PHP Changelog

What's new in PHP 8.3.6

Apr 11, 2024

Core:
Fixed GH-13569 (GC buffer unnecessarily grows up to GC_MAX_BUF_SIZE when scanning WeakMaps).
Fixed bug GH-13612 (Corrupted memory in destructor with weak references).
Fixed bug GH-13446 (Restore exception handler after it finishes).
Fixed bug GH-13784 (AX_GCC_FUNC_ATTRIBUTE failure).
Fixed bug GH-13670 (GC does not scale well with a lot of objects created in destructor).
DOM:
Add some missing ZPP checks.
Fix potential memory leak in XPath evaluation results.
FPM:
Fixed GH-11086 (FPM: config test runs twice in daemonised mode).
Fix incorrect check in fpm_shm_free().
GD:
Fixed bug GH-12019 (add GDLIB_CFLAGS in feature tests).
Gettext:
Fixed sigabrt raised with dcgettext/dcngettext calls with gettext 0.22.5 with category set to LC_ALL.
MySQLnd:
Fix GH-13452 (Fixed handshake response [mysqlnd]).
Fix incorrect charset length in check_mb_eucjpms().
Opcache:
Fixed GH-13508 (JITed QM_ASSIGN may be optimized out when op1 is null).
Fixed GH-13712 (Segmentation fault for enabled observers when calling trait method of internal trait when opcache is loaded).
Random:
Fixed bug GH-13544 (Pre-PHP 8.2 compatibility for mt_srand with unknown modes).
Fixed bug GH-13690 (Global Mt19937 is not properly reset in-between requests when MT_RAND_PHP is used).
Session:
Fixed bug GH-13680 (Segfault with session_decode and compilation error).
SPL:
Fixed bug GH-13685 (Unexpected null pointer in zend_string.h).
Standard:
Fixed bug GH-11808 (Live filesystem modified by tests).
Fixed GH-13402 (Added validation of `n` in $additional_headers of mail()).
Fixed bug GH-13203 (file_put_contents fail on strings over 4GB on Windows).
Fixed bug GHSA-pc52-254m-w9w7 (Command injection via array-ish $command parameter of proc_open). (CVE-2024-1874)
Fixed bug GHSA-wpj3-hf5j-x4v4 (__Host-/__Secure- cookie bypass due to partial CVE-2022-31629 fix). (CVE-2024-2756)
Fixed bug GHSA-h746-cjrr-wfmr (password_verify can erroneously return true, opening ATO risk). (CVE-2024-3096)
Fixed bug GHSA-fjp9-9hwx-59fq (mb_encode_mimeheader runs endlessly for some inputs). (CVE-2024-2757)
Fix bug GH-13932 (Attempt to fix mbstring on windows build) (msvc).

New in PHP 8.1.25 (Oct 27, 2023)

New in PHP 8.0.30 (Sep 27, 2023)

New in PHP 8.1.23 (Sep 4, 2023)

New in PHP 8.2.10 (Sep 1, 2023)

CLI:
Fixed bug GH-11716 (cli server crashes on SIGINT when compiled with ZEND_RC_DEBUG=1).
Fixed bug GH-10964 (Improve man page about the built-in server).
Date:
Fixed bug GH-11416 (Crash with DatePeriod when uninitialised objects are passed in).
Core:
Fixed strerror_r detection at configuration time.
Fixed trait typed properties using a DNF type not being correctly bound.
Fixed trait property types not being arena allocated if copied from an internal trait.
Fixed deep copy of property DNF type during lazy class load.
Fixed memory freeing of DNF types for non arena allocated types.
DOM:
Fix DOMEntity field getter bugs.
Fix incorrect attribute existence check in DOMElement::setAttributeNodeNS.
Fix DOMCharacterData::replaceWith() with itself.
Fix empty argument cases for DOMParentNode methods.
Fixed bug GH-11791 (Wrong default value of DOMDocument::xmlStandalone).
Fix json_encode result on DOMDocument.
Fix manually calling __construct() on DOM classes.
Fixed bug GH-11830 (ParentNode methods should perform their checks upfront).
Fix viable next sibling search for replaceWith.
Fix segfault when DOMParentNode::prepend() is called when the child disappears.
FFI:
Fix leaking definitions when using FFI::cdef()->new(...).
Hash:
Fix use-of-uninitialized-value in hash_pbkdf2(), fix missing $options parameter in signature.
MySQLnd:
Fixed bug GH-11440 (authentication to a sha256_password account fails over SSL).
Fixed bug GH-11438 (mysqlnd fails to authenticate with sha256_password accounts using passwords longer than 19 characters).
Fixed bug GH-11550 (MySQL Statement has a empty query result when the response field has changed, also Segmentation fault).
Fixed invalid error message "Malformed packet" when connection is dropped.
Opcache:
Fixed bug GH-11715 (opcache.interned_strings_buffer either has no effect or opcache_get_status() / phpinfo() is wrong).
Avoid adding an unnecessary read-lock when loading script from shm if restart is in progress.
PCNTL:
Revert behaviour of receiving SIGCHLD signals back to the behaviour before 8.1.22.
SPL:
Fixed bug #81992 (SplFixedArray::setSize() causes use-after-free).
Standard:
Prevent int overflow on $decimals in number_format.
Fixed bug GH-11870 (Fix off-by-one bug when truncating tempnam prefix) (athos-ribeiro)

New in PHP 8.2.7 (Jun 21, 2023)

Core:
Fixed bug GH-11152 (Unable to alias namespaces containing reserved class names).
Fixed bug GH-9068 (Conditional jump or move depends on uninitialised value(s)).
Fixed bug GH-11189 (Exceeding memory limit in zend_hash_do_resize leaves the array in an invalid state).
Fixed bug GH-11063 (Compilation error on old GCC versions).
Fixed bug GH-11222 (foreach by-ref may jump over keys during a rehash).
Date:
Fixed bug GH-11281 (DateTimeZone::getName() does not include seconds in offset).
Exif:
Fixed bug GH-10834 (exif_read_data() cannot read smaller stream wrapper chunk sizes).
FPM:
Fixed bug GH-10461 (PHP-FPM segfault due to after free usage of child->ev_std(out|err)).
Fixed bug #64539 (FPM status page: query_string not properly JSON encoded).
Fixed memory leak for invalid primary script file handle.
Hash:
Fixed bug GH-11180 (hash_file() appears to be restricted to 3 arguments).
LibXML:
Fixed bug GH-11160 (Few tests failed building with new libxml 2.11.0).
MBString:
Fix bug GH-11217 (Segfault in mb_strrpos / mb_strripos when using negative offset and ASCII encoding).
Opcache:
Fixed bug GH-11134 (Incorrect match default branch optimization).
Fixed too wide OR and AND range inference.
Fixed missing class redeclaration error with OPcache enabled.
Fixed bug GH-11245 (In some specific cases SWITCH with one default statement will cause segfault).
PCNTL:
Fixed maximum argument count of pcntl_forkx().
PGSQL:
Fixed parameter parsing of pg_lo_export().
Phar:
Fixed bug GH-11099 (Generating phar.php during cross-compile can't be done).
Soap:
Fixed bug GHSA-76gg-c692-v2mw (Missing error check and insufficient random bytes in HTTP Digest authentication for SOAP).
Fixed bug GH-8426 (make test fail while soap extension build).
SPL:
Fixed bug GH-11178 (Segmentation fault in spl_array_it_get_current_data (PHP 8.1.18)).
Standard:
Fixed bug GH-11138 (move_uploaded_file() emits open_basedir warning for source file).
Fixed bug GH-11274 (POST/PATCH request switches to GET after a HTTP 308 redirect).
Streams:
Fixed bug GH-10031 ([Stream] STREAM_NOTIFY_PROGRESS over HTTP emitted irregularly for last chunk of data).
Fixed bug GH-11175 (Stream Socket Timeout).
Fixed bug GH-11177 (ASAN UndefinedBehaviorSanitizer when timeout = -1 passed to stream_socket_accept/stream_socket_client).

New in PHP 8.2.4 (Apr 12, 2023)

Core:
Fixed incorrect check condition in ZEND_YIELD.
Fixed incorrect check condition in type inference.
Fix incorrect check in zend_internal_call_should_throw().
Fixed overflow check in OnUpdateMemoryConsumption.
Fixed bug GH-9916 (Entering shutdown sequence with a fiber suspended in a Generator emits an unavoidable fatal error or crashes).
Fixed bug GH-10437 (Segfault/assertion when using fibers in shutdown function after bailout).
Fixed SSA object type update for compound assignment opcodes.
Fixed language scanner generation build.
Fixed zend_update_static_property() calling zend_update_static_property_ex() misleadingly with the wrong return type.
Fix bug GH-10570 (Fixed unknown string hash on property fetch with integer constant name).
Fixed php_fopen_primary_script() call resulted on zend_destroy_file_handle() freeing dangling pointers on the handle as it was uninitialized.
Curl:
Fixed deprecation warning at compile time.
Fixed bug GH-10270 (Unable to return CURL_READFUNC_PAUSE in readfunc callback).
Date:
Fix GH-10447 ('p' format specifier does not yield 'Z' for 00:00).
Fix GH-10152 (Custom properties of Date's child classes are not serialised).
Fixed bug GH-10747 (Private and protected properties in serialized Date* objects throw).
FFI:
Fixed incorrect bitshifting and masking in ffi bitfield.
Fiber:
Fixed assembly on alpine x86.
Fixed bug GH-10496 (segfault when garbage collector is invoked inside of fiber).
FPM:
Fixed bug GH-10315 (FPM unknown child alert not valid).
Fixed bug GH-10385 (FPM successful config test early exit).
GMP:
Properly implement GMP::__construct().
Intl:
Fixed bug GH-10647 (Spoolchecker isSuspicious/areConfusable methods error code's argument always returning NULL0.
JSON:
Fixed JSON scanner and parser generation build.
MBString:
ext/mbstring: fix new_value length check.
Fix bug GH-10627 (mb_convert_encoding crashes PHP on Windows).
Opcache:
Fix incorrect page_size check.
OpenSSL:
Fixed php_openssl_set_server_dh_param() DH params errors handling.
PDO OCI:
Fixed bug #60994 (Reading a multibyte CLOB caps at 8192 chars).
PHPDBG:
Fixed bug GH-10715 (heap buffer overflow on --run option misuse).
PGSQL:
Fix GH-10672 (pg_lo_open segfaults in the strict_types mode).
Phar:
Fix incorrect check in phar tar parsing.
Random:
Fix GH-10390 (Do not trust arc4random_buf() on glibc).
Fix GH-10292 (Made the default value of the first param of srand() and mt_srand() unknown).
Reflection:
Fixed bug GH-10623 (Reflection::getClosureUsedVariables opcode fix with variadic arguments).
Fix Segfault when using ReflectionFiber suspended by an internal function.
Session:
Fixed ps_files_cleanup_dir() on failure code paths with -1 instead of 0 as the latter was considered success by callers. (nielsdos).
Standard:
Fixed bug GH-8086 (Introduce mail.mixed_lf_and_crlf INI).
Fixed bug GH-10292 (Made the default value of the first param of srand() and mt_srand() unknown).
Fix incorrect check in cs_8559_5 in map_from_unicode().
Fix bug GH-9697 for reset/end/next/prev() attempting to move pointer of properties table for certain internal classes such as FFI classes
Fix incorrect error check in browsecap for pcre2_match().
Streams:
Fixed bug GH-10370 (File corruption in _php_stream_copy_to_stream_ex when using copy_file_range).
Fixed bug GH-10548 (copy() fails on cifs mounts because of incorrect copy_file_range() len).
Tidy:
Fix memory leaks when attempting to open a non-existing file or a file over 4GB.
Add missing error check on tidyLoadConfig.
Zlib:
Fixed output_handler directive value's length which counted the string terminator.

New in PHP 8.2.3 (Mar 1, 2023)

New in PHP 8.2.2 (Feb 14, 2023)

New in PHP 8.1.12 (Nov 22, 2022)

New in PHP 7.4.32 (Nov 3, 2022)

New in PHP 8.1.9 (Aug 30, 2022)

New in PHP 8.1.8 (Aug 2, 2022)

New in PHP 8.0.20 (Jun 8, 2022)

New in PHP 7.4.29 (Apr 14, 2022)

New in PHP 8.0.17 (Mar 17, 2022)

New in PHP 8.1.3 (Mar 2, 2022)

New in PHP 8.0.12 (Oct 21, 2021)

New in PHP 8.0.11 (Sep 21, 2021)

New in PHP 7.3.30 (Aug 27, 2021)

New in PHP 8.0.9 (Jul 30, 2021)

New in PHP 7.4.15 RC2 (Jan 20, 2021)

New in PHP 7.3.26 (Jan 7, 2021)

New in PHP 8.0.0 (Dec 15, 2020)

New in PHP 7.4.7 (Jul 7, 2020)

New in PHP 7.3.20 (Jul 7, 2020)

New in PHP 7.4.6 (May 12, 2020)

New in PHP 7.2.30 (Apr 18, 2020)

New in PHP 7.3.9 (Sep 24, 2019)

New in PHP 7.2.19 (May 30, 2019)

New in PHP 7.3.5 (May 1, 2019)

New in PHP 7.2.17 (Apr 4, 2019)

New in PHP 7.2.17 RC1 (Mar 22, 2019)

New in PHP 7.3.4 RC1 (Mar 22, 2019)

New in PHP 7.1.27 (Mar 8, 2019)

New in PHP 7.2.16 (Mar 8, 2019)

New in PHP 7.3.3 (Mar 8, 2019)

New in PHP 7.1.26 (Jan 11, 2019)

New in PHP 7.1.25 (Jan 3, 2019)

New in PHP 7.0.33 (Dec 7, 2018)

New in PHP 7.1.23 (Oct 12, 2018)

New in PHP 7.2.11 (Oct 12, 2018)

New in PHP 7.1.22 (Sep 14, 2018)

New in PHP 7.3.0 RC1 (Sep 13, 2018)

New in PHP 7.1.20 (Jul 20, 2018)

New in PHP 7.0.31 - Old Stable (Jul 20, 2018)

New in PHP 7.2.7 (Jun 21, 2018)

New in PHP 7.2.6 (May 25, 2018)

New in PHP 7.2.5 (May 10, 2018)

New in PHP 7.2.4 (Mar 29, 2018)

New in PHP 7.2.3 (Mar 28, 2018)

New in PHP 7.2.2 (Feb 1, 2018)

New in PHP 7.2.1 (Jan 4, 2018)

New in PHP 7.1.12 (Nov 29, 2017)

New in PHP 7.2.0 RC 6 (Nov 9, 2017)

New in PHP 7.2.0 RC 5 (Oct 27, 2017)

New in PHP 7.2.0 RC 4 (Oct 12, 2017)

New in PHP 7.1.10 (Sep 27, 2017)

New in PHP 7.1.9 (Aug 31, 2017)

New in PHP 7.2.0 RC 1 (Aug 30, 2017)

New in PHP 7.2.0 Beta 3 (Aug 17, 2017)

New in PHP 7.1.8 (Aug 3, 2017)

New in PHP 7.2.0 Beta 1 (Jul 20, 2017)

New in PHP 7.1.7 (Jul 7, 2017)

New in PHP 7.1.6 (Jun 12, 2017)

New in PHP 7.1.4 (Apr 12, 2017)

New in PHP 7.1.3 (Apr 12, 2017)

Core:
Fixed bug #73989 (PHP 7.1 Segfaults within Symfony test suite).
Fixed bug #74084 (Out of bound read - zend_mm_alloc_small).
Fixed bug #73807 (Performance problem with processing large post request).
Fixed bug #73998 (array_key_exists fails on arrays created by get_object_vars).
Fixed bug #73954 (NAN check fails on Alpine Linux with musl).
Fixed bug #74039 (is_infinite(-INF) returns false).
Fixed bug #73677 (Generating phar.phar core dump with gcc ASAN enabled build).
Apache:
Fixed bug #61471 (Incomplete POST does not timeout but is passed to PHP).
Date:
Fixed bug #72719 (Relative datetime format ignores weekday on sundays only).
Fixed bug #73294 (DateTime wrong when date string is negative).
Fixed bug #73489 (wrong timestamp when call setTimeZone multi times with UTC offset).
Fixed bug #73858 (first/last day of' flag is not being reset).
Fixed bug #73942 ($date->modify('Friday this week') doesn't return a Friday if $date is a Sunday).
Fixed bug #74057 (wrong day when using "this week" in strtotime).
FPM:
Fixed bug #69860 (php-fpm process accounting is broken with keepalive).
Hash:
Fixed bug #73127 (gost-crypto hash incorrect if input data contains long 0xFF sequence).
GD:
Fixed bug #74031 (ReflectionFunction for imagepng is missing last two parameters).
Mysqlnd:
Fixed bug #74021 (fetch_array broken data. Data more then MEDIUMBLOB).
Opcache:
Fixed bug #74152 (if statement says true to a null variable).
Fixed bug #74019 (Segfault with list).
OpenSSL:
Fixed bug #74022 (PHP Fast CGI crashes when reading from a pfx file).
Standard:
Fixed bug #74148 (ReflectionFunction incorrectly reports the number of arguments).
Fixed bug #74005 (mail.add_x_header causes RFC-breaking lone line feed).
Fixed bug #73118 (is_callable callable name reports misleading value for anonymous classes).
Fixed bug #74105 (PHP on Linux should use /dev/urandom when getrandom is not available).
Streams:
Fixed bug #73496 (Invalid memory access in zend_inline_hash_func).
Fixed bug #74090 (stream_get_contents maxlength>-1 returns empty string).

New in PHP 7.1.2 (Mar 16, 2017)

Released on 16 Feb 2017
Core:
Improved GENERATOR_CREATE opcode handler.
Fixed bug #73877 (readlink() returns garbage for UTF-8 paths).
Fixed bug #73876 (Crash when exporting **= in expansion of assign op).
Fixed bug #73962 (bug with symlink related to cyrillic directory).
Fixed bug #73969 (segfault in debug_print_backtrace).
Fixed bug #73994 (arginfo incorrect for unpack).
Fixed bug #73973 (assertion error in debug_zval_dump).
DOM:
Fixed bug #54382 (getAttributeNodeNS doesn't get xmlns* attributes).
DTrace:
Fixed bug #73965 (DTrace reported as enabled when disabled).
FCGI:
Fixed bug #73904 (php-cgi fails to load -c specified php.ini file).
Fixed bug #72898 (PHP_FCGI_CHILDREN is not included in phpinfo()).
FPM:
Fixed bug #69865 (php-fpm does not close stderr when using syslog).
GD:
Fixed bug #73968 (Premature failing of XBM reading).
GMP:
Fixed bug #69993 (test for gmp.h needs to test machine includes).
Hash:
Added hash_hkdf() function.
Fixed bug #73961 (environmental build dependency in hash sha3 source).
Intl:
Fix bug #73956 (Link use CC instead of CXX).
LDAP:
Fixed bug #73933 (error/segfault with ldap_mod_replace and opcache).
MySQLi:
Fixed bug #73949 (leak in mysqli_fetch_object).
Mysqlnd:
Fixed bug #69899 (segfault on close() after free_result() with mysqlnd).
Opcache:
Fixed bug #73983 (crash on finish work with phar in cli + opcache).
OpenSSL:
Fixed bug #71519 (add serial hex to return value array).
Fixed bug #73692 (Compile ext/openssl with openssl 1.1.0 on Win).
Fixed bug #73978 (openssl_decrypt triggers bug in PDO).
PDO_Firebird:
Implemented FR #72583 (All data are fetched as strings).
PDO_PgSQL:
Fixed bug #73959 (lastInsertId fails to throw an exception for wrong sequence name).
Phar:
Fixed bug #70417 (PharData::compress() doesn't close temp file).
posix:
Fixed bug #71219 (configure script incorrectly checks for ttyname_r).
Session:
Fixed bug #69582 (session not readable by root in CLI).
SPL:
Fixed bug #73896 (spl_autoload() crashes when calls magic _call()).
Standard:
Fixed bug #69442 (closing of fd incorrect when PTS enabled).
Fixed bug #47021 (SoapClient stumbles over WSDL delivered with "Transfer-Encoding: chunked").
Fixed bug #72974 (imap is undefined service on AIX).
Fixed bug #72979 (money_format stores wrong length AIX).
Fixed bug #73374 (intval() with base 0 should detect binary).
Fixed bug #69061 (mail.log = syslog contains double information).
ZIP:
Fixed bug #70103 (ZipArchive::addGlob ignores remove_all_path option).

New in PHP 7.0.16 (Mar 16, 2017)

New in PHP 7.0.15 (Mar 16, 2017)

Released on 19 Jan 2017
Core:
Fixed bug #73792 (invalid foreach loop hangs script).
Fixed bug #73663 ("Invalid opcode 65/16/8" occurs with a variable created with list()).
Fixed bug #73585 (Logging of "Internal Zend error - Missing class information" missing class name).
Fixed bug #73753 (unserialized array pointer not advancing).
Fixed bug #73825 (Heap out of bounds read on unserialize in finish_nested_data()). (CVE-2016-10161)
Fixed bug #73831 (NULL Pointer Dereference while unserialize php object). (CVE-2016-10162)
Fixed bug #73832 (Use of uninitialized memory in unserialize()). (CVE-2017-5340)
Fixed bug #73092 (Unserialize use-after-free when resizing object's properties hash table). (CVE-2016-7479)
Fixed bug #69425 (Use After Free in unserialize()).
Fixed bug #72731 (Type Confusion in Object Deserialization).
COM:
Fixed bug #73679 (DOTNET read access violation using invalid codepage).
DOM:
Fixed bug #67474 (getElementsByTagNameNS filter on default ns).
EXIF:
Fixed bug #73737 (FPE when parsing a tag format). (CVE-2016-10158)
GD:
Fixed bug #73869 (Signed Integer Overflow gd_io.c). (CVE-2016-10168)
Fixed bug #73868 (DOS vulnerability in gdImageCreateFromGd2Ctx()). (CVE-2016-10167)
GMP:
Fixed bug #70513 (GMP Deserialization Type Confusion Vulnerability).
Mysqli:
Fixed bug #73462 (Persistent connections don't set $connect_errno).
Mysqlnd:
Fixed issue with decoding BIT columns when having more than one rows in the result set. 7.0+ problem.
Fixed bug #73800 (sporadic segfault with MYSQLI_OPT_INT_AND_FLOAT_NATIVE).
PCRE:
Fixed bug #73612 (preg_*() may leak memory).
PDO_Firebird:
Fixed bug #72931 (PDO_FIREBIRD with Firebird 3.0 not work on returning statement).
Phar:
Fixed bug #73773 (Seg fault when loading hostile phar).
Fixed bug #73768 (Memory corruption when loading hostile phar). (CVE-2016-10160)
Fixed bug #73764 (Crash while loading hostile phar archive). (CVE-2016-10159)
Phpdbg:
Fixed bug #73615 (phpdbg without option never load .phpdbginit at startup).
Fixed issue getting executable lines from custom wrappers.
Fixed bug #73704 (phpdbg shows the wrong line in files with shebang).
Reflection:
Fixed bug #46103 (ReflectionObject memory leak).
Streams:
Fixed bug #73586 (php_user_filter::$stream is not set to the stream the filter is working on).
SQLite3:
Reverted fix for #73530 (Unsetting result set may reset other result set).
Standard:
Fixed bug #73594 (dns_get_record does not populate $additional out parameter).
Fixed bug #70213 (Unserialize context shared on double class lookup).
Fixed bug #73154 (serialize object with __sleep function crash).
Fixed bug #70490 (get_browser function is very slow).
Fixed bug #73265 (Loading browscap.ini at startup causes high memory usage).
Fixed bug #31875 (get_defined_functions additional param to exclude disabled functions).
Zlib:
Fixed bug #73373 (deflate_add does not verify that output was not truncated).

New in PHP 7.1.1 (Mar 16, 2017)

Released on 19 Jan 2017
Core
Fixed bug #73792 (invalid foreach loop hangs script).
Fixed bug #73686 (Adding settype()ed values to ArrayObject results in references).
Fixed bug #73663 ("Invalid opcode 65/16/8" occurs with a variable created with list()).
Fixed bug #73727 (ZEND_MM_BITSET_LEN is "undefined symbol" in zend_bitset.h).
Fixed bug #73753 (unserialized array pointer not advancing).
Fixed bug #73783 (SIG_IGN doesn't work when Zend Signals is enabled).
Fixed bug #73825 (Heap out of bounds read on unserialize in finish_nested_data()). (CVE-2016-10161)
Fixed bug #73831 (NULL Pointer Dereference while unserialize php object). (CVE-2016-10162)
Fixed bug #73832 (Use of uninitialized memory in unserialize()). (CVE-2017-5340)
CLI
Fixed bug #72555 (CLI output(japanese) on Windows).
COM
Fixed bug #73679 (DOTNET read access violation using invalid codepage).
DOM
Fixed bug #67474 (getElementsByTagNameNS filter on default ns).
EXIF
Fixed bug #73737 (FPE when parsing a tag format). (CVE-2016-10158)
Fixed bug #73869 (Signed Integer Overflow gd_io.c). (CVE-2016-10168)
Fixed bug #73868 (DOS vulnerability in gdImageCreateFromGd2Ctx()). (CVE-2016-10167)
mbstring
Fixed bug #73646 (mb_ereg_search_init null pointer dereference).
MySQLi
Fixed bug #73462 (Persistent connections don't set $connect_errno).
mysqlnd
Optimized handling of BIT fields - less memory copies and lower memory usage.
Fixed bug #73800 (sporadic segfault with MYSQLI_OPT_INT_AND_FLOAT_NATIVE).
opcache
Fixed bug #73789 (Strange behavior of class constants in switch/case block).
Fixed bug #73746 (Method that returns string returns UNKNOWN:0 instead).
Fixed bug #73654 (Segmentation fault in zend_call_function).
Fixed bug #73668 ("SIGFPE Arithmetic exception" in opcache when divide by minus 1).
Fixed bug #73847 (Recursion when a variable is redefined as array).
PDO Firebird
Fixed bug #72931 (PDO_FIREBIRD with Firebird 3.0 not work on returning statement).
Phar:
Fixed bug #73773 (Seg fault when loading hostile phar).
Fixed bug #73768 (Memory corruption when loading hostile phar). (CVE-2016-10160)
Fixed bug #73764 (Crash while loading hostile phar archive). (CVE-2016-10159)
phpdbg
Fixed bug #73794 (Crash (out of memory) when using run and # command separator).
Fixed bug #73704 (phpdbg shows the wrong line in files with shebang).
SQLite3
Reverted fix for Fixed bug #73530 (Unsetting result set may reset other result set).
Standard
Fixed bug #73594 (dns_get_record does not populate $additional out parameter).
Fixed bug #70213 (Unserialize context shared on double class lookup).
Fixed bug #73154 (serialize object with __sleep function crash).
Fixed bug #70490 (get_browser function is very slow).
Fixed bug #73265 (Loading browscap.ini at startup causes high memory usage).
(add subject to mail log).
Fixed bug #31875 (get_defined_functions additional param to exclude disabled functions).
zlib
Fixed bug #73373 (deflate_add does not verify that output was not truncated).

New in PHP 7.0.14 (Mar 16, 2017)

New in PHP 7.1.0 (Dec 2, 2016)

Core:
Added nullable types.
Added DFA optimization framework based on e-SSA form.
Added specialized opcode handlers (e.g. ZEND_ADD_LONG_NO_OVERFLOW).
Added [] = as alternative construct to list() =.
Added void return type.
Added support for negative string offsets in string offset syntax and various string functions.
Added a form of the list() construct where keys can be specified.
Implemented safe execution timeout handling, that prevents random crashes after "Maximum execution time exceeded" error.
Implemented the RFC `Support Class Constant Visibility`.
Implemented the RFC `Catching multiple exception types`.
Implemented logging to syslog with dynamic error levels.
Implemented FR #72614 (Support "nmake test" on building extensions by phpize).
Implemented RFC: Iterable.
Implemented RFC: Closure::fromCallable (Danack)
Implemented RFC: Replace "Missing argument" warning with "ArgumentCountError" exception.
Implemented RFC: Fix inconsistent behavior of $this variable.
Fixed bug #73585 (Logging of "Internal Zend error - Missing class information" missing class name).
Fixed memory leak(null coalescing operator with Spl hash).
Fixed bug #72736 (Slow performance when fetching large dataset with mysqli / PDO).
Fixed bug #72482 (Ilegal write/read access caused by gdImageAALine overflow).
Fixed bug #72696 (imagefilltoborder stackoverflow on truecolor images).
Fixed bug #73350 (Exception::__toString() cause circular references).
Fixed bug #73329 ((Float)"Nano" == NAN).
Fixed bug #73288 (Segfault in __clone > Exception.toString > __get).
Fixed for #73240 (Write out of bounds at number_format).
Fix pthreads detection when cross-compiling (ffontaine)
Fixed bug #73337 (try/catch not working with two exceptions inside a same operation).
Fixed bug #73156 (segfault on undefined function).
Fixed bug #73163 (PHP hangs if error handler throws while accessing undef const in default value).
Fixed bug #73172 (parse error: Invalid numeric literal).
Fixed bug #73181 (parse_str() without a second argument leads to crash).
Fixed bug #73025 (Heap Buffer Overflow in virtual_popen of zend_virtual_cwd.c).
Fixed bug #73058 (crypt broken when salt is 'too' long).
Fixed bug #72944 (Null pointer deref in zval_delref_p).
Fixed bug #72943 (assign_dim on string doesn't reset hval).
Fixed bug #72598 (Reference is lost after array_slice()) (Nikita)
Fixed bug #72703 (Out of bounds global memory read in BF_crypt triggered by password_verify).
Fixed bug #72813 (Segfault with __get returned by ref).
Fixed bug #72767 (PHP Segfaults when trying to expand an infinite operator).
TypeError messages for arg_info type checks will now say "must be ... or null" where the parameter or return type accepts null.
Fixed bug #72857 (stream_socket_recvfrom read access violation).
Fixed bug #72663 (Create an Unexpected Object and Don't Invoke __wakeup() in Deserialization).
Fixed bug #72681 (PHP Session Data Injection Vulnerability).
Fixed bug #72742 (memory allocator fails to realloc small block to large one).
Fixed URL rewriter. It would not rewrite '//example.com/' URL unconditionally. URL rewrite target hosts whitelist is implemented.
Fixed bug #72641 (phpize (on Windows) ignores PHP_PREFIX).
Fixed bug #72683 (getmxrr broken).
Fixed bug #72629 (Caught exception assignment to variables ignores references).
Fixed bug #72594 (Calling an earlier instance of an included anonymous class fatals).
Fixed bug #72581 (previous property undefined in Exception after deserialization).
Fixed bug #72543 (Different references behavior comparing to PHP 5) (Laruence, Dmitry, Nikita)
Fixed bug #72347 (VERIFY_RETURN type casts visible in finally).
Fixed bug #72216 (Return by reference with finally is not memory safe).
Fixed bug #72215 (Wrong return value if var modified in finally).
Fixed bug #71818 (Memory leak when array altered in destructor).
Fixed bug #71539 (Memory error on $arr[$a] =& $arr[$b] if RHS rehashes) (Dmitry, Nikita)
Added new constant PHP_FD_SETSIZE.
Added optind parameter to getopt().
Added PHP to SAPI error severity mapping for logs.
Fixed bug #71911 (Unable to set --enable-debug on building extensions by phpize on Windows).
Fixed bug #29368 (The destructor is called when an exception is thrown from the constructor).
Implemented RFC: RNG Fixes.
Implemented email validation as per RFC 6531.
Fixed bug #72513 (Stack-based buffer overflow vulnerability in virtual_file_ex).
Fixed bug #72573 (HTTP_PROXY is improperly trusted by some PHP libraries and applications).
Fixed bug #72523 (dtrace issue with reflection (failed test)).
Fixed bug #72508 (strange references after recursive function call and "switch" statement).
Fixed bug #72441 (Segmentation fault: RFC list_keys).
Fixed bug #72395 (list() regression).
Fixed bug #72373 (TypeError after Generator function w/declared return type finishes).
Fixed bug #69489 (tempnam() should raise notice if falling back to temp dir).
Fixed UTF-8 and long path support on Windows.
Fixed bug #53432 (Assignment via string index access on an empty string converts to array).
Fixed bug #62210 (Exceptions can leak temporary variables).
Fixed bug #62814 (It is possible to stiffen child class members visibility).
Fixed bug #69989 (Generators don't participate in cycle GC).
Fixed bug #70228 (Memleak if return in finally block).
Fixed bug #71266 (Missing separation of properties HT in foreach etc).
Fixed bug #71604 (Aborted Generators continue after nested finally).
Fixed bug #71572 (String offset assignment from an empty string inserts null byte).
Fixed bug #71897 (ASCII 0x7F Delete control character permitted in identifiers).
Fixed bug #72188 (Nested try/finally blocks losing return value).
Fixed bug #72213 (Finally leaks on nested exceptions).
Fixed bug #47517 (php-cgi.exe missing UAC manifest).
Change statement and fcall extension handlers to accept frame.
Number operators taking numeric strings now emit E_NOTICEs or E_WARNINGs when given malformed numeric strings.
(int), intval() where $base is 10 or unspecified, settype(), decbin(), decoct(), dechex(), integer operators and other conversions now always respect scientific notation in numeric strings.
Raise a compile-time warning on octal escape sequence overflow.
Apache2handler:
Enable per-module logging in Apache 2.4+.
BCmath:
Fix bug #73190 (memcpy negative parameter _bc_new_num_ex).
Bz2:
Fixed bug #72837 (integer overflow in bzdecompress caused heap corruption).
Fixed bug #72613 (Inadequate error handling in bzread()).
Calendar:
Fix integer overflows (Joshua Rogers)
Fixed bug #67976 (cal_days_month() fails for final month of the French calendar).
Fixed bug #71894 (AddressSanitizer: global-buffer-overflow in zif_cal_from_jd).
CLI Server:
Fixed bug #73360 (Unable to work in root with unicode chars).
Fixed bug #71276 (Built-in webserver does not send Date header).
COM:
Fixed bug #73126 (Cannot pass parameter 1 by reference).
Fixed bug #69579 (Invalid free in extension trait).
Fixed bug #72922 (COM called from PHP does not return out parameters).
Fixed bug #72569 (DOTNET/COM array parameters broke in PHP7).
Fixed bug #72498 (variant_date_from_timestamp null dereference).
Curl:
Implement support for handling HTTP/2 Server Push.
Add curl_multi_errno(), curl_share_errno() and curl_share_strerror() functions.
Fixed bug #72674 (Heap overflow in curl_escape).
Fixed bug #72541 (size_t overflow lead to heap corruption). (Stas).
Fixed bug #71709 (curl_setopt segfault with empty CURLOPT_HTTPHEADER).
Fixed bug #71929 (CURLINFO_CERTINFO data parsing error).
Date:
Fixed bug #69587 (DateInterval properties and isset).
Fixed bug #73426 (createFromFormat with 'z' format char results in incorrect time).
Fixed bug #45554 (Inconsistent behavior of the u format char).
Fixed bug #48225 (DateTime parser doesn't set microseconds for "now").
Fixed bug #52514 (microseconds are missing in DateTime class).
Fixed bug #52519 (microseconds in DateInterval are missing).
Fixed bug #60089 (DateTime::createFromFormat() U after u nukes microtime).
Fixed bug #64887 (Allow DateTime modification with subsecond items).
Fixed bug #68506 (General DateTime improvments needed for microseconds to become useful).
Fixed bug #73109 (timelib_meridian doesn't parse dots correctly).
Fixed bug #73247 (DateTime constructor does not initialise microseconds property).
Fixed bug #73147 (Use After Free in PHP7 unserialize()).
Fixed bug #73189 (Memcpy negative size parameter php_resolve_path).
Fixed bug #66836 (DateTime::createFromFormat 'U' with pre 1970 dates fails parsing).
Invalid serialization data for a DateTime or DatePeriod object will now throw an instance of Error from __wakeup() or __set_state() instead of resulting in a fatal error.
Timezone initialization failure from serialized data will now throw an instance of Error from __wakeup() or __set_state() instead of resulting in a fatal error.
Export date_get_interface_ce() for extension use.
Fixed bug #63740 (strtotime seems to use both sunday and monday as start of week).
Dba:
Fixed bug #70825 (Cannot fetch multiple values with group in ini file).
Data modification functions (e.g.: dba_insert()) now throw an instance of Error instead of triggering a catchable fatal error if the key is does not contain exactly two elements.
DOM:
Fixed bug #73150 (missing NULL check in dom_document_save_html).
Fixed bug #66502 (DOM document dangling reference).
Invalid schema or RelaxNG validation contexts will throw an instance of Error instead of resulting in a fatal error.
Attempting to register a node class that does not extend the appropriate base class will now throw an instance of Error instead of resulting in a fatal error.
Attempting to read an invalid or write to a readonly property will throw an instance of Error instead of resulting in a fatal error.
DTrace:
Disabled PHP call tracing by default (it makes significant overhead). This may be enabled again using envirionment variable USE_ZEND_DTRACE=1.
EXIF:
Fixed bug #72735 (Samsung picture thumb not read (zero size)).
Fixed bug #72627 (Memory Leakage In exif_process_IFD_in_TIFF).
Fixed bug #72603 (Out of bound read in exif_process_IFD_in_MAKERNOTE).
Fixed bug #72618 (NULL Pointer Dereference in exif_process_user_comment).
Filter:
Fixed bug #72972 (Bad filter for the flags FILTER_FLAG_NO_RES_RANGE and FILTER_FLAG_NO_PRIV_RANGE).
Fixed bug #73054 (default option ignored when object passed to int filter).
Fixed bug #71745 (FILTER_FLAG_NO_RES_RANGE does not cover whole 127.0.0.0/8 range).
FPM:
Fixed bug #72575 (using --allow-to-run-as-root should ignore missing user).
FTP:
Fixed bug #70195 (Cannot upload file using ftp_put to FTPES with require_ssl_reuse).
Implemented FR #55651 (Option to ignore the returned FTP PASV address).
GD:
Fixed bug #73213 (Integer overflow in imageline() with antialiasing).
Fixed bug #73272 (imagescale() is not affected by, but affects imagesetinterpolation()).
Fixed bug #73279 (Integer overflow in gdImageScaleBilinearPalette()).
Fixed bug #73280 (Stack Buffer Overflow in GD dynamicGetbuf).
Fixed bug #50194 (imagettftext broken on transparent background w/o alphablending).
Fixed bug #73003 (Integer Overflow in gdImageWebpCtx of gd_webp.c).
Fixed bug #53504 (imagettfbbox gives incorrect values for bounding box).
Fixed bug #73157 (imagegd2() ignores 3rd param if 4 are given).
Fixed bug #73155 (imagegd2() writes wrong chunk sizes on boundaries).
Fixed bug #73159 (imagegd2(): unrecognized formats may result in corrupted files).
Fixed bug #73161 (imagecreatefromgd2() may leak memory).
Fixed bug #67325 (imagetruecolortopalette: white is duplicated in palette).
Fixed bug #66005 (imagecopy does not support 1bit transparency on truecolor images).
Fixed bug #72913 (imagecopy() loses single-color transparency on palette images).
Fixed bug #68716 (possible resource leaks in _php_image_convert()).
Fixed bug #72709 (imagesetstyle() causes OOB read for empty $styles).
Fixed bug #72697 (select_colors write out-of-bounds).
Fixed bug #72730 (imagegammacorrect allows arbitrary write access).
Fixed bug #72596 (imagetypes function won't advertise WEBP support).
Fixed bug #72604 (imagearc() ignores thickness for full arcs).
Fixed bug #70315 (500 Server Error but page is fully rendered).
Fixed bug #43828 (broken transparency of imagearc for truecolor in blendingmode).
Fixed bug #72512 (gdImageTrueColorToPaletteBody allows arbitrary write/read access).
Fixed bug #72519 (imagegif/output out-of-bounds access).
Fixed bug #72558 (Integer overflow error within _gdContributionsAlloc()).
Fixed bug #72482 (Ilegal write/read access caused by gdImageAALine overflow).
Fixed bug #72494 (imagecropauto out-of-bounds access).
Fixed bug #72404 (imagecreatefromjpeg fails on selfie).
Fixed bug #43475 (Thick styled lines have scrambled patterns).
Fixed bug #53640 (XBM images require width to be multiple of 8).
Fixed bug #64641 (imagefilledpolygon doesn't draw horizontal line).
Hash:
Added SHA3 fixed mode algorithms (224, 256, 384, and 512 bit).
Added SHA512/256 and SHA512/224 algorithms.
iconv:
Fixed bug #72320 (iconv_substr returns false for empty strings).
IMAP:
Fixed bug #73418 (Integer Overflow in "_php_imap_mail" leads to crash).
An email address longer than 16385 bytes will throw an instance of Error instead of resulting in a fatal error.
Interbase:
Fixed bug #73512 (Fails to find firebird headers as don't use fb_config output).
Intl:
Fixed bug #73007 (add locale length check).
Fixed bug #73218 (add mitigation for ICU int overflow).
Fixed bug #65732 (grapheme_*() is not Unicode compliant on CR LF sequence).
Fixed bug #73007 (add locale length check).
Fixed bug #72639 (Segfault when instantiating class that extends IntlCalendar and adds a property).
Fixed bug #72658 (Locale::lookup() / locale_lookup() hangs if no match found).
Partially fixed #72506 (idn_to_ascii for UTS #46 incorrect for long domain names).
Fixed bug #72533 (locale_accept_from_http out-of-bounds access).
Failure to call the parent constructor in a class extending Collator before invoking the parent methods will throw an instance of Error instead of resulting in a recoverable fatal error.
Cloning a Transliterator object may will now throw an instance of Error instead of resulting in a fatal error if cloning the internal transliterator fails.
Added IntlTimeZone::getWindowsID() and IntlTimeZone::getIDForWindowsID().
Fixed bug #69374 (IntlDateFormatter formatObject returns wrong utf8 value).
Fixed bug #69398 (IntlDateFormatter formatObject returns wrong value when time style is NONE).
JSON:
Introduced encoder struct instead of global which fixes bugs #66025 and #73254 related to pretty print indentation.
Fixed bug #73113 (Segfault with throwing JsonSerializable).
Implemented earlier return when json_encode fails, fixes bugs #68992 (Stacking exceptions thrown by JsonSerializable) and #70275 (On recursion error, json_encode can eat up all system memory).
Implemented FR #46600 ("_empty_" key in objects).
Exported JSON parser API including json_parser_method that can be used for implementing custom logic when parsing JSON.
Escaped U+2028 and U+2029 when JSON_UNESCAPED_UNICODE is supplied as json_encode options and added JSON_UNESCAPED_LINE_TERMINATORS to restore the previous behaviour.
LDAP:
Providing an unknown modification type to ldap_batch_modify() will now throw an instance of Error instead of resulting in a fatal error.
Mbstring:
Fixed bug #73532 (Null pointer dereference in mb_eregi).
Fixed bug #66964 (mb_convert_variables() cannot detect recursion) (Yasuo)
Fixed bug #72992 (mbstring.internal_encoding doesn't inherit default_charset).
Fixed bug #66797 (mb_substr only takes 32-bit signed integer).
Fixed bug #72711 (`mb_ereg` does not clear the `$regs` parameter on failure).
Fixed bug #72691 (mb_ereg_search raises a warning if a match zero-width).
Fixed bug #72693 (mb_ereg_search increments search position when a match zero-width).
Fixed bug #72694 (mb_ereg_search_setpos does not accept a string's last position).
Fixed bug #72710 (`mb_ereg` causes buffer overflow on regexp compile error).
Deprecated mb_ereg_replace() eval option.
Fixed bug #69151 (mb_ereg should reject ill-formed byte sequence).
Fixed bug #72405 (mb_ereg_replace - mbc_to_code (oniguruma) - oob read access).
Fixed bug #72399 (Use-After-Free in MBString (search_re)).
mb_ereg() and mb_eregi() will now throw an instance of ParseError if an invalid PHP expression is provided and the 'e' option is used.
Mcrypt:
Deprecated ext/mcrypt.
Fixed bug #72782 (Heap Overflow due to integer overflows).
Fixed bug #72551, bug #72552 (In correct casting from size_t to int lead to heap overflow in mdecrypt_generic).
mcrypt_encrypt() and mcrypt_decrypt() will throw an instance of Error instead of resulting in a fatal error if mcrypt cannot be initialized.
Mysqli:
Attempting to read an invalid or write to a readonly property will throw an instance of Error instead of resulting in a fatal error.
Mysqlnd:
Fixed bug #64526 (Add missing mysqlnd.* parameters to php.ini-*).
Fixed bug #71863 (Segfault when EXPLAIN with "Unknown column" error when using MariaDB).
Fixed bug #72701 (mysqli_get_host_info() wrong output).
OCI8:
Fixed bug #71148 (Bind reference overwritten on PHP 7).
Fixed invalid handle error with Implicit Result Sets.
Fixed bug #72524 (Binding null values triggers ORA-24816 error).
ODBC:
Fixed bug #73448 (odbc_errormsg returns trash, always 513 bytes).
Opcache:
Fixed bug #73583 (Segfaults when conditionally declared class and function have the same name).
Fixed bug #69090 (check cached files permissions)
Fixed bug #72982 (Memory leak in zend_accel_blacklist_update_regexp() function).
Fixed bug #72949 (Typo in opcache error message).
Fixed bug #72762 (Infinite loop while parsing a file with opcache enabled).
Fixed bug #72590 (Opcache restart with kill_all_lockers does not work).
OpenSSL:
Fixed bug #73478 (openssl_pkey_new() generates wrong pub/priv keys with Diffie Hellman).
Fixed bug #73276 (crash in openssl_random_pseudo_bytes function).
Fixed bug #73072 (Invalid path SNI_server_certs causes segfault).
Fixed bug #72360 (ext/openssl build failure with OpenSSL 1.1.0).
Bumped a minimal version to 1.0.1.
Dropped support for SSL2.
Implemented FR #61204 (Add elliptic curve support for OpenSSL).
Implemented FR #67304 (Added AEAD support [CCM and GCM modes] to openssl_encrypt and openssl_decrypt).
Implemented error storing to the global queue and cleaning up the OpenSSL error queue (resolves bugs #68276 and #69882).
Pcntl:
Implemented asynchronous signal handling without TICKS.
Added pcntl_signal_get_handler() that returns the current signal handler for a particular signal. Addresses FR #72409.
Add signinfo to pcntl_signal() handler args (Bishop Bettini, David Walker)
PCRE:
Fixed bug #73483 (Segmentation fault on pcre_replace_callback).
Fixed bug #73612 (preg_*() may leak memory).
Fixed bug #73392 (A use-after-free in zend allocator management).
Fixed bug #73121 (Bundled PCRE doesn't compile because JIT isn't supported on s390).
Fixed bug #72688 (preg_match missing group names in matches).
Downgraded to PCRE 8.38.
Fixed bug #72476 (Memleak in jit_stack).
Fixed bug #72463 (mail fails with invalid argument).
Upgraded to PCRE 8.39.
PDO:
Fixed bug #72788 (Invalid memory access when using persistent PDO connection).
Fixed bug #72791 (Memory leak in PDO persistent connection handling).
Fixed bug #60665 (call to empty() on NULL result using PDO::FETCH_LAZY returns false).
PDO_DBlib:
Fixed bug #72414 (Never quote values as raw binary data).
Allow PDO::setAttribute() to set query timeouts.
Handle SQLDECIMAL/SQLNUMERIC types, which are used by later TDS versions.
Add common PDO test suite.
Free error and message strings when cleaning up PDO instances.
Fixed bug #67130 (PDOStatement::nextRowset() should succeed when all rows in current rowset haven't been fetched).
Ignore potentially misleading dberr values.
Implemented stringify 'uniqueidentifier' fields.
PDO_Firebird:
Fixed bug #73087, #61183, #71494 (Memory corruption in bindParam).
Fixed bug #60052 (Integer returned as a 64bit integer on X86_64).
PDO_pgsql:
Fixed bug #70313 (PDO statement fails to throw exception).
Fixed bug #72570 (Segmentation fault when binding parameters on a query without placeholders).
Implemented FR #72633 (Postgres PDO lastInsertId() should work without specifying a sequence).
Phar:
Fixed bug #72928 (Out of bound when verify signature of zip phar in phar_parse_zipfile).
Fixed bug #73035 (Out of bound when verify signature of tar phar in phar_parse_tarfile).
phpdbg:
Added generator command for inspection of currently alive generators.
Postgres:
Fixed bug #73498 (Incorrect SQL generated for pg_copy_to()).
Implemented FR #31021 (pg_last_notice() is needed to get all notice messages).
Implemented FR #48532 (Allow pg_fetch_all() to index numerically).
Readline:
Fixed bug #72538 (readline_redisplay crashes php).
Reflection:
Undo backwards compatiblity break in ReflectionType->__toString() and deprecate via documentation instead.
Reverted prepending for class names.
Implemented request #38992 (invoke() and invokeArgs() static method calls should match). (cmb).
Add ReflectionNamedType::getName(). This method should be used instead of ReflectionType::__toString()
Prepend for class names and ? for nullable types returned from ReflectionType::__toString().
Fixed bug #72661 (ReflectionType::__toString crashes with iterable).
Fixed bug #72222 (ReflectionClass::export doesn't handle array constants).
Failure to retrieve a reflection object or retrieve an object property will now throw an instance of Error instead of resulting in a fatal error.
Fix #72209 (ReflectionProperty::getValue() doesn't fail if object doesn't match type).
Session:
Fixed bug #73273 (session_unset() empties values from all variables in which is $_session stored).
Fixed bug #73100 (session_destroy null dereference in ps_files_path_create).
Fixed bug #68015 (Session does not report invalid uid for files save handler).
Fixed bug #72940 (SID always return "name=ID", even if session cookie exist).
Implemented session_gc() (Yasuo) https://wiki.php.net/rfc/session-create-id
Implemented session_create_id() (Yasuo) https://wiki.php.net/rfc/session-gc
Implemented RFC: Session ID without hashing. (Yasuo) https://wiki.php.net/rfc/session-id-without-hashing
Fixed bug #72531 (ps_files_cleanup_dir Buffer overflow).
Custom session handlers that do not return strings for session IDs will now throw an instance of Error instead of resulting in a fatal error when a function is called that must generate a session ID.
An invalid setting for session.hash_function will throw an instance of Error instead of resulting in a fatal error when a session ID is created.
Fixed bug #72562 (Use After Free in unserialize() with Unexpected Session Deserialization).
Improved fix for bug #68063 (Empty session IDs do still start sessions).
Fixed bug #71038 (session_start() returns TRUE on failure). Session save handlers must return 'string' always for successful read. i.e. Non-existing session read must return empty string. PHP 7.0 is made not to tolerate buggy return value.
Fixed bug #71394 (session_regenerate_id() must close opened session on errors).
SimpleXML:
Fixed bug #73293 (NULL pointer dereference in SimpleXMLElement::asXML()).
Fixed bug #72971 (SimpleXML isset/unset do not respect namespace).
Fixed bug #72957 (Null coalescing operator doesn't behave as expected with SimpleXMLElement).
Fixed bug #72588 (Using global var doesn't work while accessing SimpleXML element).
Creating an unnamed or duplicate attribute will throw an instance of Error instead of resulting in a fatal error.
SNMP:
Fixed bug #72708 (php_snmp_parse_oid integer overflow in memory allocation).
Fixed bug #72479 (Use After Free Vulnerability in SNMP with GC and unserialize()).
Soap:
Fixed bug #73538 (SoapClient::__setSoapHeaders doesn't overwrite SOAP headers).
Fixed bug #73452 (Segfault (Regression for #69152)).
Fixed bug #73037 (SoapServer reports Bad Request when gzipped).
Fixed bug #73237 (Nested object in "any" element overwrites other fields).
Fixed bug #69137 (Peer verification fails when using a proxy with SoapClient) (Keith Smiley)
Fixed bug #71711 (Soap Server Member variables reference bug).
Fixed bug #71996 (Using references in arrays doesn't work like expected).
SPL:
Fixed bug #73423 (Reproducible crash with GDB backtrace).
Fixed bug #72888 (Segfault on clone on splFileObject).
Fixed bug #73029 (Missing type check when unserializing SplArray).
Fixed bug #72646 (SplFileObject::getCsvControl does not return the escape character).
Fixed bug #72684 (AppendIterator segfault with closed generator).
Attempting to clone an SplDirectory object will throw an instance of Error instead of resulting in a fatal error.
Calling ArrayIterator::append() when iterating over an object will throw an instance of Error instead of resulting in a fatal error.
Fixed bug #55701 (GlobIterator throws LogicException).
SQLite3:
Update to SQLite 3.15.1.
Fixed bug #73530 (Unsetting result set may reset other result set).
Fixed bug #73333 (2147483647 is fetched as string).
Fixed bug #72668 (Spurious warning when exception is thrown in user defined function).
Implemented FR #72653 (SQLite should allow opening with empty filename).
Fixed bug #70628 (Clearing bindings on an SQLite3 statement doesn't work).
Implemented FR #71159 (Upgraded bundled SQLite lib to 3.9.2).
Standard:
Fixed bug #73297 (HTTP stream wrapper should ignore HTTP 100 Continue).
Fixed bug #73303 (Scope not inherited by eval in assert()).
Fixed bug #73192 (parse_url return wrong hostname).
Fixed bug #73203 (passing additional_parameters causes mail to fail).
Fixed bug #73203 (passing additional_parameters causes mail to fail).
Fixed bug #72920 (Accessing a private constant using constant() creates an exception AND warning).
Fixed bug #65550 (get_browser() incorrectly parses entries with "+" sign).
Fixed bug #71882 (Negative ftruncate() on php://memory exhausts memory).
Fixed bug #55451 (substr_compare NULL length interpreted as 0).
Fixed bug #72278 (getimagesize returning FALSE on valid jpg).
Fixed bug #61967 (unset array item in array_walk_recursive cause inconsistent array).
Fixed bug #62607 (array_walk_recursive move internal pointer).
Fixed bug #69068 (Exchanging array during array_walk -> memory errors).
Fixed bug #70713 (Use After Free Vulnerability in array_walk()/ array_walk_recursive()).
Fixed bug #72622 (array_walk + array_replace_recursive create references from nothing).
Fixed bug #72330 (CSV fields incorrectly split if escape char followed by UTF chars).
Implemented RFC: More precise float values.
array_multisort now uses zend_sort instead zend_qsort.
Fixed bug #72505 (readfile() mangles files larger than 2G).
assert() will throw a ParseError when evaluating a string given as the first argument if the PHP code is invalid instead of resulting in a catchable fatal error.
Calling forward_static_call() outside of a class scope will now throw an instance of Error instead of resulting in a fatal error.
Added is_iterable() function.
Fixed bug #72306 (Heap overflow through proc_open and $env parameter).
Fixed bug #71100 (long2ip() doesn't accept integers in strict mode).
Implemented FR #55716 (Add an option to pass a custom stream context to get_headers()).
Additional validation for parse_url() for login/pass components).
Implemented FR #69359 (Provide a way to fetch the current environment variables).
unpack() function accepts an additional optional argument $offset.
Implemented #51879 stream context socket option tcp_nodelay (Joe)
Streams:
Fixed bug #73586 (php_user_filter::$stream is not set to the stream the filter is working on).
Fixed bug #72853 (stream_set_blocking doesn't work).
Fixed bug #72743 (Out-of-bound read in php_stream_filter_create).
Implemented FR #27814 (Multiple small packets send for HTTP request).
Fixed bug #72764 (ftps:// opendir wrapper data channel encryption fails with IIS FTP 7.5, 8.5).
Fixed bug #72810 (Missing SKIP_ONLINE_TESTS checks).
Fixed bug #41021 (Problems with the ftps wrapper).
Fixed bug #54431 (opendir() does not work with ftps:// wrapper).
Fixed bug #72667 (opendir() with ftp:// attempts to open data stream for non-existent directories).
Fixed bug #72771 (ftps:// wrapper is vulnerable to protocol downgrade attack).
Fixed bug #72534 (stream_socket_get_name crashes).
Fixed bug #72439 (Stream socket with remote address leads to a segmentation fault).
sysvshm:
Fixed bug #72858 (shm_attach null dereference).
Tidy:
Implemented support for libtidy 5.0.0 and above.
Creating a tidyNode manually will now throw an instance of Error instead of resulting in a fatal error.
Wddx:
Fixed bug #73331 (NULL Pointer Dereference in WDDX Packet Deserialization with PDORow).
Fixed bug #72142 (WDDX Packet Injection Vulnerability in wddx_serialize_value()).
Fixed bug #72749 (wddx_deserialize allows illegal memory access) (Stas)
Fixed bug #72750 (wddx_deserialize null dereference).
Fixed bug #72790 (wddx_deserialize null dereference with invalid xml).
Fixed bug #72799 (wddx_deserialize null dereference in php_wddx_pop_element).
Fixed bug #72860 (wddx_deserialize use-after-free).
Fixed bug #73065 (Out-Of-Bounds Read in php_wddx_push_element).
Fixed bug #72564 (boolean always deserialized as "true") (Remi)
A circular reference when serializing will now throw an instance of Error instead of resulting in a fatal error.
XML:
Fixed bug #72135 (malformed XML causes fault) (edgarsandi)
Fixed bug #72714 (_xml_startElementHandler() segmentation fault).
Fixed bug #72085 (SEGV on unknown address zif_xml_parse).
XMLRPC:
Fixed bug #72647 (xmlrpc_encode() unexpected output after referencing array elements).
Fixed bug #72606 (heap-buffer-overflow (write) simplestring_addn simplestring.c).
A circular reference when serializing will now throw an instance of Error instead of resulting in a fatal error.
Zip:
Fixed bug #68302 (impossible to compile php with zip support).
Fixed bug #72660 (NULL Pointer dereference in zend_virtual_cwd).
Fixed bug #72520 (Stack-based buffer overflow vulnerability in php_stream_zip_opener).
ZipArchive::addGlob() will throw an instance of Error instead of resulting in a fatal error if glob support is not available.

New in PHP 7.0.12 (Oct 14, 2016)

Core:
Fixed bug #73025 (Heap Buffer Overflow in virtual_popen of zend_virtual_cwd.c).
Fixed bug #72703 (Out of bounds global memory read in BF_crypt triggered by password_verify).
Fixed bug #73058 (crypt broken when salt is 'too' long).
Fixed bug #69579 (Invalid free in extension trait).
Fixed bug #73156 (segfault on undefined function).
Fixed bug #73163 (PHP hangs if error handler throws while accessing undef const in default value).
Fixed bug #73172 (parse error: Invalid numeric literal).
Fixed for #73240 (Write out of bounds at number_format).
Fixed bug #73147 (Use After Free in PHP7 unserialize()).
Fixed bug #73189 (Memcpy negative size parameter php_resolve_path).
BCmath:
Fixed bug #73190 (memcpy negative parameter _bc_new_num_ex).
COM:
Fixed bug #73126 (Cannot pass parameter 1 by reference).
Date:
Fixed bug #73091 (Unserializing DateInterval object may lead to __toString invocation).
DOM:
Fixed bug #73150 (missing NULL check in dom_document_save_html).
Filter:
Fixed bug #72972 (Bad filter for the flags FILTER_FLAG_NO_RES_RANGE and FILTER_FLAG_NO_PRIV_RANGE).
Fixed bug #73054 (default option ignored when object passed to int filter).
GD:
Fixed bug #67325 (imagetruecolortopalette: white is duplicated in palette).
Fixed bug #50194 (imagettftext broken on transparent background w/o alphablending).
Fixed bug #73003 (Integer Overflow in gdImageWebpCtx of gd_webp.c).
Fixed bug #53504 (imagettfbbox gives incorrect values for bounding box).
Fixed bug #73157 (imagegd2() ignores 3rd param if 4 are given).
Fixed bug #73155 (imagegd2() writes wrong chunk sizes on boundaries).
Fixed bug #73159 (imagegd2(): unrecognized formats may result in corrupted files).
Fixed bug #73161 (imagecreatefromgd2() may leak memory).
Intl:
Fixed bug #73218 (add mitigation for ICU int overflow).
Mbstring:
Fixed bug #66797 (mb_substr only takes 32-bit signed integer).
Fixed bug #66964 (mb_convert_variables() cannot detect recursion).
Fixed bug #72992 (mbstring.internal_encoding doesn't inherit default_charset).
Mysqlnd:
Fixed bug #72489 (PHP Crashes When Modifying Array Containing MySQLi Result Data).
Opcache:
Fixed bug #72982 (Memory leak in zend_accel_blacklist_update_regexp() function).
OpenSSL:
Fixed bug #73072 (Invalid path SNI_server_certs causes segfault).
Fixed bug #73276 (crash in openssl_random_pseudo_bytes function).
Fixed bug #73275 (crash in openssl_encrypt function).
PCRE:
Fixed bug #73121 (Bundled PCRE doesn't compile because JIT isn't supported on s390).
Fixed bug #73174 (heap overflow in php_pcre_replace_impl).
PDO_DBlib:
Fixed bug #72414 (Never quote values as raw binary data).
Allow PDO::setAttribute() to set query timeouts.
Handle SQLDECIMAL/SQLNUMERIC types, which are used by later TDS versions.
Add common PDO test suite.
Free error and message strings when cleaning up PDO instances.
Fixed bug #67130 (PDOStatement::nextRowset() should succeed when all rows in current rowset haven't been fetched).
Ignore potentially misleading dberr values.
phpdbg:
Fixed bug #72996 (phpdbg_prompt.c undefined reference to DL_LOAD).
Fixed next command not stopping when leaving function.
Session:
Fixed bug #68015 (Session does not report invalid uid for files save handler).
Fixed bug #73100 (session_destroy null dereference in ps_files_path_create).
SimpleXML:
Fixed bug #73293 (NULL pointer dereference in SimpleXMLElement::asXML()).
SOAP:
Fixed bug #71711 (Soap Server Member variables reference bug).
Fixed bug #71996 (Using references in arrays doesn't work like expected).
SPL:
Fixed bug #73257, Fixed bug #73258 (SplObjectStorage unserialize allows use of non-object as key).
SQLite3:
Updated bundled SQLite3 to 3.14.2.
Zip:
Fixed bug #70752 (Depacking with wrong password leaves 0 length files).

New in PHP 7.0.11 (Sep 15, 2016)

Core:
Fixed bug #72944 (Null pointer deref in zval_delref_p).
Fixed bug #72943 (assign_dim on string doesn't reset hval).
Fixed bug #72911 (Memleak in zend_binary_assign_op_obj_helper).
Fixed bug #72813 (Segfault with __get returned by ref).
Fixed bug #72767 (PHP Segfaults when trying to expand an infinite operator).
Fixed bug #72854 (PHP Crashes on duplicate destructor call).
Fixed bug #72857 (stream_socket_recvfrom read access violation).
COM:
Fixed bug #72922 (COM called from PHP does not return out parameters).
Dba:
Fixed bug #70825 (Cannot fetch multiple values with group in ini file).
FTP:
Fixed bug #70195 (Cannot upload file using ftp_put to FTPES with require_ssl_reuse).
GD:
Fixed bug #72709 (imagesetstyle() causes OOB read for empty $styles).
Fixed bug #66005 (imagecopy does not support 1bit transparency on truecolor images).
Fixed bug #72913 (imagecopy() loses single-color transparency on palette images).
Fixed bug #68716 (possible resource leaks in _php_image_convert()).
iconv:
Fixed bug #72320 (iconv_substr returns false for empty strings).
IMAP:
Fixed bug #72852 (imap_mail null dereference).
Intl:
Fixed bug #65732 (grapheme_*() is not Unicode compliant on CR LF sequence).
Fixed bug #73007 (add locale length check).
Mysqlnd:
Fixed bug #72293 (Heap overflow in mysqlnd related to BIT fields).
OCI8:
Fixed invalid handle error with Implicit Result Sets.
Fixed bug #72524 (Binding null values triggers ORA-24816 error).
Opcache:
Fixed bug #72949 (Typo in opcache error message).
PDO:
Fixed bug #72788 (Invalid memory access when using persistent PDO connection).
Fixed bug #72791 (Memory leak in PDO persistent connection handling).
Fixed bug #60665 (call to empty() on NULL result using PDO::FETCH_LAZY returns false).
PDO_DBlib:
Implemented stringify 'uniqueidentifier' fields.
PDO_pgsql:
Implemented FR #72633 (Postgres PDO lastInsertId() should work without specifying a sequence).
Fixed bug #72759 (Regression in pgo_pgsql).
Phar:
Fixed bug #72928 (Out of bound when verify signature of zip phar in phar_parse_zipfile).
Fixed bug #73035 (Out of bound when verify signature of tar phar in phar_parse_tarfile).
Reflection:
Fixed bug #72846 (getConstant for a array constant with constant values returns NULL/NFC/UKNOWN).
Session:
Fixed bug #72724 (PHP7: session-uploadprogress kills httpd).
Fixed bug #72940 (SID always return "name=ID", even if session cookie exist).
SimpleXML:
Fixed bug #72971 (SimpleXML isset/unset do not respect namespace).
Fixed bug #72957 (Null coalescing operator doesn't behave as expected with SimpleXMLElement).
SPL:
Fixed bug #73029 (Missing type check when unserializing SplArray).
Standard:
Fixed bug #55451 (substr_compare NULL length interpreted as 0).
Fixed bug #72278 (getimagesize returning FALSE on valid jpg).
Fixed bug #65550 (get_browser() incorrectly parses entries with "+" sign).
Streams:
Fixed bug #72853 (stream_set_blocking doesn't work).
Fixed bug #72764 (ftps:// opendir wrapper data channel encryption fails with IIS FTP 7.5, 8.5).
Fixed bug #71882 (Negative ftruncate() on php://memory exhausts memory).
SQLite3:
Downgraded bundled SQLite to 3.8.10.2, see #73068
Sysvshm:
Fixed bug #72858 (shm_attach null dereference).
XML:
Fixed bug #72085 (SEGV on unknown address zif_xml_parse).
Fixed bug #72714 (_xml_startElementHandler() segmentation fault).
Wddx:
Fixed bug #72860 (wddx_deserialize use-after-free).
Fixed bug #73065 (Out-Of-Bounds Read in php_wddx_push_element).
ZIP:
Fixed bug #68302 (impossible to compile php with zip support).

New in PHP 7.0.8 (Jun 23, 2016)

Core:
Fixed bug #72218 (If host name cannot be resolved then PHP 7 crashes).
Fixed bug #72221 (segfault, past-the-end access).
Fixed bug #72268 (Integer Overflow in nl2br()).
Fixed bug #72275 (Integer Overflow in json_encode()/json_decode()/ json_utf8_to_utf16()).
Fixed bug #72400 (Integer Overflow in addcslashes/addslashes).
Fixed bug #72403 (Integer Overflow in Length of String-typed ZVAL).
FPM:
Fixed bug #72308 (fastcgi_finish_request and logging environment variables).
GD:
Fixed bug #72298 (pass2_no_dither out-of-bounds access).
Fixed bug #72337 (invalid dimensions can lead to crash) (Pierre)
Fixed bug #72339 (Integer Overflow in _gd2GetHeader() resulting in heap overflow).
Fixed bug #72407 (NULL Pointer Dereference at _gdScaleVert).
Intl: Fixed bug #64524 (Add intl.use_exceptions to php.ini-*).
mbstring:
Fixed bug #72402 (_php_mb_regex_ereg_replace_exec - double free).
mcrypt:
Fixed bug #72455 (Heap Overflow due to integer overflows).
PCRE:
Fixed bug #72143 (preg_replace uses int instead of size_t).
PDO_pgsql:
Fixed bug #71573 (Segfault (core dumped) if paramno beyond bound).
Fixed bug #72294 (Segmentation fault/invalid pointer in connection with pgsql_stmt_dtor).
Phpdbg:
Fixed bug #72284 (phpdbg fatal errors with coverage).
Postgres:
Fixed bug #72195 (pg_pconnect/pg_connect cause use-after-free).
Fixed bug #72197 (pg_lo_create arbitrary read).
SPL:
Fixed bug #72262 (int/size_t confusion in SplFileObject::fread).
Fixed bug #72433 (Use After Free Vulnerability in PHP's GC algorithm and unserialize).
Standard:
Fixed bug #72017 (range() with float step produces unexpected result).
Fixed bug #72193 (dns_get_record returns array containing elements of type 'unknown').
Fixed bug #72229 (Wrong reference when serialize/unserialize an object).
Fixed bug #72300 (ignore_user_abort(false) has no effect).
XML:
Fixed bug #72206 (xml_parser_create/xml_parser_free leaks mem).
XMLRPC:
Fixed bug #72155 (use-after-free caused by get_zval_xmlrpc_type).
WDDX:
Fixed bug #72340 (Double Free Courruption in wddx_deserialize).
Zip:
Fixed bug #72258 (ZipArchive converts filenames to unrecoverable form).
Fixed bug #72434 (ZipArchive class Use After Free Vulnerability in PHP's GC algorithm and unserialize).

New in PHP 7.0.7 (May 26, 2016)

Core:
Fixed bug #72162 (use-after-free - error_reporting).
Add compiler option to disable special case function calls.
Fixed bug #72101 (crash on complex code).
Fixed bug #72100 (implode() inserts garbage into resulting string when joins very big integer).
Fixed bug #72057 (PHP Hangs when using custom error handler and typehint).
Fixed bug #72038 (Function calls with values to a by-ref parameter don't always throw a notice).
Fixed bug #71737 (Memory leak in closure with parameter named $this).
Fixed bug #72059 (?? is not allowed on constant expressions).
Fixed bug #72159 (Imported Class Overrides Local Class Name).
Curl:
Fixed bug #68658 (Define CURLE_SSL_CACERT_BADFILE).
DBA:
Fixed bug #72157 (use-after-free caused by dba_open).
GD:
Fixed bug #72227 (imagescale out-of-bounds read).
Intl:
Fixed bug #72241 (get_icu_value_internal out-of-bounds read).
JSON:
Fixed bug #72069 (Behavior \JsonSerializable different from json_encode).
Mbstring:
Fixed bug #72164 (Null Pointer Dereference - mb_ereg_replace).
OCI8:
Fixed bug #71600 (oci_fetch_all segfaults when selecting more than eight columns).
Opcache:
Fixed bug #72014 (Including a file with anonymous classes multiple times leads to fatal error).
OpenSSL:
Fixed bug #72165 (Null pointer dereference - openssl_csr_new).
PCNTL:
Fixed bug #72154 (pcntl_wait/pcntl_waitpid array internal structure overwrite).
POSIX:
Fixed bug #72133 (php_posix_group_to_array crashes if gr_passwd is NULL).
Postgres:
Fixed bug #72028 (pg_query_params(): NULL converts to empty string).
Fixed bug #71062 (pg_convert() doesn't accept ISO 8601 for datatype timestamp).
Fixed bug #72151 (mysqli_fetch_object changed behaviour).
Reflection:
Fixed bug #72174 (ReflectionProperty#getValue() causes __isset call).
Session:
Fixed bug #71972 (Cyclic references causing session_start(): Failed to decode session object).
Sockets:
Added socket_export_stream() function for getting a stream compatible resource from a socket resource.
SPL:
Fixed bug #72051 (The reference in CallbackFilterIterator doesn't work as expected).
SQLite3:
Fixed bug #68849 (bindValue is not using the right data type).
Standard:
Fixed bug #72075 (Referencing socket resources breaks stream_select).
Fixed bug #72031 (array_column() against an array of objects discards all values matching null).

New in PHP 7.0.6 (May 26, 2016)

New in PHP 7.0.5 (Mar 31, 2016)

Core:
Huge pages disabled by default.
Added ability to enable huge pages in Zend Memory Manager through the environment variable USE_ZEND_ALLOC_HUGE_PAGES=1.
Fixed bug #71756 (Call-by-reference widens scope to uninvolved functions when used in switch).
Fixed bug #71729 (Possible crash in zend_bin_strtod, zend_oct_strtod, zend_hex_strtod).
Fixed bug #71695 (Global variables are reserved before execution).
Fixed bug #71629 (Out-of-bounds access in php_url_decode in context php_stream_url_wrap_rfc2397).
Fixed bug #71622 (Strings used in pass-as-reference cannot be used to invoke C::$callable()).
Fixed bug #71596 (Segmentation fault on ZTS with date function (setlocale)).
Fixed bug #71535 (Integer overflow in zend_mm_alloc_heap()).
Fixed bug #71470 (Leaked 1 hashtable iterators).
Fixed bug #71575 (ISO C does not allow extra ‘;’ outside of a function).
Fixed bug #71724 (yield from does not count EOLs).
Fixed bug #71767 (ReflectionMethod::getDocComment returns the wrong comment).
Fixed bug #71806 (php_strip_whitespace() fails on some numerical values).
Fixed bug #71624 (`php -R` (PHP_MODE_PROCESS_STDIN) is broken).
CLI Server:
Fixed bug #69953 (Support MKCALENDAR request method).
Curl:
Fixed bug #71694 (Support constant CURLM_ADDED_ALREADY).
Date:
Fixed bug #71635 (DatePeriod::getEndDate segfault).
Fileinfo:
Fixed bug #71527 (Buffer over-write in finfo_open with malformed magic file).
libxml:
Fixed bug #71536 (Access Violation crashes php-cgi.exe).
mbstring:
Fixed bug #71906 (AddressSanitizer: negative-size-param (-1) in mbfl_strcut).
ODBC:
Fixed bug #47803, #69526 (Executing prepared statements is succesfull only for the first two statements).
PCRE:
Fixed bug #71659 (segmentation fault in pcre running twig tests).
PDO_DBlib:
Fixed bug #54648 (PDO::MSSQL forces format of datetime fields).
Phar:
Fixed bug #71625 (Crash in php7.dll with bad phar filename).
Fixed bug #71317 (PharData fails to open specific file).
Fixed bug #71860 (Invalid memory write in phar on filename with \0 in name).
phpdbg:
Fixed crash when advancing (except step) inside an internal function.
Session:
Fixed bug #71683 (Null pointer dereference in zend_hash_str_find_bucket).
SNMP:
Fixed bug #71704 (php_snmp_error() Format String Vulnerability).
SPL:
Fixed bug #71617 (private properties lost when unserializing ArrayObject).
Standard:
Fixed bug #71660 (array_column behaves incorrectly after foreach by reference).
Fixed bug #71798 (Integer Overflow in php_raw_url_encode).
Zip:
Update bundled libzip to 1.1.2.

New in PHP 7.0.4 (Mar 3, 2016)

New in PHP 7.0.3 (Mar 3, 2016)

Core:
Added support for new HTTP 451 code.
Fixed bug #71039 (exec functions ignore length but look for NULL termination).
Fixed bug #71089 (No check to duplicate zend_extension).
Fixed bug #71201 (round() segfault on 64-bit builds).
Fixed bug #71221 (Null pointer deref (segfault) in get_defined_vars via ob_start).
Fixed bug #71248 (Wrong interface is enforced).
Fixed bug #71273 (A wrong ext directory setup in php.ini leads to crash).
Fixed bug #71275 (Bad method called on cloning an object having a trait).
Fixed bug #71297 (Memory leak with consecutive yield from).
Fixed bug #71300 (Segfault in zend_fetch_string_offset).
Fixed bug #71314 (var_export(INF) prints INF.0).
Fixed bug #71323 (Output of stream_get_meta_data can be falsified by its input).
Fixed bug #71336 (Wrong is_ref on properties as exposed via get_object_vars()).
Fixed bug #71459 (Integer overflow in iptcembed()).
Apache2handler:
Fix >2G Content-Length headers in apache2handler.
CURL:
Fixed bug #71227 (Can't compile php_curl statically).
Fixed bug #71225 (curl_setopt() fails to set CURLOPT_POSTFIELDS with reference to CURLFile).
GD:
Improved fix for bug #70976.
Interbase:
Fixed bug #71305 (Crash when optional resource is omitted).
LDAP:
Fixed bug #71249 (ldap_mod_replace/ldap_mod_add store value as string "Array").
mbstring:
Fixed bug #71397 (mb_send_mail segmentation fault).
OpenSSL:
Fixed bug #71475 (openssl_seal() uninitialized memory usage).
PCRE:
Upgraded bundled PCRE library to 8.38. (CVE-2015-8383, CVE-2015-8386, CVE-2015-8387, CVE-2015-8389, CVE-2015-8390, CVE-2015-8391, CVE-2015-8393, CVE-2015-8394)
Phar:
Fixed bug #71354 (Heap corruption in tar/zip/phar parser).
Fixed bug #71391 (NULL Pointer Dereference in phar_tar_setupmetadata()).
Fixed bug #71488 (Stack overflow when decompressing tar archives).
SOAP:
Fixed bug #70979 (crash with bad soap request).
SPL:
Fixed bug #71204 (segfault if clean spl_autoload_funcs while autoloading).
Fixed bug #71202 (Autoload function registered by another not activated immediately).
Fixed bug #71311 (Use-after-free vulnerability in SPL(ArrayObject, unserialize)).
Fixed bug #71313 (Use-after-free vulnerability in SPL(SplObjectStorage, unserialize)).
Standard:
Fixed bug #71287 (Error message contains hexadecimal instead of decimal number).
Fixed bug #71264 (file_put_contents() returns unexpected value when filesystem runs full).
Fixed bug #71245 (file_get_contents() ignores "header" context option if it's a reference).
Fixed bug #71220 (Null pointer deref (segfault) in compact via ob_start).
Fixed bug #71190 (substr_replace converts integers in original $search array to strings).
Fixed bug #71188 (str_replace converts integers in original $search array to strings).
Fixed bug #71132, #71197 (range() segfaults).
WDDX:
Fixed bug #71335 (Type Confusion in WDDX Packet Deserialization).

New in PHP 7.0.2 (Jan 7, 2016)

Core:
Fixed bug #71165 (-DGC_BENCH=1 doesn't work on PHP7).
Fixed bug #71163 (Segmentation Fault: cleanup_unfinished_calls).
Fixed bug #71109 (ZEND_MOD_CONFLICTS("xdebug") doesn't work).
Fixed bug #71092 (Segmentation fault with return type hinting).
Fixed bug memleak in header_register_callback.
Fixed bug #71067 (Local object in class method stays in memory for each call).
Fixed bug #66909 (configure fails utf8_to_mutf7 test).
Fixed bug #70781 (Extension tests fail on dynamic ext dependency).
Fixed bug #71089 (No check to duplicate zend_extension).
Fixed bug #71086 (Invalid numeric literal parse error within highlight_string() function).
Fixed bug #71154 (Incorrect HT iterator invalidation causes iterator reuse).
Fixed bug #52355 (Negating zero does not produce negative zero).
Fixed bug #66179 (var_export() exports float as integer).
Fixed bug #70804 (Unary add on negative zero produces positive zero).
CURL:
Fixed bug #71144 (Sementation fault when using cURL with ZTS).
DBA:
Fixed key leak with invalid resource.
Filter:
Fixed bug #71063 (filter_input(INPUT_ENV, ..) does not work).
FTP:
Implemented FR #55651 (Option to ignore the returned FTP PASV address).
FPM:
Fixed bug #70755 (fpm_log.c memory leak and buffer overflow).
GD:
Fixed bug #70976 (Memory Read via gdImageRotateInterpolated Array Index Out of Bounds).
Mbstring:
Fixed bug #71066 (mb_send_mail: Program terminated with signal SIGSEGV, Segmentation fault).
Opcache:
Fixed bug #71127 (Define in auto_prepend_file is overwrite).
PCRE:
Fixed bug #71178 (preg_replace with arrays creates [0] in replace array if not already set).
Readline:
Fixed bug #71094 (readline_completion_function corrupts static array on second TAB).
Session:
Fixed bug #71122 (Session GC may not remove obsolete session data).
SPL:
Fixed bug #71077 (ReflectionMethod for ArrayObject constructor returns wrong number of parameters).
Fixed bug #71153 (Performance Degradation in ArrayIterator with large arrays).
Standard:
Fixed bug #71270 (Heap BufferOver Flow in escapeshell functions).
WDDX:
Fixed bug #70661 (Use After Free Vulnerability in WDDX Packet Deserialization).
Fixed bug #70741 (Session WDDX Packet Deserialization Type Confusion Vulnerability).
XMLRPC:
Fixed bug #70728 (Type Confusion Vulnerability in PHP_to_XMLRPC_worker).

New in PHP 7.0.1 (Jan 7, 2016)

Core:
Fixed bug #71105 (Format String Vulnerability in Class Name Error Message). (CVE-2015-8617)
Fixed bug #70831 (Compile fails on system with 160 CPUs).
Fixed bug #71006 (symbol referencing errors on Sparc/Solaris).
Fixed bug #70997 (When using parentClass:: instead of parent::, static context changed).
Fixed bug #70970 (Segfault when combining error handler with output buffering).
Fixed bug #70967 (Weird error handling for __toString when Error is thrown).
Fixed bug #70958 (Invalid opcode while using ::class as trait method paramater default value).
Fixed bug #70944 (try{ } finally{} can create infinite chains of exceptions).
Fixed bug #70931 (Two errors messages are in conflict).
Fixed bug #70904 (yield from incorrectly marks valid generator as finished).
Fixed bug #70899 (buildconf failure in extensions).
Fixed bug #61751 (SAPI build problem on AIX: Undefined symbol: php_register_internal_extensions).
Fixed \int (or generally every scalar type name with leading backslash) to not be accepted as type name.
Fixed exception not being thrown immediately into a generator yielding from an array.
Fixed bug #70987 (static::class within Closure::call() causes segfault).
Fixed bug #71013 (Incorrect exception handler with yield from).
Fixed double free in error condition of format printer.
CLI server:
Fixed bug #71005 (Segfault in php_cli_server_dispatch_router()).
Intl:
Fixed bug #71020 (Use after free in Collator::sortWithSortKeys). (CVE-2015-8616)
Mysqlnd:
Fixed bug #68077 (LOAD DATA LOCAL INFILE / open_basedir restriction).
Fixed bug #68344 (MySQLi does not provide way to disable peer certificate validation) by introducing MYSQLI_CLIENT_SSL_DONT_VERIFY_SERVER_CERT connection flag.
OCI8:
Fixed LOB implementation size_t/zend_long mismatch reported by gcov.
Opcache:
Fixed bug #71024 (Unable to use PHP 7.0 x64 side-by-side with PHP 5.6 x32 on the same server).
Fixed bug #70991 (zend_file_cache.c:710: error: array type has incomplete element type).
Fixed bug #70977 (Segmentation fault with opcache.huge_code_pages=1).
PDO_Firebird:
Fixed bug #60052 (Integer returned as a 64bit integer on X64_86).
Phpdbg:
Fixed stderr being written to stdout.
Reflection:
Fixed bug #71018 (ReflectionProperty::setValue() behavior changed).
Fixed bug #70982 (setStaticPropertyValue behaviors inconsistently with 5.6).
Soap:
Fixed bug #70993 (Array key references break argument processing).
SPL:
Fixed bug #71028 (Undefined index with ArrayIterator).
SQLite3:
Fixed bug #71049 (SQLite3Stmt::execute() releases bound parameter instead of internal buffer).
Standard:
Fixed bug #70999 (php_random_bytes: called object is not a function).
Fixed bug #70960 (ReflectionFunction for array_unique returns wrong number of parameters).
Streams/Socket:
Add IPV6_V6ONLY constant / make it usable in stream contexts.

New in PHP 7.0.0 (Dec 3, 2015)

Core:
Fixed bug #70947 (INI parser segfault with INI_SCANNER_TYPED).
Fixed bug #70914 (zend_throw_or_error() format string vulnerability).
Fixed bug #70912 (Null ptr dereference instantiating class with invalid array property).
Fixed bug #70895, #70898 (null ptr deref and segfault with crafted calable).
Fixed bug #70249 (Segmentation fault while running PHPUnit tests on phpBB 3.2-dev).
Fixed bug #70805 (Segmentation faults whilst running Drupal 8 test suite).
Fixed bug #70842 (Persistent Stream Segmentation Fault).
Fixed bug #70862 (Several functions do not check return code of php_stream_copy_to_mem()).
Fixed bug #70863 (Incorect logic to increment_function for proxy objects).
Fixed bug #70323 (Regression in zend_fetch_debug_backtrace() can cause segfaults).
Fixed bug #70873 (Regression on private static properties access).
Fixed bug #70748 (Segfault in ini_lex () at Zend/zend_ini_scanner.l).
Fixed bug #70689 (Exception handler does not work as expected).
Fixed bug #70430 (Stack buffer overflow in zend_language_parser()).
Fixed bug #70782 (null ptr deref and segfault (zend_get_class_fetch_type)).
Fixed bug #70785 (Infinite loop due to exception during identical comparison).
Fixed bug #70630 (Closure::call/bind() crash with ReflectionFunction-> getClosure()).
Fixed bug #70662 (Duplicate array key via undefined index error handler).
Fixed bug #70681 (Segfault when binding $this of internal instance method to null).
Fixed bug #70685 (Segfault for getClosure() internal method rebind with invalid $this).
Added zend_internal_function.reserved[] fields.
Fixed bug #70557 (Memleak on return type verifying failed).
Fixed bug #70555 (fun_get_arg() on unsetted vars return UNKNOW).
Fixed bug #70548 (Redundant information printed in case of uncaught engine exception).
Fixed bug #70547 (unsetting function variables corrupts backtrace).
Fixed bug #70528 (assert() with instanceof adds apostrophes around class name).
Fixed bug #70481 (Memory leak in auto_global_copy_ctor() in ZTS build).
Fixed bug #70431 (Memory leak in php_ini.c).
Fixed bug #70478 (**= does no longer work).
Fixed bug #70398 (SIGSEGV, Segmentation fault zend_ast_destroy_ex).
Fixed bug #70332 (Wrong behavior while returning reference on object).
Fixed bug #70300 (Syntactical inconsistency with new group use syntax).
Fixed bug #70321 (Magic getter breaks reference to array property).
Fixed bug #70187 (Notice: unserialize(): Unexpected end of serialized data).
Fixed bug #70145 (From field incorrectly parsed from headers).
Fixed bug #70370 (Bundled libtool.m4 doesn't handle FreeBSD 10 when building extensions).
Fixed bug causing exception traces with anon classes to be truncated.
Fixed bug #70397 (Segmentation fault when using Closure::call and yield).
Fixed bug #70299 (Memleak while assigning object offsetGet result).
Fixed bug #70288 (Apache crash related to ZEND_SEND_REF).
Fixed bug #70262 (Accessing array crashes PHP 7.0beta3).
Fixed bug #70258 (Segfault if do_resize fails to allocated memory).
Fixed bug #70253 (segfault at _efree () in zend_alloc.c:1389).
Fixed bug #70240 (Segfault when doing unset($var());).
Fixed bug #70223 (Incrementing value returned by magic getter).
Fixed bug #70215 (Segfault when __invoke is static).
Fixed bug #70207 (Finally is broken with opcache).
Fixed bug #70173 (ZVAL_COPY_VALUE_EX broken for 32bit Solaris Sparc).
Fixed bug #69487 (SAPI may truncate POST data).
Fixed bug #70198 (Checking liveness does not work as expected).
Fixed bug #70241, #70293 (Skipped assertions affect Generator returns).
Fixed bug #70239 (Creating a huge array doesn't result in exhausted, but segfault).
Fixed "finally" issues.
Fixed bug #70098 (Real memory usage doesn't decrease).
Fixed bug #70159 (__CLASS__ is lost in closures).
Fixed bug #70156 (Segfault in zend_find_alias_name).
Fixed bug #70124 (null ptr deref / seg fault in ZEND_HANDLE_EXCEPTION).
Fixed bug #70117 (Unexpected return type error).
Fixed bug #70106 (Inheritance by anonymous class).
Fixed bug #69674 (SIGSEGV array.c:953).
Fixed bug #70164 (__COMPILER_HALT_OFFSET__ under namespace is not defined).
Fixed bug #70108 (sometimes empty $_SERVER['QUERY_STRING']).
Fixed bug #70179 ($this refcount issue).
Fixed bug #69896 ('asm' operand has impossible constraints).
Fixed bug #70183 (null pointer deref (segfault) in zend_eval_const_expr).
Fixed bug #70182 (Segfault in ZEND_ASSIGN_DIV_SPEC_CV_UNUSED_HANDLER).
Fixed bug #69793 (Remotely triggerable stack exhaustion via recursive method calls).
Fixed bug #69892 (Different arrays compare indentical due to integer key truncation).
Fixed bug #70121 (unserialize() could lead to unexpected methods execution / NULL pointer deref).
Fixed bug #70089 (segfault at ZEND_FETCH_DIM_W_SPEC_VAR_CONST_HANDLER ()).
Fixed bug #70057 (Build failure on 32-bit Mac OS X 10.6.8: recursive inlining).
Fixed bug #70012 (Exception lost with nested finally block).
Fixed bug #69996 (Changing the property of a cloned object affects the original).
Fixed bug #70083 (Use after free with assign by ref to overloaded objects).
Fixed bug #70006 (cli - function with default arg = STDOUT crash output).
Fixed bug #69521 (Segfault in gc_collect_cycles()).
Improved zend_string API.
Fixed bug #69955 (Segfault when trying to combine [] and assign-op on ArrayAccess object).
Fixed bug #69957 (Different ways of handling div/mod/intdiv).
Fixed bug #69900 (Too long timeout on pipes).
Fixed bug #69872 (uninitialised value in strtr with array).
Fixed bug #69868 (Invalid read of size 1 in zend_compile_short_circuiting).
Fixed bug #69849 (Broken output of apache_request_headers).
Fixed bug #69840 (iconv_substr() doesn't work with UTF-16BE).
Fixed bug #69823 (PHP 7.0.0alpha1 segmentation fault when exactly 33 extensions are loaded).
Fixed bug #69805 (null ptr deref and seg fault in zend_resolve_class_name).
Fixed bug #69802 (Reflection on Closure::__invoke borks type hint class name).
Fixed bug #69761 (Serialization of anonymous classes should be prevented).
Fixed bug #69551 (parse_ini_file() and parse_ini_string() segmentation fault).
Fixed bug #69781 (phpinfo() reports Professional Editions of Windows 7/8/8.1/10 as "Business").
Fixed bug #69835 (phpinfo() does not report many Windows SKUs).
Fixed bug #69889 (Null coalesce operator doesn't work for string offsets).
Fixed bug #69891 (Unexpected array comparison result).
Fixed bug #69892 (Different arrays compare indentical due to integer key truncation).
Fixed bug #69893 (Strict comparison between integer and empty string keys crashes).
Fixed bug #69767 (Default parameter value with wrong type segfaults).
Fixed bug #69756 (Fatal error: Nesting level too deep - recursive dependency ? with ===).
Fixed bug #69758 (Item added to array not being removed by array_pop/shift ).
Fixed bug #68475 (Add support for $callable() sytnax with 'Class::method').
Fixed bug #69485 (Double free on zend_list_dtor).
Fixed bug #69427 (Segfault on magic method __call of private method in superclass).
Improved __call() and __callStatic() magic method handling. Now they are called in a stackless way using ZEND_CALL_TRAMPOLINE opcode, without additional stack frame.
Optimized strings concatenation.
Fixed weird operators behavior. Division by zero now emits warning and returns +/-INF, modulo by zero and intdid() throws an exception, shifts by negative offset throw exceptions. Compile-time evaluation of division by zero is disabled.
Fixed bug #69371 (Hash table collision leads to inaccessible array keys).
Fixed bug #68933 (Invalid read of size 8 in zend_std_read_property).
Fixed bug #68252 (segfault in Zend/zend_hash.c in function _zend_hash_del_el).
Fixed bug #65598 (Closure executed via static autoload incorrectly marked as static).
Fixed bug #66811 (Cannot access static::class in lambda, writen outside of a class).
Fixed bug #69568 (call a private function in closure failed).
Added PHP_INT_MIN constant.
Added Closure::call() method.
Fixed bug #67959 (Segfault when calling phpversion('spl')).
Implemented the RFC `Catchable "Call to a member function bar() on a non-object"`.
Added options parameter for unserialize allowing to specify acceptable classes (https://wiki.php.net/rfc/secure_unserialize).
Fixed bug #63734 (Garbage collector can free zvals that are still referenced).
Removed ZEND_ACC_FINAL_CLASS, promoting ZEND_ACC_FINAL as final class modifier.
is_long() & is_integer() is now an alias of is_int().
Implemented FR #55467 (phpinfo: PHP Variables with $ and single quotes).
Added ?? operator.
Added operator.
Added \u{xxxxx} Unicode Codepoint Escape Syntax.
Fixed oversight where define() did not support arrays yet const syntax did.
Use "integer" and "float" instead of "long" and "double" in ZPP, type hint and conversion error messages.
Implemented FR #55428 (E_RECOVERABLE_ERROR when output buffering in output buffering handler).
Removed scoped calls of non-static methods from an incompatible $this context.
Removed support for #-style comments in ini files.
Removed support for assigning the result of new by reference.
Invalid octal literals in source code now produce compile errors, fixes PHPSadness #31.
Removed dl() function on fpm-fcgi.
Removed support for hexadecimal numeric strings.
Removed obsolete extensions and SAPIs. See the full list in UPGRADING.
Added NULL byte protection to exec, system and passthru.
Added error_clear_last() function.
Fixed bug #68797 (Number 2.2250738585072012e-308 converted incorrectly).
Improved zend_qsort(using hybrid sorting algo) for better performance, and also renamed zend_qsort to zend_sort.
Added stable sorting algo zend_insert_sort.
Improved zend_memnchr(using sunday algo) for better performance.
Implemented the RFC `Scalar Type Decalarations v0.5`.
Implemented the RFC `Group Use Declarations`.
Implemented the RFC `Continue Output Buffering`.
Implemented the RFC `Constructor behaviour of internal classes`.
Implemented the RFC `Fix "foreach" behavior`.
Implemented the RFC `Generator Delegation`.
Implemented the RFC `Anonymous Class Support`.
Implemented the RFC `Context Sensitive Lexer`.
Fixed bug #69511 (Off-by-one buffer overflow in php_sys_readlink).
CLI server:
Fixed bug #68291 (404 on urls with '+').
Fixed bug #66606 (Sets HTTP_CONTENT_TYPE but not CONTENT_TYPE).
Fixed bug #70264 (CLI server directory traversal).
Fixed bug #69655 (php -S changes MKCALENDAR request method to MKCOL).
Fixed bug #64878 (304 responses return Content-Type header).
Refactor MIME type handling to use a hash table instead of linear search.
Update the MIME type list from the one shipped by Apache HTTPD.
Added support for SEARCH WebDav method.
COM:
Fixed bug #69939 (Casting object to bool returns false).
Curl:
Fixed bug #70330 (Segmentation Fault with multiple "curl_copy_handle").
Fixed bug #70163 (curl_setopt_array() type confusion).
Fixed bug #70065 (curl_getinfo() returns corrupted values).
Fixed bug #69831 (Segmentation fault in curl_getinfo).
Fixed bug #68937 (Segfault in curl_multi_exec).
Removed support for unsafe file uploads.
Date:
Fixed bug #70245 (strtotime does not emit warning when 2nd parameter is object or string).
Fixed bug #70266 (DateInterval::__construct.interval_spec is not supposed to be optional).
Fixed bug #70277 (new DateTimeZone($foo) is ignoring text after null byte).
Fixed day_of_week function as it could sometimes return negative values internally.
Removed $is_dst parameter from mktime() and gmmktime().
Removed date.timezone warning (https://wiki.php.net/rfc/date.timezone_warning_removal).
Added "v" DateTime format modifier to get the 3-digit version of fraction of seconds.
Implemented FR #69089 (Added DateTime::RFC3339_EXTENDED to output in RFC3339 Extended format which includes fraction of seconds).
DBA:
Fixed bug #62490 (dba_delete returns true on missing item (inifile)).
Fixed bug #68711 (useless comparisons).
DOM:
Fixed bug #70558 ("Couldn't fetch" error in DOMDocument::registerNodeClass()).
Fixed bug #70001 (Assigning to DOMNode::textContent does additional entity encoding).
Fixed bug #69846 (Segmenation fault (access violation) when iterating over DOMNodeList).
Made DOMNode::textContent writeable.
EXIF:
Fixed bug #70385 (Buffer over-read in exif_read_data with TIFF IFD tag byte value of 32 bytes).
Fileinfo:
Fixed bug #66242 (libmagic: don't assume char is signed).
Filter:
New FILTER_VALIDATE_DOMAIN and better RFC conformance for FILTER_VALIDATE_URL.
FPM:
Fixed bug #70538 ("php-fpm -i" crashes).
Fixed bug #70279 (HTTP Authorization Header is sometimes passed to newer reqeusts).
Fixed bug #68945 (Unknown admin values segfault pools).
Fixed bug #65933 (Cannot specify config lines longer than 1024 bytes).
Implemented FR #67106 (Split main fpm config).
FTP:
Fixed bug #69082 (FTPS support on Windows).
GD:
Fixed bug #53156 (imagerectangle problem with point ordering).
Fixed bug #66387 (Stack overflow with imagefilltoborder).
Fixed bug #70102 (imagecreatefromwebm() shifts colors).
Fixed bug #66590 (imagewebp() doesn't pad to even length).
Fixed bug #66882 (imagerotate by -90 degrees truncates image by 1px).
Fixed bug #70064 (imagescale(..., IMG_BICUBIC) leaks memory).
Fixed bug #69024 (imagescale segfault with palette based image).
Fixed bug #53154 (Zero-height rectangle has whiskers).
Fixed bug #67447 (imagecrop() add a black line when cropping).
Fixed bug #68714 (copy 'n paste error).
Fixed bug #66339 (PHP segfaults in imagexbm).
Fixed bug #70047 (gd_info() doesn't report WebP support).
Replace libvpx with libwebp for bundled libgd.
Fixed bug #61221 (imagegammacorrect function loses alpha channel).
Made fontFetch's path parser thread-safe.
Removed T1Lib support.
GMP:
Fixed bug #70284 (Use after free vulnerability in unserialize() with GMP).
hash:
Fixed bug #70312 (HAVAL gives wrong hashes in specific cases).
IMAP:
Fixed bug #70158 (Building with static imap fails).
Fixed bug #69998 (curl multi leaking memory).
Intl:
Fixed bug #70453 (IntlChar::foldCase() incorrect arguments and missing constants).
Fixed bug #70454 (IntlChar::forDigit second parameter should be optional).
Removed deprecated aliases datefmt_set_timezone_id() and IntlDateFormatter::setTimeZoneID().
JSON:
Fixed bug #62010 (json_decode produces invalid byte-sequences).
Fixed bug #68546 (json_decode() Fatal error: Cannot access property started with '\0').
Replace non-free JSON parser with a parser from Jsond extension, fixes #63520 (JSON extension includes a problematic license statement).
Fixed bug #68938 (json_decode() decodes empty string without error).
LDAP:
Fixed bug #47222 (Implement LDAP_OPT_DIAGNOSTIC_MESSAGE).
LiteSpeed:
Updated LiteSpeed SAPI code from V5.5 to V6.6.
libxml:
Fixed handling of big lines in error messages with libxml >= 2.9.0.
Mcrypt:
Fixed bug #70625 (mcrypt_encrypt() won't return data when no IV was specified under RC4).
Fixed bug #69833 (mcrypt fd caching not working).
Fixed possible read after end of buffer and use after free.
Removed mcrypt_generic_end() alias.
Removed mcrypt_ecb(), mcrypt_cbc(), mcrypt_cfb(), mcrypt_ofb().
Mysqli:
Fixed bug #32490 (constructor of mysqli has wrong name).
Mysqlnd:
Fixed bug #70949 (SQL Result Sets With NULL Can Cause Fatal Memory Errors).
Fixed bug #70384 (mysqli_real_query():Unknown type 245 sent by the server).
Fixed bug #70456 (mysqlnd doesn't activate TCP keep-alive when connecting to a server).
Fixed bug #70572 segfault in mysqlnd_connect.
Fixed bug #69796 (mysqli_stmt::fetch doesn't assign null values to bound variables).
OCI8:
Fixed memory leak with LOBs.
Fixed bug #68298 (OCI int overflow).
Corrected oci8 hash destructors to prevent segfaults, and a few other fixes.
ODBC:
Fixed bug #69975 (PHP segfaults when accessing nvarchar(max) defined columns).
Opcache:
Fixed bug #70656 (require() statement broken after opcache_reset() or a few hours of use).
Fixed bug #70843 (Segmentation fault on MacOSX with opcache.file_cache_only=1).
Fixed bug #70724 (Undefined Symbols from opcache.so on Mac OS X 10.10).
Fixed compatibility with Windows 10 (see also bug #70652).
Attmpt to fix "Unable to reattach to base address" problem.
Fixed bug #70423 (Warning Internal error: wrong size calculation).
Fixed bug #70237 (Empty while and do-while segmentation fault with opcode on CLI enabled).
Fixed bug #70111 (Segfault when a function uses both an explicit return type and an explicit cast).
Fixed bug #70058 (Build fails when building for i386).
Fixed bug #70022 (Crash with opcache using opcache.file_cache_only=1).
Removed opcache.load_comments configuration directive. Now doc comments loading costs nothing and always enabled.
Fixed bug #69838 (Wrong size calculation for function table).
Fixed bug #69688 (segfault with eval and opcache fast shutdown).
Added experimental (disabled by default) file based opcode cache.
Fixed bug with try blocks being removed when extended_info opcode generation is turned on.
Fixed bug #68644 (strlen incorrect : mbstring + func_overload=2 +UTF-8 + Opcache).
OpenSSL:
Require at least OpenSSL version 0.9.8.
Fixed bug #68312 (Lookup for openssl.cnf causes a message box).
Fixed bug #55259 (openssl extension does not get the DH parameters from DH key resource).
Fixed bug #70395 (Missing ARG_INFO for openssl_seal()).
Fixed bug #60632 (openssl_seal fails with AES).
Implemented FR #70438 (Add IV parameter for openssl_seal and openssl_open).
Fixed bug #70014 (openssl_random_pseudo_bytes() is not cryptographically secure).
Fixed bug #69882 (OpenSSL error "key values mismatch" after openssl_pkcs12_read with extra cert).
Added "alpn_protocols" SSL context option allowing encrypted client/server streams to negotiate alternative protocols using the ALPN TLS extension when built against OpenSSL 1.0.2 or newer. Negotiated protocol information is accessible through stream_get_meta_data() output.
Removed "CN_match" and "SNI_server_name" SSL context options. Use automatic detection or the "peer_name" option instead.
Pcntl:
Fixed bug #70386 (Can't compile on NetBSD because of missing WCONTINUED and WIFCONTINUED).
Fixed bug #60509 (pcntl_signal doesn't decrease ref-count of old handler when setting SIG_DFL).
Implemented FR #68505 (Added wifcontinued and wcontinued).
Added rusage support to pcntl_wait() and pcntl_waitpid().
PCRE:
Fixed bug #70232 (Incorrect bump-along behavior with \K and empty string match).
Fixed bug #70345 (Multiple vulnerabilities related to PCRE functions).
Fixed bug #70232 (Incorrect bump-along behavior with \K and empty string match).
Fixed bug #53823 (preg_replace: * qualifier on unicode replace garbles the string).
Fixed bug #69864 (Segfault in preg_replace_callback).
PDO:
Fixed bug #70861 (Segmentation fault in pdo_parse_params() during Drupal 8 test suite).
Fixed bug #70389 (PDO constructor changes unrelated variables).
Fixed bug #70272 (Segfault in pdo_mysql).
Fixed bug #70221 (persistent sqlite connection + custom function segfaults).
Removed support for the /e (PREG_REPLACE_EVAL) modifier.
Fixed bug #59450 (./configure fails with "Cannot find php_pdo_driver.h").
PDO_DBlib:
Fixed bug #69757 (Segmentation fault on nextRowset).
PDO_mysql:
Fixed bug #68424 (Add new PDO mysql connection attr to control multi statements option).
PDO_OCI:
Fixed bug #70308 (PDO::ATTR_PREFETCH is ignored).
PDO_pgsql:
Fixed bug #69752 (PDOStatement::execute() leaks memory with DML Statements when closeCuror() is u).
Removed PGSQL_ATTR_DISABLE_NATIVE_PREPARED_STATEMENT attribute in favor of ATTR_EMULATE_PREPARES).
Phar:
Fixed bug #69720 (Null pointer dereference in phar_get_fp_offset()).
Fixed bug #70433 (Uninitialized pointer in phar_make_dirstream when zip entry filename is "/").
Improved fix for bug #69441.
Fixed bug #70019 (Files extracted from archive may be placed outside of destination directory).
Phpdbg:
Fixed bug #70614 (incorrect exit code in -rr mode with Exceptions).
Fixed bug #70532 (phpdbg must respect set_exception_handler).
Fixed bug #70531 (Run and quit mode (-qrr) should not fallback to interactive mode).
Fixed bug #70533 (Help overview (-h) does not rpint anything under Windows).
Fixed bug #70449 (PHP won't compile on 10.4 and 10.5 because of missing constants).
Fixed bug #70214 (FASYNC not defined, needs sys/file.h include).
Fixed bug #70138 (Segfault when displaying memory leaks).
Reflection:
Fixed bug #70650 (Wrong docblock assignment).
Fixed bug #70674 (ReflectionFunction::getClosure() leaks memory when used for internal functions).
Fixed bug causing bogus traces for ReflectionGenerator::getTrace().
Fixed inheritance chain of Reflector interface.
Added ReflectionGenerator class.
Added reflection support for return types and type declarations.
Session:
Fixed bug #70876 (Segmentation fault when regenerating session id with strict mode).
Fixed bug #70529 (Session read causes "String is not zero-terminated" error).
Fixed bug #70013 (Reference to $_SESSION is lost after a call to session_regenerate_id()).
Fixed bug #69952 (Data integrity issues accessing superglobals by reference).
Fixed bug #67694 (Regression in session_regenerate_id()).
Fixed bug #68941 (mod_files.sh is a bash-script).
SOAP:
Fixed bug #70940 (Segfault in soap / type_to_string).
Fixed bug #70900 (SoapClient systematic out of memory error).
Fixed bug #70875 (Segmentation fault if wsdl has no targetNamespace attribute).
Fixed bug #70715 (Segmentation fault inside soap client).
Fixed bug #70709 (SOAP Client generates Segfault).
Fixed bug #70388 (SOAP serialize_function_call() type confusion / RCE).
Fixed bug #70081 (SoapClient info leak / null pointer dereference via multiple type confusions).
Fixed bug #70079 (Segmentation fault after more than 100 SoapClient calls).
Fixed bug #70032 (make_http_soap_request calls zend_hash_get_current_key_ex(,,,NULL).
Fixed bug #68361 (Segmentation fault on SoapClient::__getTypes).
SPL:
Fixed bug #70959 (ArrayObject unserialize does not restore protected fields).
Fixed bug #70853 (SplFixedArray throws exception when using ref variable as index).
Fixed bug #70868 (PCRE JIT and pattern reuse segfault).
Fixed bug #70730 (Incorrect ArrayObject serialization if unset is called in serialize()).
Fixed bug #70573 (Cloning SplPriorityQueue leads to memory leaks).
Fixed bug #70303 (Incorrect constructor reflection for ArrayObject).
Fixed bug #70068 (Dangling pointer in the unserialization of ArrayObject items).
Fixed bug #70166 (Use After Free Vulnerability in unserialize() with SPLArrayObject).
Fixed bug #70168 (Use After Free Vulnerability in unserialize() with SplObjectStorage).
Fixed bug #70169 (Use After Free Vulnerability in unserialize() with SplDoublyLinkedList).
Fixed bug #70053 (MutlitpleIterator array-keys incompatible change in PHP 7).
Fixed bug #69970 (Use-after-free vulnerability in spl_recursive_it_move_forward_ex()).
Fixed bug #69845 (ArrayObject with ARRAY_AS_PROPS broken).
Changed ArrayIterator implementation using zend_hash_iterator_... API. Allowed modification of iterated ArrayObject using the same behavior as proposed in `Fix "foreach" behavior`. Removed "Array was modified outside object and internal position is no longer valid" hack.
Implemented FR #67886 (SplPriorityQueue/SplHeap doesn't expose extractFlags nor curruption state).
Fixed bug #66405 (RecursiveDirectoryIterator::CURRENT_AS_PATHNAME breaks the RecursiveIterator).
SQLite3:
Fixed bug #70571 (Memory leak in sqlite3_do_callback).
Fixed bug #69972 (Use-after-free vulnerability in sqlite3SafetyCheckSickOrOk()).
Fixed bug #69897 (segfault when manually constructing SQLite3Result).
Fixed bug #68260 (SQLite3Result::fetchArray declares wrong required_num_args).
Standard:
Fixed count on symbol tables.
Fixed bug #70963 (Unserialize shows UNKNOWN in result).
Fixed bug #70910 (extract() breaks variable references).
Fixed bug #70808 (array_merge_recursive corrupts memory of unset items).
Fixed bug #70667 (strtr() causes invalid writes and a crashes).
Fixed bug #70668 (array_keys() doesn't respect references when $strict is true).
Implemented the RFC `Random Functions Throwing Exceptions in PHP 7`.
Fixed bug #70487 (pack('x') produces an error).
Fixed bug #70342 (changing configuration with ignore_user_abort(true) isn't working).
Fixed bug #70295 (Segmentation fault with setrawcookie).
Fixed bug #67131 (setcookie() conditional for empty values not met).
Fixed bug #70365 (Use-after-free vulnerability in unserialize() with SplObjectStorage).
Fixed bug #70366 (Use-after-free vulnerability in unserialize() with SplDoublyLinkedList).
Fixed bug #70250 (extract() turns array elements to references).
Fixed bug #70211 (php 7 ZEND_HASH_IF_FULL_DO_RESIZE use after free).
Fixed bug #70208 (Assert breaking access on objects).
Fixed bug #70140 (str_ireplace/php_string_tolower - Arbitrary Code Execution).
Implemented FR #70112 (Allow "dirname" to go up various times).
Fixed bug #36365 (scandir duplicates file name at every 65535th file).
Fixed bug #70096 (Repeated iptcembed() adds superfluous FF bytes).
Fixed bug #70018 (exec does not strip all whitespace).
Fixed bug #69983 (get_browser fails with user agent of null).
Fixed bug #69976 (Unable to parse "all" urls with colon char).
Fixed bug #69768 (escapeshell*() doesn't cater to !).
Fixed bug #62922 (Truncating entire string should result in string).
Fixed bug #69723 (Passing parameters by reference and array_column).
Fixed bug #69523 (Cookie name cannot be empty).
Fixed bug #69325 (php_copy_file_ex does not pass the argument).
Fixed bug #69299 (Regression in array_filter's $flag argument in PHP 7).
Removed call_user_method() and call_user_method_array() functions.
Fixed user session handlers (See rfc:session.user.return-value).
Added intdiv() function.
Improved precision of log() function for base 2 and 10.
Remove string category support in setlocale().
Remove set_magic_quotes_runtime() and its alias magic_quotes_runtime().
Fixed bug #65272 (flock() out parameter not set correctly in windows).
Added preg_replace_callback_array function.
Deprecated salt option to password_hash.
Fixed bug #69686 (password_verify reports back error on PHP7 will null string).
Added Windows support for getrusage().
Removed hardcoded limit on number of pipes in proc_open().
Streams:
Fixed bug #70361 (HTTP stream wrapper doesn't close keep-alive connections).
Fixed bug #68532 (convert.base64-encode omits padding bytes).
Removed set_socket_blocking() in favor of its alias stream_set_blocking().
Tokenizer:
Fixed bug #69430 (token_get_all has new irrecoverable errors).
XMLReader:
Fixed bug #70309 (XmlReader read generates extra output).
XMLRPC:
Fixed bug #70526 (xmlrpc_set_type returns false on success).
XSL:
Fixed bug #70678 (PHP7 returns true when false is expected).
Fixed bug #70535 (XSLT: free(): invalid pointer).
Fixed bug #69782 (NULL pointer dereference).
Fixed bug #64776 (The XSLT extension is not thread safe).
Removed xsl.security_prefs ini option.
Zlib:
Added deflate_init(), deflate_add(), inflate_init(), inflate_add() functions allowing incremental/streaming compression/decompression.
Zip:
Fixed bug #70322 (ZipArchive::close() doesn't indicate errors).
Fixed bug #70350 (ZipArchive::extractTo allows for directory traversal when creating directories).
Added ZipArchive::setCompressionName and ZipArchive::setCompressionIndex methods.
Update bundled libzip to 1.0.1.
Fixed bug #67161 (ZipArchive::getStream() returns NULL for certain file).

New in PHP 5.6.16 (Nov 27, 2015)

New in PHP 7.0.0 RC 8 (Nov 26, 2015)

New in PHP 7.0.0 RC 7 (Nov 12, 2015)

New in PHP 5.6.15 (Oct 30, 2015)

New in PHP 7.0.0 RC 6 (Oct 30, 2015)

New in PHP 7.0.0 RC 5 (Oct 19, 2015)

New in PHP 5.6.14 (Oct 2, 2015)

New in PHP 7.0.0 RC 4 (Oct 1, 2015)

New in PHP 7.0.0 RC 3 (Sep 17, 2015)

New in PHP 5.6.13 (Sep 4, 2015)

New in PHP 7.0.0 RC 1 (Aug 21, 2015)

New in PHP 7.0.0 Beta 3 (Aug 7, 2015)

Core:
Fixed "finally" issues.
Fixed bug #70098 (Real memory usage doesn't decrease).
Fixed bug #70159 (__CLASS__ is lost in closures).
Fixed bug #70156 (Segfault in zend_find_alias_name)
Fixed bug #70124 (null ptr deref / seg fault in ZEND_HANDLE_EXCEPTION).
Fixed bug #70117 (Unexpected return type error).
Fixed bug #70106 (Inheritance by anonymous class).
Fixed bug #69674 (SIGSEGV array.c:953).
Fixed bug #70164 (__COMPILER_HALT_OFFSET__ under namespace is not defined).
Fixed bug #70108 (sometimes empty $_SERVER['QUERY_STRING']).
Fixed bug #70179 ($this refcount issue).
Fixed bug #69896 ('asm' operand has impossible constraints).
Fixed bug #70183 (null pointer deref (segfault) in zend_eval_const_expr).
Fixed bug #70182 (Segfault in ZEND_ASSIGN_DIV_SPEC_CV_UNUSED_HANDLER).
Fixed bug #69793 (Remotely triggerable stack exhaustion via recursive
method calls).
Fixed bug #69892 (Different arrays compare indentical due to integer key truncation).
Fixed bug #70121 (unserialize() could lead to unexpected methods execution NULL pointer deref).
Curl:
Fixed bug #70163 (curl_setopt_array() type confusion).
IMAP:
Fixed bug #70158 (Building with static imap fails).
Fixed bug #69998 (curl multi leaking memory).
Opcache:
Fixed bug #70111 (Segfault when a function uses both an explicit return
type and an explicit cast).
OpenSSL:
Fixed bug #70014 (openssl_random_pseudo_bytes() is not cryptographically
secure).
Phar:
Improved fix for bug #69441.
Fixed bug #70019 (Files extracted from archive may be placed outside of
destination directory).
Phpdbg:
Fixed bug #70138 (Segfault when displaying memory leaks).
SOAP:
Fixed bug #70081 (SoapClient info leak / null pointer dereference via
multiple type confusions).
SPL:
Fixed bug #70068 (Dangling pointer in the unserialization of ArrayObject
items).
Fixed bug #70166 (Use After Free Vulnerability in unserialize() with
SPLArrayObject).
Fixed bug #70168 (Use After Free Vulnerability in unserialize() with
SplObjectStorage).
Fixed bug #70169 (Use After Free Vulnerability in unserialize() with
SplDoublyLinkedList).
Standard:
Fixed bug #70140 (str_ireplace/php_string_tolower - Arbitrary Code
Implemented #70112 (Allow "dirname" to go up various times).
Fixed bug #36365 (scandir duplicates file name at every 65535th file).

New in PHP 7.0.0 Beta 2 (Jul 24, 2015)

New in PHP 7.0.0 Beta 1 (Jul 13, 2015)

New in PHP 5.6.11 (Jul 13, 2015)

New in PHP 7.0.0 Alpha 2 (Jun 25, 2015)

Core:
Fixed bug #69872 (uninitialised value in strtr with array).
Fixed bug #69868 (Invalid read of size 1 in zend_compile_short_circuiting).
Fixed bug #69849 (Broken output of apache_request_headers).
Fixed bug #69840 (iconv_substr() doesn't work with UTF-16BE).
Fixed bug #69823 (PHP 7.0.0alpha1 segmentation fault when exactly 33
extensions are loaded).
Fixed bug #69805 (null ptr deref and seg fault in zend_resolve_class_name).
Fixed bug #69802 (Reflection on Closure::__invoke borks type hint class
name).
Fixed bug #69761 (Serialization of anonymous classes should be prevented).
Fixed bug #69551 (parse_ini_file() and parse_ini_string() segmentation
fault).
Fixed bug #69781 (phpinfo() reports Professional Editions of Windows
7/8/8.1/10 as "Business").
Fixed bug #69835 (phpinfo() does not report many Windows SKUs).
Fixed bug #69889 (Null coalesce operator doesn't work for string offsets).
Fixed bug #69891 (Unexpected array comparison result).
Fixed bug #69892 (Different arrays compare indentical due to integer key
truncation).
Fixed bug #69893 (Strict comparison between integer and empty string keys
crashes).
DOM:
Fixed bug #69846 (Segmenation fault (access violation) when iterating over
DOMNodeList).
GD:
Fixed bug #61221 (imagegammacorrect function loses alpha channel).
mysqlnd:
Fixed Bug #69796 (mysqli_stmt::fetch doesn't assign null values to
bound variables).
Curl:
Fixed bug #69831 (Segmentation fault in curl_getinfo).
Opcache:
Removed opcache.load_comments configuration directive. Now doc comments
loading costs nothing and always enabled.
Fixed bug #69838 (Wrong size calculation for function table).
PCRE:
Fixed bug #69864 (Segfault in preg_replace_callback) (cmb, ab)
PDO_pgsql:
Fixed bug #69752 (PDOStatement::execute() leaks memory with DML
Statements when closeCuror() is u).
SPL:
Fixed bug #69845 (ArrayObject with ARRAY_AS_PROPS broken).
SQLite3:
Fixed bug #69897 (segfault when manually constructing SQLite3Result).
Standard:
Fixed bug #62922 (Truncating entire string should result in string).

New in PHP 7.0.0 Alpha 1 (Jun 13, 2015)

Core:
Fixed bug #69767 (Default parameter value with wrong type segfaults).
Fixed bug #69756 (Fatal error: Nesting level too deep - recursive dependency
? with ===).
Fixed bug #69758 (Item added to array not being removed by array_pop/shift
Fixed bug #68475 (Add support for $callable() sytnax with 'Class::method').
Fixed bug #69485 (Double free on zend_list_dtor).
Fixed bug #69427 (Segfault on magic method __call of private method in
superclass).
Improved __call() and __callStatic() magic method handling. Now they are
called in a stackless way using ZEND_CALL_TRAMPOLINE opcode, without
additional stack frame.
Optimized strings concatenation.
Fixed weird operators behavior. Division by zero now emits warning and
returns +/-INF, modulo by zero and intdid() throws an exception, shifts
by negative offset throw exceptions. Compile-time evaluation of division
by zero is disabled.
Fixed bug #69371 (Hash table collision leads to inaccessible array keys).
Fixed bug #68933 (Invalid read of size 8 in zend_std_read_property).
Fixed bug #68252 (segfault in Zend/zend_hash.c in function
_zend_hash_del_el).
Fixed bug #65598 (Closure executed via static autoload incorrectly marked as static).
Fixed bug #66811 (Cannot access static::class in lambda, writen outside of a
class).
Fixed bug #69568 (call a private function in closure failed).
Added PHP_INT_MIN constant.
Added Closure::call() method.
Fixed bug #67959 (Segfault when calling phpversion('spl')).
Implemented the RFC `Catchable "Call to a member function bar() on a
non-object"`.
Added options parameter for unserialize allowing to specify acceptable
classes
Fixed bug #63734 (Garbage collector can free zvals that are still
referenced).
Removed ZEND_ACC_FINAL_CLASS, promoting ZEND_ACC_FINAL as final class
modifier.
is_long() & is_integer() is now an alias of is_int(). (Kalle)
Implemented FR #55467 (phpinfo: PHP Variables with $ and single quotes).
Added ?? operator.
Added operator.
Added \u{xxxxx} Unicode Codepoint Escape Syntax. (Andrea)
Fixed oversight where define() did not support arrays yet const syntax did.
Use "integer" and "float" instead of "long" and "double" in ZPP, type hint
and conversion error messages.
Implemented FR #55428 (E_RECOVERABLE_ERROR when output buffering in output buffering handler).
Removed scoped calls of non-static methods from an incompatible $this
context.
Removed support for #-style comments in ini files.
Removed support for assigning the result of new by reference.
Invalid octal literals in source code now produce compile errors, fixes
PHPSadness #31.
Removed dl() function on fpm-fcgi.
Removed support for hexadecimal numeric strings.
Removed obsolete extensions and SAPIs. See the full list in UPGRADING.
Added NULL byte protection to exec, system and passthru.
Added error_clear_last() function.
Fixed bug #68797 (Number 2.2250738585072012e-308 converted incorrectly).
Improved zend_qsort(using hybrid sorting algo) for better performance,
and also renamed zend_qsort to zend_sort.
Added stable sorting algo zend_insert_sort.
Implemented the RFC `Scalar Type Decalarations v0.5`.
Implemented the RFC `Group Use Declarations`.
Implemented the RFC `Continue Output Buffering`.
Implemented the RFC `Constructor behaviour of internal classes`.
Implemented the RFC `Fix "foreach" behavior`.
Implemented the RFC `Generator Delegation`.
Implemented the RFC `Anonymous Class Support`.
Implemented the RFC `Context Sensitive Lexer`.
Fixed bug #69511 (Off-by-one buffer overflow in php_sys_readlink).
CLI server:
Refactor MIME type handling to use a hash table instead of linear search.
Update the MIME type list from the one shipped by Apache HTTPD.
Added support for SEARCH WebDav method.
Curl:
Fixed bug #68937 (Segfault in curl_multi_exec).
Removed support for unsafe file uploads.
Date:
Fixed day_of_week function as it could sometimes return negative values
internally.
Removed $is_dst parameter from mktime() and gmmktime().
Removed date.timezone warning
(https://wiki.php.net/rfc/date.timezone_warning_removal).
Added "v" DateTime format modifier to get the 3-digit version of fraction
of seconds.
Implemented FR #69089: Added DateTime::RFC3339_EXTENDED to output in
RFC3339 Extended format which includes fraction of seconds
DBA:
Fixed bug #62490 (dba_delete returns true on missing item (inifile)).
Fixed bug #68711 (useless comparisons). (bugreports at internot dot info)
DOM:
Made DOMNode::textContent writeable.
GD:
Made fontFetch's path parser thread-safe.
Removed T1Lib support.
Fileinfo:
Fixed bug #66242 (libmagic: don't assume char is signed).
Filter:
New FILTER_VALIDATE_DOMAIN and better RFC conformance for FILTER_VALIDATE_URL.
FPM:
Fixed bug #68945 (Unknown admin values segfault pools).
Fixed bug #65933 (Cannot specify config lines longer than 1024 bytes).
Implement request #67106 (Split main fpm config).
FTP:
Fixed bug #69082 (FTPS support on Windows).
Intl:
Removed deprecated aliases datefmt_set_timezone_id() and
IntlDateFormatter::setTimeZoneID().
JSON
Replace non-free JSON parser with a parser from Jsond extension, fixes #63520
(JSON extension includes a problematic license statement).
Fixed bug #68938 (json_decode() decodes empty string without error).
LDAP
Fixed bug #47222 (Implement LDAP_OPT_DIAGNOSTIC_MESSAGE).
LiteSpeed:
Updated LiteSpeed SAPI code from V5.5 to V6.6.
libxml:
Fixed handling of big lines in error messages with libxml >= 2.9.0.
Mcrypt:
Fixed possible read after end of buffer and use after free.
Removed mcrypt_generic_end() alias.
Removed mcrypt_ecb(), mcrypt_cbc(), mcrypt_cfb(), mcrypt_ofb().
Opcache:
Fixed bug #69688 (segfault with eval and opcache fast shutdown).
Added experimental (disabled by default) file based opcode cache.
Fixed bug with try blocks being removed when extended_info opcode
generation is turned on.
Fixed bug #68644 (strlen incorrect : mbstring + func_overload=2 +UTF-8
+ Opcache).
OpenSSL:
Added "alpn_protocols" SSL context option allowing encrypted client/server
streams to negotiate alternative protocols using the ALPN TLS extension when
built against OpenSSL 1.0.2 or newer. Negotiated protocol information is
accessible through stream_get_meta_data() output.
Removed "CN_match" and "SNI_server_name" SSL context options. Use automatic
detection or the "peer_name" option instead.
pcntl:
Fixed bug #60509 (pcntl_signal doesn't decrease ref-count of old handler
when setting SIG_DFL).
Added wifcontinued and wcontinued. (xilon-jul)
Added rusage support to pcntl_wait() and pcntl_waitpid().
PCRE:
Removed support for the /e (PREG_REPLACE_EVAL) modifier.
PDO:
Fixed bug #59450 (./configure fails with "Cannot find php_pdo_driver.h").
(maxime dot besson at smile dot fr)
PDO_mysql:
Fixed bug #68424 (Add new PDO mysql connection attr to control multi
statements option).
PDO_pgsql:
Removed PGSQL_ATTR_DISABLE_NATIVE_PREPARED_STATEMENT attribute in favor of ATTR_EMULATE_PREPARES).
Reflection
Fixed inheritance chain of Reflector interface.
Added ReflectionGenerator class.
Added reflection support for return types and type declarations.
Session:
Fixed bug #67694 (Regression in session_regenerate_id()).
Fixed bug #68941 (mod_files.sh is a bash-script).
SOAP:
Fixed bug #68361 (Segmentation fault on SoapClient::__getTypes).
SPL:
Changed ArrayIterator implementation using zend_hash_iterator_... API.
Allowed modification of iterated ArrayObject using the same behavior
as proposed in `Fix "foreach" behavior`. Removed "Array was modified
outside object and internal position is no longer valid" hack.
Implemented #67886 (SplPriorityQueue/SplHeap doesn't expose extractFlags
nor curruption state).
Fixed bug #66405 (RecursiveDirectoryIterator::CURRENT_AS_PATHNAME
breaks the RecursiveIterator).
Sqlite3:
Fixed bug #68260 (SQLite3Result::fetchArray declares wrong
required_num_args).
Standard:
Fixed bug #69723 (Passing parameters by reference and array_column).
Fixed bug #69523 (Cookie name cannot be empty).
Fixed bug #69325 (php_copy_file_ex does not pass the argument).
Fixed bug #69299 (Regression in array_filter's $flag argument in PHP 7).
Removed call_user_method() and call_user_method_array() functions.
Fixed user session handlers (See rfc:session.user.return-value).
Added intdiv() function.
Improved precision of log() function for base 2 and 10.
Remove string category support in setlocale().
Remove set_magic_quotes_runtime() and its alias magic_quotes_runtime().
Fixed bug #65272 (flock() out parameter not set correctly in windows).
Added preg_replace_callback_array function.
Deprecated salt option to password_hash.
Fixed bug #69686 (password_verify reports back error on PHP7 will null
string).
Added Windows support for getrusage().
Removed hardcoded limit on number of pipes in proc_open().
Streams:
Fixed bug #68532 (convert.base64-encode omits padding bytes).
Removed set_socket_blocking() in favor of its alias stream_set_blocking().
XSL:
Fixed bug #64776 (The XSLT extension is not thread safe).
Removed xsl.security_prefs ini option.
Zlib:
Added deflate_init(), deflate_add(), inflate_init(), inflate_add()
functions allowing incremental/streaming compression/decompression.
Zip:
Added ZipArchive::setCompressionName and ZipArchive::setCompressionIndex methods
Update bundled libzip to 1.0.1
Fixed bug #67161. (ZipArchive::getStream() returns NULL for certain file)

New in PHP 5.6.9 (Jun 11, 2015)

New in PHP 5.6.8 (May 15, 2015)

Core:
Fixed bug #66609 (php crashes with __get() and ++ operator in some cases).
Fixed bug #68021 (get_browser() browser_name_regex returns non-utf-8 characters).
Fixed bug #68917 (parse_url fails on some partial urls).
Fixed bug #69134 (Per Directory Values overrides PHP_INI_SYSTEM configuration options).
Additional fix for bug #69152 (Type confusion vulnerability in exception::getTraceAsString).
Fixed bug #69210 (serialize function return corrupted data when sleep has non-string values).
Fixed bug #69212 (Leaking VIA_HANDLER func when exception thrown in __call/... arg passing).
Fixed bug #69221 (Segmentation fault when using a generator in combination with an Iterator).
Fixed bug #69337 (php_stream_url_wrap_http_ex() type-confusion vulnerability).
Fixed bug #69353 (Missing null byte checks for paths in various PHP extensions).
Apache2handler:
Fixed bug #69218 (potential remote code execution with apache 2.4 apache2handler). (CVE-2015-3330)
cURL:
Implemented FR #69278 (HTTP2 support).
Fixed bug #68739 (Missing break / control flow).
Fixed bug #69316 (Use-after-free in php_curl related to CURLOPT_FILE/_INFILE/_WRITEHEADER).
Date:
Fixed bug #69336 (Issues with "last day of ").
Enchant:
Fixed bug #65406 (Enchant broker plugins are in the wrong place in windows builds).
Ereg:
Fixed bug #68740 (NULL Pointer Dereference).
Fileinfo:
Fixed bug #68819 (Fileinfo on specific file causes spurious OOM and/or segfault).
Filter:
Fixed bug #69202 (FILTER_FLAG_STRIP_BACKTICK ignored unless other flags are used).
Fixed bug #69203 (FILTER_FLAG_STRIP_HIGH doesn't strip ASCII 127).
Mbstring:
Fixed bug #68846 (False detection of CJK Unified Ideographs Extension E).
OPCache:
Fixed bug #69297 (function_exists strange behavior with OPCache on disabled function).
Fixed bug #69281 (opcache_is_script_cached no longer works).
Fixed bug #68677 (Use After Free). (CVE-2015-1351)
OpenSSL:
Fixed bug #68853, #65137 (Buffered crypto stream data breaks IO polling in stream_select() contexts).
Fixed bug #69197 (openssl_pkcs7_sign handles default value incorrectly).
Fixed bug #69215 (Crypto servers should send client CA list).
Add a check for RAND_egd to allow compiling against LibreSSL.
Phar:
Fixed bug #64343 (PharData::extractTo fails for tarball created by BSD tar).
Fixed bug #64931 (phar_add_file is too restrictive on filename).
Fixed bug #65467 (Call to undefined method cli_arg_typ_string).
Fixed bug #67761 (Phar::mapPhar fails for Phars inside a path containing ".tar").
Fixed bug #69324 (Buffer Over-read in unserialize when parsing Phar). (CVE-2015-2783)
Fixed bug #69441 (Buffer Overflow when parsing tar/zip/phar in phar_set_inode). (CVE-2015-3329)
Postgres:
Fixed bug #68741 (Null pointer dereference). (CVE-2015-1352)
SOAP:
Fixed bug #69152 (Type Confusion Infoleak Vulnerability in unserialize() with SoapFault).
Fixed bug #69293 (NEW segfault when using SoapClient::__setSoapHeader (bisected, regression)).
SPL:
Fixed bug #69227 (Use after free in zval_scan caused by spl_object_storage_get_gc).
Sqlite3:
Fixed bug #68760 (SQLITE segfaults if custom collator throws an exception).
Fixed bug #69287 (Upgrade bundled libsqlite to 3.8.8.3).
Fixed bug #66550 (SQLite prepared statement use-after-free).

New in PHP 5.6.7 (Mar 23, 2015)

Core:
Fixed bug #69174 (leaks when unused inner class use traits precedence).
Fixed bug #69139 (Crash in gc_zval_possible_root on unserialize).
Fixed bug #69121 (Segfault in get_current_user when script owner is not in passwd with ZTS build).
Fixed bug #65593 (Segfault when calling ob_start from output buffering callback).
Fixed bug #68986 (pointer returned by php_stream_fopen_temporary_file not validated in memory.c).
Fixed bug #68166 (Exception with invalid character causes segv).
Fixed bug #69141 (Missing arguments in reflection info for some builtin functions).
Fixed bug #68976 (Use After Free Vulnerability in unserialize()). (CVE-2015-0231)
Fixed bug #69134 (Per Directory Values overrides PHP_INI_SYSTEM configuration options).
Fixed bug #69207 (move_uploaded_file allows nulls in path).
CGI:
Fixed bug #69015 (php-cgi's getopt does not see $argv).
CLI:
Fixed bug #67741 (auto_prepend_file messes up __LINE__).
cURL:
Fixed bug #69088 (PHP_MINIT_FUNCTION does not fully initialize cURL on Win32).
Add CURLPROXY_SOCKS4A and CURLPROXY_SOCKS5_HOSTNAME constants if supported by libcurl.
Ereg:
Fixed bug #69248 (heap overflow vulnerability in regcomp.c). (CVE-2015-2305)
FPM:
Fixed bug #68822 (request time is reset too early).
ODBC:
Fixed bug #68964 (Allowed memory size exhausted with odbc_exec).
Opcache:
Fixed bug #69159 (Opcache causes problem when passing a variable variable to a function).
Fixed bug #69125 (Array numeric string as key).
Fixed bug #69038 (switch(SOMECONSTANT) misbehaves).
OpenSSL:
Fixed bug #68912 (Segmentation fault at openssl_spki_new).
Fixed bug #61285, #68329, #68046, #41631 (encrypted streams don't observe socket timeouts).
Fixed bug #68920 (use strict peer_fingerprint input checks)
Fixed bug #68879 (IP Address fields in subjectAltNames not used) (Daniel Lowrey)
Fixed bug #68265 (SAN match fails with trailing DNS dot)
Fixed bug #67403 (Add signatureType to openssl_x509_parse)
Fixed bug #69195 (Inconsistent stream crypto values across versions)
pgsql:
Fixed bug #68638 (pg_update() fails to store infinite values).
Readline:
Fixed bug #69054 (Null dereference in readline_(read|write)_history() without parameters).
SOAP:
Fixed bug #69085 (SoapClient's __call() type confusion through unserialize()).
SPL:
Fixed bug #69108 ("Segmentation fault" when (de)serializing SplObjectStorage).
Fixed bug #68557 (RecursiveDirectoryIterator::seek(0) broken after calling getChildren()).
ZIP:
Fixed bug #69253 (ZIP Integer Overflow leads to writing past heap boundary). (CVE-2015-2331)

New in PHP 5.6.6 (Mar 23, 2015)

Core:
Removed support for multi-line headers, as they are deprecated by RFC 7230.
Fixed bug #67068 (getClosure returns somethings that's not a closure).
Fixed bug #68942 (Use after free vulnerability in unserialize() with DateTimeZone). (CVE-2015-0273)
Fixed bug #68925 (Mitigation for CVE-2015-0235 – GHOST: glibc gethostbyname buffer overflow).
Fixed bug #67988 (htmlspecialchars() does not respect default_charset specified by ini_set).
Added NULL byte protection to exec, system and passthru.
Dba:
Fixed bug #68711 (useless comparisons).
Enchant:
Fixed bug #68552 (heap buffer overflow in enchant_broker_request_dict()). (CVE-2014-9705)
Fileinfo:
Fixed bug #68827 (Double free with disabled ZMM).
Fixed bug #67647 (Bundled libmagic 5.17 does not detect quicktime files correctly).
Fixed bug #68731 (finfo_buffer doesn't extract the correct mime with some gifs).
FPM:
Fixed bug #66479 (Wrong response to FCGI_GET_VALUES).
Fixed bug #68571 (core dump when webserver close the socket).
JSON:
Fixed bug #50224 (json_encode() does not always encode a float as a float) by adding JSON_PRESERVE_ZERO_FRACTION.
LIBXML:
Fixed bug #64938 (libxml_disable_entity_loader setting is shared between threads).
Mysqli:
Fixed bug #68114 (linker error on some OS X machines with fixed width decimal support).
Fixed bug #68657 (Reading 4 byte floats with Mysqli and libmysqlclient has rounding errors).
Opcache:
Fixed bug with try blocks being removed when extended_info opcode generation is turned on.
PDO_mysql:
Fixed bug #68750 (PDOMysql with mysqlnd does not allow the usage of named pipes).
Phar:
Fixed bug #68901 (use after free). (CVE-2015-2301)
Pgsql:
Fixed bug #65199 (pg_copy_from() modifies input array variable).
Session:
Fixed bug #68941 (mod_files.sh is a bash-script).
Fixed bug #66623 (no EINTR check on flock).
Fixed bug #68063 (Empty session IDs do still start sessions).
Sqlite3:
Fixed bug #68260 (SQLite3Result::fetchArray declares wrong required_num_args).
Standard:
Fixed bug #65272 (flock() out parameter not set correctly in windows).
Fixed bug #69033 (Request may get env. variables from previous requests if PHP works as FastCGI).
Streams:
Fixed bug which caused call after final close on streams filter.

New in PHP 5.6.5 (Feb 19, 2015)

Core:
Upgraded crypt_blowfish to version 1.3.
Fixed bug #60704 (unlink() bug with some files path).
Fixed bug #65419 (Inside trait, self::class != __CLASS__).
Fixed bug #68536 (pack for 64bits integer is broken on bigendian).
Fixed bug #55541 (errors spawn MessageBox, which blocks test automation).
Fixed bug #68297 (Application Popup provides too few information).
Fixed bug #65769 (localeconv() broken in TS builds).
Fixed bug #65230 (setting locale randomly broken).
Fixed bug #66764 (configure doesn't define EXPANDED_DATADIR / PHP_DATADIR correctly).
Fixed bug #68583 (Crash in timeout thread).
Fixed bug #65576 (Constructor from trait conflicts with inherited constructor).
Fixed bug #68676 (Explicit Double Free). (CVE-2014-9425)
Fixed bug #68710 (Use After Free Vulnerability in PHP's unserialize()). (CVE-2015-0231)
CGI:
Fixed bug #68618 (out of bounds read crashes php-cgi). (CVE-2014-9427)
CLI server:
Fixed bug #68745 (Invalid HTTP requests make web server segfault).
cURL:
Fixed bug #67643 (curl_multi_getcontent returns '' when CURLOPT_RETURNTRANSFER isn't set).
Date:
Implemented FR #68268 (DatePeriod: Getter for start date, end date and interval).
EXIF:
Fixed bug #68799 (Free called on unitialized pointer). (CVE-2015-0232)
Fileinfo:
Fixed bug #68398 (msooxml matches too many archives).
Fixed bug #68665 (invalid free in libmagic).
Fixed bug #68671 (incorrect expression in libmagic).
Removed readelf.c and related code from libmagic sources.
Fixed bug #68735 (fileinfo out-of-bounds memory access).
FPM:
Implemented FR #68526 (Implement POSIX Access Control List for UDS).
Fixed bug #68751 (listen.allowed_clients is broken).
GD:
Fixed bug #68601 (buffer read overflow in gd_gif_in.c).
Implemented FR #68656 (Report gd library version).
mbstring:
Fixed bug #68504 (--with-libmbfl configure option not present on Windows).
Opcache:
Fixed bug #68644 (strlen incorrect : mbstring + func_overload=2 +UTF-8 + Opcache).
Fixed bug #67111 (Memory leak when using "continue 2" inside two foreach loops).
OpenSSL:
Improved handling of OPENSSL_KEYTYPE_EC keys.
pcntl:
Fixed bug #60509 (pcntl_signal doesn't decrease ref-count of old handler when setting SIG_DFL).
PCRE:
Fixed bug #66679 (Alignment Bug in PCRE 8.34 upstream).
pgsql:
Fixed bug #68697 (lo_export return -1 on failure).
PDO:
Fixed bug #68371 (PDO#getAttribute() cannot be called with platform-specifi attribute names).
PDO_mysql:
Fixed bug #68424 (Add new PDO mysql connection attr to control multi statements option).
SPL:
Fixed bug #66405 (RecursiveDirectoryIterator::CURRENT_AS_PATHNAME breaks the RecursiveIterator).
Fixed bug #68479 (Added escape parameter to SplFileObject::fputcsv).
SQLite:
Fixed bug #68120 (Update bundled libsqlite to 3.8.7.2).
Streams:
Fixed bug #68532 (convert.base64-encode omits padding bytes).

New in PHP 5.6.4 (Jan 22, 2015)

New in PHP 5.6.3 (Dec 18, 2014)

Core:
Implemented 64-bit format codes for pack() and unpack().
Fixed bug #51800 (proc_open on Windows hangs forever).
Fixed bug #67633 (A foreach on an array returned from a function not doing copy-on-write).
Fixed bug #67739 (Windows 8.1/Server 2012 R2 OS build number reported as 6.2 (instead of 6.3)).
Fixed bug #67949 (DOMNodeList elements should be accessible through array notation)
Fixed bug #68095 (AddressSanitizer reports a heap buffer overflow in php_getopt()).
Fixed bug #68118 ($a->foo .= 'test'; can leave $a->foo undefined).
Fixed bug #68129 (parse_url() - incomplete support for empty usernames and passwords)
Fixed bug #68365 (zend_mm_heap corrupted after memory overflow in zend_hash_copy).
CURL:
Add CURL_SSLVERSION_TLSv1_0, CURL_SSLVERSION_TLSv1_1, and CURL_SSLVERSION_TLSv1_2 constants if supported by libcurl
Fileinfo:
Fixed bug #66242 (libmagic: don't assume char is signed).
Fixed bug #68224 (buffer-overflow in libmagic/readcdf.c caught by AddressSanitizer).
Fixed bug #68283 (fileinfo: out-of-bounds read in elf note headers).
FPM:
Fixed bug #65641 (PHP-FPM incorrectly defines the SCRIPT_NAME variable when using Apache, mod_proxy-fcgi and ProxyPass).
Implemented FR #55508 (listen and listen.allowed_clients should take IPv6 addresses).
GD:
Fixed bug #65171 (imagescale() fails without height param).
GMP:
Implemented gmp_random_range() and gmp_random_bits().
Fixed bug #63595 (GMP memory management conflicts with other libraries using GMP).
Mysqli:
Fixed bug #68114 (linker error on some OS X machines with fixed width decimal support)
ODBC:
Fixed bug #68087 (ODBC not correctly reading DATE column when preceded by a VARCHAR column)
OpenSSL:
Fixed bug #68074 (Allow to use system cipher list instead of hardcoded value).
PDO_pgsql:
Fixed bug #68199 (PDO::pgsqlGetNotify doesn't support NOTIFY payloads)
Fixed bug #66584 (Segmentation fault on statement deallocation)
Reflection:
Fixed bug #68103 (Duplicate entry in Reflection for class alias).
SPL:
Fixed bug #68128 (Regression in RecursiveRegexIterator)

New in PHP 5.6.2 (Nov 13, 2014)

New in PHP 5.6.1 (Oct 17, 2014)

New in PHP 5.6.0 (Aug 29, 2014)

General improvements:
Added constant scalar expressions syntax.
Added dedicated syntax for variadic functions.
Added support for argument unpacking to complement the variadic syntax.
Added an exponentiation operator (**).
Added phpdbg SAPI.
Added unified default encoding.
The php://input stream is now re-usable and can be used concurrently with enable_post_data_reading=0.
Added use function and use const..
Added a function for timing attack safe string comparison.
Added the __debugInfo() magic method to allow userland classes to implement the get_debug_info API previously available only to extensions.
Added gost-crypto (CryptoPro S-box) hash algorithm.
Stream wrappers verify peer certificates and host names by default in encrypted client streams.
Uploads equal or greater than 2GB in size are now accepted.
Core:
Fixed bug #67693 (incorrect push to the empty array).
Removed inconsistency regarding behaviour of array in constants at run-time.
Fixed bug #67497 (eval with parse error causes segmentation fault in generator).
Fixed bug #67151 (strtr with empty array crashes).
Fixed bug #67407 (Windows 8.1/Server 2012 R2 reported as Windows 8/Server 2012).
Fixed bug #66608 (Incorrect behavior with nested "finally" blocks).
Implemented FR #34407 (ucwords and Title Case).
Fixed bug #67091 (make install fails to install libphp5.so on FreeBSD 10.0).
Fixed bug #67368 (Memory leak with immediately dereferenced array in class constant).
Fixed bug #67468 (Segfault in highlight_file()/highlight_string()).
Fixed bug #67498 (phpinfo() Type Confusion Information Leak Vulnerability).
Fixed bug #67551 (php://input temp file will be located in sys_temp_dir instead of upload_tmp_dir).
Fixed bug #67169 (array_splice all elements, then []= gives wrong index).
Fixed bug #67198 (php://input regression).
Fixed bug #67247 (spl_fixedarray_resize integer overflow).
Fixed bug #67250 (iptcparse out-of-bounds read).
Fixed bug #67252 (convert_uudecode out-of-bounds read).
Fixed bug #67249 (printf out-of-bounds read).
Implemented FR #64744 (Differentiate between member function call on a null and non-null, non-objects).
Fixed bug #67436 (Autoloader isn't called if two method definitions don't match).
Fixed bug #66622 (Closures do not correctly capture the late bound class (static::) in some cases).
Fixed bug #67390 (insecure temporary file use in the configure script). (CVE-2014-3981)
Fixed bug #67392 (dtrace breaks argument unpack).
Fixed bug #67428 (header('Location: foo') will override a 308-399 response code).
Fixed bug #67433 (SIGSEGV when using count() on an object implementing Countable).
Fixed bug #67399 (putenv with empty variable may lead to crash).
Expose get_debug_info class hook as __debugInfo() magic method.
Implemented unified default encoding (RFC: https://wiki.php.net/rfc/default_encoding).
Added T_POW (**) operator (RFC: https://wiki.php.net/rfc/pow-operator).
Improved IS_VAR operands fetching.
Improved empty string handling. Now ZE uses an interned string instead of allocation new empty string each time.
Implemented internal operator overloading (RFC: https://wiki.php.net/rfc/operator_overloading_gmp).
Made calls from incompatible context issue an E_DEPRECATED warning instead of E_STRICT (phase 1 of RFC: https://wiki.php.net/rfc/incompat_ctx).
Uploads equal or greater than 2GB in size are now accepted.
Reduced POST data memory usage by 200-300%. Changed INI setting always_populate_raw_post_data to throw a deprecation warning when enabling and to accept -1 for never populating the $HTTP_RAW_POST_DATA global variable, which will be the default in future PHP versions.
Implemented dedicated syntax for variadic functions (RFC: https://wiki.php.net/rfc/variadics).
Fixed bug #50333 Improving multi-threaded scalability by using emalloc/efree/estrdup (Anatol, Dmitry)
Implemented constant scalar expressions (with support for constants) (RFC: https://wiki.php.net/rfc/const_scalar_exprs).
Fixed bug #65784 (Segfault with finally).
Fixed bug #66509 (copy() arginfo has changed starting from 5.4).
Allow zero length comparison in substr_compare() (Tjerk)
Fixed bug #60602 (proc_open() changes environment array) (Tjerk)
Fixed bug #61019 (Out of memory on command stream_get_contents).
Fixed bug #64330 (stream_socket_server() creates wrong Abstract Namespace UNIX sockets).
Fixed bug #66182 (exit in stream filter produces segfault).
Fixed bug #66736 (fpassthru broken).
Fixed bug #66822 (Cannot use T_POW in const expression) (Tjerk)
Fixed bug #67043 (substr_compare broke by previous change) (Tjerk)
Fixed bug #65701 (copy() doesn't work when destination filename is created by tempnam()).
Fixed bug #66015 (Unexpected array indexing in class's static property).
Added (constant) string/array dereferencing to static scalar expressions to complete the set; now possible thanks to #66015 being fixed.
Fixed bug #66568 (Update reflection information for unserialize() function).
Fixed bug #66660 (Composer.phar install/update fails).
Fixed bug #67024 (getimagesize should recognize BMP files with negative height).
Fixed bug #67064 (Countable interface prevents using 2nd parameter ($mode) of count() function).
Fixed bug #67072 (Echoing unserialized "SplFileObject" crash).
Fixed bug #67033 (Remove reference to Windows 95).
Apache2 Handler SAPI:
Fixed Apache log issue caused by APR's lack of support for %zu
CLI server:
Added some MIME types to the CLI web server.
Fixed bug #67079 (Missing MIME types for XML/XSL files).
Fixed bug #66830 (Empty header causes PHP built-in web server to hang).
Fixed bug #67594 (Unable to access to apache_request_headers() elements).
Implemented FR #67429 (CLI server is missing some new HTTP response codes).
Fixed bug #67406 (built-in web-server segfaults on startup).
COM:
Fixed bug #41577 (DOTNET is successful once per server run) (Aidas Kasparas)
Fixed missing type checks in com_event_sink (Yussuf Khalil, Stas).
Fixed bug #66431 (Special Character via COM Interface (CP_UTF8)).
Curl:
Implemented FR #65646 (re-enable CURLOPT_FOLLOWLOCATION with open_basedir or safe_mode).
Check for openssl.cafile ini directive when loading CA certs.
Remove cURL close policy related constants as these have no effect and are no longer used in libcurl.
Fixed bug #66109 (Can't reset CURLOPT_CUSTOMREQUEST to default behaviour) (Tjerk)
Fix compilation on libcurl versions between 7.10.5 and 7.12.2, inclusive.
Fixed bug #64247 (CURLOPT_INFILE doesn't allow reset).
Fixed bug #66562 (curl_exec returns differently than curl_multi_getcontent).
Date:
Fixed bug #66060 (Heap buffer over-read in DateInterval). (CVE-2013-6712)
Fixed bug #66091 (memory leaks in DateTime constructor) (Tjerk).
Fixed bug #67308 (Serialize of DateTime truncates fractions of second).
Fixed regression in fix for #67118 (constructor can't be called twice).
Fixed bug #67251 (date_parse_from_format out-of-bounds read).
Fixed bug #67253 (timelib_meridian_with_check out-of-bounds read).
Added DateTimeImmutable::createFromMutable to create a DateTimeImmutable object from an existing DateTime (mutable) object (Derick)
Fixed bug #66721 (__wakeup of DateTime segfaults when invalid object data is supplied).
Fixed bug #67118 (DateTime constructor crash with invalid data).
DOM:
Fixed bug #67081 (DOMDocumentType->internalSubset returns entire DOCTYPE tag, not only the subset).
Embed:
Fixed bug #65715 (php5embed.lib isn't provided anymore). (Anatol).
Fileinfo:
Fixed bug #67716 (Segfault in cdf.c). (CVE-2014-3587)
Fixed bug #67705 (extensive backtracking in rule regular expression). (CVE-2014-3538)
Fixed bug #67327 (fileinfo: CDF infinite loop in nelements DoS). (CVE-2014-0238)
Fixed bug #67328 (fileinfo: fileinfo: numerous file_printf calls resulting in performance degradation). (CVE-2014-0237)
Fixed bug #67326 (fileinfo: cdf_read_short_sector insufficient boundary check). (CVE-2014-0207)
Fixed bug #67329 (fileinfo: NULL pointer deference flaw by processing certain CDF files).
Fixed bug #67410 (fileinfo: mconvert incorrect handling of truncated pascal string size). (CVE-2014-3478)
Fixed bug #67411 (fileinfo: cdf_check_stream_offset insufficient boundary check). (CVE-2014-3479)
Fixed bug #67412 (fileinfo: cdf_count_chain insufficient boundary check). (CVE-2014-3480)
Fixed bug #67413 (fileinfo: cdf_read_property_info insufficient boundary check). (CVE-2014-3487)
Upgraded to libmagic-5.17 (Anatol)
Fixed bug #66731 (file: infinite recursion). (CVE-2014-1943)
Fixed bug #66820 (out-of-bounds memory access in fileinfo). (CVE-2014-2270)
Fixed bug #66946 (fileinfo: extensive backtracking in awk rule regular expression). (CVE-2013-7345)
Fixed bug #66987 (Memory corruption in fileinfo ext / bigendian).
Fixed bug #66907 (Solaris 10 is missing strcasestr and needs substitute).
Fixed bug #66307 (Fileinfo crashes with powerpoint files).
FPM:
Fixed bug #67606 (revised fix 67541, broke mod_fastcgi BC).
Fixed bug #67530 (error_log=syslog ignored).
Fixed bug #67635 (php links to systemd libraries without using pkg-config).
Fixed bug #67531 (syslog cannot be set in pool configuration).
Fixed bug #67541 (Fix Apache 2.4.10+ SetHandler proxy:fcgi:// incompatibilities).
Included apparmor support in fpm (RFC: https://wiki.php.net/rfc/fpm_change_hat).
Added clear_env configuration directive to disable clearenv() call.
Fixed bug #66482 (unknown entry 'priority' in php-fpm.conf).
Fixed bug #66908 (php-fpm reload leaks epoll_create() file descriptor).
Fixed bug #67060 (sapi/fpm: possible privilege escalation due to insecure default configuration). (CVE-2014-0185)
GD:
Fixed bug #67730 (Null byte injection possible with imagexxx functions). (CVE-2014-5120)
Fixed bug #66901 (php-gd 'c_color' NULL pointer dereference). (CVE-2014-2497)
Fixed bug #67248 (imageaffinematrixget missing check of parameters).
Fixed imagettftext to load the correct character map rather than the last one.
Fixed bug #66356 (Heap Overflow Vulnerability in imagecrop()). (CVE-2013-7226)
Fixed bug #66815 (imagecrop(): insufficient fix for NULL defer). (CVE-2013-7327)
Fixed bug #66869 (Invalid 2nd argument crashes imageaffinematrixget).
Fixed bug #66887 (imagescale - poor quality of scaled image).
Fixed bug #66890 (imagescale segfault).
Fixed bug #66893 (imagescale ignore method argument).
GMP:
Fixed bug #66872 (invalid argument crashes gmp_testbit) (Pierre)
Fixed crashes in serialize/unserialize.
Moved GMP to use object as the underlying structure and implemented various improvements based on this.
Added gmp_root() and gmp_rootrem() functions for calculating nth roots.
Hash:
Added gost-crypto (CryptoPro S-box) GOST hash algo.
Fixed bug #66698 (Missing FNV1a32 and FNV1a64 hash functions). (Michael M Slusarz).
Implemented timing attack safe string comparison function (RFC: https://wiki.php.net/rfc/timing_attack).
hash_pbkdf2() now works correctly if the $length argument is not specified.
Intl:
Fixed bug #66873 (A reproductible crash in UConverter when given invalid encoding) (Stas)
Fixed bug #66921 (Wrong argument type hint for function intltz_from_date_time_zone).
Fixed bug #67052 (NumberFormatter::parse() resets LC_NUMERIC setting).
Fixed bug #67349 (Locale::parseLocale Double Free).
Fixed bug #67397 (Buffer overflow in locale_get_display_name and uloc_getDisplayName (libicu 4.8.1)).
JSON:
Fixed case part of bug #64874 ("json_decode handles whitespace and case-sensitivity incorrectly")
Fixed bug #65753 (JsonSerializeable couldn't implement on module extension) ([email protected])
Fixed bug #66021 (Blank line inside empty array/object when JSON_PRETTY_PRINT is set).
ldap:
Added new function ldap_modify_batch().
Fixed issue with null bytes in LDAP bindings.
litespeed:
Fixed bug #63228 (-Werror=format-security error in lsapi code).
Mail:
Fixed bug #66535 (Don't add newline after X-PHP-Originating-Script) (Tjerk)
Mcrypt:
No longer allow invalid key sizes, invalid IV sizes or missing required IV in mcrypt_encrypt, mcrypt_decrypt and the deprecated mode functions.
Use /dev/urandom as the default source for mcrypt_create_iv().
Mbstring:
Upgraded to oniguruma 5.9.5 (Anatol)
Fixed bug #67199 (mb_regex_encoding mismatch).
Milter:
Fixed bug #67715 (php-milter does not build and crashes randomly).
mysqli:
Added new function mysqli_get_links_stats() as well as new INI variable mysqli.rollback_on_cached_plink of type bool (Andrey)
Fixed bug #66762 (Segfault in mysqli_stmt::bind_result() when link closed) (Remi)
Fixed building against an external libmysqlclient.
mysqlnd:
Disabled flag for SP OUT variables for 5.5+ servers as they are not natively supported by the overlying APIs.
Added a new fetching mode to mysqlnd.
Added support for gb18030 from MySQL 5.7.
Network:
Fixed bug #67717 (segfault in dns_get_record). (CVE-2014-3597)
Fixed bug #67432 (Fix potential segfault in dns_get_record()). (CVE-2014-4049)
OCI8:
Fixed bug #66875 (Improve performance of multi-row OCI_RETURN_LOB queries)
ODBC:
Fixed bug #60616 (odbc_fetch_into returns junk at end of multi-byte char fields).
OpenSSL:
Fixed missing type checks in OpenSSL options (Yussuf Khalil, Stas).
Fixed bug #67609 (TLS connections fail behind HTTP proxy).
Fixed broken build against OpenSSL older than 0.9.8 where ECDH unavailable.
Fixed bug #67666 (Subject altNames doesn't support wildcard matching).
Fixed bug #67224 (Fall back to crypto_type from context if not specified explicitly in stream_socket_enable_crypto).
Fixed bug #65698 (certificates validity parsing does not work past 2050).
Fixed bug #66636 (openssl_x509_parse warning with V_ASN1_GENERALIZEDTIME).
Peer certificates now verified by default in client socket operations (RFC: https://wiki.php.net/rfc/tls-peer-verification).
New openssl.cafile and openssl.capath ini directives.
Added crypto_method option for the ssl stream context.
Added certificate fingerprint support.
Added explicit TLSv1.1 and TLSv1.2 stream transports.
Fixed bug #65729 (CN_match gives false positive).
Peer name verification matches SAN DNS names for certs using the Subject Alternative Name x509 extension.
Fixed segfault when built against OpenSSL>=1.0.1 (Daniel Lowrey)
Added SPKAC support.
Fallback to Windows CA cert store for peer verification if no openssl.cafile ini directive or "cafile" SSL context option specified in Windows.
The openssl.cafile and openssl.capath ini directives introduced in alpha2 now have PHP_INI_PERDIR accessibility (was PHP_INI_ALL).
New "peer_name" SSL context option replaces "CN_match" (which still works as before but triggers E_DEPRECATED).
Fixed segfault when accessing non-existent context for client SNI use (Daniel Lowrey)
Fixed bug #66501 (Add EC key support to php_openssl_is_private_key).
Fixed bug #47030 (add new boolean "verify_peer_name" SSL context option allowing clients to verify cert names separately from the cert itself). "verify_peer_name" is enabled by default for client streams.
Fixed bug #65538 ("cafile" SSL context option now supports stream wrappers).
New openssl_get_cert_locations() function to aid CA file and peer verification debugging.
Encrypted stream wrappers now disable TLS compression by default.
New "capture_session_meta" SSL context option allows encrypted client and server streams access to negotiated protocol/cipher information.
New "honor_cipher_order" SSL context option allows servers to prioritize cipher suites of their choosing when negotiating SSL/TLS handshakes.
New "single_ecdh_use" and "single_dh_use" SSL context options allow for improved forward secrecy in encrypted stream servers.
New "dh_param" SSL context option allows stream servers control over the parameters when negotiating DHE cipher suites.
New "ecdh_curve" SSL context option allowing stream servers to specify the curve to use when negotiating ephemeral ECDHE ciphers (defaults to NIST P-256).
New "rsa_key_size" SSL context option gives stream servers control over the key size (in bits) used for RSA key agreements.
Crypto methods for encrypted client and server streams now use bitwise flags for fine-grained protocol support.
Added new tlsv1.0 stream wrapper to specify TLSv1 client/server method. tls wrapper now negotiates TLSv1, TLSv1.1 or TLSv1.2.
Encrypted client streams now enable SNI by default.
Encrypted streams now prioritize ephemeral key agreement and high strength ciphers by default.
New OPENSSL_DEFAULT_STREAM_CIPHERS constant exposes default cipher list.
New STREAM_CRYPTO_METHOD_* constants for enhanced control over the crypto methods negotiated encrypted server/client sessions.
Encrypted stream servers now automatically mitigate potential DoS vector arising from client-initiated TLS renegotiation. New "reneg_limit", "reneg_window" and "reneg_limit_callback" SSL context options for custom renegotiation limiting control.
Fixed memory leak in windows cert verification on verify failure.
Peer certificate capturing via SSL context options now functions even if peer verification fails.
Encrypted TLS servers now support the server name indication TLS extension via the new "SNI_server_certs" SSL context option.
Fixed bug #66833 (Default disgest algo is still MD5, switch to SHA1).
Fixed bug #66942 (memory leak in openssl_seal()).
Fixed bug #66952 (memory leak in openssl_open()).
Fixed bug #66840 (Fix broken build when extension built separately).
OPcache:
Added an optimization of class constants and constant calls to some internal functions (Laruence, Dmitry)
Added an optimization pass to convert FCALL_BY_NAME into DO_FCALL.
Added an optimization pass to merged identical constants (and related cache_slots) in op_array->literals table.
Added script level constant replacement optimization pass.
Added function opcache_is_script_cached().
Added information about interned strings usage.
Fixed bug #67215 (php-cgi work with opcache, may be segmentation fault happen)
PCRE:
Fixed bug #67238 (Ungreedy and min/max quantifier bug, applied patch from the upstream).
Upgraded to PCRE 8.34.
Added support for (*MARK) backtracking verbs.
pgsql:
Fixed bug #67550 (Error in code "form" instead of "from", pgsql.c, line 756), which affected builds against libpq < 7.3.
pg_insert()/pg_select()/pg_update()/pg_delete() are no longer EXPERIMENTAL.
Impremented FR #25854 Return value for pg_insert should be resource instead of bool.
Implemented FR #41146 - Add "description" with exteneded flag pg_meta_data(). pg_meta_data(resource $conn, string $table [, bool extended]) It also made pg_meta_data() return "is enum" always.
Read-only access to the socket stream underlying database connections is exposed via a new pg_socket() function to allow read/write polling when establishing asynchronous connections and executing queries in non-blocking applications.
Asynchronous connections are now possible using the PGSQL_CONNECT_ASYNC flag in conjunction with a new pg_connect_poll() function and connection polling status constants.
New pg_flush() and pg_consume_input() functions added to manually complete non-blocking reads/writes to underlying connection sockets.
pg_version() returns full report which obtained by PQparameterStatus().
Added pg_lo_truncate().
Added 64bit large object support for PostgreSQL 9.3 and later.
Fixed bug #67555 (Cannot build against libpq 7.3).
phpdbg:
Fixed bug #67575 (Compilation fails for phpdbg when the build directory != src directory).
Fixed bug #67499 (readline feature not enabled when build with libedit).
Fix issue krakjoe/phpdbg#94 (List behavior is inconsistent).
Fix issue krakjoe/phpdbg#97 (The prompt should always ensure it is on a newline).
Fix issue krakjoe/phpdbg#98 (break if does not seem to work).
Fix issue krakjoe/phpdbg#99 (register function has the same behavior as run).
Fix issue krakjoe/phpdbg#100 (No way to list the current stack/frames) (Help entry was missing).
Fixed bug which caused phpdbg to fail immediately on startup in non-debug builds.
Fixed bug #67212 (phpdbg uses non-standard TIOCGWINSZ).
Included phpdbg sapi (RFC: https://wiki.php.net/rfc/phpdbg).
Added watchpoints (watch command).
Renamed some commands (next => continue and how to step).
Fixed issue #85 (https://github.com/krakjoe/phpdbg/issues/85) (Added stdin/stdout/stderr constants and their php:// wrappers).
PDO:
Fixed bug #66604 ('pdo/php_pdo_error.h' not copied to the include dir).
PDO-ODBC:
Fixed bug #50444 (PDO-ODBC changes for 64-bit).
PDO_pgsql:
Fixed bug #42614 (PDO_pgsql: add pg_get_notify support).
Fixed bug #63657 (pgsqlCopyFromFile, pgsqlCopyToArray use Postgres < 7.3 syntax).
Cleaned up code by increasing the requirements to libpq versions providing PQexecParams, PQprepare, PQescapeStringConn, PQescapeByteaConn. According to the release notes that means 8.0.8+ or 8.1.4+.
Deprecated PDO::PGSQL_ATTR_DISABLE_NATIVE_PREPARED_STATEMENT, an undocument constant effectively equivalent to PDO::ATTR_EMULATE_PREPARES.
Added PDO::PGSQL_ATTR_DISABLE_PREPARES constant to execute the queries without preparing them, while still passing parameters separately from the command text using PQexecParams.
PDO_firebird:
Fixed bug #66071 (memory corruption in error handling)
Phar:
Fixed bug #64498 ($phar->buildFromDirectory can't compress file with an accent in its name).
Fixed bug #67587 (Redirection loop on nginx with FPM).
readline:
Fixed bug #55496 (Interactive mode doesn't force a newline before the prompt).
Fixed bug #67496 (Save command history when exiting interactive shell with control-c).
Reflection:
Implemented FR #67713 (loosen the restrictions on ReflectionClass::newInstanceWithoutConstructor()).
Session:
Fixed bug #67694 (Regression in session_regenerate_id()).
Fixed missing type checks in php_session_create_id (Yussuf Khalil, Stas).
Fixed bug #66827 (Session raises E_NOTICE when session name variable is array).
Fixed bug #65315 (session.hash_function silently fallback to default md5) (Yasuo)
Implemented Request #17860 (Session write short circuit).
Implemented Request #20421 (session_abort() and session_reset() function).
Remove session_gc() and session_serializer_name() wich were introduced in the first 5.6.0 alpha.
SimpleXML:
Fixed bug #66084 (simplexml_load_string() mangles empty node name) (Anatol)
SQLite:
Updated the bundled libsqlite to the version 3.8.3.1 (Anatol)
Fixed bug #66967 (Updated bundled libsqlite to 3.8.4.3).
SOAP:
Implemented FR #49898 (Add SoapClient::__getCookies()).
SPL:
Revert fix for #67064 (BC issues).
Fixed bug #67539 (ArrayIterator use-after-free due to object change during sorting). (CVE-2014-4698)
Fixed bug #67538 (SPL Iterators use-after-free). (CVE-2014-4670)
Fixed bug #67492 (unserialize() SPL ArrayObject / SPLObjectStorage Type Confusion). (CVE-2014-3515)
Fixed bug #67359 (Segfault in recursiveDirectoryIterator).
Fixed bug #66127 (Segmentation fault with ArrayObject unset).
Fixed request #67453 (Allow to unserialize empty data).
Added feature #65545 (SplFileObject::fread()) (Tjerk)
Fixed bug #66834 (empty() does not work on classes that extend ArrayObject) (Tjerk)
Fixed bug #66702 (RegexIterator::INVERT_MATCH does not invert).
Standard:
Implemented FR #65634 (HTTP wrapper is very slow with protocol_version 1.1).
Implemented Change crypt() behavior w/o salt RFC. (Yasuo) https://wiki.php.net/rfc/crypt_function_salt
Implemented request #49824 (Change array_fill() to allow creating empty array).
Streams:
Fixed bug #67430 (http:// wrapper doesn't follow 308 redirects).
Tokenizer:
Fixed bug #67395 (token_name() does not return name for T_POW and T_POW_EQUAL token).
XMLReader:
Fixed bug #55285 (XMLReader::getAttribute/No/Ns methods inconsistency).
XSL:
Fixed bug #53965 ( cannot find files with relative paths when loaded with "file://").
Zip:
update libzip to version 1.11.2. PHP don't use any ilibzip private symbol anymore.
new method ZipArchive::setPassword($password).
add --with-libzip option to build with system libzip.
new methods: ZipArchive::setExternalAttributesName($name, $opsys, $attr [, $flags]) ZipArchive::setExternalAttributesIndex($idx, $opsys, $attr [, $flags]) ZipArchive::getExternalAttributesName($name, &$opsys, &$attr [, $flags]) ZipArchive::getExternalAttributesIndex($idx, &$opsys, &$attr [, $flags])
Zlib:
Fixed bug #67865 (internal corruption phar error). Mike
Fixed bug #67724 (chained zlib filters silently fail with large amounts of data).

New in PHP 5.5.16 (Aug 24, 2014)

New in PHP 5.6.0 RC 4 (Aug 16, 2014)

New in PHP 5.6.0 RC 3 (Aug 1, 2014)

Core:
Fixed bug #67497 (eval with parse error causes segmentation fault in generator).
Fixed bug #67151 (strtr with empty array crashes).
Fixed bug #67407 (Windows 8.1/Server 2012 R2 reported as Windows 8/Server 2012).
Fixed bug #66608 (Incorrect behavior with nested "finally" blocks).
Implemented FR #34407 (ucwords and Title Case).
COM:
Fixed missing type checks in com_event_sink.
CLI server:
Fixed bug #66830 (Empty header causes PHP built-in web server to hang).
Fixed bug #67594 (Unable to access to apache_request_headers() elements).
FPM:
Fixed bug #67530 (error_log=syslog ignored).
Fixed bug #67635 (php links to systemd libraries without using pkg-config).
Intl:
Fixed bug #66921 (Wrong argument type hint for function intltz_from_date_time_zone). (Stas)
Fixed bug #67052 (NumberFormatter::parse() resets LC_NUMERIC setting).
pgsql:
Fixed bug #67555 (Cannot build against libpq 7.3).
ODBC:
Fixed bug #60616 (odbc_fetch_into returns junk at end of multi-byte char fields).
OpenSSL:
Fixed missing type checks in OpenSSL options .
Fixed bug #67609 (TLS connections fail behind HTTP proxy).
Fixed broken build against OpenSSL older than 0.9.8 where ECDH unavailable.
Fixed bug #67666 (Subject altNames doesn't support wildcard matching).
Phar:
Fixed bug #67587 (Redirection loop on nginx with FPM).
readline:
Fixed bug #55496 (Interactive mode doesn't force a newline before the prompt).
Fixed bug #67496 (Save command history when exiting interactive shell with control-c).
Reflection:
Implemented FR #67713 (loosen the restrictions on ReflectionClass::newInstanceWithoutConstructor()).
SPL:
Fixed bug #67539 (ArrayIterator use-after-free due to object change during sorting).
Fixed bug #67538 (SPL Iterators use-after-free). (CVE-2014-4670).
Session:
Fixed missing type checks in php_session_create_id.
Fixed bug #66827 (Session raises E_NOTICE when session name variable is array).
OPCache:
Fixed bug #67215 (php-cgi work with opcache, may be segmentation fault happen).
phpdbg
Fixed bug #67575 (Compilation fails for phpdbg when the build directory != src directory).

New in PHP 5.6.0 RC 2 (Jul 4, 2014)

New in PHP 5.5.14 (Jun 26, 2014)

New in PHP 5.6.0 Beta 4 (Jun 5, 2014)

New in PHP 5.6.0 Beta 3 (May 16, 2014)

New in PHP 5.6.0 Beta 2 (May 2, 2014)

CLI server:
Fixed bug #67079 (Missing MIME types for XML/XSL files).
COM:
Fixed bug #66431 (Special Character via COM Interface (CP_UTF8)).
Core:
Fixed bug #65701 (copy() doesn't work when destination filename is created by tempnam()).
Fixed bug #66015 (Unexpected array indexing in class's static property).
Added (constant) string/array dereferencing to static scalar expressions to complete the set; now possible thanks to bug #66015 being fixed.
Fixed bug #66568 (Update reflection information for unserialize() function).
Fixed bug #66660 (Composer.phar install/update fails).
Fixed bug #67024 (getimagesize should recognize BMP files with negative height).
Fixed bug #67064 (Countable interface prevents using 2nd parameter ($mode) of count() function).
Fixed bug #67072 (Echoing unserialized "SplFileObject" crash).
Fixed bug #67033 (Remove reference to Windows 95).
cURL:
Fixed bug #64247 (CURLOPT_INFILE doesn't allow reset).
Fixed bug #66562 (curl_exec returns differently than curl_multi_getcontent).
Date:
Fixed bug #66721 (__wakeup of DateTime segfaults when invalid object data is supplied).
Fixed bug #67118 (DateTime constructor crash with invalid data).
DOM:
Fixed bug #67081 (DOMDocumentType->internalSubset returns entire DOCTYPE tag, not only the subset).
Fileinfo:
Fixed bug #66907 (Solaris 10 is missing strcasestr and needs substitute).
Fixed bug #66307 (Fileinfo crashes with powerpoint files).
FPM:
Fixed bug #66482 (unknown entry 'priority' in php-fpm.conf).
Fixed bug #66908 (php-fpm reload leaks epoll_create() file descriptor).
Fixed bug #67060 (sapi/fpm: possible privilege escalation due to insecure default configuration) (CVE-2014-0185).
GMP:
Fixed crashes in serialize/unserialize.
JSON:
Fixed bug #66021 (Blank line inside empty array/object when JSON_PRETTY_PRINT is set).
LDAP:
Fixed issue with null bytes in LDAP bindings.
litespeed
Fixed bug #63228 (-Werror=format-security error in lsapi code).
mysqlnd:
Added a new fetching mode to mysqlnd.
OpenSSL:
Fix bug #66942 (memory leak in openssl_seal()). (Chuan Ma)
Fix bug #66952 (memory leak in openssl_open()). (Chuan Ma)
Fix bug #66840 (Fix broken build when extension built separately)
phpdbg:
Added watchpoints (watch command).
Renamed some commands (next => continue and how to step).
Fixed issue #85 (https://github.com/krakjoe/phpdbg/issues/85).
PDO:
Fixed bug #66604 ('pdo/php_pdo_error.h' not copied to the include dir).
PDO-ODBC:
Fixed bug #50444 (PDO-ODBC changes for 64-bit).
Phar:
Fix bug #64498 ($phar->buildFromDirectory can't compress file with an accent in its name). (PR #588)
SQLite:
Fixed bug #66967 (Updated bundled libsqlite to 3.8.4.3).
Apache2 Handler SAPI:
Fixed Apache log issue caused by APR's lack of support for %zu

New in PHP 5.5.12 (May 1, 2014)

New in PHP 5.6.0 Beta 1 (Apr 11, 2014)

Core:
Allow zero length comparison in substr_compare()
Fixed bug #60602 (proc_open() changes environment array)
Fixed bug #61019 (Out of memory on command stream_get_contents).
Fixed bug #64330 (stream_socket_server() creates wrong Abstract Namespace UNIX sockets).
Fixed bug #66182 (exit in stream filter produces segfault).
Fixed bug #66736 (fpassthru broken).
Fixed bug #66822 (Cannot use T_POW in const expression)
Fixed bug #67043 (substr_compare broke by previous change)
SPL:
Added feature #65545 (SplFileObject::fread())
Fixed bug #66834 (empty() does not work on classes that extend ArrayObject)
Fixed bug #66702 (RegexIterator::INVERT_MATCH does not invert).
cURL:
Fixed bug #66109 (Can't reset CURLOPT_CUSTOMREQUEST to default behaviour)
Fix compilation on libcurl versions between 7.10.5 and 7.12.2, inclusive.
Date:
Added DateTimeImmutable::createFromMutable to create a DateTimeImmutable object from an existing DateTime (mutable) object
Embed:
Fixed bug #65715 (php5embed.lib isn't provided anymore).
Fileinfo:
Fixed bug #66820 (out-of-bounds memory access in fileinfo (CVE-2014-2270).
Fixed bug #66946i (fileinfo: extensive backtracking in awk rule regular expression). (CVE-2013-7345)
Fixed bug #66987 (Memory corruption in fileinfo ext / bigendian).
GD:
Fixed bug #66815 (imagecrop(): insufficient fix for NULL defer CVE-2013-7327).
Fixed #66869 (Invalid 2nd argument crashes imageaffinematrixget)
Fixed bug #66887 (imagescale - poor quality of scaled image).
Fixed bug #66890 (imagescale segfault).
Fixed bug #66893 (imagescale ignore method argument).
GMP:
Fixed bug #66872 (invalid argument crashes gmp_testbit)
Hash:
Fixed bug #66698 (Missing FNV1a32 and FNV1a64 hash functions).
Implemented timing attack safe string comparison function
hash_pbkdf2() now works correctly if the $length argument is not specified.
Intl:
Fixed bug #66873 (A reproductible crash in UConverter when given invalid encoding)
Mail:
Fixed bug #66535 (Don't add newline after X-PHP-Originating-Script)
Mbstring:
Upgraded to oniguruma 5.9.5
Mcrypt:
No longer allow invalid key sizes, invalid IV sizes or missing required IV in mcrypt_encrypt, mcrypt_decrypt and the deprecated mode functions.
Use /dev/urandom as the default source for mcrypt_create_iv().
MySQLi:
Fixed bug #66762 (Segfault in mysqli_stmt::bind_result() when link closed)
OCI8
Fixed Bug #66875 (Improve performance of multi-row OCI_RETURN_LOB queries)
OpenSSL:
Fixed memory leak in windows cert verification on verify failure.
Peer certificate capturing via SSL context options now functions even if peer verification fails.
Encrypted TLS servers now support the server name indication TLS extension via the new "SNI_server_certs" SSL context option.
Fixed bug #66833 (Default disgest algo is still MD5, switch to SHA1).
PCRE:
Added support for (*MARK) backtracking verbs.
PDO_firebird:
Fixed Bug #66071 (memory corruption in error handling)
PDO_pgsql:
Cleaned up code by increasing the requirements to libpq versions providing
PQexecParams, PQprepare, PQescapeStringConn, PQescapeByteaConn. According to the release notes that means 8.0.8+ or 8.1.4+.
Deprecated PDO::PGSQL_ATTR_DISABLE_NATIVE_PREPARED_STATEMENT, an undocument constant effectively equivalent to PDO::ATTR_EMULATE_PREPARES.
Added PDO::PGSQL_ATTR_DISABLE_PREPARES constant to execute the queries without preparing them, while still passing parameters separately from the command text using PQexecParams.
Pgsql:
Read-only access to the socket stream underlying database connections is exposed via a new pg_socket() function to allow read/write polling when
establishing asynchronous connections and executing queries in non-blocking applications.
Asynchronous connections are now possible using the PGSQL_CONNECT_ASYNC flag in conjunction with a new pg_connect_poll() function and connection polling status constants.
New pg_flush() and pg_consume_input() functions added to manually complete non-blocking reads/writes to underlying connection sockets.
Session:
Remove session_gc() and session_serializer_name() wich were introduced in the first 5.6.0 alpha.
SimpleXML:
Fixed bug #66084 (simplexml_load_string() mangles empty node name)
SQLite:
Updated the bundled libsqlite to the version 3.8.3.1
XSL:
Fixed bug #53965 ( cannot find files with relative paths when loaded with "file://").

New in PHP 5.6.0 Alpha 3 (Apr 3, 2014)

Core:
Expose get_debug_info class hook as __debugInfo() magic method. (Sara)
Implemented unified default encoding
RFC: https://wiki.php.net/rfc/default_encoding).
Curl:
Check for openssl.cafile ini directive when loading CA certs.
Remove cURL close policy related constants as these have no effect and are
no longer used in libcurl.
Fileinfo:
Upgraded to libmagic-5.17
Fixed bug #66731 (file: infinite recursion). (CVE-2014-1943)
FPM:
Added clear_env configuration directive to disable clearenv() call
GD:
Fixed imagettftext to load the correct character map rather than the last one
Fixed bug #66714 ( imageconvolution breakage).
JSON:
Fixed bug #65753 (JsonSerializeable couldn't implement on module
OPCache:
Added function opcache_is_script_cached(). (Danack)
Added information about interned strings usage. (Terry, Julien, Dmitry)
Openssl:
Fallback to Windows CA cert store for peer verification if no openssl.cafile
ini directive or "cafile" SSL context option specified in Windows
The openssl.cafile and openssl.capath ini directives introduced in alpha2
now have PHP_INI_PERDIR accessibility (was PHP_INI_ALL).
New "peer_name" SSL context option replaces "CN_match" (which still works
as before but triggers E_DEPRECATED).
Fixed segfault when accessing non-existent context for client SNI use
Fixed bug #66501 (Add EC key support to php_openssl_is_private_key)
Fixed Bug #47030 (add new boolean "verify_peer_name" SSL context option
allowing clients to verify cert names separately from the cert itself)
"verify_peer_name" is enabled by default for client streams
Fixed Bug #65538 ("cafile" SSL context option now supports stream
wrappers).
New openssl_get_cert_locations() function to aid CA file and peer
verification debugging.
Encrypted stream wrappers now disable TLS compression by default
New "capture_session_meta" SSL context option allows encrypted client and
server streams access to negotiated protocol/cipher information
New "honor_cipher_order" SSL context option allows servers to prioritize
cipher suites of their choosing when negotiating SSL/TLS handshakes
New "single_ecdh_use" and "single_dh_use" SSL context options allow for
improved forward secrecy in encrypted stream servers.
New "dh_param" SSL context option allows stream servers control over
the parameters when negotiating DHE cipher suites.
New "ecdh_curve" SSL context option allowing stream servers to specify
the curve to use when negotiating ephemeral ECDHE ciphers (defaults to
NIST P-256)
New "rsa_key_size" SSL context option gives stream servers control
over the key size (in bits) used for RSA key agreements.
Crypto methods for encrypted client and server streams now use
bitwise flags for fine-grained protocol support.
Added new tlsv1.0 stream wrapper to specify TLSv1 client/server method
tls wrapper now negotiates TLSv1, TLSv1.1 or TLSv1.2.
Encrypted client streams now enable SNI by default.
Encrypted streams now prioritize ephemeral key agreement and high strength
ciphers by default.
New OPENSSL_DEFAULT_STREAM_CIPHERS constant exposes default cipher
list.
New STREAM_CRYPTO_METHOD_* constants for enhanced control over the crypto
methods negotiated encrypted server/client sessions.
Encrypted stream servers now automatically mitigate potential DoS vector
arising from client-initiated TLS renegotiation. New "reneg_limit"
"reneg_window" and "reneg_limit_callback" SSL context options for custom
renegotiation limiting control
Pgsql:
pg_insert()/pg_select()/pg_update()/pg_delete() are no longer EXPERIMENTAL
Impremented FR #25854 Return value for pg_insert should be resource instead of bool
Implemented FR #41146 - Add "description" with exteneded flag pg_meta_data()
pg_meta_data(resource $conn, string $table [, bool extended])
It also made pg_meta_data() return "is enum" always

New in PHP 5.6.0 Alpha 2 (Apr 3, 2014)

New in PHP 5.6.0 Alpha 1 (Apr 3, 2014)

CLI server:
Added some MIME types to the CLI web server.
Core:
Improved IS_VAR operands fetching.
Improved empty string handling. Now ZE uses an interned string instead of
allocation new empty string each time.
Implemented internal operator overloading
RFC: https://wiki.php.net/rfc/operator_overloading_gmp).
Made calls from incompatible context issue an E_DEPRECATED warning instead
of E_STRICT (phase 1 of RFC: https://wiki.php.net/rfc/incompat_ctx).
Uploads equal or greater than 2GB in size are now accepted.
Reduced POST data memory usage by 200-300%. Changed INI setting
always_populate_raw_post_data to throw a deprecation warning when enabling
and to accept -1 for never populating the $HTTP_RAW_POST_DATA global
variable, which will be the default in future PHP versions
Implemented dedicated syntax for variadic functions
RFC: https://wiki.php.net/rfc/variadics).
Fixed bug #50333 Improving multi-threaded scalability by using
emalloc/efree/estrdup
Implemented constant scalar expressions (with support for constants)
RFC: https://wiki.php.net/rfc/const_scalar_exprs).
Fixed bug #65784 (Segfault with finally).
Fixed bug #66509 (copy() arginfo has changed starting from 5.4)
cURL:
Implemented FR #65646 (re-enable CURLOPT_FOLLOWLOCATION with open_basedir or safe_mode).
GMP:
Moved GMP to use object as the underlying structure and implemented various
improvements based on this.
RFC: https://wiki.php.net/rfc/operator_overloading_gmp).
Added gmp_root() and gmp_rootrem() functions for calculating nth roots.
Hash:
Added gost-crypto (CryptoPro S-box) GOST hash algo.
JSON:
Fixed case part of bug #64874 ("json_decode handles whitespace and
case-sensitivity incorrectly")
mysqlnd:
Disabled flag for SP OUT variables for 5.5+ servers as they are not natively
supported by the overlying APIs.
OPcache:
Added an optimization of class constants and constant calls to some
internal functions
Added an optimization pass to convert FCALL_BY_NAME into DO_FCALL.
Added an optimization pass to merged identical constants (and related cache_slots) in op_array->literals table.
Added script level constant replacement optimization pass.
Openssl:
Added crypto_method option for the ssl stream context.
Added certificate fingerprint support.
Added explicit TLSv1.1 and TLSv1.2 stream transports.
Fixed bug #65729 (CN_match gives false positive).
Peer name verification matches SAN DNS names for certs using
the Subject Alternative Name x509 extension
Fixed segfault when built against OpenSSL>=1.0.1
Added SPKAC support.
PDO_pgsql:
Fixed Bug #42614 (PDO_pgsql: add pg_get_notify support).
Fixed Bug #63657 (pgsqlCopyFromFile, pgsqlCopyToArray use Postgres < 7.3
syntax).
phpdbg:
Included phpdbg sapi (RFC: https://wiki.php.net/rfc/phpdbg).
pgsql:
pg_version() returns full report which obtained by PQparameterStatus().
Added pg_lo_truncate().
Added 64bit large object support for PostgreSQL 9.3 and later.
Session:
Fixed Bug #65315 (session.hash_function silently fallback to default md5)
Implemented Request #54649 (Create session_serializer_name()).
Implemented Request #17860 (Session write short circuit).
Implemented Request #20421 (session_abort() and session_reset() function).
Implemented Request #11100 (session_gc() function).
Standard:
Implemented FR #65634 (HTTP wrapper is very slow with protocol_version
1.1).
Implemented Change crypt() behavior w/o salt RFC.
https://wiki.php.net/rfc/crypt_function_salt
Implemented request #49824 (Change array_fill() to allow creating empty
array).
XMLReader:
Fixed bug #55285 (XMLReader::getAttribute/No/Ns methods inconsistency).
Zip:
update libzip to version 1.11.2.
PHP don't use any ilibzip private symbol anymore.
new method ZipArchive::setPassword($password).
add --with-libzip option to build with system libzip.
new methods:
ZipArchive::setExternalAttributesName($name, $opsys, $attr [, $flags])
ZipArchive::setExternalAttributesIndex($idx, $opsys, $attr [, $flags])
ZipArchive::getExternalAttributesName($name, &$opsys, &$attr [, $flags])
ZipArchive::getExternalAttributesIndex($idx, &$opsys, &$attr [, $flags])

New in PHP 5.5.11 (Apr 3, 2014)

New in PHP 5.5.10 RC1 (Feb 20, 2014)

New in PHP 5.5.7 (Dec 12, 2013)

New in PHP 5.5.6 (Nov 14, 2013)

New in PHP 5.5.5 (Oct 17, 2013)

Core:
Fixed bug #64979 (Wrong behavior of static variables in closure generators).
Fixed bug #65322 (compile time errors won't trigger auto loading).
Fixed bug #65821 (By-ref foreach on property access of string offset segfaults).
CLI Server:
Fixed bug #65633 (built-in server treat some http headers as case-sensitive).
Fixed bug #65818 (Segfault with built-in webserver and chunked transfer encoding).
Added application/pdf to PHP CLI Web Server mime types
Datetime:
Fixed bug #64157 (DateTime::createFromFormat() reports confusing error message).
Fixed bug #65502 (DateTimeImmutable::createFromFormat returns DateTime).
Fixed bug #65548 (Comparison for DateTimeImmutable doesn't work).
DBA:
Fixed bug #65708 (dba functions cast $key param to string in-place, bypassing copy on write).
Filter:
Add RFC 6598 IPs to reserved addresses.
Fixed bug #64441 (FILTER_VALIDATE_URL rejects fully qualified domain names).
FTP:
Fixed bug #65667 (ftp_nb_continue produces segfault).
GD:
Ensure that the defined interpolation method is used with the generic scaling methods.
IMAP:
Fixed bug #65721 (configure script broken in 5.5.4 and 5.4.20 when enabling imap).
OPCache:
Fixed bug #65845 (Error when Zend Opcache Optimizer is fully enabled).
Fixed bug #65665 (Exception not properly caught when opcache enabled).
Fixed bug #65510 (5.5.2 crashes in _get_zval_ptr_ptr_var).
Fixed issue #135 (segfault in interned strings if initial memory is too low).
Added function opcache_compile_file() to load PHP scripts into cache without execution.
Added support for GNU Hurd.
Sockets:
Fixed bug #65808 (the socket_connect() won't work with IPv6 address).
SPL:
Fixed bug #64782 (SplFileObject constructor make $context optional / give it a default value).
Standard:
Fixed bug #61548 content-type must appear at the end of headers for 201 Location to work in http.
XMLReader:
Fixed bug #51936 Crash with clone XMLReader.
Fixed bug #64230 XMLReader does not suppress errors.
Build system:
Fixed bug #51076 Race condition in shtool's mkdir -p implementation.
Fixed bug #62396 'make test' crashes starting with 5.3.14 (missing gzencode()).

New in PHP 5.5.3 (Aug 23, 2013)

New in PHP 5.5.2 (Aug 20, 2013)

Core:
Fixed bug #65372 (Segfault in gc_zval_possible_root when return reference fails).
Fixed value of FILTER_SANITIZE_FULL_SPECIAL_CHARS constant (previously was erroneously set to FILTER_SANITIZE_SPECIAL_CHARS value).
Fixed bug #65304 (Use of max int in array_sum).
Fixed bug #65291 (get_defined_constants() causes PHP to crash in a very limited case).
Fixed bug #62691 (solaris sed has no -i switch).
Fixed bug #61345 (CGI mode - make install don't work).
Fixed bug #61268 (--enable-dtrace leads make to clobber Zend/zend_dtrace.d).
DOM:
Added flags option to DOMDocument::schemaValidate() and DOMDocument::schemaValidateSource(). Added LIBXML_SCHEMA_CREATE flag.
OPcache:
Added opcache.restrict_api configuration directive that may limit usage of OPcahce API functions only to patricular script(s).
Added support for glob symbols in blacklist entries (?, *, **).
Fixed bug #65338 (Enabling both php_opcache and php_wincache AVs on shutdown).
Openssl:
Fixed handling null bytes in subjectAltName (CVE-2013-4248).
PDO_mysql:
Fixed bug #65299 (pdo mysql parsing errors).
Phar:
Fixed bug #65028 (Phar::buildFromDirectory creates corrupt archives for some specific contents).
Pgsql:
Fixed bug #62978 (Disallow possible SQL injections with pg_select()/pg_update() /pg_delete()/pg_insert()).
Fixed bug #65336 (pg_escape_literal/identifier() silently returns false).
Sessions:
Implemented strict sessions RFC (https://wiki.php.net/rfc/strict_sessions) which protects against session fixation attacks and session collisions (CVE-2011-4718).
Fixed possible buffer overflow under Windows. Note: Not a security fix.
Changed session.auto_start to PHP_INI_PERDIR.
SOAP:
Fixed bug #65018 (SoapHeader problems with SoapServer).
SPL:
Fixed bug #65328 (Segfault when getting SplStack object Value).
Added RecursiveTreeIterator setPostfix and getPostifx methods.
Fixed bug #61697 (spl_autoload_functions returns lambda functions incorrectly).
Streams:
Fixed bug #65268 (select() implementation uses outdated tick API).

New in PHP 5.5.1 (Jul 19, 2013)

Core:
Fixed bug #65254 (Exception not catchable when exception thrown in autoload with a namespace).
Fixed bug #65088 (Generated configure script is malformed on OpenBSD).
Fixed bug #65108 (is_callable() triggers Fatal Error).
Fixed bug #65035 (yield / exit segfault).
Fixed bug #65161 (Generator + autoload + syntax error = segfault).
Fixed bug #65226 (chroot() does not get enabled).
hex2bin() raises E_WARNING for invalid hex string.
OPcache:
Fixed bug #64827 (Segfault in zval_mark_grey (zend_gc.c)).
OPcache is now compatible with LiteSpeed SAPI.
CGI:
Fixed bug #65143 (Missing php-cgi man page).
CLI server:
Fixed bug #65066 (Cli server not responsive when responding with 422 http status code).
DateTime:
Fixed bug #65184 (strftime() returns insufficient-length string under multibyte locales).
GD:
Fixed bug #65070 (bgcolor does not use the same format as the input image with imagerotate).
Fixed bug #65060 (imagecreatefrom... crashes with user streams).
Fixed bug #65084 (imagecreatefromjpeg fails with URL).
Fix gdImageCreateFromWebpCtx and use same logic to load WebP image that other formats.
Intl:
Add IntlCalendar::setMinimalDaysInFirstWeek()/intlcal_set_minimal_days_in_first_week().
Fixed trailing space in name of constant IntlCalendar::FIELD_FIELD_COUNT.
Fixed bug #62759 (Buggy grapheme_substr() on edge case).
Fixed bug #61860 (Offsets may be wrong for grapheme_stri* functions).
OCI8:
Bump PECL package info version check to allow PECL installs with PHP 5.5+.
PDO:
Allowed PDO_OCI to compile with Oracle Database 12c client libraries.
Pgsql:
pg_unescape_bytea() raises E_WARNING for invalid inputs.
Phar:
Fixed bug #65142 (Missing phar man page).
Session:
Added optional create_sid() argument to session_set_save_handler(), SessionHandler and new SessionIdInterface.
Sockets:
#63472Setting SO_BINDTODEVICE with socket_set_option.
Allowed specifying paths in the abstract namespace for the functions socket_bind(), socket_connect() and socket_sendmsg().
Fixed bug #65260sendmsg() ancillary data construction for SCM_RIGHTS is faulty.
SPL:
Fixed bug #65136RecursiveDirectoryIterator segfault.
Fixed bug #61828Memleak when calling Directory(Recursive)Iterator/Spl(Temp)FileObject ctor twice.
CGI/FastCGI SAPI:
Added PHP_FCGI_BACKLOG, overrides the default listen backlog.

New in PHP 5.5.0 (Jun 21, 2013)

New in PHP 5.4.16 (Jun 7, 2013)

New in PHP 5.4.15 (May 9, 2013)

New in PHP 5.4.14 (Apr 11, 2013)

New in PHP 5.5.0 Alpha 6 (Mar 15, 2013)

New in PHP 5.4.12 (Feb 22, 2013)

New in PHP 5.4.10 (Dec 20, 2012)

New in PHP 5.4.9 (Nov 23, 2012)

New in PHP 5.4.7 (Sep 13, 2012)

Core:
Fixed bug (segfault while build with zts and GOTO vm-kind). (Laruence)
Fixed bug #62955 (Only one directive is loaded from "Per Directory Values"
Windows registry).
Fixed bug #62844 (parse_url() does not recognize //). (Andrew Faulds).
Fixed bug #62829 (stdint.h included on platform where HAVE_STDINT_H is not
set).
Fixed bug #62763 (register_shutdown_function and extending class).
Fixed bug #62725 (Calling exit() in a shutdown function does not return
the exit value).
Fixed bug #62744 (dangling pointers made by zend_disable_class).
Fixed bug #62716 (munmap() is called with the incorrect length).
Fixed bug #62358 (Segfault when using traits a lot).
Fixed bug #62328 (implementing __toString and a cast to string fails)
Fixed bug #51363 (Fatal error raised by var_export() not caught by error
handler).
Fixed bug #40459 (Stat and Dir stream wrapper methods do not call
constructor).
CURL:
Fixed bug #62912 (CURLINFO_PRIMARY_* AND CURLINFO_LOCAL_* not exposed).
Fixed bug #62839 (curl_copy_handle segfault with CURLOPT_FILE).
DateTime:
Fixed bug #62852 (Unserialize invalid DateTime causes crash).
Intl:
Fixed Spoofchecker not being registered on ICU 49.1.
Fix bug #62933 (ext/intl compilation error on icu 3.4.1).
Fix bug #62915 (defective cloning in several intl classes).
Installation:
Fixed bug #62460 (php binaries installed as binary.dSYM).
PCRE:
Fixed bug #55856 (preg_replace should fail on trailing garbage).
reg dot php at alf dot nu)
PDO:
Fixed bug #62685 (Wrong return datatype in PDO::inTransaction()).
Reflection:
Fixed bug #62892 (ReflectionClass::getTraitAliases crashes on importing
trait methods as private). (Felipe)
Fixed bug #62715 (ReflectionParameter::isDefaultValueAvailable() wrong
result). (Laruence)
Session:
Fixed bug (segfault due to retval is not initialized).
Fixed bug (segfault due to PS(mod_user_implemented) not be reseted
when close handler call exit).
SPL:
Fixed bug #62904 (Crash when cloning an object which inherits SplFixedArray)
Laruence)
Implemented FR #62840 (Add sort flag to ArrayObject::ksort).
Standard:
Fixed bug #62836 (Seg fault or broken object references on unserialize()).
FPM:
Merged PR 121 by minitux to add support for slow request counting on PHP
FPM status page. (Lars)

New in PHP 5.3.16 (Sep 13, 2012)

New in PHP 5.4.6 (Aug 16, 2012)

New in PHP 5.4.5 (Jul 19, 2012)

Core:
Fixed bug #62443 (Crypt SHA256/512 Segfaults With Malformed
Salt).
Fixed bug #62432 (ReflectionMethod random corrupt memory on high
concurrent).
Fixed bug #62373 (serialize() generates wrong reference to the object).
Fixed bug #62357 (compile failure: (S) Arguments missing for built-in
function __memcmp).
Fixed bug #61998 (Using traits with method aliases appears to result in
crash during execution).
Fixed bug #51094 (parse_ini_file() with INI_SCANNER_RAW cuts a value that
includes a semi-colon).
Fixed potential overflow in _php_stream_scandir (CVE-2012-2688).
EXIF:
Fixed information leak in ext exif
FPM:
Fixed bug #62205 (php-fpm segfaults (null passed to strstr)).
Fixed bug #62160 (Add process.priority to set nice(2) priorities).
Fixed bug #62153 (when using unix sockets, multiples FPM instances
Fixed bug #62033 (php-fpm exits with status 0 on some failures to start).
(fat)
Fixed bug #61839 (Unable to cross-compile PHP with --enable-fpm).
Fixed bug #61835 (php-fpm is not allowed to run as root).
Fixed bug #61295 (php-fpm should not fail with commented 'user'
Fixed bug #61218 (FPM drops connection while receiving some binary values
in FastCGI requests).
Fixed bug #61045 (fpm don't send error log to fastcgi clients).
for non-root start). (fat)
Fixed bug #61026 (FPM pools can listen on the same address).
can be launched without errors).
Iconv:
Fix bug #55042 (Erealloc in iconv.c unsafe).
Intl:
Fixed bug #62083 (grapheme_extract() memory leaks).
ResourceBundle constructor now accepts NULL for the first two arguments.
Fixed bug #62081 (IntlDateFormatter constructor leaks memory when called
twice).
Fixed bug #62070 (Collator::getSortKey() returns garbage).
Fixed bug #62017 (datefmt_create with incorrectly encoded timezone leaks
pattern).
Fixed bug #60785 (memory leak in IntlDateFormatter constructor).
JSON:
Fixed bug #61359 (json_encode() calls too many reallocs).
libxml:
Fixed bug #62266 (Custom extension segfaults during xmlParseFile with FPM
SAPI).
Phar:
Fixed bug #62227 (Invalid phar stream path causes crash).
Readline:
Fixed bug #62186 (readline fails to compile - void function should not
return a value).
Reflection:
Fixed bug #62384 (Attempting to invoke a Closure more than once causes
segfault).
Fixed bug #62202 (ReflectionParameter::getDefaultValue() memory leaks
with constant).
Sockets:
Fixed bug #62025 (__ss_family was changed on AIX 5.3).
SPL:
Fixed bug #62433 (Inconsistent behavior of RecursiveDirectoryIterator to
dot files).
Fixed bug #62262 (RecursiveArrayIterator does not implement Countable).
XML Writer:
Fixed bug #62064 (memory leak in the XML Writer module).
Zip:
Upgraded libzip to 0.10.1

New in PHP 5.4.4 (Jun 14, 2012)

New in PHP 5.4.3 (May 9, 2012)

New in PHP 5.4.2 (May 4, 2012)

New in PHP 5.4.1 (Apr 27, 2012)

New in PHP 5.3.11 (Apr 27, 2012)

Core:
Fixed bug #61650 (ini parser crashes when using ${xxxx} ini variables (without apache2)).
Fixed bug #61273 (call_user_func_array with more than 16333 arguments leaks / crashes).
Fixed bug #61165 (Segfault - strip_tags()).
Fixed bug #61095 (Incorect lexing of 0x00*+).
Fixed bug #61087 (Memory leak in parse_ini_file when specifying invalid scanner mode).
Fixed bug #61072 (Memory leak when restoring an exception handler).
Fixed bug #61058 (array_fill leaks if start index is PHP_INT_MAX).
Fixed bug #61000 (Exceeding max nesting level doesn't delete numerical vars).
Fixed bug #60895 (Possible invalid handler usage in windows random functions).
Fixed bug #60825 (Segfault when running symfony 2 tests).
Fixed bug #60801 (strpbrk() mishandles NUL byte).
Fixed bug #60569 (Nullbyte truncates Exception $message).
Fixed bug #60227 (header() cannot detect the multi-line header with CR).
Fixed bug #60222 (time_nanosleep() does validate input params).
Fixed bug #54374 (Insufficient validating of upload name leading to corrupted $_FILES indices). (CVE-2012-1172).
Fixed bug #52719 (array_walk_recursive crashes if third param of the function is by reference).
Improve performance of set_exception_handler while doing reset.
Fixed bug #51860 (Include fails with toplevel symlink to /).
DOM:
Added debug info handler to DOM objects.
FPM:
Fixed bug #61430 (Transposed memset() params in sapi/fpm/fpm/fpm_shm.)
Fixed bug #60811 (php-fpm compilation problem).
Fileinfo:
Upgraded libmagic to 5.
Fixed bug #61565 where php_stream_open_wrapper_ex tries to open a directory descriptor under windows.
Fixed bug #61566 failure caused by the posix lseek and read versions under windows in cdf_read().
Fixed bug #61173 (Unable to detect error from finfo constructor).
Firebird Database extension (ibase)
Fixed bug #60802 (ibase_trans() gives segfault when passing params).
Ibase
Fixed bug #60947 (Segmentation fault while executing ibase_db_info).
Installation:
Fixed bug #61172 (Add Apache 2.4 support).
mysqli:
Fixed bug #61003 (mysql_stat() require a valid connection).
PDO_mysql:
Fixed bug #61207 (PDO::nextRowset() after a multi-statement query doesn't always work).
Fixed bug #61194 (PDO should export compression flag with myslqnd).
PDO_odbc:
Fixed bug #61212 (PDO ODBC Segfaults on SQL_SUCESS_WITH_INFO).
PDO_pgsql:
Fixed bug #61267 (pdo_pgsql's PDO::exec() returns the number of SELECTed rows on postgresql >= 9).
PDO_Sqlite extension
Add createCollation support.
pgsql:
Fixed bug #60718 (Compile problem with libpq (PostgreSQL 7.3 or less).
Phar:
Fixed bug #61184 (Phar::webPhar() generates headers with trailing NUL bytes).
Readline:
Fixed bug #61088 (Memory leak in readline_callback_handler_install).
Add open_basedir checks to readline_write_history and readline_read_history.
Reflection"
Fixed bug #61388 (ReflectionObject:getProperties() issues invalid reads when get_properties returns a hash table with (inaccessible) dynamic numeric properties).
Fixed bug #60968 (Late static binding doesn't work with ReflectionMethod::invokeArgs()).
Session:
Fixed bug #60860 (session.save_handler=user without defined function core dumps).
Fixed bug #60634 (Segmentation fault when trying to die() in SessionHandler::write()).
SOAP:
Fixed bug #61423 (gzip compression fails).
Fixed bug #60887 (SoapClient ignores user_agent option and sends no User-Agent header).
Fixed bug #60842, Fixed bug #51775 (Chunked response parsing error when chunksize length line is > 10 bytes).
Fixed bug #49853 (Soap Client stream context header option ignored).
SPL:
Fixed memory leak when calling SplFileInfo's constructor twice.
Fixed bug #61418 (Segmentation fault when DirectoryIterator's or FilesystemIterator's iterators are requested more than once without having had its dtor callback called in between).
Fixed bug #61347 (inconsistent isset behavior of Arrayobject).
Fixed bug #61326 (ArrayObject comparison).
SQLite3 extension
Add createCollation() method.
Streams:
Fixed bug #61371 (stream_context_create() causes memory leaks on use streams_socket_create).
Fixed bug #61253 (Wrappers opened with errors concurrency problem on ZTS).
Fixed bug #61115 (stream related segfault on fatal error in php_stream_context_link).
Fixed bug #60817 (stream_get_line() reads from stream even when there is already sufficient data buffered). stream_get_line() now behaves more like fgets(), as is documented.
Further fix for bug Fixed bug #60455 (stream_get_line misbehaves if EOF is not detected together with the last read).
Fixed bug #60106 (stream_socket_server silently truncates long unix socket paths).
Tidy:
Fixed bug #54682 (tidy null pointer dereference).
XMLRPC:
Fixed bug #61264 (xmlrpc_parse_method_descriptions leaks temporary variable).
Fixed bug #61097 (Memory leak in xmlrpc functions copying zvals).
Zlib:
Fixed bug #61306 (initialization of global inappropriate for ZTS).
Fixed bug #61287 (A particular string fails to decompress).
Fixed bug #61139 (gzopen leaks when specifying invalid mode).

New in PHP 5.4.0 (Mar 3, 2012)

autoconf 2.59+ is now supported (and required) for generating the configure script with ./buildconf. Autoconf 2.60+ is desirable otherwise the configure help order may be incorrect.
Removed legacy features:
break/continue $var syntax.
Safe mode and all related ini options.
register_globals and register_long_arrays ini options.
import_request_variables().
allow_call_time_pass_reference.
define_syslog_variables ini option and its associated function.
highlight.bg ini option.
Session bug compatibility mode (session.bug_compat_42 and session.bug_compat_warn ini options).
session_is_registered(), session_register() and session_unregister() functions.
y2k_compliance ini option.
magic_quotes_gpc, magic_quotes_runtime and magic_quotes_sybase ini options. get_magic_quotes_gpc, get_magic_quotes_runtime are kept but always return false, set_magic_quotes_runtime raises an E_CORE_ERROR.
Removed support for putenv("TZ=..") for setting the timezone.
Removed the timezone guessing algorithm in case the timezone isn't set with date.timezone or date_default_timezone_set(). Instead of a guessed timezone, "UTC" is now used instead.
Moved extensions to PECL:
ext/sqlite. (Note: the ext/sqlite3 and ext/pdo_sqlite extensions are not affected)
General improvements:
Added short array syntax support ([1,2,3]), see UPGRADING guide for full details.
Added binary numbers format (0b001010).
Added support for Class::{expr}() syntax.
Added multibyte support by default. Previously php had to be compiled with enable-zend-multibyte. Now it can be enabled or disabled through zend.multibyte directive in php.ini.
Removed compile time dependency from ext/mbstring.
Added support for Traits.
Added closure $this support back.
Added array dereferencing support.
Added callable typehint.
Added indirect method call through array. #47160.
Added DTrace support.
Added class member access on instantiation (e.g. (new foo)->bar()) support.
is now always available regardless of the short_open_tag setting.
Implemented Zend Signal Handling (configurable option enable-zend-signals, off by default):
Improved output layer, see README.NEW-OUTPUT-API for internals.
Improved unix build system to allow building multiple PHP binary SAPIs and one SAPI module the same time. #53271, #52419.
Implemented closure rebinding as parameter to bindTo.
Improved the warning message of incompatible arguments.
Improved ternary operator performance when returning arrays.
Changed error handlers to only generate docref links when the docref_root INI setting is not empty.
Changed silent conversion of array to string to produce a notice.
Changed default value of "default_charset" php.ini option from ISO-8859-1 to UTF-8.
Changed silent casting of null/''/false into an Object when adding a property into a warning.
Changed E_ALL to include E_STRICT.
Disabled windows CRT warning by default, can be enabled again using the ini directive windows_show_crt_warnings.
Fixed bug #55378: Binary number literal returns float number though its value is small enough.
Improved Zend Engine memory usage:
Improved parse error messages.
Replaced zend_function.pass_rest_by_reference by ZEND_ACC_PASS_REST_BY_REFERENCE in zend_function.fn_flags.
Replaced zend_function.return_reference by ZEND_ACC_RETURN_REFERENCE in zend_function.fn_flags.
Removed zend_arg_info.required_num_args as it was only needed for internal functions. Now the first arg_info for internal functions (which has special meaning) is represented by zend_internal_function_info structure.
Moved zend_op_array.size, size_var, size_literal, current_brk_cont, backpatch_count into CG(context) as they are used only during compilation.
Moved zend_op_array.start_op into EG(start_op) as it's used only for 'interactive' execution of single top-level op-array.
Replaced zend_op_array.done_pass_two by ZEND_ACC_DONE_PASS_TWO in zend_op_array.fn_flags.
op_array.vars array is trimmed (reallocated) during pass_two.
Replaced zend_class_entry.constants_updated by ZEND_ACC_CONSTANTS_UPDATED in zend_class_entry.ce_flags.
Reduced the size of zend_class_entry by sharing the same memory space by different information for internal and user classes. See zend_class_entry.info union.
Reduced size of temp_variable.
Improved Zend Engine, performance tweaks and optimizations:
Inlined most probable code-paths for arithmetic operations directly into executor.
Eliminated unnecessary iterations during request startup/shutdown.
Changed $GLOBALS into a JIT autoglobal, so it's initialized only if used. (this may affect opcode caches!)
Improved performance of @ (silence) operator.
Simplified string offset reading. $str[1][0] is now a legal construct.
Added caches to eliminate repeatable run-time bindings of functions, classes, constants, methods and properties.
Added concept of interned strings. All strings constants known at compile time are allocated in a single copy and never changed.
ZEND_RECV now always has IS_CV as its result.
ZEND_CATCH now has to be used only with constant class names.
ZEND_FETCH_DIM_? may fetch array and dimension operands in different order.
Simplified ZEND_FETCH_*_R operations. They can't be used with the EXT_TYPE_UNUSED flag any more. This is a very rare and useless case. ZEND_FREE might be required after them instead.
Split ZEND_RETURN into two new instructions ZEND_RETURN and ZEND_RETURN_BY_REF.
Optimized access to global constants using values with pre-calculated hash_values from the literals table.
Optimized access to static properties using executor specialization. A constant class name may be used as a direct operand of ZEND_FETCH_* instruction without previous ZEND_FETCH_CLASS.
zend_stack and zend_ptr_stack allocation is delayed until actual usage.
Other improvements to Zend Engine:
Added an optimization which saves memory and emalloc/efree calls for empty HashTables.
Added ability to reset user opcode handlers.
Changed the structure of op_array.opcodes. The constant values are moved from opcode operands into a separate literal table.
Fixed (disabled) inline-caching for ZEND_OVERLOADED_FUNCTION methods.
Fixed bug #43200 (Interface implementation / inheritence not possible in abstract classes).
Improved core functions:
Added optional argument to debug_backtrace() and debug_print_backtrace() to limit the amount of stack frames returned.
Added hex2bin() function.
number_format() no longer truncates multibyte decimal points and thousand separators to the first byte. #53457.
Added support for object references in recursive serialize() calls. #36424.
Added support for SORT_NATURAL and SORT_FLAG_CASE in array sort functions (sort, rsort, ksort, krsort, asort, arsort and array_multisort). #55158.
Added stream metadata API support and stream_metadata() stream class handler.
User wrappers can now define a stream_truncate() method that responds to truncation, e.g. through ftruncate(). #53888.
Improved unserialize() performance.
Changed array_combine() to return empty array instead of FALSE when both parameter arrays are empty. #34857.
Fixed invalid free in call_user_method() function.
Fixed crypt_blowfish handling of 8-bit characters. (CVE-2011-2483).
Fixed bug #61095 (Incorect lexing of 0x00*+).
Fixed bug #60965 (Buffer overflow on htmlspecialchars/entities with $double=false).
Fixed bug #60895 (Possible invalid handler usage in windows random functions).
Fixed bug #60879 (unserialize() Does not invoke __wakeup() on object).
Fixed bug #60825 (Segfault when running symfony 2 tests).
Fixed bug #60809 (TRAITS - PHPDoc Comment Style Bug).
Fixed bug #60627 (httpd.worker segfault on startup with php_value).
Fixed bug #60613 (Segmentation fault with $cls->{expr}() syntax).
Fixed bug #60611 (Segmentation fault with Cls::{expr}() syntax).
Fixed bug #60558 (Invalid read and writes).
Fixed bug #60536 (Traits Segfault).
Fixed bug #60444 (Segmentation fault with include & class extending).
Fixed bug #60362 (non-existent sub-sub keys should not have values).
Fixed bug #60350 (No string escape code for ESC (ascii 27), normally \e).
Fixed bug #60321 (ob_get_status(true) no longer returns an array when buffer is empty).
Fixed bug #60282 (Segfault when using ob_gzhandler() with open buffers).
Fixed bug #60240 (invalid read/writes when unserializing specially crafted strings).
Fixed bug #60227 (header() cannot detect the multi-line header with CR(0x0D)).
Fixed bug #60174 (Notice when array in method prototype error).
Fixed bug #60169 (Conjunction of ternary and list crashes PHP).
Fixed bug #60120 (proc_open's streams may hang with stdin/out/err when
the data exceeds or is equal to 2048 bytes).
Fixed bug #60099 (__halt_compiler() works in braced namespaces).
Fixed bug #60038 (SIGALRM cause segfault in php_error_cb).
Fixed bug #55874 (GCC does not provide __sync_fetch_and_add on some archs).
Fixed bug #55871 (Interruption in substr_replace()).
Fixed bug #55825 (Missing initial value of static locals in trait methods).
Fixed bug #55801 (Behavior of unserialize has changed).
Fixed bug #55622 (memory corruption in parse_ini_string).
Fixed bug #55758 (Digest Authenticate missed in 5.4) .
Fixed bug #55748 (multiple NULL Pointer Dereference with zend_strndup()) (CVE-2011-4153).
Fixed bug #55749 (TOCTOU issue in getenv() on Windows builds).
Fixed bug #55705 (Omitting a callable typehinted argument causes a segfault).
Fixed bug #55475 (is_a() triggers autoloader, new optional 3rd argument to is_a and is_subclass_of).
Fixed bug #55471 (ZTS build broken with dtrace).
Fixed bug #55124 (recursive mkdir fails with current (dot) directory in path).
Fixed bug #55084 (Function registered by header_register_callback is called only once per process).
Implement #54514 (Get php binary path during script execution).
Fixed bug #52624 (tempnam() by-pass open_basedir with nonexistent directory).
Fixed bug #52211 (iconv() returns part of string on error).
Fixed bug #51860 (Include fails with toplevel symlink to /).
Improved generic SAPI support:
Added $_SERVER['REQUEST_TIME_FLOAT'] to include microsecond precision.
Added max_input_vars directive to prevent attacks based on hash collisions.
Added header_register_callback() which is invoked immediately prior to the sending of headers and after default headers have been added.
Added http_response_code() function. #52555.
Fixed bug #55500 (Corrupted $_FILES indices lead to security concern).
Fixed bug #54374 (Insufficient validating of upload name leading to corrupted $_FILES indices).
Improved Apache SAPI:
Fixed bug #60205 (possible integer overflow in content_length).
Improved CLI SAPI:
Added friendly log messages. #55109.
Added built-in web server that is intended for testing purpose.
Added command line option --rz which shows information of the named Zend extension.
Interactive readline shell improvements
Added "cli.pager" php.ini setting to set a pager for output.
Added "cli.prompt" php.ini setting to configure the shell prompt.
Added shortcut #inisetting=value to change ini settings at run-time.
Changed shell not to terminate on fatal errors.
Interactive shell works with shared readline extension. #53878.
Fixed bug #60591 (Memory leak when access a non-exists file).
Fixed bug #60523 (PHP Errors are not reported in browsers using built-in SAPI).
Fixed bug #60477 (Segfault after two multipart/form-data POST requests, one 200 RQ and one 404).
Implement #60390 (Missing $_SERVER['SERVER_PORT']).
Fixed bug #60180 ($_SERVER["PHP_SELF"] incorrect).
Fixed bug #60159 (Router returns false, but POST is not passed to requested resource).
Fixed bug #60146 (Last 2 lines of page not being output).
Fixed bug #60115 (memory definitely lost in cli server).
Fixed bug #60112 (If URI does not contain a file, index.php is not served).
Fixed bug #55759 (memory leak when using built-in server).
Fixed bug #55755 (SegFault when outputting header WWW-Authenticate).
Fixed bug #55747 (request headers missed in $_SERVER).
Fixed bug #55726 (Changing the working directory makes router script inaccessible).
Fixed bug #55463 (cli-server missing _SERVER[REMOTE_ADDR]).
Fixed bug #55450 (Built in web server not accepting file uploads).
Fixed bug #55423 (cli-server could not output correctly in some case).
Improved CGI/FastCGI SAPI:
Added apache compatible functions: apache_child_terminate(), getallheaders(), apache_request_headers() and apache_response_headers().
Improved performance of FastCGI request parsing.
Fixed reinitialization of SAPI callbacks after php_module_startup().
Improved PHP-FPM SAPI:
Added partial syslog support (on error_log only). #52052.
Added .phar to default authorized extensions.
Added process.max to control the number of process FPM can fork. #55166.
Dropped restriction of not setting the same value multiple times, the last one holds.
Lowered default value for Process Manager. #54098.
Enhanced security by limiting access to user defined extensions. #55181.
Enhanced error log when the primary script can't be open. #60199.
Removed EXPERIMENTAL flag.
Fixed bug #60659 (FPM does not clear auth_user on request accept).
Fixed bug #60629 (memory corruption when web server closed the fcgi fd).
Improved Litespeed SAPI:
Fixed bug #55769 (Make Fails with "Missing Separator" error).
Improved BCmath extension
Fixed bug #60377 (bcscale related crashes on 64bits platforms).
Improved CURL extension:
Added support for CURLOPT_MAX_RECV_SPEED_LARGE and CURLOPT_MAX_SEND_SPEED_LARGE. #51815.
Fixed bug #60439 (curl_copy_handle segfault when used with CURLOPT_PROGRESSFUNCTION).
Improved Date extension:
Added the + modifier to parseFromFormat to allow trailing text in the string to parse without throwing an error.
Improved DBA extension
Added Tokyo Cabinet abstract DB support.
Added Berkeley DB 5 support.
Improved DOM extension:
Added the ability to pass options to loadHTML.
Improved filesystem functions
scandir() now accepts SCANDIR_SORT_NONE as a possible sorting_order value. #53407.
Improved fileinfo extension:
Fixed possible memory leak in finfo_open().
Fixed memory leak when calling the Finfo constructor twice.
Fixed bug #60094 (C++ comment fails in c89).
Improved HASH extension:
Added Jenkins's one-at-a-time hash support.
Added FNV-1 hash support.
Made Adler32 algorithm faster. #53213.
Removed Salsa10/Salsa20, which are actually stream ciphers.
Fixed bug #60221 (Tiger hash output byte order).
Improved intl extension:
Added Spoofchecker class, allows checking for visibly confusable characters and other security issues.
Added Transliterator class, allowing transliteration of strings.
Added support for UTS #46.
Fixed memory leak in several Intl locale functions.
Fixed build on Fedora 15 / Ubuntu 11.
Fixed bug #55562 (grapheme_substr() returns false on big length).
Improved JSON extension:
Added new json_encode() option JSON_UNESCAPED_UNICODE. #53946.
Added JsonSerializable interface.
Added JSON_BIGINT_AS_STRING, extended json_decode() sig with $options.
Added support for JSON_NUMERIC_CHECK option in json_encode() that converts numeric strings to integers.
Added new json_encode() option JSON_UNESCAPED_SLASHES. #49366.
Added new json_encode() option JSON_PRETTY_PRINT. #44331.
Improved LDAP extension:
Added paged results support. #42060.
Improved mbstring extension:
Added Shift_JIS/UTF-8 Emoji (pictograms) support.
Added JIS X0213:2004 (Shift_JIS-2004, EUC-JP-2004, ISO-2022-JP-2004) support.
Ill-formed UTF-8 check for security enhancements.
Added MacJapanese (Shift_JIS) and gb18030 encoding support.
Added encode/decode in hex format to mb_[en|de]code_numericentity().
Added user JIS X0213:2004 (Shift_JIS-2004, EUC-JP-2004, ISO-2022-JP-2004) support.
Added the user defined area for CP936 and CP950.
Fixed possible crash in mb_ereg_search_init() using empty pattern.
Fixed bug #60306 (Characters lost while converting from cp936 to utf8).
Improved MS SQL extension:
Fixed bug #60267 (Compile failure with freetds 0.91).
Improved MySQL extensions
MySQL: Deprecated mysql_list_dbs(). #50667.
mysqlnd: Added named pipes support. #48082.
MySQLi: Added iterator support in MySQLi. mysqli_result implements Traversable.
PDO_mysql: Removed support for linking with MySQL client libraries older than 4.1.
ext/mysql, mysqli and pdo_mysql now use mysqlnd by default.
Fixed bug #55473 (mysql_pconnect leaks file descriptors on reconnect).
Fixed bug #55653 (PS crash with libmysql when binding same variable as param and out).
Improved OpenSSL extension:
Added AES support. #48632.
Added a "no_ticket" SSL context option to disable the SessionTicket TLS extension. #53447.
Added no padding option to openssl_encrypt()/openssl_decrypt().
Use php's implementation for Windows Crypto API in openssl_random_pseudo_bytes.
On error in openssl_random_pseudo_bytes() made sure we set strong result to false.
Fixed segfault with older versions of OpenSSL.
Fixed possible attack in SSL sockets with SSL 3.0 / TLS 1.0. CVE-2011-3389.
Fixed bug #61124 (Crash when decoding an invalid base64 encoded string).
Fixed bug #60279 (Fixed NULL pointer dereference in stream_socket_enable_crypto, case when ssl_handle of session_stream is not initialized.
Improved Oracle Database extension (OCI8):
Increased maximum Oracle error message buffer length for new 11.2.0.3 size.
Improved internal initalization failure error messages.
Fixed bug #59985 (show normal warning text for OCI_NO_DATA).
Improved PDO
Fixed PDO objects binary incompatibility.
PDO DBlib driver
Added nextRowset support.
Fixed bug #60033 (Incorrectly merged PDO dblib patches break uniqueidentifier column type).
Fixed bug #50755 (PDO DBLIB Fails with OOM).
Improved Pdo Firebird driver
Fixed bug #53280 (segfaults if query column count less than param count).
Fixed bug #48877 ("bindValue" and "bindParam" do not work for PDO Firebird).
Fixed bug #47415 (segfaults when passing lowercased column name to bindColumn).
Improved PostgreSQL extension:
Added support for "extra" parameter for PGNotify().
Improved preg extension:
Changed third parameter of preg_match_all() to optional. #53238.
Improved readline extension:
Fixed bug #54450 (Enable callback support when built against libedit).
Improved Reflection extension:
Added ReflectionClass::newInstanceWithoutConstructor() to create a new instance of a class without invoking its constructor. #55490.
Added ReflectionExtension::isTemporary() and ReflectionExtension::isPersistent() methods.
Added ReflectionZendExtension class.
Added ReflectionClass::isCloneable().
Fixed bug #60367 (Reflection and Late Static Binding).
Fixed bug #60357 (__toString() method triggers E_NOTICE "Array to string conversion").
Improved Session extension:
Expose session status via new function, session_status. #52982.
Added support for object-oriented session handlers.
Added support for storing upload progress feedback in session data.
Changed session.entropy_file to default to /dev/urandom or /dev/arandom if either is present at compile time.
Fixed bug #60860 (session.save_handler=user without defined function core dumps).
Implement #60551 (session_set_save_handler should support a core's session handler interface).
Fixed bug #60640 (invalid return values).
Improved SNMP extension
Added OO API. #53594 (php-snmp rewrite).
Sanitized return values of existing functions. Now it returns FALSE on failure.
Allow ~infinite OIDs in GET/GETNEXT/SET queries. Autochunk them to max_oids upon request.
Introducing unit tests for extension with ~full coverage. IPv6 support. (#42918)
Way of representing OID value can now be changed when SNMP_VALUE_OBJECT is used for value output mode. Use or'ed SNMP_VALUE_LIBRARY(default if not specified) or SNMP_VALUE_PLAIN. (#54502)
Fixed bug #60749 (SNMP module should not strip non-standard SNMP port from hostname).
Fixed bug #60585 (php build fails with USE flag snmp when IPv6 support is disabled).
Fixed bug #53862 (snmp_set_oid_output_format does not allow returning to default).
Fixed bug #51336 (snmprealwalk (snmp v1) does not handle end of OID tree correctly).
Fixed bug #46065 (snmp_set_quick_print() persists between requests).
Fixed bug #45893 (Snmp buffer limited to 2048 char).
Fixed bug #44193 (snmp v3 noAuthNoPriv doesn't work).
Improved SOAP extension
Added new SoapClient option "keep_alive". #60329.
Fixed basic HTTP authentication for WSDL sub requests.
Improved SPL extension:
Added RegexIterator::getRegex() method.
Added SplObjectStorage::getHash() hook.
Added CallbackFilterIterator and RecursiveCallbackFilterIterator.
Added missing class_uses(..) as pointed out by #55266.
Immediately reject wrong usages of directories under Spl(Temp)FileObject and friends.
FilesystemIterator, GlobIterator and (Recursive)DirectoryIterator now use the default stream context.
Fixed bug #60201 (SplFileObject::setCsvControl does not expose third argument via Reflection).
Fixed bug #55807 (Wrong value for splFileObject::SKIP_EMPTY).
Fixed bug #55287 (spl_classes() not includes CallbackFilter classes)
Improved Sysvshm extension:
Fixed bug #55750 (memory copy issue in sysvshm extension).
Improved Tidy extension:
Fixed bug #54682 (Tidy::diagnose() NULL pointer dereference).
Improved Tokenizer extension:
Fixed bug #54089 (token_get_all with regards to __halt_compiler is not binary safe).
Improved XSL extension:
Added XsltProcessor::setSecurityPrefs($options) and getSecurityPrefs() to define forbidden operations within XSLT stylesheets, default is not to enable write operations from XSLT. Fixed bug #54446.
XSL doesn't stop transformation anymore, if a PHP function can't be called
Improved ZLIB extension:
Re-implemented non-file related functionality.
Fixed bug #55544 (ob_gzhandler always conflicts with zlib.output_compression).

New in PHP 5.3.10 (Feb 3, 2012)

New in PHP 5.3.9 (Jan 11, 2012)

Core:
Added max_input_vars directive to prevent attacks based on hash collisions (Dmitry).
Fixed bug #60205 (possible integer overflow in content_length). (Laruence)
Fixed bug #60139 (Anonymous functions create cycles not detected by the GC). (Dmitry)
Fixed bug #60138 (GC crash with referenced array in RecursiveArrayIterator) (Dmitry).
Fixed bug #60120 (proc_open's streams may hang with stdin/out/err when the data exceeds or is equal to 2048 bytes). (Pierre, Pascal Borreli)
Fixed bug #60099 (__halt_compiler() works in braced namespaces). (Felipe)
Fixed bug #60019 (Function time_nanosleep() is undefined on OS X). (Ilia)
Fixed bug #55874 (GCC does not provide __sync_fetch_and_add on some archs). (klightspeed at netspace dot net dot au)
Fixed bug #55798 (serialize followed by unserialize with numeric object prop. gives integer prop). (Gustavo)
Fixed bug #55749 (TOCTOU issue in getenv() on Windows builds). (Pierre)
Fixed bug #55707 (undefined reference to `__sync_fetch_and_add_4' on Linux parisc). (Felipe)
Fixed bug #55674 (fgetcsv & str_getcsv skip empty fields in some tab-separated records). (Laruence)
Fixed bug #55649 (Undefined function Bug()). (Laruence)
Fixed bug #55622 (memory corruption in parse_ini_string). (Pierre)
Fixed bug #55576 (Cannot conditionally move uploaded file without race condition). (Gustavo)
Fixed bug #55510: $_FILES 'name' missing first character after upload. (Arpad)
Fixed bug #55509 (segfault on x86_64 using more than 2G memory). (Laruence)
Fixed bug #55504 (Content-Type header is not parsed correctly on HTTP POST request). (Hannes)
Fixed bug #55475 (is_a() triggers autoloader, new optional 3rd argument to is_a and is_subclass_of). (alan_k)
Fixed bug #52461 (Incomplete doctype and missing xmlns). (virsacer at web dot de, Pierre)
Fixed bug #55366 (keys lost when using substr_replace an array). (Arpad)
Fixed bug #55273 (base64_decode() with strict rejects whitespace after pad). (Ilia)
Fixed bug #52624 (tempnam() by-pass open_basedir with nonnexistent directory). (Felipe)
Fixed bug #50982 (incorrect assumption of PAGE_SIZE size). (Dmitry)
Fixed invalid free in call_user_method() function. (Felipe)
Fixed bug #43200 (Interface implementation / inheritence not possible in abstract classes). (Felipe)
BCmath:
Fixed bug #60377 (bcscale related crashes on 64bits platforms). (shm)
Calendar:
Fixed bug #55797 (Integer overflow in SdnToGregorian leads to segfault (in optimized builds). (Gustavo)
cURL:
Fixed bug #60439 (curl_copy_handle segfault when used with CURLOPT_PROGRESSFUNCTION). (Pierrick)
Fixed bug #54798 (Segfault when CURLOPT_STDERR file pointer is closed before calling curl_exec). (Hannes)
Fixed issues were curl_copy_handle() would sometimes lose copied preferences. (Hannes)
DateTime:
Fixed bug #60373 (Startup errors with log_errors on cause segfault). (Derick)
Fixed bug #60236 (TLA timezone dates are not converted properly from timestamp). (Derick)
Fixed bug #55253 (DateTime::add() and sub() result -1 hour on objects with time zone type 2). (Derick)
Fixed bug #54851 (DateTime::createFromFormat() doesn't interpret "D"). (Derick)
Fixed bug #53502 (strtotime with timezone memory leak). (Derick)
Fixed bug #52062 (large timestamps with DateTime::getTimestamp and DateTime::setTimestamp). (Derick)
Fixed bug #51994 (date_parse_from_format is parsing invalid date using 'yz' format). (Derick)
Fixed bug #52113 (Seg fault while creating (by unserialization) DatePeriod). (Derick)
Fixed bug #48476 (cloning extended DateTime class without calling parent::__constr crashed PHP). (Hannes)
EXIF:
Fixed bug #60150 (Integer overflow during the parsing of invalid exif header). (Stas, flolechaud at gmail dot com)
Fileinfo:
Fixed bug #60094 (C++ comment fails in c89). (Laruence)
Fixed possible memory leak in finfo_open(). (Felipe)
Fixed memory leak when calling the Finfo constructor twice. (Felipe)
Filter:
Fixed Bug #55478 (FILTER_VALIDATE_EMAIL fails with internationalized domain name addresses containing >1 -). (Ilia)
FTP:
Fixed bug #60183 (out of sync ftp responses). (bram at ebskamp dot me, rasmus)
Gd:
Fixed bug #60160 (imagefill() doesn't work correctly for small images). (Florian)
Intl:
Fixed bug #60192 (SegFault when Collator not constructed properly). (Florian)
Fixed memory leak in several Intl locale functions. (Felipe)
JSON:
Fixed bug #55543 (json_encode() with JSON_NUMERIC_CHECK fails on objects with numeric string properties). (Ilia, dchurch at sciencelogic dot com)
mbstring:
Fixed possible crash in mb_ereg_search_init() using empty pattern. (Felipe)
MS SQL:
Fixed bug #60267 (Compile failure with freetds 0.91). (Felipe)
MySQL:
Fixed bug #55550 (mysql.trace_mode miscounts result sets). (Johannes)
MySQLi extension:
Fixed bug #55859 (mysqli->stat property access gives error). (Andrey)
Fixed bug #55582 (mysqli_num_rows() returns always 0 for unbuffered, when mysqlnd is used). (Andrey)
Fixed bug #55703 (PHP crash when calling mysqli_fetch_fields). (eran at zend dot com, Laruence)
mysqlnd:
Fixed bug #55609 (mysqlnd cannot be built shared). (Johannes)
Fixed bug #55067 (MySQL doesn't support compression - wrong config option). (Andrey)
NSAPI SAPI:
Don't set $_SERVER['HTTPS'] on unsecure connection (bug #55403). (Uwe Schindler)
OpenSSL:
Fixed bug #60279 (Fixed NULL pointer dereference in stream_socket_enable_crypto, case when ssl_handle of session_stream is not initialized.) (shm)
Fix segfault with older versions of OpenSSL. (Scott)
Oracle Database extension (OCI8):
Fixed bug #59985 (show normal warning text for OCI_NO_DATA). (Chris Jones)
Increased maximum Oracle error message buffer length for new 11.2.0.3 size. (Chris Jones)
Improve internal initalization failure error messages. (Chris Jones)
PDO:
Fixed bug #55776 (PDORow to session bug). (Johannes)
PDO Firebird:
Fixed bug #48877 ("bindValue" and "bindParam" do not work for PDO Firebird). (Mariuz)
Fixed bug #47415 (PDO_Firebird segfaults when passing lowercased column name to bindColumn).
Fixed bug #53280 (PDO_Firebird segfaults if query column count less than param count). (Mariuz)
PDO MySQL driver:
Fixed bug #60155 (pdo_mysql.default_socket ignored). (Johannes)
Fixed bug #55870 (PDO ignores all SSL parameters when used with mysql native driver). (Pierre)
Fixed bug #54158 (MYSQLND+PDO MySQL requires #define MYSQL_OPT_LOCAL_INFILE). (Andrey)
PDO OCI driver:
Fixed bug #55768 (PDO_OCI can't resume Oracle session after it's been killed). (mikhail dot v dot gavrilov at gmail dot com, Chris Jones, Tony)
Phar:
Fixed bug #60261 (NULL pointer dereference in phar). (Felipe)
Fixed bug #60164 (Stubs of a specific length break phar_open_from_fp scanning for __HALT_COMPILER). (Ralph Schindler)
Fixed bug #53872 (internal corruption of phar). (Hannes)
Fixed bug #52013 (Unable to decompress files in a compressed phar). (Hannes)
PHP-FPM SAPI:
Fixed bug #60659 (FPM does not clear auth_user on request accept). (bonbons at linux-vserver dot org)
Fixed bug #60629 (memory corruption when web server closed the fcgi fd). (fat)
Fixed bug #60179 (php_flag and php_value does not work properly). (fat)
Fixed bug #55526 (Heartbeat causes a lot of unnecessary events). (fat)
Fixed bug #55533 (The -d parameter doesn't work). (fat)
Implemented FR #52569 (Add the "ondemand" process-manager to allow zero children). (fat)
Fixed bug #55486 (status show BIG processes number). (fat)
Fixed bug #55577 (status.html does not install). (fat)
Backported from 5.4 branch (Dropped restriction of not setting the same value multiple times, the last one holds). (giovanni at giacobbi dot net, fat)
Backported FR #55166 from 5.4 branch (Added process.max to control the number of process FPM can fork). (fat)
Backported FR #55181 from 5.4 branch (Enhance security by limiting access to user defined extensions). (fat)
Backported FR #54098 from 5.4 branch (Lowered process manager default value). (fat)
Backported FR #52052 from 5.4 branch (Added partial syslog support). (fat)
Implemented FR #54577 (Enhanced status page with full status and details about each processes. Also provide a web page (status.html) for real-time FPM status. (fat)
Enhance error log when the primary script can't be open. FR #60199. (fat)
Added .phar to default authorized extensions. (fat)
Postgres:
Fixed bug #60244 (pg_fetch_* functions do not validate that row param is >0). (Ilia)
Reflection:
Fixed bug #60367 (Reflection and Late Static Binding). (Laruence)
Session:
Fixed bug #55267 (session_regenerate_id fails after header sent). (Hannes)
SimpleXML:
Reverted the SimpleXML->query() behaviour to returning empty arrays instead of false when no nodes are found as it was since 5.3.3 (bug #48601). (chregu, rrichards)
SOAP:
Fixed bug #54911 (Access to a undefined member in inherit SoapClient may cause Segmentation Fault). (Dmitry)
Fixed bug #48216 (PHP Fatal error: SOAP-ERROR: Parsing WSDL: Extra content at the end of the doc, when server uses chunked transfer encoding with spaces after chunk size). (Dmitry)
Fixed bug #44686 (SOAP-ERROR: Parsing WSDL with references). (Dmitry)
Sockets:
Fixed bug #60048 (sa_len a #define on IRIX). (china at thewrittenword dot com)
SPL:
Fixed bug #60082 (Crash in ArrayObject() when using recursive references). (Tony)
Fixed bug #55807 (Wrong value for splFileObject::SKIP_EMPTY). (jgotti at modedemploi dot fr, Hannes)
Fixed bug #54304 (RegexIterator::accept() doesn't work with scalar values). (Hannes)
Streams:
Fixed bug #60455 (stream_get_line misbehaves if EOF is not detected together with the last read). (Gustavo)
Tidy:
Fixed bug #54682 (Tidy::diagnose() NULL pointer dereference). (Maksymilian Arciemowicz, Felipe)
XSL:Added xsl.security_prefs ini option to define forbidden operations within XSLT stylesheets, default is not to enable write operations. This option won't be in 5.4, since there's a new method. Fixes Bug #54446. (Chregu, Nicolas Gregoire)

New in PHP 5.4.0 RC 2 (Dec 9, 2011)

Core:
Fixed bug #60227 (header() cannot detect the multi-line header with CR(0x0D)). (rui)
Fixed bug #60099 (__halt_compiler() works in braced namespaces). (Felipe)
Fixed bug #55874 (GCC does not provide __sync_fetch_and_add on some archs). (klightspeed at netspace dot net dot au)
Fixed bug #52624 (tempnam() by-pass open_basedir with nonexistent directory). (Felipe)
Fixed bug #55748 (multiple NULL Pointer Dereference with zend_strndup()) (CVE-2011-4153). (Stas)
Fixed invalid free in call_user_method() function. (Felipe)
Zend Engine:
Fixed bug #43200 (Interface implementation / inheritence not possible in abstract classes). (Felipe)
CLI SAPI:
Fixed bug #60159 (Router returns false, but POST is not passed to requested resource). (Laruence)
Fixed bug #55759 (memory leak when using built-in server). (Laruence)
Improved PHP-FPM SAPI:
Enhance error log when the primary script can't be open. FR #60199. (fat)
Remove EXPERIMENTAL flag. (fat)
Added .phar to default authorized extensions. (fat)
BCmath:
Fixed bug #60377 (bcscale related crashes on 64bits platforms) (shm)
Fileinfo:
Fixed possible memory leak in finfo_open(). (Felipe)
Fixed memory leak when calling the Finfo constructor twice. (Felipe)
Intl:
Fixed memory leak in several Intl locale functions. (Felipe)
Mbstring:
Fixed bug #60306 (Characters lost while converting from cp936 to utf8). (Laruence)
Fixed possible crash in mb_ereg_search_init() using empty pattern. (Felipe)
MS SQL:
Fixed bug #60267 (Compile failure with freetds 0.91). (Felipe)
OpenSSL:
Fixed bug #60279 (Fixed NULL pointer dereference in stream_socket_enable_crypto, case when ssl_handle of session_stream is not initialized.) (shm)
Oracle Database extension (OCI8):
Fixed bug #59985 (show normal warning text for OCI_NO_DATA) (Chris Jones)
Output:
Fixed bug #60321 (ob_get_status(true) no longer returns an array when buffer is empty). (Pierrick)
Fixed bug #60282 (Segfault when using ob_gzhandler() with open buffers).(Laruence)
Reflection:
Fixed bug #60357 (__toString() method triggers E_NOTICE "Array to string conversion"). (Laruence)
SOAP extension:
Added new SoapClient option "keep_alive". FR #60329. (Pierrick)
Tidy:
Fixed bug #54682 (Tidy::diagnose() NULL pointer dereference). (Maksymilian Arciemowicz, Felipe)

New in PHP 5.4.0 Alpha 3 (Aug 12, 2011)

New in PHP 5.4.0 Alpha 2 (Aug 12, 2011)

New in PHP 5.4.0 Alpha 1 (Jul 1, 2011)

New in PHP 5.3.6 (Mar 18, 2011)

Upgraded bundled Sqlite3 to version 3.7.4. (Ilia)
Upgraded bundled PCRE to version 8.11. (Ilia)
Zend Engine:
Indirect reference to $this fails to resolve if direct $this is never used in method.
Added options to debug backtrace functions. (Stas)
Fixed bug numerous crashes due to setlocale (crash on error, pcre, mysql etc.) on Windows in thread safe mode. (Pierre)
Fixed Bug #53971 (isset() and empty() produce apparently spurious runtime error). (Dmitry)
Fixed Bug #53958 (Closures can't 'use' shared variables by value and by reference). (Dmitry)
Fixed Bug #53629 (memory leak inside highlight_string()). (Hannes, Ilia)
Fixed Bug #51458 (Lack of error context with nested exceptions). (Stas)
Fixed Bug #47143 (Throwing an exception in a destructor causes a fatal error). (Stas)
Fixed bug #43512 (same parameter name can be used multiple times in
method/function definition). (Felipe)
Core:
Added ability to connect to HTTPS sites through proxy with basic authentication using stream_context/http/header/Proxy-Authorization (Dmitry)
Changed default value of ini directive serialize_precision from 100 to 17.
Fixed bug #54055 (buffer overrun with high values for precision ini setting).
Fixed bug #53959 (reflection data for fgetcsv out-of-date). (Richard)
Fixed bug #53577 (Regression introduced in 5.3.4 in open_basedir with a trailing forward slash). (lekensteyn at gmail dot com, Pierre)
Fixed bug #53682 (Fix compile on the VAX). (Rasmus, jklos)
Fixed bug #48484 (array_product() always returns 0 for an empty array).
Fixed bug #48607 (fwrite() doesn't check reply from ftp server before exiting).
Calendar extension:
Fixed bug #53574 (Integer overflow in SdnToJulian, sometimes leading to segfault).
DOM extension:
Implemented FR #39771 (Made DOMDocument::saveHTML accept an optional DOMNode like DOMDocument::saveXML).
DateTime extension:
Fixed a bug in DateTime->modify() where absolute date/time statements had no effect. (Derick)
Fixed bug #53729 (DatePeriod fails to initialize recurrences on 64bit big-endian systems).
Fixed bug #52808 (Segfault when specifying interval as two dates). (Stas)
Fixed bug #52738 (Can't use new properties in class extended from DateInterval).
Fixed bug #52290 (setDate, setISODate, setTime works wrong when DateTime created from timestamp).
Fixed bug #52063 (DateTime constructor's second argument doesn't have a null default value). (Gustavo, Stas)
Exif extension:
Fixed bug #54002
Filter extension:
Fixed bug #53924 (FILTER_VALIDATE_URL doesn't validate port number).
Fixed bug #53150 (FILTER_FLAG_NO_RES_RANGE is missing some IP ranges).
Fixed bug #52209 (INPUT_ENV returns NULL for set variables (CLI)). (Ilia)
Fixed bug #47435 (FILTER_FLAG_NO_RES_RANGE don't work with ipv6).
Fileinfo extension:
Fixed bug #54016 (finfo_file() Cannot determine filetype in archives).
Gettext:
Fixed bug #53837 (_() crashes on Windows when no LANG or LANGUAGE environment variable are set).
IMAP extension:
Implemented FR #53812 (get MIME headers of the part of the email). (Stas)
Fixed bug #53377 (imap_mime_header_decode() doesn't ignore \t during long MIME header unfolding). (Adam)
Intl extension:
Fixed bug #53612 (Segmentation fault when using cloned several intl
objects).
Fixed bug #53512 (NumberFormatter::setSymbol crash on bogus $attr values).
Implemented clone functionality for number, date & message formatters.
JSON extension:
Fixed bug #53963 (Ensure error_code is always set during some failed
decodings).
mysqlnd:
Fixed problem with always returning 0 as num_rows for unbuffered sets.
MySQL Improved extension:
Added 'db' and 'catalog' keys to the field fetching functions (FR #39847).
Fixed buggy counting of affected rows when using the text protocol. The
collected statistics were wrong when multi_query was used with mysqlnd
Fixed bug #53795 (Connect Error from MySqli (mysqlnd) when using SSL).
Fixed bug #53503 (mysqli::query returns false after successful LOAD DATA
query).
Fixed bug #53425 (mysqli_real_connect() ignores client flags when built to
call libmysql).
OpenSSL extension:
Fixed stream_socket_enable_crypto() not honoring the socket timeout in
server mode. (Gustavo)
Fixed bug #54060 (Memory leaks when openssl_encrypt). (Pierre)
Fixed bug #54061 (Memory leaks when openssl_decrypt). (Pierre)
Fixed bug #53592 (stream_socket_enable_crypto() busy-waits in client mode).
Implemented FR #53447 (Cannot disable SessionTicket extension for servers
that do not support it) by adding a no_ticket SSL context option.
PDO MySQL driver:
Fixed bug #53551 (PDOStatement execute segfaults for pdo_mysql driver).
Implemented FR #47802 (Support for setting character sets in DSN strings).
PDO Oracle driver:
Fixed bug #39199 (Cannot load Lob data with more than 4000 bytes on
ORACLE 10).
PDO PostgreSQL driver:
Fixed bug #53517 (segfault in pgsql_stmt_execute() when postgres is down).
Phar extension:
Fixed bug #54247 (format-string vulnerability on Phar).
(CVE-2011-1153)
Fixed bug #53541 (format string bug in ext/phar).
Fixed bug #53898 (PHAR reports invalid error message, when the directory
does not exist). (Ilia)
PHP-FPM SAPI:
Enforce security in the fastcgi protocol parsing.
Fixed bug #53777 (php-fpm log format now match php_error log format).
Fixed bug #53527 (php-fpm --test doesn't set a valuable return value).
Fixed bug #53434 (php-fpm slowlog now also logs the original request).
Readline extension:
Fixed bug #53630 (Fixed parameter handling inside readline() function).
Reflection extension:
Fixed bug #53915 (ReflectionClass::getConstant(s) emits fatal error on
constants with self::).
Shmop extension:
Fixed bug #54193 (Integer overflow in shmop_read()).
Reported by Jose Carlos Norte (CVE-2011-1092)
SNMP extension:
Fixed bug #51336 (snmprealwalk (snmp v1) does not handle end of OID tree
correctly).
SOAP extension:
Fixed possible crash introduced by the NULL poisoning patch.
SPL extension:
Fixed memory leak in DirectoryIterator::getExtension() and
SplFileInfo::getExtension().
Fixed bug #53914 (SPL assumes HAVE_GLOB is defined).
Fixed bug #53515 (property_exists incorrect on ArrayObject null and 0 values).
Fixed bug #49608 (Using CachingIterator on DirectoryIterator instance
segfaults).
Added SplFileInfo::getExtension(). FR #48767. (Peter Cowburn)
SQLite3 extension:
Fixed memory leaked introduced by the NULL poisoning patch.
Mateusz Kocielski, Pierre)
Fixed memory leak on SQLite3Result and SQLite3Stmt when assigning to a
reference.
Add SQlite3_Stmt::readonly() for checking if a statement is read only.
Implemented FR #53466 (SQLite3Result::columnType() should return false after all of the rows have been fetched). (Scott)
Streams:
Fixed bug #54092 (Segmentation fault when using HTTP proxy with the FTP
wrapper).
Fixed bug #53913 (Streams functions assume HAVE_GLOB is defined).
Fixed bug #53903 (userspace stream stat callback does not separate the
elements of the returned array before converting them).
Implemented FR #26158 (open arbitrary file descriptor with fopen).
Tokenizer Extension
Fixed bug #54089 (token_get_all() does not stop after __halt_compiler).
XSL extension:
Fixed memory leaked introduced by the NULL poisoning patch.
Zip extension:
Added the filename into the return value of stream_get_meta_data().
Fixed bug #53923 (Zip functions assume HAVE_GLOB is defined). (Adam)
Fixed bug #53893 (Wrong return value for ZipArchive::extractTo()). (Pierre)
Fixed bug #53885 (ZipArchive segfault with FL_UNCHANGED on empty archive). (CVE-2011-0421)
Fixed bug #53854 (Missing constants for compression type).
Fixed bug #53603 (ZipArchive should quiet stat errors).
Fixed bug #53579 (stream_get_contents() segfaults on ziparchive streams).
Fixed bug #53568 (swapped memset arguments in struct initialization).
Fixed bug #53166 (Missing parameters in docs and reflection definition).
Fixed bug #49072 (feof never returns true for damaged file in zip).

New in PHP 5.3.5 (Mar 11, 2011)

New in PHP 5.3.4 (Dec 10, 2010)

New in PHP 5.3.3 (Aug 10, 2010)

Methods with the same name as the last element of a namespaced class name will no longer be treated as constructor. This change doesn't affect non-namespaced classes.
There is no impact on migration from 5.2.x because namespaces were only introduced in PHP 5.3.
Security Enhancements and Fixes:
Rewrote var_export() to use smart_str rather than output buffering, prevents data disclosure if a fatal error occurs (CVE-2010-2531).
Fixed a possible resource destruction issues in shm_put_var().
Fixed a possible information leak because of interruption of XOR operator.
Fixed a possible memory corruption because of unexpected call-time pass by refernce and following memory clobbering through callbacks.
Fixed a possible memory corruption in ArrayObject::uasort().
Fixed a possible memory corruption in parse_str().
Fixed a possible memory corruption in pack().
Fixed a possible memory corruption in substr_replace().
Fixed a possible memory corruption in addcslashes().
Fixed a possible stack exhaustion inside fnmatch().
Fixed a possible dechunking filter buffer overflow.
Fixed a possible arbitrary memory access inside sqlite extension.
Fixed string format validation inside phar extension.
Fixed handling of session variable serialization on certain prefix characters.
Fixed a NULL pointer dereference when processing invalid XML-RPC requests (Fixes CVE-2010-0397, bug #51288).
Fixed SplObjectStorage unserialization problems (CVE-2010-2225).
Fixed possible buffer overflows in mysqlnd_list_fields, mysqlnd_change_user.
Fixed possible buffer overflows when handling error packets in mysqlnd.
Key enhancements:
Upgraded bundled sqlite to version 3.6.23.1.
Upgraded bundled PCRE to version 8.02.
Added FastCGI Process Manager (FPM) SAPI.
Added stream filter support to mcrypt extension.
Added full_special_chars filter to ext/filter.
Fixed a possible crash because of recursive GC invocation.
Fixed bug #52238 (Crash when an Exception occured in iterator_to_array).
Fixed bug #52041 (Memory leak when writing on uninitialized variable returned from function).
Fixed bug #52060 (Memory leak when passing a closure to method_exists()).
Fixed bug #52001 (Memory allocation problems after using variable variables).
Fixed bug #51723 (Content-length header is limited to 32bit integer with Apache2 on Windows).
Fixed bug #48930 (__COMPILER_HALT_OFFSET__ incorrect in PHP >= 5.3).

New in PHP 5.3.2 (Mar 4, 2010)

New in PHP 5.3.1 (Nov 20, 2009)

Security Fixes
Added "max_file_uploads" INI directive, which can be set to limit the number of file uploads per-request to 20 by default, to prevent possible DOS via temporary file exhaustion. (Ilia)
Added missing sanity checks around exif processing. (Ilia)
Fixed a safe_mode bypass in tempnam(). (Rasmus)
Fixed a open_basedir bypass in posix_mkfifo(). (Rasmus)
Fixed bug #50063 (safe_mode_include_dir fails). (Johannes, christian at elmerot dot se)
Added error constant when json_encode() detects an invalid UTF-8 sequence. (Scott)
Added support for ACL on Windows for thread safe SAPI (Apache2 for example) and fix its support on NTS. (Pierre)
Upgraded bundled sqlite to version 3.6.19. (Scott)
Updated timezone database to version 2009.17 (2009q). (Derick)
Fixed crash in com_print_typeinfo when an invalid typelib is given. (Pierre)
Fixed a safe_mode bypass in tempnam() identified by Grzegorz Stachowiak. (Rasmus)
Fixed a open_basedir bypass in posix_mkfifo() identified by Grzegorz Stachowiak. (Rasmus)
Fixed certificate validation inside php_openssl_apply_verification_policy (Ryan Sleevi, Ilia)
Fixed crash in SQLiteDatabase::ArrayQuery() and SQLiteDatabase::SingleQuery() when calling using Reflection. (Felipe)
Fixed crash when instantiating PDORow and PDOStatement through Reflection. (Felipe)
Fixed sanity check for the color index in imagecolortransparent. (Pierre)
Fixed scandir/readdir when used mounted points on Windows. (Pierre)
Fixed zlib.deflate compress filter to actually accept level parameter. (Jani)
Fixed leak on error in popen/exec (and related functions) on Windows. (Pierre)
Fixed possible bad caching of symlinked directories in the realpath cache on Windows. (Pierre)
Fixed atime and mtime in stat related functions on Windows. (Pierre)
Fixed spl_autoload_unregister/spl_autoload_functions wrt. Closures and Functors. (Christian Seiler)
Fixed open_basedir circumvention for "mail.log" ini directive. (Maksymilian Arciemowicz, Stas)
Fixed signature generation/validation for zip archives in ext/phar. (Greg)
Fixed memory leak in stream_is_local(). (Felipe, Tony)
Fixed BC break in mime_content_type(), removes the content encoding. (Scott)
Changed ini file directives [PATH=](on Win32) and [HOST=](on all) to be case insensitive (garretts)
Restored shebang line check to CGI sapi (not checked by scanner anymore). (Jani)
Improve symbolic, mounted volume and junctions support for realpath on Windows. (Pierre)
Improved readlink on Windows, suppress ?? and use the drive syntax only. (Pierre)
Improved dns_get_record() AAAA support on windows. Always available when IPv6 is support is installed, format is now the same than on unix. (Pierre)
Improved the DNS functions on OSX to use newer APIs, also use Bind 9 API where available on other platforms. (Scott)
Improved shared extension loading on OSX to use the standard Unix dlopen() API. (Scott)
Fixed bug #50063 (safe_mode_include_dir fails). (Johannes, christian at elmerot dot se)
Fixed bug #50052 (Different Hashes on Windows and Linux on wrong Salt size). (Pierre)
Fixed bug #49910 (no support for ././@LongLink for long filenames in phar tar support). (Greg)
Fixed bug #49908 (throwing exception in __autoload crashes when interface is not defined). (Felipe)
Fixed bug #49847 (exec() fails to return data inside 2nd parameter, given output lines >4095 bytes). (Ilia)
Fixed bug #49809 (time_sleep_until() is not available on OpenSolaris). (Jani)
Fixed bug #49757 (long2ip() can return wrong value in a multi-threaded applications). (Ilia, Florian Anderiasch)
Fixed bug #49738 (calling mcrypt after mcrypt_generic_deinit crashes). (Sriram Natarajan)
Fixed bug #49732 (crashes when using fileinfo when timestamp conversion fails). (Pierre)
Fixed bug #49698 (Unexpected change in strnatcasecmp()). (Rasmus)
Fixed bug #49630 (imap_listscan function missing). (Felipe)
Fixed bug #49572 (use of C++ style comments causes build failure). (Sriram Natarajan)
Fixed bug #49531 (CURLOPT_INFILESIZE sometimes causes warning "CURLPROTO_FILE cannot be set"). (Felipe)
Fixed bug #49517 (cURL's CURLOPT_FILE prevents file from being deleted after fclose). (Ilia)
Fixed bug #49470 (FILTER_SANITIZE_EMAIL allows disallowed characters). (Ilia)
Fixed bug #49447 (php engine need to correctly check for socket API return status on windows). (Sriram Natarajan)
Fixed bug #49391 (ldap.c utilizing deprecated ldap_modify_s). (Ilia)
Fixed bug #49361 (wordwrap() wraps incorrectly on end of line boundaries). (Ilia, code-it at mail dot ru)
Fixed bug #49372 (segfault in php_curl_option_curl). (Pierre)
Fixed bug #49306 (inside pdo_mysql default socket settings are ignored). (Ilia)
Fixed bug #49289 (bcmath module doesn't compile with phpize configure). (Jani)
Fixed bug #49286 (php://input (php_stream_input_read) is broken). (Jani)
Fixed bug #49269 (Ternary operator fails on Iterator object when used inside foreach declaration). (Etienne, Dmitry)
Fixed bug #49236 (Missing PHP_SUBST(PDO_MYSQL_SHARED_LIBADD)). (Jani)
Fixed bug #49223 (Inconsistency using get_defined_constants). (Garrett)
Fixed bug #49193 (gdJpegGetVersionString() inside gd_compact identifies wrong type in declaration). (Ilia)
Fixed bug #49183 (dns_get_record does not return NAPTR records). (Pierre)
Fixed bug #49144 (Import of schema from different host transmits original authentication details). (Dmitry)
Fixed bug #49142 (crash when exception thrown from __tostring()). (David Soria Parra)
Fixed bug #49986 (Missing ICU DLLs on windows package). (Pierre)
Fixed bug #49132 (posix_times returns false without error). (phpbugs at gunnu dot us)
Fixed bug #49125 (Error in dba_exists C code). (jdornan at stanford dot edu)
Fixed bug #49122 (undefined reference to mysqlnd_stmt_next_result on compile with --with-mysqli and MySQL 6.0). (Jani)
Fixed bug #49108 (2nd scan_dir produces segfault). (Felipe)
Fixed bug #49098 (mysqli segfault on error). (Rasmus)
Fixed bug #49095 (proc_get_status['exitcode'] fails on win32). (Felipe)
Fixed bug #49092 (ReflectionFunction fails to work with functions in fully qualified namespaces). (Kalle, Jani)
Fixed bug #49074 (private class static fields can be modified by using reflection). (Jani)
Fixed bug #49072 (feof never returns true for damaged file in zip). (Pierre)
Fixed bug #49065 ("disable_functions" php.ini option does not work on Zend extensions). (Stas)
Fixed bug #49064 (--enable-session=shared does not work: undefined symbol: php_url_scanner_reset_vars). (Jani)
Fixed bug #49056 (parse_ini_file() regression in 5.3.0 when using non-ASCII strings as option keys). (Jani)
Fixed bug #49052 (context option headers freed too early when using --with-curlwrappers). (Jani)
Fixed bug #49047 (The function touch() fails on directories on Windows). (Pierre)
Fixed bug #49032 (SplFileObject::fscanf() variables passed by reference). (Jani)
Fixed bug #49027 (mysqli_options() doesn't work when using mysqlnd). (Andrey)
Fixed bug #49026 (proc_open() can bypass safe_mode_protected_env_vars restrictions). (Ilia)
Fixed bug #49012 (phar tar signature algorithm reports as Unknown (0) in getSignature() call). (Greg)
Fixed bug #49020 (phar misinterprets ustar long filename standard). (Greg)
Fixed bug #49018 (phar tar stores long filenames wit prefix/name reversed). (Greg)
Fixed bug #49014 (dechunked filter broken when serving more than 8192 bytes in a chunk). (andreas dot streichardt at globalpark dot com, Ilia)
Fixed bug #49000 (PHP CLI in Interactive mode (php -a) crashes when including files from function). (Stas)
Fixed bug #48994 (zlib.output_compression does not output HTTP headers when set to a string value). (Jani)
Fixed bug #48980 (Crash when compiling with pdo_firebird). (Felipe)
Fixed bug #48962 (cURL does not upload files with specified filename). (Ilia)
Fixed bug #48929 (Double
after HTTP headers when "header" context option is an array). (David Zülke)
Fixed bug #48913 (Too long error code strings in pdo_odbc driver). (naf at altlinux dot ru, Felipe)
Fixed bug #48912 (Namespace causes unexpected strict behaviour with extract()). (Dmitry)
Fixed bug #48909 (Segmentation fault in mysqli_stmt_execute()). (Andrey)
Fixed bug #48899 (is_callable returns true even if method does not exist in parent class). (Felipe)
Fixed bug #48893 (Problems compiling with Curl). (Felipe)
Fixed bug #48872 (string.c: errors: duplicate case values). (Kalle)
Fixed bug #48854 (array_merge_recursive modifies arrays after first one). (Felipe)
Fixed bug #48805 (IPv6 socket transport is not working). (Ilia)
Fixed bug #48802 (printf() returns incorrect outputted length). (Jani)
Fixed bug #48880 (Random Appearing open_basedir problem). (Rasmus, Gwynne)
Fixed bug #48791 (open office files always reported as corrupted). (Greg)
Fixed bug #48788 (RecursiveDirectoryIterator doesn't descend into symlinked directories). (Ilia)
Fixed bug #48783 (make install will fail saying phar file exists). (Greg)
Fixed bug #48774 (SIGSEGVs when using curl_copy_handle()). (Sriram Natarajan)
Fixed bug #48771 (rename() between volumes fails and reports no error on Windows). (Pierre)
Fixed bug #48768 (parse_ini_*() crash with INI_SCANNER_RAW). (Jani)
Fixed bug #48763 (ZipArchive produces corrupt archive). (dani dot church at gmail dot com, Pierre)
Fixed bug #48762 (IPv6 address filter still rejects valid address). (Felipe)
Fixed bug #48757 (ReflectionFunction::invoke() parameter issues). (Kalle)
Fixed bug #48754 (mysql_close() crash php when no handle specified). (Johannes, Andrey)
Fixed bug #48752 (Crash during date parsing with invalid date). (Pierre)
Fixed bug #48746 (Unable to browse directories within Junction Points). (Pierre, Kanwaljeet Singla)
Fixed bug #48745 (mysqlnd: mysql_num_fields returns wrong column count for mysql_list_fields). (Andrey)
Fixed bug #48740 (PHAR install fails when INSTALL_ROOT is not the final install location). (james dot cohen at digitalwindow dot com, Greg)
Fixed bug #48733 (CURLOPT_WRITEHEADER|CURLOPT_FILE|CURLOPT_STDERR warns on files that have been opened with r+). (Ilia)
Fixed bug #48719 (parse_ini_*(): scanner_mode parameter is not checked for sanity). (Jani)
Fixed bug #48718 (FILTER_VALIDATE_EMAIL does not allow numbers in domain components). (Ilia)
Fixed bug #48681 (openssl signature verification for tar archives broken). (Greg)
Fixed bug #48660 (parse_ini_*(): dollar sign as last character of value fails). (Jani)
Fixed bug #48645 (mb_convert_encoding() doesn't understand hexadecimal html-entities). (Moriyoshi)
Fixed bug #48637 ("file" fopen wrapper is overwritten when using --with-curlwrappers). (Jani)
Fixed bug #48608 (Invalid libreadline version not detected during configure). (Jani)
Fixed bug #48400 (imap crashes when closing stream opened with OP_PROTOTYPE flag). (Jani)
Fixed bug #48377 (error message unclear on converting phar with existing file). (Greg)
Fixed bug #48247 (Infinite loop and possible crash during startup with errors when errors are logged). (Jani)
Fixed bug #48198 error: 'MYSQLND_LLU_SPEC' undeclared. Cause for #48780 and #46952 - both fixed too. (Andrey)
Fixed bug #48189 (ibase_execute error in return param). (Kalle)
Fixed bug #48182 (ssl handshake fails during asynchronous socket connection). (Sriram Natarajan)
Fixed bug #48116 (Fixed build with Openssl 1.0). (Pierre, Al dot Smith at aeschi dot ch dot eu dot org)
Fixed bug #48057 (Only the date fields of the first row are fetched, others are empty). (info at programmiernutte dot net)
Fixed bug #47481 (natcasesort() does not sort extended ASCII characters correctly). (Herman Radtke)
Fixed bug #47351 (Memory leak in DateTime). (Derick, Tobias John)
Fixed bug #47273 (Encoding bug in SoapServer->fault). (Dmitry)
Fixed bug #46682 (touch() afield returns different values on windows). (Pierre)
Fixed bug #46614 (Extended MySQLi class gives incorrect empty() result). (Andrey)
Fixed bug #46020 (with Sun Java System Web Server 7.0 on HPUX, #define HPUX). (Uwe Schindler)
Fixed bug #45905 (imagefilledrectangle() clipping error). (markril at hotmail dot com, Pierre)
Fixed bug #45554 (Inconsistent behavior of the u format char). (Derick)
Fixed bug #45141 (setcookie will output expires years of >4 digits). (Ilia)
Fixed bug #44683 (popen crashes when an invalid mode is passed). (Pierre)
Fixed bug #43510 (stream_get_meta_data() does not return same mode as used in fopen). (Jani)
Fixed bug #42434 (ImageLine w/ antialias = 1px shorter). (wojjie at gmail dot com, Kalle)
Fixed bug #40013 (php_uname() does not return nodename on Netware (Guenter Knauf)
Fixed bug #38091 (Mail() does not use FQDN when sending SMTP helo). (Kalle, Rick Yorgason)
Fixed bug #28038 (Sent incorrect RCPT TO commands to SMTP server) (Garrett)
Fixed bug #27051 (Impersonation with FastCGI does not exec process as impersonated user). (Pierre)
Fixed PECL bug #16842 (oci_error return false when NO_DATA_FOUND is raised). (Chris Jones)