The PHP development team announces the immediate availability of PHP 8.3.6. This is a security release that addresses CVE-2024-1874,
CVE-2024-2756, CVE-2024-3096, and CVE-2024-2757.
All PHP 8.3 users are encouraged to upgrade to this version.
For source downloads of PHP 8.3.6 please visit our downloads page: https://www.php.net/downloads
Windows binaries can be found on the PHP for Windows site.
The list of changes is recorded in the ChangeLog.
Release Announcement: https://php.net/releases/8_3_6.php
Downloads: https://php.net/downloads
Windows downloads: https://windows.php.net/download#php-8.3
Changelog: https://php.net/ChangeLog-8.php#8.3.6
Release Manifest: https://gist.github.com/ericmann/93ec7609f372b05e55f24136c8b826c0
Many thanks to all the contributors and supporters!
Eric Mann, Jakub Zelenka, and Pierrick Charron
php-8.3.6.tar.bz2
SHA256 hash: 6324b1ddd8eb3025b041034b88dc2bc0b4819b0022129eeaeba37e47803108bc
php-8.3.6.tar.gz
SHA256 hash: 39695f5bd107892e36fd2ed6b3d3a78140fd4b05d556d6c6531a921633cacb5f
php-8.3.6.tar.xz
SHA256 hash: 53c8386b2123af97626d3438b3e4058e0c5914cb74b048a6676c57ac647f5eae
Thank you!!!
May I ask what happened to 8.3.5 and why it was never released?
--
Athos Ribeiro
8.3.5 was frozen at the RC1 stage and we elected to include the fixes
for the aforementioned CVEs in this release, bumping things instead to
8.3.6 to avoid any confusion as to why something was in a stable release
that /wasn't/ included in the RC. This is rare but does happen.
Just to add a bit more detail here. There was a regression in one of the fixes
that caused a failure for the Windows build. This was missed in time because
CI is not currently running on PRs in private forks for security fixes. We
are looking into setting up a private repo that would run CI instead of using
GitHub private forks created in the advisories. That should hopefully
prevent those skips.
Regards
Jakub