Statement on glibc/iconv Vulnerability

EDIT 2024-04-25: Clarified when a PHP application is vulnerable to this bug.

Recently, a bug in glibc version 2.39 and older (CVE-2024-2961) was uncovered where a buffer overflow in character set conversions to the ISO-2022-CN-EXT character set can result in remote code execution. This specific buffer overflow in glibc is exploitable through PHP, which exposes the iconv functionality of glibc to do character set conversions via the iconv extension. Although the bug is exploitable in the context of the PHP Engine, the bug is not in PHP. It is also not directly exploitable remotely. The bug is exploitable if, and only if, the PHP application calls iconv functions or filters with user-supplied character sets.

Applications are not vulnerable if:

 - glibc security updates from the distribution have been installed, or
 - the iconv extension is not loaded, or
 - the vulnerable character set has been removed from gconv-modules-extra.conf, or
 - the application passes only specifically allowed character sets to iconv.

Moreover, when using a user-supplied character set, it is good practice for applications to accept only specific charsets that have been explicitly allowed by the application. One example of how this can be done is by using an allow-list and the array_search() function to check the encoding before passing it to iconv. For example:

    array_search($charset, $allowed_list, true)

There are numerous reports online with titles like "Mitigating the iconv Vulnerability for PHP (CVE-2024-2961)" or "PHP Under Attack". These titles are misleading, as this is not a bug in PHP itself.

If your PHP application is vulnerable, we first recommend checking whether your Linux distribution has already published patched variants of glibc. Debian, CentOS, and others have already done so; please upgrade as soon as possible. Once an update is available in glibc, updating that package on your Linux machine will be enough to alleviate the issue. You do not need to update PHP, as glibc is a dynamically linked library.

If your Linux distribution has not published a patched version of glibc, there is no fix for this issue. However, there exists a workaround described in GLIBC Vulnerability on Servers Serving PHP which explains how to remove the problematic character set from glibc. Perform this procedure for every gconv-modules-extra.conf file that is available on your system.

PHP users on Windows are not affected. There will therefore also not be a new version of PHP for this vulnerability.
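As an added example, not part of the php.net statement above, the following shows the allow-list check the statement recommends wrapped around a small conversion helper, so that a user-supplied charset name never reaches glibc's converter unless the application has explicitly listed it. The allowed charsets, the function names and the sample inputs are constructed for illustration and are not taken from any real application:

```php
<?php
declare(strict_types=1);

// Constructed allow-list: only the charsets this (hypothetical) application
// actually needs to accept. Adjust to your own requirements.
const ALLOWED_CHARSETS = ['UTF-8', 'ISO-8859-1', 'WINDOWS-1252', 'UTF-16LE'];

/**
 * Map a user-supplied charset name to its canonical allowed form, or return
 * null if it is not on the list. Case is normalised with strtoupper() so that
 * "utf-8" and "UTF-8" match the same entry; the third argument to
 * array_search() (strict comparison) is the check the statement recommends.
 */
function normalizeCharset(string $userCharset): ?string
{
    $candidate = strtoupper(trim($userCharset));
    $idx = array_search($candidate, ALLOWED_CHARSETS, true);
    return $idx === false ? null : ALLOWED_CHARSETS[$idx];
}

/**
 * Convert $input from a user-supplied source charset to UTF-8.
 * Unknown charset names are rejected before iconv() is ever called.
 */
function convertToUtf8(string $input, string $userCharset): string
{
    $from = normalizeCharset($userCharset);
    if ($from === null) {
        throw new InvalidArgumentException('Unsupported source charset: ' . $userCharset);
    }
    $out = iconv($from, 'UTF-8', $input);
    if ($out === false) {
        throw new RuntimeException('iconv() failed converting from ' . $from);
    }
    return $out;
}

// Constructed sample inputs, as they might arrive from a form field or an
// uploaded file's declared encoding.
$samples = [
    ['charset' => 'iso-8859-1',      'data' => "caf\xE9"],   // accepted (case-normalised)
    ['charset' => 'UTF-16',          'data' => 'x'],         // rejected: not on the list (only UTF-16LE is)
    ['charset' => 'ISO-2022-CN-EXT', 'data' => 'x'],         // rejected: never forwarded to glibc
];

foreach ($samples as $s) {
    try {
        $utf8 = convertToUtf8($s['data'], $s['charset']);
        printf("%-16s accepted -> %s\n", $s['charset'], bin2hex($utf8));
    } catch (InvalidArgumentException $e) {
        printf("%-16s rejected: %s\n", $s['charset'], $e->getMessage());
    }
}
```

The same check belongs in front of any other place a charset name is interpolated, such as when building a convert.iconv.* filter name for php://filter, since the statement covers iconv filters as well as the iconv() functions. Rejecting on the application side is a defence in depth only; installing the distribution's patched glibc remains the actual fix.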

Posted on: 23 April 2024 | 7:00 pm

PHP 8.3.0 RC 6 available for testing

The PHP team is pleased to announce the release of PHP 8.3.0, RC 6. This is the sixth and final release candidate, continuing the PHP 8.3 release cycle, the rough outline of which is specified in the PHP Wiki. For source downloads of PHP 8.3.0, RC 6 please visit the download page. Please carefully test this version and report any issues found in the bug reporting system. Please DO NOT use this version in production, it is an early test version. For more information on the new features and other changes, you can read the NEWS file or the UPGRADING file for a complete list of upgrading notes. These files can also be found in the release archive. The next release will be the production-ready, general availability release, planned for 23 November 2023. The signatures for the release can be found in the manifest or on the QA site. Thank you for helping us make PHP better.

Posted on: 8 November 2023 | 6:00 pm

PHP 8.3.0 RC 5 available for testing

The PHP team is pleased to announce the release of PHP 8.3.0, RC 5. This is the fifth release candidate, continuing the PHP 8.3 release cycle, the rough outline of which is specified in the PHP Wiki. For source downloads of PHP 8.3.0, RC 5 please visit the download page. Please carefully test this version and report any issues found in the bug reporting system. Please DO NOT use this version in production, it is an early test version. For more information on the new features and other changes, you can read the NEWS file or the UPGRADING file for a complete list of upgrading notes. These files can also be found in the release archive. The next release will be the fourth release candidate (RC 5), planned for 26 October 2023. The signatures for the release can be found in the manifest or on the QA site. Thank you for helping us make PHP better.

Posted on: 25 October 2023 | 7:00 pm

PHP 8.3.0 RC 4 available for testing

The PHP team is pleased to announce the release of PHP 8.3.0, RC 4. This is the fourth release candidate, continuing the PHP 8.3 release cycle, the rough outline of which is specified in the PHP Wiki. For source downloads of PHP 8.3.0, RC 4 please visit the download page. Please carefully test this version and report any issues found in the bug reporting system. Please DO NOT use this version in production, it is an early test version. For more information on the new features and other changes, you can read the NEWS file or the UPGRADING file for a complete list of upgrading notes. These files can also be found in the release archive. The next release will be the fifth release candidate (RC 5), planned for 26 October 2023. The signatures for the release can be found in the manifest or on the QA site. Thank you for helping us make PHP better.

Posted on: 11 October 2023 | 7:00 pm

PHP 8.3.0 RC 3 available for testing

The PHP team is pleased to announce the release of PHP 8.3.0, RC 3. This is the third release candidate, continuing the PHP 8.3 release cycle, the rough outline of which is specified in the PHP Wiki. For source downloads of PHP 8.3.0, RC 3 please visit the download page. Please carefully test this version and report any issues found in the bug reporting system. Please DO NOT use this version in production, it is an early test version. For more information on the new features and other changes, you can read the NEWS file or the UPGRADING file for a complete list of upgrading notes. These files can also be found in the release archive. The next release will be the fourth release candidate (RC 4), planned for 12 October 2023. The signatures for the release can be found in the manifest or on the QA site. Thank you for helping us make PHP better.

Posted on: 27 September 2023 | 7:00 pm

PHP 8.3.0 RC 2 available for testing

The PHP team is pleased to announce the release of PHP 8.3.0, RC 2. This is the second release candidate, continuing the PHP 8.3 release cycle, the rough outline of which is specified in the PHP Wiki. For source downloads of PHP 8.3.0, RC 2 please visit the download page. Please carefully test this version and report any issues found in the bug reporting system. Please DO NOT use this version in production, it is an early test version. For more information on the new features and other changes, you can read the NEWS file or the UPGRADING file for a complete list of upgrading notes. These files can also be found in the release archive. The next release will be the third release candidate (RC 3), planned for 28 September 2023. The signatures for the release can be found in the manifest or on the QA site. Thank you for helping us make PHP better.

Posted on: 13 September 2023 | 7:00 pm

PHP 8.3.0 RC 1 available for testing

The PHP team is pleased to announce the release of PHP 8.3.0, RC 1. This is the first release candidate, continuing the PHP 8.3 release cycle, the rough outline of which is specified in the PHP Wiki. For source downloads of PHP 8.3.0, RC 1 please visit the download page. Please carefully test this version and report any issues found in the bug reporting system. Please DO NOT use this version in production, it is an early test version. For more information on the new features and other changes, you can read the NEWS file or the UPGRADING file for a complete list of upgrading notes. These files can also be found in the release archive. The next release will be the second release candidate (RC 2), planned for 14 September 2023. The signatures for the release can be found in the manifest or on the QA site. Thank you for helping us make PHP better.

Posted on: 30 August 2023 | 7:00 pm

PHP 8.3.0 Beta 3 available for testing

The PHP team is pleased to announce the third beta release of PHP 8.3.0, Beta 3. This continues the PHP 8.3 release cycle, the rough outline of which is specified in the PHP Wiki. For source downloads of PHP 8.3.0 Beta 3 please visit the download page. Please carefully test this version and report any issues found in the bug reporting system. Please DO NOT use this version in production, it is an early test version. For more information on the new features and other changes, you can read the NEWS file, or the UPGRADING file for a complete list of upgrading notes. These files can also be found in the release archive. The next release will be RC 1, planned for Aug 31 2023. The signatures for the release can be found in the manifest or on the QA site. Thank you for helping us make PHP better.

Posted on: 16 August 2023 | 7:00 pm

PHP 8.3.0 Beta 2 available for testing

The PHP team is pleased to announce the second beta release of PHP 8.3.0, Beta 2. This continues the PHP 8.3 release cycle, the rough outline of which is specified in the PHP Wiki. For source downloads of PHP 8.3.0 Beta 2 please visit the download page. Please carefully test this version and report any issues found in the bug reporting system. Please DO NOT use this version in production, it is an early test version. For more information on the new features and other changes, you can read the NEWS file, or the UPGRADING file for a complete list of upgrading notes. These files can also be found in the release archive. The next release will be Beta 3, planned for Aug 17 2023. The signatures for the release can be found in the manifest or on the QA site. Thank you for helping us make PHP better.

Posted on: 2 August 2023 | 7:00 pm

PHP 8.3.0 Beta 1 available for testing

The PHP team is pleased to announce the first beta release of PHP 8.3.0, Beta 1. This continues the PHP 8.3 release cycle, the rough outline of which is specified in the PHP Wiki. For source downloads of PHP 8.3.0 Beta 1 please visit the download page. Please carefully test this version and report any issues found in the bug reporting system. Please DO NOT use this version in production, it is an early test version. For more information on the new features and other changes, you can read the NEWS file, or the UPGRADING file for a complete list of upgrading notes. These files can also be found in the release archive. The next release will be Beta 2, planned for Aug 3 2023. The signatures for the release can be found in the manifest or on the QA site. Thank you for helping us make PHP better.

Posted on: 19 July 2023 | 7:00 pm

PHP 8.3.0 Alpha 3 available for testing

The PHP team is pleased to announce the third testing release of PHP 8.3.0, Alpha 3. This continues the PHP 8.3 release cycle, the rough outline of which is specified in the PHP Wiki. For source downloads of PHP 8.3.0 Alpha 3 please visit the download page. Please carefully test this version and report any issues found in the bug reporting system. Please DO NOT use this version in production, it is an early test version. For more information on the new features and other changes, you can read the NEWS file, or the UPGRADING file for a complete list of upgrading notes. These files can also be found in the release archive. The next release will be Beta 1, planned for 20 Jul 2023. The signatures for the release can be found in the manifest or on the QA site. Thank you for helping us make PHP better.

Posted on: 5 July 2023 | 7:00 pm

PHP 8.3.0 Alpha 2 available for testing

The PHP team is pleased to announce the second testing release of PHP 8.3.0, Alpha 2. This continues the PHP 8.3 release cycle, the rough outline of which is specified in the PHP Wiki. For source downloads of PHP 8.3.0 Alpha 2 please visit the download page. Please carefully test this version and report any issues found in the bug reporting system. Please DO NOT use this version in production, it is an early test version. For more information on the new features and other changes, you can read the NEWS file, or the UPGRADING file for a complete list of upgrading notes. These files can also be found in the release archive. The next release will be Alpha 3, planned for 6 July 2023. The signatures for this release can be found in the manifest or on the QA site. Thank you for helping us make PHP better!

Posted on: 21 June 2023 | 7:00 pm

PHP 8.3.0 Alpha 1 available for testing

The PHP team is pleased to announce the first testing release of PHP 8.3.0, Alpha 1. This starts the PHP 8.3 release cycle, the rough outline of which is specified in the PHP Wiki. For source downloads of PHP 8.3.0 Alpha 1 please visit the download page. Please carefully test this version and report any issues found using the bug tracking system. Please DO NOT use this version in production, it is an early test version. For more information on the new features and other changes, you can read the NEWS file, or the UPGRADING file for a complete list of upgrading notes. These files can also be found in the release archive. The next release will be Alpha 2, planned for 22 Jun 2023. The signatures for the release can be found in the manifest or on the QA site. Thank you for helping us make PHP better.

Posted on: 7 June 2023 | 7:00 pm

PHP 8.2.0 RC7 available for testing

The PHP team is pleased to announce the release of PHP 8.2.0, RC 7. This is the seventh release candidate, continuing the PHP 8.2 release cycle, the rough outline of which is specified in the PHP Wiki. For source downloads of PHP 8.2.0, RC 7 please visit the download page. Please carefully test this version and report any issues found in the bug reporting system. Please DO NOT use this version in production, it is an early test version. For more information on the new features and other changes, you can read the NEWS file or the UPGRADING file for a complete list of upgrading notes. These files can also be found in the release archive. The next release will be the production-ready, general availability release, planned for December 8th 2022. The signatures for the release can be found in the manifest or on the QA site. Thank you for helping us make PHP better.

Posted on: 23 November 2022 | 6:00 pm

PHP 8.2.0 RC 6 available for testing

The PHP team is pleased to announce the release of PHP 8.2.0, RC 6. This is the sixth release candidate, continuing the PHP 8.2 release cycle, the rough outline of which is specified in the PHP Wiki. For source downloads of PHP 8.2.0, RC 6 please visit the download page. Please carefully test this version and report any issues found in the bug reporting system. Please DO NOT use this version in production, it is an early test version. For more information on the new features and other changes, you can read the NEWS file or the UPGRADING file for a complete list of upgrading notes. These files can also be found in the release archive. The next release will be the seventh release candidate (RC 7), planned for Nov 24th 2022. The signatures for the release can be found in the manifest or on the QA site. Thank you for helping us make PHP better.

Posted on: 9 November 2022 | 6:00 pm

PHP 8.2.0 RC5 available for testing

The PHP team is pleased to announce the fifth release candidate of PHP 8.2.0, RC 5. This continues the PHP 8.2 release cycle, the rough outline of which is specified in the PHP Wiki. For source downloads of PHP 8.2.0 RC5 please visit the download page. Please carefully test this version and report any issues found in the bug reporting system. Please DO NOT use this version in production, it is an early test version. For more information on the new features and other changes, you can read the NEWS file, or the UPGRADING file for a complete list of upgrading notes. These files can also be found in the release archive. The next release will be the sixth release candidate (RC 6), planned for Nov 10th 2022. The signatures for the release can be found in the manifest or on the QA site. Thank you for helping us make PHP better.

Posted on: 26 October 2022 | 7:00 pm

PHP 8.2.0 RC 4 available for testing

The PHP team is pleased to announce the release of PHP 8.2.0, RC 4. This is the fourth release candidate, continuing the PHP 8.2 release cycle, the rough outline of which is specified in the PHP Wiki. For source downloads of PHP 8.2.0, RC 4 please visit the download page. Please carefully test this version and report any issues found in the bug reporting system. Please DO NOT use this version in production, it is an early test version. For more information on the new features and other changes, you can read the NEWS file or the UPGRADING file for a complete list of upgrading notes. These files can also be found in the release archive. The next release will be the fifth release candidate (RC 5), planned for 27 October 2022. The signatures for the release can be found in the manifest or on the QA site. Thank you for helping us make PHP better.

Posted on: 12 October 2022 | 7:00 pm

PHP 8.2.0 RC3 available for testing

The PHP team is pleased to announce the third release candidate of PHP 8.2.0, RC 3. This continues the PHP 8.2 release cycle, the rough outline of which is specified in the PHP Wiki. For source downloads of PHP 8.2.0 RC3 please visit the download page. Please carefully test this version and report any issues found in the bug reporting system. Please DO NOT use this version in production, it is an early test version. For more information on the new features and other changes, you can read the NEWS file, or the UPGRADING file for a complete list of upgrading notes. These files can also be found in the release archive. The next release will be the fourth release candidate (RC 4), planned for Oct 13th 2022. The signatures for the release can be found in the manifest or on the QA site. Thank you for helping us make PHP better.

Posted on: 28 September 2022 | 7:00 pm

PHP 8.2.0 RC2 available for testing

The PHP team is pleased to announce the release of PHP 8.2.0, RC 2. This is the second release candidate, continuing the PHP 8.2 release cycle, the rough outline of which is specified in the PHP Wiki. For source downloads of PHP 8.2.0, RC 2 please visit the download page. Please carefully test this version and report any issues found in the bug reporting system. Please DO NOT use this version in production, it is an early test version. For more information on the new features and other changes, you can read the NEWS file or the UPGRADING file for a complete list of upgrading notes. These files can also be found in the release archive. The next release will be the third release candidate (RC 3), planned for 29 September 2022. The signatures for the release can be found in the manifest or on the QA site. Thank you for helping us make PHP better.

Posted on: 14 September 2022 | 7:00 pm

PHP 8.2.0 RC1 available for testing

The PHP team is pleased to announce the first release candidate of PHP 8.2.0, RC 1. This continues the PHP 8.2 release cycle, the rough outline of which is specified in the PHP Wiki. For source downloads of PHP 8.2.0 RC1 please visit the download page. Please carefully test this version and report any issues found in the bug reporting system. Please DO NOT use this version in production, it is an early test version. For more information on the new features and other changes, you can read the NEWS file, or the UPGRADING file for a complete list of upgrading notes. These files can also be found in the release archive. The next release will be the second release candidate (RC 2), planned for Sept 15th 2022. The signatures for the release can be found in the manifest or on the QA site. Thank you for helping us make PHP better.

Posted on: 31 August 2022 | 7:00 pm

PHP 8.2.0 Beta 3 available for testing

The PHP team is pleased to announce the third beta release of PHP 8.2.0, Beta 3. This continues the PHP 8.2 release cycle, the rough outline of which is specified in the PHP Wiki. For source downloads of PHP 8.2.0 Beta 3 please visit the download page. Please carefully test this version and report any issues found in the bug reporting system. Please DO NOT use this version in production, it is an early test version. For more information on the new features and other changes, you can read the NEWS file, or the UPGRADING file for a complete list of upgrading notes. These files can also be found in the release archive. The next release will be the first release candidate (RC 1), planned for Sept 1 2022. The signatures for the release can be found in the manifest or on the QA site. Thank you for helping us make PHP better.

Posted on: 17 August 2022 | 7:00 pm

PHP 8.2.0 Beta 2 available for testing

The PHP team is pleased to announce the second beta release of PHP 8.2.0, Beta 2. This continues the PHP 8.2 release cycle, the rough outline of which is specified in the PHP Wiki. For source downloads of PHP 8.2.0 Beta 2 please visit the download page. Please carefully test this version and report any issues found in the bug reporting system. Please DO NOT use this version in production, it is an early test version. For more information on the new features and other changes, you can read the NEWS file, or the UPGRADING file for a complete list of upgrading notes. These files can also be found in the release archive. The next release will be PHP 8.2.0 Beta 3, planned for Aug 18 2022. The signatures for the release can be found in the manifest or on the QA site. Thank you for helping us make PHP better.

Posted on: 3 August 2022 | 7:00 pm

PHP 8.2.0 Beta 1 available for testing

The PHP team is pleased to announce the first beta release of PHP 8.2.0, Beta 1. This continues the PHP 8.2 release cycle, the rough outline of which is specified in the PHP Wiki. For source downloads of PHP 8.2.0 Beta 1 please visit the download page. Please carefully test this version and report any issues found in the bug reporting system. Please DO NOT use this version in production, it is an early test version. Because of a bug found in early testing of this release, this version is NOT usable with ZTS builds. For more information on the new features and other changes, you can read the NEWS file, or the UPGRADING file for a complete list of upgrading notes. These files can also be found in the release archive. The next release will be PHP 8.2.0 Beta 2, planned for Aug 4 2022. The signatures for the release can be found in the manifest or on the QA site. Thank you for helping us make PHP better.

Posted on: 20 July 2022 | 7:00 pm

PHP 8.2.0 Alpha 3 available for testing

The PHP team is pleased to announce the third testing release of PHP 8.2.0, Alpha 3. This continues the PHP 8.2 release cycle, the rough outline of which is specified in the PHP Wiki. For source downloads of PHP 8.2.0 Alpha 3 please visit the download page. Please carefully test this version and report any issues found in the bug reporting system. Please DO NOT use this version in production, it is an early test version. For more information on the new features and other changes, you can read the NEWS file, or the UPGRADING file for a complete list of upgrading notes. These files can also be found in the release archive. The next release will be Beta 1, planned for Jul 21 2022. The signatures for the release can be found in the manifest or on the QA site. Thank you for helping us make PHP better.

Posted on: 6 July 2022 | 7:00 pm

PHP 8.2.0 Alpha 2 available for testing

The PHP team is pleased to announce the second testing release of PHP 8.2.0, Alpha 2. This continues the PHP 8.2 release cycle, the rough outline of which is specified in the PHP Wiki. For source downloads of PHP 8.2.0 Alpha 2 please visit the download page. Please carefully test this version and report any issues found in the bug reporting system. Please DO NOT use this version in production, it is an early test version. For more information on the new features and other changes, you can read the NEWS file, or the UPGRADING file for a complete list of upgrading notes. These files can also be found in the release archive. The next release will be PHP 8.2.0 Alpha 3, planned for 7 Jul 2022. The signatures for the release can be found in the manifest or on the QA site. Thank you for helping us make PHP better.

Posted on: 22 June 2022 | 7:00 pm