Newsgroups: php.internals
List-Id: internals.lists.php.net
From: bukka@php.net (Jakub Zelenka)
Date: Thu, 11 Apr 2024 22:02:51 +0100
Subject: Re: [PHP-DEV] PHP 8.3.6 Released
To: ericmann@php.net
Cc: internals@lists.php.net
In-Reply-To: <0dd463e0-1cd6-4ad9-8a63-bf6bb02a9b17@php.net>

On Thu, Apr 11, 2024 at 5:10 PM <ericmann@php.net> wrote:

> On 4/11/24 08:55, Athos Ribeiro wrote:
>
> On Thu, Apr 11, 2024 at 08:03:31AM -0700, ericmann@php.net wrote:
>
> The PHP development team announces the immediate availability of PHP
> 8.3.6. This is a security release that addresses CVE-2024-1874,
> CVE-2024-2756, CVE-2024-3096, and CVE-2024-2757.
>
>
> Thank you!!!
>
> May I ask what happened to 8.3.5 and why it was never released?
>
> --
> 8.3.5 was frozen at the RC1 stage and we elected to include the fixes for
> the aforementioned CVEs in this release, bumping things instead to 8.3.6 to
> avoid any confusion as to why something was in a stable release that
> *wasn't* included in the RC. This is rare but does happen.
>

Just to add a bit more detail here. There was a regression in one of the
fixes that caused a failure for the Windows build. This was missed in time
because CI is not currently running on PRs in private forks for security
fixes. We are looking into setting up a private repo that would run CI
instead of using GitHub private forks created in the advisories. That should
hopefully prevent those skips.

Regards

Jakub