The PHP development team announces the immediate availability of PHP 8.3.6. This is a security release that addresses CVE-2024-1874,
CVE-2024-2756, CVE-2024-3096, and CVE-2024-2757.
All PHP 8.3 users are encouraged to upgrade to this version.
For source downloads of PHP 8.3.6 please visit our downloads page: [https://www.php.net/downloads](https://www.php.net/downloads)
Windows binaries can be found on the PHP for Windows site.
The list of changes is recorded in the ChangeLog.
Release Announcement: [https://php.net/releases/8_3_6.php](https://php.net/releases/8_3_6.php)
Downloads: [https://php.net/downloads](https://php.net/downloads)
Windows downloads: [https://windows.php.net/download#php-8.3](https://windows.php.net/download#php-8.3)
Changelog: [https://php.net/ChangeLog-8.php#8.3.6](https://php.net/ChangeLog-8.php#8.3.6)
Release Manifest: [https://gist.github.com/ericmann/93ec7609f372b05e55f24136c8b826c0](https://gist.github.com/ericmann/93ec7609f372b05e55f24136c8b826c0)
Many thanks to all the contributors and supporters!
Eric Mann, Jakub Zelenka, and Pierrick Charron
php-8.3.6.tar.bz2
SHA256 hash: 6324b1ddd8eb3025b041034b88dc2bc0b4819b0022129eeaeba37e47803108bc
PGP signature:
On Thu, Apr 11, 2024 at 08:03:31AM -0700, ericmann@php.net wrote:
The PHP development team announces the immediate availability of PHP 8.3.6. This is a security release that addresses CVE-2024-1874,
CVE-2024-2756, CVE-2024-3096, and CVE-2024-2757.
Thank you!!!
May I ask what happened to 8.3.5 and why it was never released?
--
8.3.5 was frozen at the RC1 stage and we elected to include the fixes for the aforementioned CVEs in this release, bumping things instead to 8.3.6 to avoid any confusion as to why something was in a stable release that /wasn't/ included in the RC. This is rare but does happen.
Just to add a bit more detail here. There was a regression in one of the fixes that caused a failure for the Windows build. This was missed in time because CI is not currently running on PRs in private forks for security fixes. We are looking into setting up a private repo that would run CI instead of using GitHub private forks created in the advisories. That should hopefully prevent those skips.