What's New in version 7.2.11:


  • Fixed bug '76800 (foreach inconsistent if array modified during loop).
  • Fixed bug '76901 (method_exists on SPL iterator passthrough method corrupts memory).


  • Fixed bug '76480 (Use curl_multi_wait() so that timeouts are respected).


  • Fixed bug '66828 (iconv_mime_encode Q-encoding longer than it should be).


  • Fixed bug '76832 (ZendOPcache.MemoryBase periodically deleted by the OS).
  • Fixed bug '76796 (Compile-time evaluation of disabled function in opcache causes segfault).


  • Fixed bug '75696 (posix_getgrnam fails to print details of group).


  • Fixed bug '74454 (Wrong exception being thrown when using ReflectionMethod).


  • Fixed bug '73457 (Wrong error message when fopen FTP wrapped fails to open data connection).
  • Fixed bug '74764 (Bindto IPv6 works with file_get_contents but fails with stream_socket_client).
  • Fixed bug '75533 (array_reduce is slow when $carry is large array).


  • Fixed bug '76886 (Can't build xmlrpc with expat).


  • Fixed bug '75273 (php_zlib_inflate_filter() may not update bytes_consumed).

What's New in version 5.5.11:


  • Allow zero length comparison in substr_compare() (Tjerk)
  • Fixed bug #60602 (proc_open() changes environment array) (Tjerk)


  • Added feature #65545 (SplFileObject::fread()) (Tjerk)


  • Fixed bug #66109 (Can't reset CURLOPT_CUSTOMREQUEST to default behaviour) (Tjerk)
  • Fix compilation on libcurl versions between 7.10.5 and 7.12.2, inclusive. (Adam)


  • Added clear_env configuration directive to disable clearenv() call. (Github PR# 598, Paul Annesley)


  • Fixed bug #66946 (fileinfo: extensive backtracking in awk rule regular expression). (CVE-2013-7345) (Remi)


  • Fixed bug #66714 (imageconvolution breakage). (Brad Daily)
  • Fixed bug #66869 (Invalid 2nd argument crashes imageaffinematrixget) (Pierre)
  • Fixed bug #66887 (imagescale - poor quality of scaled image). (Remi)
  • Fixed bug #66890 (imagescale segfault). (Remi)
  • Fixed bug #66893 (imagescale ignore method argument). (Remi)


  • hash_pbkdf2() now works correctly if the $length argument is not specified. (Nikita)


  • Fixed bug #66873 (A reproductible crash in UConverter when given invalid encoding) (Stas)


  • Fixed bug #66535 (Don't add newline after X-PHP-Originating-Script) (Tjerk)


  • Fixed bug #66762 (Segfault in mysqli_stmt::bind_result() when link closed) (Remi)


  • Added function opcache_is_script_cached(). (Danack)
  • Added information about interned strings usage. (Terry, Julien, Dmitry)


  • Fixed bug #66833 (Default disgest algo is still MD5, switch to SHA1). (Remi)


  • Fixed bug #66872 (invalid argument crashes gmp_testbit) (Pierre)


  • Updated bundled libsqlite to (Anatol)

What's new in version 5.5.10:

  • Core: Fixed Request #66574i (Allow multiple paths in php_ini_scanned_path).
  • Date: Fixed bug #45528 (Allow the DateTimeZone constructor to accept timezones per offset too).
  • Fileinfo:
    • Fixed bug #66731 (file: infinite recursion) (CVE-2014-1943).
    • Fixed bug #66820 (out-of-bounds memory access in fileinfo).
  • GD: Fixed bug #66815 (imagecrop(): insufficient fix for NULL defer CVE-2013-7327).
  • JSON: Fixed bug #65753 (JsonSerializeable couldn't implement on module extension)
  • LDAP: Implemented ldap_modify_batch ( (Ondrej Hošek)
  • Openssl: Fixed bug #66501 (Add EC key support to php_openssl_is_private_key). (Mark Zedwood)
  • PCRE: Upgraded to PCRE 8.34.
  • Pgsql: Added warning for dangerous client encoding and remove possible injections for pg_insert()/pg_update()/pg_delete()/pg_select().

What's new in version 5.5.9:


  • Fixed bug #66509 (copy() arginfo has changed starting from 5.4). (willfitch)


  • Fixed bug #66356 (Heap Overflow Vulnerability in imagecrop()). (Laruence, Remi)


  • Fixed bug #66474 (Optimizer bug in constant string to boolean conversion). (Dmitry)
  • FFixed bug #66461 (PHP crashes if opcache.interned_strings_buffer=0). (Dmitry)
  • FFixed bug #66298 (ext/opcache/Optimizer/zend_optimizer.c has dos-style ^M as lineend). (Laruence)


  • Fixed bug #62479 (PDO-psql cannot connect if password contains spaces) (willfitch, iliaa)


  • Fixed Bug #66412 (readline_clear_history() with libedit causes segfault after #65714). (Remi)


  • Fixed bug #66469 (Session module is sending multiple set-cookie headers when session.use_strict_mode=1) (Yasuo)
  • FFixed bug #66481 (Segfaults on session_name()). (cmcdermottroe at engineyard dot com, Yasuo)


  • Fixed bug #66395 (basename function doesn't remove drive letter). (Anatol)


  • Fixed bug #66381 (__ss_family was changed on AIX 5.3). (Felipe)

Zend Engine:

  • Fixed bug #66009 (Failed compilation of PHP extension with C++ std library using VS 2012). (Anatol)

What's New in version 5.5.7:

CLI server:

  • Added some MIME types to the CLI web server (Chris Jones)
  • Implemented FR #65917 (getallheaders() is not supported by the built-in web server) - also implements apache_response_headers() (Andrea Faulds)


  • Fixed bug #66094 (unregister_tick_function tries to cast a Closure to a string). (Laruence)


  • Fixed bug #66176 (Invalid constant substitution). (Dmitry)
  • Fixed bug #65915 (Inconsistent results with require return value). (Dmitry)
  • Fixed bug #65559 (Opcache: cache not cleared if changes occur while running). (Dmitry)


  • Fixed memory corruption in openssl_x509_parse() (CVE-2013-6420). (Stefan Esser).


  • Fixed Bug #65714 (PHP cli forces the tty to cooked mode). (Remi)

What's New in version 5.5.3:

  • Openssl: Fixed UMR in fix for CVE-2013-4248.

What's New in version 5.5.1:

  • Fixed bug #65254 (Exception not catchable when exception thrown in autoload with a namespace).
  • Fixed bug #65088 (Generated configure script is malformed on OpenBSD). (Adam)
  • Fixed bug #65108 (is_callable() triggers Fatal Error).
  • Fixed bug #65035 (yield / exit segfault).
  • Fixed bug #65161 (Generator + autoload + syntax error = segfault).
  • hex2bin() raises E_WARNING for invalid hex string.
  • Fixed bug #65226 (chroot() does not get enabled).

What's New in version 5.5.0:

  • Added generators and coroutines.
  • Added the finally keyword.
  • Added a simplified password hashing API.
  • Added support for constant array/string dereferencing.
  • Added scalar class name resolution via ::class.
  • Added support for using empty() on the result of function calls and other expressions.
  • Added support for non-scalar Iterator keys in foreach.
  • Added support for list() constructs in foreach statements.
  • Added the Zend OPcache extension for opcode caching.
  • The GD library has been upgraded to version 2.1 adding new functions and improving existing functionality.
  • A lot more improvements and fixes.

What's New in version 5.3.10:

  • Core: Fixed arbitrary remote code execution vulnerability reported by Stefan Esser, CVE-2012-0830. (Stas, Dmitry)

What's New in version 5.3.8:


  • Fixed bug #55439 (crypt() returns only the salt for MD5). (Stas)


  • Reverted a change in timeout handling restoring PHP 5.3.6 behavior, as the new behavior caused mysqlnd SSL connections to hang (#55283). (Pierre, Andrey, Johannes)

What's New in version 5.3.7:

Security Enhancements and Fixes in PHP 5.3.7:

  • Updated crypt_blowfish to 1.2. (CVE-2011-2483)
  • Fixed crash in error_log(). Reported by Mateusz Kocielski
  • Fixed buffer overflow on overlog salt in crypt().
  • Fixed bug #54939 (File path injection vulnerability in RFC1867 File upload filename). Reported by Krzysztof Kotowicz. (CVE-2011-2202)
  • Fixed stack buffer overflow in socket_connect(). (CVE-2011-1938)
  • Fixed bug #54238 (use-after-free in substr_replace()). (CVE-2011-1148)

Key enhancements in PHP 5.3.7 include:

  • Upgraded bundled Sqlite3 to version
  • Upgraded bundled PCRE to version 8.12
  • Fixed bug #54910 (Crash when calling call_user_func with unknown function name)
  • Fixed bug #54585 (track_errors causes segfault)
  • Fixed bug #54262 (Crash when assigning value to a dimension in a non-array)
  • Fixed a crash inside dtor for error handling
  • Fixed bug #55339 (Segfault with allow_call_time_pass_reference = Off)
  • Fixed bug #54935 php_win_err can lead to crash
  • Fixed bug #54332 (Crash in zend_mm_check_ptr // Heap corruption)
  • Fixed bug #54305 (Crash in gc_remove_zval_from_buffer)
  • Fixed bug #54580 (get_browser() segmentation fault when browscap ini directive is set through php_admin_value)
  • Fixed bug #54529 (SAPI crashes on apache_config.c:197)
  • Fixed bug #54283 (new DatePeriod(NULL) causes crash).
  • Fixed bug #54269 (Short exception message buffer causes crash)
  • Fixed Bug #54221 (mysqli::get_warnings segfault when used in multi queries)
  • Fixed bug #54395 (Phar::mount() crashes when calling with wrong parameters)
  • Fixed bug #54384 (Dual iterators, GlobIterator, SplFileObject and SplTempFileObject crash when user-space classes don't call the parent constructor)
  • Fixed bug #54292 (Wrong parameter causes crash in SplFileObject::__construct())
  • Fixed bug #54291 (Crash iterating DirectoryIterator for dir name starting with \0)
  • Fixed bug #54281 (Crash in non-initialized RecursiveIteratorIterator)
  • Fixed bug #54623 (Segfault when writing to a persistent socket after closing a copy of the socket)
  • Fixed bug #54681 (addGlob() crashes on invalid flags)
  • Over 80 other bug fixes.

What's New in version 5.3.6:

  • Upgraded bundled Sqlite3 to version 3.7.4. (Ilia)
  • Upgraded bundled PCRE to version 8.11. (Ilia)

What's New in version 5.3.5:

  • Fixed Bug #53632 (infinite loop with x87 fpu). (Scott, Rasmus)

What's New in version 5.3.4:

  • Upgraded bundled Sqlite3 to version 3.7.3. (Ilia)
  • Upgraded bundled PCRE to version 8.10. (Ilia)

Security enhancements:

  • Fixed crash in zip extract method (possible CWE-170). (Maksymilian Arciemowicz, Pierre)
  • Paths with NULL in them (foo\0bar.txt) are now considered as invalid. (Rasmus)
  • Fixed a possible double free in imap extension (Identified by Mateusz Kocielski). (CVE-2010-4150). (Ilia)
  • Fixed NULL pointer dereference in ZipArchive::getArchiveComment. (CVE-2010-3709). (Maksymilian Arciemowicz)
  • Fixed possible flaw in open_basedir (CVE-2010-3436). (Pierre)
  • Fixed MOPS-2010-24, fix string validation. (CVE-2010-2950). (Pierre)
  • Fixed symbolic resolution support when the target is a DFS share. (Pierre)
  • Fixed bug #52929 (Segfault in filter_var with FILTER_VALIDATE_EMAIL with large amount of data) (CVE-2010-3710). (Adam)

General improvements:

  • Added stat support for zip stream. (Pierre)
  • Added follow_location (enabled by default) option for the http stream support. (Pierre)
  • Improved support for is_link and related functions on Windows. (Pierre)
  • Added a 3rd parameter to get_html_translation_table. It now takes a charset hint, like htmlentities et al. (Gustavo)

Implemented feature requests:

  • Implemented FR #52348, added new constant ZEND_MULTIBYTE to detect zend multibyte at runtime. (Kalle)
  • Implemented FR #52173, added functions pcntl_get_last_error() and pcntl_strerror(). (nick dot telford at gmail dot com, Arnaud)
  • Implemented symbolic links support for open_basedir checks. (Pierre)
  • Implemented FR #51804, SplFileInfo::getLinkTarget on Windows. (Pierre)
  • Implemented FR #50692, not uploaded files don't count towards max_file_uploads limit. As a side improvement, temporary files are not opened for empty uploads and, in debug mode, 0-length uploads. (Gustavo)