php-8.4.10

[Bruce Dubbs]

New point version.

[Bruce Dubbs]

03 Jul 2025, PHP 8.4.10

• BcMath:
  • Fixed bug GH-18641 (Accessing a BcMath\Number property by ref crashes).

• Core:
  • Fixed bugs GH-17711 and GH-18022 (Infinite recursion on deprecated attribute evaluation) and GH-18464 (Recursion protection for deprecation constants not released on bailout)
  • Fixed GH-18695 (zend_ast_export() - float number is not preserved).
  • Fix handling of references in zval_try_get_long().
  • Do not delete main chunk in zend_gc.
  • Fix compile issues with zend_alloc and some non-default options.

• Curl:
  • Fix memory leak when setting a list via curl_setopt fails.

• Date:
  • Fix leaks with multiple calls to DatePeriod iterator current().

• DOM:
  • Fixed bug GH-18744 (classList works not correctly if copy HTMLElement by clone keyword)

• FPM:
  • Fixed GH-18662 (fpm_get_status segfault).

• Hash:
  • Fixed bug GH-14551 (PGO build fails with xxhash).

• Intl:
  • Fix memory leak in intl_datetime_decompose() on failure.
  • Fix memory leak in locale lookup on failure.

• Opcache:
  • Fixed bug GH-18743 (Incompatibility in Inline TLS Assembly on Alpine 3.22).

• ODBC:
  • Fix memory leak on php_odbc_fetch_hash() failure.

• OpenSSL:
  • Fix memory leak of X509_STORE in php_openssl_setup_verify() on failure.
  • Fixed bug #74796 (Requests through http proxy set peer name).

• PGSQL:
  • Fixed GHSA-hrwm-9436-5mv3 (pgsql extension does not check for errors during escaping)- (CVE-2025-1735)

• PDO ODBC:
  • Fix memory leak if WideCharToMultiByte() fails.

• PDO Sqlite:
  • Fixed memory leak with Pdo_Sqlite::createCollation when the callback has an incorrect return type-

• Phar:
  • Add missing filter cleanups on phar failure.
  • Fixed bug GH-18642 (Signed integer overflow in ext/phar fseek).

• PHPDBG:
  • Fix 'phpdbg --help' segfault on shutdown with USE_ZEND_ALLOC=0.

• PGSQL:
  • Fix warning not being emitted when failure to cancel a query with pg_cancel_query()

• Random:
  • Fix reference type confusion and leak in user random engine.

• Readline:
  • Fix memory leak when calloc() fails in php_readline_completion_cb().

• SimpleXML:
  • Fixed bug GH-18597 (Heap-buffer-overflow in zend_alloc.c when assigning string with UTF-8 bytes)-

• SOAP:
  • Fix memory leaks in php_http.c when call_user_function() fails. (nielsdos)
  • Fixed GHSA-453j-q27h-5p8x (NULL Pointer Dereference in PHP SOAP Extension via Large XML Namespace Prefix)- (CVE-2025-6491)

• Standard:
  • Fixed GHSA-3cr5-j632-f35r (Null byte termination in hostnames). (CVE-2025-1220)

• Tidy:
  • Fix memory leak in tidy output handler on error.
  • Fix tidyOptIsReadonly deprecation, using tidyOptGetCategory.

[Bruce Dubbs]

​https://feedly.com/cve/CVE-2025-1735

CVE-2025-1735 is a moderate severity vulnerability in the pgsql extension that allows for SQL injection and potential crashes, affecting versions prior to 8.1.33, 8.2.29, 8.3.23, and 8.4.10. Patches are available in the aforementioned versions, which address the vulnerability. There is no information provided regarding exploitation in the wild, proof-of-concept exploits, mitigations, detections, or downstream impacts to other third-party vendors or technology

​https://feedly.com/cve/CVE-2025-6491

CVE-2025-6491 is a moderate severity vulnerability involving a NULL Pointer Dereference in the SOAP extension, affecting versions prior to 8.1.33, 8.2.29, 8.3.23, and 8.4.10, with patches available in these versions. There is no information provided regarding exploitation in the wild, proof-of-concept exploits, or specific mitigations and detections. The vulnerability's impact on downstream third-party vendors or technology is not mentioned.

CVE-2025-1220 - Feedly estimated the CVSS score as HIGH. See ​https://www.linuxcompatible.org/story/php-8133-released/

[Bruce Dubbs]

Fixed at commits

3388551c4c Update to php-8.4.10 (Security update).
a392b54b2b Update to libpng-1.6.50.

[Douglas R. Reno]

SA-12.3-068 issued