A popular general-purpose scripting language that is especially suited to web development. Fast, flexible and pragmatic, PHP powers everything from your blog to the most popular websites in the world.
The PHP team is pleased to announce the release of PHP 8.4.0, RC2.
This is the second release candidate, continuing the PHP 8.4 release cycle,
the rough outline of which is specified in the
PHP Wiki.
For source downloads of PHP 8.4.0, RC2 please visit the
download page.
Please carefully test this version and report any issues found in the
bug reporting system.
Please DO NOT use this version in production, it is an early test version.
For more information on the new features and other changes, you can read the
NEWS file
or the UPGRADING
file for a complete list of upgrading notes. These files can also be
found in the release archive.
The next release will be RC 3, planned for 24 October 2024.
The PHP team is pleased to announce the release of PHP 8.4.0, RC 1.
This is the first release candidate, continuing the PHP 8.4 release cycle,
the rough outline of which is specified in the
PHP Wiki.
For source downloads of PHP 8.4.0, RC 1 please visit the
download page.
Please carefully test this version and report any issues found in the
bug reporting system.
Please DO NOT use this version in production, it is an early test version.
For more information on the new features and other changes, you can read the
NEWS file
or the UPGRADING
file for a complete list of upgrading notes. These files can also be
found in the release archive.
The next release will be RC 2, planned for 10 October 2024.
The PHP team is pleased to announce the release of PHP 8.4.0, Beta 5.
This is the third beta release, continuing the PHP 8.4 release cycle,
the rough outline of which is specified in the
PHP Wiki.
For source downloads of PHP 8.4.0, Beta 5 please visit the
download page.
Please carefully test this version and report any issues found in the
bug reporting system.
Please DO NOT use this version in production, it is an early test version.
For more information on the new features and other changes, you can read the
NEWS file
or the UPGRADING
file for a complete list of upgrading notes. These files can also be
found in the release archive.
The next release will be RC 1, planned for 26 September 2024.
The PHP team is pleased to announce the release of PHP 8.4.0, Beta 4.
This is the second beta release, continuing the PHP 8.4 release cycle,
the rough outline of which is specified in the
PHP Wiki.
For source downloads of PHP 8.4.0, Beta 4 please visit the
download page.
Please carefully test this version and report any issues found in the
bug reporting system.
Please DO NOT use this version in production, it is an early test version.
For more information on the new features and other changes, you can read the
NEWS file
or the UPGRADING
file for a complete list of upgrading notes. These files can also be
found in the release archive.
The next release will be Beta 5, planned for 12 September 2024.
The PHP team is pleased to announce the release of PHP 8.4.0, Beta 3.
This is the first beta release, continuing the PHP 8.4 release cycle,
the rough outline of which is specified in the
PHP Wiki.
For source downloads of PHP 8.4.0, Beta 3 please visit the
download page.
Please carefully test this version and report any issues found in the
bug reporting system.
Please DO NOT use this version in production, it is an early test version.
For more information on the new features and other changes, you can read the
NEWS file
or the UPGRADING
file for a complete list of upgrading notes. These files can also be
found in the release archive.
The next release will be Beta 4, planned for 29 August 2024.
The PHP team is pleased to announce the second testing release of PHP 8.4.0, Alpha 4. This continues the PHP 8.4 release cycle, the rough outline of which is specified in the PHP Wiki.
For source downloads of PHP 8.4.0 Alpha 4 please visit the download page.
Please carefully test this version and report any issues found in the bug reporting system.
Please DO NOT use this version in production, it is an early test version.
For more information on the new features and other changes, you can read the NEWS file, or the UPGRADING file for a complete list of upgrading notes. These files can also be found in the release archive.
The next release will be Beta 1, planned for 15 Aug 2024.
The PHP team is pleased to announce the second testing release of PHP 8.4.0, Alpha 2. This continues the PHP 8.4 release cycle, the rough outline of which is specified in the PHP Wiki.
For source downloads of PHP 8.4.0 Alpha 2 please visit the download page.
Please carefully test this version and report any issues found in the bug reporting system.
Please DO NOT use this version in production, it is an early test version.
For more information on the new features and other changes, you can read the NEWS file, or the UPGRADING file for a complete list of upgrading notes. These files can also be found in the release archive.
The next release will be Alpha 3, planned for 1 Aug 2024.
The PHP team is pleased to announce the first testing release of PHP 8.4.0, Alpha 1. This starts the PHP 8.4 release cycle, the rough outline of which is specified in the PHP Wiki.
For source downloads of PHP 8.4.0 Alpha 1 please visit the download page.
Please carefully test this version and report any issues found using the bug tracking system.
Please DO NOT use this version in production, it is an early test version.
For more information on the new features and other changes, you can read the NEWS file, or the UPGRADING file for a complete list of upgrading notes. These files can also be found in the release archive.
The next release will be Alpha 2, planned for 18 Jul 2024.
The signatures for the release can be found in the manifest or on the QA site.
EDIT 2024-04-25: Clarified when a PHP application is vulnerable to this bug.
Recently, a bug in glibc version 2.39 and older (CVE-2024-2961) was uncovered
where a buffer overflow in character set conversions to
the ISO-2022-CN-EXT character set can result in remote code execution.
This specific buffer overflow in glibc is exploitable through PHP,
which exposes the iconv functionality of glibc to do character set
conversions via the iconv extension.
Although the bug is exploitable in the context of the PHP
Engine, the bug is not in PHP. It is also not directly exploitable
remotely.
The bug is exploitable if, and only if,
the PHP application calls iconv functions
or filters
with user-supplied character sets.
Applications are not vulnerable if:
Glibc security updates from the distribution have been installed.
Or the iconv extension is not loaded.
Or the vulnerable character set has been removed from gconv-modules-extra.conf.
Or the application passes only specifically allowed character sets to iconv.
Moreover, when using a user-supplied character set,
it is good practice for applications to accept only
specific charsets that have been explicitly allowed by the application.
One example of how this can be done is by using an allow-list and the
array_search() function
to check the encoding before passing it to iconv.
For example: array_search($charset, $allowed_list, true)
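An added example (not code from the PHP project) of the allow-list check described above, applied to both the source and the target character set and to the stream-filter form. The allow-list contents and the function names allowed_charset, safe_iconv and safe_iconv_filter are assumptions made for illustration, and the iconv extension is assumed to be loaded.

```php
<?php
declare(strict_types=1);

// Constructed allow-list: only the charsets this hypothetical application needs.
const ALLOWED_CHARSETS = ['UTF-8', 'ISO-8859-1', 'WINDOWS-1252'];

/** Map a user-supplied charset to its allow-listed spelling; reject anything else. */
function allowed_charset(string $charset): string
{
    $key = array_search(strtoupper(trim($charset)), ALLOWED_CHARSETS, true);
    // array_search() returns the matching key, and the first entry has key 0,
    // so the result must be compared with false rather than tested for truthiness.
    if ($key === false) {
        throw new InvalidArgumentException('Unsupported character set');
    }
    // Pass on the allow-list's own string, never the user's, so no
    // user-controlled text reaches glibc as a charset name.
    return ALLOWED_CHARSETS[$key];
}

/** iconv() wrapper that validates both the source and the target charset. */
function safe_iconv(string $from, string $to, string $data): string
{
    $out = iconv(allowed_charset($from), allowed_charset($to), $data);
    if ($out === false) {
        throw new RuntimeException('Conversion failed');
    }
    return $out;
}

/** Same check for the stream-filter form (convert.iconv.<from>/<to>). */
function safe_iconv_filter(string $from, string $to): string
{
    return 'convert.iconv.' . allowed_charset($from) . '/' . allowed_charset($to);
}

// Constructed sample input: "café" encoded as ISO-8859-1.
echo safe_iconv('iso-8859-1', 'utf-8', "caf\xE9"), PHP_EOL;
echo safe_iconv_filter('UTF-8', 'windows-1252'), PHP_EOL;

try {
    // A charset outside the allow-list is refused before iconv() is called.
    safe_iconv('UTF-8', 'ISO-2022-CN-EXT', 'x');
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), PHP_EOL;
}
```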
There are numerous reports online with titles like "Mitigating the
iconv Vulnerability for PHP (CVE-2024-2961)" or "PHP Under Attack". These
titles are misleading as this is not a bug in PHP itself.
If your PHP application is vulnerable, we recommend first checking whether your Linux distribution
has already published patched variants of glibc.
Debian,
CentOS, and others have already done so; please upgrade as soon as possible.
Once an update is available in glibc, updating that package on your
Linux machine will be enough to alleviate the issue. You do not need to
update PHP, as glibc is a dynamically linked library.
If your Linux distribution has not published a patched version of glibc,
there is no fix for this issue. However, there is a workaround described in
GLIBC
Vulnerability on Servers Serving PHP, which explains how to remove
the problematic character set from glibc. Perform this procedure for every
gconv-modules-extra.conf file that is available on your system.
PHP users on Windows are not affected.
Therefore, a new version of PHP will not be released for this vulnerability.