Commit 75962399ee0 for php.net

commit 75962399ee0d89bd5301628e1009c019c1ff6ae5
Merge: f30cb4409a6 e77f582d5a7
Author: Ilija Tovilo <ilija.tovilo@me.com>
Date:   Wed May 6 13:49:42 2026 +0200

    Merge branch 'PHP-8.4' into PHP-8.5

    * PHP-8.4:
      [skip ci] Add NEWS entries for 8.2.31 security issues

diff --cc NEWS
index abd76d8555f,c4c7f989638..d28a38d91f5
--- a/NEWS
+++ b/NEWS
@@@ -42,14 -44,29 +42,27 @@@ PH
    . Add support for brotli and zstd on Windows. (Shivam Mathur)

  - DOM:
-   . Fixed bug GH-21566 (Dom\XMLDocument::C14N() emits duplicate xmlns
-     declarations after setAttributeNS()). (David Carlier)
+   . Fixed GHSA-4jhr-8w89-j733 and GH-21566 (Dom\XMLDocument::C14N() emits
+     duplicate xmlns declarations after setAttributeNS()). (CVE-2026-7263)
+     (David Carlier)
 -  . Fixed bug GH-21688 (segmentation fault on empty HTMLDocument).
 -    (David Carlier)
 -  . Upgrade to lexbor v2.7.0. (CVE-2026-29078, CVE-2026-29079)
 -    (ndossche, ilutov)
 -  . Fixed bug GH-21544 (Dom\XMLDocument::C14N*( drops namespace declarations
 -    on DOM-built documents). (David Carlier, ndossche)
+
+ - FPM:
+   . Fixed GHSA-7qg2-v9fj-4mwv (XSS within status endpoint). (CVE-2026-6735)
+     (Jakub Zelenka)

  - Iconv:
    . Fixed bug GH-17399 (iconv memory leak on bailout). (iliaal)

 +- Lexbor:
-   . Upgrade to lexbor v2.7.0. (ndossche, ilutov)
++  . Upgrade to lexbor v2.7.0. (CVE-2026-29078, CVE-2026-29079)
++    (ndossche, ilutov)
++
+ - MBString:
+   . Fixed GHSA-wm6j-2649-pv75 (Null pointer dereference in
+     php_mb_check_encoding() via mb_ereg_search_init()). (CVE-2026-7259)
+     (vi3tL0u1s)
+   . Fixed GHSA-74r9-qxhc-fx53 (Out-of-bounds access in mbfl_name2encoding_ex()).
+     (CVE-2026-6104) (ilutov)

  - Opcache:
    . Fixed bug GH-21158 (JIT: Assertion jit->ra[var].flags & (1<<0) failed in
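Review bot: in the DOM section, the PHP-8.4-side entries for GH-21688 (segmentation fault on empty HTMLDocument) and GH-21544 (C14N drops namespace declarations on DOM-built documents) are removed by the merge resolution and do not reappear anywhere in this hunk. The lexbor v2.7.0 line removed alongside them is re-added under Lexbor with its CVE ids. If those two fixes are not already recorded in another part of the PHP-8.5 NEWS file, carry them over here. If they are, a one-line remark in the merge message would make the drop easy to verify.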
@@@ -59,13 -76,12 +72,17 @@@
    . Fixed faulty returns out of zend_try block in zend_jit_trace(). (ilutov)

  - OpenSSL:
 +  . Fix memory leak regression in openssl_pbkdf2(). (ndossche)
    . Fix a bunch of memory leaks and crashes on edge cases. (ndossche)

+ - PDO_Firebird:
+   . Fixed GHSA-w476-322c-wpvm (SQL injection via NUL bytes in quoted strings).
+     (CVE-2025-14179) (SakiTakamachi)
+
 +- PDO_PGSQL:
 +  . Fixed bug GH-21683 (pdo_pgsql throws with ATTR_PREFETCH=0
 +    on empty result set). (thomasschiet)
 +
  - Phar:
    . Restore is_link handler in phar_intercept_functions_shutdown. (iliaal)
    . Fixed bug GH-21797 (phar: NULL dereference in Phar::webPhar() when
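Review bot: the PDO_Firebird entry carries CVE-2025-14179, while every other security entry this merge brings in uses a CVE-2026 id. Please confirm the id against GHSA-w476-322c-wpvm before the release notes are cut, since a mistyped CVE in NEWS tends to get copied into downstream advisories and scanner feeds.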
@@@ -91,9 -115,12 +116,15 @@@
    . Fix concurrent iteration and deletion issues in SplObjectStorage.
      (ndossche)

 +- Sqlite3:
 +  . Fixed wrong free list comparator pointer type. (David Carlier)
 +
+ - Standard:
+   . Fixed GHSA-96wq-48vp-hh57 (Signed integer overflow of char array offset).
+     (CVE-2026-7568) (TimWolla)
+   . Fixed GHSA-m8rr-4c36-8gq4 (Consistently pass unsigned char to ctype.h
+     functions). (CVE-2026-7258) (ilutov)
+
  - Streams:
    . Fixed bug GH-21468 (Segfault in file_get_contents w/ a https URL
      and a proxy set). (ndossche)
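Review bot: neither Standard entry names the affected function, unlike the MBString entries, which name php_mb_check_encoding() and mbfl_name2encoding_ex(), so readers cannot tell from NEWS whether their code reaches the fixed paths. Suggest adding the function names to both entries. The GHSA-m8rr-4c36-8gq4 text ("Consistently pass unsigned char to ctype.h functions") also describes the remedy rather than the defect; wording it as the issue, as the neighbouring entries do, would keep the section consistent.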