to start)
    • Fixed bug #62153 (when using unix sockets, multiples FPM instances can be launched without errors)
    • Fixed bug #62160 (Add process.priority to set nice(2) priorities)
    • Fixed bug #61218 (FPM drops connection while receiving some binary values in FastCGI requests)
    • Fixed bug #62205 (php-fpm segfaults (null passed to strstr))
  • Intl
    • Fixed bug #62083 (grapheme_extract() memory leaks)
    • Fixed bug #62081 (IntlDateFormatter constructor leaks memory when called twice)
    • Fixed bug #62070 (Collator::getSortKey() returns garbage)
    • Fixed bug #62017 (datefmt_create with incorrectly encoded timezone leaks pattern)
    • Fixed bug #60785 (memory leak in IntlDateFormatter constructor)
  • JSON
  • Phar
    • Fixed bug #62227 (Invalid phar stream path causes crash)
  • Reflection
    • Fixed bug #62384 (Attempting to invoke a Closure more than once causes segfault)
    • Fixed bug #62202 (ReflectionParameter::getDefaultValue() memory leaks with constant)
  • SPL
    • Fixed bug #62262 (RecursiveArrayIterator does not implement Countable)
  • SQLite
    • Fixed open_basedir bypass, CVE-2012-3365
  • XML Write
    • Fixed bug #62064 (memory leak in the XML Writer module)
  • Zip
    • Upgraded libzip to 0.10

Version 5.4.4

  • CLI SAPI
    • Implemented FR #61977 (Need CLI web-server support for files with .htm & svg extensions)
    • Improved performance while sending error page, this also fixed bug Fixed bug #61785 (Memory leak when access a non-exists file without router)
    • Fixed bug #61546 (functions related to current script failed when chdir() in cli sapi)
  • Core
    • Fixed missing bound check in iptcparse()
    • Fixed CVE-2012-2143
    • Fixed bug #62097 (fix for bug #54547)
    • Fixed bug #62005 (unexpected behavior when incrementally assigning to a member of a null object)
    • Fixed bug #61978 (Object recursion not detected for classes that implement JsonSerializable)
    • Fixed bug #61991 (long overflow in realpath_cache_get())
    • Fixed bug #61922 (ZTS build doesn't accept zend.script_encoding config)
    • Fixed bug #61827 (incorrect \e processing on Windows)
    • Fixed bug #61782 (__clone/__destruct do not match other methods when checking access controls)
    • Fixed bug #61761 ('Overriding' a private static method with a different signature causes crash)
    • Fixed bug #61730 (Segfault from array_walk modifying an array passed by reference)
    • Fixed bug #61728 (PHP crash when calling ob_start in request_shutdown phase)
    • Fixed bug #61660 (bin2hex(hex2bin($data)) != $data)
    • Fixed bug #61650 (ini parser crashes when using ${xxxx} ini variables (without apache2))
    • Fixed bug #61605 (header_remove() does not remove all headers)
    • Fixed bug #54547 (wrong equality of string numbers)
    • Fixed bug #54197 ([PATH=] sections incompatibility with user_ini.filename set to null)
    • Changed php://fd to be available only for CLI
  • CURL
    • Fixed bug #61948 (CURLOPT_COOKIEFILE '' raises open_basedir restriction)
  • COM
    • Fixed bug #62146 com_dotnet cannot be built shared
  • Fileinfo
    • Fixed bug #61812 (Uninitialised value used in libmagic)
  • FPM
    • Fixed bug #61812 (Uninitialised value used in libmagic)
    • Fixed bug #61565 where php_stream_open_wrapper_ex tries to open a directory descriptor under windows
    • Fixed bug #61566 failure caused by the posix lseek and read versions under windows in cdf_read()
  • Intl
    • Fixed bug #62082 (Memory corruption in internal function get_icu_disp_value_src_php()
  • JSON
    • Fixed bug #61537 (json_encode() incorrectly truncates/discards information)
  • LibXML
    • Fixed bug #61617 (Libxml tests failed(ht is already destroyed))
  • PDO
    • Fixed bug #61755 (A parsing bug in the prepared statements can lead to access violations)
  • Phar
    • Fixed bug #61065 (Secunia SA44335) (CVE-2012-2386)
  • Streams
    • Fixed bug #61961 (file_get_contents leaks when access empty file with maxlen set)
  • zlib
    • Fixed bug #61820 (using ob_gzhandler will complain about headers already sent when no compression)
    • Fixed bug #61443 (can't change zlib.output_compression on the fly)
    • Fixed bug #60761 (zlib.output_compression fails on refresh)

Version 5.3.14

  • CLI SAPI
    • Fixed bug #61546 (functions related to current script failed when chdir() in cli sapi)
  • Core
    • Fixed CVE-2012-2143
    • Fixed bug #62005 (unexpected behavior when incrementally assigning to a member of a null object)
    • Fixed bug #61730 (Segfault from array_walk modifying an array passed by reference)
    • Fixed missing bound check in iptcparse()
    • Fixed bug #61764 ('I' unpacks n as signed if n > 2^31-1 on LP64)
    • Fixed bug #54197 ([PATH=] sections incompatibility with user_ini.filename set to null)
    • Fixed bug #61713 (Logic error in charset detection for htmlentities)
    • Fixed bug #61991 (long overflow in realpath_cache_get())
    • Changed php://fd to be available only for CLI.
  • CURL
    • Fixed bug #61948 (CURLOPT_COOKIEFILE '' raises open_basedir restriction)
  • COM
    • Fixed bug #62146 com_dotnet cannot be built shared
  • Fileinfo
    • Fixed bug #61812 (Uninitialised value used in libmagic)
  • Intl
    • Fixed bug #62082 (Memory corruption in internal function get_icu_disp_value_src_php()
  • JSON
    • Fixed bug #61537 (json_encode() incorrectly truncates/discards information)
  • PDO
    • Fixed bug #61755 (A parsing bug in the prepared statements can lead to access violations)
  • Phar
    • Fixed bug #61065 (Secunia SA44335)
  • Streams
    • Fixed bug #61961 (file_get_contents leaks when access empty file with maxlen set)

Version 5.4.3

  • Fixed bug #61807 Buffer Overflow in apache_request_headers, CVE-2012-2329.
  • Fixed bug #61910 Improve fix for PHP-CGI query string parameter vulnerability, CVE-2012-2311.

Version 5.3.13

  • Fixed bug #61910 Improve fix for PHP-CGI query string parameter vulnerability, CVE-2012-2311.

Version 5.4.2

  • Fixed bug #61910 Fix PHP-CGI query string parameter vulnerability, CVE-2012-1823.

Version 5.3.12

  • Fixed bug #61910 Fix PHP-CGI query string parameter vulnerability, CVE-2012-1823.

Version 5.4.1

  • CLI Server
    • Fixed bug #61461 (missing checks around malloc() calls).
    • Implemented FR #60850 (Built in web server does not set $_SERVER['SCRIPT_FILENAME'] when using router).
  • Core
    • Fixed crash in ZTS using same class in many threads.
    • Fixed bug #61374 (html_entity_decode tries to decode code points that don't exist in ISO-8859-1).
    • Fixed bug #61225 (Incorrect lexing of 0b00*+<NUM>).
    • Fixed bug #61106 (Segfault when using header_register_callback).
    • Fixed bug #61052 (Missing error check in trait 'insteadof' clause).
    • Fixed bug #61011 (Crash when an exception is thrown by __autoload accessing a static property).
    • Fixed bug #60978 (exit code incorrect).
    • Fixed bug #60911 (Confusing error message when extending traits).
    • Fixed bug #60717 (Order of traits in use statement can cause a fatal error).
    • Fixed bug #60573 (type hinting with "self" keyword causes weird errors).
  • Fileinfo
    • Fix fileinfo test problems.
  • Intl
    • Fixed bug #61487 (Incorrent bounds checking in grapheme_strpos).
  • mbstring
    • MFH mb_ereg_replace_callback() for security enhancements.
  • mysqlnd
    • Fixed bug #60948 (mysqlnd FTBFS when -Wformat-security is enabled).
  • Standard
    • Fixed memory leak in substr_replace.
    • Make max_file_uploads ini directive settable outside of php.
    • Fixed bug #61409 (Bad formatting on phpinfo()).
    • Fixed bug #60222 (time_nanosleep() does validate input params).
    • Fixed bug #60106 (stream_socket_server silently truncates long unix socket paths).

Version 5.3.11

  • Core
    • Fixed bug #61650 (ini parser crashes when using ${xxxx} ini variables (without apache2)).
    • Fixed bug #61273 (call_user_func_array with more than 16333 arguments leaks / crashes).
    • Fixed bug #61165 (Segfault - strip_tags()).
    • Fixed bug #61095 (Incorect lexing of 0x00*+<NUM>).
    • Fixed bug #61087 (Memory leak in parse_ini_file when specifying invalid scanner mode).
    • Fixed bug #61072 (Memory leak when restoring an exception handler).
    • Fixed bug #61058 (array_fill leaks if start index is PHP_INT_MAX).
    • Fixed bug #61000 (Exceeding max nesting level doesn't delete numerical vars).
    • Fixed bug #60895 (Possible invalid handler usage in windows random functions).
    • Fixed bug #60825 (Segfault when running symfony 2 tests).
    • Fixed bug #60801 (strpbrk() mishandles NUL byte).
    • Fixed bug #60569 (Nullbyte truncates Exception $message).
    • Fixed bug #60227 (header() cannot detect the multi-line header with CR).
    • Fixed bug #60222 (time_nanosleep() does validate input params).
    • Fixed bug #54374 (Insufficient validating of upload name leading to corrupted $_FILES indices). (CVE-2012-1172).
    • Fixed bug #52719 (array_walk_recursive crashes if third param of the function is by reference).
    • Improve performance of set_exception_handler while doing reset.
    • Fixed bug #51860 (Include fails with toplevel symlink to /).
  • DOM
    • Added debug info handler to DOM objects.
  • FPM
    • Fixed bug #61430 (Transposed memset() params in sapi/fpm/fpm/fpm_shm.)
    • Fixed bug #60811 (php-fpm compilation problem).
  • Fileinfo
    • Upgraded libmagic to 5.
    • Fixed bug #61565 where php_stream_open_wrapper_ex tries to open a directory descriptor under windows.
    • Fixed bug #61566 failure caused by the posix lseek and read versions under windows in cdf_read().
    • Fixed bug #61173 (Unable to detect error from finfo constructor).
  • Firebird Database extension (ibase)
    • Fixed bug #60802 (ibase_trans() gives segfault when passing params).
  • Ibase
    • Fixed bug #60947 (Segmentation fault while executing ibase_db_info).
  • Installation
    • Fixed bug #61172 (Add Apache 2.4 support).
  • mysqli
    • Fixed bug #61003 (mysql_stat() require a valid connection).
  • PDO_mysql
    • Fixed bug #61207 (PDO::nextRowset() after a multi-statement query doesn't always work).
    • Fixed bug #61194 (PDO should export compression flag with myslqnd).
  • PDO_odbc
    • Fixed bug #61212 (PDO ODBC Segfaults on SQL_SUCESS_WITH_INFO).
  • PDO_pgsql
    • Fixed bug #61267 (pdo_pgsql's PDO::exec() returns the number of SELECTed rows on postgresql >= 9).
  • PDO_Sqlite extension
    • Add createCollation support.
  • pgsql
    • Fixed bug #60718 (Compile problem with libpq (PostgreSQL 7.3 or less).
  • Phar
    • Fixed bug #61184 (Phar::webPhar() generates headers with trailing NUL bytes).
  • Readline
    • Fixed bug #61088 (Memory leak in readline_callback_handler_install).
    • Add open_basedir checks to readline_write_history and readline_read_history.
  • Reflection
    • Fixed bug #61388 (ReflectionObject:getProperties() issues invalid reads when get_properties returns a hash table with (inaccessible) dynamic numeric properties).
    • Fixed bug #60968 (Late static binding doesn't work with ReflectionMethod::invokeArgs()).
  • Session
    • Fixed bug #60860 (session.save_handler=user without defined function core dumps).
    • Fixed bug #60634 (Segmentation fault when trying to die() in SessionHandler::write()).
  • SOAP
    • Fixed bug #61423 (gzip compression fails).
    • Fixed bug #60887 (SoapClient ignores user_agent option and sends no User-Agent header).
    • Fixed bug #60842, Fixed bug #51775 (Chunked response parsing error when chunksize length line is > 10 bytes).
    • Fixed bug #49853 (Soap Client stream context header option ignored).
  • SPL
    • Fixed memory leak when calling SplFileInfo's constructor twice.
    • Fixed bug #61418 (Segmentation fault when DirectoryIterator's or FilesystemIterator's iterators are requested more than once without having had its dtor callback called in between).
    • Fixed bug #61347 (inconsistent isset behavior of Arrayobject).
    • Fixed bug #61326 (ArrayObject comparison).
  • SQLite3 extension
    • Add createCollation() method.
  • Streams
    • Fixed bug #61371 (stream_context_create() causes memory leaks on use streams_socket_create).
    • Fixed bug #61253 (Wrappers opened with errors concurrency problem on ZTS).
    • Fixed bug #61115 (stream related segfault on fatal error in php_stream_context_link).
    • Fixed bug #60817 (stream_get_line() reads from stream even when there is already sufficient data buffered). stream_get_line() now behaves more like fgets(), as is documented.
    • Further fix for bug Fixed bug #60455 (stream_get_line misbehaves if EOF is not detected together with the last read).
    • Fixed bug #60106 (stream_socket_server silently truncates long unix socket paths).
  • Tidy
    • Fixed bug #54682 (tidy null pointer dereference).
  • XMLRPC
    • Fixed bug #61264 (xmlrpc_parse_method_descriptions leaks temporary variable).
    • Fixed bug #61097 (Memory leak in xmlrpc functions copying zvals).
  • Zlib
    • Fixed bug #61306 (initialization of global inappropriate for ZTS).
    • Fixed bug #61287 (A particular string fails to decompress).
    • Fixed bug #61139 (gzopen leaks when specifying invalid mode).

Version 5.4.0

  • autoconf 2.59+ is now supported (and required) for generating the configure script with ./buildconf. Autoconf 2.60+ is desirable otherwise the configure help order may be incorrect.
  • Removed legacy features
    • break/continue $var syntax.
    • Safe mode and all related ini options.
    • register_globals and register_long_arrays ini options.
    • import_request_variables().
    • allow_call_time_pass_reference.
    • define_syslog_variables ini option and its associated function.
    • highlight.bg ini option.
    • Session bug compatibility mode (session.bug_compat_42 and session.bug_compat_warn ini options).
    • session_is_registered(), session_register() and session_unregister() functions.
    • y2k_compliance ini option.
    • magic_quotes_gpc, magic_quotes_runtime and magic_quotes_sybase ini options. get_magic_quotes_gpc, get_magic_quotes_runtime are kept but always return false, set_magic_quotes_runtime raises an E_CORE_ERROR.
    • Removed support for putenv("TZ=..") for setting the timezone.
    • Removed the timezone guessing algorithm in case the timezone isn't set with date.timezone or date_default_timezone_set(). Instead of a guessed timezone, "UTC" is now used instead.
  • Moved extensions to PECL
    • ext/sqlite. (Note: the ext/sqlite3 and ext/pdo_sqlite extensions are not affected)
  • General improvements
    • Added short array syntax support ([1,2,3]), see UPGRADING guide for full details.
    • Added binary numbers format (0b001010).
    • Added support for Class::{expr}() syntax.
    • Added multibyte support by default. Previously php had to be compiled with --enable-zend-multibyte. Now it can be enabled or disabled through zend.multibyte directive in php.ini.
    • Removed compile time dependency from ext/mbstring.
    • Added support for Traits.
    • Added closure $this support back.
    • Added array dereferencing support.
    • Added callable typehint.
    • Added indirect method call through array. #47160.
    • Added DTrace support.
    • Added class member access on instantiation (e.g. (new foo)->bar()) support.
    • <?= is now always available regardless of the short_open_tag setting.
    • Implemented Zend Signal Handling (configurable option --enable-zend-signals, off by default).
    • Improved output layer, see README.NEW-OUTPUT-API for internals.
    • Improved unix build system to allow building multiple PHP binary SAPIs and one SAPI module the same time. #53271, #52419.
    • Implemented closure rebinding as parameter to bindTo.
    • Improved the warning message of incompatible arguments.
    • Improved ternary operator performance when returning arrays.
    • Changed error handlers to only generate docref links when the docref_root INI setting is not empty.
    • Changed silent conversion of array to string to produce a notice.
    • Changed default value of "default_charset" php.ini option from ISO-8859-1 to UTF-8.
    • Changed silent casting of null/''/false into an Object when adding a property into a warning.
    • Changed E_ALL to include E_STRICT.
    • Disabled windows CRT warning by default, can be enabled again using the ini directive windows_show_crt_warnings.
    • Fixed bug #55378: Binary number literal returns float number though its value is small enough.
  • Improved Zend Engine memory usage
    • Improved parse error messages.
    • Replaced zend_function.pass_rest_by_reference by ZEND_ACC_PASS_REST_BY_REFERENCE in zend_function.fn_flags.
    • Replaced zend_function.return_reference by ZEND_ACC_RETURN_REFERENCE in zend_function.fn_flags.
    • Removed zend_arg_info.required_num_args as it was only needed for internal functions. Now the first arg_info for internal functions (which has special meaning) is represented by zend_internal_function_info structure.
    • Moved zend_op_array.size, size_var, size_literal, current_brk_cont, backpatch_count into CG(context) as they are used only during compilation.
    • Moved zend_op_array.start_op into EG(start_op) as it's used only for 'interactive' execution of single top-level op-array.
    • Replaced zend_op_array.done_pass_two by ZEND_ACC_DONE_PASS_TWO in zend_op_array.fn_flags.
    • op_array.vars array is trimmed (reallocated) during pass_two.
    • Replaced zend_class_entry.constants_updated by ZEND_ACC_CONSTANTS_UPDATED in zend_class_entry.ce_flags.
    • Reduced the size of zend_class_entry by sharing the same memory space by different information for internal and user classes. See zend_class_entry.info union.
    • Reduced size of temp_variable.
  • Improved Zend Engine, performance tweaks and optimizations
    • Inlined most probable code-paths for arithmetic operations directly into executor.
    • Eliminated unnecessary iterations during request startup/shutdown.
    • Changed $GLOBALS into a JIT autoglobal, so it's initialized only if used. (this may affect opcode caches!)
    • Improved performance of @ (silence) operator.
    • Simplified string offset reading. $str[1][0] is now a legal construct.
    • Added caches to eliminate repeatable run-time bindings of functions, classes, constants, methods and properties.
    • Added concept of interned strings. All strings constants known at compile time are allocated in a single copy and never changed.
    • ZEND_RECV now always has IS_CV as its result.
    • ZEND_CATCH now has to be used only with constant class names.
    • ZEND_FETCH_DIM_? may fetch array and dimension operands in different order.
    • Simplified ZEND_FETCH_*_R operations. They can't be used with the EXT_TYPE_UNUSED flag any more. This is a very rare and useless case. ZEND_FREE might be required after them instead.
    • Split ZEND_RETURN into two new instructions ZEND_RETURN and ZEND_RETURN_BY_REF.
    • Optimized access to global constants using values with pre-calculated hash_values from the literals table.
    • Optimized access to static properties using executor specialization. A constant class name may be used as a direct operand of ZEND_FETCH_* instruction without previous ZEND_FETCH_CLASS.
    • zend_stack and zend_ptr_stack allocation is delayed until actual usage.
  • Other improvements to Zend Engine
    • Added an optimization which saves memory and emalloc/efree calls for empty HashTables.
    • Added ability to reset user opcode handlers.
    • Changed the structure of op_array.opcodes. The constant values are moved from opcode operands into a separate literal table.
    • Fixed (disabled) inline-caching for ZEND_OVERLOADED_FUNCTION methods.
    • Fixed bug #43200 (Interface implementation / inheritence not possible in abstract classes).
  • Improved core functions
    • Added optional argument to debug_backtrace() and debug_print_backtrace() to limit the amount of stack frames returned.
    • Added hex2bin() function.
    • number_format() no longer truncates multibyte decimal points and thousand separators to the first byte. #53457.
    • Added support for object references in recursive serialize() calls. #36424.
    • Added support for SORT_NATURAL and SORT_FLAG_CASE in array sort functions (sort, rsort, ksort, krsort, asort, arsort and array_multisort). #55158.
    • Added stream metadata API support and stream_metadata() stream class handler.
    • User wrappers can now define a stream_truncate() method that responds to truncation, e.g. through ftruncate(). #53888.
    • Improved unserialize() performance.
    • Changed array_combine() to return empty array instead of FALSE when both parameter arrays are empty. #34857.
    • Fixed invalid free in call_user_method() function.
    • Fixed crypt_blowfish handling of 8-bit characters. (CVE-2011-2483).
    • Fixed bug #61095 (Incorect lexing of 0x00*+<NUM>).
    • Fixed bug #60965 (Buffer overflow on htmlspecialchars/entities with $double=false).
    • Fixed bug #60895 (Possible invalid handler usage in windows random functions).
    • Fixed bug #60879 (unserialize() Does not invoke __wakeup() on object).
    • Fixed bug #60825 (Segfault when running symfony 2 tests).
    • Fixed bug #60809 (TRAITS - PHPDoc Comment Style Bug).
    • Fixed bug #60627 (httpd.worker segfault on startup with php_value).
    • Fixed bug #60613 (Segmentation fault with $cls->{expr}() syntax).
    • Fixed bug #60611 (Segmentation fault with Cls::{expr}() syntax).
    • Fixed bug #60558 (Invalid read and writes).
    • Fixed bug #60536 (Traits Segfault).
    • Fixed bug #60444 (Segmentation fault with include & class extending).
    • Fixed bug #60362 (non-existent sub-sub keys should not have values).
    • Fixed bug #60350 (No string escape code for ESC (ascii 27), normally \e).
    • Fixed bug #60321 (ob_get_status(true) no longer returns an array when buffer is empty).
    • Fixed bug #60282 (Segfault when using ob_gzhandler() with open buffers).
    • Fixed bug #60240 (invalid read/writes when unserializing specially crafted strings).
    • Fixed bug #60227 (header() cannot detect the multi-line header with CR(0x0D)).
    • Fixed bug #60174 (Notice when array in method prototype error).
    • Fixed bug #60169 (Conjunction of ternary and list crashes PHP).
    • Fixed bug #60120 (proc_open's streams may hang with stdin/out/err when the data exceeds or is equal to 2048 bytes).
    • Fixed bug #60099 (__halt_compiler() works in braced namespaces).
    • Fixed bug #60038 (SIGALRM cause segfault in php_error_cb).
    • Fixed bug #55874 (GCC does not provide __sync_fetch_and_add on some archs).
    • Fixed bug #55871 (Interruption in substr_replace()).
    • Fixed bug #55825 (Missing initial value of static locals in trait methods).
    • Fixed bug #55801 (Behavior of unserialize has changed).
    • Fixed bug #55622 (memory corruption in parse_ini_string).
    • Fixed bug #55758 (Digest Authenticate missed in 5.4) .
    • Fixed bug #55748 (multiple NULL Pointer Dereference with zend_strndup()) (CVE-2011-4153).
    • Fixed bug #55749 (TOCTOU issue in getenv() on Windows builds).
    • Fixed bug #55707 (undefined reference to `__sync_fetch_and_add_4' on Linux parisc).
    • Fixed bug #55705 (Omitting a callable typehinted argument causes a segfault).
    • Fixed bug #55475 (is_a() triggers autoloader, new optional 3rd argument to is_a and is_subclass_of).
    • Fixed bug #55471 (ZTS build broken with dtrace).
    • Fixed bug #55124 (recursive mkdir fails with current (dot) directory in path).
    • Fixed bug #55084 (Function registered by header_register_callback is called only once per process).
    • Implement #54514 (Get php binary path during script execution).
    • Fixed bug #52624 (tempnam() by-pass open_basedir with nonexistent directory).
    • Fixed bug #52211 (iconv() returns part of string on error).
    • Fixed bug #51860 (Include fails with toplevel symlink to /).
  • Improved generic SAPI support
    • Added $_SERVER['REQUEST_TIME_FLOAT'] to include microsecond precision.
    • Added max_input_vars directive to prevent attacks based on hash collisions.
    • Added header_register_callback() which is invoked immediately prior to the sending of headers and after default headers have been added.
    • Added http_response_code() function. #52555.
    • Fixed bug #55500 (Corrupted $_FILES indices lead to security concern).
    • Fixed bug #54374 (Insufficient validating of upload name leading to corrupted $_FILES indices).
  • Improved Apache SAPI
    • Fixed bug #60205 (possible integer overflow in content_length).
  • Improved CLI SAPI
    • Added friendly log messages. #55109.
    • Added built-in web server that is intended for testing purpose.
    • Added command line option --rz <name> which shows information of the named Zend extension.
    • Interactive readline shell improvements
      • Added "cli.pager" php.ini setting to set a pager for output.
      • Added "cli.prompt" php.ini setting to configure the shell prompt.
      • Added shortcut #inisetting=value to change ini settings at run-time.
      • Changed shell not to terminate on fatal errors.
      • Interactive shell works with shared readline extension. #53878.
    • Fixed bug #60591 (Memory leak when access a non-exists file).
    • Fixed bug #60523 (PHP Errors are not reported in browsers using built-in SAPI).
    • Fixed bug #60477 (Segfault after two multipart/form-data POST requests, one 200 RQ and one 404).
    • Implement #60390 (Missing $_SERVER['SERVER_PORT']).
    • Fixed bug #60180 ($_SERVER["PHP_SELF"] incorrect).
    • Fixed bug #60159 (Router returns false, but POST is not passed to requested resource).
    • Fixed bug #60146 (Last 2 lines of page not being output).
    • Fixed bug #60115 (memory definitely lost in cli server).
    • Fixed bug #60112 (If URI does not contain a file, index.php is not served).
    • Fixed bug #55759 (memory leak when using built-in server).
    • Fixed bug #55755 (SegFault when outputting header WWW-Authenticate).
    • Fixed bug #55747 (request headers missed in $_SERVER).
    • Fixed bug #55726 (Changing the working directory makes router script inaccessible).
    • Fixed bug #55463 (cli-server missing _SERVER[REMOTE_ADDR]).
    • Fixed bug #55450 (Built in web server not accepting file uploads).
    • Fixed bug #55423 (cli-server could not output correctly in some case).
  • Improved CGI/FastCGI SAPI
    • Added apache compatible functions: apache_child_terminate(), getallheaders(), apache_request_headers() and apache_response_headers().
    • Improved performance of FastCGI request parsing.
    • Fixed reinitialization of SAPI callbacks after php_module_startup().
  • Improved PHP-FPM SAPI
    • Added partial syslog support (on error_log only). #52052.
    • Added .phar to default authorized extensions.
    • Added process.max to control the number of process FPM can fork. #55166.
    • Dropped restriction of not setting the same value multiple times, the last one holds.
    • Lowered default value for Process Manager. #54098.
    • Enhanced security by limiting access to user defined extensions. #55181.
    • Enhanced error log when the primary script can't be open. #60199.
    • Removed EXPERIMENTAL flag.
    • Fixed bug #60659 (FPM does not clear auth_user on request accept).
    • Fixed bug #60629 (memory corruption when web server closed the fcgi fd).
  • Improved Litespeed SAPI
    • Fixed bug #55769 (Make Fails with "Missing Separator" error).
  • Improved BCmath extension
    • Fixed bug #60377 (bcscale related crashes on 64bits platforms).
  • Improved CURL extension
    • Added support for CURLOPT_MAX_RECV_SPEED_LARGE and CURLOPT_MAX_SEND_SPEED_LARGE. #51815.
    • Fixed bug #60439 (curl_copy_handle segfault when used with CURLOPT_PROGRESSFUNCTION).
  • Improved Date extension
    • Added the + modifier to parseFromFormat to allow trailing text in the string to parse without throwing an error.
  • Improved DBA extension
    • Added Tokyo Cabinet abstract DB support.
    • Added Berkeley DB 5 support.
  • Improved DOM extension
    • Added the ability to pass options to loadHTML.
  • Improved filesystem functions
    • scandir() now accepts SCANDIR_SORT_NONE as a possible sorting_order value. #53407.
  • Improved fileinfo extension
    • Fixed possible memory leak in finfo_open().
    • Fixed memory leak when calling the Finfo constructor twice.
    • Fixed bug #60094 (C++ comment fails in c89).
  • Improved HASH extension
    • Added Jenkins's one-at-a-time hash support.
    • Added FNV-1 hash support.
    • Made Adler32 algorithm faster. #53213.
    • Removed Salsa10/Salsa20, which are actually stream ciphers.
    • Fixed bug #60221 (Tiger hash output byte order).
  • Improved intl extension
    • Added Spoofchecker class, allows checking for visibly confusable characters and other security issues.
    • Added Transliterator class, allowing transliteration of strings.
    • Added support for UTS #46.
    • Fixed memory leak in several Intl locale functions.
    • Fixed build on Fedora 15 / Ubuntu 11.
    • Fixed bug #55562 (grapheme_substr() returns false on big length).
  • Improved JSON extension
    • Added new json_encode() option JSON_UNESCAPED_UNICODE. #53946.
    • Added JsonSerializable interface.
    • Added JSON_BIGINT_AS_STRING, extended json_decode() sig with $options.
    • Added support for JSON_NUMERIC_CHECK option in json_encode() that converts numeric strings to integers.
    • Added new json_encode() option JSON_UNESCAPED_SLASHES. #49366.
    • Added new json_encode() option JSON_PRETTY_PRINT. #44331.
  • Improved LDAP extension
    • Added paged results support. #42060.
  • Improved mbstring extension
    • Added Shift_JIS/UTF-8 Emoji (pictograms) support.
    • Added JIS X0213:2004 (Shift_JIS-2004, EUC-JP-2004, ISO-2022-JP-2004) support.
    • Ill-formed UTF-8 check for security enhancements.
    • Added MacJapanese (Shift_JIS) and gb18030 encoding support.
    • Added encode/decode in hex format to mb_[en|de]code_numericentity().
    • Added user JIS X0213:2004 (Shift_JIS-2004, EUC-JP-2004, ISO-2022-JP-2004) support.
    • Added the user defined area for CP936 and CP950.
    • Fixed possible crash in mb_ereg_search_init() using empty pattern.
    • Fixed bug #60306 (Characters lost while converting from cp936 to utf8).
  • Improved MS SQL extension
    • Fixed bug #60267 (Compile failure with freetds 0.91).
  • Improved MySQL extensions
    • MySQL: Deprecated mysql_list_dbs(). #50667.
    • mysqlnd: Added named pipes support. #48082.
    • MySQLi: Added iterator support in MySQLi. mysqli_result implements Traversable.
    • PDO_mysql: Removed support for linking with MySQL client libraries older than 4.1.
    • ext/mysql, mysqli and pdo_mysql now use mysqlnd by default.
    • Fixed bug #55473 (mysql_pconnect leaks file descriptors on reconnect).
    • Fixed bug #55653 (PS crash with libmysql when binding same variable as param and out).
  • Improved OpenSSL extension
    • Added AES support. #48632.
    • Added a "no_ticket" SSL context option to disable the SessionTicket TLS extension. #53447.
    • Added no padding option to openssl_encrypt()/openssl_decrypt().
    • Use php's implementation for Windows Crypto API in openssl_random_pseudo_bytes.
    • On error in openssl_random_pseudo_bytes() made sure we set strong result to false.
    • Fixed segfault with older versions of OpenSSL.
    • Fixed possible attack in SSL sockets with SSL 3.0 / TLS 1.0. CVE-2011-3389.
    • Fixed bug #61124 (Crash when decoding an invalid base64 encoded string).
    • Fixed bug #60279 (Fixed NULL pointer dereference in stream_socket_enable_crypto, case when ssl_handle of session_stream is not initialized.
  • Improved Oracle Database extension (OCI8)
    • Increased maximum Oracle error message buffer length for new 11.2.0.3 size.
    • Improved internal initalization failure error messages.
    • Fixed bug #59985 (show normal warning text for OCI_NO_DATA).
  • Improved PDO
    • Fixed PDO objects binary incompatibility.
  • PDO DBlib driver
    • Added nextRowset support.
    • Fixed bug #60033 (Incorrectly merged PDO dblib patches break uniqueidentifier column type).
    • Fixed bug #50755 (PDO DBLIB Fails with OOM).
  • Improved Pdo Firebird driver
    • Fixed bug #53280 (segfaults if query column count less than param count).
    • Fixed bug #48877 ("bindValue" and "bindParam" do not work for PDO Firebird).
    • Fixed bug #47415 (segfaults when passing lowercased column name to bindColumn).
  • Improved PostgreSQL extension
    • Added support for "extra" parameter for PGNotify().
  • Improved preg extension
    • Changed third parameter of preg_match_all() to optional. #53238.
  • Improved readline extension
    • Fixed bug #54450 (Enable callback support when built against libedit).
  • Improved Reflection extension
    • Added ReflectionClass::newInstanceWithoutConstructor() to create a new instance of a class without invoking its constructor. #55490.
    • Added ReflectionExtension::isTemporary() and ReflectionExtension::isPersistent() methods.
    • Added ReflectionZendExtension class.
    • Added ReflectionClass::isCloneable().
    • Fixed bug #60367 (Reflection and Late Static Binding).
    • Fixed bug #60357 (__toString() method triggers E_NOTICE "Array to string conversion").
  • Improved Session extension
    • Expose session status via new function, session_status. #52982.
    • Added support for object-oriented session handlers.
    • Added support for storing upload progress feedback in session data.
    • Changed session.entropy_file to default to /dev/urandom or /dev/arandom if either is present at compile time.
    • Fixed bug #60860 (session.save_handler=user without defined function core dumps).
    • Implement #60551 (session_set_save_handler should support a core's session handler interface).
    • Fixed bug #60640 (invalid return values).
  • Improved SNMP extension
    • Added OO API. #53594 (php-snmp rewrite).
    • Sanitized return values of existing functions. Now it returns FALSE on failure.
    • Allow ~infinite OIDs in GET/GETNEXT/SET queries. Autochunk them to max_oids upon request.
    • Introducing unit tests for extension with ~full coverage. IPv6 support. (#42918)
    • Way of representing OID value can now be changed when SNMP_VALUE_OBJECT is used for value output mode. Use or'ed SNMP_VALUE_LIBRARY(default if not specified) or SNMP_VALUE_PLAIN. (#54502)
    • Fixed bug #60749 (SNMP module should not strip non-standard SNMP port from hostname).
    • Fixed bug #60585 (php build fails with USE flag snmp when IPv6 support is disabled).
    • Fixed bug #53862 (snmp_set_oid_output_format does not allow returning to default).
    • Fixed bug #51336 (snmprealwalk (snmp v1) does not handle end of OID tree correctly).
    • Fixed bug #46065 (snmp_set_quick_print() persists between requests).
    • Fixed bug #45893 (Snmp buffer limited to 2048 char).
    • Fixed bug #44193 (snmp v3 noAuthNoPriv doesn't work).
  • Improved SOAP extension
    • Added new SoapClient option "keep_alive". #60329.
    • Fixed basic HTTP authentication for WSDL sub requests.
  • Improved SPL extension
    • Added RegexIterator::getRegex() method.
    • Added SplObjectStorage::getHash() hook.
    • Added CallbackFilterIterator and RecursiveCallbackFilterIterator.
    • Added missing class_uses(..) as pointed out by #55266.
    • Immediately reject wrong usages of directories under Spl(Temp)FileObject and friends.
    • FilesystemIterator, GlobIterator and (Recursive)DirectoryIterator now use the default stream context.
    • Fixed bug #60201 (SplFileObject::setCsvControl does not expose third argument via Reflection).
    • Fixed bug #55807 (Wrong value for splFileObject::SKIP_EMPTY).
    • Fixed bug #55287 (spl_classes() not includes CallbackFilter classes)
  • Improved Sysvshm extension
    • Fixed bug #55750 (memory copy issue in sysvshm extension).
  • Improved Tidy extension
    • Fixed bug #54682 (Tidy::diagnose() NULL pointer dereference).
  • Improved Tokenizer extension
    • Fixed bug #54089 (token_get_all with regards to __halt_compiler is not binary safe).
  • Improved XSL extension
    • Added XsltProcessor::setSecurityPrefs($options) and getSecurityPrefs() to define forbidden operations within XSLT stylesheets, default is not to enable write operations from XSLT. Fixed bug #54446.
    • XSL doesn't stop transformation anymore, if a PHP function can't be called
  • Improved ZLIB extension
    • Re-implemented non-file related functionality.
    • Fixed bug #55544 (ob_gzhandler always conflicts with zlib.output_compression).

Version 5.3.10

  • Core:
    • Fixed arbitrary remote code execution vulnerability reported by Stefan Esser, CVE-2012-0830.

Version 5.3.9

  • Core:
    • Added max_input_vars directive to prevent attacks based on hash collisions (Dmitry).
    • Fixed bug #60205 (possible integer overflow in content_length). (Laruence)
    • Fixed bug #60139 (Anonymous functions create cycles not detected by the GC). (Dmitry)
    • Fixed bug #60138 (GC crash with referenced array in RecursiveArrayIterator) (Dmitry).
    • Fixed bug #60120 (proc_open's streams may hang with stdin/out/err when the data exceeds or is equal to 2048 bytes). (Pierre, Pascal Borreli)
    • Fixed bug #60099 (__halt_compiler() works in braced namespaces). (Felipe)
    • Fixed bug #60019 (Function time_nanosleep() is undefined on OS X). (Ilia)
    • Fixed bug #55874 (GCC does not provide __sync_fetch_and_add on some archs). (klightspeed at netspace dot net dot au)
    • Fixed bug #55798 (serialize followed by unserialize with numeric object prop. gives integer prop). (Gustavo)
    • Fixed bug #55749 (TOCTOU issue in getenv() on Windows builds). (Pierre)
    • Fixed bug #55707 (undefined reference to `__sync_fetch_and_add_4' on Linux parisc). (Felipe)
    • Fixed bug #55674 (fgetcsv & str_getcsv skip empty fields in some tab-separated records). (Laruence)
    • Fixed bug #55649 (Undefined function Bug()). (Laruence)
    • Fixed bug #55622 (memory corruption in parse_ini_string). (Pierre)
    • Fixed bug #55576 (Cannot conditionally move uploaded file without race condition). (Gustavo)
    • Fixed bug #55510: $_FILES 'name' missing first character after upload. (Arpad)
    • Fixed bug #55509 (segfault on x86_64 using more than 2G memory). (Laruence)
    • Fixed bug #55504 (Content-Type header is not parsed correctly on HTTP POST request). (Hannes)
    • Fixed bug #55475 (is_a() triggers autoloader, new optional 3rd argument to is_a and is_subclass_of). (alan_k)
    • Fixed bug #52461 (Incomplete doctype and missing xmlns). (virsacer at web dot de, Pierre)
    • Fixed bug #55366 (keys lost when using substr_replace an array). (Arpad)
    • Fixed bug #55273 (base64_decode() with strict rejects whitespace after pad). (Ilia)
    • Fixed bug #52624 (tempnam() by-pass open_basedir with nonnexistent directory). (Felipe)
    • Fixed bug #50982 (incorrect assumption of PAGE_SIZE size). (Dmitry)
    • Fixed invalid free in call_user_method() function. (Felipe)
    • Fixed bug #43200 (Interface implementation / inheritence not possible in abstract classes). (Felipe)
  • BCmath:
    • Fixed bug #60377 (bcscale related crashes on 64bits platforms). (shm)
  • Calendar:
    • Fixed bug #55797 (Integer overflow in SdnToGregorian leads to segfault (in optimized builds). (Gustavo)
  • cURL:
    • Fixed bug #60439 (curl_copy_handle segfault when used with CURLOPT_PROGRESSFUNCTION). (Pierrick)
    • Fixed bug #54798 (Segfault when CURLOPT_STDERR file pointer is closed before calling curl_exec). (Hannes)
    • Fixed issues were curl_copy_handle() would sometimes lose copied preferences. (Hannes)
  • DateTime:
    • Fixed bug #60373 (Startup errors with log_errors on cause segfault). (Derick)
    • Fixed bug #60236 (TLA timezone dates are not converted properly from timestamp). (Derick)
    • Fixed bug #55253 (DateTime::add() and sub() result -1 hour on objects with time zone type 2). (Derick)
    • Fixed bug #54851 (DateTime::createFromFormat() doesn't interpret "D"). (Derick)
    • Fixed bug #53502 (strtotime with timezone memory leak). (Derick)
    • Fixed bug #52062 (large timestamps with DateTime::getTimestamp and DateTime::setTimestamp). (Derick)
    • Fixed bug #51994 (date_parse_from_format is parsing invalid date using 'yz' format). (Derick)
    • Fixed bug #52113 (Seg fault while creating (by unserialization) DatePeriod). (Derick)
    • Fixed bug #48476 (cloning extended DateTime class without calling parent::__constr crashed PHP). (Hannes)
  • EXIF:
    • Fixed bug #60150 (Integer overflow during the parsing of invalid exif header). (Stas, flolechaud at gmail dot com)
  • Fileinfo:
    • Fixed bug #60094 (C++ comment fails in c89). (Laruence)
    • Fixed possible memory leak in finfo_open(). (Felipe)
    • Fixed memory leak when calling the Finfo constructor twice. (Felipe)
  • Filter:
    • Fixed bug #55478 (FILTER_VALIDATE_EMAIL fails with internationalized domain name addresses containing >1 -). (Ilia)
  • FTP:
    • Fixed bug #60183 (out of sync ftp responses). (bram at ebskamp dot me, rasmus)
  • Gd:
    • Fixed bug #60160 (imagefill() doesn't work correctly for small images). (Florian)
  • Intl:
    • Fixed bug #60192 (SegFault when Collator not constructed properly). (Florian)
    • Fixed memory leak in several Intl locale functions. (Felipe)
  • JSON:
    • Fixed bug #55543 (json_encode() with JSON_NUMERIC_CHECK fails on objects with numeric string properties). (Ilia, dchurch at sciencelogic dot com)
  • mbstring:
    • Fixed possible crash in mb_ereg_search_init() using empty pattern. (Felipe)
  • MS SQL:
    • Fixed bug #60267 (Compile failure with freetds 0.91). (Felipe)
  • MySQL:
    • Fixed bug #55550 (mysql.trace_mode miscounts result sets). (Johannes)
  • MySQLi extension:
    • Fixed bug #55859 (mysqli->stat property access gives error). (Andrey)
    • Fixed bug #55582 (mysqli_num_rows() returns always 0 for unbuffered, when mysqlnd is used). (Andrey)
    • Fixed bug #55703 (PHP crash when calling mysqli_fetch_fields). (eran at zend dot com, Laruence)
  • mysqlnd:
    • Fixed bug #55609 (mysqlnd cannot be built shared). (Johannes)
    • Fixed bug #55067 (MySQL doesn't support compression - wrong config option). (Andrey)
  • NSAPI SAPI:
    • Don't set $_SERVER['HTTPS'] on unsecure connection (bug #55403). (Uwe Schindler)
  • OpenSSL:
    • Fixed bug #60279 (Fixed NULL pointer dereference in stream_socket_enable_crypto, case when ssl_handle of session_stream is not initialized.) (shm)
    • Fix segfault with older versions of OpenSSL. (Scott)
  • Oracle Database extension (OCI8):
    • Fixed bug #59985 (show normal warning text for OCI_NO_DATA). (Chris Jones)
    • Increased maximum Oracle error message buffer length for new 11.2.0.3 size. (Chris Jones)
    • Improve internal initalization failure error messages. (Chris Jones)
  • PDO
    • Fixed bug #55776 (PDORow to session bug). (Johannes)
  • PDO Firebird:
    • Fixed bug #48877 ("bindValue" and "bindParam" do not work for PDO Firebird). (Mariuz)
    • Fixed bug #47415 (PDO_Firebird segfaults when passing lowercased column name to bindColumn).
    • Fixed bug #53280 (PDO_Firebird segfaults if query column count less than param count). (Mariuz)
  • PDO MySQL driver:
    • Fixed bug #60155 (pdo_mysql.default_socket ignored). (Johannes)
    • Fixed bug #55870 (PDO ignores all SSL parameters when used with mysql native driver). (Pierre)
    • Fixed bug #54158 (MYSQLND+PDO MySQL requires #define MYSQL_OPT_LOCAL_INFILE). (Andrey)
  • PDO OCI driver:
    • Fixed bug #55768 (PDO_OCI can't resume Oracle session after it's been killed). (mikhail dot v dot gavrilov at gmail dot com, Chris Jones, Tony)
  • Phar:
    • Fixed bug #60261 (NULL pointer dereference in phar). (Felipe)
    • Fixed bug #60164 (Stubs of a specific length break phar_open_from_fp scanning for __HALT_COMPILER). (Ralph Schindler)
    • Fixed bug #53872 (internal corruption of phar). (Hannes)
    • Fixed bug #52013 (Unable to decompress files in a compressed phar). (Hannes)
  • PHP-FPM SAPI:
    • Fixed bug #60659 (FPM does not clear auth_user on request accept). (bonbons at linux-vserver dot org)
    • Fixed bug #60629 (memory corruption when web server closed the fcgi fd). (fat)
    • Fixed bug #60179 (php_flag and php_value does not work properly). (fat)
    • Fixed bug #55526 (Heartbeat causes a lot of unnecessary events). (fat)
    • Fixed bug #55533 (The -d parameter doesn't work). (fat)
    • Implemented FR #52569 (Add the "ondemand" process-manager to allow zero children). (fat)
    • Fixed bug #55486 (status show BIG processes number). (fat)
    • Fixed bug #55577 (status.html does not install). (fat)
    • Backported from 5.4 branch (Dropped restriction of not setting the same value multiple times, the last one holds). (giovanni at giacobbi dot net, fat)
    • Backported FR #55166 from 5.4 branch (Added process.max to control the number of process FPM can fork). (fat)
    • Backported FR #55181 from 5.4 branch (Enhance security by limiting access to user defined extensions). (fat)
    • Backported FR #54098 from 5.4 branch (Lowered process manager default value). (fat)
    • Backported FR #52052 from 5.4 branch (Added partial syslog support). (fat)
    • Implemented FR #54577 (Enhanced status page with full status and details about each processes. Also provide a web page (status.html) for real-time FPM status. (fat)
    • Enhance error log when the primary script can't be open. FR #60199. (fat)
    • Added .phar to default authorized extensions. (fat)
  • Postgres:
    • Fixed bug #60244 (pg_fetch_* functions do not validate that row param is >0). (Ilia)
  • Reflection:
    • Fixed bug #60367 (Reflection and Late Static Binding). (Laruence)
  • Session:
    • Fixed bug #55267 (session_regenerate_id fails after header sent). (Hannes)
  • SimpleXML:
    • Reverted the SimpleXML->query() behaviour to returning empty arrays instead of false when no nodes are found as it was since 5.3.3 (bug #48601). (chregu, rrichards)
  • SOAP
    • Fixed bug #54911 (Access to a undefined member in inherit SoapClient may cause Segmentation Fault). (Dmitry)
    • Fixed bug #48216 (PHP Fatal error: SOAP-ERROR: Parsing WSDL: Extra content at the end of the doc, when server uses chunked transfer encoding with spaces after chunk size). (Dmitry)
    • Fixed bug #44686 (SOAP-ERROR: Parsing WSDL with references). (Dmitry)
  • Sockets:
    • Fixed bug #60048 (sa_len a #define on IRIX). (china at thewrittenword dot com)
  • SPL:
    • Fixed bug #60082 (Crash in ArrayObject() when using recursive references). (Tony)
    • Fixed bug #55807 (Wrong value for splFileObject::SKIP_EMPTY). (jgotti at modedemploi dot fr, Hannes)
    • Fixed bug #54304 (RegexIterator::accept() doesn't work with scalar values). (Hannes)
  • Streams:
    • Fixed bug #60455 (stream_get_line misbehaves if EOF is not detected together with the last read). (Gustavo)
  • Tidy:
    • Fixed bug #54682 (Tidy::diagnose() NULL pointer dereference). (Maksymilian Arciemowicz, Felipe)
  • XSL:
    • Added xsl.security_prefs ini option to define forbidden operations within XSLT stylesheets, default is not to enable write operations. This option won't be in 5.4, since there's a new method. Fixes Bug #54446. (Chregu, Nicolas Gregoire)

Version 5.3.8

  • Core:
    • Fixed bug #55439 (crypt() returns only the salt for MD5). (Stas)
  • OpenSSL:
    • Reverted a change in timeout handling restoring PHP 5.3.6 behavior, as the new behavior caused mysqlnd SSL connections to hang ( bug #55283). (Pierre, Andrey, Johannes)

Version 5.3.7

  • Upgraded bundled SQLite to version 3.7.7.1. (Scott)
  • Upgraded bundled PCRE to version 8.12. (Scott)
  • Zend Engine:
    • Fixed bug #55156 (ReflectionClass::getDocComment() returns comment even though the class has none). (Felipe)
    • Fixed bug #55007 (compiler fail after previous fail). (Felipe)
    • Fixed bug #54910 (Crash when calling call_user_func with unknown function name). (Dmitry)
    • Fixed bug #54804 (__halt_compiler and imported namespaces). (Pierrick, Felipe)
    • Fixed bug #54624 (class_alias and type hint). (Felipe)
    • Fixed bug #54585 (track_errors causes segfault). (Dmitry)
    • Fixed bug #54423 (classes from dl()'ed extensions are not destroyed). (Tony, Dmitry)
    • Fixed bug #54372 (Crash accessing global object itself returned from its __get() handle). (Dmitry)
    • Fixed bug #54367 (Use of closure causes problem in ArrayAccess). (Dmitry)
    • Fixed bug #54358 (Closure, use and reference). (Dmitry)
    • Fixed bug #54262 (Crash when assigning value to a dimension in a non-array). (Dmitry)
    • Fixed bug #54039 (use() of static variables in lambda functions can break staticness). (Dmitry)
  • Core:
    • Updated crypt_blowfish to 1.2. (CVE-2011-2483) (Solar Designer) (more info)
    • Removed warning when argument of is_a() or is_subclass_of() is not a known class. (Stas)
    • Fixed crash in error_log(). (Felipe) Reported by Mateusz Kocielski.
    • Added PHP_MANDIR constant telling where the manpages were installed into, and an --man-dir argument to php-config. (Hannes)
    • Fixed a crash inside dtor for error handling. (Ilia)
    • Fixed buffer overflow on overlog salt in crypt(). (Clément LECIGNE, Stas
    • Implemented FR #54459 (Range function accuracy). (Adam)
    • Fixed bug #55399 (parse_url() incorrectly treats ':' as a valid path). (Ilia)
    • Fixed bug #55339 (Segfault with allow_call_time_pass_reference = Off). (Dmitry)
    • Fixed bug #55295 [NEW]: popen_ex on windows, fixed possible heap overflow (Pierre)
    • Fixed bug #55258 (Windows Version Detecting Error). ( xiaomao5 at live dot com, Pierre)
    • Fixed bug #55187 (readlink returns weird characters when false result). (Pierre)
    • Fixed bug #55082 (var_export() doesn't escape properties properly). (Gustavo)
    • Fixed bug #55014 (Compile failure due to improper use of ctime_r()). (Ilia)
    • Fixed bug #54939 (File path injection vulnerability in RFC1867 File upload filename). (Felipe) Reported by Krzysztof Kotowicz. (CVE-2011-2202)
    • Fixed bug #54935 php_win_err can lead to crash. (Pierre)
    • Fixed bug #54924 (assert.* is not being reset upon request shutdown). (Ilia)
    • Fixed bug #54895 (Fix compiling with older gcc version without need for membar_producer macro). (mhei at heimpold dot de)
    • Fixed bug #54866 (incorrect accounting for realpath_cache_size). (Dustin Ward)
    • Fixed bug #54723 (getimagesize() doesn't check the full ico signature). (Scott)
    • Fixed bug #54721 (Different Hashes on Windows, BSD and Linux on wrong Salt size). (Pierre, os at irj dot ru)
    • Fixed bug #54580 (get_browser() segmentation fault when browscap ini directive is set through php_admin_value). (Gustavo)
    • Fixed bug #54332 (Crash in zend_mm_check_ptr // Heap corruption). (Dmitry)
    • Fixed bug #54305 (Crash in gc_remove_zval_from_buffer). (Dmitry)
    • Fixed bug #54238 (use-after-free in substr_replace()). (Stas) (CVE-2011-1148)
    • Fixed bug #54204 (Can't set a value with a PATH section in php.ini). (Pierre)
    • Fixed bug #54180 (parse_url() incorrectly parses path when ? in fragment). (tomas dot brastavicius at quantum dot lt, Pierrick)
    • Fixed bug #54137 (file_get_contents POST request sends additional line break). (maurice-php at mertinkat dot net, Ilia)
    • Fixed bug #53848 (fgetcsv() ignores spaces at beginnings of fields). (Ilia)
    • Alternative fix for bug Fixed bug #52550, as applied to the round() function (signed overflow), as the old fix impacted the algorithm for numbers with magnitude smaller than 0. (Gustavo)
    • Fixed bug #53727 (Inconsistent behavior of is_subclass_of with interfaces) (Ralph Schindler, Dmitry)
    • Fixed bug #52935 (call exit in user_error_handler cause stream relate core). (Gustavo)
    • Fixed bug #51997 (SEEK_CUR with 0 value, returns a warning). (Ilia)
    • Fixed bug #50816 (Using class constants in array definition fails). (Pierrick, Dmitry)
    • Fixed bug #50363 (Invalid parsing in convert.quoted-printable-decode filter). (slusarz at curecanti dot org)
    • Fixed bug #48465 (sys_get_temp_dir() possibly inconsistent when using TMPDIR on Windows). (Pierre)
  • Apache2 Handler SAPI:
    • Fixed bug #54529 (SAPI crashes on apache_config.c:197). (hebergement at riastudio dot fr)
  • CLI SAPI:
    • Fixed bug #52496 (Zero exit code on option parsing failure). (Ilia)
  • cURL extension:
    • Added ini option curl.cainfo (support for custom cert db). (Pierre)
    • Added CURLINFO_REDIRECT_URL support. (Daniel Stenberg, Pierre)
    • Added support for CURLOPT_MAX_RECV_SPEED_LARGE and CURLOPT_MAX_SEND_SPEED_LARGE. FR Fixed bug #51815. (Pierrick)
  • DateTime extension:
    • Fixed bug where the DateTime object got changed while using date_diff(). (Derick)
    • Fixed bug #54340 (DateTime::add() method bug). (Adam)
    • Fixed bug #54316 (DateTime::createFromFormat does not handle trailing '|' correctly). (Adam)
    • Fixed bug #54283 (new DatePeriod(NULL) causes crash). (Felipe)
    • Fixed bug #51819 (Case discrepancy in timezone names cause Uncaught exception and fatal error). (Hannes)
  • DBA extension:
    • Supress warning on non-existent file open with Berkeley DB 5.2 (Chris Jones)
    • Fixed bug #54242 (dba_insert returns true if key already exists). (Felipe)
  • Exif extesion:
    • Fixed bug #54121 (error message format string typo). (Ilia)
  • Fileinfo extension:
    • Fixed bug #54934 (Unresolved symbol strtoull in HP-UX 11.11). (Felipe)
  • Filter extension:
    • Added 3rd parameter to filter_var_array() and filter_input_array() functions that allows disabling addition of empty elements. (Ilia)
    • Fixed bug #53037 (FILTER_FLAG_EMPTY_STRING_NULL is not implemented). (Ilia)
  • Interbase extension:
    • Fixed bug #54269 (Short exception message buffer causes crash). (Felipe)
  • intl extension:
    • Implemented FR #54561 (Expose ICU version info). (David Zuelke, Ilia)
    • Implemented FR #54540 (Allow loading of arbitrary resource bundles when fallback is disabled). (David Zuelke, Stas)
  • Imap extension:
    • Fixed bug #55313 (Number of retries not set when params specified). (kevin at kevinlocke dot name)
  • json extension:
    • Fixed bug #54484 (Empty string in json_decode doesn't reset json_last_error()). (Ilia)
  • LDAP extension:
    • Fixed bug #53339 (Fails to build when compilng with gcc 4.5 and DSO libraries). (Clint Byrum, Raphael)
  • libxml extension:
    • Fixed bug #54601 (Removing the doctype node segfaults). (Hannes)
    • Fixed bug #54440 (libxml extension ignores default context). (Gustavo)
  • mbstring extension:
    • Fixed bug #54494 (mb_substr() mishandles UTF-32LE and UCS-2LE). (Gustavo)
  • MCrypt extension:
    • Change E_ERROR to E_WARNING in mcrypt_create_iv when not enough data has been fetched (Windows). (Pierre)
    • Fixed bug #55169 (mcrypt_create_iv always fails to gather sufficient random data on Windows). (Pierre)
  • MySQL Improved extension:
    • Fixed Bug Fixed bug #54221 (mysqli::get_warnings segfault when used in multi queries). (Andrey)
  • mysqlnd
    • Fixed crash when using more than 28,000 bound parameters. Workaround is to set mysqlnd.net_cmd_buffer_size to at least 9000. (Andrey)
    • Fixed bug #54674 mysqlnd valid_sjis_(head|tail) is using invalid operator and range). (nihen at megabbs dot com, Andrey)
  • MySQLi extension:
    • Fixed bug #55283 (SSL options set by mysqli_ssl_set ignored for MySQLi persistent connections). (Andrey)
  • OpenSSL extension:
    • openssl_encrypt()/openssl_decrypt() truncated keys of variable length ciphers to the OpenSSL default for the algorithm. (Scott)
    • On blocking SSL sockets respect the timeout option where possible. (Scott)
    • Fixed bug #54992 (Stream not closed and error not returned when SSL CN_match fails). (Gustavo, laird_ngrps at dodo dot com dot au)
  • Oracle Database extension (OCI8):
    • Added oci_client_version() returning the runtime Oracle client library version (Chris Jones)
  • PCRE extension:
    • Increased the backtrack limit from 100000 to 1000000 (Rasmus)
  • PDO extension:
    • Fixed bug #54929 (Parse error with single quote in sql comment). (Felipe)
    • Fixed bug #52104 (bindColumn creates Warning regardless of ATTR_ERRMODE settings). (Ilia)
  • PDO DBlib driver:
    • Fixed bug #54329 (MSSql extension memory leak). (dotslashpok at gmail dot com)
    • Fixed bug #54167 (PDO_DBLIB returns null on SQLUNIQUE field). (mjh at hodginsmedia dot com, Felipe)
  • PDO ODBC driver:
    • Fixed data type usage in 64bit. (leocsilva at gmail dot com)
  • PDO MySQL driver:
    • Fixed bug #54644 (wrong pathes in php_pdo_mysql_int.h). (Tony, Johannes)
    • Fixed bug #53782 (foreach throws irrelevant exception). (Johannes, Andrey)
    • Implemented FR #48587 (MySQL PDO driver doesn't support SSL connections). (Rob)
  • PDO PostgreSQL driver:
    • Fixed bug #54318 (Non-portable grep option used in PDO pgsql configuration). (bwalton at artsci dot utoronto dot ca)
  • PDO Oracle driver:
    • Fixed bug #44989 (64bit Oracle RPMs still not supported by pdo-oci). (jbnance at tresgeek dot net)
  • Phar extension:
    • Fixed bug #54395 (Phar::mount() crashes when calling with wrong parameters). (Felipe)
  • PHP-FPM SAPI:
    • Implemented FR #54499 (FPM ping and status_path should handle HEAD request). (fat)
    • Implemented FR #54172 (Overriding the pid file location of php-fpm). (fat)
    • Fixed missing Expires and Cache-Control headers for ping and status pages. (fat)
    • Fixed memory leak. (fat) Reported and fixed by Giovanni Giacobbi.
    • Fixed wrong value of log_level when invoking fpm with -tt. (fat)
    • Added xml format to the status page. (fat)
    • Removed timestamp in logs written by children processes. (fat)
    • Fixed exit at FPM startup on fpm_resources_prepare() errors. (fat)
    • Added master rlimit_files and rlimit_core in the global configuration settings. (fat)
    • Removed pid in debug logs written by chrildren processes. (fat)
    • Added custom access log (also added per request %CPU and memory mesurement). (fat)
    • Added a real scoreboard and several improvements to the status page. (fat)
  • Reflection extension:
    • Fixed bug #54347 (reflection_extension does not lowercase module function name). (Felipe, laruence at yahoo dot com dot cn)
  • SOAP extension:
    • Fixed bug #55323 (SoapClient segmentation fault when XSD_TYPEKIND_EXTENSION contains itself). (Dmitry)
    • Fixed bug #54312 (soap_version logic bug). (tom at samplonius dot org)
  • Sockets extension:
    • Fixed stack buffer overflow in socket_connect(). (CVE-2011-1938) Found by Mateusz Kocielski, Marek Kroemeke and Filip Palian. (Felipe)
    • Changed socket_set_block() and socket_set_nonblock() so they emit warnings on error. (Gustavo)
    • Fixed bug #51958 (socket_accept() fails on IPv6 server sockets). (Gustavo)
  • SPL extension:
    • Fixed bug #54971 (Wrong result when using iterator_to_array with use_keys on true). (Pierrick)
    • Fixed bug #54970 (SplFixedArray::setSize() isn't resizing). (Felipe)
    • Fixed bug #54609 (Certain implementation(s) of SplFixedArray cause hard crash). (Felipe)
    • Fixed bug #54384 (Dual iterators, GlobIterator, SplFileObject and SplTempFileObject crash when user-space classes don't call the paren constructor). (Gustavo)
    • Fixed bug #54292 (Wrong parameter causes crash in SplFileObject::__construct()). (Felipe)
    • Fixed bug #54291 (Crash iterating DirectoryIterator for dir name starting with \0). (Gustavo)
    • Fixed bug #54281 (Crash in non-initialized RecursiveIteratorIterator). (Felipe)
  • Streams:
    • Fixed bug #54946 (stream_get_contents infinite loop). (Hannes)
    • Fixed bug #54623 (Segfault when writing to a persistent socket after closing a copy of the socket). (Gustavo)
    • Fixed bug #54681 (addGlob() crashes on invalid flags). (Felipe)

Version 5.3.6

  • Upgraded bundled Sqlite3 to version 3.7.4. (Ilia)
  • Upgraded bundled PCRE to version 8.11. (Ilia)
  • Zend Engine:
    • Indirect reference to $this fails to resolve if direct $this is never used in method. (Scott)
    • Fixed bug numerous crashes due to setlocale (crash on error, pcre, mysql etc.) on Windows in thread safe mode. (Pierre)
    • Added options to debug backtrace functions. (Stas)
    • Fixed bug #53971 (isset() and empty() produce apparently spurious runtime error). (Dmitry)
    • Fixed bug #53958 (Closures can't 'use' shared variables by value and by reference). (Dmitry)
    • Fixed bug #53629 (memory leak inside highlight_string()). (Hannes, Ilia)
    • Fixed bug #51458 (Lack of error context with nested exceptions). (Stas)
    • Fixed bug #47143 (Throwing an exception in a destructor causes a fatal error). (Stas)
    • Fixed bug #43512 (same parameter name can be used multiple times in method/function definition). (Felipe)
  • Core:
    • Added ability to connect to HTTPS sites through proxy with basic authentication using stream_context/http/header/Proxy-Authorization (Dmitry)
    • Changed default value of ini directive serialize_precision from 100 to 17. (Gustavo)
    • Fixed bug #54055 (buffer overrun with high values for precision ini setting). (Gustavo)
    • Fixed bug #53959 (reflection data for fgetcsv out-of-date). (Richard)
    • Fixed bug #53577 (Regression introduced in 5.3.4 in open_basedir with a trailing forward slash). (lekensteyn at gmail dot com, Pierre)
    • Fixed bug #53682 (Fix compile on the VAX). (Rasmus, jklos)
    • Fixed bug #48484 (array_product() always returns 0 for an empty array). (Ilia)
    • Fixed bug #48607 (fwrite() doesn't check reply from ftp server before exiting). (Ilia)
  • Calendar extension:
    • Fixed bug #53574 (Integer overflow in SdnToJulian, sometimes leading to segfault). (Gustavo)
  • DOM extension:
    • Implemented FR #39771 (Made DOMDocument::saveHTML accept an optional DOMNode like DOMDocument::saveXML). (Gustavo)
  • DateTime extension:
    • Fixed a bug in DateTime->modify() where absolute date/time statements had no effect. (Derick)
    • Fixed bug #53729 (DatePeriod fails to initialize recurrences on 64bit big-endian systems). (Derick, rein@basefarm.no)
    • Fixed bug #52808 (Segfault when specifying interval as two dates). (Stas)
    • Fixed bug #52738 (Can't use new properties in class extended from DateInterval). (Stas)
    • Fixed bug #52290 (setDate, setISODate, setTime works wrong when DateTime created from timestamp). (Stas)
    • Fixed bug #52063 (DateTime constructor's second argument doesn't have a null default value). (Gustavo, Stas)
  • Exif extension:
    • Fixed bug #54002 (crash on crafted tag, reported by Luca Carettoni). (Pierre) (CVE-2011-0708)
  • Filter extension:
    • Fixed bug #53924 (FILTER_VALIDATE_URL doesn't validate port number). (Ilia, Gustavo)
    • Fixed bug #53150 (FILTER_FLAG_NO_RES_RANGE is missing some IP ranges). (Ilia)
    • Fixed bug #52209 (INPUT_ENV returns NULL for set variables (CLI)). (Ilia)
    • Fixed bug #47435 (FILTER_FLAG_NO_RES_RANGE don't work with ipv6). (Ilia, valli at icsurselva dot ch)
  • Fileinfo extension:
    • Fixed bug #54016 (finfo_file() Cannot determine filetype in archives). (Hannes)
  • Gettext
    • Fixed bug #53837 (_() crashes on Windows when no LANG or LANGUAGE environment variable are set). (Pierre)
  • IMAP extension:
    • Implemented FR #53812 (get MIME headers of the part of the email). (Stas)
    • Fixed bug #53377 (imap_mime_header_decode() doesn't ignore \t during long MIME header unfolding). (Adam)
  • Intl extension:
    • Fixed bug #53612 (Segmentation fault when using cloned several intl objects). (Gustavo)
    • Fixed bug #53512 (NumberFormatter::setSymbol crash on bogus $attr values). (Felipe)
    • Implemented clone functionality for number, date & message formatters. (Stas).
  • JSON extension:
    • Fixed bug #53963 (Ensure error_code is always set during some failed decodings). (Scott)
  • mysqlnd
    • Fixed problem with always returning 0 as num_rows for unbuffered sets. (Andrey, Ulf)
  • MySQL Improved extension:
    • Added 'db' and 'catalog' keys to the field fetching functions (FR #39847). (Kalle)
    • Fixed buggy counting of affected rows when using the text protocol. The collected statistics were wrong when multi_query was used with mysqlnd (Andrey)
    • Fixed bug #53795 (Connect Error from MySqli (mysqlnd) when using SSL). (Kalle)
    • Fixed bug #53503 (mysqli::query returns false after successful LOAD DATA query). (Kalle, Andrey)
    • Fixed bug #53425 (mysqli_real_connect() ignores client flags when built to call libmysql). (Kalle, tre-php-net at crushedhat dot com)
  • OpenSSL extension:
    • Fixed stream_socket_enable_crypto() not honoring the socket timeout in server mode. (Gustavo)
    • Fixed bug #54060 (Memory leaks when openssl_encrypt). (Pierre)
    • Fixed bug #54061 (Memory leaks when openssl_decrypt). (Pierre)
    • Fixed bug #53592 (stream_socket_enable_crypto() busy-waits in client mode). (Gustavo)
    • Implemented FR #53447 (Cannot disable SessionTicket extension for servers that do not support it) by adding a no_ticket SSL context option. (Adam, Tony)
  • PDO MySQL driver:
    • Fixed bug #53551 (PDOStatement execute segfaults for pdo_mysql driver). (Johannes)
    • Implemented FR #47802 (Support for setting character sets in DSN strings). (Kalle)
  • PDO Oracle driver:
    • Fixed bug #39199 (Cannot load Lob data with more than 4000 bytes on ORACLE 10). (spatar at mail dot nnov dot ru)
  • PDO PostgreSQL driver:
    • Fixed bug #53517 (segfault in pgsql_stmt_execute() when postgres is down). (gyp at balabit dot hu)
  • Phar extension:
    • Fixed bug #54247 (format-string vulnerability on Phar). (Felipe) (CVE-2011-1153)
    • Fixed bug #53541 (format string bug in ext/phar). (crrodriguez at opensuse dot org, Ilia)
    • Fixed bug #53898 (PHAR reports invalid error message, when the directory does not exist). (Ilia)
  • PHP-FPM SAPI:
    • Enforce security in the fastcgi protocol parsing. (ef-lists at email dotde)
    • Fixed bug #53777 (php-fpm log format now match php_error log format). (fat)
    • Fixed bug #53527 (php-fpm --test doesn't set a valuable return value). (fat)
    • Fixed bug #53434 (php-fpm slowlog now also logs the original request). (fat)
  • Readline extension:
    • Fixed bug #53630 (Fixed parameter handling inside readline() function). (jo at feuersee dot de, Ilia)
  • Reflection extension:
    • Fixed bug #53915 (ReflectionClass::getConstant(s) emits fatal error on constants with self::). (Gustavo)
  • Shmop extension:
    • Fixed bug #54193 (Integer overflow in shmop_read()). (Felipe) Reported by Jose Carlos Norte (CVE-2011-1092)
  • SNMP extension:
    • Fixed bug #51336 (snmprealwalk (snmp v1) does not handle end of OID tree correctly). (Boris Lytochkin)
  • SOAP extension:
    • Fixed possible crash introduced by the NULL poisoning patch. (Mateusz Kocielski, Pierre)
  • SPL extension:
    • Fixed memory leak in DirectoryIterator::getExtension() and SplFileInfo::getExtension(). (Felipe)
    • Fixed bug #53914 (SPL assumes HAVE_GLOB is defined). (Chris Jones)
    • Fixed bug #53515 (property_exists incorrect on ArrayObject null and 0 values). (Felipe)
    • Added SplFileInfo::getExtension(). FR #48767. (Peter Cowburn)
  • SQLite3 extension:
    • Fixed memory leaked introduced by the NULL poisoning patch. (Mateusz Kocielski, Pierre)
    • Fixed memory leak on SQLite3Result and SQLite3Stmt when assigning to a reference. (Felipe)
    • Add SQlite3_Stmt::readonly() for checking if a statement is read only. (Scott)
    • Implemented FR #53466 (SQLite3Result::columnType() should return false after all of the rows have been fetched). (Scott)
  • Streams:
    • Fixed bug #54092 (Segmentation fault when using HTTP proxy with the FTP wrapper). (Gustavo)
    • Fixed bug #53913 (Streams functions assume HAVE_GLOB is defined). (Chris Jones)
    • Fixed bug #53903 (userspace stream stat callback does not separate the elements of the returned array before converting them). (Gustavo)
    • Implemented FR #26158 (open arbitrary file descriptor with fopen). (Gustavo)
  • Tokenizer Extension
    • Fixed bug #54089 (token_get_all() does not stop after __halt_compiler). (Ilia)
  • XSL extension:
    • Fixed memory leaked introduced by the NULL poisoning patch. (Mateusz Kocielski, Pierre)
  • Zip extension:
    • Added the filename into the return value of stream_get_meta_data(). (Hannes)
    • Fixed bug #53923 (Zip functions assume HAVE_GLOB is defined). (Adam)
    • Fixed bug #53893 (Wrong return value for ZipArchive::extractTo()). (Pierre)
    • Fixed bug #53885 (ZipArchive segfault with FL_UNCHANGED on empty archive). (Stas, Maksymilian Arciemowicz). (CVE-2011-0421)
    • Fixed bug #53854 (Missing constants for compression type). (Richard, Adam)
    • Fixed bug #53603 (ZipArchive should quiet stat errors). (brad dot froehle at gmail dot com, Gustavo)
    • Fixed bug #53579 (stream_get_contents() segfaults on ziparchive streams). (Hannes)
    • Fixed bug #53568 (swapped memset arguments in struct initialization). (crrodriguez at opensuse dot org)
    • Fixed bug #53166 (Missing parameters in docs and reflection definition). (Richard)
    • Fixed bug #49072 (feof never returns true for damaged file in zip). (Gustavo, Richard Quadling)

Version 5.3.5

  • Fixed bug #53632 (PHP hangs on numeric value 2.2250738585072011e-308). (CVE-2010-4645) (Rasmus, Scott)

Version 5.2.17

  • Fixed bug #53632 (PHP hangs on numeric value 2.2250738585072011e-308). (CVE-2010-4645) (Rasmus, Scott)

Version 5.2.16

  • Fixed bug #53517 (segfault in pgsql_stmt_execute() when postgres is down). (gyp at balabit dot hu)
  • Fixed bug #53516 (Regression in open_basedir handling). (Ilia)

Version 5.3.4

  • Upgraded bundled Sqlite3 to version 3.7.3. (Ilia)
  • Upgraded bundled PCRE to version 8.10. (Ilia)
  • Security enhancements:
    • Fixed crash in zip extract method (possible CWE-170). (Maksymilian Arciemowicz, Pierre)
    • Paths with NULL in them (foo\0bar.txt) are now considered as invalid. (Rasmus)
    • Fixed a possible double free in imap extension (Identified by Mateusz Kocielski). (CVE-2010-4150). (Ilia)
    • Fixed NULL pointer dereference in ZipArchive::getArchiveComment. (CVE-2010-3709). (Maksymilian Arciemowicz)
    • Fixed possible flaw in open_basedir (CVE-2010-3436). (Pierre)
    • Fixed MOPS-2010-24, fix string validation. (CVE-2010-2950). (Pierre)
    • Fixed symbolic resolution support when the target is a DFS share. (Pierre)
    • Fixed bug #52929 (Segfault in filter_var with FILTER_VALIDATE_EMAIL with large amount of data) (CVE-2010-3710). (Adam)
  • General improvements:
    • Added stat support for zip stream. (Pierre)
    • Added follow_location (enabled by default) option for the http stream support. (Pierre)
    • Improved support for is_link and related functions on Windows. (Pierre)
    • Added a 3rd parameter to get_html_translation_table. It now takes a charset hint, like htmlentities et al. (Gustavo)
  • Implemented feature requests:
    • Implemented FR #52348, added new constant ZEND_MULTIBYTE to detect zend multibyte at runtime. (Kalle)
    • Implemented FR #52173, added functions pcntl_get_last_error() and pcntl_strerror(). (nick dot telford at gmail dot com, Arnaud)
    • Implemented symbolic links support for open_basedir checks. (Pierre)
    • Implemented FR #51804, SplFileInfo::getLinkTarget on Windows. (Pierre)
    • Implemented FR #50692, not uploaded files don't count towards max_file_uploads limit. As a side improvement, temporary files are not opened for empty uploads and, in debug mode, 0-length uploads. (Gustavo)
  • Improved MySQLnd:
    • Added new character sets to mysqlnd, which are available in MySQL 5.5 (Andrey)
  • Improved PHP-FPM SAPI:
    • Added '-p/--prefix' to php-fpm to use a custom prefix and run multiple instances. (fat)
    • Added custom process title for FPM. (fat)
    • Added '-t/--test' to php-fpm to check and validate FPM conf file. (fat)
    • Added statistics about listening socket queue length for FPM. (andrei dot nigmatulin at gmail dot com, fat)
  • Core:
    • Fixed extract() to do not overwrite $GLOBALS and $this when using EXTR_OVERWRITE. (jorto at redhat dot com)
    • Fixed bug in the Windows implementation of dns_get_record, where the two last parameters wouldn't be filled unless the type were DNS_ANY (Gustavo).
    • Changed the $context parameter on copy() to actually have an effect. (Kalle)
    • Fixed htmlentities/htmlspecialchars accepting certain ill-formed UTF-8 sequences. (Gustavo)
    • Fixed bug #53409 (sleep() returns NULL on Windows). (Pierre)
    • Fixed bug #53319 (strip_tags() may strip '<br />' incorrectly). (Felipe)
    • Fixed bug #53304 (quot_print_decode does not handle lower-case hex digits). (Ilia, daniel dot mueller at inexio dot net)
    • Fixed bug #53248 (rawurlencode RFC 3986 EBCDIC support misses tilde char). (Justin Martin)
    • Fixed bug #53226 (file_exists fails on big filenames). (Adam)
    • Fixed bug #53198 (changing INI setting "from" with ini_set did not have any effect). (Gustavo)
    • Fixed bug #53180 (post_max_size=0 not disabling the limit when the content type is application/x-www-form-urlencoded or is not registered with PHP). (gm at tlink dot de, Gustavo)
    • Fixed bug #53141 (autoload misbehaves if called from closing session). (ladislav at marek dot su)
    • Fixed bug #53021 (In html_entity_decode, failure to convert numeric entities with ENT_NOQUOTES and ISO-8859-1). Fixed and extended the fix of ENT_NOQUOTES in html_entity_decode that had introduced the bug (rev #185591) to other encodings. Additionaly, html_entity_decode() now doesn't decode &#34; if ENT_NOQUOTES is given. (Gustavo)
    • Fixed bug #52931 (strripos not overloaded with function overloading enabled). (Felipe)
    • Fixed bug #52772 (var_dump() doesn't check for the existence of get_class_name before calling it). (Kalle, Gustavo)
    • Fixed bug #52534 (var_export array with negative key). (Felipe)
    • Fixed bug #52327 (base64_decode() improper handling of leading padding in strict mode). (Ilia)
    • Fixed bug #52260 (dns_get_record fails with non-existing domain on Windows). (a_jelly_doughnut at phpbb dot com, Pierre)
    • Fixed bug #50953 (socket will not connect to IPv4 address when the host has both IPv4 and IPv6 addresses, on Windows). (Gustavo, Pierre)
    • Fixed bug #50524 (proc_open on Windows does not respect cwd as it does on other platforms). (Pierre)
    • Fixed bug #49687 (utf8_decode vulnerabilities and deficiencies in the number of reported malformed sequences). (CVE-2010-3870) (Gustavo)
    • Fixed bug #49407 (get_html_translation_table doesn't handle UTF-8). (Gustavo)
    • Fixed bug #48831 (php -i has different output to php --ini). (Richard, Pierre)
    • Fixed bug #47643 (array_diff() takes over 3000 times longer than php 5.2.4). (Felipe)
    • Fixed bug #47168 (printf of floating point variable prints maximum of 40 decimal places). (Ilia)
    • Fixed bug #46587 (mt_rand() does not check that max is greater than min). (Ilia)
    • Fixed bug #29085 (bad default include_path on Windows). (Pierre)
    • Fixed bug #25927 (get_html_translation_table calls the ' &#39; instead of &#039;). (Gustavo)
  • Zend engine:
    • Reverted fix for bug #51176 (Static calling in non-static method behaves like $this->). (Felipe)
    • Changed deprecated ini options on startup from E_WARNING to E_DEPRECATED. (Kalle)
    • Fixed NULL dereference in lex_scan on zend multibyte builds where the script had a flex incompatible encoding and there was no converter. (Gustavo)
    • Fixed covariance of return-by-ref constraints. (Etienne)
    • Fixed bug #53305 (E_NOTICE when defining a constant starts with __COMPILER_HALT_OFFSET__). (Felipe)
    • Fixed bug #52939 (zend_call_function does not respect ZEND_SEND_PREFER_REF). (Dmitry)
    • Fixed bug #52879 (Objects unreferenced in __get, __set, __isset or __unset can be freed too early). (mail_ben_schmidt at yahoo dot com dot au, Dmitry)
    • Fixed bug #52786 (PHP should reset section to [PHP] after ini sections). (Fedora at famillecollet dot com)
    • Fixed bug #52508 (newline problem with parse_ini_file+INI_SCANNER_RAW). (Felipe)
    • Fixed bug #52484 (__set() ignores setting properties with empty names). (Felipe)
    • Fixed bug #52361 (Throwing an exception in a destructor causes invalid catching). (Dmitry)
    • Fixed bug #51008 (Zend/tests/bug45877.phpt fails). (Dmitry)
  • Build issues:
    • Fixed bug #52436 (Compile error if systems do not have stdint.h) (Sriram Natarajan)
    • Fixed bug #50345 (nanosleep not detected properly on some solaris versions). (Ulf, Tony)
    • Fixed bug #49215 (make fails on glob_wrapper). (Felipe)
  • Calendar extension:
    • Fixed bug #52744 (cal_days_in_month incorrect for December 1 BCE). (gpap at internet dot gr, Adam)
  • cURL extension:
    • Fixed bug #52828 (curl_setopt does not accept persistent streams). (Gustavo, Ilia)
    • Fixed bug #52827 (cURL leaks handle and causes assertion error (CURLOPT_STDERR)). (Gustavo)
    • Fixed bug #52202 (CURLOPT_PRIVATE gets corrupted). (Ilia)
    • Fixed bug #50410 (curl extension slows down PHP on Windows). (Pierre)
  • DateTime extension:
    • Fixed bug #53297 (gettimeofday implementation in php/win32/time.c can return 1 million microsecs). (ped at 7gods dot org)
    • Fixed bug #52668 (Iterating over a dateperiod twice is broken). (Derick)
    • Fixed bug #52454 (Relative dates and getTimestamp increments by one day). (Derick)
    • Fixed bug #52430 (date_parse parse 24:xx:xx as valid time). (Derick)
    • Added support for the ( and ) delimiters/separators to DateTime::createFromFormat(). (Derick)
  • DBA extension:
    • Added Berkeley DB 5.1 support to the DBA extension. (Oracle Corp.)
  • DOM extension:
    • Fixed bug #52656 (DOMCdataSection does not work with splitText). (Ilia)
  • Filter extension:
    • Fixed the filter extension accepting IPv4 octets with a leading 0 as that belongs to the unsupported "dotted octal" representation. (Gustavo)
    • Fixed bug #53236 (problems in the validation of IPv6 addresses with leading and trailing :: in the filter extension). (Gustavo)
    • Fixed bug #50117 (problems in the validation of IPv6 addresses with IPv4 addresses and ::). (Gustavo)
  • GD extension:
    • Fixed bug #53492 (fix crash if anti-aliasing steps are invalid). (Pierre)
  • GMP extension:
    • Fixed bug #52906 (gmp_mod returns negative result when non-negative is expected). (Stas)
    • Fixed bug #52849 (GNU MP invalid version match). (Adam)
  • Hash extension:
    • Fixed bug #51003 (unaligned memory access in ext/hash/hash_tiger.c). (Mike, Ilia)
  • Iconv extension:
    • Fixed bug #52941 (The 'iconv_mime_decode_headers' function is skipping headers). (Adam)
    • Fixed bug #52599 (iconv output handler outputs incorrect content type when flags are used). (Ilia)
    • Fixed bug #51250 (iconv_mime_decode() does not ignore malformed Q-encoded words). (Ilia)
  • Intl extension:
    • Fixed crashes on invalid parameters in intl extension. (CVE-2010-4409). (Stas, Maksymilian Arciemowicz)
    • Added support for formatting the timestamp stored in a DateTime object. (Stas)
    • Fixed bug #50590 (IntlDateFormatter::parse result is limited to the integer range). (Stas)
  • Mbstring extension:
    • Fixed bug #53273 (mb_strcut() returns garbage with the excessive length parameter). (CVE-2010-4156) (Mateusz Kocielski, Pierre, Moriyoshi)
    • Fixed bug #52981 (Unicode casing table was out-of-date. Updated with UnicodeData-6.0.0d7.txt and included the source of the generator program with the distribution) (Gustavo).
    • Fixed bug #52681 (mb_send_mail() appends an extra MIME-Version header). (Adam)
  • MSSQL extension:
    • Fixed possible crash in mssql_fetch_batch(). (Kalle)
    • Fixed bug #52843 (Segfault when optional parameters are not passed in to mssql_connect). (Felipe)
  • MySQL extension:
    • Fixed bug #52636 (php_mysql_fetch_hash writes long value into int). (Kalle, rein at basefarm dot no)
  • MySQLi extension:
    • Fixed bug #52891 (Wrong data inserted with mysqli/mysqlnd when using mysqli_stmt_bind_param and value> PHP_INT_MAX). (Andrey)
    • Fixed bug #52686 (mysql_stmt_attr_[gs]et argument points to incorrect type). (rein at basefarm dot no)
    • Fixed bug #52654 (mysqli doesn't install headers with structures it uses). (Andrey)
    • Fixed bug #52433 (Call to undefined method mysqli::poll() - must be static). (Andrey)
    • Fixed bug #52417 (MySQLi build failure with mysqlnd on MacOS X). (Andrey)
    • Fixed bug #52413 (MySQLi/libmysql build failure on OS X, FreeBSD). (Andrey)
    • Fixed bug #52390 (mysqli_report() should be per-request setting). (Kalle)
    • Fixed bug #52302 (mysqli_fetch_all does not work with MYSQLI_USE_RESULT). (Andrey)
    • Fixed bug #52221 (Misbehaviour of magic_quotes_runtime (get/set)). (Andrey)
    • Fixed bug #45921 (Can't initialize character set hebrew). (Andrey)
  • MySQLnd:
    • Fixed bug #52613 (crash in mysqlnd after hitting memory limit). (Andrey)
  • ODBC extension:
    • Fixed bug #52512 (Broken error handling in odbc_execute). (mkoegler at auto dot tuwien dot ac dot at)
  • Openssl extension:
    • Fixed possible blocking behavior in openssl_random_pseudo_bytes on Windows. (Pierre)
    • Fixed bug #53136 (Invalid read on openssl_csr_new()). (Felipe)
    • Fixed bug #52947 (segfault when ssl stream option capture_peer_cert_chain used). (Felipe)
  • Oracle Database extension (OCI8):
    • Fixed bug #53284 (Valgrind warnings in oci_set_* functions) (Oracle Corp.)
    • Fixed bug #51610 (Using oci_connect causes PHP to take a long time to exit). Requires Oracle 11.2.0.2 client libraries (or Oracle bug fix 9891199) for this patch to have an effect. (Oracle Corp.)
  • PCNTL extension:
    • Fixed bug #52784 (Race condition when handling many concurrent signals). (nick dot telford at gmail dot com, Arnaud)
  • PCRE extension:
    • Fixed bug #52971 (PCRE-Meta-Characters not working with utf-8). (Felipe)
    • Fixed bug #52732 (Docs say preg_match() returns FALSE on error, but it returns int(0)). (slugonamission at gmail dot com)
  • PHAR extension:
    • Fixed bug #50987 (unaligned memory access in phar.c). (geissert at debian dot org, Ilia)
  • PHP-FPM SAPI:
    • Fixed bug #53412 (segfault when using -y). (fat)
    • Fixed inconsistent backlog default value (-1) in FPM on many systems. (fat)
    • Fixed bug #52501 (libevent made FPM crashed when forking - libevent has been removed). (fat)
    • Fixed bug #52725 (gcc builtin atomic functions were sometimes used when they were not available). (fat)
    • Fixed bug #52693 (configuration file errors are not logged to stderr). (fat)
    • Fixed bug #52674 (FPM Status page returns inconsistent Content-Type headers). (fat)
    • Fixed bug #52498 (libevent was not only linked to php-fpm). (fat)
  • PDO:
    • Fixed bug #52699 (PDO bindValue writes long int 32bit enum). (rein at basefarm dot no)
    • Fixed bug #52487 (PDO::FETCH_INTO leaks memory). (Felipe)
  • PDO DBLib driver:
    • Fixed bug #52546 (pdo_dblib segmentation fault when iterating MONEY values). (Felipe)
  • PDO Firebird driver:
    • Restored firebird support (VC9 builds only). (Pierre)
    • Fixed bug #53335 (pdo_firebird did not implement rowCount()). (preeves at ibphoenix dot com)
    • Fixed bug #53323 (pdo_firebird getAttribute() crash). (preeves at ibphoenix dot com)
  • PDO MySQL driver:
    • Fixed bug #52745 (Binding params doesn't work when selecting a date inside a CASE-WHEN). (Andrey)
  • PostgreSQL extension:
    • Fixed bug #47199 (pg_delete() fails on NULL). (ewgraf at gmail dot com)
  • Reflection extension:
    • Fixed ReflectionProperty::isDefault() giving a wrong result for properties obtained with ReflectionClass::getProperties(). (Gustavo)
    • Fixed bug #53366 (Reflection doesnt get dynamic property value from getProperty()). (Felipe)
    • Fixed bug #52854 (ReflectionClass::newInstanceArgs does not work for classes without constructors). (Johannes)
  • SOAP extension:
    • Fixed bug #44248 (RFC2616 transgression while HTTPS request through proxy with SoapClient object). (Dmitry)
  • SPL extension:
    • Fixed bug #53362 (Segmentation fault when extending SplFixedArray). (Felipe)
    • Fixed bug #53279 (SplFileObject doesn't initialise default CSV escape character). (Adam)
    • Fixed bug #53144 (Segfault in SplObjectStorage::removeAll()). (Felipe)
    • Fixed bug #53071 (SPLObjectStorage defeats gc_collect_cycles). (Gustavo)
    • Fixed bug #52573 (SplFileObject::fscanf Segmentation fault). (Felipe)
    • Fixed bug #51763 (SplFileInfo::getType() does not work symbolic link and directory). (Pierre)
    • Fixed bug #50481 (Storing many SPLFixedArray in an array crashes). (Felipe)
    • Fixed bug #50579 (RegexIterator::REPLACE doesn't work). (Felipe)
  • SQLite3 extension:
    • Fixed bug #53463 (sqlite3 columnName() segfaults on bad column_number). (Felipe)
  • Streams:
    • Fixed forward stream seeking emulation in streams that don't support seeking in situations where the read operation gives back less data than requested and when there was data in the buffer before the emulation started. Also made more consistent its behavior -- should return failure every time less data than was requested was skipped. (Gustavo)
    • Fixed bug #53241 (stream casting that relies on fdopen/fopencookie fails with streams opened with, inter alia, the 'xb' mode). (Gustavo)
    • Fixed bug #53006 (stream_get_contents has an unpredictable behavior when the underlying stream does not support seeking). (Gustavo)
    • Fixed bug #52944 (Invalid write on second and subsequent reads with an inflate filter fed invalid data). (Gustavo)
    • Fixed bug #52820 (writes to fopencookie FILE* not commited when seeking the stream). (Gustavo)
  • WDDX extension:
    • Fixed bug #52468 (wddx_deserialize corrupts integer field value when left empty). (Felipe)
  • Zlib extension:
    • Fixed bug #52926 (zlib fopen wrapper does not use context). (Gustavo)

Version 5.2.15

  • Fixed extract() to do not overwrite $GLOBALS and $this when using EXTR_OVERWRITE. (jorto at redhat dot com)
  • Fixed crash in zip extract method (possible CWE-170). (Maksymilian Arciemowicz, Pierre)
  • Fixed a possible double free in imap extension (Identified by Mateusz Kocielski). (CVE-2010-4150). (Ilia)
  • Fixed possible flaw in open_basedir (CVE-2010-3436). (Pierre)
  • Fixed possible crash in mssql_fetch_batch(). (Kalle)
  • Fixed NULL pointer dereference in ZipArchive::getArchiveComment. (CVE-2010-3709). (Maksymilian Arciemowicz)
  • Fixed bug #53492 (fix crash if anti-aliasing steps are invalid). (Pierre)
  • Fixed bug #53323 (pdo_firebird getAttribute() crash). (preeves at ibphoenix dot com)
  • Fixed bug #52929 (Segfault in filter_var with FILTER_VALIDATE_EMAIL with large amount of data). (CVE-2010-3709). (Adam)
  • Fixed bug #52879 (Objects unreferenced in __get, __set, __isset or __unset can be freed too early). (mail_ben_schmidt at yahoo dot com dot au, Dmitry)
  • Fixed bug #52772 (var_dump() doesn't check for the existence of get_class_name before calling it). (Kalle, Gustavo)
  • Fixed bug #52546 (pdo_dblib segmentation fault when iterating MONEY values). (Felipe, Adam)
  • Fixed bug #52436 (Compile error if systems do not have stdint.h) (Sriram Natarajan)
  • Fixed bug #52390 (mysqli_report() should be per-request setting). (Kalle)
  • Fixed bug #51008 (Zend/tests/bug45877.phpt fails). (Dmitry)
  • Fixed bug #47643 (array_diff() takes over 3000 times longer than php 5.2.4). (Felipe)
  • Fixed bug #44248 (RFC2616 transgression while HTTPS request through proxy with SoapClient object). (Dmitry)

Version 5.3.3

  • Upgraded bundled sqlite to version 3.6.23.1. (Ilia)
  • Upgraded bundled PCRE to version 8.02. (Ilia)
  • Added support for JSON_NUMERIC_CHECK option in json_encode() that converts numeric strings to integers. (Ilia)
  • Added stream_set_read_buffer, allows to set the buffer for read operation. (Pierre)
  • Added stream filter support to mcrypt extension (ported from mcrypt_filter). (Stas)
  • Added full_special_chars filter to ext/filter. (Rasmus)
  • Added backlog socket context option for stream_socket_server(). (Mike)
  • Added fifth parameter to openssl_encrypt()/openssl_decrypt() (string $iv) to use non-NULL IV. Made implicit use of NULL IV a warning. (Sara)
  • Added openssl_cipher_iv_length(). (Sara)
  • Added FastCGI Process Manager (FPM) SAPI. (Tony)
  • Added recent Windows versions to php_uname and fix undefined windows version support. (Pierre)
  • Added Berkeley DB 5 support to the DBA extension. (Johannes, Chris Jones)
  • Added support for copy to/from array/file for pdo_pgsql extension. (Denis Gasparin, Ilia)
  • Added inTransaction() method to PDO, with specialized support for Postgres. (Ilia, Denis Gasparin)
  • Changed namespaced classes so that the ctor can only be named __construct now. (Stas)
  • Reset error state in PDO::beginTransaction() reset error state. (Ilia)
  • Implemented FR #51295 (SQLite3::busyTimeout not existing). (Mark)
  • Implemented FR #35638 (Adding udate to imap_fetch_overview results). (Charles_Duffy at dell dot com )
  • Rewrote var_export() to use smart_str rather than output buffering, prevents data disclosure if a fatal error occurs (CVE-2010-2531). (Scott)
  • Fixed possible buffer overflows in mysqlnd_list_fields, mysqlnd_change_user. (Andrey)
  • Fixed possible buffer overflows when handling error packets in mysqlnd. Reported by Stefan Esser. (Andrey)
  • Fixed very rare memory leak in mysqlnd, when binding thousands of columns. (Andrey)
  • Fixed a crash when calling an inexistent method of a class that inherits PDOStatement if instantiated directly instead of doing by the PDO methods. (Felipe)
  • Fixed memory leak on error in mcrypt_create_iv on Windows. (Pierre)
  • Fixed a possible crash because of recursive GC invocation. (Dmitry)
  • Fixed a possible resource destruction issues in shm_put_var(). Reported by Stefan Esser. (Dmitry)
  • Fixed a possible information leak because of interruption of XOR operator. Reported by Stefan Esser. (Dmitry)
  • Fixed a possible memory corruption because of unexpected call-time pass by refernce and following memory clobbering through callbacks. Reported by Stefan Esser. (Dmitry)
  • Fixed a possible memory corruption in ArrayObject::uasort(). Reported by Stefan Esser. (Dmitry)
  • Fixed a possible memory corruption in parse_str(). Reported by Stefan Esser. (Dmitry)
  • Fixed a possible memory corruption in pack(). Reported by Stefan Esser. (Dmitry)
  • Fixed a possible memory corruption in substr_replace(). Reported by Stefan Esser. (Dmitry)
  • Fixed a possible memory corruption in addcslashes(). Reported by Stefan Esser. (Dmitry)
  • Fixed a possible stack exhaustion inside fnmatch(). Reported by Stefan Esser. (Ilia)
  • Fixed a possible dechunking filter buffer overflow. Reported by Stefan Esser. (Pierre)
  • Fixed a possible arbitrary memory access inside sqlite extension. Reported by Mateusz Kocielski. (Ilia)
  • Fixed string format validation inside phar extension. Reported by Stefan Esser. (Ilia)
  • Fixed handling of session variable serialization on certain prefix characters. Reported by Stefan Esser. (Ilia)
  • Fixed a NULL pointer dereference when processing invalid XML-RPC requests (Fixes CVE-2010-0397, bug #51288). (Raphael Geissert)
  • Fixed 64-bit integer overflow in mhash_keygen_s2k(). (Clément LECIGNE, Stas)
  • Fixed SplObjectStorage unserialization problems (CVE-2010-2225). (Stas)
  • Fixed the mail.log ini setting when no filename was given. (Johannes)
  • Fixed bug #52317 (Segmentation fault when using mail() on a rhel 4.x (only 64 bit)). (Adam)
  • Fixed bug #52262 (json_decode() shows no errors on invalid UTF-8). (Scott)
  • Fixed bug #52240 (hash_copy() does not copy the HMAC key, causes wrong results and PHP crashes). (Felipe)
  • Fixed bug #52238 (Crash when an Exception occured in iterator_to_array). (Johannes)
  • Fixed bug #52193 (converting closure to array yields empty array). (Felipe)
  • Fixed bug #52183 (Reflectionfunction reports invalid number of arguments for function aliases). (Felipe)
  • Fixed bug #52162 (custom request header variables with numbers are removed). (Sriram Natarajan)
  • Fixed bug #52160 (Invalid E_STRICT redefined constructor error). (Felipe)
  • Fixed bug #52138 (Constants are parsed into the ini file for section names). (Felipe)
  • Fixed bug #52115 (mysqli_result::fetch_all returns null, not an empty array). (Andrey)
  • Fixed bug #52101 (dns_get_record() garbage in 'ipv6' field on Windows). (Pierre)
  • Fixed bug #52082 (character_set_client & character_set_connection reset after mysqli_change_user()). (Andrey)
  • Fixed bug #52043 (GD doesn't recognize latest libJPEG versions). (php at group dot apple dot com, Pierre)
  • Fixed bug #52041 (Memory leak when writing on uninitialized variable returned from function). (Dmitry)
  • Fixed bug #52060 (Memory leak when passing a closure to method_exists()). (Felipe)
  • Fixed bug #52057 (ReflectionClass fails on Closure class). (Felipe)
  • Fixed bug #52051 (handling of case sensitivity of old-style constructors changed in 5.3+). (Felipe)
  • Fixed bug #52037 (Concurrent builds fail in install-programs). (seanius at debian dot org, Kalle)
  • Fixed bug #52019 (make lcov doesn't support TESTS variable anymore). (Patrick)
  • Fixed bug #52010 (open_basedir restrictions mismatch on vacuum command). (Ilia)
  • Fixed bug #52001 (Memory allocation problems after using variable variables). (Dmitry)
  • Fixed bug #51991 (spl_autoload and *nix support with namespace). (Felipe)
  • Fixed bug #51943 (AIX: Several files are out of ANSI spec). (Kalle, coreystup at gmail dot com)
  • Fixed bug #51911 (ReflectionParameter::getDefaultValue() memory leaks with constant array). (Felipe)
  • Fixed bug #51905 (ReflectionParameter fails if default value is an array with an access to self::). (Felipe)
  • Fixed bug #51899 (Parse error in parse_ini_file() function when empy value followed by no newline). (Felipe)
  • Fixed bug #51844 (checkdnsrr does not support types other than MX). (Pierre)
  • Fixed bug #51827 (Bad warning when register_shutdown_function called with wrong num of parameters). (Felipe)
  • Fixed bug #51822 (Segfault with strange __destruct() for static class variables). (Dmitry)
  • Fixed bug #51791 (constant() aborts execution when fail to check undefined constant). (Felipe)
  • Fixed bug #51732 (Fileinfo __construct or open does not work with NULL). (Pierre)
  • Fixed bug #51725 (xmlrpc_get_type() returns true on invalid dates). (Mike)
  • Fixed bug #51723 (Content-length header is limited to 32bit integer with Apache2 on Windows). (Pierre)
  • Fixed bug #51721 (mark DOMNodeList and DOMNamedNodeMap as Traversable). (David Zuelke)
  • Fixed bug #51712 (Test mysql_mysqlnd_read_timeout_long must fail on MySQL4). (Andrey)
  • Fixed bug #51697 (Unsafe operations in free_storage of SPL iterators, causes crash during shutdown). (Etienne)
  • Fixed bug #51690 (Phar::setStub looks for case-sensitive __HALT_COMPILER()). (Ilia)
  • Fixed bug #51688 (ini per dir crashes when invalid document root are given). (Pierre)
  • Fixed bug #51671 (imagefill does not work correctly for small images). (Pierre)
  • Fixed bug #51670 (getColumnMeta causes segfault when re-executing query after calling nextRowset). (Pierrick)
  • Fixed bug #51647 Certificate file without private key (pk in another file) doesn't work. (Andrey)
  • Fixed bug #51629 (CURLOPT_FOLLOWLOCATION error message is misleading). (Pierre)
  • Fixed bug #51627 (script path not correctly evaluated). (russell dot tempero at rightnow dot com)
  • Fixed bug #51624 (Crash when calling mysqli_options()). (Felipe)
  • Fixed bug #51615 (PHP crash with wrong HTML in SimpleXML). (Felipe)
  • Fixed bug #51609 (pg_copy_to: Invalid results when using fourth parameter). (Felipe)
  • Fixed bug #51608 (pg_copy_to: WARNING: nonstandard use of \\ in a string literal). (cbandy at jbandy dot com)
  • Fixed bug #51607 (pg_copy_from does not allow schema in the tablename argument). (cbandy at jbandy dot com)
  • Fixed bug #51605 (Mysqli - zombie links). (Andrey)
  • Fixed bug #51604 (newline in end of header is shown in start of message). (Daniel Egeberg)
  • Fixed bug #51590 (JSON_ERROR_UTF8 is undefined). (Felipe)
  • Fixed bug #51583 (Bus error due to wrong alignment in mysqlnd). (Rainer Jung)
  • Fixed bug #51582 (Don't assume UINT64_C it's ever available). (reidrac at usebox dot net, Pierre)
  • Fixed bug #51577 (Uninitialized memory reference with oci_bind_array_by_name) (Oracle Corp.)
  • Fixed bug #51562 (query timeout in mssql can not be changed per query). (ejsmont dot artur at gmail dot com)
  • Fixed bug #51552 (debug_backtrace() causes segmentation fault and/or memory issues). (Dmitry)
  • Fixed bug #51445 (var_dump() invalid/slow *RECURSION* detection). (Felipe)
  • Fixed bug #51435 (Missing ifdefs / logic bug in crypt code cause compile errors). (Felipe)
  • Fixed bug #51424 (crypt() function hangs after 3rd call). (Pierre, Sriram)
  • Fixed bug #51394 (Error line reported incorrectly if error handler throws an exception). (Stas)
  • Fixed bug #51393 (DateTime::createFromFormat() fails if format string contains timezone). (Adam)
  • Fixed bug #51347 (mysqli_close / connection memory leak). (Andrey, Johannes)
  • Fixed bug #51338 (URL-Rewriter is still enabled if use_only_cookies is on). (Ilia, j dot jeising at gmail dot com)
  • Fixed bug #51291 (oci_error doesn't report last error when called two times) (Oracle Corp.)
  • Fixed bug #51276 (php_load_extension() is missing when HAVE_LIBDL is undefined). (Tony)
  • Fixed bug #51273 (Faultstring property does not exist when the faultstring is empty) (Ilia, dennis at transip dot nl)
  • Fixed bug #51269 (zlib.output_compression Overwrites Vary Header). (Adam)
  • Fixed bug #51257 (CURL_VERSION_LARGEFILE incorrectly used after libcurl version 7.10.1). (aron dot ujvari at microsec dot hu)
  • Fixed bug #51242 (Empty mysql.default_port does not default to 3306 anymore, but 0). (Adam)
  • Fixed bug #51237 (milter SAPI crash on startup). (igmar at palsenberg dot com)
  • Fixed bug #51213 (pdo_mssql is trimming value of the money column). (Ilia, alexr at oplot dot com)
  • Fixed bug #51190 (ftp_put() returns false when transfer was successful). (Ilia)
  • Fixed bug #51183 (ext/date/php_date.c fails to compile with Sun Studio). (Sriram Natarajan)
  • Fixed bug #51176 (Static calling in non-static method behaves like $this->). (Felipe)
  • Fixed bug #51171 (curl_setopt() doesn't output any errors or warnings when an invalid option is provided). (Ilia)
  • Fixed bug #51128 (imagefill() doesn't work with large images). (Pierre)
  • Fixed bug #51096 ('last day' and 'first day' are handled incorrectly when parsing date strings). (Derick)
  • Fixed bug #51086 (DBA DB4 doesn't work with Berkeley DB 4.8). (Chris Jones)
  • Fixed bug #51062 (DBA DB4 uses mismatched headers and libraries). (Chris Jones)
  • Fixed bug #51026 (mysqli_ssl_set not working). (Andrey)
  • Fixed bug #51023 (filter doesn't detect int overflows with GCC 4.4). (Raphael Geissert)
  • Fixed bug #50999 (unaligned memory access in dba_fetch()). (Felipe)
  • Fixed bug #50976 (Soap headers Authorization not allowed). (Brain France, Dmitry)
  • Fixed bug #50828 (DOMNotation is not subclass of DOMNode). (Rob)
  • Fixed bug #50810 (property_exists does not work for private). (Felipe)
  • Fixed bug #50762 (in WSDL mode Soap Header handler function only being called if defined in WSDL). (mephius at gmail dot com)
  • Fixed bug #50731 (Inconsistent namespaces sent to functions registered with spl_autoload_register). (Felipe)
  • Fixed bug #50563 (removing E_WARNING from parse_url). (ralph at smashlabs dot com, Pierre)
  • Fixed bug #50578 (incorrect shebang in phar.phar). (Fedora at FamilleCollet dot com)
  • Fixed bug #50392 (date_create_from_format enforces 6 digits for 'u' format character). (Derick)
  • Fixed bug #50383 (Exceptions thrown in __call / __callStatic do not include file and line in trace). (Felipe)
  • Fixed bug #50358 (Compile failure compiling ext/phar/util.lo). (Felipe)
  • Fixed bug #50101 (name clash between global and local variable). (patch by yoarvi at gmail dot com)
  • Fixed bug #50055 (DateTime::sub() allows 'relative' time modifications). (Derick)
  • Fixed bug #51002 (fix possible memory corruption with very long names). (Pierre)
  • Fixed bug #49893 (Crash while creating an instance of Zend_Mail_Storage_Pop3). (Dmitry)
  • Fixed bug #49819 (STDOUT losing data with posix_isatty()). (Mike)
  • Fixed bug #49778 (DateInterval::format("%a") is always zero when an interval is created from an ISO string). (Derick)
  • Fixed bug #49700 (memory leaks in php_date.c if garbage collector is enabled). (Dmitry)
  • Fixed bug #49576 (FILTER_VALIDATE_EMAIL filter needs updating) (Rasmus)
  • Fixed bug #49490 (XPath namespace prefix conflict). (Rob)
  • Fixed bug #49429 (odbc_autocommit doesn't work). (Felipe)
  • Fixed bug #49320 (PDO returns null when SQLite connection fails). (Felipe)
  • Fixed bug #49234 (mysqli_ssl_set not found). (Andrey)
  • Fixed bug #49216 (Reflection doesn't seem to work properly on MySqli). (Andrey)
  • Fixed bug #49192 (PHP crashes when GC invoked on COM object). (Stas)
  • Fixed bug #49081 (DateTime::diff() mistake if start in January and interval > 28 days). (Derick)
  • Fixed bug #49059 (DateTime::diff() repeats previous sub() operation). (yoarvi@gmail.com, Derick)
  • Fixed bug #48983 (DomDocument : saveHTMLFile wrong charset). (Rob)
  • Fixed bug #48930 (__COMPILER_HALT_OFFSET__ incorrect in PHP >= 5.3). (Felipe)
  • Fixed bug #48902 (Timezone database fallback map is outdated). (Derick)
  • Fixed bug #48781 (Cyclical garbage collector memory leak). (Dmitry)
  • Fixed bug #48601 (xpath() returns FALSE for legitimate query). (Rob)
  • Fixed bug #48361 (SplFileInfo::getPathInfo should return the parent dir). (Etienne)
  • Fixed bug #48289 (iconv_mime_encode() quoted-printable scheme is broken). (Adam, patch from hiroaki dot kawai at gmail dot com).
  • Fixed bug #47842 (sscanf() does not support 64-bit values). (Mike)
  • Fixed bug #46111 (Some timezone identifiers can not be parsed). (Derick)
  • Fixed bug #45808 (stream_socket_enable_crypto() blocks and eats CPU). (vincent at optilian dot com)
  • Fixed bug #43233 (sasl support for ldap on Windows). (Pierre)
  • Fixed bug #35673 (formatOutput does not work with saveHTML). (Rob)
  • Fixed bug #33210 (getimagesize() fails to detect width/height on certain JPEGs). (Ilia)

Version 5.2.14

  • Reverted bug fix #49521 (PDO fetchObject sets values before calling constructor). (Felipe)
  • Updated timezone database to version 2010.5. (Derick)
  • Upgraded bundled PCRE to version 8.02. (Ilia)
  • Rewrote var_export() to use smart_str rather than output buffering, revents data disclosure if a fatal error occurs (CVE-2010-2531). (Scott)
  • Fixed a possible interruption array leak in strrchr(). Reported by Péter Veres. (CVE-2010-2484) (Felipe)
  • Fixed a possible interruption array leak in strchr(), strstr(), substr(), chunk_split(), strtok(), addcslashes(), str_repeat(), trim(). (Felipe)
  • Fixed a possible memory corruption in substr_replace() (Dmitry)
  • Fixed SplObjectStorage unserialization problems (CVE-2010-2225). (Stas)
  • Fixed a possible stack exaustion inside fnmatch(). Reporeted by Stefan Esser (Ilia)
  • Reset error state in PDO::beginTransaction() reset error state. (Ilia)
  • Fixed a NULL pointer dereference when processing invalid XML-RPC requests (Fixes CVE-2010-0397, bug #51288). (Raphael Geissert)
  • Fixed handling of session variable serialization on certain prefix characters. Reported by Stefan Esser (Ilia)
  • Fixed a possible arbitrary memory access inside sqlite extension. Reported by Mateusz Kocielski. (Ilia)
  • Fixed a crash when calling an inexistent method of a class that inherits PDOStatement if instantiated directly instead of doing by the PDO methods. (Felipe)
  • Fixed bug #52317 (Segmentation fault when using mail() on a rhel 4.x (only 64 bit)). (Adam)
  • Fixed bug #52238 (Crash when an Exception occured in iterator_to_array). (Johannes)
  • Fixed bug #52237 (Crash when passing the reference of the property of a non-object). (Dmitry)
  • Fixed bug #52163 (SplFileObject::fgetss() fails due to parameter that can't be set). (Felipe)
  • Fixed bug #52162 (custom request header variables with numbers are removed). (Sriram Natarajan)
  • Fixed bug #52160 (Invalid E_STRICT redefined constructor error). (Felipe)
  • Fixed bug #52061 (memory_limit above 2G). (Felipe)
  • Fixed bug #52041 (Memory leak when writing on uninitialized variable returned from function). (Dmitry)
  • Fixed bug #52037 (Concurrent builds fail in install-programs). (seanius at debian dot org, Kalle)
  • Fixed bug #52019 (make lcov doesn't support TESTS variable anymore). (Patrick)
  • Fixed bug #52010 (open_basedir restrictions mismatch on vacuum command). (Ilia, Felipe)
  • Fixed bug #51943 (AIX: Several files are out of ANSI spec). (Kalle, coreystup at gmail dot com)
  • Fixed bug #51911 (ReflectionParameter::getDefaultValue() memory leaks with constant array). (Felipe)
  • Fixed bug #51905 (ReflectionParameter fails if default value is an array with an access to self::). (Felipe)
  • Fixed bug #51822 (Segfault with strange __destruct() for static class variables). (Dmitry)
  • Fixed bug #51671 (imagefill does not work correctly for small images). (Pierre)
  • Fixed bug #51670 (getColumnMeta causes segfault when re-executing query after calling nextRowset). (Pierrick)
  • Fixed bug #51629 (CURLOPT_FOLLOWLOCATION error message is misleading). (Pierre)
  • Fixed bug #51617 (PDO PGSQL still broken against PostGreSQL <7.4). (Felipe, wdierkes at 5dollarwhitebox dot org)
  • Fixed bug #51615 (PHP crash with wrong HTML in SimpleXML). (Felipe)
  • Fixed bug #51609 (pg_copy_to: Invalid results when using fourth parameter). (Felipe)
  • Fixed bug #51608 (pg_copy_to: WARNING: nonstandard use of \\ in a string literal). (cbandy at jbandy dot com)
  • Fixed bug #51607 (pg_copy_from does not allow schema in the tablename argument). (cbandy at jbandy dot com)
  • Fixed bug #51604 (newline in end of header is shown in start of message). (Daniel Egeberg)
  • Fixed bug #51562 (query timeout in mssql can not be changed per query). (ejsmont dot artur at gmail dot com)
  • Fixed bug #51552 (debug_backtrace() causes segmentation fault and/or memory issues). (Dmitry)
  • Fixed bug #51532 (Wrong prototype for SplFileObject::fscanf()). (Etienne)
  • Fixed bug #51445 (var_dump() invalid/slow *RECURSION* detection). (Felipe)
  • Fixed bug #51393 (DateTime::createFromFormat() fails if format string contains timezone). (Adam)
  • Fixed bug #51374 (Wrongly initialized object properties). (Etienne)
  • Fixed bug #51338 (URL-Rewriter is still enabled if use_only_cookies is on). (Ilia, j dot jeising at gmail dot com)
  • Fixed bug #51273 (Faultstring property does not exist when the faultstring is empty) (Ilia, dennis at transip dot nl)
  • Fixed bug #51269 (zlib.output_compression Overwrites Vary Header). (Adam)
  • Fixed bug #51263 (imagettftext and rotated text uses wrong baseline) (cschneid at cschneid dot com, Takeshi Abe)
  • Fixed bug #51237 (milter SAPI crash on startup). (igmar at palsenberg dot com)
  • Fixed bug #51213 (pdo_mssql is trimming value of the money column). (Ilia, alexr at oplot dot com)
  • Fixed bug #51192 (FILTER_VALIDATE_URL will invalidate a hostname that includes '-'). (Adam, solar at azrael dot ws).
  • Fixed bug #51190 (ftp_put() returns false when transfer was successful). (Ilia)
  • Fixed bug #51183 (ext/date/php_date.c fails to compile with Sun Studio). (Sriram Natarajan)
  • Fixed bug #51171 (curl_setopt() doesn't output any errors or warnings when an invalid option is provided). (Ilia)
  • Fixed bug #51128 (imagefill() doesn't work with large images). (Pierre)
  • Fixed bug #51086 (DBA DB4 doesn't work with Berkeley DB 4.8). (Chris Jones)
  • Fixed bug #51062 (DBA DB4 uses mismatched headers and libraries). (Chris Jones)
  • Fixed bug #51023 (filter doesn't detect int overflows with GCC 4.4). (Raphael Geissert)
  • Fixed bug #50762 (in WSDL mode Soap Header handler function only being called if defined in WSDL). (mephius at gmail dot com)
  • Fixed bug #50698 (SoapClient should handle wsdls with some incompatiable endpoints). (Justin Dearing)
  • Fixed bug #50383 (Exceptions thrown in __call() / __callStatic() do not include file and line in trace). (Felipe)
  • Fixed bug #49730 (Firebird - new PDO() returns NULL). (Felipe)
  • Fixed bug #49723 (LimitIterator with empty SeekableIterator). (Etienne)
  • Fixed bug #49576 (FILTER_VALIDATE_EMAIL filter needs updating) (Rasmus)
  • Fixed bug #49320 (PDO returns null when SQLite connection fails). (Felipe)
  • Fixed bug #49267 (Linking fails for iconv). (Moriyosh)
  • Fixed bug #48601 (xpath() returns FALSE for legitimate query). (Rob)
  • Fixed bug #48289 (iconv_mime_encode() quoted-printable scheme is broken). (Adam, patch from hiroaki dot kawai at gmail dot com).
  • Fixed bug #43314 (iconv_mime_encode(), broken Q scheme). (Rasmus)
  • Fixed bug #33210 (getimagesize() fails to detect width/height on certain JPEGs). (Ilia)
  • Fixed bug #23229 (syslog() truncates messages). (Adam)

Version 5.3.2

  • Security Fixes
    • Improved LCG entropy. (Rasmus, Samy Kamkar)
    • Fixed safe_mode validation inside tempnam() when the directory path does not end with a /). (Martin Jansen)
    • Fixed a possible open_basedir/safe_mode bypass in the session extension identified by Grzegorz Stachowiak. (Ilia)
  • Upgraded bundled sqlite to version 3.6.22. (Ilia)
  • Upgraded bundled libmagic to version 5.03. (Mikko)
  • Upgraded bundled PCRE to version 8.00. (Scott)
  • Updated timezone database to version 2010.3. (Derick)
  • Improved LCG entropy. (Rasmus, Samy Kamkar)
  • Improved crypt support for edge cases (UFC compatibility). (Solar Designer, Joey, Pierre)
  • Changed gmp_strval() to use full range from 2 to 62, and -2 to -36. FR #50283 (David Soria Parra)
  • Changed "post_max_size" php.ini directive to allow unlimited post size by setting it to 0. (Rasmus)
  • Changed tidyNode class to disallow manual node creation. (Pierrick)
  • Removed automatic file descriptor unlocking happening on shutdown and/or stream close (on all OSes). (Tony, Ilia)
  • Added libpng 1.4.0 support. (Pierre)
  • Added support for DISABLE_AUTHENTICATOR for imap_open. (Pierre)
  • Added missing host validation for HTTP urls inside FILTER_VALIDATE_URL. (Ilia)
  • Added stream_resolve_include_path(). (Mikko)
  • Added INTERNALDATE support to imap_append. (nick at mailtrust dot com)
  • Added support for SHA-256 and SHA-512 to php's crypt. (Pierre)
  • Added realpath_cache_size() and realpath_cache_get() functions. (Stas)
  • Added FILTER_FLAG_STRIP_BACKTICK option to the filter extension. (Ilia)
  • Added protection for $_SESSION from interrupt corruption and improved "session.save_path" check. (Stas)
  • Added LIBXML_PARSEHUGE constant to override the maximum text size of a single text node when using libxml2.7.3+. (Kalle)
  • Added ReflectionMethod::setAccessible() for invoking non-public methods through the Reflection API. (Sebastian)
  • Added Collator::getSortKey for intl extension. (Stas)
  • Added support for CURLOPT_POSTREDIR. FR #49571. (Sriram Natarajan)
  • Added support for CURLOPT_CERTINFO. FR #49253. (Linus Nielsen Feltzing <linus@haxx.se>)
  • Added client-side server name indication support in openssl. (Arnaud)
  • Improved fix for bug #50006 (Segfault caused by uksort()). (Stas)
  • Fixed mysqlnd hang when queries exactly 16777214 bytes long are sent. (Andrey)
  • Fixed incorrect decoding of 5-byte BIT sequences in mysqlnd. (Andrey)
  • Fixed error_log() to be binary safe when using message_type 3. (Jani)
  • Fixed unnecessary invocation of setitimer when timeouts have been disabled. (Arvind Srinivasan)
  • Fixed memory leak in extension loading when an error occurs on Windows. (Pierre)
  • Fixed safe_mode validation inside tempnam() when the directory path does not end with a /). (Martin Jansen)
  • Fixed a possible open_basedir/safe_mode bypass in session extension identified by Grzegorz Stachowiak. (Ilia)
  • Fixed possible crash when a error/warning is raised during php startup. (Pierre)
  • Fixed possible bad behavior of rename on windows when used with symbolic links or invalid paths. (Pierre)
  • Fixed error output to stderr on Windows. (Pierre)
  • Fixed memory leaks in is_writable/readable/etc on Windows. (Pierre)
  • Fixed memory leaks in the ACL function on Windows. (Pierre)
  • Fixed memory leak in the realpath cache on Windows. (Pierre)
  • Fixed memory leak in zip_close. (Pierre)
  • Fixed crypt's blowfish sanity check of the "setting" string, to reject iteration counts encoded as 36 through 39. (Solar Designer, Joey, Pierre)
  • Fixed bug #51059 (crypt crashes when invalid salt are given). (Pierre)
  • Fixed bug #50952 (allow underscore _ in constants parsed in php.ini files). (Jani)
  • Fixed bug #50940 (Custom content-length set incorrectly in Apache SAPIs). (Brian France, Rasmus)
  • Fixed bug #50930 (Wrong date by php_date.c patch with ancient gcc/glibc versions). (Derick)
  • Fixed bug #50907 (X-PHP-Originating-Script adding two new lines in *NIX). (Ilia)
  • Fixed bug #50859 (build fails with openssl 1.0 due to md2 deprecation). (Ilia, hanno at hboeck dot de)
  • Fixed bug #50847 (strip_tags() removes all tags greater then 1023 bytes long). (Ilia)
  • Fixed bug #50829 (php.ini directive pdo_mysql.default_socket is ignored). (Ilia)
  • Fixed bug #50832 (HTTP fopen wrapper does not support passwordless HTTP authentication). (Jani)
  • Fixed bug #50787 (stream_set_write_buffer() has no effect on socket streams). (vnegrier at optilian dot com, Ilia)
  • Fixed bug #50761 (system.multiCall crashes in xmlrpc extension). (hiroaki dot kawai at gmail dot com, Ilia)
  • Fixed bug #50756 (CURLOPT_FTP_SKIP_PASV_IP does not exist). (Sriram)
  • Fixed bug #50732 (exec() adds single byte twice to $output array). (Ilia)
  • Fixed bug #50728 (All PDOExceptions hardcode 'code' property to 0). (Joey, Ilia)
  • Fixed bug #50723 (Bug in garbage collector causes crash). (Dmitry)
  • Fixed bug #50690 (putenv does not set ENV when the value is only one char). (Pierre)
  • Fixed bug #50680 (strtotime() does not support eighth ordinal number). (Ilia)
  • Fixed bug #50661 (DOMDocument::loadXML does not allow UTF-16). (Rob)
  • Fixed bug #50657 (copy() with an empty (zero-byte) HTTP source succeeds but returns false). (Ilia)
  • Fixed bug #50632 (filter_input() does not return default value if the variable does not exist). (Ilia)
  • Fixed bug #50576 (XML_OPTION_SKIP_TAGSTART option has no effect). (Pierrick)
  • Fixed bug #50558 (Broken object model when extending tidy). (Pierrick)
  • Fixed bug #50540 (Crash while running ldap_next_reference test cases). (Sriram)
  • Fixed bug #50519 (segfault in garbage collection when using set_error_handler and DomDocument). (Dmitry)
  • Fixed bug #50508 (compile failure: Conflicting HEADER type declarations). (Jani)
  • Fixed bug #50496 (Use of <stdbool.h> is valid only in a c99 compilation environment. (Sriram)
  • Fixed bug #50464 (declare encoding doesn't work within an included file). (Felipe)
  • Fixed bug #50458 (PDO::FETCH_FUNC fails with Closures). (Felipe, Pierrick)
  • Fixed bug #50445 (PDO-ODBC stored procedure call from Solaris 64-bit causes seg fault). (davbrown4 at yahoo dot com, Felipe)
  • Fixed bug #50416 (PROCEDURE db.myproc can't return a result set in the given context). (Andrey)
  • Fixed bug #50394 (Reference argument converted to value in __call). (Stas)
  • Fixed bug #50351 (performance regression handling objects, ten times slowerin 5.3 than in 5.2). (Dmitry)
  • Fixed bug #50392 (date_create_from_format() enforces 6 digits for 'u' format character). (Ilia)
  • Fixed bug #50345 (nanosleep not detected properly on some solaris versions). (Jani)
  • Fixed bug #50340 (php.ini parser does not allow spaces in ini keys). (Jani)
  • Fixed bug #50334 (crypt ignores sha512 prefix). (Pierre)
  • Fixed bug #50323 (Allow use of ; in values via ;; in PDO DSN). (Ilia, Pierrick)
  • Fixed bug #50285 (xmlrpc does not preserve keys in encoded indexed arrays). (Felipe)
  • Fixed bug #50282 (xmlrpc_encode_request() changes object into array in calling function). (Felipe)
  • Fixed bug #50267 (get_browser(null) does not use HTTP_USER_AGENT). (Jani)
  • Fixed bug #50266 (conflicting types for llabs). (Jani)
  • Fixed bug #50261 (Crash When Calling Parent Constructor with call_user_func()). (Dmitry)
  • Fixed bug #50255 (isset() and empty() silently casts array to object). (Felipe)
  • Fixed bug #50240 (pdo_mysql.default_socket in php.ini shouldn't used if it is empty). (foutrelis at gmail dot com, Ilia)
  • Fixed bug #50231 (Socket path passed using --with-mysql-sock is ignored when mysqlnd is enabled). (Jani)
  • Fixed bug #50219 (soap call Segmentation fault on a redirected url). (Pierrick)
  • Fixed bug #50212 (crash by ldap_get_option() with LDAP_OPT_NETWORK_TIMEOUT). (Ilia, shigeru_kitazaki at cybozu dot co dot jp)
  • Fixed bug #50209 (Compiling with libedit cannot find readline.h). (tcallawa at redhat dot com)
  • Fixed bug #50207 (segmentation fault when concatenating very large strings on 64bit linux). (Ilia)
  • Fixed bug #50196 (stream_copy_to_stream() produces warning when source is not file). (Stas)
  • Fixed bug #50195 (pg_copy_to() fails when table name contains schema. (Ilia)
  • Fixed bug #50185 (ldap_get_entries() return false instead of an empty array when there is no error). (Jani)
  • Fixed bug #50174 (Incorrectly matched docComment). (Felipe)
  • Fixed bug #50168 (FastCGI fails with wrong error on HEAD request to non-existant file). (Dmitry)
  • Fixed bug #50162 (Memory leak when fetching timestamp column from Oracle database). (Felipe)
  • Fixed bug #50159 (wrong working directory in symlinked files). (Dmitry)
  • Fixed bug #50158 (FILTER_VALIDATE_EMAIL fails with valid addresses containing = or ?). (Pierrick)
  • Fixed bug #50152 (ReflectionClass::hasProperty behaves like isset() not property_exists). (Felipe)
  • Fixed bug #50146 (property_exists: Closure object cannot have properties). (Felipe)
  • Fixed bug #50145 (crash while running bug35634.phpt). (Felipe)
  • Fixed bug #50140 (With default compilation option, php symbols are unresolved for nsapi). (Uwe Schindler)
  • Fixed bug #50087 (NSAPI performance improvements). (Uwe Schindler)
  • Fixed bug #50073 (parse_url() incorrect when ? in fragment). (Ilia)
  • Fixed bug #50023 (pdo_mysql doesn't use PHP_MYSQL_UNIX_SOCK_ADDR). (Ilia)
  • Fixed bug #50005 (Throwing through Reflection modified Exception object makes segmentation fault). (Felipe)
  • Fixed bug #49990 (SNMP3 warning message about security level printed twice). (Jani)
  • Fixed bug #49985 (pdo_pgsql prepare() re-use previous aborted transaction). (ben dot pineau at gmail dot com, Ilia, Matteo)
  • Fixed bug #49938 (Phar::isBuffering() returns inverted value). (Greg)
  • Fixed bug #49936 (crash with ftp stream in php_stream_context_get_option()). (Pierrick)
  • Fixed bug #49921 (Curl post upload functions changed). (Ilia)
  • Fixed bug #49866 (Making reference on string offsets crashes PHP). (Dmitry)
  • Fixed bug #49855 (import_request_variables() always returns NULL). (Ilia, sjoerd at php dot net)
  • Fixed bug #49851, #50451 (http wrapper breaks on 1024 char long headers). (Ilia)
  • Fixed bug #49800 (SimpleXML allow (un)serialize() calls without warning). (Ilia, wmeler at wp-sa dot pl)
  • Fixed bug #49719 (ReflectionClass::hasProperty returns true for a private property in base class). (Felipe)
  • Fixed bug #49677 (ini parser crashes with apache2 and using ${something} ini variables). (Jani)
  • Fixed bug #49660 (libxml 2.7.3+ limits text nodes to 10MB). (Felipe)
  • Fixed bug #49647 (DOMUserData does not exist). (Rob)
  • Fixed bug #49600 (imageTTFText text shifted right). (Takeshi Abe)
  • Fixed bug #49585 (date_format buffer not long enough for >4 digit years). (Derick, Adam)
  • Fixed bug #49560 (oci8: using LOBs causes slow PHP shutdown). (Oracle Corp.)
  • Fixed bug #49521 (PDO fetchObject sets values before calling constructor). (Pierrick)
  • Fixed bug #49472 (Constants defined in Interfaces can be overridden). (Felipe)
  • Fixed bug #49463 (setAttributeNS fails setting default namespace). (Rob)
  • Fixed bug #49244 (Floating point NaN cause garbage characters). (Sjoerd)
  • Fixed bug #49224 (Compile error due to old DNS functions on AIX systems). (Scott)
  • Fixed bug #49174 (crash when extending PDOStatement and trying to set queryString property). (Felipe)
  • Fixed bug #48811 (Directives in PATH section do not get applied to subdirectories). (Patch by: ct at swin dot edu dot au)
  • Fixed bug #48590 (SoapClient does not honor max_redirects). (Sriram)
  • Fixed bug #48190 (Content-type parameter "boundary" is not case-insensitive in HTTP uploads). (Ilia)
  • Fixed bug #47848 (importNode doesn't preserve attribute namespaces). (Rob)
  • Fixed bug #47409 (extract() problem with array containing word "this"). (Ilia, chrisstocktonaz at gmail dot com)
  • Fixed bug #47281 ($php_errormsg is limited in size of characters) (Oracle Corp.)
  • Fixed bug #46478 (htmlentities() uses obsolete mapping table for character entity references). (Moriyoshi)
  • Fixed bug #45599 (strip_tags() truncates rest of string with invalid attribute). (Ilia, hradtke)
  • Fixed bug #45120 (PDOStatement->execute() returns true then false for same statement). (Pierrick)
  • Fixed bug #44827 (define() allows :: in constant names). (Ilia)
  • Fixed bug #44098 (imap_utf8() returns only capital letters). (steffen at dislabs dot de, Pierre)
  • Fixed bug #34852 (Failure in odbc_exec() using oracle-supplied odbc driver). (tim dot tassonis at trivadis dot com)

Version 5.2.13

  • Security Fixes
    • Improved LCG entropy. (Rasmus, Samy Kamkar)
    • Fixed safe_mode validation inside tempnam() when the directory path does not end with a /). (Martin Jansen)
    • Fixed a possible open_basedir/safe_mode bypass in the session extension identified by Grzegorz Stachowiak. (Ilia)
  • Updated timezone database to version 2010.2. (Derick)
  • Upgraded bundled PCRE to version 7.9. (Ilia)
  • Removed automatic file descriptor unlocking happening on shutdown and/or stream close (on all OSes excluding Windows). (Tony, Ilia)
  • Changed tidyNode class to disallow manual node creation. (Pierrick)
  • Added missing host validation for HTTP urls inside FILTER_VALIDATE_URL. (Ilia)
  • Fixed bug in bundled libgd causing spurious horizontal lines drawn by gdImageFilledPolygon (libgd #100). (Takeshi Abe)
  • Fixed build of mysqli with MySQL 5.5.0-m2. (Andrey)
  • Fixed bug #50940 (Custom content-length set incorrectly in Apache sapis). (Brian France, Rasmus)
  • Fixed bug #50930 (Wrong date by php_date.c patch with ancient gcc/glibc versions). (Derick)
  • Fixed bug #50859 (build fails with openssl 1.0 due to md2 deprecation). (Ilia, hanno at hboeck dot de)
  • Fixed bug #50847 (strip_tags() removes all tags greater then 1023 bytes long). (Ilia)
  • Fixed bug #50832 (HTTP fopen wrapper does not support passwordless HTTP authentication). (Jani)
  • Fixed bug #50823 (ReflectionFunction::isDeprecated producing "cannot be called statically" error). (Jani, Felipe)
  • Fixed bug #50791 (Compile failure: Bad logic in defining fopencookie emulation). (Jani)
  • Fixed bug #50787 (stream_set_write_buffer() has no effect on socket streams). (vnegrier at optilian dot com, Ilia)
  • Fixed bug #50772 (mysqli constructor without parameters does not return a working mysqli object). (Andrey)
  • Fixed bug #50761 (system.multiCall crashes in xmlrpc extension). (hiroaki dot kawai at gmail dot com, Ilia)
  • Fixed bug #50732 (exec() adds single byte twice to $output array). (Ilia)
  • Fixed bug #50728 (All PDOExceptions hardcode 'code' property to 0). (Joey, Ilia)
  • Fixed bug #50727 (Accessing mysqli->affected_rows on no connection causes segfault). (Andrey, Johannes)
  • Fixed bug #50680 (strtotime() does not support eighth ordinal number). (Ilia)
  • Fixed bug #50661 (DOMDocument::loadXML does not allow UTF-16). (Rob)
  • Fixed bug #50657 (copy() with an empty (zero-byte) HTTP source succeeds but returns false). (Ilia)
  • Fixed bug #50636 (MySQLi_Result sets values before calling constructor). (Pierrick)
  • Fixed bug #50632 (filter_input() does not return default value if the variable does not exist). (Ilia)
  • Fixed bug #50576 (XML_OPTION_SKIP_TAGSTART option has no effect). (Pierrick)
  • Fixed bug #50575 (PDO_PGSQL LOBs are not compatible with PostgreSQL 8.5). (Matteo)
  • Fixed bug #50558 (Broken object model when extending tidy). (Pierrick)
  • Fixed bug #50540 (Crash while running ldap_next_reference test cases). (Sriram)
  • Fixed bug #50508 (compile failure: Conflicting HEADER type declarations). (Jani)
  • Fixed bug #50394 (Reference argument converted to value in __call). (Stas)
  • Fixed bug #49851 (http wrapper breaks on 1024 char long headers). (Ilia)
  • Fixed bug #49600 (imageTTFText text shifted right). (Takeshi Abe)
  • Fixed bug #49585 (date_format buffer not long enough for >4 digit years). (Derick, Adam)
  • Fixed bug #49463 (setAttributeNS fails setting default namespace). (Rob)
  • Fixed bug #48667 (Implementing Iterator and IteratorAggregate). (Etienne)
  • Fixed bug #48590 (SoapClient does not honor max_redirects). (Sriram)
  • Fixed bug #48190 (Content-type parameter "boundary" is not case-insensitive in HTTP uploads). (Ilia)
  • Fixed bug #47601 (defined() requires class to exist when testing for class constants). (Ilia)
  • Fixed bug #47409 (extract() problem with array containing word "this"). (Ilia, chrisstocktonaz at gmail dot com)
  • Fixed bug #47002 (Field truncation when reading from dbase dbs with more then 1024 fields). (Ilia, sjoerd-php at linuxonly dot nl)
  • Fixed bug #45599 (strip_tags() truncates rest of string with invalid attribute). (Ilia, hradtke)
  • Fixed bug #44827 (define() allows :: in constant names). (Ilia)

Version 5.3.1

  • Security Fixes
    • Added "max_file_uploads" INI directive, which can be set to limit the number of file uploads per-request to 20 by default, to prevent possible DOS via temporary file exhaustion. (Ilia)
    • Added missing sanity checks around exif processing. (Ilia)
    • Fixed a safe_mode bypass in tempnam(). (Rasmus)
    • Fixed a open_basedir bypass in posix_mkfifo(). (Rasmus)
    • Fixed bug #50063 (safe_mode_include_dir fails). (Johannes, christian at elmerot dot se)
  • Added error constant when json_encode() detects an invalid UTF-8 sequence. (Scott)
  • Added support for ACL on Windows for thread safe SAPI (Apache2 for example) and fix its support on NTS. (Pierre)
  • Upgraded bundled sqlite to version 3.6.19. (Scott)
  • Updated timezone database to version 2009.17 (2009q). (Derick)
  • Fixed crash in com_print_typeinfo when an invalid typelib is given. (Pierre)
  • Fixed a safe_mode bypass in tempnam() identified by Grzegorz Stachowiak. (Rasmus)
  • Fixed a open_basedir bypass in posix_mkfifo() identified by Grzegorz Stachowiak. (Rasmus)
  • Fixed certificate validation inside php_openssl_apply_verification_policy (Ryan Sleevi, Ilia)
  • Fixed crash in SQLiteDatabase::ArrayQuery() and SQLiteDatabase::SingleQuery() when calling using Reflection. (Felipe)
  • Fixed crash when instantiating PDORow and PDOStatement through Reflection. (Felipe)
  • Fixed sanity check for the color index in imagecolortransparent. (Pierre)
  • Fixed scandir/readdir when used mounted points on Windows. (Pierre)
  • Fixed zlib.deflate compress filter to actually accept level parameter. (Jani)
  • Fixed leak on error in popen/exec (and related functions) on Windows. (Pierre)
  • Fixed possible bad caching of symlinked directories in the realpath cache on Windows. (Pierre)
  • Fixed atime and mtime in stat related functions on Windows. (Pierre)
  • Fixed spl_autoload_unregister/spl_autoload_functions wrt. Closures and Functors. (Christian Seiler)
  • Fixed open_basedir circumvention for "mail.log" ini directive. (Maksymilian Arciemowicz, Stas)
  • Fixed signature generation/validation for zip archives in ext/phar. (Greg)
  • Fixed memory leak in stream_is_local(). (Felipe, Tony)
  • Fixed BC break in mime_content_type(), removes the content encoding. (Scott)
  • Changed ini file directives [PATH=](on Win32) and [HOST=](on all) to be case insensitive (garretts)
  • Restored shebang line check to CGI sapi (not checked by scanner anymore). (Jani)
  • Improve symbolic, mounted volume and junctions support for realpath on Windows. (Pierre)
  • Improved readlink on Windows, suppress \??\ and use the drive syntax only. (Pierre)
  • Improved dns_get_record() AAAA support on windows. Always available when IPv6 is support is installed, format is now the same than on unix. (Pierre)
  • Improved the DNS functions on OSX to use newer APIs, also use Bind 9 API where available on other platforms. (Scott)
  • Improved shared extension loading on OSX to use the standard Unix dlopen() API. (Scott)
  • Fixed bug #50063 (safe_mode_include_dir fails). (Johannes, christian at elmerot dot se)
  • Fixed bug #50052 (Different Hashes on Windows and Linux on wrong Salt size). (Pierre)
  • Fixed bug #49910 (no support for ././@LongLink for long filenames in phar tar support). (Greg)
  • Fixed bug #49908 (throwing exception in __autoload crashes when interface is not defined). (Felipe)
  • Fixed bug #49847 (exec() fails to return data inside 2nd parameter, given output lines >4095 bytes). (Ilia)
  • Fixed bug #49809 (time_sleep_until() is not available on OpenSolaris). (Jani)
  • Fixed bug #49757 (long2ip() can return wrong value in a multi-threaded applications). (Ilia, Florian Anderiasch)
  • Fixed bug #49738 (calling mcrypt after mcrypt_generic_deinit crashes). (Sriram Natarajan)
  • Fixed bug #49732 (crashes when using fileinfo when timestamp conversion fails). (Pierre)
  • Fixed bug #49698 (Unexpected change in strnatcasecmp()). (Rasmus)
  • Fixed bug #49630 (imap_listscan function missing). (Felipe)
  • Fixed bug #49572 (use of C++ style comments causes build failure). (Sriram Natarajan)
  • Fixed bug #49531 (CURLOPT_INFILESIZE sometimes causes warning "CURLPROTO_FILE cannot be set"). (Felipe)
  • Fixed bug #49517 (cURL's CURLOPT_FILE prevents file from being deleted after fclose). (Ilia)
  • Fixed bug #49470 (FILTER_SANITIZE_EMAIL allows disallowed characters). (Ilia)
  • Fixed bug #49447 (php engine need to correctly check for socket API return status on windows). (Sriram Natarajan)
  • Fixed bug #49391 (ldap.c utilizing deprecated ldap_modify_s). (Ilia)
  • Fixed bug #49361 (wordwrap() wraps incorrectly on end of line boundaries). (Ilia, code-it at mail dot ru)
  • Fixed bug #49372 (segfault in php_curl_option_curl). (Pierre)
  • Fixed bug #49306 (inside pdo_mysql default socket settings are ignored). (Ilia)
  • Fixed bug #49289 (bcmath module doesn't compile with phpize configure). (Jani)
  • Fixed bug #49286 (php://input (php_stream_input_read) is broken). (Jani)
  • Fixed bug #49269 (Ternary operator fails on Iterator object when used inside foreach declaration). (Etienne, Dmitry)
  • Fixed bug #49236 (Missing PHP_SUBST(PDO_MYSQL_SHARED_LIBADD)). (Jani)
  • Fixed bug #49223 (Inconsistency using get_defined_constants). (Garrett)
  • Fixed bug #49193 (gdJpegGetVersionString() inside gd_compact identifies wrong type in declaration). (Ilia)
  • Fixed bug #49183 (dns_get_record does not return NAPTR records). (Pierre)
  • Fixed bug #49144 (Import of schema from different host transmits original authentication details). (Dmitry)
  • Fixed bug #49142 (crash when exception thrown from __tostring()). (David Soria Parra)
  • Fixed bug #49986 (Missing ICU DLLs on windows package). (Pierre)
  • Fixed bug #49132 (posix_times returns false without error). (phpbugs at gunnu dot us)
  • Fixed bug #49125 (Error in dba_exists C code). (jdornan at stanford dot edu)
  • Fixed bug #49122 (undefined reference to mysqlnd_stmt_next_result on compile with --with-mysqli and MySQL 6.0). (Jani)
  • Fixed bug #49108 (2nd scan_dir produces segfault). (Felipe)
  • Fixed bug #49098 (mysqli segfault on error). (Rasmus)
  • Fixed bug #49095 (proc_get_status['exitcode'] fails on win32). (Felipe)
  • Fixed bug #49092 (ReflectionFunction fails to work with functions in fully qualified namespaces). (Kalle, Jani)
  • Fixed bug #49074 (private class static fields can be modified by using reflection). (Jani)
  • Fixed bug #49072 (feof never returns true for damaged file in zip). (Pierre)
  • Fixed bug #49065 ("disable_functions" php.ini option does not work on Zend extensions). (Stas)
  • Fixed bug #49064 (--enable-session=shared does not work: undefined symbol: php_url_scanner_reset_vars). (Jani)
  • Fixed bug #49056 (parse_ini_file() regression in 5.3.0 when using non-ASCII strings as option keys). (Jani)
  • Fixed bug #49052 (context option headers freed too early when using --with-curlwrappers). (Jani)
  • Fixed bug #49047 (The function touch() fails on directories on Windows). (Pierre)
  • Fixed bug #49032 (SplFileObject::fscanf() variables passed by reference). (Jani)
  • Fixed bug #49027 (mysqli_options() doesn't work when using mysqlnd). (Andrey)
  • Fixed bug #49026 (proc_open() can bypass safe_mode_protected_env_vars restrictions). (Ilia)
  • Fixed bug #49012 (phar tar signature algorithm reports as Unknown (0) in getSignature() call). (Greg)
  • Fixed bug #49020 (phar misinterprets ustar long filename standard). (Greg)
  • Fixed bug #49018 (phar tar stores long filenames wit prefix/name reversed). (Greg)
  • Fixed bug #49014 (dechunked filter broken when serving more than 8192 bytes in a chunk). (andreas dot streichardt at globalpark dot com, Ilia)
  • Fixed bug #49000 (PHP CLI in Interactive mode (php -a) crashes when including files from function). (Stas)
  • Fixed bug #48994 (zlib.output_compression does not output HTTP headers when set to a string value). (Jani)
  • Fixed bug #48980 (Crash when compiling with pdo_firebird). (Felipe)
  • Fixed bug #48962 (cURL does not upload files with specified filename). (Ilia)
  • Fixed bug #48929 (Double \r\n after HTTP headers when "header" context option is an array). (David Zülke)
  • Fixed bug #48913 (Too long error code strings in pdo_odbc driver). (naf at altlinux dot ru, Felipe)
  • Fixed bug #48912 (Namespace causes unexpected strict behaviour with extract()). (Dmitry)
  • Fixed bug #48909 (Segmentation fault in mysqli_stmt_execute()). (Andrey)
  • Fixed bug #48899 (is_callable returns true even if method does not exist in parent class). (Felipe)
  • Fixed bug #48893 (Problems compiling with Curl). (Felipe)
  • Fixed bug #48872 (string.c: errors: duplicate case values). (Kalle)
  • Fixed bug #48854 (array_merge_recursive modifies arrays after first one). (Felipe)
  • Fixed bug #48805 (IPv6 socket transport is not working). (Ilia)
  • Fixed bug #48802 (printf() returns incorrect outputted length). (Jani)
  • Fixed bug #48880 (Random Appearing open_basedir problem). (Rasmus, Gwynne)
  • Fixed bug #48791 (open office files always reported as corrupted). (Greg)
  • Fixed bug #48788 (RecursiveDirectoryIterator doesn't descend into symlinked directories). (Ilia)
  • Fixed bug #48783 (make install will fail saying phar file exists). (Greg)
  • Fixed bug #48774 (SIGSEGVs when using curl_copy_handle()). (Sriram Natarajan)
  • Fixed bug #48771 (rename() between volumes fails and reports no error on Windows). (Pierre)
  • Fixed bug #48768 (parse_ini_*() crash with INI_SCANNER_RAW). (Jani)
  • Fixed bug #48763 (ZipArchive produces corrupt archive). (dani dot church at gmail dot com, Pierre)
  • Fixed bug #48762 (IPv6 address filter still rejects valid address). (Felipe)
  • Fixed bug #48757 (ReflectionFunction::invoke() parameter issues). (Kalle)
  • Fixed bug #48754 (mysql_close() crash php when no handle specified). (Johannes, Andrey)
  • Fixed bug #48752 (Crash during date parsing with invalid date). (Pierre)
  • Fixed bug #48746 (Unable to browse directories within Junction Points). (Pierre, Kanwaljeet Singla)
  • Fixed bug #48745 (mysqlnd: mysql_num_fields returns wrong column count for mysql_list_fields). (Andrey)
  • Fixed bug #48740 (PHAR install fails when INSTALL_ROOT is not the final install location). (james dot cohen at digitalwindow dot com, Greg)
  • Fixed bug #48733 (CURLOPT_WRITEHEADER|CURLOPT_FILE|CURLOPT_STDERR warns on files that have been opened with r+). (Ilia)
  • Fixed bug #48719 (parse_ini_*(): scanner_mode parameter is not checked for sanity). (Jani)
  • Fixed bug #48718 (FILTER_VALIDATE_EMAIL does not allow numbers in domain components). (Ilia)
  • Fixed bug #48681 (openssl signature verification for tar archives broken). (Greg)
  • Fixed bug #48660 (parse_ini_*(): dollar sign as last character of value fails). (Jani)
  • Fixed bug #48645 (mb_convert_encoding() doesn't understand hexadecimal html-entities). (Moriyoshi)
  • Fixed bug #48637 ("file" fopen wrapper is overwritten when using --with-curlwrappers). (Jani)
  • Fixed bug #48608 (Invalid libreadline version not detected during configure). (Jani)
  • Fixed bug #48400 (imap crashes when closing stream opened with OP_PROTOTYPE flag). (Jani)
  • Fixed bug #48377 (error message unclear on converting phar with existing file). (Greg)
  • Fixed bug #48247 (Infinite loop and possible crash during startup with errors when errors are logged). (Jani)
  • Fixed bug #48198 error: 'MYSQLND_LLU_SPEC' undeclared. Cause for #48780 and #46952 - both fixed too. (Andrey)
  • Fixed bug #48189 (ibase_execute error in return param). (Kalle)
  • Fixed bug #48182 (ssl handshake fails during asynchronous socket connection). (Sriram Natarajan)
  • Fixed bug #48116 (Fixed build with Openssl 1.0). (Pierre, Al dot Smith at aeschi dot ch dot eu dot org)
  • Fixed bug #48057 (Only the date fields of the first row are fetched, others are empty). (info at programmiernutte dot net)
  • Fixed bug #47481 (natcasesort() does not sort extended ASCII characters correctly). (Herman Radtke)
  • Fixed bug #47351 (Memory leak in DateTime). (Derick, Tobias John)
  • Fixed bug #47273 (Encoding bug in SoapServer->fault). (Dmitry)
  • Fixed bug #46682 (touch() afield returns different values on windows). (Pierre)
  • Fixed bug #46614 (Extended MySQLi class gives incorrect empty() result). (Andrey)
  • Fixed bug #46020 (with Sun Java System Web Server 7.0 on HPUX, #define HPUX). (Uwe Schindler)
  • Fixed bug #45905 (imagefilledrectangle() clipping error). (markril at hotmail dot com, Pierre)
  • Fixed bug #45554 (Inconsistent behavior of the u format char). (Derick)
  • Fixed bug #45141 (setcookie will output expires years of >4 digits). (Ilia)
  • Fixed bug #44683 (popen crashes when an invalid mode is passed). (Pierre)
  • Fixed bug #43510 (stream_get_meta_data() does not return same mode as used in fopen). (Jani)
  • Fixed bug #42434 (ImageLine w/ antialias = 1px shorter). (wojjie at gmail dot com, Kalle)
  • Fixed bug #40013 (php_uname() does not return nodename on Netware (Guenter Knauf)
  • Fixed bug #38091 (Mail() does not use FQDN when sending SMTP helo). (Kalle, Rick Yorgason)
  • Fixed bug #28038 (Sent incorrect RCPT TO commands to SMTP server) (Garrett)
  • Fixed bug #27051 (Impersonation with FastCGI does not exec process as impersonated user). (Pierre)
  • Fixed PECL bug #16842 (oci_error return false when NO_DATA_FOUND is raised). (Chris Jones)

Version 5.3.0

  • Upgraded bundled PCRE to version 7.9. (Nuno)
  • Upgraded bundled sqlite to version 3.6.15. (Scott)
  • Moved extensions to PECL (Derick, Lukas, Pierre, Scott):
    • ext/dbase
    • ext/fbsql
    • ext/fdf
    • ext/ncurses
    • ext/mhash (BC layer is now entirely within ext/hash)
    • ext/ming
    • ext/msql
    • ext/sybase (not maintained anymore, sybase_ct has to be used instead)
  • Removed the experimental RPL (master/slave) functions from mysqli. (Andrey)
  • Removed zend.ze1_compatibility_mode. (Dmitry)
  • Removed all zend_extension_* php.ini directives. Zend extensions are now always loaded using zend_extension directive. (Derick)
  • Removed special treatment of "/tmp" in sessions for open_basedir. Note: This undocumented behaviour was introduced in 5.2.2. (Alexey)
  • Removed shebang line check from CGI sapi (checked by scanner). (Dmitry)
  • Changed PCRE, Reflection and SPL extensions to be always enabled. (Marcus)
  • Changed md5() to use improved implementation. (Solar Designer, Dmitry)
  • Changed HTTP stream wrapper to accept any code between and including 200 to 399 as successful. (Mike, Noah Fontes)
  • Changed __call() to be invoked on private/protected method access, similar to properties and __get(). (Andrei)
  • Changed dl() to be disabled by default. Enabled only when explicitly registered by the SAPI. Currently enabled with cli, cgi and embed SAPIs. (Dmitry)
  • Changed opendir(), dir() and scandir() to use default context when no context argument is passed. (Sara)
  • Changed open_basedir to allow tightening in runtime contexts. (Sara)
  • Changed PHP/Zend extensions to use flexible build IDs. (Stas)
  • Changed error level E_ERROR into E_WARNING in Soap extension methods parameter validation. (Felipe)
  • Changed openssl info to show the shared library version number. (Scott)
  • Changed floating point behaviour to consistently use double precision on all platforms and with all compilers. (Christian Seiler)
  • Changed round() to act more intuitively when rounding to a certain precision and round very large and very small exponents correctly. (Christian Seiler)
  • Changed session_start() to return false when session startup fails. (Jani)
  • Changed property_exists() to check the existence of a property independent of accessibility (like method_exists()). (Felipe)
  • Changed array_reduce() to allow mixed $initial (Christian Seiler)
  • Improved PHP syntax and semantics:
    • Added lambda functions and closures. (Christian Seiler, Dmitry)
    • Added "jump label" operator (limited "goto"). (Dmitry, Sara)
    • Added NOWDOC syntax. (Gwynne Raskind, Stas, Dmitry)
    • Added HEREDOC syntax with double quotes. (Lars Strojny, Felipe)
    • Added support for using static HEREDOCs to initialize static variables and class members or constants. (Matt)
    • Improved syntax highlighting and consistency for variables in double-quoted strings and literal text in HEREDOCs and backticks. (Matt)
    • Added "?:" operator. (Marcus)
    • Added support for namespaces. (Dmitry, Stas, Gregory, Marcus)
    • Added support for Late Static Binding. (Dmitry, Etienne Kneuss)
    • Added support for __callStatic() magic method. (Sara)
    • Added forward_static_call(_array) to complete LSB. (Mike Lively)
    • Added support for dynamic access of static members using $foo::myFunc(). (Etienne Kneuss)
    • Improved checks for callbacks. (Marcus)
    • Added __DIR__ constant. (Lars Strojny)
    • Added new error modes E_USER_DEPRECATED and E_DEPRECATED. E_DEPRECATED is used to inform about stuff being scheduled for removal in future PHP versions. (Lars Strojny, Felipe, Marcus)
    • Added "request_order" INI variable to control specifically $_REQUEST behavior. (Stas)
    • Added support for exception linking. (Marcus)
    • Added ability to handle exceptions in destructors. (Marcus)
  • Improved PHP runtime speed and memory usage:
    • Substitute global-scope, persistent constants with their values at compile time. (Matt)
    • Optimized ZEND_SIGNED_MULTIPLY_LONG(). (Matt)
    • Removed direct executor recursion. (Dmitry)
    • Use fastcall calling convention in executor on x86. (Dmitry)
    • Use IS_CV for direct access to $this variable. (Dmitry)
    • Use ZEND_FREE() opcode instead of ZEND_SWITCH_FREE(IS_TMP_VAR). (Dmitry)
    • Lazy EG(active_symbol_table) initialization. (Dmitry)
    • Optimized ZEND_RETURN opcode to not allocate and copy return value if it is not used. (Dmitry)
    • Replaced all flex based scanners with re2c based scanners. (Marcus, Nuno, Scott)
    • Added garbage collector. (David Wang, Dmitry).
    • Improved PHP binary size and startup speed with GCC4 visibility control. (Nuno)
    • Improved engine stack implementation for better performance and stability. (Dmitry)
    • Improved memory usage by moving constants to read only memory. (Dmitry, Pierre)
    • Changed exception handling. Now each op_array doesn't contain ZEND_HANDLE_EXCEPTION opcode in the end. (Dmitry)
    • Optimized require_once() and include_once() by eliminating fopen(3) on second usage. (Dmitry)
    • Optimized ZEND_FETCH_CLASS + ZEND_ADD_INTERFACE into single ZEND_ADD_INTERFACE opcode. (Dmitry)
    • Optimized string searching for a single character. (Michal Dziemianko, Scott)
    • Optimized interpolated strings to use one less opcode. (Matt)
  • Improved php.ini handling: (Jani)
    • Added ".htaccess" style user-defined php.ini files support for CGI/FastCGI.
    • Added support for special [PATH=/opt/httpd/www.example.com/] and [HOST=www.example.com] sections. Directives set in these sections can not be overridden by user-defined ini-files or during runtime.
    • Added better error reporting for php.ini syntax errors.
    • Allowed using full path to load modules using "extension" directive.
    • Allowed "ini-variables" to be used almost everywhere ini php.ini files.
    • Allowed using alphanumeric/variable indexes in "array" ini options.
    • Added 3rd optional parameter to parse_ini_file() to specify the scanning mode of INI_SCANNER_NORMAL or INI_SCANNER_RAW. In raw mode option values and section values are treated as-is.
    • Fixed get_cfg_var() to be able to return "array" ini options.
    • Added optional parameter to ini_get_all() to only retrieve the current value. (Hannes)
  • Improved Windows support:
    • Update all libraries to their latest stable version. (Pierre, Rob, Liz, Garrett).
    • Added Windows support for stat(), touch(), filemtime(), filesize() and related functions. (Pierre)
    • Re-added socket_create_pair() for Windows in sockets extension. (Kalle)
    • Added inet_pton() and inet_ntop() also for Windows platforms. (Kalle, Pierre)
    • Added mcrypt_create_iv() for Windows platforms. (Pierre)
    • Added ACL Cache support on Windows. (Kanwaljeet Singla, Pierre, Venkat Raman Don)
    • Added constants based on Windows' GetVersionEx information. PHP_WINDOWS_VERSION_* and PHP_WINDOWS_NT_*. (Pierre)
    • Added support for ACL (is_writable, is_readable, reports now correct results) on Windows. (Pierre, Venkat Raman Don, Kanwaljeet Singla)
    • Added support for fnmatch() on Windows. (Pierre)
    • Added support for time_nanosleep() and time_sleep_until() on Windows. (Pierre)
    • Added support for symlink(), readlink(), linkinfo() and link() on Windows. They are available only when the running platform supports them. (Pierre)
    • the GMP extension now relies on MPIR instead of the GMP library. (Pierre)
    • Added Windows support for stream_socket_pair(). (Kalle)
    • Drop all external dependencies for the core features. (Pierre)
    • Drastically improve the build procedure (Pierre, Kalle, Rob):
      • VC9 (Visual C++ 2008) or later support
      • Initial experimental x64 support
    • MSI installer now supports all recent Windows versions, including Windows 7. (John, Kanwaljeet Singla)
  • Improved and cleaned CGI code:
    • FastCGI is now always enabled and cannot be disabled. See sapi/cgi/CHANGES for more details. (Dmitry)
    • Added CGI SAPI -T option which can be used to measure execution time of script repeated several times. (Dmitry)
  • Improved streams:
    • Fixed confusing error message on failure when no errors are logged. (Greg)
    • Added stream_supports_lock() function. (Benjamin Schulz)
    • Added context parameter for copy() function. (Sara)
    • Added "glob://" stream wrapper. (Marcus)
    • Added "params" as optional parameter for stream_context_create(). (Sara)
    • Added ability to use stream wrappers in include_path. (Gregory, Dmitry)
  • Improved DNS API
    • Added Windows support for dns_check_record(), dns_get_mx(), checkdnsrr() and getmxrr(). (Pierre)
    • Added support for old style DNS functions (supports OSX and FBSD). (Scott)
    • Added a new "entries" array in dns_check_record() containing the TXT elements. (Felipe, Pierre)
  • Improved hash extension:
    • Changed mhash to be a wrapper layer around the hash extension. (Scott)
    • Added hash_copy() function. (Tony)
    • Added sha224 hash algorithm to the hash extension. (Scott)
  • Improved IMAP support (Pierre):
    • Added imap_gc() to clear the imap cache
    • Added imap_utf8_to_mutf7() and imap_mutf7_to_utf8()
  • Improved mbstring extension:
    • Added "mbstring.http_output_conv_mimetypes" INI directive that allows common non-text types such as "application/xhtml+xml" to be converted by mb_output_handler(). (Moriyoshi)
  • Improved OCI8 extension (Chris Jones/Oracle Corp.):
    • Added Database Resident Connection Pooling (DRCP) and Fast Application Notification (FAN) support.
    • Added support for Oracle External Authentication (not supported on Windows).
    • Improve persistent connection handling of restarted DBs.
    • Added SQLT_AFC (aka CHAR datatype) support to oci_bind_by_name.
    • Fixed bug #45458 (Numeric keys for associative arrays are not handled properly)
    • Fixed bug #41069 (Segmentation fault with query over DB link).
    • Fixed define of SQLT_BDOUBLE and SQLT_BFLOAT constants with Oracle 10g ORACLE_HOME builds.
    • Changed default value of oci8.default_prefetch from 10 to 100.
    • Fixed PECL bug #16035 (OCI8: oci_connect without ORACLE_HOME defined causes segfault) (Chris Jones/Oracle Corp.)
    • Fixed PECL bug #15988 (OCI8: sqlnet.ora isn't read with older Oracle libraries) (Chris Jones/Oracle Corp.)
    • Fixed PECL bug #14268 (Allow "pecl install oci8" command to "autodetect" an Instant Client RPM install) (Chris Jones/Oracle Corp.)
    • Fixed PECL bug #12431 (OCI8 ping functionality is broken).
    • Allow building (e.g from PECL) the PHP 5.3-based OCI8 code with PHP 4.3.9 onwards.
    • Provide separate extensions for Oracle 11g and 10g on Windows. (Pierre, Chris)
  • Improved OpenSSL extension:
    • Added support for OpenSSL digest and cipher functions. (Dmitry)
    • Added access to internal values of DSA, RSA and DH keys. (Dmitry)
    • Fixed a memory leak on openssl_decrypt(). (Henrique)
    • Fixed segfault caused by openssl_pkey_new(). (Henrique)
    • Fixed bug caused by uninitilized variables in openssl_pkcs7_encrypt() and openssl_pkcs7_sign(). (Henrique)
    • Fixed error message in openssl_seal(). (Henrique)
  • Improved pcntl extension: (Arnaud)
    • Added pcntl_signal_dispatch().
    • Added pcntl_sigprocmask().
    • Added pcntl_sigwaitinfo().
    • Added pcntl_sigtimedwait().
  • Improved SOAP extension:
    • Added support for element names in context of XMLSchema's <any>. (Dmitry)
    • Added ability to use Traversable objects instead of plain arrays. (Joshua Reese, Dmitry)
    • Fixed possible crash bug caused by an uninitialized value. (Zdash Urf)
  • Improved SPL extension:
    • Added SPL to list of standard extensions that cannot be disabled. (Marcus)
    • Added ability to store associative information with objects in SplObjectStorage. (Marcus)
    • Added ArrayAccess support to SplObjectStorage. (Marcus)
    • Added SplDoublyLinkedList, SplStack, SplQueue classes. (Etienne)
    • Added FilesystemIterator. (Marcus)
    • Added GlobIterator. (Marcus)
    • Added SplHeap, SplMinHeap, SplMaxHeap, SplPriorityQueue classes. (Etienne)
    • Added new parameter $prepend to spl_autoload_register(). (Etienne)
    • Added SplFixedArray. (Etienne, Tony)
    • Added delaying exceptions in SPL's autoload mechanism. (Marcus)
    • Added RecursiveTreeIterator. (Arnaud, Marcus)
    • Added MultipleIterator. (Arnaud, Marcus, Johannes)
  • Improved Zend Engine:
    • Added "compact" handler for Zend MM storage. (Dmitry)
    • Added "+" and "*" specifiers to zend_parse_parameters(). (Andrei)
    • Added concept of "delayed early binding" that allows opcode caches to perform class declaration (early and/or run-time binding) in exactly the same order as vanilla PHP. (Dmitry)
  • Improved crypt() function: (Pierre)
    • Added Blowfish and extended DES support. (Using Blowfish implementation from Solar Designer).
    • Made crypt features portable by providing our own implementations for crypt_r and the algorithms which are used when OS does not provide them. PHP implementations are always used for Windows builds.
  • Deprecated session_register(), session_unregister() and session_is_registered(). (Hannes)
  • Deprecated define_syslog_variables(). (Kalle)
  • Deprecated ereg extension. (Felipe)
  • Added new extensions:
    • Added Enchant extension as a way to access spell checkers. (Pierre)
    • Added fileinfo extension as replacement for mime_magic extension. (Derick)
    • Added intl extension for Internationalization. (Ed B., Vladimir I., Dmitry L., Stanislav M., Vadim S., Kirti V.)
    • Added mysqlnd extension as replacement for libmysql for ext/mysql, mysqli and PDO_mysql. (Andrey, Johannes, Ulf)
    • Added phar extension for handling PHP Archives. (Greg, Marcus, Steph)
    • Added SQLite3 extension. (Scott)
  • Added new date/time functionality: (Derick)
    • date_parse_from_format(): Parse date/time strings according to a format.
    • date_create_from_format()/DateTime::createFromFormat(): Create a date/time object by parsing a date/time string according to a given format.
    • date_get_last_errors()/DateTime::getLastErrors(): Return a list of warnings and errors that were found while parsing a date/time string through:
      • strtotime() / new DateTime
      • date_create_from_format() / DateTime::createFromFormat()
      • date_parse_from_format().
    • support for abbreviation and offset based timezone specifiers for the 'e' format specifier, DateTime::__construct(), DateTime::getTimeZone() and DateTimeZone::getName().
    • support for selectively listing timezone identifiers by continent or country code through timezone_identifiers_list() / DateTimezone::listIdentifiers().
    • timezone_location_get() / DateTimezone::getLocation() for retrieving location information from timezones.
    • date_timestamp_set() / DateTime::setTimestamp() to set a Unix timestamp without invoking the date parser. (Scott, Derick)
    • date_timestamp_get() / DateTime::getTimestamp() to retrieve the Unix timestamp belonging to a date object.
    • two optional parameters to timezone_transitions_get() / DateTimeZone::getTranstions() to limit the range of transitions being returned.
    • support for "first/last day of <month>" style texts.
    • support for date/time strings returned by MS SQL.
    • support for serialization and unserialization of DateTime objects.
    • support for diffing date/times through date_diff() / DateTime::diff().
    • support for adding/subtracting weekdays with strtotime() and DateTime::modify().
    • DateInterval class to represent the difference between two date/times.
    • support for parsing ISO intervals for use with DateInterval.
    • date_add() / DateTime::add(), date_sub() / DateTime::sub() for applying an interval to an existing date/time.
    • proper support for "this week", "previous week"/"last week" and "next week" phrases so that they actually mean the week and not a seven day period around the current day.
    • support for "<xth> <weekday> of" and "last <weekday> of" phrases to be used with months - like in "last saturday of februari 2008".
    • support for "back of <hour>" and "front of <hour>" phrases that are used in Scotland.
    • DatePeriod class which supports iterating over a DateTime object applying DateInterval on each iteration, up to an end date or limited by maximum number of occurences.
  • Added compatibility mode in GD, imagerotate, image(filled)ellipse imagefilter, imageconvolution and imagecolormatch are now always enabled. (Pierre)
  • Added array_replace() and array_replace_recursive() functions. (Matt)
  • Added ReflectionProperty::setAccessible() method that allows non-public property's values to be read through ::getValue() and set through ::setValue(). (Derick, Sebastian)
  • Added msg_queue_exists() function to sysvmsg extension. (Benjamin Schulz)
  • Added Firebird specific attributes that can be set via PDO::setAttribute() to control formatting of date/timestamp columns: PDO::FB_ATTR_DATE_FORMAT, PDO::FB_ATTR_TIME_FORMAT and PDO::FB_ATTR_TIMESTAMP_FORMAT. (Lars W)
  • Added gmp_testbit() function. (Stas)
  • Added icon format support to getimagesize(). (Scott)
  • Added LDAP_OPT_NETWORK_TIMEOUT option for ldap_set_option() to allow setting network timeout (FR #42837). (Jani)
  • Added optional escape character parameter to fgetcsv(). (David Soria Parra)
  • Added an optional parameter to strstr() and stristr() for retrieval of either the part of haystack before or after first occurrence of needle. (Johannes, Felipe)
  • Added xsl->setProfiling() for profiling stylesheets. (Christian)
  • Added long-option feature to getopt() and made getopt() available also on win32 systems by adding a common getopt implementation into core. (David Soria Parra, Jani)
  • Added support for optional values, and = as separator, in getopt(). (Hannes)
  • Added lcfirst() function. (David C)
  • Added PREG_BAD_UTF8_OFFSET_ERROR constant. (Nuno)
  • Added native support for asinh(), acosh(), atanh(), log1p() and expm1(). (Kalle)
  • Added LIBXML_LOADED_VERSION constant (libxml2 version currently used). (Rob)
  • Added JSON_FORCE_OBJECT flag to json_encode(). (Scott, Richard Quadling)
  • Added timezone_version_get() to retrieve the version of the used timezone database. (Derick)
  • Added 'n' flag to fopen to allow passing O_NONBLOCK to the underlying open(2) system call. (Mikko)
  • Added "dechunk" filter which can decode HTTP responses with chunked transfer-encoding. HTTP streams use this filter automatically in case "Transfer-Encoding: chunked" header is present in response. It's possible to disable this behaviour using "http"=>array("auto_decode"=>0) in stream context. (Dmitry)
  • Added support for CP850 encoding in mbstring extension. (Denis Giffeler, Moriyoshi)
  • Added stream_cast() and stream_set_options() to user-space stream wrappers, allowing stream_select(), stream_set_blocking(), stream_set_timeout() and stream_set_write_buffer() to work with user-space stream wrappers. (Arnaud)
  • Added header_remove() function. (chsc at peytz dot dk, Arnaud)
  • Added stream_context_get_params() function. (Arnaud)
  • Added optional parameter "new" to sybase_connect(). (Timm)
  • Added parse_ini_string() function. (grange at lemonde dot fr, Arnaud)
  • Added str_getcsv() function. (Sara)
  • Added openssl_random_pseudo_bytes() function. (Scott)
  • Added ability to send user defined HTTP headers with SOAP request. (Brian J.France, Dmitry)
  • Added concatenation option to bz2.decompress stream filter. (Keisial at gmail dot com, Greg)
  • Added support for using compressed connections with PDO_mysql. (Johannes)
  • Added the ability for json_decode() to take a user specified depth. (Scott)
  • Added support for the mysql_stmt_next_result() function from libmysql. (Andrey)
  • Added function preg_filter() t