PHP 5 ChangeLog

Version 5.6.40

  • GD:
    • Fixed bug #77269 (efree() on uninitialized Heap data in imagescale leads to use-after-free). (CVE-2016-10166)
    • Fixed bug #77270 (imagecolormatch Out Of Bounds Write on Heap). (CVE-2019-6977)
  • Mbstring:
    • Fixed bug #77370 (Buffer overflow on mb regex functions - fetch_token). (CVE-2019-9023)
    • Fixed bug #77371 (heap buffer overflow in mb regex functions - compile_string_node). (CVE-2019-9023)
    • Fixed bug #77381 (heap buffer overflow in multibyte match_at). (CVE-2019-9023)
    • Fixed bug #77382 (heap buffer overflow due to incorrect length in expand_case_fold_string). (CVE-2019-9023)
    • Fixed bug #77385 (buffer overflow in fetch_token). (CVE-2019-9023)
    • Fixed bug #77394 (Buffer overflow in multibyte case folding - unicode). (CVE-2019-9023)
    • Fixed bug #77418 (Heap overflow in utf32be_mbc_to_code). (CVE-2019-9023)
  • Phar:
    • Fixed bug #77247 (heap buffer overflow in phar_detect_phar_fname_ext). (CVE-2019-9021)
  • Xmlrpc:
    • Fixed bug #77242 (heap out of bounds read in xmlrpc_decode()). (CVE-2019-9020)
    • Fixed bug #77380 (Global out of bounds read in xmlrpc base64 code). (CVE-2019-9024)

Version 5.6.39

  • Core:
    • Fixed bug #77231 (Segfault when using convert.quoted-printable-encode filter).
  • IMAP:
    • Fixed bug #77020 (null pointer dereference in imap_mail).
    • Fixed bug #77153 (imap_open allows to run arbitrary shell commands via mailbox parameter). (CVE-2018-19518)
  • Phar:
    • Fixed bug #77022 (PharData always creates new files with mode 0666).
    • Fixed bug #77143 (Heap Buffer Overflow (READ: 4) in phar_parse_pharfile). (CVE-2018-20783)

Version 5.6.38

  • Apache2:
    • Fixed bug #76582 (XSS due to the header Transfer-Encoding: chunked). (CVE-2018-17082)

Version 5.6.37

  • Exif:
    • Fixed bug #76423 (Int Overflow lead to Heap OverFlow in exif_thumbnail_extract of exif.c). (CVE-2018-14883)
    • Fixed bug #76557 (heap-buffer-overflow (READ of size 48) while reading exif data). (CVE-2018-14851)
  • Win32:
    • Fixed bug #76459 (windows linkinfo lacks openbasedir check). (CVE-2018-15132)

Version 5.6.36

  • Exif:
    • Fixed bug #76130 (Heap Buffer Overflow (READ: 1786) in exif_iif_add_value). (CVE-2018-10549)
  • iconv:
    • Fixed bug #76249 (stream filter convert.iconv leads to infinite loop on invalid sequence). (CVE-2018-10546)
  • LDAP:
    • Fixed bug #76248 (Malicious LDAP-Server Response causes Crash). (CVE-2018-10548)
  • Phar:
    • Fixed bug #76129 (fix for CVE-2018-5712 may not be complete). (CVE-2018-10547)

Version 5.6.35

  • FPM:
    • Fixed bug #75605 (Dumpable FPM child processes allow bypassing opcache access controls). (CVE-2018-10545)

Version 5.6.34

  • Standard:
    • Fixed bug #75981 (stack-buffer-overflow while parsing HTTP response). (CVE-2018-7584)

Version 5.6.33

  • GD:
    • Fixed bug #75571 (Potential infinite loop in gdImageCreateFromGifCtx). (CVE-2018-5711)
  • Phar:
    • Fixed bug #74782 (Reflected XSS in .phar 404 page). (CVE-2018-5712)

Version 5.6.32

  • Date:
    • Fixed bug #75055 (Out-Of-Bounds Read in timelib_meridian()). (CVE-2017-16642)
  • mcrypt:
    • Fixed bug #72535 (arcfour encryption stream filter crashes php).
  • PCRE:
    • Fixed bug #75207 (applied upstream patch for CVE-2016-1283).

Version 5.6.31

  • Core:
    • Fixed bug #73807 (Performance problem with processing large post request). (CVE-2017-11142)
    • Fixed bug #74111 (Heap buffer overread (READ: 1) finish_nested_data from unserialize). (CVE-2017-12933)
    • Fixed bug #74603 (PHP INI Parsing Stack Buffer Overflow Vulnerability). (CVE-2017-11628)
    • Fixed bug #74819 (wddx_deserialize() heap out-of-bound read via php_parse_date()). (CVE-2017-11145)
  • GD:
    • Fixed bug #74435 (Buffer over-read into uninitialized memory). (CVE-2017-7890)
  • mbstring:
    • Add oniguruma upstream fix (CVE-2017-9224, CVE-2017-9226, CVE-2017-9227, CVE-2017-9228, CVE-2017-9229)
  • OpenSSL:
    • Fixed bug #74651 (negative-size-param (-1) in memcpy in zif_openssl_seal()). (CVE-2017-11144)
  • PCRE:
    • Fixed bug #74087 (Segmentation fault in PHP7.1.1(compiled using the bundled PCRE library)).
  • WDDX:
    • Fixed bug #74145 (wddx parsing empty boolean tag leads to SIGSEGV). (CVE-2017-11143)

Version 5.6.30

  • EXIF:
    • Fixed bug #73737 (FPE when parsing a tag format). (CVE-2016-10158)
  • GD:
    • Fixed bug #73549 (Use after free when stream is passed to imagepng).
    • Fixed bug #73868 (DOS vulnerability in gdImageCreateFromGd2Ctx()). (CVE-2016-10167)
    • Fixed bug #73869 (Signed Integer Overflow gd_io.c). (CVE-2016-10168)
  • Intl:
    • Fixed bug #68447 (grapheme_extract take an extra trailing character).
  • Phar:
    • Fixed bug #73764 (Crash while loading hostile phar archive). (CVE-2016-10159)
    • Fixed bug #73768 (Memory corruption when loading hostile phar). (CVE-2016-10160)
    • Fixed bug #73773 (Seg fault when loading hostile phar). (CVE-2017-11147)
  • SQLite3:
    • Reverted fix for bug #73530 (Unsetting result set may reset other result set).
  • Standard:
    • Fixed bug #70213 (Unserialize context shared on double class lookup).
    • Fixed bug #73825 (Heap out of bounds read on unserialize in finish_nested_data()). (CVE-2016-10161)

Version 5.6.29

  • Mysqlnd:
    • Fixed bug #64526 (Add missing mysqlnd.* parameters to php.ini-*).
  • Opcache:
    • Fixed bug #73402 (Opcache segfault when using class constant to call a method).
    • Fixed bug #69090 (check cached files permissions)
  • OpenSSL:
    • Fixed bug #72776 (Invalid parameter in memcpy function through openssl_pbkdf2).
  • Postgres:
    • Fixed bug #73498 (Incorrect SQL generated for pg_copy_to()).
  • SOAP:
    • Fixed bug #73452 (Segfault (Regression for #69152)).
  • SQLite3:
    • Fixed bug #73530 (Unsetting result set may reset other result set).
  • Standard:
    • Fixed bug #73297 (HTTP stream wrapper should ignore HTTP 100 Continue).
  • WDDX:
    • Fixed bug #73631 (Invalid read when wddx decodes empty boolean element). (CVE-2016-9935)

Version 5.6.28

  • Core:
    • Fixed bug #73337 (try/catch not working with two exceptions inside a same operation).
  • Bz2:
    • Fixed bug #73356 (crash in bzcompress function).
  • GD:
    • Fixed bug #73213 (Integer overflow in imageline() with antialiasing).
    • Fixed bug #73272 (imagescale() is not affected by, but affects imagesetinterpolation()).
    • Fixed bug #73279 (Integer overflow in gdImageScaleBilinearPalette()).
    • Fixed bug #73280 (Stack Buffer Overflow in GD dynamicGetbuf).
    • Fixed bug #72482 (Illegal write/read access caused by gdImageAALine overflow).
    • Fixed bug #72696 (imagefilltoborder stackoverflow on truecolor images). (CVE-2016-9933)
  • Imap:
    • Fixed bug #73418 (Integer Overflow in "_php_imap_mail" leads Heap Overflow).
  • SPL:
    • Fixed bug #73144 (Use-after-free in ArrayObject Deserialization).
  • SOAP:
    • Fixed bug #73037 (SoapServer reports Bad Request when gzipped).
  • SQLite3:
    • Fixed bug #73333 (2147483647 is fetched as string).
  • Standard:
    • Fixed bug #73203 (passing additional_parameters causes mail to fail).
    • Fixed bug #73188 (use after free in userspace streams).
    • Fixed bug #73192 (parse_url return wrong hostname).
  • Wddx:
    • Fixed bug #73331 (NULL Pointer Dereference in WDDX Packet Deserialization with PDORow). (CVE-2016-9934)

Version 5.6.27

  • Core:
    • Fixed bug #73025 (Heap Buffer Overflow in virtual_popen of zend_virtual_cwd.c).
    • Fixed bug #73058 (crypt broken when salt is 'too' long).
    • Fixed bug #72703 (Out of bounds global memory read in BF_crypt triggered by password_verify).
    • Fixed bug #73189 (Memcpy negative size parameter php_resolve_path).
    • Fixed bug #73147 (Use After Free in unserialize()).
  • BCmath:
    • Fixed bug #73190 (memcpy negative parameter _bc_new_num_ex).
  • DOM:
    • Fixed bug #73150 (missing NULL check in dom_document_save_html).
  • Ereg:
    • Fixed bug #73284 (heap overflow in php_ereg_replace function).
  • Filter:
    • Fixed bug #72972 (Bad filter for the flags FILTER_FLAG_NO_RES_RANGE and FILTER_FLAG_NO_PRIV_RANGE).
    • Fixed bug #67167 (Wrong return value from FILTER_VALIDATE_BOOLEAN, FILTER_NULL_ON_FAILURE).
    • Fixed bug #73054 (default option ignored when object passed to int filter).
  • GD:
    • Fixed bug #67325 (imagetruecolortopalette: white is duplicated in palette).
    • Fixed bug #50194 (imagettftext broken on transparent background w/o alphablending).
    • Fixed bug #73003 (Integer Overflow in gdImageWebpCtx of gd_webp.c).
    • Fixed bug #53504 (imagettfbbox gives incorrect values for bounding box).
    • Fixed bug #73157 (imagegd2() ignores 3rd param if 4 are given).
    • Fixed bug #73155 (imagegd2() writes wrong chunk sizes on boundaries).
    • Fixed bug #73159 (imagegd2(): unrecognized formats may result in corrupted files).
    • Fixed bug #73161 (imagecreatefromgd2() may leak memory).
  • Intl:
    • Fixed bug #73218 (add mitigation for ICU int overflow).
  • Imap:
    • Fixed bug #73208 (integer overflow in imap_8bit caused heap corruption).
  • Mbstring:
    • Fixed bug #72994 (mbc_to_code() out of bounds read).
    • Fixed bug #66964 (mb_convert_variables() cannot detect recursion).
    • Fixed bug #72992 (mbstring.internal_encoding doesn't inherit default_charset).
    • Fixed bug #73082 (string length overflow in mb_encode_* function).
  • PCRE:
    • Fixed bug #73174 (heap overflow in php_pcre_replace_impl).
  • Opcache:
    • Fixed bug #72590 (Opcache restart with kill_all_lockers does not work).
  • OpenSSL:
    • Fixed bug #73072 (Invalid path SNI_server_certs causes segfault).
    • Fixed bug #73275 (crash in openssl_encrypt function).
    • Fixed bug #73276 (crash in openssl_random_pseudo_bytes function).
  • Session:
    • Fixed bug #68015 (Session does not report invalid uid for files save handler).
    • Fixed bug #73100 (session_destroy null dereference in ps_files_path_create).
  • SimpleXML:
    • Fixed bug #73293 (NULL pointer dereference in SimpleXMLElement::asXML()).
  • SPL:
    • Fixed bug #73073 (CachingIterator null dereference when convert to string).
  • Standard:
    • Fixed bug #73240 (Write out of bounds at number_format).
    • Fixed bug #73017 (memory corruption in wordwrap function).
  • Stream:
    • Fixed bug #73069 (readfile() mangles files larger than 2G).
  • Zip:
    • Fixed bug #70752 (Depacking with wrong password leaves 0 length files).

Version 5.6.26

  • Core:
    • Fixed bug #72907 (null pointer deref, segfault in gc_remove_zval_from_buffer (zend_gc.c:260)).
  • Dba:
    • Fixed bug #71514 (Bad dba_replace condition because of wrong API usage).
    • Fixed bug #70825 (Cannot fetch multiple values with group in ini file).
  • EXIF:
    • Fixed bug #72926 (Uninitialized Thumbnail Data Leads To Memory Leakage in exif_process_IFD_in_TIFF).
  • FTP:
    • Fixed bug #70195 (Cannot upload file using ftp_put to FTPES with require_ssl_reuse).
  • GD:
    • Fixed bug #66005 (imagecopy does not support 1bit transparency on truecolor images).
    • Fixed bug #72913 (imagecopy() loses single-color transparency on palette images).
    • Fixed bug #68716 (possible resource leaks in _php_image_convert()).
  • Intl:
    • Fixed bug #73007 (add locale length check). (CVE-2016-7416)
  • JSON:
    • Fixed bug #72787 (json_decode reads out of bounds).
  • mbstring:
    • Fixed bug #66797 (mb_substr only takes 32-bit signed integer).
    • Fixed bug #72910 (Out of bounds heap read in mbc_to_code() / triggered by mb_ereg_match()).
  • MSSQL:
    • Fixed bug #72039 (Use of uninitialised value on mssql_guid_string).
  • Mysqlnd:
    • Fixed bug #72293 (Heap overflow in mysqlnd related to BIT fields). (CVE-2016-7412)
  • PDO:
    • Fixed bug #60665 (call to empty() on NULL result using PDO::FETCH_LAZY returns false).
  • PDO_pgsql:
    • Implemented FR #72633 (Postgres PDO lastInsertId() should work without specifying a sequence).
    • Fixed bug #72759 (Regression in pgo_pgsql).
  • Phar:
    • Fixed bug #72928 (Out of bound when verify signature of zip phar in phar_parse_zipfile). (CVE-2016-7414)
    • Fixed bug #73035 (Out of bound when verify signature of tar phar in phar_parse_tarfile).
  • SPL:
    • Fixed bug #73029 (Missing type check when unserializing SplArray). (CVE-2016-7417)
  • Standard:
    • Fixed bug #72823 (strtr out-of-bound access).
    • Fixed bug #72278 (getimagesize returning FALSE on valid jpg).
    • Fixed bug #65550 (get_browser() incorrectly parses entries with "+" sign).
    • Fixed bug #71882 (Negative ftruncate() on php://memory exhausts memory).
    • Fixed bug #73011 (integer overflow in fgets cause heap corruption).
    • Fixed bug #73017 (memory corruption in wordwrap function).
    • Fixed bug #73045 (integer overflow in fgetcsv caused heap corruption).
    • Fixed bug #73052 (Memory Corruption in During Deserialized-object Destruction). (CVE-2016-7411)
  • Streams:
    • Fixed bug #72853 (stream_set_blocking doesn't work).
  • Wddx:
    • Fixed bug #72860 (wddx_deserialize use-after-free). (CVE-2016-7413)
    • Fixed bug #73065 (Out-Of-Bounds Read in php_wddx_push_element). (CVE-2016-7418)
  • XML:
    • Fixed bug #72085 (SEGV on unknown address zif_xml_parse).
    • Fixed bug #72927 (integer overflow in xml_utf8_encode).
  • ZIP:
    • Fixed bug #68302 (impossible to compile php with zip support).

Version 5.6.25

  • Core:
    • Fixed bug #70436 (Use After Free Vulnerability in unserialize()).
    • Fixed bug #72024 (microtime() leaks memory).
    • Fixed bug #72581 (previous property undefined in Exception after deserialization).
    • Implemented FR #72614 (Support "nmake test" on building extensions by phpize).
    • Fixed bug #72641 (phpize (on Windows) ignores PHP_PREFIX).
    • Fixed bug #72663 (Create an Unexpected Object and Don't Invoke __wakeup() in Deserialization). (CVE-2016-7124)
    • Fixed bug #72681 (PHP Session Data Injection Vulnerability). (CVE-2016-7125)
  • Bz2:
    • Fixed bug #72837 (integer overflow in bzdecompress caused heap corruption).
  • Calendar:
    • Fixed bug #67976 (cal_days_month() fails for final month of the French calendar).
    • Fixed bug #71894 (AddressSanitizer: global-buffer-overflow in zif_cal_from_jd).
  • Curl:
    • Fixed bug #71144 (Segmentation fault when using cURL with ZTS).
    • Fixed bug #71929 (Certification information (CERTINFO) data parsing error).
    • Fixed bug #72807 (integer overflow in curl_escape caused heap corruption).
  • DOM:
    • Fixed bug #66502 (DOM document dangling reference).
  • Ereg:
    • Fixed bug #72838 (Integer overflow lead to heap corruption in sql_regcase).
  • EXIF:
    • Fixed bug #72627 (Memory Leakage In exif_process_IFD_in_TIFF). (CVE-2016-7128)
    • Fixed bug #72735 (Samsung picture thumb not read (zero size)).
  • Filter:
    • Fixed bug #71745 (FILTER_FLAG_NO_RES_RANGE does not cover whole 127.0.0.0/8 range).
  • FPM:
    • Fixed bug #72575 (using --allow-to-run-as-root should ignore missing user).
  • GD:
    • Fixed bug #43828 (broken transparency of imagearc for truecolor in blendingmode).
    • Fixed bug #66555 (Always false condition in ext/gd/libgd/gdkanji.c).
    • Fixed bug #68712 (suspicious if-else statements).
    • Fixed bug #70315 (500 Server Error but page is fully rendered).
    • Fixed bug #72596 (imagetypes function won't advertise WEBP support).
    • Fixed bug #72604 (imagearc() ignores thickness for full arcs).
    • Fixed bug #72697 (select_colors write out-of-bounds). (CVE-2016-7126)
    • Fixed bug #72709 (imagesetstyle() causes OOB read for empty $styles).
    • Fixed bug #72730 (imagegammacorrect allows arbitrary write access). (CVE-2016-7127)
    • Fixed bug #72494 (imagecropauto out-of-bounds access)
  • Intl:
    • Partially fixed #72506 (idn_to_ascii for UTS #46 incorrect for long domain names).
  • mbstring:
    • Fixed bug #72691 (mb_ereg_search raises a warning if a match zero-width).
    • Fixed bug #72693 (mb_ereg_search increments search position when a match zero-width).
    • Fixed bug #72694 (mb_ereg_search_setpos does not accept a string's last position).
    • Fixed bug #72710 (`mb_ereg` causes buffer overflow on regexp compile error).
  • PCRE:
    • Fixed bug #72688 (preg_match missing group names in matches).
  • PDO_pgsql:
    • Fixed bug #70313 (PDO statement fails to throw exception).
  • Reflection:
    • Fixed bug #72222 (ReflectionClass::export doesn't handle array constants).
  • SNMP:
    • Fixed bug #72708 (php_snmp_parse_oid integer overflow in memory allocation).
  • Standard:
    • Fixed bug #72330 (CSV fields incorrectly split if escape char followed by UTF chars).
    • Fixed bug #72836 (integer overflow in base64_decode).
    • Fixed bug #72848 (integer overflow in quoted_printable_encode).
    • Fixed bug #72849 (integer overflow in urlencode).
    • Fixed bug #72850 (integer overflow in php_uuencode).
    • Fixed bug #72716 (initialize buffer before read).
  • Streams:
    • Fixed bug #41021 (Problems with the ftps wrapper).
    • Fixed bug #54431 (opendir() does not work with ftps:// wrapper).
    • Fixed bug #72667 (opendir() with ftp:// attempts to open data stream for non-existent directories).
    • Fixed bug #72764 (ftps:// opendir wrapper data channel encryption fails with IIS FTP 7.5, 8.5).
    • Fixed bug #72771 (ftps:// wrapper is vulnerable to protocol downgrade attack).
  • SPL:
    • Fixed bug #72122 (IteratorIterator breaks '@' error suppression).
    • Fixed bug #72646 (SplFileObject::getCsvControl does not return the escape character).
    • Fixed bug #72684 (AppendIterator segfault with closed generator).
  • SQLite3:
    • Implemented FR #72653 (SQLite should allow opening with empty filename).
  • Wddx:
    • Fixed bug #72142 (WDDX Packet Injection Vulnerability in wddx_serialize_value()).
    • Fixed bug #72749 (wddx_deserialize allows illegal memory access). (CVE-2016-7129)
    • Fixed bug #72750 (wddx_deserialize null dereference). (CVE-2016-7130)
    • Fixed bug #72790 (wddx_deserialize null dereference with invalid xml). (CVE-2016-7131)
    • Fixed bug #72799 (wddx_deserialize null dereference in php_wddx_pop_element). (CVE-2016-7132)

Version 5.6.24

  • Core:
    • Fixed bug #71936 (Segmentation fault destroying HTTP_RAW_POST_DATA).
    • Fixed bug #72496 (Cannot declare public method with signature incompatible with parent private method).
    • Fixed bug #72138 (Integer Overflow in Length of String-typed ZVAL).
    • Fixed bug #72513 (Stack-based buffer overflow vulnerability in virtual_file_ex). (CVE-2016-6289)
    • Fixed bug #72562 (Use After Free in unserialize() with Unexpected Session Deserialization). (CVE-2016-6290)
    • Fixed bug #72573 (HTTP_PROXY is improperly trusted by some PHP libraries and applications). (CVE-2016-5385)
  • bz2:
    • Fixed bug #72447 (Type Confusion in php_bz2_filter_create()).
    • Fixed bug #72613 (Inadequate error handling in bzread()). (CVE-2016-5399)
  • Date:
    • Fixed bug #66836 (DateTime::createFromFormat 'U' with pre 1970 dates fails parsing).
  • EXIF:
    • Fixed bug #50845 (exif_read_data() returns corrupted exif headers).
    • Fixed bug #72603 (Out of bound read in exif_process_IFD_in_MAKERNOTE). (CVE-2016-6291)
    • Fixed bug #72618 (NULL Pointer Dereference in exif_process_user_comment). (CVE-2016-6292)
  • GD:
    • Fixed bug #43475 (Thick styled lines have scrambled patterns).
    • Fixed bug #53640 (XBM images require width to be multiple of 8).
    • Fixed bug #64641 (imagefilledpolygon doesn't draw horizontal line).
    • Fixed bug #72512 (gdImageTrueColorToPaletteBody allows arbitrary write/read access).
    • Fixed bug #72519 (imagegif/output out-of-bounds access).
    • Fixed bug #72558 (Integer overflow error within _gdContributionsAlloc()). (CVE-2016-6207)
  • Intl:
    • Fixed bug #72533 (locale_accept_from_http out-of-bounds access). (CVE-2016-6294)
  • OpenSSL:
    • Fixed bug #71915 (openssl_random_pseudo_bytes is not fork-safe).
    • Fixed bug #72336 (openssl_pkey_new does not fail for invalid DSA params).
  • SNMP:
    • Fixed bug #72479 (Use After Free Vulnerability in SNMP with GC and unserialize()). (CVE-2016-6295)
  • SPL:
    • Fixed bug #55701 (GlobIterator throws LogicException).
  • SQLite3:
    • Fixed bug #70628 (Clearing bindings on an SQLite3 statement doesn't work).
  • Streams:
    • Fixed bug #72439 (Stream socket with remote address leads to a segmentation fault).
  • Xmlrpc:
    • Fixed bug #72606 (heap-buffer-overflow (write) simplestring_addn simplestring.c). (CVE-2016-6296)
  • Zip:
    • Fixed bug #72520 (Stack-based buffer overflow vulnerability in php_stream_zip_opener). (CVE-2016-6297)

Version 5.5.38

  • Core:
    • Fixed bug #70480 (php_url_parse_ex() buffer overflow read). (CVE-2016-6288)
    • Fixed bug #72513 (Stack-based buffer overflow vulnerability in virtual_file_ex). (CVE-2016-6289)
    • Fixed bug #72562 (Use After Free in unserialize() with Unexpected Session Deserialization). (CVE-2016-6290)
    • Fixed bug #72573 (HTTP_PROXY is improperly trusted by some PHP libraries and applications). (CVE-2016-5385)
  • BZip2:
    • Fixed bug #72613 (Inadequate error handling in bzread()). (CVE-2016-5399)
  • EXIF:
    • Fixed bug #72603 (Out of bound read in exif_process_IFD_in_MAKERNOTE). (CVE-2016-6291)
    • Fixed bug #72618 (NULL Pointer Dereference in exif_process_user_comment). (CVE-2016-6292)
  • GD:
    • Fixed bug #72512 (gdImageTrueColorToPaletteBody allows arbitrary write/read access).
    • Fixed bug #72519 (imagegif/output out-of-bounds access).
    • Fixed bug #72558 (Integer overflow error within _gdContributionsAlloc()). (CVE-2016-6207)
  • Intl:
    • Fixed bug #72533 (locale_accept_from_http out-of-bounds access). (CVE-2016-6294)
  • ODBC:
    • Fixed bug #69975 (PHP segfaults when accessing nvarchar(max) defined columns). (CVE-2015-8879)
  • SNMP:
    • Fixed bug #72479 (Use After Free Vulnerability in SNMP with GC and unserialize()). (CVE-2016-6295)
  • Xmlrpc:
    • Fixed bug #72606 (heap-buffer-overflow (write) simplestring_addn simplestring.c). (CVE-2016-6296)
  • Zip:
    • Fixed bug #72520 (Stack-based buffer overflow vulnerability in php_stream_zip_opener). (CVE-2016-6297)

Version 5.6.23

  • Core:
    • Fixed bug #72268 (Integer Overflow in nl2br()).
    • Fixed bug #72275 (Integer Overflow in json_encode()/json_decode()/ json_utf8_to_utf16()).
    • Fixed bug #72400 (Integer Overflow in addcslashes/addslashes).
    • Fixed bug #72403 (Integer Overflow in Length of String-typed ZVAL).
  • Date:
    • Fixed bug #63740 (strtotime seems to use both sunday and monday as start of week).
  • GD:
    • Fixed bug #72298 (pass2_no_dither out-of-bounds access).
    • Fixed bug #72337 (invalid dimensions can lead to crash).
    • Fixed bug #72339 (Integer Overflow in _gd2GetHeader() resulting in heap overflow). (CVE-2016-5766)
    • Fixed bug #72407 (NULL Pointer Dereference at _gdScaleVert).
    • Fixed bug #72446 (Integer Overflow in gdImagePaletteToTrueColor() resulting in heap overflow). (CVE-2016-5767)
  • Intl:
    • Fixed bug #70484 (selectordinal doesn't work with named parameters).
  • mbstring:
    • Fixed bug #72402 (_php_mb_regex_ereg_replace_exec - double free). (CVE-2016-5768)
  • mcrypt:
    • Fixed bug #72455 (Heap Overflow due to integer overflows). (CVE-2016-5769)
  • OpenSSL:
    • Fixed bug #72140 (segfault after calling ERR_free_strings()).
  • Phar:
    • Fixed bug #72321 (invalid free in phar_extract_file()). (CVE-2016-4473)
  • SPL:
    • Fixed bug #72262 (int/size_t confusion in SplFileObject::fread). (CVE-2016-5770)
    • Fixed bug #72433 (Use After Free Vulnerability in PHP's GC algorithm and unserialize). (CVE-2016-5771)
  • WDDX:
    • Fixed bug #72340 (Double Free Corruption in wddx_deserialize). (CVE-2016-5772)
  • zip:
    • Fixed bug #72434 (ZipArchive class Use After Free Vulnerability in PHP's GC algorithm and unserialize). (CVE-2016-5773)

Version 5.5.37

  • Core:
    • Fixed bug #72268 (Integer Overflow in nl2br()).
    • Fixed bug #72275 (Integer Overflow in json_encode()/json_decode()/ json_utf8_to_utf16()).
    • Fixed bug #72400 (Integer Overflow in addcslashes/addslashes).
    • Fixed bug #72403 (Integer Overflow in Length of String-typed ZVAL).
  • GD:
    • Fixed bug #66387 (Stack overflow with imagefilltoborder). (CVE-2015-8874)
    • Fixed bug #72298 (pass2_no_dither out-of-bounds access).
    • Fixed bug #72339 (Integer Overflow in _gd2GetHeader() resulting in heap overflow). (CVE-2016-5766)
    • Fixed bug #72407 (NULL Pointer Dereference at _gdScaleVert).
    • Fixed bug #72446 (Integer Overflow in gdImagePaletteToTrueColor() resulting in heap overflow). (CVE-2016-5767)
  • mbstring:
    • Fixed bug #72402 (_php_mb_regex_ereg_replace_exec - double free). (CVE-2016-5768)
  • mcrypt:
    • Fixed bug #72455 (Heap Overflow due to integer overflows). (CVE-2016-5769)
  • SPL:
    • Fixed bug #72262 (int/size_t confusion in SplFileObject::fread). (CVE-2016-5770)
    • Fixed bug #72433 (Use After Free Vulnerability in PHP's GC algorithm and unserialize). (CVE-2016-5771)
  • WDDX:
    • Fixed bug #72340 (Double Free Corruption in wddx_deserialize). (CVE-2016-5772)
  • zip:
    • Fixed bug #72434 (ZipArchive class Use After Free Vulnerability in PHP's GC algorithm and unserialize). (CVE-2016-5773)

Version 5.6.22

  • Core:
    • Fixed bug #72172 (zend_hex_strtod should not use strlen).
    • Fixed bug #72114 (Integer underflow / arbitrary null write in fread/gzread). (CVE-2016-5096)
    • Fixed bug #72135 (Integer Overflow in php_html_entities). (CVE-2016-5094)
  • GD:
    • Fixed bug #72227 (imagescale out-of-bounds read). (CVE-2013-7456)
  • Intl:
    • Fixed bug #64524 (Add intl.use_exceptions to php.ini-*).
    • Fixed bug #72241 (get_icu_value_internal out-of-bounds read). (CVE-2016-5093)
  • Postgres:
    • Fixed bug #72151 (mysqli_fetch_object changed behaviour). Patch to #71820 is reverted.

Version 5.5.36

  • Core:
    • Fixed bug #72114 (Integer underflow / arbitrary null write in fread/gzread). (CVE-2016-5096)
    • Fixed bug #72135 (Integer Overflow in php_html_entities). (CVE-2016-5094)
  • GD:
    • Fixed bug #72227 (imagescale out-of-bounds read). (CVE-2013-7456)
  • Intl:
    • Fixed bug #72241 (get_icu_value_internal out-of-bounds read). (CVE-2016-5093)
  • Phar:
    • Fixed bug #71331 (Uninitialized pointer in phar_make_dirstream()). (CVE-2016-4343)

Version 5.6.21

  • Core:
    • Fixed bug #69537 (__debugInfo with empty string for key gives error).
    • Fixed bug #71841 (EG(error_zval) is not handled well).
  • BCmath:
    • Fixed bug #72093 (bcpowmod accepts negative scale and corrupts _one_ definition). (CVE-2016-4537, CVE-2016-4538)
  • Curl:
    • Fixed bug #71831 (CURLOPT_NOPROXY applied as long instead of string).
  • Date:
    • Fixed bug #71889 (DateInterval::format Segmentation fault).
  • EXIF:
    • Fixed bug #72094 (Out of bounds heap read access in exif header processing). (CVE-2016-4542, CVE-2016-4543, CVE-2016-4544)
  • GD:
    • Fixed bug #71952 (Corruption inside imageaffinematrixget).
    • Fixed bug #71912 (libgd: signedness vulnerability). (CVE-2016-3074)
  • Intl:
    • Fixed bug #72061 (Out-of-bounds reads in zif_grapheme_stripos with negative offset). (CVE-2016-4540, CVE-2016-4541)
  • OCI8:
    • Fixed bug #71422 (Fix ORA-01438: value larger than specified precision allowed for this column).
  • ODBC:
    • Fixed bug #63171 (Script hangs after max_execution_time).
  • Opcache:
    • Fixed bug #71843 (null ptr deref ZEND_RETURN_SPEC_CONST_HANDLER).
  • PDO:
    • Fixed bug #52098 (Own PDOStatement implementation ignore __call()).
    • Fixed bug #71447 (Quotes inside comments not properly handled).
  • Postgres:
    • Fixed bug #71820 (pg_fetch_object binds parameters before call constructor).
  • SPL:
    • Fixed bug #67582 (Cloned SplObjectStorage with overwritten getHash fails offsetExists()).
  • Standard:
    • Fixed bug #71840 (Unserialize accepts wrongly data).
    • Fixed bug #67512 (php_crypt() crashes if crypt_r() does not exist or _REENTRANT is not defined).
  • XML:
    • Fixed bug #72099 (xml_parse_into_struct segmentation fault). (CVE-2016-4539)

Version 5.5.35

  • BCMath:
    • Fixed bug #72093 (bcpowmod accepts negative scale and corrupts _one_ definition). (CVE-2016-4537, CVE-2016-4538)
  • Exif:
    • Fixed bug #72094 (Out of bounds heap read access in exif header processing). (CVE-2016-4542, CVE-2016-4543, CVE-2016-4544)
  • GD:
    • Fixed bug #71912 (libgd: signedness vulnerability). (CVE-2016-3074)
  • Intl:
    • Fixed bug #72061 (Out-of-bounds reads in zif_grapheme_stripos with negative offset). (CVE-2016-4540, CVE-2016-4541)
  • XML:
    • Fixed bug #72099 (xml_parse_into_struct segmentation fault). (CVE-2016-4539)

Version 5.6.20

  • CLI Server:
    • Fixed bug #69953 (Support MKCALENDAR request method).
  • Core:
    • Fixed bug #71596 (Segmentation fault on ZTS with date function (setlocale)).
  • Curl:
    • Fixed bug #71694 (Support constant CURLM_ADDED_ALREADY).
  • Date:
    • Fixed bug #71635 (DatePeriod::getEndDate segfault).
  • Fileinfo:
    • Fixed bug #71527 (Buffer over-write in finfo_open with malformed magic file). (CVE-2015-8865)
  • Mbstring:
    • Fixed bug #71906 (AddressSanitizer: negative-size-param (-1) in mbfl_strcut). (CVE-2016-4073)
  • ODBC:
    • Fixed bug #47803, #69526 (Executing prepared statements is successful only for the first two statements).
    • Fixed bug #71860 (Invalid memory write in phar on filename with \0 in name). (CVE-2016-4072)
  • PDO_DBlib:
    • Fixed bug #54648 (PDO::MSSQL forces format of datetime fields).
  • Phar:
    • Fixed bug #71625 (Crash in php7.dll with bad phar filename).
    • Fixed bug #71504 (Parsing of tar file with duplicate filenames causes memory leak).
  • SNMP:
    • Fixed bug #71704 (php_snmp_error() Format String Vulnerability). (CVE-2016-4071)
  • Standard:
    • Fixed bug #71798 (Integer Overflow in php_raw_url_encode). (CVE-2016-4070)

Version 5.5.34

  • Fileinfo:
    • Fixed bug #71527 (Buffer over-write in finfo_open with malformed magic file). (CVE-2015-8865)
  • Mbstring:
    • Fixed bug #71906 (AddressSanitizer: negative-size-param (-1) in mbfl_strcut). (CVE-2016-4073)
  • ODBC:
    • Fixed bug #71860 (Invalid memory write in phar on filename with \0 in name). (CVE-2016-4072)
  • SNMP:
    • Fixed bug #71704 (php_snmp_error() Format String Vulnerability). (CVE-2016-4071)
  • Standard:
    • Fixed bug #71798 (Integer Overflow in php_raw_url_encode). (CVE-2016-4070)

Version 5.6.19

  • CLI server:
    • Fixed bug #71559 (Built-in HTTP server, we can download file in web by bug).
  • CURL:
    • Fixed bug #71523 (Copied handle with new option CURLOPT_HTTPHEADER crashes while curl_multi_exec).
  • Date:
    • Fixed bug #68078 (Datetime comparisons ignore microseconds).
    • Fixed bug #71525 (Calls to date_modify will mutate timelib_rel_time, causing date_date_set issues).
  • Fileinfo:
    • Fixed bug #71434 (finfo throws notice for specific python file).
  • FPM:
    • Fixed bug #62172 (FPM not working with Apache httpd 2.4 balancer/fcgi setup).
  • Opcache:
    • Fixed bug #71584 (Possible use-after-free of ZCG(cwd) in Zend Opcache).
  • PDO MySQL:
    • Fixed bug #71569 (#70389 fix causes segmentation fault).
  • Phar:
    • Fixed bug #71498 (Out-of-Bound Read in phar_parse_zipfile()).
  • Standard:
    • Fixed bug #70720 (strip_tags improper php code parsing).
  • WDDX:
    • Fixed bug #71587 (Use-After-Free / Double-Free in WDDX Deserialize).
  • XSL:
    • Fixed bug #71540 (NULL pointer dereference in xsl_ext_function_php()).
  • Zip:
    • Fixed bug #71561 (NULL pointer dereference in Zip::ExtractTo).

Version 5.5.33

  • Phar:
    • Fixed bug #71498 (Out-of-Bound Read in phar_parse_zipfile()).
  • WDDX:
    • Fixed bug #71587 (Use-After-Free / Double-Free in WDDX Deserialize).

Version 5.6.18

  • Core:
    • Added support for new HTTP 451 code.
    • Fixed bug #71039 (exec functions ignore length but look for NULL termination).
    • Fixed bug #71089 (No check to duplicate zend_extension).
    • Fixed bug #71201 (round() segfault on 64-bit builds).
    • Fixed bug #71273 (A wrong ext directory setup in php.ini leads to crash).
    • Fixed bug #71323 (Output of stream_get_meta_data can be falsified by its input).
    • Fixed bug #71459 (Integer overflow in iptcembed()).
  • Apache2handler:
    • Fix >2G Content-Length headers in apache2handler.
  • FTP:
    • Implemented FR #55651 (Option to ignore the returned FTP PASV address).
  • GD:
    • Improved fix for bug #70976.
  • Opcache:
    • Fixed bug #71127 (Define in auto_prepend_file is overwrite).
    • Fixed bug #71024 (Unable to use PHP 7.0 x64 side-by-side with PHP 5.6 x32 on the same server).
  • PCRE:
    • Upgraded bundled PCRE library to 8.38. (CVE-2015-8383, CVE-2015-8386, CVE-2015-8387, CVE-2015-8389, CVE-2015-8390, CVE-2015-8391, CVE-2015-8393, CVE-2015-8394)
  • Phar:
    • Fixed bug #71354 (Heap corruption in tar/zip/phar parser). (CVE-2016-4342)
    • Fixed bug #71331 (Uninitialized pointer in phar_make_dirstream()). (CVE-2016-4343)
    • Fixed bug #71391 (NULL Pointer Dereference in phar_tar_setupmetadata()).
    • Fixed bug #71488 (Stack overflow when decompressing tar archives). (CVE-2016-2554)
  • Session:
    • Fixed bug #69111 (Crash in SessionHandler::read()).
  • SOAP:
    • Fixed bug #70979 (crash with bad soap request).
  • SPL:
    • Fixed bug #71204 (segfault if clean spl_autoload_funcs while autoloading).
  • WDDX:
    • Fixed bug #71335 (Type Confusion in WDDX Packet Deserialization).

Version 5.5.32

    • Core:
      • Fixed bug #71039 (exec functions ignore length but look for NULL termination).
      • Fixed bug #71323 (Output of stream_get_meta_data can be falsified by its input).
      • Fixed bug #71459 (Integer overflow in iptcembed()).
    • GD:
      • Improved fix for bug #70976.
    • PCRE:
      • Upgraded bundled PCRE library to 8.38. (CVE-2015-8383, CVE-2015-8386, CVE-2015-8387, CVE-2015-8389, CVE-2015-8390, CVE-2015-8391, CVE-2015-8393, CVE-2015-8394)
    • Phar:
      • Fixed bug #71354 (Heap corruption in tar/zip/phar parser). (CVE-2016-4342)
      • Fixed bug #71391 (NULL Pointer Dereference in phar_tar_setupmetadata()).
      • Fixed bug #71488 (Stack overflow when decompressing tar archives). (CVE-2016-2554)
    • WDDX:
      • Fixed bug #71335 (Type Confusion in WDDX Packet Deserialization).

    Version 5.6.17

    • Core:
      • Fixed bug #66909 (configure fails utf8_to_mutf7 test).
      • Fixed bug #70958 (Invalid opcode while using ::class as trait method parameter default value).
      • Fixed bug #70957 (self::class can not be resolved with reflection for abstract class).
      • Fixed bug #70944 (try{ } finally{} can create infinite chains of exceptions).
      • Fixed bug #61751 (SAPI build problem on AIX: Undefined symbol: php_register_internal_extensions).
    • FPM:
      • Fixed bug #70755 (fpm_log.c memory leak and buffer overflow). (CVE-2016-5114)
    • GD:
      • Fixed bug #70976 (Memory Read via gdImageRotateInterpolated Array Index Out of Bounds). (CVE-2016-1903)
    • Mysqlnd:
      • Fixed bug #68077 (LOAD DATA LOCAL INFILE / open_basedir restriction).
    • SOAP:
      • Fixed bug #70900 (SoapClient systematic out of memory error).
    • Standard:
      • Fixed bug #70960 (ReflectionFunction for array_unique returns wrong number of parameters).
    • PDO_Firebird:
      • Fixed bug #60052 (Integer returned as a 64bit integer on X64_86).
    • WDDX:
      • Fixed bug #70661 (Use After Free Vulnerability in WDDX Packet Deserialization).
      • Fixed bug #70741 (Session WDDX Packet Deserialization Type Confusion Vulnerability).
    • XMLRPC:
      • Fixed bug #70728 (Type Confusion Vulnerability in PHP_to_XMLRPC_worker()).

    Version 5.5.31

    • FPM:
      • Fixed bug #70755 (fpm_log.c memory leak and buffer overflow). (CVE-2016-5114)
    • GD:
      • Fixed bug #70976 (Memory Read via gdImageRotateInterpolated Array Index Out of Bounds). (CVE-2016-1903)
    • WDDX:
      • Fixed bug #70661 (Use After Free Vulnerability in WDDX Packet Deserialization).
      • Fixed bug #70741 (Session WDDX Packet Deserialization Type Confusion Vulnerability).
    • XMLRPC:
      • Fixed bug #70728 (Type Confusion Vulnerability in PHP_to_XMLRPC_worker()).

    Version 5.6.16

    • Core:
      • Fixed bug #70828 (php-fpm 5.6 with opcache crashes when referencing a non-existent constant).
      • Fixed bug #70748 (Segfault in ini_lex () at Zend/zend_ini_scanner.l).
    • Mysqlnd:
      • Fixed bug #68344 (MySQLi does not provide way to disable peer certificate validation) by introducing MYSQLI_CLIENT_SSL_DONT_VERIFY_SERVER_CERT connection flag.
    • OCI8:
      • Fixed bug #68298 (OCI int overflow).
    • PDO_DBlib:
      • Fixed bug #69757 (Segmentation fault on nextRowset).
    • SOAP:
      • Fixed bug #70875 (Segmentation fault if wsdl has no targetNamespace attribute).
    • SPL:
      • Fixed bug #70852 (Segfault getting NULL offset of an ArrayObject).

    Version 5.6.15

    • Core:
      • Fixed bug #70681 (Segfault when binding $this of internal instance method to null).
      • Fixed bug #70685 (Segfault for getClosure() internal method rebind with invalid $this).
    • Date:
      • Fixed bug #70619 (DateTimeImmutable segfault).
    • Mcrypt:
      • Fixed bug #70625 (mcrypt_encrypt() won't return data when no IV was specified under RC4).
    • Mysqlnd:
      • Fixed bug #70384 (mysqli_real_query():Unknown type 245 sent by the server).
      • Fixed bug #70572 (segfault in mysqlnd_connect).
    • Opcache:
      • Fixed bug #70632 (Third one of segfault in gc_remove_from_buffer).
      • Fixed bug #70631 (Another Segfault in gc_remove_from_buffer()).
      • Fixed bug #70601 (Segfault in gc_remove_from_buffer()).
      • Fixed compatibility with Windows 10 (see also #70652).

    Version 5.6.14

    • Core:
      • Fixed bug #70370 (Bundled libtool.m4 doesn't handle FreeBSD 10 when building extensions).
    • CLI server:
      • Fixed bug #68291 (404 on urls with '+').
    • DOM:
      • Fixed bug #70001 (Assigning to DOMNode::textContent does additional entity encoding).
    • ldap:
      • Fixed bug #70465 (Bug in ldap_search() modifies LDAP_OPT_TIMELIMIT/DEREF's values). (Tyson Andre).
      • Fixed bug #69574 (ldap timeouts not enforced). (Côme Bernigaud).
    • Mysqlnd:
      • Fixed bug #70456 (mysqlnd doesn't activate TCP keep-alive when connecting to a server).
    • OpenSSL:
      • Fixed bug #55259 (openssl extension does not get the DH parameters from DH key resource).
      • Fixed bug #70395 (Missing ARG_INFO for openssl_seal()).
      • Fixed bug #60632 (openssl_seal fails with AES).
      • Fixed bug #68312 (Lookup for openssl.cnf causes a message box).
    • PDO:
      • Fixed bug #70389 (PDO constructor changes unrelated variables).
    • Phar:
      • Fixed bug #69720 (Null pointer dereference in phar_get_fp_offset()). (CVE-2015-7803)
      • Fixed bug #70433 (Uninitialized pointer in phar_make_dirstream when zip entry filename is "/"). (CVE-2015-7804)
    • Phpdbg:
      • Fix phpdbg_break_next() sometimes not breaking.
    • Standard:
      • Fixed bug #67131 (setcookie() conditional for empty values not met).
    • Streams:
      • Fixed bug #70361 (HTTP stream wrapper doesn't close keep-alive connections).
    • Zip:
      • Fixed bug #70322 (ZipArchive::close() doesn't indicate errors).

    Version 5.5.30

    • Phar:
      • Fixed bug #69720 (Null pointer dereference in phar_get_fp_offset()). (CVE-2015-7803)
      • Fixed bug #70433 (Uninitialized pointer in phar_make_dirstream when zip entry filename is "/"). (CVE-2015-7804)

    Version 5.6.13

    • Core:
      • Fixed bug #69900 (Too long timeout on pipes).
      • Fixed bug #69487 (SAPI may truncate POST data).
      • Fixed bug #70198 (Checking liveness does not work as expected).
      • Fixed bug #70172 (Use After Free Vulnerability in unserialize()). (CVE-2015-6834)
      • Fixed bug #70219 (Use after free vulnerability in session deserializer). (CVE-2015-6835)
    • CLI server:
      • Fixed bug #66606 (Sets HTTP_CONTENT_TYPE but not CONTENT_TYPE).
      • Fixed bug #70264 (CLI server directory traversal).
    • Date:
      • Fixed bug #70266 (DateInterval::__construct.interval_spec is not supposed to be optional).
      • Fixed bug #70277 (new DateTimeZone($foo) is ignoring text after null byte).
    • EXIF:
      • Fixed bug #70385 (Buffer over-read in exif_read_data with TIFF IFD tag byte value of 32 bytes).
    • GMP:
      • Fixed bug #70284 (Use after free vulnerability in unserialize() with GMP).
    • hash:
      • Fixed bug #70312 (HAVAL gives wrong hashes in specific cases).
    • MCrypt:
      • Fixed bug #69833 (mcrypt fd caching not working).
    • Opcache:
      • Fixed bug #70237 (Empty while and do-while segmentation fault with opcode on CLI enabled).
    • PCRE:
      • Fixed bug #70232 (Incorrect bump-along behavior with \K and empty string match).
      • Fixed bug #70345 (Multiple vulnerabilities related to PCRE functions).
    • SOAP:
      • Fixed bug #70388 (SOAP serialize_function_call() type confusion / RCE). (CVE-2015-6836)
    • SPL:
      • Fixed bug #70290 (Null pointer deref (segfault) in spl_autoload via ob_start).
      • Fixed bug #70303 (Incorrect constructor reflection for ArrayObject).
      • Fixed bug #70365 (Use-after-free vulnerability in unserialize() with SplObjectStorage). (CVE-2015-6834)
      • Fixed bug #70366 (Use-after-free vulnerability in unserialize() with SplDoublyLinkedList). (CVE-2015-6834)
    • Standard:
      • Fixed bug #70052 (getimagesize() fails for very large and very small WBMP).
      • Fixed bug #70157 (parse_ini_string() segmentation fault with INI_SCANNER_TYPED).
    • XSLT:
      • Fixed bug #69782 (NULL pointer dereference). (CVE-2015-6837, CVE-2015-6838)
    • ZIP:
      • Fixed bug #70350 (ZipArchive::extractTo allows for directory traversal when creating directories). (CVE-2014-9767)

    Version 5.5.29

    • Core:
      • Fixed bug #70172 (Use After Free Vulnerability in unserialize()). (CVE-2015-6834)
      • Fixed bug #70219 (Use after free vulnerability in session deserializer). (CVE-2015-6835)
    • EXIF:
      • Fixed bug #70385 (Buffer over-read in exif_read_data with TIFF IFD tag byte value of 32 bytes).
    • hash:
      • Fixed bug #70312 (HAVAL gives wrong hashes in specific cases).
    • PCRE:
      • Fixed bug #70345 (Multiple vulnerabilities related to PCRE functions).
    • SOAP:
      • Fixed bug #70388 (SOAP serialize_function_call() type confusion / RCE). (CVE-2015-6836)
    • SPL:
      • Fixed bug #70365 (Use-after-free vulnerability in unserialize() with SplObjectStorage). (CVE-2015-6834)
      • Fixed bug #70366 (Use-after-free vulnerability in unserialize() with SplDoublyLinkedList). (CVE-2015-6834)
    • XSLT:
      • Fixed bug #69782 (NULL pointer dereference). (CVE-2015-6837, CVE-2015-6838)
    • ZIP:
      • Fixed bug #70350 (ZipArchive::extractTo allows for directory traversal when creating directories). (CVE-2014-9767)

    Version 5.4.45

    • Core:
      • Fixed bug #70172 (Use After Free Vulnerability in unserialize()). (CVE-2015-6834)
      • Fixed bug #70219 (Use after free vulnerability in session deserializer). (CVE-2015-6835)
    • EXIF:
      • Fixed bug #70385 (Buffer over-read in exif_read_data with TIFF IFD tag byte value of 32 bytes).
    • hash:
      • Fixed bug #70312 (HAVAL gives wrong hashes in specific cases).
    • PCRE:
      • Fixed bug #70345 (Multiple vulnerabilities related to PCRE functions).
    • SOAP:
      • Fixed bug #70388 (SOAP serialize_function_call() type confusion / RCE). (CVE-2015-6836)
    • SPL:
      • Fixed bug #70365 (Use-after-free vulnerability in unserialize() with SplObjectStorage). (CVE-2015-6834)
      • Fixed bug #70366 (Use-after-free vulnerability in unserialize() with SplDoublyLinkedList). (CVE-2015-6834)
    • XSLT:
      • Fixed bug #69782 (NULL pointer dereference). (CVE-2015-6837, CVE-2015-6838)
    • ZIP:
      • Fixed bug #70350 (ZipArchive::extractTo allows for directory traversal when creating directories). (CVE-2014-9767)

    Version 5.6.12

    • Core:
      • Fixed bug #70012 (Exception lost with nested finally block).
      • Fixed bug #70002 (TS issues with temporary dir handling).
      • Fixed bug #69793 (Remotely triggerable stack exhaustion via recursive method calls).
      • Fixed bug #69892 (Different arrays compare identical due to integer key truncation).
      • Fixed bug #70121 (unserialize() could lead to unexpected methods execution / NULL pointer deref).
    • CLI server:
      • Fixed bug #69655 (php -S changes MKCALENDAR request method to MKCOL).
      • Fixed bug #64878 (304 responses return Content-Type header).
    • GD:
      • Fixed bug #53156 (imagerectangle problem with point ordering).
      • Fixed bug #66387 (Stack overflow with imagefilltoborder). (CVE-2015-8874)
      • Fixed bug #70102 (imagecreatefromwebm() shifts colors).
      • Fixed bug #66590 (imagewebp() doesn't pad to even length).
      • Fixed bug #66882 (imagerotate by -90 degrees truncates image by 1px).
      • Fixed bug #70064 (imagescale(..., IMG_BICUBIC) leaks memory).
      • Fixed bug #69024 (imagescale segfault with palette based image).
      • Fixed bug #53154 (Zero-height rectangle has whiskers).
      • Fixed bug #67447 (imagecrop() add a black line when cropping).
      • Fixed bug #68714 (copy 'n paste error).
      • Fixed bug #66339 (PHP segfaults in imagexbm).
      • Fixed bug #70047 (gd_info() doesn't report WebP support).
    • ODBC:
      • Fixed bug #69975 (PHP segfaults when accessing nvarchar(max) defined columns). (CVE-2015-8879)
    • OpenSSL:
      • Fixed bug #69882 (OpenSSL error "key values mismatch" after openssl_pkcs12_read with extra cert).
      • Fixed bug #70014 (openssl_random_pseudo_bytes() is not cryptographically secure). (CVE-2015-8867)
    • Phar:
      • Improved fix for bug #69441.
      • Fixed bug #70019 (Files extracted from archive may be placed outside of destination directory). (CVE-2015-6833)
    • SOAP:
      • Fixed bug #70081 (SoapClient info leak / null pointer dereference via multiple type confusions).
    • SPL:
      • Fixed bug #70068 (Dangling pointer in the unserialization of ArrayObject items). (CVE-2015-6832)
      • Fixed bug #70166 (Use After Free Vulnerability in unserialize() with SPLArrayObject). (CVE-2015-6831)
      • Fixed bug #70168 (Use After Free Vulnerability in unserialize() with SplObjectStorage). (CVE-2015-6831)
      • Fixed bug #70169 (Use After Free Vulnerability in unserialize() with SplDoublyLinkedList). (CVE-2015-6831)
    • Standard:
      • Fixed bug #70096 (Repeated iptcembed() adds superfluous FF bytes).

    Version 5.5.28

    • Core:
      • Fixed bug #69793 (Remotely triggerable stack exhaustion via recursive method calls).
      • Fixed bug #69892 (Different arrays compare identical due to integer key truncation).
      • Fixed bug #70002 (TS issues with temporary dir handling).
      • Fixed bug #70121 (unserialize() could lead to unexpected methods execution / NULL pointer deref).
    • OpenSSL:
      • Fixed bug #70014 (openssl_random_pseudo_bytes() is not cryptographically secure). (CVE-2015-8867)
    • Phar:
      • Improved fix for bug #69441.
      • Fixed bug #70019 (Files extracted from archive may be placed outside of destination directory). (CVE-2015-6833)
    • SOAP:
      • Fixed bug #70081 (SoapClient info leak / null pointer dereference via multiple type confusions).
    • SPL:
      • Fixed bug #70068 (Dangling pointer in the unserialization of ArrayObject items). (CVE-2015-6832)
      • Fixed bug #70166 (Use After Free Vulnerability in unserialize() with SPLArrayObject). (CVE-2015-6831)
      • Fixed bug #70168 (Use After Free Vulnerability in unserialize() with SplObjectStorage). (CVE-2015-6831)
      • Fixed bug #70169 (Use After Free Vulnerability in unserialize() with SplDoublyLinkedList). (CVE-2015-6831)

    Version 5.4.44

    • Core:
      • Fixed bug #69793 (Remotely triggerable stack exhaustion via recursive method calls).
      • Fixed bug #69892 (Different arrays compare identical due to integer key truncation).
      • Fixed bug #70121 (unserialize() could lead to unexpected methods execution / NULL pointer deref).
    • OpenSSL:
      • Fixed bug #70014 (openssl_random_pseudo_bytes() is not cryptographically secure). (CVE-2015-8867)
    • Phar:
      • Improved fix for bug #69441.
      • Fixed bug #70019 (Files extracted from archive may be placed outside of destination directory). (CVE-2015-6833)
    • SOAP:
      • Fixed bug #70081 (SoapClient info leak / null pointer dereference via multiple type confusions).
    • SPL:
      • Fixed bug #70068 (Dangling pointer in the unserialization of ArrayObject items). (CVE-2015-6832)
      • Fixed bug #70166 (Use After Free Vulnerability in unserialize() with SPLArrayObject). (CVE-2015-6831)
      • Fixed bug #70168 (Use After Free Vulnerability in unserialize() with SplObjectStorage). (CVE-2015-6831)
      • Fixed bug #70169 (Use After Free Vulnerability in unserialize() with SplDoublyLinkedList). (CVE-2015-6831)

    Version 5.6.11

    • Core:
      • Fixed bug #69768 (escapeshell*() doesn't cater to !).
      • Fixed bug #69703 (Use __builtin_clzl on PowerPC).
      • Fixed bug #69732 (can induce segmentation fault with basic php code).
      • Fixed bug #69642 (Windows 10 reported as Windows 8).
      • Fixed bug #69551 (parse_ini_file() and parse_ini_string() segmentation fault).
      • Fixed bug #69781 (phpinfo() reports Professional Editions of Windows 7/8/8.1/10 as "Business").
      • Fixed bug #69740 (finally in generator (yield) swallows exception in iteration).
      • Fixed bug #69835 (phpinfo() does not report many Windows SKUs).
      • Fixed bug #69892 (Different arrays compare identical due to integer key truncation).
      • Fixed bug #69874 (Can't set empty additional_headers for mail()), regression from fix to bug #68776.
    • GD:
      • Fixed bug #61221 (imagegammacorrect function loses alpha channel).
    • GMP:
      • Fixed bug #69803 (gmp_random_range() modifies second parameter if GMP number).
    • Mysqlnd:
      • Fixed bug #69669 (mysqlnd is vulnerable to BACKRONYM). (CVE-2015-3152)
    • PCRE:
      • Fixed bug #53823 (preg_replace: * qualifier on unicode replace garbles the string).
      • Fixed bug #69864 (Segfault in preg_replace_callback).
    • PDO_pgsql:
      • Fixed bug #69752 (PDOStatement::execute() leaks memory with DML Statements when closeCuror() is u).
      • Fixed bug #69362 (PDO-pgsql fails to connect if password contains a leading single quote).
      • Fixed bug #69344 (PDO PgSQL Incorrect binding numeric array with gaps).
    • Phar:
      • Fixed bug #69958 (Segfault in Phar::convertToData on invalid file). (CVE-2015-5589)
      • Fixed bug #69923 (Buffer overflow and stack smashing error in phar_fix_filepath). (CVE-2015-5590)
    • SimpleXML:
      • Refactored the fix for bug #66084 (simplexml_load_string() mangles empty node name).
    • SPL:
      • Fixed bug #69737 (Segfault when SplMinHeap::compare produces fatal error).
      • Fixed bug #67805 (SplFileObject setMaxLineLength).
      • Fixed bug #69970 (Use-after-free vulnerability in spl_recursive_it_move_forward_ex()).
    • Sqlite3:
      • Fixed bug #69972 (Use-after-free vulnerability in sqlite3SafetyCheckSickOrOk()).

    Version 5.5.27

    • Core:
      • Fixed bug #69768 (escapeshell*() doesn't cater to !).
      • Fixed bug #69703 (Use __builtin_clzl on PowerPC).
      • Fixed bug #69732 (can induce segmentation fault with basic php code).
      • Fixed bug #69642 (Windows 10 reported as Windows 8).
      • Fixed bug #69551 (parse_ini_file() and parse_ini_string() segmentation fault).
      • Fixed bug #69781 (phpinfo() reports Professional Editions of Windows 7/8/8.1/10 as "Business").
      • Fixed bug #69835 (phpinfo() does not report many Windows SKUs).
      • Fixed bug #69892 (Different arrays compare identical due to integer key truncation).
      • Fixed bug #69874 (Can't set empty additional_headers for mail()), regression from fix to bug #68776.
    • GD:
      • Fixed bug #61221 (imagegammacorrect function loses alpha channel).
    • Mysqlnd:
      • Fixed bug #69669 (mysqlnd is vulnerable to BACKRONYM). (CVE-2015-3152)
    • PCRE:
      • Fixed bug #53823 (preg_replace: * qualifier on unicode replace garbles the string).
      • Fixed bug #69864 (Segfault in preg_replace_callback).
    • PDO_pgsql:
      • Fixed bug #69752 (PDOStatement::execute() leaks memory with DML Statements when closeCuror() is u).
      • Fixed bug #69362 (PDO-pgsql fails to connect if password contains a leading single quote).
      • Fixed bug #69344 (PDO PgSQL Incorrect binding numeric array with gaps).
    • Phar:
      • Fixed bug #69958 (Segfault in Phar::convertToData on invalid file). (CVE-2015-5589)
      • Fixed bug #69923 (Buffer overflow and stack smashing error in phar_fix_filepath). (CVE-2015-5590)
    • SimpleXML:
      • Refactored the fix for bug #66084 (simplexml_load_string() mangles empty node name).
    • SPL:
      • Fixed bug #69737 (Segfault when SplMinHeap::compare produces fatal error).
      • Fixed bug #67805 (SplFileObject setMaxLineLength).

    Version 5.4.43

    • Core:
      • Fixed bug #69768 (escapeshell*() doesn't cater to !).
      • Fixed bug #69874 (Can't set empty additional_headers for mail()), regression from fix to bug #68776.
    • Mysqlnd:
      • Fixed bug #69669 (mysqlnd is vulnerable to BACKRONYM). (CVE-2015-3152)
    • Phar:
      • Fixed bug #69958 (Segfault in Phar::convertToData on invalid file). (CVE-2015-5589)
      • Fixed bug #69923 (Buffer overflow and stack smashing error in phar_fix_filepath). (CVE-2015-5590)

    Version 5.6.10

    • Core:
      • Fixed bug #66048 (temp. directory is cached during multiple requests).
      • Fixed bug #69566 (Conditional jump or move depends on uninitialised value in extension trait).
      • Fixed bug #69599 (Strange generator+exception+variadic crash).
      • Fixed bug #69628 (complex GLOB_BRACE fails on Windows).
      • Fixed POST data processing slowdown due to small input buffer size on Windows.
      • Fixed bug #69646 (OS command injection vulnerability in escapeshellarg). (CVE-2015-4642)
      • Fixed bug #69719 (Incorrect handling of paths with NULs). (CVE-2015-4598)
    • FTP:
      • Improved fix for bug #69545 (Integer overflow in ftp_genlist() resulting in heap overflow). (CVE-2015-4643)
    • GD:
      • Fixed bug #69479 (GD fails to build with newer libvpx).
    • Iconv:
      • Fixed bug #48147 (iconv with //IGNORE cuts the string).
    • Litespeed SAPI:
      • Fixed bug #68812 (Unchecked return value).
    • Mail:
      • Fixed bug #68776 (mail() does not have mail header injection prevention for additional headers).
    • MCrypt:
      • Added file descriptor caching to mcrypt_create_iv().
    • Opcache:
      • Fixed bug #69549 (Memory leak with opcache.optimization_level=0xFFFFFFFF).
    • Phar:
      • Fixed bug #69680 (phar symlink in binary directory broken).
    • Postgres:
      • Fixed bug #69667 (segfault in php_pgsql_meta_data). (CVE-2015-4644)
    • Sqlite3:
      • Upgrade bundled sqlite to 3.8.10.2. (CVE-2015-3414, CVE-2015-3415, CVE-2015-3416)

    Version 5.5.26

    • Core:
      • Fixed bug #69566 (Conditional jump or move depends on uninitialised value in extension trait).
      • Fixed bug #66048 (temp. directory is cached during multiple requests).
      • Fixed bug #69628 (complex GLOB_BRACE fails on Windows).
      • Fixed bug #69646 (OS command injection vulnerability in escapeshellarg). (CVE-2015-4642)
      • Fixed bug #69719 (Incorrect handling of paths with NULs). (CVE-2015-4598)
    • FTP:
      • Improved fix for bug #69545 (Integer overflow in ftp_genlist() resulting in heap overflow). (CVE-2015-4643)
    • GD:
      • Fixed bug #69479 (GD fails to build with newer libvpx).
    • Iconv:
      • Fixed bug #48147 (iconv with //IGNORE cuts the string).
    • Litespeed SAPI:
      • Fixed bug #68812 (Unchecked return value).
    • Mail:
      • Fixed bug #68776 (mail() does not have mail header injection prevention for additional headers).
    • MCrypt:
      • Added file descriptor caching to mcrypt_create_iv().
    • Opcache:
      • Fixed bug #69549 (Memory leak with opcache.optimization_level=0xFFFFFFFF).
    • PCRE:
      • Upgraded pcrelib to 8.37. (CVE-2015-2325, CVE-2015-2326)
    • Phar:
      • Fixed bug #69680 (phar symlink in binary directory broken).
    • Postgres:
      • Fixed bug #69667 (segfault in php_pgsql_meta_data). (CVE-2015-4644)
    • Sqlite3:
      • Upgrade bundled sqlite to 3.8.10.2. (CVE-2015-3414, CVE-2015-3415, CVE-2015-3416)

    Version 5.4.42

    • Core:
      • Improved fix for bug #69545 (Integer overflow in ftp_genlist() resulting in heap overflow). (CVE-2015-4643)
      • Fixed bug #69646 (OS command injection vulnerability in escapeshellarg). (CVE-2015-4642)
      • Fixed bug #69719 (Incorrect handling of paths with NULs). (CVE-2015-4598)
    • Litespeed SAPI:
      • Fixed bug #68812 (Unchecked return value).
    • Mail:
      • Fixed bug #68776 (mail() does not have mail header injection prevention for additional headers).
    • Postgres:
      • Fixed bug #69667 (segfault in php_pgsql_meta_data). (CVE-2015-4644)
    • Sqlite3:
      • Upgrade bundled sqlite to 3.8.10.2. (CVE-2015-3414, CVE-2015-3415, CVE-2015-3416)

    Version 5.6.9

    • Core:
      • Fixed bug #69467 (Wrong checked for the interface by using Trait).
      • Fixed bug #69420 (Invalid read in zend_std_get_method).
      • Fixed bug #60022 ("use statement [...] has no effect" depends on leading backslash).
      • Fixed bug #67314 (Segmentation fault in gc_remove_zval_from_buffer).
      • Fixed bug #68652 (segmentation fault in destructor).
      • Fixed bug #69419 (Returning compatible sub generator produces a warning).
      • Fixed bug #69472 (php_sys_readlink ignores misc errors from GetFinalPathNameByHandleA).
      • Fixed bug #69364 (PHP Multipart/form-data remote dos Vulnerability). (CVE-2015-4024)
      • Fixed bug #69403 (str_repeat() sign mismatch based memory corruption).
      • Fixed bug #69418 (CVE-2006-7243 fix regressions in 5.4+). (CVE-2015-4025)
      • Fixed bug #69522 (heap buffer overflow in unpack()).
    • FTP:
      • Fixed bug #69545 (Integer overflow in ftp_genlist() resulting in heap overflow). (CVE-2015-4022)
    • ODBC:
      • Fixed bug #69354 (Incorrect use of SQLColAttributes with ODBC 3.0).
      • Fixed bug #69474 (ODBC: Query with same field name from two tables returns incorrect result).
      • Fixed bug #69381 (out of memory with sage odbc driver).
    • OpenSSL:
      • Fixed bug #69402 (Reading empty SSL stream hangs until timeout).
    • PCNTL:
      • Fixed bug #68598 (pcntl_exec() should not allow null char). (CVE-2015-4026)
    • PCRE:
      • Upgraded pcrelib to 8.37. (CVE-2015-2325, CVE-2015-2326)
    • Phar:
      • Fixed bug #69453 (Memory Corruption in phar_parse_tarfile when entry filename starts with null). (CVE-2015-4021)

    Version 5.5.25

    • Core:
      • Fixed bug #69364 (PHP Multipart/form-data remote dos Vulnerability). (CVE-2015-4024)
      • Fixed bug #69403 (str_repeat() sign mismatch based memory corruption).
      • Fixed bug #69418 (CVE-2006-7243 fix regressions in 5.4+). (CVE-2015-4025)
      • Fixed bug #69522 (heap buffer overflow in unpack()).
      • Fixed bug #69467 (Wrong checked for the interface by using Trait).
      • Fixed bug #69420 (Invalid read in zend_std_get_method).
      • Fixed bug #60022 ("use statement [...] has no effect" depends on leading backslash).
      • Fixed bug #67314 (Segmentation fault in gc_remove_zval_from_buffer).
      • Fixed bug #68652 (segmentation fault in destructor).
      • Fixed bug #69419 (Returning compatible sub generator produces a warning).
      • Fixed bug #69472 (php_sys_readlink ignores misc errors from GetFinalPathNameByHandleA).
    • FTP:
      • Fixed bug #69545 (Integer overflow in ftp_genlist() resulting in heap overflow). (CVE-2015-4022)
    • ODBC:
      • Fixed bug #69354 (Incorrect use of SQLColAttributes with ODBC 3.0).
      • Fixed bug #69474 (ODBC: Query with same field name from two tables returns incorrect result).
      • Fixed bug #69381 (out of memory with sage odbc driver).
    • OpenSSL:
      • Fixed bug #69402 (Reading empty SSL stream hangs until timeout).
    • PCNTL:
      • Fixed bug #68598 (pcntl_exec() should not allow null char). (CVE-2015-4026)
    • Phar:
      • Fixed bug #69453 (Memory Corruption in phar_parse_tarfile when entry filename starts with null). (CVE-2015-4021)

    Version 5.4.41

    • Core:
      • Fixed bug #69364 (PHP Multipart/form-data remote dos Vulnerability). (CVE-2015-4024)
      • Fixed bug #69403 (str_repeat() sign mismatch based memory corruption).
      • Fixed bug #69418 (CVE-2006-7243 fix regressions in 5.4+). (CVE-2015-4025)
      • Fixed bug #69522 (heap buffer overflow in unpack()).
    • FTP:
      • Fixed bug #69545 (Integer overflow in ftp_genlist() resulting in heap overflow). (CVE-2015-4022)
    • PCNTL:
      • Fixed bug #68598 (pcntl_exec() should not allow null char). (CVE-2015-4026)
    • PCRE:
      • Upgraded pcrelib to 8.37. (CVE-2015-2325, CVE-2015-2326)
    • Phar:
      • Fixed bug #69453 (Memory Corruption in phar_parse_tarfile when entry filename starts with null). (CVE-2015-4021)

    Version 5.6.8

    • Core:
      • Fixed bug #66609 (php crashes with __get() and ++ operator in some cases).
      • Fixed bug #68021 (get_browser() browser_name_regex returns non-utf-8 characters).
      • Fixed bug #68917 (parse_url fails on some partial urls).
      • Fixed bug #69134 (Per Directory Values overrides PHP_INI_SYSTEM configuration options).
      • Additional fix for bug #69152 (Type confusion vulnerability in exception::getTraceAsString).
      • Fixed bug #69210 (serialize function return corrupted data when sleep has non-string values).
      • Fixed bug #69212 (Leaking VIA_HANDLER func when exception thrown in __call/... arg passing).
      • Fixed bug #69221 (Segmentation fault when using a generator in combination with an Iterator).
      • Fixed bug #69337 (php_stream_url_wrap_http_ex() type-confusion vulnerability).
      • Fixed bug #69353 (Missing null byte checks for paths in various PHP extensions). (CVE-2015-3411, CVE-2015-3412)
    • Apache2handler:
      • Fixed bug #69218 (potential remote code execution with apache 2.4 apache2handler). (CVE-2015-3330)
    • cURL:
      • Implemented FR #69278 (HTTP2 support).
      • Fixed bug #68739 (Missing break / control flow).
      • Fixed bug #69316 (Use-after-free in php_curl related to CURLOPT_FILE/_INFILE/_WRITEHEADER).
    • Date:
      • Fixed bug #69336 (Issues with "last day of <monthname>").
    • Enchant:
      • Fixed bug #65406 (Enchant broker plugins are in the wrong place in windows builds).
    • Ereg:
      • Fixed bug #68740 (NULL Pointer Dereference).
    • Fileinfo:
      • Fixed bug #68819 (Fileinfo on specific file causes spurious OOM and/or segfault). (CVE-2015-4604, CVE-2015-4605)
    • Filter:
      • Fixed bug #69202 (FILTER_FLAG_STRIP_BACKTICK ignored unless other flags are used).
      • Fixed bug #69203 (FILTER_FLAG_STRIP_HIGH doesn't strip ASCII 127).
    • Mbstring:
      • Fixed bug #68846 (False detection of CJK Unified Ideographs Extension E).
    • OPCache:
      • Fixed bug #69297 (function_exists strange behavior with OPCache on disabled function).
      • Fixed bug #69281 (opcache_is_script_cached no longer works).
      • Fixed bug #68677 (Use After Free). (CVE-2015-1351)
    • OpenSSL:
      • Fixed bug #68853, #65137 (Buffered crypto stream data breaks IO polling in stream_select() contexts).
      • Fixed bug #69197 (openssl_pkcs7_sign handles default value incorrectly).
      • Fixed bug #69215 (Crypto servers should send client CA list).
      • Add a check for RAND_egd to allow compiling against LibreSSL.
    • Phar:
      • Fixed bug #64343 (PharData::extractTo fails for tarball created by BSD tar).
      • Fixed bug #64931 (phar_add_file is too restrictive on filename).
      • Fixed bug #65467 (Call to undefined method cli_arg_typ_string).
      • Fixed bug #67761 (Phar::mapPhar fails for Phars inside a path containing ".tar").
      • Fixed bug #69324 (Buffer Over-read in unserialize when parsing Phar). (CVE-2015-2783, CVE-2015-3307)
      • Fixed bug #69441 (Buffer Overflow when parsing tar/zip/phar in phar_set_inode). (CVE-2015-3329)
    • Postgres:
      • Fixed bug #68741 (Null pointer dereference). (CVE-2015-1352)
    • SOAP:
      • Fixed bug #69152 (Type Confusion Infoleak Vulnerability in unserialize() with SoapFault). (CVE-2015-4599)
      • Fixed bug #69293 (NEW segfault when using SoapClient::__setSoapHeader (bisected, regression)).
    • SPL:
      • Fixed bug #69227 (Use after free in zval_scan caused by spl_object_storage_get_gc).
    • Sqlite3:
      • Fixed bug #68760 (SQLITE segfaults if custom collator throws an exception).
      • Fixed bug #69287 (Upgrade bundled libsqlite to 3.8.8.3).
      • Fixed bug #66550 (SQLite prepared statement use-after-free).

    Version 5.5.24

    • Apache2handler:
      • Fixed bug #69218 (potential remote code execution with apache 2.4 apache2handler). (CVE-2015-3330)
    • Core:
      • Fixed bug #66609 (php crashes with __get() and ++ operator in some cases).
      • Fixed bug #67626 (User exceptions not properly handled in streams).
      • Fixed bug #68021 (get_browser() browser_name_regex returns non-utf-8 characters).
      • Fixed bug #68917 (parse_url fails on some partial urls).
      • Fixed bug #69134 (Per Directory Values overrides PHP_INI_SYSTEM configuration options).
      • Additional fix for bug #69152 (Type confusion vulnerability in exception::getTraceAsString).
      • Fixed bug #69212 (Leaking VIA_HANDLER func when exception thrown in __call/... arg passing).
      • Fixed bug #69221 (Segmentation fault when using a generator in combination with an Iterator).
      • Fixed bug #69337 (php_stream_url_wrap_http_ex() type-confusion vulnerability).
      • Fixed bug #69353 (Missing null byte checks for paths in various PHP extensions). (CVE-2015-3411, CVE-2015-3412)
    • cURL:
      • Implemented FR #69278 (HTTP2 support).
      • Fixed bug #68739 (Missing break / control flow).
      • Fixed bug #69316 (Use-after-free in php_curl related to CURLOPT_FILE/_INFILE/_WRITEHEADER).
    • Date:
      • Export date_get_immutable_ce so that it can be used by extensions.
      • Fixed bug #69336 (Issues with "last day of <monthname>").
    • Enchant:
      • Fixed bug #65406 (Enchant broker plugins are in the wrong place in windows builds).
    • Ereg:
      • Fixed bug #68740 (NULL Pointer Dereference).
    • Fileinfo:
      • Fixed bug #68819 (Fileinfo on specific file causes spurious OOM and/or segfault). (CVE-2015-4604, CVE-2015-4605)
    • Filter:
      • Fixed bug #69202 (FILTER_FLAG_STRIP_BACKTICK ignored unless other flags are used).
      • Fixed bug #69203 (FILTER_FLAG_STRIP_HIGH doesn't strip ASCII 127).
    • Mbstring:
      • Fixed bug #68846 (False detection of CJK Unified Ideographs Extension E).
    • ODBC:
      • Fixed bug #69354 (Incorrect use of SQLColAttributes with ODBC 3.0).
    • OPCache:
      • Fixed bug #69281 (opcache_is_script_cached no longer works).
      • Fixed bug #68677 (Use After Free). (CVE-2015-1351)
    • OpenSSL:
      • Fixed bug #67403 (Add signatureType to openssl_x509_parse).
      • Add a check for RAND_egd to allow compiling against LibreSSL.
    • Phar:
      • Fixed bug #64343 (PharData::extractTo fails for tarball created by BSD tar).
      • Fixed bug #64931 (phar_add_file is too restrictive on filename).
      • Fixed bug #65467 (Call to undefined method cli_arg_typ_string).
      • Fixed bug #67761 (Phar::mapPhar fails for Phars inside a path containing ".tar").
      • Fixed bug #69324 (Buffer Over-read in unserialize when parsing Phar). (CVE-2015-2783, CVE-2015-3307)
      • Fixed bug #69441 (Buffer Overflow when parsing tar/zip/phar in phar_set_inode). (CVE-2015-3329)
    • Postgres:
      • Fixed bug #68741 (Null pointer dereference). (CVE-2015-1352)
    • SOAP:
      • Fixed bug #69152 (Type Confusion Infoleak Vulnerability in unserialize() with SoapFault). (CVE-2015-4599)
      • Fixed bug #69293 (NEW segfault when using SoapClient::__setSoapHeader (bisected, regression)).
    • SPL:
      • Fixed bug #69227 (Use after free in zval_scan caused by spl_object_storage_get_gc).
    • SQLITE:
      • Fixed bug #68760 (SQLITE segfaults if custom collator throws an exception).
      • Fixed bug #69287 (Upgrade bundled sqlite to 3.8.8.3).
      • Fixed bug #66550 (SQLite prepared statement use-after-free).

    Version 5.4.40

    • Apache2handler:
      • Fixed bug #69218 (potential remote code execution with apache 2.4 apache2handler). (CVE-2015-3330)
    • Core:
      • Additional fix for bug #69152 (Type confusion vulnerability in exception::getTraceAsString).
      • Fixed bug #69337 (php_stream_url_wrap_http_ex() type-confusion vulnerability).
      • Fixed bug #69353 (Missing null byte checks for paths in various PHP extensions). (CVE-2015-3411, CVE-2015-3412)
    • cURL:
      • Fixed bug #69316 (Use-after-free in php_curl related to CURLOPT_FILE/_INFILE/_WRITEHEADER).
    • Ereg:
      • Fixed bug #68740 (NULL Pointer Dereference).
    • Fileinfo:
      • Fixed bug #68819 (Fileinfo on specific file causes spurious OOM and/or segfault). (CVE-2015-4604, CVE-2015-4605)
    • GD:
      • Fixed bug #68601 (buffer read overflow in gd_gif_in.c). (CVE-2014-9709)
    • Phar:
      • Fixed bug #68901 (use after free). (CVE-2015-2301)
      • Fixed bug #69324 (Buffer Over-read in unserialize when parsing Phar). (CVE-2015-2783, CVE-2015-3307)
      • Fixed bug #69441 (Buffer Overflow when parsing tar/zip/phar in phar_set_inode). (CVE-2015-3329)
    • Postgres:
      • Fixed bug #68741 (Null pointer dereference). (CVE-2015-1352)
    • SOAP:
      • Fixed bug #69152 (Type Confusion Infoleak Vulnerability in unserialize() with SoapFault). (CVE-2015-4599)
      • Fixed bug #69293 (NEW segfault when using SoapClient::__setSoapHeader (bisected, regression)).
    • Sqlite3:
      • Fixed bug #66550 (SQLite prepared statement use-after-free).

    Version 5.6.7

    • Core:
      • Fixed bug #69174 (leaks when unused inner class use traits precedence).
      • Fixed bug #69139 (Crash in gc_zval_possible_root on unserialize).
      • Fixed bug #69121 (Segfault in get_current_user when script owner is not in passwd with ZTS build).
      • Fixed bug #65593 (Segfault when calling ob_start from output buffering callback).
      • Fixed bug #68986 (pointer returned by php_stream_fopen_temporary_file not validated in memory.c).
      • Fixed bug #68166 (Exception with invalid character causes segv).
      • Fixed bug #69141 (Missing arguments in reflection info for some builtin functions).
      • Fixed bug #68976 (Use After Free Vulnerability in unserialize()). (CVE-2015-2787)
      • Fixed bug #69134 (Per Directory Values overrides PHP_INI_SYSTEM configuration options).
      • Fixed bug #69207 (move_uploaded_file allows nulls in path). (CVE-2015-2348)
    • CGI:
      • Fixed bug #69015 (php-cgi's getopt does not see $argv).
    • CLI:
      • Fixed bug #67741 (auto_prepend_file messes up __LINE__).
    • cURL:
      • Fixed bug #69088 (PHP_MINIT_FUNCTION does not fully initialize cURL on Win32).
      • Add CURLPROXY_SOCKS4A and CURLPROXY_SOCKS5_HOSTNAME constants if supported by libcurl.
    • Ereg:
      • Fixed bug #69248 (heap overflow vulnerability in regcomp.c). (CVE-2015-2305)
    • FPM:
      • Fixed bug #68822 (request time is reset too early).
    • ODBC:
      • Fixed bug #68964 (Allowed memory size exhausted with odbc_exec).
    • Opcache:
      • Fixed bug #69159 (Opcache causes problem when passing a variable variable to a function).
      • Fixed bug #69125 (Array numeric string as key).
      • Fixed bug #69038 (switch(SOMECONSTANT) misbehaves).
    • OpenSSL:
      • Fixed bug #68912 (Segmentation fault at openssl_spki_new).
      • Fixed bug #61285, #68329, #68046, #41631 (encrypted streams don't observe socket timeouts).
      • Fixed bug #68920 (use strict peer_fingerprint input checks). (Daniel Lowrey)
      • Fixed bug #68879 (IP Address fields in subjectAltNames not used). (Daniel Lowrey)
      • Fixed bug #68265 (SAN match fails with trailing DNS dot). (Daniel Lowrey)
      • Fixed bug #67403 (Add signatureType to openssl_x509_parse). (Daniel Lowrey)
      • Fixed bug #69195 (Inconsistent stream crypto values across versions). (Daniel Lowrey)
    • pgsql:
      • Fixed bug #68638 (pg_update() fails to store infinite values).
    • Readline:
      • Fixed bug #69054 (Null dereference in readline_(read|write)_history() without parameters).
    • SOAP:
      • Fixed bug #69085 (SoapClient's __call() type confusion through unserialize()). (CVE-2015-4147, CVE-2015-4148)
    • SPL:
      • Fixed bug #69108 ("Segmentation fault" when (de)serializing SplObjectStorage).
      • Fixed bug #68557 (RecursiveDirectoryIterator::seek(0) broken after calling getChildren()).
    • ZIP:
      • Fixed bug #69253 (ZIP Integer Overflow leads to writing past heap boundary). (CVE-2015-2331)

    Version 5.5.23

    • Core:
      • Fixed bug #69174 (leaks when unused inner class use traits precedence).
      • Fixed bug #69139 (Crash in gc_zval_possible_root on unserialize).
      • Fixed bug #69121 (Segfault in get_current_user when script owner is not in passwd with ZTS build).
      • Fixed bug #65593 (Segfault when calling ob_start from output buffering callback).
      • Fixed bug #69017 (Fail to push to the empty array with the constant value defined in class scope).
      • Fixed bug #68986 (pointer returned by php_stream_fopen_temporary_file not validated in memory.c).
      • Fixed bug #68166 (Exception with invalid character causes segv).
      • Fixed bug #69141 (Missing arguments in reflection info for some builtin functions).
      • Fixed bug #68976 (Use After Free Vulnerability in unserialize()). (CVE-2015-2787)
      • Fixed bug #69134 (Per Directory Values overrides PHP_INI_SYSTEM configuration options).
      • Fixed bug #69207 (move_uploaded_file allows nulls in path). (CVE-2015-2348)
    • CGI:
      • Fixed bug #69015 (php-cgi's getopt does not see $argv).
    • CLI:
      • Fixed bug #67741 (auto_prepend_file messes up __LINE__).
    • cURL:
      • Fixed bug #69088 (PHP_MINIT_FUNCTION does not fully initialize cURL on Win32).
      • Add CURLPROXY_SOCKS4A and CURLPROXY_SOCKS5_HOSTNAME constants if supported by libcurl.
    • Ereg:
      • Fixed bug #69248 (heap overflow vulnerability in regcomp.c). (CVE-2015-2305)
    • FPM:
      • Fixed bug #68822 (request time is reset too early).
    • JSON:
      • Fixed bug #64695 (JSON_NUMERIC_CHECK has issues with strings that are numbers plus the letter e).
    • ODBC:
      • Fixed bug #68964 (Allowed memory size exhausted with odbc_exec).
    • Opcache:
      • Fixed bug #69125 (Array numeric string as key).
      • Fixed bug #69038 (switch(SOMECONSTANT) misbehaves).
    • OpenSSL:
    • pgsql:
      • Fixed bug #68638 (pg_update() fails to store infinite values).
    • Readline:
      • Fixed bug #69054 (Null dereference in readline_(read|write)_history() without parameters).
    • SOAP:
      • Fixed bug #69085 (SoapClient's __call() type confusion through unserialize()). (CVE-2015-4147, CVE-2015-4148)
    • SPL:
      • Fixed bug #69108 ("Segmentation fault" when (de)serializing SplObjectStorage).
      • Fixed bug #68557 (RecursiveDirectoryIterator::seek(0) broken after calling getChildren()).
    • ZIP:
      • Fixed bug #69253 (ZIP Integer Overflow leads to writing past heap boundary). (CVE-2015-2331)

    Version 5.4.39

    • Core:
      • Fixed bug #68976 (Use After Free Vulnerability in unserialize()). (CVE-2015-2787)
      • Fixed bug #69134 (Per Directory Values overrides PHP_INI_SYSTEM configuration options).
      • Fixed bug #69207 (move_uploaded_file allows nulls in path). (CVE-2015-2348)
    • Ereg:
      • Fixed bug #69248 (heap overflow vulnerability in regcomp.c). (CVE-2015-2305)
    • SOAP:
      • Fixed bug #69085 (SoapClient's __call() type confusion through unserialize()). (CVE-2015-4147, CVE-2015-4148)
    • ZIP:
      • Fixed bug #69253 (ZIP Integer Overflow leads to writing past heap boundary). (CVE-2015-2331)

    Version 5.6.6

    • Core:
      • Removed support for multi-line headers, as they are deprecated by RFC 7230.
      • Fixed bug #67068 (getClosure returns something that's not a closure).
      • Fixed bug #68942 (Use after free vulnerability in unserialize() with DateTimeZone). (CVE-2015-0273)
      • Fixed bug #68925 (Mitigation for CVE-2015-0235 – GHOST: glibc gethostbyname buffer overflow).
      • Fixed bug #67988 (htmlspecialchars() does not respect default_charset specified by ini_set).
      • Added NULL byte protection to exec, system and passthru.
    • Dba:
      • Fixed bug #68711 (useless comparisons).
    • Enchant:
      • Fixed bug #68552 (heap buffer overflow in enchant_broker_request_dict()). (CVE-2014-9705)
    • Fileinfo:
      • Fixed bug #68827 (Double free with disabled ZMM).
      • Fixed bug #67647 (Bundled libmagic 5.17 does not detect quicktime files correctly).
      • Fixed bug #68731 (finfo_buffer doesn't extract the correct mime with some gifs).
    • FPM:
      • Fixed bug #66479 (Wrong response to FCGI_GET_VALUES).
      • Fixed bug #68571 (core dump when webserver close the socket).
    • JSON:
      • Fixed bug #50224 (json_encode() does not always encode a float as a float) by adding JSON_PRESERVE_ZERO_FRACTION.
    • LIBXML:
      • Fixed bug #64938 (libxml_disable_entity_loader setting is shared between threads). (CVE-2015-8866)
    • Mysqli:
      • Fixed bug #68114 (linker error on some OS X machines with fixed width decimal support).
      • Fixed bug #68657 (Reading 4 byte floats with Mysqli and libmysqlclient has rounding errors).
    • Opcache:
      • Fixed bug with try blocks being removed when extended_info opcode generation is turned on.
    • PDO_mysql:
      • Fixed bug #68750 (PDOMysql with mysqlnd does not allow the usage of named pipes).
    • Phar:
      • Fixed bug #68901 (use after free). (CVE-2015-2301)
    • Pgsql:
      • Fixed bug #65199 (pg_copy_from() modifies input array variable).
    • Session:
      • Fixed bug #68941 (mod_files.sh is a bash-script).
      • Fixed bug #66623 (no EINTR check on flock).
      • Fixed bug #68063 (Empty session IDs do still start sessions).
    • Sqlite3:
      • Fixed bug #68260 (SQLite3Result::fetchArray declares wrong required_num_args).
    • Standard:
      • Fixed bug #65272 (flock() out parameter not set correctly in windows).
      • Fixed bug #69033 (Request may get env. variables from previous requests if PHP works as FastCGI).
    • Streams:
      • Fixed bug which caused call after final close on streams filter.

    Version 5.5.22

    • Core:
      • Fixed bug #67068 (getClosure returns something that's not a closure).
      • Fixed bug #68925 (Mitigation for CVE-2015-0235 – GHOST: glibc gethostbyname buffer overflow).
      • Fixed bug #68942 (Use after free vulnerability in unserialize() with DateTimeZone). (CVE-2015-0273)
      • Added NULL byte protection to exec, system and passthru.
      • Removed support for multi-line headers, as they are deprecated by RFC 7230.
    • Date:
      • Fixed bug #45081 (strtotime incorrectly interprets SGT time zone).
    • Dba:
      • Fixed bug #68711 (useless comparisons).
    • Enchant:
      • Fixed bug #68552 (heap buffer overflow in enchant_broker_request_dict()). (CVE-2014-9705)
    • Fileinfo:
      • Fixed bug #68827 (Double free with disabled ZMM).
    • FPM:
      • Fixed bug #66479 (Wrong response to FCGI_GET_VALUES).
      • Fixed bug #68571 (core dump when webserver close the socket).
    • Libxml:
      • Fixed bug #64938 (libxml_disable_entity_loader setting is shared between threads). (CVE-2015-8866)
    • PDO_mysql:
      • Fixed bug #68750 (PDOMysql with mysqlnd does not allow the usage of named pipes).
    • Phar:
      • Fixed bug #68901 (use after free). (CVE-2015-2301)
    • Pgsql:
      • Fixed bug #65199 (pg_copy_from() modifies input array variable).
    • Sqlite3:
      • Fixed bug #68260 (SQLite3Result::fetchArray declares wrong required_num_args).
    • Mysqli:
      • Fixed bug #68114 (linker error on some OS X machines with fixed width decimal support).
      • Fixed bug #68657 (Reading 4 byte floats with Mysqli and libmysqlclient has rounding errors).
    • Session:
      • Fixed bug #68941 (mod_files.sh is a bash-script).
      • Fixed bug #66623 (no EINTR check on flock).
      • Fixed bug #68063 (Empty session IDs do still start sessions).
    • Standard:
      • Fixed bug #65272 (flock() out parameter not set correctly in windows).
      • Fixed bug #69033 (Request may get env. variables from previous requests if PHP works as FastCGI).
    • Streams:
      • Fixed bug which caused call after final close on streams filter.

    Version 5.4.38

    • Core:
      • Removed support for multi-line headers, as they are deprecated by RFC 7230.
      • Added NULL byte protection to exec, system and passthru.
      • Fixed bug #68925 (Mitigation for CVE-2015-0235 – GHOST: glibc gethostbyname buffer overflow).
      • Fixed bug #67827 (broken detection of system crypt sha256/sha512 support).
      • Fixed bug #68942 (Use after free vulnerability in unserialize() with DateTimeZone). (CVE-2015-0273)
    • Enchant:
      • Fixed bug #68552 (heap buffer overflow in enchant_broker_request_dict()). (CVE-2014-9705)
    • SOAP:
      • Fixed bug #67427 (SoapServer cannot handle large messages).

    Version 5.6.5

    • Core:
      • Upgraded crypt_blowfish to version 1.3.
      • Fixed bug #60704 (unlink() bug with some files path).
      • Fixed bug #65419 (Inside trait, self::class != __CLASS__).
      • Fixed bug #68536 (pack for 64bits integer is broken on bigendian).
      • Fixed bug #55541 (errors spawn MessageBox, which blocks test automation).
      • Fixed bug #68297 (Application Popup provides too few information).
      • Fixed bug #65769 (localeconv() broken in TS builds).
      • Fixed bug #65230 (setting locale randomly broken).
      • Fixed bug #66764 (configure doesn't define EXPANDED_DATADIR / PHP_DATADIR correctly).
      • Fixed bug #68583 (Crash in timeout thread).
      • Fixed bug #65576 (Constructor from trait conflicts with inherited constructor).
      • Fixed bug #68676 (Explicit Double Free). (CVE-2014-9425)
      • Fixed bug #68710 (Use After Free Vulnerability in PHP's unserialize()). (CVE-2015-0231)
    • CGI:
      • Fixed bug #68618 (out of bounds read crashes php-cgi). (CVE-2014-9427)
    • CLI server:
      • Fixed bug #68745 (Invalid HTTP requests make web server segfault).
    • cURL:
      • Fixed bug #67643 (curl_multi_getcontent returns '' when CURLOPT_RETURNTRANSFER isn't set).
    • Date:
      • Implemented FR #68268 (DatePeriod: Getter for start date, end date and interval).
    • EXIF:
      • Fixed bug #68799 (Free called on uninitialized pointer). (CVE-2015-0232)
    • Fileinfo:
      • Fixed bug #68398 (msooxml matches too many archives).
      • Fixed bug #68665 (invalid free in libmagic).
      • Fixed bug #68671 (incorrect expression in libmagic).
      • Removed readelf.c and related code from libmagic sources.
      • Fixed bug #68735 (fileinfo out-of-bounds memory access). (CVE-2014-9652)
    • FPM:
      • Implemented FR #68526 (Implement POSIX Access Control List for UDS).
      • Fixed bug #68751 (listen.allowed_clients is broken).
    • GD:
      • Fixed bug #68601 (buffer read overflow in gd_gif_in.c). (CVE-2014-9709)
      • Implemented FR #68656 (Report gd library version).
    • mbstring:
      • Fixed bug #68504 (--with-libmbfl configure option not present on Windows).
    • Opcache:
      • Fixed bug #68644 (strlen incorrect : mbstring + func_overload=2 +UTF-8 + Opcache).
      • Fixed bug #67111 (Memory leak when using "continue 2" inside two foreach loops).
    • OpenSSL:
      • Improved handling of OPENSSL_KEYTYPE_EC keys.
    • pcntl:
      • Fixed bug #60509 (pcntl_signal doesn't decrease ref-count of old handler when setting SIG_DFL).
    • PCRE:
      • Fixed bug #66679 (Alignment Bug in PCRE 8.34 upstream).
    • pgsql:
      • Fixed bug #68697 (lo_export return -1 on failure).
    • PDO:
      • Fixed bug #68371 (PDO#getAttribute() cannot be called with platform-specific attribute names).
    • PDO_mysql:
      • Fixed bug #68424 (Add new PDO mysql connection attr to control multi statements option).
    • SPL:
      • Fixed bug #66405 (RecursiveDirectoryIterator::CURRENT_AS_PATHNAME breaks the RecursiveIterator).
      • Fixed bug #68479 (Added escape parameter to SplFileObject::fputcsv).
    • SQLite:
      • Fixed bug #68120 (Update bundled libsqlite to 3.8.7.2).
    • Streams:
      • Fixed bug #68532 (convert.base64-encode omits padding bytes).

    Version 5.5.21

    • Core:
      • Upgraded crypt_blowfish to version 1.3.
      • Fixed bug #60704 (unlink() bug with some files path).
      • Fixed bug #65419 (Inside trait, self::class != __CLASS__).
      • Fixed bug #65576 (Constructor from trait conflicts with inherited constructor).
      • Fixed bug #55541 (errors spawn MessageBox, which blocks test automation).
      • Fixed bug #68297 (Application Popup provides too few information).
      • Fixed bug #65769 (localeconv() broken in TS builds).
      • Fixed bug #65230 (setting locale randomly broken).
      • Fixed bug #66764 (configure doesn't define EXPANDED_DATADIR / PHP_DATADIR correctly).
      • Fixed bug #68583 (Crash in timeout thread).
      • Fixed bug #68676 (Explicit Double Free). (CVE-2014-9425)
      • Fixed bug #68710 (Use After Free Vulnerability in PHP's unserialize()). (CVE-2015-0231)
    • CGI:
      • Fixed bug #68618 (out of bounds read crashes php-cgi). (CVE-2014-9427)
    • CLI server:
      • Fixed bug #68745 (Invalid HTTP requests make web server segfault).
    • cURL:
      • Fixed bug #67643 (curl_multi_getcontent returns '' when CURLOPT_RETURNTRANSFER isn't set).
    • EXIF:
      • Fixed bug #68799 (Free called on uninitialized pointer). (CVE-2015-0232)
    • Fileinfo:
      • Fixed bug #68671 (incorrect expression in libmagic).
      • Fixed bug #68735 (fileinfo out-of-bounds memory access). (CVE-2014-9652)
      • Removed readelf.c and related code from libmagic sources.
    • FPM:
      • Fixed bug #68751 (listen.allowed_clients is broken).
    • GD:
      • Fixed bug #68601 (buffer read overflow in gd_gif_in.c). (CVE-2014-9709)
    • Mbstring:
      • Fixed bug #68504 (--with-libmbfl configure option not present on Windows).
    • Mcrypt:
      • Fixed possible read after end of buffer and use after free.
    • Opcache:
      • Fixed bug #67111 (Memory leak when using "continue 2" inside two foreach loops).
    • OpenSSL:
      • Fixed bug #55618 (use case-insensitive cert name matching).
    • Pcntl:
      • Fixed bug #60509 (pcntl_signal doesn't decrease ref-count of old handler when setting SIG_DFL).
    • PCRE:
      • Fixed bug #66679 (Alignment Bug in PCRE 8.34 upstream).
    • pgsql:
      • Fixed bug #68697 (lo_export return -1 on failure).
    • PDO:
      • Fixed bug #68371 (PDO#getAttribute() cannot be called with platform-specific attribute names).
    • PDO_mysql:
      • Fixed bug #68424 (Add new PDO mysql connection attr to control multi statements option).
    • SPL:
      • Fixed bug #66405 (RecursiveDirectoryIterator::CURRENT_AS_PATHNAME breaks the RecursiveIterator).
      • Fixed bug #65213 (cannot cast SplFileInfo to boolean).
      • Fixed bug #68479 (Added escape parameter to SplFileObject::fputcsv).
    • SQLite:
      • Fixed bug #68120 (Update bundled libsqlite to 3.8.7.2).
    • Streams:
      • Fixed bug #68532 (convert.base64-encode omits padding bytes).

    Version 5.4.37

    • Core:
      • Fixed bug #68710 (Use After Free Vulnerability in PHP's unserialize()). (CVE-2015-0231)
    • CGI:
      • Fixed bug #68618 (out of bounds read crashes php-cgi). (CVE-2014-9427)
    • EXIF:
      • Fixed bug #68799 (Free called on uninitialized pointer). (CVE-2015-0232)
    • Fileinfo:
      • Removed readelf.c and related code from libmagic sources.
      • Fixed bug #68735 (fileinfo out-of-bounds memory access). (CVE-2014-9652)
    • OpenSSL:
      • Fixed bug #55618 (use case-insensitive cert name matching).

    Version 5.6.4

    • Core:
      • Fixed bug #68091 (Some Zend headers lack appropriate extern "C" blocks).
      • Fixed bug #68104 (Segfault while pre-evaluating a disabled function).
      • Fixed bug #68185 ("Inconsistent insteadof definition."- incorrectly triggered).
      • Fixed bug #68355 (Inconsistency in example php.ini comments).
      • Fixed bug #68370 ("unset($this)" can make the program crash).
      • Fixed bug #68422 (Incorrect argument reflection info for array_multisort()).
      • Fixed bug #68545 (NULL pointer dereference in unserialize.c).
      • Fixed bug #68446 (Array constant not accepted for array parameter default).
      • Fixed bug #68594 (Use after free vulnerability in unserialize()). (CVE-2014-8142)
    • Date:
      • Fixed day_of_week function as it could sometimes return negative values internally.
    • FPM:
      • Fixed bug #68381 (fpm_unix_init_main ignores log_level).
      • Fixed bug #68420 (listen=9000 listens to ipv6 localhost instead of all addresses).
      • Fixed bug #68421 (access.format='%R' doesn't log ipv6 address).
      • Fixed bug #68423 (PHP-FPM will no longer load all pools).
      • Fixed bug #68428 (listen.allowed_clients is IPv4 only).
      • Fixed bug #68452 (php-fpm man page is outdated).
      • Implemented FR #68458 (Change pm.start_servers default warning to notice).
      • Fixed bug #68463 (listen.allowed_clients can silently result in no allowed access).
      • Implemented FR #68391 (php-fpm conf files loading order).
      • Fixed bug #68478 (access.log don't use prefix).
    • Mcrypt:
      • Fixed possible read after end of buffer and use after free.
    • GMP:
      • Fixed bug #68419 (build error with gmp 4.1).
    • PDO_pgsql:
      • Fixed bug #67462 (PDO_PGSQL::beginTransaction() wrongly throws exception when not in transaction).
      • Fixed bug #68351 (PDO::PARAM_BOOL and ATTR_EMULATE_PREPARES misbehaving).
    • Session:
      • Fixed bug #68331 (Session custom storage callable functions not being called).
    • SOAP:
      • Fixed bug #68361 (Segmentation fault on SoapClient::__getTypes).
    • zlib:
      • Fixed bug #53829 (Compiling PHP with large file support will replace function gzopen by gzopen64).

    Version 5.5.20

    • Core:
      • Fixed bug #68091 (Some Zend headers lack appropriate extern "C" blocks).
      • Fixed bug #68185 ("Inconsistent insteadof definition."- incorrectly triggered).
      • Fixed bug #68370 ("unset($this)" can make the program crash).
      • Fixed bug #68545 (NULL pointer dereference in unserialize.c).
      • Fixed bug #68594 (Use after free vulnerability in unserialize()). (CVE-2014-8142)
    • Date:
      • Fixed day_of_week function as it could sometimes return negative values internally.
    • FPM:
      • Fixed bug #68381 (fpm_unix_init_main ignores log_level).
      • Fixed bug #68420 (listen=9000 listens to ipv6 localhost instead of all addresses).
      • Fixed bug #68421 (access.format='%R' doesn't log ipv6 address).
      • Fixed bug #68423 (PHP-FPM will no longer load all pools).
      • Fixed bug #68428 (listen.allowed_clients is IPv4 only).
      • Fixed bug #68452 (php-fpm man page is outdated).
      • Fixed bug #68458 (Change pm.start_servers default warning to notice).
      • Fixed bug #68463 (listen.allowed_clients can silently result in no allowed access).
      • Fixed bug #68391 (php-fpm conf files loading order).
      • Fixed bug #68478 (access.log don't use prefix).
    • Mcrypt:
      • Fixed possible read after end of buffer and use after free.
    • PDO_pgsql:
      • Fixed bug #66584 (Segmentation fault on statement deallocation).
      • Fixed bug #67462 (PDO_PGSQL::beginTransaction() wrongly throws exception when not in transaction).
      • Fixed bug #68351 (PDO::PARAM_BOOL and ATTR_EMULATE_PREPARES misbehaving).
    • SOAP:
      • Fixed bug #68361 (Segmentation fault on SoapClient::__getTypes).
    • zlib:
      • Fixed bug #53829 (Compiling PHP with large file support will replace function gzopen by gzopen64).

    Version 5.4.36

    • Core:
      • Upgraded crypt_blowfish to version 1.3.
      • Fixed bug #68545 (NULL pointer dereference in unserialize.c).
      • Fixed bug #68594 (Use after free vulnerability in unserialize()). (CVE-2014-8142)
    • Mcrypt:
      • Fixed possible read after end of buffer and use after free.

    Version 5.6.3

    • Core:
      • Implemented 64-bit format codes for pack() and unpack().
      • Fixed bug #51800 (proc_open on Windows hangs forever).
      • Fixed bug #67633 (A foreach on an array returned from a function not doing copy-on-write).
      • Fixed bug #67739 (Windows 8.1/Server 2012 R2 OS build number reported as 6.2 (instead of 6.3)).
      • Fixed bug #67949 (DOMNodeList elements should be accessible through array notation).
      • Fixed bug #68095 (AddressSanitizer reports a heap buffer overflow in php_getopt()).
      • Fixed bug #68118 ($a->foo .= 'test'; can leave $a->foo undefined).
      • Fixed bug #68129 (parse_url() - incomplete support for empty usernames and passwords).
      • Fixed bug #68365 (zend_mm_heap corrupted after memory overflow in zend_hash_copy).
    • CURL:
      • Add CURL_SSLVERSION_TLSv1_0, CURL_SSLVERSION_TLSv1_1, and CURL_SSLVERSION_TLSv1_2 constants if supported by libcurl.
    • Fileinfo:
      • Fixed bug #66242 (libmagic: don't assume char is signed).
      • Fixed bug #68224 (buffer-overflow in libmagic/readcdf.c caught by AddressSanitizer).
      • Fixed bug #68283 (fileinfo: out-of-bounds read in elf note headers). (CVE-2014-3710)
    • FPM:
      • Fixed bug #65641 (PHP-FPM incorrectly defines the SCRIPT_NAME variable when using Apache, mod_proxy-fcgi and ProxyPass).
      • Implemented FR #55508 (listen and listen.allowed_clients should take IPv6 addresses).
    • GD:
      • Fixed bug #65171 (imagescale() fails without height param).
    • GMP:
      • Implemented gmp_random_range() and gmp_random_bits().
      • Fixed bug #63595 (GMP memory management conflicts with other libraries using GMP).
    • Mysqli:
      • Fixed bug #68114 (linker error on some OS X machines with fixed width decimal support).
    • ODBC:
      • Fixed bug #68087 (ODBC not correctly reading DATE column when preceded by a VARCHAR column).
    • OpenSSL:
      • Fixed bug #68074 (Allow to use system cipher list instead of hardcoded value).
    • PDO_pgsql:
      • Fixed bug #68199 (PDO::pgsqlGetNotify doesn't support NOTIFY payloads).
      • Fixed bug #66584 (Segmentation fault on statement deallocation).
    • Reflection:
      • Fixed bug #68103 (Duplicate entry in Reflection for class alias).
    • SPL:
      • Fixed bug #68128 (Regression in RecursiveRegexIterator).

    Version 5.5.19

    • Core:
      • Fixed bug #68095 (AddressSanitizer reports a heap buffer overflow in php_getopt()).
      • Fixed bug #68118 ($a->foo .= 'test'; can leave $a->foo undefined).
      • Fixed bug #68129 (parse_url() - incomplete support for empty usernames and passwords).
      • Fixed bug #68365 (zend_mm_heap corrupted after memory overflow in zend_hash_copy).
    • cURL:
      • Add CURL_SSLVERSION_TLSv1_0, CURL_SSLVERSION_TLSv1_1, and CURL_SSLVERSION_TLSv1_2 constants if supported by libcurl.
    • Fileinfo:
      • Fixed bug #66242 (libmagic: don't assume char is signed).
      • Fixed bug #68283 (fileinfo: out-of-bounds read in elf note headers). (CVE-2014-3710)
    • FPM:
      • Implemented FR #55508 (listen and listen.allowed_clients should take IPv6 addresses).
    • GD:
      • Fixed bug #65171 (imagescale() fails without height param).
    • GMP:
      • Fixed bug #63595 (GMP memory management conflicts with other libraries using GMP).
    • Mysqli:
      • Fixed bug #68114 (linker error on some OS X machines with fixed width decimal support).
    • ODBC:
      • Fixed bug #68087 (ODBC not correctly reading DATE column when preceded by a VARCHAR column).
    • SPL:
      • Fixed bug #68128 (Regression in RecursiveRegexIterator).

    Version 5.4.35

    • Core:
      • Fixed bug #68365 (zend_mm_heap corrupted after memory overflow in zend_hash_copy).
    • Fileinfo:
      • Fixed bug #68283 (fileinfo: out-of-bounds read in elf note headers). (CVE-2014-3710)
    • GMP:
      • Fixed bug #63595 (GMP memory management conflicts with other libraries using GMP).
    • PDO_pgsql:
      • Fixed bug #66584 (Segmentation fault on statement deallocation).

    Version 5.6.2

    • Core:
      • Fixed bug #68044 (Integer overflow in unserialize() (32-bits only)). (CVE-2014-3669)
    • cURL:
      • Fixed bug #68089 (NULL byte injection - cURL lib).
    • EXIF:
      • Fixed bug #68113 (Heap corruption in exif_thumbnail()). (CVE-2014-3670)
    • XMLRPC:
      • Fixed bug #68027 (Global buffer overflow in mkgmtime() function). (CVE-2014-3668)

    Version 5.5.18

    • Core:
      • Fixed bug #67985 (Incorrect last used array index copied to new array after unset).
      • Fixed bug #67739 (Windows 8.1/Server 2012 R2 OS build number reported as 6.2 (instead of 6.3)).
      • Fixed bug #67633 (A foreach on an array returned from a function not doing copy-on-write).
      • Fixed bug #51800 (proc_open on Windows hangs forever).
      • Fixed bug #68044 (Integer overflow in unserialize() (32-bits only)). (CVE-2014-3669)
    • cURL:
      • Fixed bug #68089 (NULL byte injection - cURL lib).
    • Exif:
      • Fixed bug #68113 (Heap corruption in exif_thumbnail()). (CVE-2014-3670)
    • FPM:
      • Fixed bug #65641 (PHP-FPM incorrectly defines the SCRIPT_NAME variable when using Apache, mod_proxy-fcgi and ProxyPass).
    • OpenSSL:
      • Revert regression introduced by fix of bug #41631.
    • Reflection:
      • Fixed bug #68103 (Duplicate entry in Reflection for class alias).
    • Session:
      • Fixed bug #67972 (SessionHandler Invalid memory read create_sid()).
    • XMLRPC:
      • Fixed bug #68027 (Global buffer overflow in mkgmtime() function). (CVE-2014-3668)

    Version 5.4.34

    • Fileinfo:
      • Fixed bug #66242 (libmagic: don't assume char is signed).
    • Core:
      • Fixed bug #67985 (Incorrect last used array index copied to new array after unset).
      • Fixed bug #68044 (Integer overflow in unserialize() (32-bits only)). (CVE-2014-3669)
    • cURL:
      • Fixed bug #68089 (NULL byte injection - cURL lib).
    • EXIF:
      • Fixed bug #68113 (Heap corruption in exif_thumbnail()). (CVE-2014-3670)
    • OpenSSL:
      • Reverted fixes for bug #41631, due to regressions.
    • XMLRPC:
      • Fixed bug #68027 (Global buffer overflow in mkgmtime() function). (CVE-2014-3668)

    Version 5.6.1

    • Core:
      • Implemented FR #38409 (parse_ini_file() loses the type of booleans).
      • Fixed bug #65463 (SIGSEGV during zend_shutdown()).
      • Fixed bug #66036 (Crash on SIGTERM in apache process).
      • Fixed bug #67878 (program_prefix not honoured in man pages).
      • Fixed bug #67938 (Segfault when extending interface method with variadic).
      • Fixed bug #67985 (Incorrect last used array index copied to new array after unset).
      • Fixed bug #68088 (New Posthandler Potential Illegal efree() vulnerability). (CVE-2014-3622)
    • DOM:
      • Made DOMNode::textContent writeable.
    • Fileinfo:
      • Fixed bug #67731 (finfo::file() returns invalid mime type for binary files).
    • GD:
      • Made fontFetch's path parser thread-safe.
    • GMP:
      • Fixed bug #67917 (Using GMP objects with overloaded operators can cause memory exhaustion).
      • Fixed bug #50175 (gmp_init() results 0 on given base and number starting with 0x or 0b).
      • Implemented gmp_import() and gmp_export().
    • MySQLi:
      • Fixed bug #67839 (mysqli does not handle 4-byte floats correctly).
    • OpenSSL:
      • Fixed bug #67850 (extension won't build if openssl compiled without SSLv3).
    • phpdbg:
      • Fixed issue #111 (compile error without ZEND_SIGNALS).
    • SOAP:
      • Fixed bug #67955 (SoapClient prepends 0-byte to cookie names).
    • Session:
      • Fixed bug #67972 (SessionHandler Invalid memory read create_sid()).
    • Sysvsem:
      • Implemented FR #67990 (Add optional nowait argument to sem_acquire).

    Version 5.5.17

    • Core:
      • Fixed bug #47358 (glob returns error, should be empty array()).
      • Fixed bug #65463 (SIGSEGV during zend_shutdown()).
      • Fixed bug #66036 (Crash on SIGTERM in apache process).
      • Fixed bug #67878 (program_prefix not honoured in man pages).
    • COM:
      • Fixed bug #41577 (DOTNET is successful once per server run).
    • Date:
      • Fixed bug #66091 (memory leaks in DateTime constructor).
      • Fixed bug #66985 (Some timezones are no longer valid in PHP 5.5.10).
      • Fixed bug #67109 (First uppercase letter breaks date string parsing).
    • FPM:
      • Fixed bug #67606 (FPM with mod_fastcgi/apache2.4 is broken).
    • GD:
      • Made fontFetch's path parser thread-safe.
    • MySQLi:
      • Fixed bug #67839 (mysqli does not handle 4-byte floats correctly).
    • OpenSSL:
      • Fixed bug #41631 (socket timeouts not honored in blocking SSL reads).
      • Fixed bug #67850 (extension won't build if openssl compiled without SSLv3).
    • SPL:
      • Fixed bug #67813 (CachingIterator::__construct InvalidArgumentException wrong message).
    • Zlib:
      • Fixed bug #67724 (chained zlib filters silently fail with large amounts of data).
      • Fixed bug #67865 (internal corruption phar error).

    Version 5.4.33

    • Core:
      • Fixed bug #47358 (glob returns error, should be empty array()).
      • Fixed bug #65463 (SIGSEGV during zend_shutdown()).
      • Fixed bug #66036 (Crash on SIGTERM in apache process).
    • OpenSSL:
      • Fixed bug #41631 (socket timeouts not honored in blocking SSL reads).
    • Date:
      • Fixed bug #66091 (memory leaks in DateTime constructor).
    • FPM:
      • Fixed bug #67606 (FPM with mod_fastcgi/apache2.4 is broken).
    • GD:
      • Made fontFetch's path parser thread-safe.
    • Wddx:
      • Fixed bug #67873 (Segfaults in php_wddx_serialize_var).
    • Zlib:
      • Fixed bug #67724 (chained zlib filters silently fail with large amounts of data).
      • Fixed bug #67865 (internal corruption phar error).

    Version 5.6.0

    • General improvements:
      • Added constant scalar expressions syntax.
      • Added dedicated syntax for variadic functions.
      • Added support for argument unpacking to complement the variadic syntax.
      • Added an exponentiation operator (**).
      • Added phpdbg SAPI.
      • Added unified default encoding.
      • The php://input stream is now re-usable and can be used concurrently with enable_post_data_reading=0.
      • Added use function and use const.
      • Added a function for timing attack safe string comparison.
      • Added the __debugInfo() magic method to allow userland classes to implement the get_debug_info API previously available only to extensions.
      • Added gost-crypto (CryptoPro S-box) hash algorithm.
      • Stream wrappers verify peer certificates and host names by default in encrypted client streams.
      • Uploads equal to or greater than 2GB in size are now accepted.
    • Core:
      • Fixed bug #67693 (incorrect push to the empty array).
      • Removed inconsistency regarding behaviour of array in constants at run-time.
      • Fixed bug #67497 (eval with parse error causes segmentation fault in generator).
      • Fixed bug #67151 (strtr with empty array crashes).
      • Fixed bug #67407 (Windows 8.1/Server 2012 R2 reported as Windows 8/Server 2012).
      • Fixed bug #66608 (Incorrect behavior with nested "finally" blocks).
      • Implemented FR #34407 (ucwords and Title Case).
      • Fixed bug #67091 (make install fails to install libphp5.so on FreeBSD 10.0).
      • Fixed bug #67368 (Memory leak with immediately dereferenced array in class constant).
      • Fixed bug #67468 (Segfault in highlight_file()/highlight_string()).
      • Fixed bug #67498 (phpinfo() Type Confusion Information Leak Vulnerability). (CVE-2014-4721)
      • Fixed bug #67551 (php://input temp file will be located in sys_temp_dir instead of upload_tmp_dir).
      • Fixed bug #67169 (array_splice all elements, then []= gives wrong index).
      • Fixed bug #67198 (php://input regression).
      • Fixed bug #67247 (spl_fixedarray_resize integer overflow).
      • Fixed bug #67250 (iptcparse out-of-bounds read).
      • Fixed bug #67252 (convert_uudecode out-of-bounds read).
      • Fixed bug #67249 (printf out-of-bounds read).
      • Implemented FR #64744 (Differentiate between member function call on a null and non-null, non-objects).
      • Fixed bug #67436 (Autoloader isn't called if two method definitions don't match).
      • Fixed bug #66622 (Closures do not correctly capture the late bound class (static::) in some cases).
      • Fixed bug #67390 (insecure temporary file use in the configure script). (CVE-2014-3981)
      • Fixed bug #67392 (dtrace breaks argument unpack).
      • Fixed bug #67428 (header('Location: foo') will override a 308-399 response code).
      • Fixed bug #67433 (SIGSEGV when using count() on an object implementing Countable).
      • Fixed bug #67399 (putenv with empty variable may lead to crash).
      • Expose get_debug_info class hook as __debugInfo() magic method.
      • Implemented unified default encoding (RFC: https://wiki.php.net/rfc/default_encoding).
      • Added T_POW (**) operator (RFC: https://wiki.php.net/rfc/pow-operator).
      • Improved IS_VAR operands fetching.
      • Improved empty string handling. Now ZE uses an interned string instead of allocating a new empty string each time.
      • Implemented internal operator overloading (RFC: https://wiki.php.net/rfc/operator_overloading_gmp).
      • Made calls from incompatible context issue an E_DEPRECATED warning instead of E_STRICT (phase 1 of RFC: https://wiki.php.net/rfc/incompat_ctx).
      • Uploads equal to or greater than 2GB in size are now accepted.
      • Reduced POST data memory usage by 200-300%. Changed INI setting always_populate_raw_post_data to throw a deprecation warning when enabling and to accept -1 for never populating the $HTTP_RAW_POST_DATA global variable, which will be the default in future PHP versions.
      • Implemented dedicated syntax for variadic functions (RFC: https://wiki.php.net/rfc/variadics).
      • Fixed bug #50333 (Improving multi-threaded scalability by using emalloc/efree/estrdup). (Anatol, Dmitry)
      • Implemented constant scalar expressions (with support for constants) (RFC: https://wiki.php.net/rfc/const_scalar_exprs).
      • Fixed bug #65784 (Segfault with finally).
      • Fixed bug #66509 (copy() arginfo has changed starting from 5.4).
      • Allow zero length comparison in substr_compare() (Tjerk)
      • Fixed bug #60602 (proc_open() changes environment array) (Tjerk)
      • Fixed bug #61019 (Out of memory on command stream_get_contents).
      • Fixed bug #64330 (stream_socket_server() creates wrong Abstract Namespace UNIX sockets).
      • Fixed bug #66182 (exit in stream filter produces segfault).
      • Fixed bug #66736 (fpassthru broken).
      • Fixed bug #66822 (Cannot use T_POW in const expression) (Tjerk)
      • Fixed bug #67043 (substr_compare broke by previous change) (Tjerk)
      • Fixed bug #65701 (copy() doesn't work when destination filename is created by tempnam()).
      • Fixed bug #66015 (Unexpected array indexing in class's static property).
      • Added (constant) string/array dereferencing to static scalar expressions to complete the set; now possible thanks to #66015 being fixed.
      • Fixed bug #66568 (Update reflection information for unserialize() function).
      • Fixed bug #66660 (Composer.phar install/update fails).
      • Fixed bug #67024 (getimagesize should recognize BMP files with negative height).
      • Fixed bug #67064 (Countable interface prevents using 2nd parameter ($mode) of count() function).
      • Fixed bug #67072 (Echoing unserialized "SplFileObject" crash).
      • Fixed bug #67033 (Remove reference to Windows 95).
    • Apache2 Handler SAPI:
      • Fixed Apache log issue caused by APR's lack of support for %zu (APR issue https://issues.apache.org/bugzilla/show_bug.cgi?id=56120).
    • CLI server:
      • Added some MIME types to the CLI web server.
      • Fixed bug #67079 (Missing MIME types for XML/XSL files).
      • Fixed bug #66830 (Empty header causes PHP built-in web server to hang).
      • Fixed bug #67594 (Unable to access to apache_request_headers() elements).
      • Implemented FR #67429 (CLI server is missing some new HTTP response codes).
      • Fixed bug #67406 (built-in web-server segfaults on startup).
    • COM:
      • Fixed bug #41577 (DOTNET is successful once per server run) (Aidas Kasparas)
      • Fixed missing type checks in com_event_sink (Yussuf Khalil, Stas).
      • Fixed bug #66431 (Special Character via COM Interface (CP_UTF8)).
    • Curl:
      • Implemented FR #65646 (re-enable CURLOPT_FOLLOWLOCATION with open_basedir or safe_mode).
      • Check for openssl.cafile ini directive when loading CA certs.
      • Remove cURL close policy related constants as these have no effect and are no longer used in libcurl.
      • Fixed bug #66109 (Can't reset CURLOPT_CUSTOMREQUEST to default behaviour) (Tjerk)
      • Fix compilation on libcurl versions between 7.10.5 and 7.12.2, inclusive.
      • Fixed bug #64247 (CURLOPT_INFILE doesn't allow reset).
      • Fixed bug #66562 (curl_exec returns differently than curl_multi_getcontent).
    • Date:
      • Fixed bug #66060 (Heap buffer over-read in DateInterval). (CVE-2013-6712)
      • Fixed bug #66091 (memory leaks in DateTime constructor) (Tjerk).
      • Fixed bug #67308 (Serialize of DateTime truncates fractions of second).
      • Fixed regression in fix for #67118 (constructor can't be called twice).
      • Fixed bug #67251 (date_parse_from_format out-of-bounds read).
      • Fixed bug #67253 (timelib_meridian_with_check out-of-bounds read).
      • Added DateTimeImmutable::createFromMutable to create a DateTimeImmutable object from an existing DateTime (mutable) object (Derick)
      • Fixed bug #66721 (__wakeup of DateTime segfaults when invalid object data is supplied).
      • Fixed bug #67118 (DateTime constructor crash with invalid data).
    • DOM:
      • Fixed bug #67081 (DOMDocumentType->internalSubset returns entire DOCTYPE tag, not only the subset).
    • Embed:
      • Fixed bug #65715 (php5embed.lib isn't provided anymore). (Anatol).
    • Fileinfo:
      • Fixed bug #67716 (Segfault in cdf.c). (CVE-2014-3587)
      • Fixed bug #67705 (extensive backtracking in rule regular expression). (CVE-2014-3538)
      • Fixed bug #67327 (fileinfo: CDF infinite loop in nelements DoS). (CVE-2014-0238)
      • Fixed bug #67328 (fileinfo: numerous file_printf calls resulting in performance degradation). (CVE-2014-0237)
      • Fixed bug #67326 (fileinfo: cdf_read_short_sector insufficient boundary check). (CVE-2014-0207)
      • Fixed bug #67329 (fileinfo: NULL pointer dereference flaw by processing certain CDF files). (CVE-2014-0236)
      • Fixed bug #67410 (fileinfo: mconvert incorrect handling of truncated pascal string size). (CVE-2014-3478)
      • Fixed bug #67411 (fileinfo: cdf_check_stream_offset insufficient boundary check). (CVE-2014-3479)
      • Fixed bug #67412 (fileinfo: cdf_count_chain insufficient boundary check). (CVE-2014-3480)
      • Fixed bug #67413 (fileinfo: cdf_read_property_info insufficient boundary check). (CVE-2014-3487)
      • Upgraded to libmagic-5.17 (Anatol)
      • Fixed bug #66731 (file: infinite recursion). (CVE-2014-1943)
      • Fixed bug #66820 (out-of-bounds memory access in fileinfo). (CVE-2014-2270)
      • Fixed bug #66946 (fileinfo: extensive backtracking in awk rule regular expression). (CVE-2013-7345)
      • Fixed bug #66987 (Memory corruption in fileinfo ext / bigendian).
      • Fixed bug #66907 (Solaris 10 is missing strcasestr and needs substitute).
      • Fixed bug #66307 (Fileinfo crashes with powerpoint files).
    • FPM:
      • Fixed bug #67606 (revised fix 67541, broke mod_fastcgi BC).
      • Fixed bug #67530 (error_log=syslog ignored).
      • Fixed bug #67635 (php links to systemd libraries without using pkg-config).
      • Fixed bug #67531 (syslog cannot be set in pool configuration).
      • Fixed bug #67541 (Fix Apache 2.4.10+ SetHandler proxy:fcgi:// incompatibilities).
      • Included apparmor support in fpm (RFC: https://wiki.php.net/rfc/fpm_change_hat).
      • Added clear_env configuration directive to disable clearenv() call.
      • Fixed bug #66482 (unknown entry 'priority' in php-fpm.conf).
      • Fixed bug #66908 (php-fpm reload leaks epoll_create() file descriptor).
      • Fixed bug #67060 (sapi/fpm: possible privilege escalation due to insecure default configuration). (CVE-2014-0185)
    • GD:
      • Fixed bug #67730 (Null byte injection possible with imagexxx functions). (CVE-2014-5120)
      • Fixed bug #66901 (php-gd 'c_color' NULL pointer dereference). (CVE-2014-2497)
      • Fixed bug #67248 (imageaffinematrixget missing check of parameters).
      • Fixed imagettftext to load the correct character map rather than the last one.
      • Fixed bug #66356 (Heap Overflow Vulnerability in imagecrop()). (CVE-2013-7226)
      • Fixed bug #66815 (imagecrop(): insufficient fix for NULL defer). (CVE-2013-7327)
      • Fixed bug #66869 (Invalid 2nd argument crashes imageaffinematrixget).
      • Fixed bug #66887 (imagescale - poor quality of scaled image).
      • Fixed bug #66890 (imagescale segfault).
      • Fixed bug #66893 (imagescale ignore method argument).
    • GMP:
      • Fixed bug #66872 (invalid argument crashes gmp_testbit) (Pierre)
      • Fixed crashes in serialize/unserialize.
      • Moved GMP to use object as the underlying structure and implemented various improvements based on this.
      • Added gmp_root() and gmp_rootrem() functions for calculating nth roots.
    • Hash:
      • Added gost-crypto (CryptoPro S-box) GOST hash algo.
      • Fixed bug #66698 (Missing FNV1a32 and FNV1a64 hash functions). (Michael M Slusarz).
      • Implemented timing attack safe string comparison function (RFC: https://wiki.php.net/rfc/timing_attack).
      • hash_pbkdf2() now works correctly if the $length argument is not specified.
    • Intl:
      • Fixed bug #66873 (A reproducible crash in UConverter when given invalid encoding) (Stas)
      • Fixed bug #66921 (Wrong argument type hint for function intltz_from_date_time_zone).
      • Fixed bug #67052 (NumberFormatter::parse() resets LC_NUMERIC setting).
      • Fixed bug #67349 (Locale::parseLocale Double Free).
      • Fixed bug #67397 (Buffer overflow in locale_get_display_name and uloc_getDisplayName (libicu 4.8.1)).
    • JSON:
      • Fixed case part of bug #64874 ("json_decode handles whitespace and case-sensitivity incorrectly")
      • Fixed bug #65753 (JsonSerializeable couldn't implement on module extension) (chobieeee@php.net)
      • Fixed bug #66021 (Blank line inside empty array/object when JSON_PRETTY_PRINT is set).
    • ldap:
      • Added new function ldap_modify_batch().
      • Fixed issue with null bytes in LDAP bindings.
    • litespeed:
      • Fixed bug #63228 (-Werror=format-security error in lsapi code).
    • Mail:
      • Fixed bug #66535 (Don't add newline after X-PHP-Originating-Script) (Tjerk)
    • Mcrypt:
      • No longer allow invalid key sizes, invalid IV sizes or missing required IV in mcrypt_encrypt, mcrypt_decrypt and the deprecated mode functions.
      • Use /dev/urandom as the default source for mcrypt_create_iv().
    • Mbstring:
      • Upgraded to oniguruma 5.9.5 (Anatol)
      • Fixed bug #67199 (mb_regex_encoding mismatch).
    • Milter:
      • Fixed bug #67715 (php-milter does not build and crashes randomly).
    • mysqli:
      • Added new function mysqli_get_links_stats() as well as new INI variable mysqli.rollback_on_cached_plink of type bool (Andrey)
      • Fixed bug #66762 (Segfault in mysqli_stmt::bind_result() when link closed) (Remi)
      • Fixed building against an external libmysqlclient.
    • mysqlnd:
      • Disabled flag for SP OUT variables for 5.5+ servers as they are not natively supported by the overlying APIs.
      • Added a new fetching mode to mysqlnd.
      • Added support for gb18030 from MySQL 5.7.
    • Network:
      • Fixed bug #67717 (segfault in dns_get_record). (CVE-2014-3597)
      • Fixed bug #67432 (Fix potential segfault in dns_get_record()). (CVE-2014-4049)
    • OCI8:
      • Fixed bug #66875 (Improve performance of multi-row OCI_RETURN_LOB queries) (Perrier, Chris Jones)
    • ODBC:
      • Fixed bug #60616 (odbc_fetch_into returns junk at end of multi-byte char fields).
    • OpenSSL:
      • Fixed missing type checks in OpenSSL options (Yussuf Khalil, Stas).
      • Fixed bug #67609 (TLS connections fail behind HTTP proxy).
      • Fixed broken build against OpenSSL older than 0.9.8 where ECDH unavailable.
      • Fixed bug #67666 (Subject altNames doesn't support wildcard matching).
      • Fixed bug #67224 (Fall back to crypto_type from context if not specified explicitly in stream_socket_enable_crypto).
      • Fixed bug #65698 (certificates validity parsing does not work past 2050).
      • Fixed bug #66636 (openssl_x509_parse warning with V_ASN1_GENERALIZEDTIME).
      • Peer certificates now verified by default in client socket operations (RFC: https://wiki.php.net/rfc/tls-peer-verification).
      • New openssl.cafile and openssl.capath ini directives.
      • Added crypto_method option for the ssl stream context.
      • Added certificate fingerprint support.
      • Added explicit TLSv1.1 and TLSv1.2 stream transports.
      • Fixed bug #65729 (CN_match gives false positive).
      • Peer name verification matches SAN DNS names for certs using the Subject Alternative Name x509 extension.
      • Fixed segfault when built against OpenSSL>=1.0.1 (Daniel Lowrey)
      • Added SPKAC support.
      • Fall back to Windows CA cert store for peer verification if no openssl.cafile ini directive or "cafile" SSL context option specified in Windows.
      • The openssl.cafile and openssl.capath ini directives introduced in alpha2 now have PHP_INI_PERDIR accessibility (was PHP_INI_ALL).
      • New "peer_name" SSL context option replaces "CN_match" (which still works as before but triggers E_DEPRECATED).
      • Fixed segfault when accessing non-existent context for client SNI use (Daniel Lowrey)
      • Fixed bug #66501 (Add EC key support to php_openssl_is_private_key).
      • Fixed bug #47030 (add new boolean "verify_peer_name" SSL context option allowing clients to verify cert names separately from the cert itself). "verify_peer_name" is enabled by default for client streams.
      • Fixed bug #65538 ("cafile" SSL context option now supports stream wrappers).
      • New openssl_get_cert_locations() function to aid CA file and peer verification debugging.
      • Encrypted stream wrappers now disable TLS compression by default.
      • New "capture_session_meta" SSL context option allows encrypted client and server streams access to negotiated protocol/cipher information.
      • New "honor_cipher_order" SSL context option allows servers to prioritize cipher suites of their choosing when negotiating SSL/TLS handshakes.
      • New "single_ecdh_use" and "single_dh_use" SSL context options allow for improved forward secrecy in encrypted stream servers.
      • New "dh_param" SSL context option allows stream servers control over the parameters when negotiating DHE cipher suites.
      • New "ecdh_curve" SSL context option allowing stream servers to specify the curve to use when negotiating ephemeral ECDHE ciphers (defaults to NIST P-256).
      • New "rsa_key_size" SSL context option gives stream servers control over the key size (in bits) used for RSA key agreements.
      • Crypto methods for encrypted client and server streams now use bitwise flags for fine-grained protocol support.
      • Added new tlsv1.0 stream wrapper to specify TLSv1 client/server method. tls wrapper now negotiates TLSv1, TLSv1.1 or TLSv1.2.
      • Encrypted client streams now enable SNI by default.
      • Encrypted streams now prioritize ephemeral key agreement and high strength ciphers by default.
      • New OPENSSL_DEFAULT_STREAM_CIPHERS constant exposes default cipher list.
      • New STREAM_CRYPTO_METHOD_* constants for enhanced control over the crypto methods negotiated in encrypted server/client sessions.
      • Encrypted stream servers now automatically mitigate a potential DoS vector arising from client-initiated TLS renegotiation. New "reneg_limit", "reneg_window" and "reneg_limit_callback" SSL context options for custom renegotiation limiting control.
      • Fixed memory leak in windows cert verification on verify failure.
      • Peer certificate capturing via SSL context options now functions even if peer verification fails.
      • Encrypted TLS servers now support the server name indication TLS extension via the new "SNI_server_certs" SSL context option.
      • Fixed bug #66833 (Default digest algo is still MD5, switch to SHA1).
      • Fixed bug #66942 (memory leak in openssl_seal()).
      • Fixed bug #66952 (memory leak in openssl_open()).
      • Fixed bug #66840 (Fix broken build when extension built separately).
    • OPcache:
      • Added an optimization of class constants and constant calls to some internal functions (Laruence, Dmitry)
      • Added an optimization pass to convert FCALL_BY_NAME into DO_FCALL.
      • Added an optimization pass to merge identical constants (and related cache_slots) in op_array->literals table.
      • Added script level constant replacement optimization pass.
      • Added function opcache_is_script_cached().
      • Added information about interned strings usage.
      • Fixed bug #67215 (php-cgi work with opcache, may be segmentation fault happen) (Dmitry, Laruence)
    • PCRE:
      • Fixed bug #67238 (Ungreedy and min/max quantifier bug, applied patch from the upstream).
      • Upgraded to PCRE 8.34.
      • Added support for (*MARK) backtracking verbs.
    • pgsql:
      • Fixed bug #67550 (Error in code "form" instead of "from", pgsql.c, line 756), which affected builds against libpq < 7.3.
      • pg_insert()/pg_select()/pg_update()/pg_delete() are no longer EXPERIMENTAL.
      • Implemented FR #25854 (Return value for pg_insert should be resource instead of bool).
      • Implemented FR #41146 (Add "description" with extended flag pg_meta_data(). pg_meta_data(resource $conn, string $table [, bool extended]) It also made pg_meta_data() return "is enum" always).
      • Read-only access to the socket stream underlying database connections is exposed via a new pg_socket() function to allow read/write polling when establishing asynchronous connections and executing queries in non-blocking applications.
      • Asynchronous connections are now possible using the PGSQL_CONNECT_ASYNC flag in conjunction with a new pg_connect_poll() function and connection polling status constants.
      • New pg_flush() and pg_consume_input() functions added to manually complete non-blocking reads/writes to underlying connection sockets.
      • pg_version() returns full report which is obtained by PQparameterStatus().
      • Added pg_lo_truncate().
      • Added 64bit large object support for PostgreSQL 9.3 and later.
      • Fixed bug #67555 (Cannot build against libpq 7.3).
    • phpdbg:
      • Fixed bug #67575 (Compilation fails for phpdbg when the build directory != src directory).
      • Fixed bug #67499 (readline feature not enabled when build with libedit).
      • Fixed issue #94 (List behavior is inconsistent).
      • Fixed issue #97 (The prompt should always ensure it is on a newline).
      • Fixed issue #98 (break if does not seem to work).
      • Fixed issue #99 (register function has the same behavior as run).
      • Fixed issue #100 (No way to list the current stack/frames) (Help entry was missing).
      • Fixed bug which caused phpdbg to fail immediately on startup in non-debug builds.
      • Fixed bug #67212 (phpdbg uses non-standard TIOCGWINSZ).
      • Included phpdbg sapi (RFC: https://wiki.php.net/rfc/phpdbg).
      • Added watchpoints (watch command).
      • Renamed some commands (next => continue and how to step).
      • Fixed issue #85 (Added stdin/stdout/stderr constants and their php:// wrappers).
    • PDO:
      • Fixed bug #66604 ('pdo/php_pdo_error.h' not copied to the include dir).
    • PDO-ODBC:
      • Fixed bug #50444 (PDO-ODBC changes for 64-bit).
    • PDO_pgsql:
      • Fixed bug #42614 (PDO_pgsql: add pg_get_notify support).
      • Fixed bug #63657 (pgsqlCopyFromFile, pgsqlCopyToArray use Postgres < 7.3 syntax).
      • Cleaned up code by increasing the requirements to libpq versions providing PQexecParams, PQprepare, PQescapeStringConn, PQescapeByteaConn. According to the release notes that means 8.0.8+ or 8.1.4+.
      • Deprecated PDO::PGSQL_ATTR_DISABLE_NATIVE_PREPARED_STATEMENT, an undocumented constant effectively equivalent to PDO::ATTR_EMULATE_PREPARES.
      • Added PDO::PGSQL_ATTR_DISABLE_PREPARES constant to execute the queries without preparing them, while still passing parameters separately from the command text using PQexecParams.
    • PDO_firebird:
      • Fixed bug #66071 (memory corruption in error handling) (Popa)
    • Phar:
      • Fixed bug #64498 ($phar->buildFromDirectory can't compress file with an accent in its name).
      • Fixed bug #67587 (Redirection loop on nginx with FPM).
    • readline:
      • Fixed bug #55496 (Interactive mode doesn't force a newline before the prompt).
      • Fixed bug #67496 (Save command history when exiting interactive shell with control-c).
    • Reflection:
      • Implemented FR #67713 (loosen the restrictions on ReflectionClass::newInstanceWithoutConstructor()).
    • Session:
      • Fixed bug #67694 (Regression in session_regenerate_id()).
      • Fixed missing type checks in php_session_create_id (Yussuf Khalil, Stas).
      • Fixed bug #66827 (Session raises E_NOTICE when session name variable is array).
      • Fixed bug #65315 (session.hash_function silently fallback to default md5) (Yasuo)
      • Implemented FR #17860 (Session write short circuit).
      • Implemented FR #20421 (session_abort() and session_reset() function).
      • Remove session_gc() and session_serializer_name() which were introduced in the first 5.6.0 alpha.
    • SimpleXML:
      • Fixed bug #66084 (simplexml_load_string() mangles empty node name) (Anatol)
    • SQLite:
      • Updated the bundled libsqlite to the version 3.8.3.1 (Anatol)
      • Fixed bug #66967 (Updated bundled libsqlite to 3.8.4.3).
    • SOAP:
      • Implemented FR #49898 (Add SoapClient::__getCookies()).
    • SPL:
      • Revert fix for #67064 (BC issues).
      • Fixed bug #67539 (ArrayIterator use-after-free due to object change during sorting). (CVE-2014-4698)
      • Fixed bug #67538 (SPL Iterators use-after-free). (CVE-2014-4670)
      • Fixed bug #67492 (unserialize() SPL ArrayObject / SPLObjectStorage Type Confusion). (CVE-2014-3515)
      • Fixed bug #67359 (Segfault in recursiveDirectoryIterator).
      • Fixed bug #66127 (Segmentation fault with ArrayObject unset).
      • Implemented FR #67453 (Allow to unserialize empty data).
      • Fixed bug #66834 (empty() does not work on classes that extend ArrayObject) (Tjerk)
      • Fixed bug #66702 (RegexIterator::INVERT_MATCH does not invert).
    • Standard:
      • Implemented FR #65634 (HTTP wrapper is very slow with protocol_version 1.1).
      • Implemented Change crypt() behavior w/o salt RFC. (Yasuo) https://wiki.php.net/rfc/crypt_function_salt
      • Implemented FR #49824 (Change array_fill() to allow creating empty array).
    • Streams:
      • Fixed bug #67430 (http:// wrapper doesn't follow 308 redirects).
    • Tokenizer:
      • Fixed bug #67395 (token_name() does not return name for T_POW and T_POW_EQUAL token).
    • XMLReader:
      • Fixed bug #55285 (XMLReader::getAttribute/No/Ns methods inconsistency).
    • XSL:
      • Fixed bug #53965 (<xsl:include> cannot find files with relative paths when loaded with "file://").
    • Zip:
      • update libzip to version 0.11.2. PHP doesn't use any libzip private symbol anymore.
      • new method ZipArchive::setPassword($password).
      • add --with-libzip option to build with system libzip.
      • new methods: ZipArchive::setExternalAttributesName($name, $opsys, $attr [, $flags]); ZipArchive::setExternalAttributesIndex($idx, $opsys, $attr [, $flags]); ZipArchive::getExternalAttributesName($name, &$opsys, &$attr [, $flags]); ZipArchive::getExternalAttributesIndex($idx, &$opsys, &$attr [, $flags]).
    • Zlib:
      • Fixed bug #67865 (internal corruption phar error). (Mike)
      • Fixed bug #67724 (chained zlib filters silently fail with large amounts of data).

    Version 5.5.16

    • COM:
      • Fixed missing type checks in com_event_sink.
    • Core:
      • Fixed bug #67693 (incorrect push to the empty array).
    • Fileinfo:
      • Fixed bug #67705 (extensive backtracking in rule regular expression). (CVE-2014-3538)
      • Fixed bug #67716 (Segfault in cdf.c). (CVE-2014-3587).
    • FPM:
      • Fixed bug #67635 (php links to systemd libraries without using pkg-config).
    • GD:
      • Fixed bug #66901 (php-gd 'c_color' NULL pointer dereference). (CVE-2014-2497)
      • Fixed bug #67730 (Null byte injection possible with imagexxx functions). (CVE-2014-5120).
    • Milter:
      • Fixed bug #67715 (php-milter does not build and crashes randomly).
    • Network:
      • Fixed bug #67717 (segfault in dns_get_record). (CVE-2014-3597).
    • OpenSSL:
      • Fixed missing type checks in OpenSSL options.
    • readline:
      • Fixed bug #55496 (Interactive mode doesn't force a newline before the prompt).
      • Fixed bug #67496 (Save command history when exiting interactive shell with control-c).
    • Sessions:
      • Fixed missing type checks in php_session_create_id.
    • ODBC:
      • Fixed bug #60616 (odbc_fetch_into returns junk data at end of multi-byte char fields).

    Version 5.4.32

    • Core:
      • Fixed bug #67717 (segfault in dns_get_record) (CVE-2014-3597).
      • Fixed bug #67693 (incorrect push to the empty array)
    • COM:
      • Fixed missing type checks in com_event_sink.
    • Fileinfo:
      • Fixed bug #67705 (extensive backtracking in rule regular expression). (CVE-2014-3538)
      • Fixed bug #67716 (Segfault in cdf.c) (CVE-2014-3587).
    • GD:
      • Fixed bug #66901 (php-gd 'c_color' NULL pointer dereference). (CVE-2014-2497)
      • Fixed bug #67730 (Null byte injection possible with imagexxx functions) (CVE-2014-5120).
    • Milter:
      • Fixed bug #67715 (php-milter does not build and crashes randomly).
    • OpenSSL:
      • Fixed missing type checks in OpenSSL options (Yussuf Khalil, Stas).
    • Readline:
      • Fixed bug #55496 (Interactive mode doesn't force a newline before the prompt).
      • Fixed bug #67496 (Save command history when exiting interactive shell with control-c).
    • Sessions:
      • Fixed missing type checks in php_session_create_id.
    • SPL:
      • Fixed bug #67539 (ArrayIterator use-after-free due to object change during sorting) (CVE-2014-4698).
      • Fixed bug #67538 (SPL Iterators use-after-free) (CVE-2014-4670).
    • ODBC:
      • Fixed bug #60616 (odbc_fetch_into returns junk data at end of multi-byte char fields).

    Version 5.3.29

    • Core:
      • Fixed bug #66127 (Segmentation fault with ArrayObject unset).
      • Fixed bug #67247 (spl_fixedarray_resize integer overflow).
      • Fixed bug #67249 (printf out-of-bounds read).
      • Fixed bug #67250 (iptcparse out-of-bounds read).
      • Fixed bug #67252 (convert_uudecode out-of-bounds read).
      • Fixed bug #67359 (Segfault in recursiveDirectoryIterator).
      • Fixed bug #67390 (insecure temporary file use in the configure script). (CVE-2014-3981)
      • Fixed bug #67399 (putenv with empty variable may lead to crash).
      • Fixed bug #67492 (unserialize() SPL ArrayObject / SPLObjectStorage Type Confusion) (CVE-2014-3515).
      • Fixed bug #67498 (phpinfo() Type Confusion Information Leak Vulnerability). (CVE-2014-4721)
    • COM:
      • Fixed missing type checks in com_event_sink.
    • Date:
      • Fixed bug #66060 (Heap buffer over-read in DateInterval). (CVE-2013-6712)
      • Fixed bug #67251 (date_parse_from_format out-of-bounds read).
      • Fixed bug #67253 (timelib_meridian_with_check out-of-bounds read).
    • Exif:
      • Fixed bug #65873 (Integer overflow in exif_read_data()).
    • Fileinfo:
      • Fixed bug #66307 (Fileinfo crashes with powerpoint files).
      • Fixed bug #67326 (fileinfo: cdf_read_short_sector insufficient boundary check). (CVE-2014-0207)
      • Fixed bug #67327 (fileinfo: CDF infinite loop in nelements DoS). (CVE-2014-0238)
      • Fixed bug #67328 (fileinfo: numerous file_printf calls resulting in performance degradation). (CVE-2014-0237)
      • Fixed bug #67410 (fileinfo: mconvert incorrect handling of truncated pascal string size) (CVE-2014-3478).
      • Fixed bug #67411 (fileinfo: cdf_check_stream_offset insufficient boundary check) (CVE-2014-3479).
      • Fixed bug #67412 (fileinfo: cdf_count_chain insufficient boundary check) (CVE-2014-3480).
      • Fixed bug #67413 (fileinfo: cdf_read_property_info insufficient boundary check) (CVE-2014-3487).
    • Intl:
      • Fixed bug #67349 (Locale::parseLocale Double Free).
      • Fixed bug #67397 (Buffer overflow in locale_get_display_name and uloc_getDisplayName (libicu 4.8.1)).
    • Network:
      • Fixed bug #67432 (Fix potential segfault in dns_get_record()). (CVE-2014-4049)
    • OpenSSL:
      • Fixed missing type checks in OpenSSL options.
    • Session:
      • Fixed missing type checks in php_session_create_id.

    Version 5.5.15

    • CLI server:
      • Fixed bug #67429 (CLI server is missing some new HTTP response codes).
      • Fixed bug #66830 (Empty header causes PHP built-in web server to hang).
    • Core:
      • Fixed bug #67428 (header('Location: foo') will override a 308-399 response code).
      • Fixed bug #67436 (Autoloader isn't called if two method definitions don't match).
      • Fixed bug #67091 (make install fails to install libphp5.so on FreeBSD 10.0).
      • Fixed bug #67497 (eval with parse error causes segmentation fault in generator).
      • Fixed bug #67151 (strtr with empty array crashes).
      • Fixed bug #67407 (Windows 8.1/Server 2012 R2 reported as Windows 8/Server 2012).
    • FPM:
      • Fixed bug #67530 (error_log=syslog ignored).
      • Fixed bug #67531 (syslog cannot be set in pool configuration).
    • Intl:
      • Fixed bug #66921 (Wrong argument type hint for function intltz_from_date_time_zone).
      • Fixed bug #67052 (NumberFormatter::parse() resets LC_NUMERIC setting).
    • OPCache:
      • Fixed bug #67215 (php-cgi work with opcache, may be segmentation fault happen).
    • pgsql:
      • Fixed bug #67550 (Error in code "form" instead of "from", pgsql.c, line 756), which affected builds against libpq < 7.3.
    • Phar:
      • Fixed bug #67587 (Redirection loop on nginx with FPM).
    • SPL:
      • Fixed bug #67539 (ArrayIterator use-after-free due to object change during sorting). (CVE-2014-4698)
      • Fixed bug #67538 (SPL Iterators use-after-free) (CVE-2014-4670).
    • Streams:
      • Fixed bug #67430 (http:// wrapper doesn't follow 308 redirects).

    Version 5.4.31

    • Core:
      • Fixed bug #67428 (header('Location: foo') will override a 308-399 response code).
      • Fixed bug #67436 (Autoloader isn't called if two method definitions don't match).
      • Fixed bug #67091 (make install fails to install libphp5.so on FreeBSD 10.0).
      • Fixed bug #67151 (strtr with empty array crashes).
      • Fixed bug #67407 (Windows 8.1/Server 2012 R2 reported as Windows 8/Server 2012).
    • CLI server:
      • Implemented FR #67429 (CLI server is missing some new HTTP response codes).
      • Fixed bug #66830 (Empty header causes PHP built-in web server to hang).
    • FPM:
      • Fixed bug #67530 (error_log=syslog ignored).
      • Fixed bug #67531 (syslog cannot be set in pool configuration).
    • Intl:
      • Fixed bug #67052 (NumberFormatter::parse() resets LC_NUMERIC setting).
    • pgsql:
      • Fixed bug #67550 (Error in code "form" instead of "from", pgsql.c, line 756), which affected builds against libpq < 7.3.
    • Phar:
      • Fixed bug #67587 (Redirection loop on nginx with FPM).
    • Streams:
      • Fixed bug #67430 (http:// wrapper doesn't follow 308 redirects).

    Version 5.5.14

    • CLI server:
      • Fixed bug #67406 (built-in web-server segfaults on startup).
    • Core:
      • Fixed bug #66622 (Closures do not correctly capture the late bound class (static::) in some cases).
      • Fixed bug #67390 (insecure temporary file use in the configure script). (CVE-2014-3981).
      • Fixed bug #67399 (putenv with empty variable may lead to crash).
      • Fixed bug #67498 (phpinfo() Type Confusion Information Leak Vulnerability). (CVE-2014-4721)
      • Fixed BC break introduced by patch for bug #67072.
    • Date:
      • Fixed bug #67308 (Serialize of DateTime truncates fractions of second).
      • Fixed regression in fix for bug #67118 (constructor can't be called twice).
    • Fileinfo:
      • Fixed bug #67326 (cdf_read_short_sector insufficient boundary check). (CVE-2014-0207).
      • Fixed bug #67410 (mconvert incorrect handling of truncated pascal string size). (CVE-2014-3478).
      • Fixed bug #67411 (cdf_check_stream_offset insufficient boundary check). (CVE-2014-3479).
      • Fixed bug #67412 (cdf_count_chain insufficient boundary check). (CVE-2014-3480).
      • Fixed bug #67413 (cdf_read_property_info insufficient boundary check). (CVE-2014-3487).
    • Intl:
      • Fixed bug #67349 (Locale::parseLocale Double Free).
      • Fixed bug #67397 (Buffer overflow in locale_get_display_name and uloc_getDisplayName (libicu 4.8.1)).
    • Network:
      • Fixed bug #67432 (Fix potential segfault in dns_get_record()). (CVE-2014-4049).
    • OPCache:
      • Fixed issue #183 (TMP_VAR is not only used once).
    • OpenSSL:
      • Fixed bug #65698 (certificates validity parsing does not work past 2050).
      • Fixed bug #66636 (openssl_x509_parse warning with V_ASN1_GENERALIZEDTIME).
    • PDO-ODBC:
      • Fixed bug #50444 (PDO-ODBC changes for 64-bit).
    • SOAP:
      • Implemented FR #49898 (Add SoapClient::__getCookies()).
    • SPL:
      • Fixed bug #66127 (Segmentation fault with ArrayObject unset).
      • Fixed bug #67359 (Segfault in recursiveDirectoryIterator).
      • Fixed bug #67360 (Missing element after ArrayObject::getIterator).
      • Fixed bug #67492 (unserialize() SPL ArrayObject / SPLObjectStorage Type Confusion). (CVE-2014-3515).

    Version 5.4.30

    • Core:
      • Fixed BC break introduced by patch for bug #67072.
      • Fixed bug #66622 (Closures do not correctly capture the late bound class (static::) in some cases).
      • Fixed bug #67390 (insecure temporary file use in the configure script) (CVE-2014-3981).
      • Fixed bug #67399 (putenv with empty variable may lead to crash).
      • Fixed bug #67498 (phpinfo() Type Confusion Information Leak Vulnerability). (CVE-2014-4721)
    • CLI server:
      • Fixed bug #67406 (built-in web-server segfaults on startup).
    • Date:
      • Fixed bug #67308 (Serialize of DateTime truncates fractions of second).
      • Fixed regression in fix for bug #67118 (constructor can't be called twice).
    • Fileinfo:
      • Fixed bug #67326 (fileinfo: cdf_read_short_sector insufficient boundary check) (CVE-2014-0207).
      • Fixed bug #67410 (fileinfo: mconvert incorrect handling of truncated pascal string size) (CVE-2014-3478).
      • Fixed bug #67411 (fileinfo: cdf_check_stream_offset insufficient boundary check) (CVE-2014-3479).
      • Fixed bug #67412 (fileinfo: cdf_count_chain insufficient boundary check) (CVE-2014-3480).
      • Fixed bug #67413 (fileinfo: cdf_read_property_info insufficient boundary check) (CVE-2014-3487).
    • Intl:
      • Fixed bug #67349 (Locale::parseLocale Double Free).
      • Fixed bug #67397 (Buffer overflow in locale_get_display_name and uloc_getDisplayName (libicu 4.8.1)).
    • Network:
      • Fixed bug #67432 (Fix potential segfault in dns_get_record()) (CVE-2014-4049).
    • OpenSSL:
      • Fixed bug #65698 (certificates validity parsing does not work past 2050).
      • Fixed bug #66636 (openssl_x509_parse warning with V_ASN1_GENERALIZEDTIME).
    • SOAP:
      • Implemented FR #49898 (Add SoapClient::__getCookies()).
    • SPL:
      • Fixed bug #66127 (Segmentation fault with ArrayObject unset).
      • Fixed bug #67359 (Segfault in recursiveDirectoryIterator).
      • Fixed bug #67360 (Missing element after ArrayObject::getIterator).
      • Fixed bug #67492 (unserialize() SPL ArrayObject / SPLObjectStorage Type Confusion) (CVE-2014-3515).

    Version 5.5.13

    • CLI server:
      • Fixed bug #67079 (Missing MIME types for XML/XSL files).
    • COM:
      • Fixed bug #66431 (Special Character via COM Interface (CP_UTF8)).
    • Core:
      • Fixed bug #65701 (copy() doesn't work when destination filename is created by tempnam()).
      • Fixed bug #67072 (Echoing unserialized "SplFileObject" crash).
      • Fixed bug #67245 (usage of memcpy() with overlapping src and dst in zend_exceptions.c).
      • Fixed bug #67247 (spl_fixedarray_resize integer overflow).
      • Fixed bug #67249 (printf out-of-bounds read).
      • Fixed bug #67250 (iptcparse out-of-bounds read).
    • cURL:
      • Fixed bug #64247 (CURLOPT_INFILE doesn't allow reset).
    • Date:
      • Fixed bug #67118 (DateTime constructor crash with invalid data).
      • Fixed bug #67251 (date_parse_from_format out-of-bounds read).
      • Fixed bug #67253 (timelib_meridian_with_check out-of-bounds read).
    • DOM:
      • Fixed bug #67081 (DOMDocumentType->internalSubset returns entire DOCTYPE tag, not only the subset).
    • Fileinfo:
      • Fixed bug #66307 (Fileinfo crashes with powerpoint files).
      • Fixed bug #67327 (CDF infinite loop in nelements DoS) (CVE-2014-0238).
      • Fixed bug #67328 (numerous file_printf calls resulting in performance degradation) (CVE-2014-0237).
    • FPM:
      • Fixed bug #66908 (php-fpm reload leaks epoll_create() file descriptor).
    • GD:
      • Fixed bug #67248 (imageaffinematrixget missing check of parameters).
    • PCRE:
      • Fixed bug #67248 Ungreedy and min/max quantifier bug, applied patch from the upstream.
    • Phar:
      • Fixed bug #64498 ($phar->buildFromDirectory can't compress file with an accent in its name).

    Version 5.4.29

    • COM:
      • Fixed bug #66431 (Special Character via COM Interface (CP_UTF8)).
    • Core:
      • Fixed bug #65701 (copy() doesn't work when destination filename is created by tempnam()).
      • Fixed bug #67072 (Echoing unserialized "SplFileObject" crash).
      • Fixed bug #67245 (usage of memcpy() with overlapping src and dst in zend_exceptions.c).
      • Fixed bug #67247 (spl_fixedarray_resize integer overflow).
      • Fixed bug #67249 (printf out-of-bounds read).
      • Fixed bug #67250 (iptcparse out-of-bounds read).
      • Fixed bug #67252 (convert_uudecode out-of-bounds read). (Stas)
    • Fileinfo:
      • Fixed bug #66307 (Fileinfo crashes with powerpoint files).
      • Fixed bug #67327 (fileinfo: CDF infinite loop in nelements DoS). (CVE-2014-0238)
      • Fixed bug #67328 (fileinfo: numerous file_printf calls resulting in performance degradation). (CVE-2014-0237)
    • Date:
      • Fixed bug #67118 (DateTime constructor crash with invalid data).
      • Fixed bug #67251 (date_parse_from_format out-of-bounds read).
      • Fixed bug #67253 (timelib_meridian_with_check out-of-bounds read).
    • DOM:
      • Fixed bug #67081 (DOMDocumentType->internalSubset returns entire DOCTYPE tag, not only the subset).
    • FPM:
      • Fixed bug #66908 (php-fpm reload leaks epoll_create() file descriptor).
    • Phar:
      • Fixed bug #64498 ($phar->buildFromDirectory can't compress file with an accent in its name).

    Version 5.5.12

    • Core:
      • Fixed bug #61019 (Out of memory on command stream_get_contents).
      • Fixed bug #64330 (stream_socket_server() creates wrong Abstract Namespace UNIX sockets).
      • Fixed bug #66182 (exit in stream filter produces segfault).
      • Fixed bug #66736 (fpassthru broken).
      • Fixed bug #67024 (getimagesize should recognize BMP files with negative height).
      • Fixed bug #67043 (substr_compare broke by previous change).
    • cURL:
      • Fixed bug #66562 (curl_exec returns differently than curl_multi_getcontent).
    • Date:
      • Fixed bug #66721 (__wakeup of DateTime segfaults when invalid object data is supplied).
    • Embed:
      • Fixed bug #65715 (php5embed.lib isn't provided anymore).
    • Fileinfo:
      • Fixed bug #66987 (Memory corruption in fileinfo ext / bigendian).
    • FPM:
      • Fixed bug #66482 (unknown entry 'priority' in php-fpm.conf).
      • Fixed bug #67060 (possible privilege escalation due to insecure default configuration). (CVE-2014-0185).
    • Json:
      • Fixed bug #66021 (Blank line inside empty array/object when JSON_PRETTY_PRINT is set).
    • LDAP:
      • Fixed issue with null bytes in LDAP bindings.
    • mysqli:
      • Fixed problem in mysqli_commit()/mysqli_rollback() with second parameter (extra comma) and third parameters (lack of escaping).
    • Openssl:
      • Fixed bug #66942 (memory leak in openssl_seal()).
      • Fixed bug #66952 (memory leak in openssl_open()).
    • SimpleXML:
      • Fixed bug #66084 (simplexml_load_string() mangles empty node name).
    • SQLite:
      • Fixed bug #66967 (Updated bundled libsqlite to 3.8.4.3)
    • XSL:
      • Fixed bug #53965 (<xsl:include> cannot find files with relative paths when loaded with "file://")
    • Apache2 Handler SAPI:
      • Fixed Apache log issue caused by APR's lack of support for %zu (APR issue https://issues.apache.org/bugzilla/show_bug.cgi?id=56120)

    Version 5.4.28

    • Core:
      • Fixed bug #61019 (Out of memory on command stream_get_contents).
      • Fixed bug #64330 (stream_socket_server() creates wrong Abstract Namespace UNIX sockets).
      • Fixed bug #66171 (Symlinks and session handler allow open_basedir bypass).
      • Fixed bug #66182 (exit in stream filter produces segfault).
      • Fixed bug #66736 (fpassthru broken).
      • Fixed bug #67024 (getimagesize should recognize BMP files with negative height).
    • cURL:
      • Fixed bug #66562 (curl_exec returns differently than curl_multi_getcontent).
    • Date:
      • Fixed bug #66721 (__wakeup of DateTime segfaults when invalid object data is supplied).
    • Embed:
      • Fixed bug #65715 (php5embed.lib isn't provided anymore).
    • Fileinfo:
      • Fixed bug #66987 (Memory corruption in fileinfo ext / bigendian).
    • FPM:
      • Fixed bug #66482 (unknown entry 'priority' in php-fpm.conf).
      • Fixed bug #67060 (sapi/fpm: possible privilege escalation due to insecure default configuration) (CVE-2014-0185).
    • JSON:
      • Fixed bug #66021 (Blank line inside empty array/object when JSON_PRETTY_PRINT is set).
    • LDAP:
      • Fixed issue with null bytes in LDAP bindings.
    • OpenSSL:
      • Fixed bug #66942 (memory leak in openssl_seal()).
      • Fixed bug #66952 (memory leak in openssl_open()).
    • SimpleXML:
      • Fixed bug #66084 (simplexml_load_string() mangles empty node name) (Anatol)
    • XSL:
      • Fixed bug #53965 (<xsl:include> cannot find files with relative paths when loaded with "file://").
    • Apache2 Handler SAPI:
      • Fixed Apache log issue caused by APR's lack of support for %zu (APR issue 56120).

    Version 5.5.11

    • Core:
      • Fixed bug #60602 (proc_open() changes environment array).
      • Allow zero length comparison in substr_compare().
    • cURL:
      • Fixed bug #66109 (Can't reset CURLOPT_CUSTOMREQUEST to default behaviour).
      • Fix compilation on libcurl versions between 7.10.5 and 7.12.2, inclusive.
    • Fileinfo:
      • Fixed bug #66946 (fileinfo: extensive backtracking in awk rule regular expression). (CVE-2013-7345)
    • FPM:
      • Added clear_env configuration directive to disable clearenv() call.
    • GD:
      • Fixed bug #66714 (imageconvolution breakage).
      • Fixed bug #66869 (Invalid 2nd argument crashes imageaffinematrixget).
      • Fixed bug #66887 (imagescale - poor quality of scaled image).
      • Fixed bug #66890 (imagescale segfault).
      • Fixed bug #66893 (imagescale ignore method argument).
    • GMP:
      • Fixed bug #66872 (invalid argument crashes gmp_testbit).
    • Hash:
      • hash_pbkdf2() now works correctly if the $length argument is not specified.
    • Intl:
      • Fixed bug #66873 (A reproducible crash in UConverter when given invalid encoding).
    • Mail:
      • Fixed bug #66535 (Don't add newline after X-PHP-Originating-Script).
    • MySQLi:
      • Fixed bug #66762 (Segfault in mysqli_stmt::bind_result() when link closed).
    • OPCache:
      • Added function opcache_is_script_cached().
      • Added information about interned strings usage.
    • Openssl:
      • Fixed bug #66833 (Default digest algo is still MD5, switch to SHA1).
    • SQLite:
      • Updated bundled libsqlite to 3.8.3.1.
    • SPL:
      • Added feature #65545 (SplFileObject::fread()).

    Version 5.4.27

    • Core:
      • Fixed bug #60602 (proc_open() changes environment array)
    • Fileinfo:
      • Fixed bug #66946 (fileinfo: extensive backtracking in awk rule regular expression). (CVE-2013-7345)
    • FPM:
      • Added clear_env configuration directive to disable clearenv() call.
    • GMP:
      • Fixed bug #66872 (invalid argument crashes gmp_testbit)
    • Mail:
      • Fixed bug #66535 (Don't add newline after X-PHP-Originating-Script)
    • MySQLi:
      • Fixed bug #66762 (Segfault in mysqli_stmt::bind_result() when link closed)
    • Openssl:
      • Fixed bug #66833 (Default digest algo is still MD5, switch to SHA1)

    Version 5.5.10

    • Core:
      • Fixed bug #66574 (Allow multiple paths in php_ini_scanned_path).
    • Date:
      • Fixed bug #45528 (Allow the DateTimeZone constructor to accept timezones per offset too).
      • Fixed bug #44780 (some time zone offsets not recognized by timezone_name_from_abbr)
      • Fixed bug #45543 (DateTime::setTimezone can not set timezones without ID)
    • Fileinfo:
      • Fixed bug #66731 (file: infinite recursion (CVE-2014-1943)).
      • Fixed bug #66820 (out-of-bounds memory access in fileinfo (CVE-2014-2270)).
    • GD:
      • Fixed bug #66815 (imagecrop(): insufficient fix for NULL defer (CVE-2013-7327)).
    • JSON:
      • Fixed bug #65753 (JsonSerializable couldn't implement on module extension).
    • LDAP:
      • Implemented ldap_modify_batch (https://wiki.php.net/rfc/ldap_modify_batch).
    • Openssl:
      • Fixed bug #66501 (Add EC key support to php_openssl_is_private_key).
    • PCRE:
      • Upgraded to PCRE 8.34.
    • Pgsql:
      • Added warning for dangerous client encoding and removed possible injections for pg_insert()/pg_update()/pg_delete()/pg_select().

    Version 5.4.26

    • Date:
      • Fixed bug #44780 (some time zone offsets not recognized by timezone_name_from_abbr)
      • Fixed bug #45543 (DateTime::setTimezone can not set timezones without ID)
    • JSON:
      • Fixed bug #65753 (JsonSerializable couldn't implement on module extension)
    • Fileinfo:
      • Fixed bug #66731 (file: infinite recursion) (CVE-2014-1943).
      • Fixed bug #66820 (out-of-bounds memory access in fileinfo) (CVE-2014-2270).
    • LDAP:
      • Implemented ldap_modify_batch (https://wiki.php.net/rfc/ldap_modify_batch).
    • Openssl:
      • Fixed bug #66501 (Add EC key support to php_openssl_is_private_key).
    • Pgsql:
      • Added warning for dangerous client encoding and removed possible injections for pg_insert()/pg_update()/pg_delete()/pg_select().

    Version 5.5.9

    • Core:
      • Fixed bug #66509 (copy() arginfo has changed starting from 5.4).
    • GD:
      • Fixed bug #66356 (Heap Overflow Vulnerability in imagecrop(), CVE-2013-7226).
    • OPCache:
      • Fixed bug #66474 (Optimizer bug in constant string to boolean conversion).
      • Fixed bug #66461 (PHP crashes if opcache.interned_strings_buffer=0).
      • Fixed bug #66298 (ext/opcache/Optimizer/zend_optimizer.c has dos-style ^M as lineend).
    • PDO_pgsql:
      • Fixed bug #62479 (PDO-pgsql cannot connect if password contains spaces).
    • Readline:
      • Fixed bug #66412 (readline_clear_history() with libedit causes segfault after #65714).
    • Session:
      • Fixed bug #66469 (Session module is sending multiple set-cookie headers when session.use_strict_mode=1).
      • Fixed bug #66481 (Segfaults on session_name()).
    • Standard:
      • Fixed bug #66395 (basename function doesn't remove drive letter).
    • Sockets:
      • Fixed bug #66381 (__ss_family was changed on AIX 5.3).
    • Zend Engine:
      • Fixed bug #66009 (Failed compilation of PHP extension with C++ std library using VS 2012).

    Version 5.4.25

    • Core:
      • Fixed bug #66286 (Incorrect object comparison with inheritance).
      • Fixed bug #66509 (copy() arginfo has changed starting from 5.4).
    • mysqlnd:
      • Fixed bug #66283 (Segmentation fault after memory_limit).
    • PDO_pgsql:
      • Fixed bug #62479 (PDO-pgsql cannot connect if password contains spaces).
    • Session:
      • Fixed bug #66481 (Calls to session_name() segfault when session.name is null).

    Version 5.5.8

    • Core:
      • Disallowed JMP into a finally block.
      • Added validation of class names in the autoload process.
      • Fixed invalid C code in zend_strtod.c.
      • Fixed bug #66041 (list() fails to unpack yielded ArrayAccess object).
      • Fixed bug #65764 (generators/throw_rethrow FAIL with ZEND_COMPILE_EXTENDED_INFO).
      • Fixed bug #61645 (fopen and O_NONBLOCK).
      • Fixed bug #66218 (zend_register_functions breaks reflection).
    • Date:
      • Fixed bug #66060 (Heap buffer over-read in DateInterval, CVE-2013-6712).
      • Fixed bug #65768 (DateTimeImmutable::diff does not work).
    • DOM:
      • Fixed bug #65196 (Passing DOMDocumentFragment to DOMDocument::saveHTML() Produces invalid Markup).
    • Exif:
      • Fixed bug #65873 (Integer overflow in exif_read_data()).
    • Filter:
      • Fixed bug #66229 (128.0.0.0/16 isn't reserved any longer).
    • GD:
      • Fixed bug #64405 (Use freetype-config for determining freetype2 dir(s)).
    • PDO_odbc:
      • Fixed bug #66311 (Stack smashing protection kills PDO/ODBC queries).
    • MySQLi:
      • Fixed bug #65486 (mysqli_poll() is broken on win x64).
    • OPCache:
      • Fixed revalidate_path=1 behavior to avoid caching of symlinks values.
      • Fixed issue #140 ("opcache.enable_file_override" doesn't respect "opcache.revalidate_freq").
    • SNMP:
      • Fixed SNMP_ERR_TOOBIG handling for bulk walk operations.
    • SOAP:
      • Fixed bug #66112 (Use after free condition in SOAP extension).
    • Sockets:
      • Fixed bug #65923 (ext/socket assumes AI_V4MAPPED is defined).
    • XSL:
      • Fixed bug #49634 (Segfault throwing an exception in a XSL registered function).
    • ZIP:
      • Fixed bug #66321 (ZipArchive::open() ze_obj->filename_len not real).

    Version 5.4.24

    • Core:
      • Added validation of class names in the autoload process.
      • Fixed invalid C code in zend_strtod.c.
      • Fixed bug #61645 (fopen and O_NONBLOCK).
    • Date:
      • Fixed bug #66060 (Heap buffer over-read in DateInterval, CVE-2013-6712).
      • Fixed bug #63391 (Incorrect/inconsistent day of week prior to the year 1600).
      • Fixed bug #61599 (Wrong Day of Week).
    • DOM:
      • Fixed bug #65196 (Passing DOMDocumentFragment to DOMDocument::saveHTML() Produces invalid Markup).
    • Exif:
      • Fixed bug #65873 (Integer overflow in exif_read_data()).
    • Filter:
      • Fixed bug #66229 (128.0.0.0/16 isn't reserved any longer).
    • GD:
      • Fixed bug #64405 (Use freetype-config for determining freetype2 dir(s)).
    • PDO_odbc:
      • Fixed bug #66311 (Stack smashing protection kills PDO/ODBC queries).
    • SNMP:
      • Fixed SNMP_ERR_TOOBIG handling for bulk walk operations.
    • XSL:
      • Fixed bug #49634 (Segfault throwing an exception in a XSL registered function).
    • ZIP:
      • Fixed bug #66321 (ZipArchive::open() ze_obj->filename_len not real).

    Version 5.5.7

    • Core:
      • Fixed bug #66094 (unregister_tick_function tries to cast a Closure to a string).
      • Fixed bug #65969 (Chain assignment with T_LIST failure).
    • CLI server:
      • Added some MIME types to the CLI web server.
      • Implemented FR #65917 (getallheaders() is not supported by the built-in web server); also implements apache_response_headers().
    • OPCache:
      • Fixed bug #66176 (Invalid constant substitution).
      • Fixed bug #65915 (Inconsistent results with require return value).
      • Fixed bug #65559 (Opcache: cache not cleared if changes occur while running).
    • readline:
      • Fixed bug #65714 (PHP cli forces the tty to cooked mode).
    • Openssl:
      • Fixed memory corruption in openssl_x509_parse() (CVE-2013-6420).

    Version 5.4.23

    • Core:
      • Fixed bug #66094 (unregister_tick_function tries to cast a Closure to a string).
      • Fixed bug #65947 (basename is no more working after fgetcsv in certain situation).
    • JSON:
      • Fixed whitespace part of #64874 ("json_decode handles whitespace and case-sensitivity incorrectly").
    • MySQLi:
      • Fixed bug #66043 (Segfault calling bind_param() on mysqli).
    • mysqlnd:
      • Fixed bug #66124 (mysqli under mysqlnd loses precision when bind_param with 'i').
      • Fixed bug #66141 (mysqlnd quote function is wrong with NO_BACKSLASH_ESCAPES after failed query).
    • OpenSSL:
      • Fixed memory corruption in openssl_x509_parse() (CVE-2013-6420). (Stefan Esser).
    • PDO:
      • Fixed bug #65946 (sql_parser permanently converts values bound to strings).

    Version 5.3.28

    • Openssl:
      • Fixed handling null bytes in subjectAltName (CVE-2013-4248).
      • Fixed memory corruption in openssl_x509_parse() (CVE-2013-6420). (Stefan Esser).

    Version 5.5.6

    • Core:
      • Improved performance of array_merge() and func_get_args() by eliminating useless copying.
      • Fixed bug #65947 (basename is no more working after fgetcsv in certain situation).
      • Fixed bug #65939 (Space before ";" breaks php.ini parsing).
      • Fixed bug #65911 (scope resolution operator - strange behavior with $this).
      • Fixed bug #65936 (dangling context pointer causes crash).
    • FPM:
      • Changed default listen() backlog to 65535.
    • JSON:
      • Fixed bug #64874 (json_decode handles whitespace incorrectly).
    • MySQLi:
      • Fixed bug #66043 (Segfault calling bind_param() on mysqli).
    • OPCache:
      • Increased limit for opcache.max_accelerated_files to 1,000,000.
      • Fixed issue #115 (path issue when using phar).
      • Fixed issue #149 (Phar mount points not working with OPcache enabled).
    • ODBC:
      • Fixed bug #65950 (Field name truncation if the field name is bigger than 32 characters).
    • PDO:
      • Fixed bug #66033 (Segmentation Fault when constructor of PDO statement throws an exception).
      • Fixed bug #65946 (sql_parser permanently converts values bound to strings).
    • Standard:
      • Fixed bug #64760 (var_export() does not use full precision for floating-point numbers).

    Version 5.4.22

    • Core:
      • Fixed bug #65911 (scope resolution operator - strange behavior with $this).
    • CLI server:
      • Fixed bug #65818 (Segfault with built-in webserver and chunked transfer encoding).
    • Exif:
      • Fixed crash on unknown encoding.
    • FTP:
      • Fixed bug #65667 (ftp_nb_continue produces segfault).
    • ODBC:
      • Fixed bug #65950 (Field name truncation if the field name is bigger than 32 characters).
    • Sockets:
      • Fixed bug #65808 (the socket_connect() won't work with IPv6 address).
    • Standard:
      • Fixed bug #64760 (var_export() does not use full precision for floating-point numbers).
    • XMLReader:
      • Fixed bug #51936 (Crash with clone XMLReader).
      • Fixed bug #64230 (XMLReader does not suppress errors).

    Version 5.5.5

    • Core:
      • Fixed bug #64979 (Wrong behavior of static variables in closure generators).
      • Fixed bug #65322 (compile time errors won't trigger auto loading).
      • Fixed bug #65821 (By-ref foreach on property access of string offset segfaults).
    • CLI Server:
      • Fixed bug #65633 (built-in server treat some http headers as case-sensitive).
      • Fixed bug #65818 (Segfault with built-in webserver and chunked transfer encoding).
      • Added application/pdf to PHP CLI Web Server mime types
    • Datetime:
      • Fixed bug #64157 (DateTime::createFromFormat() reports confusing error message).
      • Fixed bug #65502 (DateTimeImmutable::createFromFormat returns DateTime).
      • Fixed bug #65548 (Comparison for DateTimeImmutable doesn't work).
    • DBA:
      • Fixed bug #65708 (dba functions cast $key param to string in-place, bypassing copy on write).
    • Filter:
      • Add RFC 6598 IPs to reserved addresses.
      • Fixed bug #64441 (FILTER_VALIDATE_URL rejects fully qualified domain names).
    • FTP:
      • Fixed bug #65667 (ftp_nb_continue produces segfault).
    • GD:
      • Ensure that the defined interpolation method is used with the generic scaling methods.
    • IMAP:
      • Fixed bug #65721 (configure script broken in 5.5.4 and 5.4.20 when enabling imap).
    • OPCache:
      • Fixed bug #65845 (Error when Zend Opcache Optimizer is fully enabled).
      • Fixed bug #65665 (Exception not properly caught when opcache enabled).
      • Fixed bug #65510 (5.5.2 crashes in _get_zval_ptr_ptr_var).
      • Fixed issue #135 (segfault in interned strings if initial memory is too low).
      • Added function opcache_compile_file() to load PHP scripts into cache without execution.
      • Added support for GNU Hurd.
    • Sockets:
      • Fixed bug #65808 (the socket_connect() won't work with IPv6 address).
    • SPL:
      • Fixed bug #64782 (SplFileObject constructor make $context optional / give it a default value).
    • Standard:
      • Fixed bug #61548 (content-type must appear at the end of headers for 201 Location to work in http).
    • XMLReader:
      • Fixed bug #51936 (Crash with clone XMLReader).
      • Fixed bug #64230 (XMLReader does not suppress errors).
    • Build system:
      • Fixed bug #51076 (Race condition in shtool's mkdir -p implementation).
      • Fixed bug #62396 ('make test' crashes starting with 5.3.14 (missing gzencode())).

    Version 5.4.21

    • Core:
      • Fixed bug #65322 (compile time errors won't trigger auto loading).
    • CLI server:
      • Fixed bug #65633 (built-in server treat some http headers as case-sensitive).
    • Datetime:
      • Fixed bug #64157 (DateTime::createFromFormat() reports confusing error message).
    • DBA extension:
      • Fixed bug #65708 (dba functions cast $key param to string in-place, bypassing copy on write).
    • Filter:
      • Add RFC 6598 IPs to reserved addresses.
      • Fixed bug #64441 (FILTER_VALIDATE_URL rejects fully qualified domain names).
    • IMAP:
      • Fixed bug #65721 (configure script broken in 5.5.4 and 5.4.20 when enabling imap).
    • Standard:
      • Fixed bug #61548 (content-type must appear at the end of headers for 201 Location to work in http).
    • Build system:
      • Fixed bug #62396 ('make test' crashes starting with 5.3.14 (missing gzencode())).

    Version 5.5.4

    • Core:
      • Fixed bug #60598 (cli/apache sapi segfault on objects manipulation).
      • Improved fputcsv() to allow specifying escape character.
      • Fixed bug #65483 (quoted-printable encode stream filter incorrectly encoding spaces).
      • Fixed bug #65470 (Segmentation fault in zend_error() with --enable-dtrace).
      • Fixed bug #65490 (Duplicate calls to get lineno & filename for DTRACE_FUNCTION_*).
      • Fixed bug #65225 (PHP_BINARY incorrectly set).
      • Fixed bug #62692 (PHP fails to build with DTrace).
      • Fixed bug #61759 (class_alias() should accept classes with leading backslashes).
      • Fixed bug #46311 (Pointer aliasing issue results in miscompile on gcc4.4).
    • cURL:
      • Fixed bug #65458 (curl memory leak).
    • Datetime:
      • Fixed bug #65554 (createFromFormat broken when weekday name is followed by some delimiters).
      • Fixed bug #65564 (stack-buffer-overflow in DateTimeZone stuff caught by AddressSanitizer).
    • OPCache:
      • Fixed bug #65561 (Zend Opcache on Solaris 11 x86 needs ZEND_MM_ALIGNMENT=4).
    • Openssl:
      • Fixed bug #64802 (openssl_x509_parse fails to parse subject properly in some cases).
    • Session:
      • Fixed bug #65475 (Session ID is not initialized properly when strict session is enabled).
      • Fixed bug #51127 and #65359, FR #25630/#43980/#54383 (Added php_serialize session serialize handler that uses plain serialize())
    • Standard:
      • Fix issue with return types of password API helper functions. Found via static analysis by cjones.

    Version 5.4.20

    • Core:
      • Fixed bug #60598 (cli/apache sapi segfault on objects manipulation).
      • Fixed bug #65579 (Using traits with get_class_methods causes segfault).
      • Fixed bug #65490 (Duplicate calls to get lineno & filename for DTRACE_FUNCTION_*).
      • Fixed bug #65483 (quoted-printable encode stream filter incorrectly encoding spaces).
      • Fixed bug #65481 (shutdown segfault due to serialize).
      • Fixed bug #65470 (Segmentation fault in zend_error() with --enable-dtrace).
      • Fixed bug #65372 (Segfault in gc_zval_possible_root when return reference fails).
      • Fixed bug #65304 (Use of max int in array_sum).
      • Fixed bug #65291 (get_defined_constants() causes PHP to crash in a very limited case).
      • Fixed bug #65225 (PHP_BINARY incorrectly set).
      • Improved fix for bug #63186 (compile failure on netbsd).
      • Fixed bug #62692 (PHP fails to build with DTrace).
      • Fixed bug #61759 (class_alias() should accept classes with leading backslashes).
      • Fixed bug #61345 (CGI mode - make install don't work).
      • Cherry-picked some DTrace build commits (allowing builds on Linux, bug #62691 and bug #63706) from PHP 5.5 branch.
      • Fixed bug #61268 (--enable-dtrace leads make to clobber Zend/zend_dtrace.d)
    • cURL:
      • Fixed bug #65458 (curl memory leak).
    • Datetime:
      • Fixed bug #65554 (createFromFormat broken when weekday name is followed by some delimiters)
      • Fixed bug #65564 (stack-buffer-overflow in DateTimeZone stuff caught by AddressSanitizer)
    • Openssl:
      • Fixed bug #64802 (openssl_x509_parse fails to parse subject properly in some cases).
    • Session:
      • Fixed bug #62129 (rfc1867 crashes php even though turned off).
      • Fixed bug #50308 (session id not appended properly for empty anchor tags).
      • Fixed possible buffer overflow under Windows. Note: Not a security fix.
      • Changed session.auto_start to PHP_INI_PERDIR.
    • SOAP:
      • Fixed bug #65018 (SoapHeader problems with SoapServer).
    • SPL:
      • Fixed bug #65328 (Segfault when getting SplStack object Value).
    • PDO:
      • Fixed bug #64953 (Postgres prepared statement positional parameter casting).
    • Phar:
      • Fixed bug #65028 (Phar::buildFromDirectory creates corrupt archives for some specific contents).
    • Pgsql:
      • Fixed bug #65336 (pg_escape_literal/identifier() silently returns false).
      • Fixed bug #62978 (Disallow possible SQL injections with pg_select()/pg_update()/pg_delete()/pg_insert()).
    • Zlib:
      • Fixed bug #65391 (Unable to send vary header user-agent when ob_start('ob_gzhandler') is called).

    Version 5.5.3

    • Openssl:
      • Fixed UMR in fix for CVE-2013-4248.

    Version 5.4.19

    • Core:
      • Fixed bug #64503 (Compilation fails with error: conflicting types for 'zendparse').
    • Openssl:
      • Fixed UMR in fix for CVE-2013-4248.

    Version 5.5.2

    • Core:
      • Fixed bug #65372 (Segfault in gc_zval_possible_root when return reference fails).
      • Fixed value of FILTER_SANITIZE_FULL_SPECIAL_CHARS constant (previously was erroneously set to FILTER_SANITIZE_SPECIAL_CHARS value).
      • Fixed bug #65304 (Use of max int in array_sum).
      • Fixed bug #65291 (get_defined_constants() causes PHP to crash in a very limited case).
      • Fixed bug #62691 (solaris sed has no -i switch).
      • Fixed bug #61345 (CGI mode - make install don't work).
      • Fixed bug #61268 (--enable-dtrace leads make to clobber Zend/zend_dtrace.d).
    • DOM:
      • Added flags option to DOMDocument::schemaValidate() and DOMDocument::schemaValidateSource(). Added LIBXML_SCHEMA_CREATE flag.
    • OPcache:
      • Added opcache.restrict_api configuration directive that may limit usage of OPcache API functions only to particular script(s).
      • Added support for glob symbols in blacklist entries (?, *, **).
      • Fixed bug #65338 (Enabling both php_opcache and php_wincache AVs on shutdown).
    • Openssl:
      • Fixed handling null bytes in subjectAltName (CVE-2013-4248).
    • PDO_mysql:
      • Fixed bug #65299 (pdo mysql parsing errors).
    • Phar:
      • Fixed bug #65028 (Phar::buildFromDirectory creates corrupt archives for some specific contents).
    • Pgsql:
      • Fixed bug #62978 (Disallow possible SQL injections with pg_select()/pg_update()/pg_delete()/pg_insert()).
      • Fixed bug #65336 (pg_escape_literal/identifier() silently returns false).
    • Sessions:
      • Implemented strict sessions RFC (https://wiki.php.net/rfc/strict_sessions) which protects against session fixation attacks and session collisions (CVE-2011-4718).
      • Fixed possible buffer overflow under Windows. Note: Not a security fix.
      • Changed session.auto_start to PHP_INI_PERDIR.
    • SOAP:
      • Fixed bug #65018 (SoapHeader problems with SoapServer).
    • SPL:
      • Fixed bug #65328 (Segfault when getting SplStack object Value).
      • Added RecursiveTreeIterator setPostfix and getPostfix methods.
      • Fixed bug #61697 (spl_autoload_functions returns lambda functions incorrectly).
    • Streams:
      • Fixed bug #65268 (select() implementation uses outdated tick API).

    Version 5.4.18

    • Core:
      • Fixed value of FILTER_SANITIZE_FULL_SPECIAL_CHARS constant (previously was erroneously set to FILTER_SANITIZE_SPECIAL_CHARS value).
      • Fixed bug #65254 (Exception not catchable when exception thrown in autoload with a namespace).
      • Fixed bug #65108 (is_callable() triggers Fatal Error).
      • Fixed bug #65088 (Generated configure script is malformed on OpenBSD).
      • Fixed bug #62964 (Possible XSS on "Registered stream filters" info).
      • Fixed bug #62672 (Error on serialize of ArrayObject).
      • Fixed bug #62475 (variant_* functions causes crash when null given as an argument).
      • Fixed bug #60732 (php_error_docref links to invalid pages).
      • Fixed bug #65226 (chroot() does not get enabled).
    • CGI:
      • Fixed bug #65143 (Missing php-cgi man page).
    • CLI server:
      • Fixed bug #65066 (Cli server not responsive when responding with 422 http status code).
    • CURL:
      • Fixed bug #62665 (curl.cainfo doesn't appear in php.ini).
    • FPM:
      • Fixed bug #63983 (enabling FPM borks compile on FreeBSD).
    • FTP:
      • Fixed bug #65228 (FTPs memory leak with SSL).
    • GMP:
      • Fixed bug #65227 (Memory leak in gmp_cmp second parameter).
    • Imap:
      • Fixed bug #64467 (Segmentation fault after imap_reopen failure).
    • Intl:
      • Fixed bug #62759 (Buggy grapheme_substr() on edge case).
      • Fixed bug #61860 (Offsets may be wrong for grapheme_stri* functions).
    • mysqlnd:
      • Fixed segfault in mysqlnd when doing long prepare.
    • ODBC:
      • Fixed bug #61387 (NULL valued anonymous column causes segfault in odbc_fetch_array).
    • Openssl:
      • Fixed handling null bytes in subjectAltName (CVE-2013-4248).
    • PDO:
      • Allowed PDO_OCI to compile with Oracle Database 12c client libraries.
    • PDO_dblib:
      • Fixed bug #65219 (PDO/dblib not working anymore ("use dbName" not sent)).
    • PDO_pgsql:
      • Fixed meta data retrieve when OID is larger than 2^31.
    • Phar:
      • Fixed bug #65142 (Missing phar man page).
    • Session:
      • Fixed bug #62535 ($_SESSION[$key]["cancel_upload"] doesn't work as documented).
      • Fixed bug #35703 (when session_name("123") consist only digits, should warning).
      • Fixed bug #49175 (mod_files.sh does not support hash bits).
    • Sockets:
      • Implemented FR #63472 (Setting SO_BINDTODEVICE with socket_set_option).
    • SPL:
      • Fixed bug #65136 (RecursiveDirectoryIterator segfault).
      • Fixed bug #61828 (Memleak when calling Directory(Recursive)Iterator/Spl(Temp)FileObject ctor twice).
      • Fixed bug #60560 (SplFixedArray un-/serialize, getSize(), count() return 0, keys are strings).
    • XML:
      • Fixed bug #65236 (heap corruption in xml parser). (CVE-2013-4113)

    Version 5.5.1

    • Core:
      • Fixed bug #65254 (Exception not catchable when exception thrown in autoload with a namespace).
      • Fixed bug #65088 (Generated configure script is malformed on OpenBSD).
      • Fixed bug #65108 (is_callable() triggers Fatal Error).
      • Fixed bug #65035 (yield / exit segfault).
      • Fixed bug #65161 (Generator + autoload + syntax error = segfault).
      • Fixed bug #65226 (chroot() does not get enabled).
      • hex2bin() raises E_WARNING for invalid hex string.
    • OPcache:
      • Fixed bug #64827 (Segfault in zval_mark_grey (zend_gc.c)).
      • OPcache is now compatible with LiteSpeed SAPI.
    • CGI:
      • Fixed bug #65143 (Missing php-cgi man page).
    • CLI server:
      • Fixed bug #65066 (Cli server not responsive when responding with 422 http status code).
    • DateTime:
      • Fixed bug #65184 (strftime() returns insufficient-length string under multibyte locales).
    • GD:
      • Fixed bug #65070 (bgcolor does not use the same format as the input image with imagerotate).
      • Fixed bug #65060 (imagecreatefrom... crashes with user streams).
      • Fixed bug #65084 (imagecreatefromjpeg fails with URL).
      • Fix gdImageCreateFromWebpCtx and use the same logic to load WebP images as for other formats.
    • Intl:
      • Add IntlCalendar::setMinimalDaysInFirstWeek()/intlcal_set_minimal_days_in_first_week().
      • Fixed trailing space in name of constant IntlCalendar::FIELD_FIELD_COUNT.
      • Fixed bug #62759 (Buggy grapheme_substr() on edge case).
      • Fixed bug #61860 (Offsets may be wrong for grapheme_stri* functions).
    • OCI8:
      • Bump PECL package info version check to allow PECL installs with PHP 5.5+.
    • PDO:
      • Allowed PDO_OCI to compile with Oracle Database 12c client libraries.
    • Pgsql:
      • pg_unescape_bytea() raises E_WARNING for invalid inputs.
    • Phar:
      • Fixed bug #65142 (Missing phar man page).
    • Session:
      • Added optional create_sid() argument to session_set_save_handler(), SessionHandler and new SessionIdInterface.
    • Sockets:
      • Implemented FR #63472 (Setting SO_BINDTODEVICE with socket_set_option).
      • Allowed specifying paths in the abstract namespace for the functions socket_bind(), socket_connect() and socket_sendmsg().
      • Fixed bug #65260 (sendmsg() ancillary data construction for SCM_RIGHTS is faulty).
    • SPL:
      • Fixed bug #65136 (RecursiveDirectoryIterator segfault).
      • Fixed bug #61828 (Memleak when calling Directory(Recursive)Iterator/Spl(Temp)FileObject ctor twice).
    • CGI/FastCGI SAPI:
      • Added PHP_FCGI_BACKLOG, overrides the default listen backlog.

    Version 5.3.27

    • Core:
      • Fixed bug #64966 (segfault in zend_do_fcall_common_helper_SPEC).
      • Fixed bug #64960 (Segfault in gc_zval_possible_root).
      • Fixed bug #64934 (Apache2 TS crash with get_browser()).
      • Fixed bug #63186 (compile failure on netbsd).
    • DateTime:
      • Fixed bug #53437 (Crash when using unserialized DatePeriod instance).
    • PDO_firebird:
      • Fixed bug #64037 (Firebird return wrong value for numeric field).
      • Fixed bug #62024 (Cannot insert second row with null using parametrized query).
    • PDO_pgsql:
      • Fixed bug #64949 (Buffer overflow in _pdo_pgsql_error).
    • pgsql:
      • Fixed bug #64609 (pg_convert enum type support).
    • SPL:
      • Fixed bug #64997 (Segfault while using RecursiveIteratorIterator on 64-bits systems).
    • XML:
      • Fixed bug #65236 (heap corruption in xml parser). (CVE-2013-4113)

    Version 5.4.17

    • Core:
      • Fixed bug #64988 (Class loading order affects E_STRICT warning).
      • Fixed bug #64966 (segfault in zend_do_fcall_common_helper_SPEC).
      • Fixed bug #64960 (Segfault in gc_zval_possible_root).
      • Fixed bug #64936 (doc comments picked up from previous scanner run).
      • Fixed bug #64934 (Apache2 TS crash with get_browser()).
      • Fixed bug #64166 (quoted-printable-encode stream filter incorrectly discarding whitespace).
    • DateTime:
      • Fixed bug #53437 (Crash when using unserialized DatePeriod instance).
    • FPM:
      • Fixed bug #64915 (error_log ignored when daemonize=0).
      • Implemented FR #64764 (add support for FPM init.d script).
    • PDO:
      • Fixed bug #63176 (Segmentation fault when instantiate 2 persistent PDO to the same db server).
    • PDO_DBlib:
      • Fixed bug #63638 (Cannot connect to SQL Server 2008 with PDO dblib).
      • Fixed bug #64338 (pdo_dblib can't connect to Azure SQL).
      • Fixed bug #64808 (FreeTDS PDO getColumnMeta on a prepared but not executed statement crashes).
    • PDO_firebird:
      • Fixed bug #64037 (Firebird return wrong value for numeric field).
      • Fixed bug #62024 (Cannot insert second row with null using parametrized query).
    • PDO_mysql:
      • Fixed bug #48724 (getColumnMeta() doesn't return native_type for BIT, TINYINT and YEAR).
    • PDO_pgsql:
      • Fixed bug #64949 (Buffer overflow in _pdo_pgsql_error).
    • pgsql:
      • Fixed bug #64609 (pg_convert enum type support).
    • Readline:
      • Implement FR #55694 (Expose additional readline variable to prevent default filename completion).
    • SPL:
      • Fixed bug #64997 (Segfault while using RecursiveIteratorIterator on 64-bits systems).

    Version 5.5.0

    • Drop support for bison < 2.4 when building PHP from GIT source
    • Improved Zend Engine:
      • Added ARMv7/v8 versions of various Zend arithmetic functions that are implemented using inline assembler
      • Added systemtap support by enabling systemtap compatible dtrace probes on linux
      • Optimized access to temporary and compiled VM variables. 8% fewer memory reads
      • The VM stacks for passing function arguments and syntactically nested calls were merged into a single stack. The stack size needed for op_array execution is calculated at compile time and preallocated at once. As a result, all the stack push operations don't require checks for stack overflow any more
    • General improvements:
      • Added generators and coroutines.
      • Added "finally" keyword.
      • Added simplified password hashing API.
      • Added support for constant array/string dereferencing.
      • Added Class Name Resolution As Scalar Via "class" Keyword
      • Added support for using empty() on the result of function calls and other expressions
      • Added support for non-scalar Iterator keys in foreach
      • Added support for list in foreach
    • Core:
      • Added Zend Opcache extension and enable building it by default.
      • Added array_column function which returns a column in a multidimensional array
      • Added boolval()
      • Added "Z" option to pack/unpack
      • Added optional second argument for assert() to specify custom message
      • Added support for changing the process's title in CLI/CLI-Server SAPIs. The implementation is more robust than the proctitle PECL module
      • Improve set_exception_handler while doing reset
      • Return previous handler when passing NULL to set_error_handler and set_exception_handler
      • Implemented FR #64175 (Added HTTP codes as of RFC 6585)
      • Implemented FR #60738 (Allow 'set_error_handler' to handle NULL)
      • Implemented FR #60524 (specify temp dir by php.ini)
      • Implemented FR #46487 (Dereferencing process-handles no longer waits on those processes)
      • Fixed bug #65051 (count() off by one inside unset())
      • Fixed bug #64988 (Class loading order affects E_STRICT warning)
      • Fixed bug #64966 (segfault in zend_do_fcall_common_helper_SPEC)
      • Fixed bug #64960 (Segfault in gc_zval_possible_root)
      • Fixed bug #64936 (doc comments picked up from previous scanner run)
      • Fixed bug #64934 (Apache2 TS crash with get_browser())
      • Fixed bug #64879 (Heap based buffer overflow in quoted_printable_encode, CVE-2013-2110)
      • Fixed bug #64853 (Use of no longer available ini directives causes crash on TS build)
      • Fixed bug #64821 (Custom Exceptions crash when internal properties overridden)
      • Fixed bug #64720 (SegFault on zend_deactivate).
      • Fixed bug #64677 (execution operator `` stealing surrounding arguments)
      • Fixed bug #64660 (Segfault on memory exhaustion within function definition)
      • Fixed bug #64578 (debug_backtrace in set_error_handler corrupts zend heap: segfault)
      • Fixed bug #64565 (copy doesn't report failure on partial copy)
      • Fixed bug #64555 (foreach no longer copies keys if they are interned)
      • Fixed bug #47675 and Fixed bug #64577 (fd leak on Solaris)
      • Fixed bug #64544 (Valgrind warnings after using putenv)
      • Fixed bug #64515 (Memoryleak when using the same variablename 2times in function declaration)
      • Fixed bug #64503 (Compilation fails with error: conflicting types for 'zendparse')
      • Fixed bug #64239 (Debug backtrace changed behavior since 5.4.10 or 5.4.11)
      • Fixed bug #64523 (allow XOR in php.ini)
      • Fixed bug #64354 (Unserialize array of objects whose class can't be autoloaded fail)
      • Fixed bug #64370 (microtime(true) less than $_SERVER['REQUEST_TIME_FLOAT'])
      • Fixed bug #64166 (quoted-printable-encode stream filter incorrectly discarding whitespace)
      • Fixed bug #64142 (dval to lval different behavior on ppc64)
      • Fixed bug #64135 (Exceptions from set_error_handler are not always propagated)
      • Fixed bug #63980 (object members get trimmed by zero bytes)
      • Fixed bug #63874 (Segfault if php_strip_whitespace has heredoc)
      • Fixed bug #63830 (Segfault on undefined function call in nested generator)
      • Fixed bug #63822 (Crash when using closures with ArrayAccess)
      • Fixed bug #61681 (Malformed grammar)
      • Fixed bug #61038 (unpack("a5", "str\0\0") does not work as expected)
      • Fixed bug #61025 (__invoke() visibility not honored)
      • Fixed bug #60833 (self, parent, static behave inconsistently case-sensitive)
      • Fixed bug #52126 (timestamp for mail.log)
      • Fixed bug #49348 (Uninitialized ++$foo->bar; does not cause a notice)
      • Fixed bug #23955 (allow specifying Max-Age attribute in setcookie())
      • Fixed bug #18556 (Engine uses locale rules to handle class names)
      • Fix undefined behavior when converting double variables to integers. The double is now always rounded towards zero, the remainder of its division by 2^32 or 2^64 (depending on sizeof(long)) is calculated and it's made signed assuming a two's complement representation
    • Removed legacy features:
      • Remove php_logo_guid(), php_egg_logo_guid(), php_real_logo_guid(), zend_logo_guid()
      • Drop Windows XP and 2003 support
    • Apache2 Handler SAPI:
      • Enabled Apache 2.4 configure option for Windows.
    • Calendar:
      • Fixed bug #64895 (Integer overflow in SndToJewish).
      • Fixed bug #54254 (cal_from_jd returns month = 6 when there is only one Adar).
    • CLI server:
      • Fixed bug #64128 (built-in web server is broken on ppc64).
    • CURL:
      • Remove curl stream wrappers.
      • Implemented FR #46439 (added CURLFile for safer file uploads).
      • Added support for CURLOPT_FTP_RESPONSE_TIMEOUT, CURLOPT_APPEND, CURLOPT_DIRLISTONLY, CURLOPT_NEW_DIRECTORY_PERMS, CURLOPT_NEW_FILE_PERMS, CURLOPT_NETRC_FILE, CURLOPT_PREQUOTE, CURLOPT_KRBLEVEL, CURLOPT_MAXFILESIZE, CURLOPT_FTP_ACCOUNT, CURLOPT_COOKIELIST, CURLOPT_IGNORE_CONTENT_LENGTH, CURLOPT_CONNECT_ONLY, CURLOPT_LOCALPORT, CURLOPT_LOCALPORTRANGE, CURLOPT_FTP_ALTERNATIVE_TO_USER, CURLOPT_SSL_SESSIONID_CACHE, CURLOPT_FTP_SSL_CCC, CURLOPT_HTTP_CONTENT_DECODING, CURLOPT_HTTP_TRANSFER_DECODING, CURLOPT_PROXY_TRANSFER_MODE, CURLOPT_ADDRESS_SCOPE, CURLOPT_CRLFILE, CURLOPT_ISSUERCERT, CURLOPT_USERNAME, CURLOPT_PASSWORD, CURLOPT_PROXYUSERNAME, CURLOPT_PROXYPASSWORD, CURLOPT_NOPROXY, CURLOPT_SOCKS5_GSSAPI_NEC, CURLOPT_SOCKS5_GSSAPI_SERVICE, CURLOPT_TFTP_BLKSIZE, CURLOPT_SSH_KNOWNHOSTS, CURLOPT_FTP_USE_PRET, CURLOPT_MAIL_FROM, CURLOPT_MAIL_RCPT, CURLOPT_RTSP_CLIENT_CSEQ, CURLOPT_RTSP_SERVER_CSEQ, CURLOPT_RTSP_SESSION_ID, CURLOPT_RTSP_STREAM_URI, CURLOPT_RTSP_TRANSPORT, CURLOPT_RTSP_REQUEST, CURLOPT_RESOLVE, CURLOPT_ACCEPT_ENCODING, CURLOPT_TRANSFER_ENCODING, CURLOPT_DNS_SERVERS and CURLOPT_USE_SSL
      • Fixed bug #55635 (CURLOPT_BINARYTRANSFER no longer used. The constant still exists for backward compatibility but is doing nothing)
      • Fixed bug #54995 (Missing CURLINFO_RESPONSE_CODE support)
      • Added new functions curl_escape, curl_multi_setopt, curl_multi_strerror, curl_pause, curl_reset, curl_share_close, curl_share_init, curl_share_setopt, curl_strerror and curl_unescape
      • Added new curl options CURLOPT_TELNETOPTIONS, CURLOPT_GSSAPI_DELEGATION, CURLOPT_ACCEPTTIMEOUT_MS, CURLOPT_SSL_OPTIONS, CURLOPT_TCP_KEEPALIVE, CURLOPT_TCP_KEEPIDLE and CURLOPT_TCP_KEEPINTVL
    • DateTime:
      • Added DateTimeImmutable - a variant of DateTime that only returns the modified state instead of changing itself.
      • Fixed bug #64825 (Invalid free when unserializing DateTimeZone).
      • Fixed bug #64359 (strftime crash with VS2012)
      • Fixed bug #62852 (Unserialize Invalid Date causes crash)
      • Fixed bug #61642 (modify("+5 weekdays") returns Sunday)
      • Fixed bug #60774 (DateInterval::format("%a") is always zero when an interval is created using the createFromDateString method)
      • Fixed bug #54567 (DateTimeZone serialize/unserialize)
      • Fixed bug #53437 (Crash when using unserialized DatePeriod instance)
    • dba:
      • Fixed bug #62489 (dba_insert not working as expected)
    • Filter:
      • Implemented FR #49180 (added MAC address validation)
    • Fileinfo:
      • Upgraded libmagic to 5.14.
      • Fixed bug #64830 (mimetype detection segfaults on mp3 file)
      • Fixed bug #63590 (Different results in TS and NTS under Windows)
      • Fixed bug #63248 (Load multiple magic files from a directory under Windows)
    • FPM:
      • Add --with-fpm-systemd option to report health to systemd, and systemd_interval option to configure this. The service can now use Type=notify in the systemd unit file.
      • Ignore QUERY_STRING when sent in SCRIPT_FILENAME
      • Log a warning when a syscall fails
      • Implemented FR #64764 (add support for FPM init.d script)
      • Fixed bug #64915 (error_log ignored when daemonize=0)
      • Fixed bug #63999 (php with fpm fails to build on Solaris 10 or 11)
      • Fixed some possible memory or resource leaks and possible null dereference detected by code coverity scan
    • GD:
      • Fixed bug #64962 (imagerotate produces corrupted image).
      • Fixed bug #64961 (segfault in imagesetinterpolation)
      • Fix build with system libgd >= 2.1 which is now the minimal version required (as build with previous version is broken). No change when bundled libgd is used
      • Upgraded libgd to 2.1
    • hash:
      • Added support for PBKDF2 via hash_pbkdf2().
      • Fixed bug #64745 (hash_pbkdf2() truncates data when using default length and hex output)
    • intl:
      • Added UConverter wrapper.
      • The intl extension now requires ICU 4.0+
      • Added intl.use_exceptions INI directive, which controls what happens when global errors are set together with intl.error_level
      • MessageFormatter::format() and related functions now accept named arguments and mixed numeric/named arguments in ICU 4.8+
      • MessageFormatter::format() and related functions now don't error out when an insufficient argument count is provided. Instead, the placeholders will remain unsubstituted
      • MessageFormatter::parse() and MessageFormat::format() (and their static equivalents) don't throw away better than second precision in the arguments
      • IntlDateFormatter::__construct and datefmt_create() now accept for the $timezone argument time zone identifiers, IntlTimeZone objects, DateTimeZone objects and NULL
      • IntlDateFormatter::__construct and datefmt_create() no longer accept invalid timezone identifiers or empty strings
      • The default time zone used in IntlDateFormatter::__construct and datefmt_create() (when the corresponding argument is not passed or NULL is passed) is now the one given by date_default_timezone_get(), not the default ICU time zone
      • The time zone passed to the IntlDateFormatter is ignored if it is NULL and if the calendar passed is an IntlCalendar object -- in this case, the IntlCalendar's time zone will be used instead. Otherwise, the time zone specified in the $timezone argument is used instead. This does not affect old code, as IntlCalendar was introduced in this version
      • IntlDateFormatter::__construct and datefmt_create() now accept for the $calendar argument also IntlCalendar objects
      • IntlDateFormatter::getCalendar() and datefmt_get_calendar() return false if the IntlDateFormatter was set up with an IntlCalendar instead of the constants IntlDateFormatter::GREGORIAN/TRADITIONAL. IntlCalendar did not exist before this version
      • IntlDateFormatter::setCalendar() and datefmt_set_calendar() now also accept an IntlCalendar object, in which case its time zone is taken. Passing a constant is still allowed, and still keeps the time zone
      • IntlDateFormatter::setTimeZoneID() and datefmt_set_timezone_id() are deprecated. Use IntlDateFormatter::setTimeZone() or datefmt_set_timezone() instead
      • IntlDateFormatter::format() and datefmt_format() now also accept an IntlCalendar object for formatting
      • Added the classes: IntlCalendar, IntlGregorianCalendar, IntlTimeZone, IntlBreakIterator, IntlRuleBasedBreakIterator and IntlCodePointBreakIterator
      • Added the functions: intlcal_get_keyword_values_for_locale(), intlcal_get_now(), intlcal_get_available_locales(), intlcal_get(), intlcal_get_time(), intlcal_set_time(), intlcal_add(), intlcal_set_time_zone(), intlcal_after(), intlcal_before(), intlcal_set(), intlcal_roll(), intlcal_clear(), intlcal_field_difference(), intlcal_get_actual_maximum(), intlcal_get_actual_minimum(), intlcal_get_day_of_week_type(), intlcal_get_first_day_of_week(), intlcal_get_greatest_minimum(), intlcal_get_least_maximum(), intlcal_get_locale(), intlcal_get_maximum(), intlcal_get_minimal_days_in_first_week(), intlcal_get_minimum(), intlcal_get_time_zone(), intlcal_get_type(), intlcal_get_weekend_transition(), intlcal_in_daylight_time(), intlcal_is_equivalent_to(), intlcal_is_lenient(), intlcal_is_set(), intlcal_is_weekend(), intlcal_set_first_day_of_week(), intlcal_set_lenient(), intlcal_equals(), intlcal_get_repeated_wall_time_option(), intlcal_get_skipped_wall_time_option(), intlcal_set_repeated_wall_time_option(), intlcal_set_skipped_wall_time_option(), intlcal_from_date_time(), intlcal_to_date_time(), intlcal_get_error_code(), intlcal_get_error_message(), intlgregcal_create_instance(), intlgregcal_set_gregorian_change(), intlgregcal_get_gregorian_change() and intlgregcal_is_leap_year()
      • Added the functions: intltz_create_time_zone(), intltz_create_default(), intltz_get_id(), intltz_get_gmt(), intltz_get_unknown(), intltz_create_enumeration(), intltz_count_equivalent_ids(), intltz_create_time_zone_id_enumeration(), intltz_get_canonical_id(), intltz_get_region(), intltz_get_tz_data_version(), intltz_get_equivalent_id(), intltz_use_daylight_time(), intltz_get_offset(), intltz_get_raw_offset(), intltz_has_same_rules(), intltz_get_display_name(), intltz_get_dst_savings(), intltz_from_date_time_zone(), intltz_to_date_time_zone(), intltz_get_error_code(), intltz_get_error_message()
      • Added the methods: IntlDateFormatter::formatObject(), IntlDateFormatter::getCalendarObject(), IntlDateFormatter::getTimeZone(), IntlDateFormatter::setTimeZone()
      • Added the functions: datefmt_format_object(), datefmt_get_calendar_object(), datefmt_get_timezone(), datefmt_set_timezone(), datefmt_get_calendar_object(), intlcal_create_instance()
    • mbstring:
      • Fixed bug #64769 (mbstring PHPTs crash on Windows x64).
    • MCrypt:
      • mcrypt_ecb(), mcrypt_cbc(), mcrypt_cfb() and mcrypt_ofb() now throw E_DEPRECATED.
    • mysql:
      • This extension is now deprecated, and deprecation warnings will be generated when connections are established to databases via mysql_connect(), mysql_pconnect(), or through implicit connection: use MySQLi or PDO_MySQL instead
      • Dropped support for LOAD DATA LOCAL INFILE handlers when using libmysql. Known for stability problems
      • Added support for SHA256 authentication available with MySQL 5.6.6+
    • mysqli:
      • Added mysqli_begin_transaction()/mysqli::begin_transaction(). Implemented all options, per MySQL 5.6, which can be used with START TRANSACTION, COMMIT and ROLLBACK through options to mysqli_commit()/mysqli_rollback() and their respective OO counterparts. They work in libmysql and mysqlnd mode
      • Added mysqli_savepoint(), mysqli_release_savepoint()
      • Fixed bug #64726 (Segfault when calling fetch_object on a use_result and DB pointer has closed)
      • Fixed bug #64394 (MYSQL_OPT_CAN_HANDLE_EXPIRED_PASSWORDS undeclared when using Connector/C)
    • mysqlnd:
      • Add new begin_transaction() call to the connection object. Implemented all options, per MySQL 5.6, which can be used with START TRANSACTION, COMMIT and ROLLBACK
      • Added mysqlnd_savepoint(), mysqlnd_release_savepoint()
      • Fixed bug #63530 (mysqlnd_stmt::bind_one_parameter crashes, uses wrong alloc for stmt->param_bind)
      • Fixed return value of mysqli_stmt_affected_rows() in the time after prepare() and before execute()
    • PCRE:
      • Merged PCRE 8.32
      • Deprecated the /e modifier
      • Fixed bug #63284 (Upgrade PCRE to 8.31)
    • PDO:
      • Fixed bug #63176 (Segmentation fault when instantiate 2 persistent PDO to the same db server)
    • PDO_DBlib:
      • Fixed bug #63638 (Cannot connect to SQL Server 2008 with PDO dblib)
      • Fixed bug #64338 (pdo_dblib can't connect to Azure SQL)
      • Fixed bug #64808 (FreeTDS PDO getColumnMeta on a prepared but not executed statement crashes)
    • PDO_pgsql:
      • Fixed bug #64949 (Buffer overflow in _pdo_pgsql_error)
    • PDO_mysql:
      • Fixed bug #48724 (getColumnMeta() doesn't return native_type for BIT, TINYINT and YEAR)
    • pgsql:
      • Added pg_escape_literal() and pg_escape_identifier()
      • Fixed bug #46408 (Locale number format settings can cause pg_query_params to break with numerics)
    • Phar:
      • Fixed timestamp update on Phar contents modification
    • readline:
      • Fixed bug #55694 (Expose additional readline variable to prevent default filename completion)
    • Reflection:
      • Fixed bug #64007 (There is an ability to create instance of Generator by hand)
    • Sockets:
      • Added socket_cmsg_space(), socket_sendmsg(), and socket_recvmsg() functions
      • Fixed bug #64508 (Fails to build with --disable-ipv6)
      • Fixed bug #64287 (sendmsg/recvmsg shutdown handler causes segfault)
    • SPL:
      • Fixed bug #64997 (Segfault while using RecursiveIteratorIterator on 64-bits systems)
      • Fixed bug #64264 (SPLFixedArray toArray problem)
      • Fixed bug #64228 (RecursiveDirectoryIterator always assumes SKIP_DOTS)
      • Fixed bug #64106 (Segfault on SplFixedArray[][x] = y when extended)
      • Fixed bug #60560 (SplFixedArray un-/serialize, getSize(), count() return 0, keys are strings)
      • Fixed bug #52861 (unset fails with ArrayObject and deep arrays)
      • Implement #48358 (Add SplDoublyLinkedList::add() to insert an element at a given offset)
    • SNMP:
      • Fixed bug #64765 (Some IPv6 addresses get interpreted wrong)
      • Fixed bug #64159 (Truncated snmpget)
      • Fixed bug #64124 (IPv6 malformed)
      • Fixed bug #61981 (OO API, walk: $suffix_as_key is not working correctly)
    • SOAP:
      • Added SoapClient constructor option 'ssl_method' to specify ssl method
    • Streams:
      • Fixed bug #64770 (stream_select() fails with pipes returned by proc_open() on Windows x64)
      • Fixed Windows x64 version of stream_socket_pair() and improved error handling
    • Tokenizer:
      • Fixed bug #60097 (token_get_all fails to lex nested heredoc)
    • Zip:
      • Upgraded libzip to 0.10.1
      • Fixed bug #64452 (Zip crash intermittently)
      • Fixed bug #64342 (ZipArchive::addFile() has to check for file existence)

    Version 5.4.16

    • Core:
      • Fixed bug #64879 (Heap based buffer overflow in quoted_printable_encode, CVE-2013-2110).
      • Fixed bug #64853 (Use of no longer available ini directives causes crash on TS build).
      • Fixed bug #64729 (compilation failure on x32).
      • Fixed bug #64720 (SegFault on zend_deactivate).
      • Fixed bug #64660 (Segfault on memory exhaustion within function definition).
    • Calendar:
      • Fixed bug #64895 (Integer overflow in SndToJewish).
    • Fileinfo:
      • Fixed bug #64830 (mimetype detection segfaults on mp3 file).
    • FPM:
      • Ignore QUERY_STRING when sent in SCRIPT_FILENAME.
      • Fixed some possible memory or resource leaks and possible null dereference detected by code coverity scan.
      • Log a warning when a syscall fails.
      • Add --with-fpm-systemd option to report health to systemd, and systemd_interval option to configure this. The service can now use Type=notify in the systemd unit file.
    • MySQLi:
      • Fixed bug #64726 (Segfault when calling fetch_object on a use_result and DB pointer has closed).
    • Phar:
      • Fixed bug #64214 (PHAR PHPTs intermittently crash when run on DFS, SMB or with non std tmp dir).
    • SNMP:
      • Fixed bug #64765 (Some IPv6 addresses get interpreted wrong).
      • Fixed bug #64159 (Truncated snmpget).
    • Streams:
      • Fixed bug #64770 (stream_select() fails with pipes returned by proc_open() on Windows x64).
    • Zend Engine:
      • Fixed bug #64821 (Custom Exceptions crash when internal properties overridden).

    Version 5.3.26

    • Core:
      • Fixed bug #64879 (Heap based buffer overflow in quoted_printable_encode, CVE-2013-2110).
    • Calendar:
      • Fixed bug #64895 (Integer overflow in SndToJewish).
    • FPM:
      • Fixed some possible memory or resource leaks and possible null dereference detected by code coverity scan.
      • Log a warning when a syscall fails.
    • MySQLi:
      • Fixed bug #64726 (Segfault when calling fetch_object on a use_result and DB pointer has closed).
    • Phar:
      • Fixed bug #64214 (PHAR PHPTs intermittently crash when run on DFS, SMB or with non std tmp dir).
    • Streams:
      • Fixed bug #64770 (stream_select() fails with pipes returned by proc_open() on Windows x64).
    • Zend Engine:
      • Fixed bug #64821 (Custom Exception crash when internal properties overridden).

    Version 5.4.15

    • Core:
      • Fixed bug #64578 (debug_backtrace in set_error_handler corrupts zend heap: segfault).
      • Fixed bug #64458 (dns_get_record result with string of length -1).
      • Fixed bug #64433 (follow_location parameter of context is ignored for most response codes).
      • Fixed bug #47675 (fd leak on Solaris).
      • Fixed bug #64577 (fd leak on Solaris).
    • Fileinfo:
      • Upgraded libmagic to 5.14.
    • Streams:
      • Fixed Windows x64 version of stream_socket_pair() and improved error handling.
    • Zip:
      • Fixed bug #64342 (ZipArchive::addFile() has to check for file existence).

    Version 5.3.25

    • Core:
      • Fixed bug #64578 (debug_backtrace in set_error_handler corrupts zend heap: segfault).
      • Fixed bug #64458 (dns_get_record result with string of length -1).
      • Fixed bug #47675 (fd leak on Solaris).
      • Fixed bug #64577 (fd leak on Solaris).
    • Streams:
      • Fixed Windows x64 version of stream_socket_pair() and improved error handling.
    • Zip:
      • Fixed bug #64342 (ZipArchive::addFile() has to check for file existence).

    Version 5.4.14

    • Core:
      • Fixed bug #64529 (Ran out of opcode space).
      • Fixed bug #64515 (Memory leak when using the same variable name two times in function declaration).
      • Fixed bug #64432 (more empty delimiter warning in strX methods).
      • Fixed bug #64417 (ArrayAccess::&offsetGet() in a trait causes fatal error).
      • Fixed bug #64370 (microtime(true) less than $_SERVER['REQUEST_TIME_FLOAT']).
      • Fixed bug #64239 (Debug backtrace changed behavior since 5.4.10 or 5.4.11).
      • Fixed bug #63976 (Parent class incorrectly using child constant in class property).
      • Fixed bug #63914 (zend_do_fcall_common_helper_SPEC does not handle exceptions properly).
      • Fixed bug #62343 (Show class_alias In get_declared_classes()).
    • PCRE:
      • Merged PCRE 8.32.
    • SNMP:
      • Fixed bug #61981 (OO API, walk: $suffix_as_key is not working correctly).
    • Zip:
      • Fixed bug #64452 (Zip crash intermittently). (Anatol)

    Version 5.3.24

    • Core:
      • Fixed bug #64370 (microtime(true) less than $_SERVER['REQUEST_TIME_FLOAT']).
      • Fixed bug #63914 (zend_do_fcall_common_helper_SPEC does not handle exceptions properly).
      • Fixed bug #62343 (Show class_alias In get_declared_classes()).
    • PCRE:
      • Merged PCRE 8.32.
    • mysqlnd:
      • Fixed bug #63530 (mysqlnd_stmt::bind_one_parameter crashes, uses wrong alloc for stmt->param_bind).
    • DateTime:
      • Fixed bug #62852 (Unserialize Invalid Date causes crash).
    • Zip:
      • Fixed bug #64452 (Zip crash intermittently).

    Version 5.4.13

    • Core:
      • Fixed bug #64235 (Insteadof not work for class method in 5.4.11).
      • Implemented FR #64175 (Added HTTP codes as of RFC 6585).
      • Fixed bug #64142 (dval to lval different behavior on ppc64).
      • Fixed bug #64070 (Inheritance with Traits failed with error).
    • CLI server:
      • Fixed bug #64128 (built-in web server is broken on ppc64).
    • Mbstring:
      • mb_split() can now handle empty matches like preg_split() does.
    • OpenSSL:
      • Fixed bug #61930 (openssl corrupts ssl key resource when using openssl_get_publickey()).
    • PDO_mysql:
      • Fixed bug #60840 (undefined symbol: mysqlnd_debug_std_no_trace_funcs).
    • Phar:
      • Fixed timestamp update on Phar contents modification.
    • SOAP:
      • Added check that soap.wsdl_cache_dir conforms to open_basedir (CVE-2013-1635).
      • Disabled external entities loading (CVE-2013-1643, CVE-2013-1824).
    • SPL:
      • Fixed bug #64264 (SPLFixedArray toArray problem).
      • Fixed bug #64228 (RecursiveDirectoryIterator always assumes SKIP_DOTS).
      • Fixed bug #64106 (Segfault on SplFixedArray[][x] = y when extended).
      • Fixed bug #52861 (unset fails with ArrayObject and deep arrays).
    • SNMP:
      • Fixed bug #64124 (IPv6 malformed).

    Version 5.3.23

    • Phar:
      • Fixed timestamp update on Phar contents modification.
    • SOAP:
      • Added check that soap.wsdl_cache_dir conforms to open_basedir (CVE-2013-1635).
      • Disabled external entities loading (CVE-2013-1643, CVE-2013-1824).
    • SPL:
      • Fixed bug #64264 (SPLFixedArray toArray problem).
      • Fixed bug #64228 (RecursiveDirectoryIterator always assumes SKIP_DOTS).
      • Fixed bug #64106 (Segfault on SplFixedArray[][x] = y when extended).
      • Fixed bug #52861 (unset fails with ArrayObject and deep arrays).

    Version 5.4.12

    • Core:
      • Fixed bug #64099 (Wrong TSRM usage in zend_register_class alias).
      • Fixed bug #64011 (get_html_translation_table() output incomplete with HTML_ENTITIES and ISO-8859-1).
      • Fixed bug #63982 (isset() inconsistently produces a fatal error on protected property).
      • Fixed bug #63943 (Bad warning text from strpos() on empty needle).
      • Fixed bug #63899 (Use after scope error in zend_compile).
      • Fixed bug #63893 (Poor efficiency of strtr() using array with keys of very different length).
      • Fixed bug #63882 (zend_std_compare_objects crash on recursion).
      • Fixed bug #63462 (Magic methods called twice for unset protected properties).
      • Fixed bug #62524 (fopen follows redirects for non-3xx statuses).
      • Support BITMAPV5HEADER in getimagesize().
    • Date:
      • Fixed bug #63699 (Performance improvements for various ext/date functions).
      • Fixed bug #55397 (Comparison of incomplete DateTime causes SIGSEGV).
    • FPM:
      • Fixed bug #63999 (php with fpm fails to build on Solaris 10 or 11).
    • Litespeed:
      • Fixed bug #63228 (-Werror=format-security error in lsapi code).
    • sqlite3:
      • Fixed bug #63921 (sqlite3::bindvalue and relative PHP functions aren't using sqlite3_*_int64 API).
    • PDO_OCI:
      • Fixed bug #57702 (Multi-row BLOB fetches).
      • Fixed bug #52958 (Segfault in PDO_OCI on cleanup after running a long testsuite).
    • PDO_sqlite:
      • Fixed bug #63916 (PDO::PARAM_INT casts to 32bit int internally even on 64bit builds in pdo_sqlite).

    Version 5.3.22

    • Zend Engine:
      • Fixed bug #64099 (Wrong TSRM usage in zend_register_class alias).
      • Fixed bug #63899 (Use after scope error in zend_compile).
    • Core:
      • Fixed bug #63943 (Bad warning text from strpos() on empty needle).
    • Date:
      • Fixed bug #55397 (Comparison of incomplete DateTime causes SIGSEGV).
    • FPM:
      • Fixed bug #63999 (php with fpm fails to build on Solaris 10 or 11).
    • SPL:
      • Fixed bug #64106 (Segfault on SplFixedArray[][x] = y when extended).

    Version 5.4.11

    • Core:
      • Fixed bug #63762 (Sigsegv when Exception::$trace is changed by user).
      • Fixed bug #43177 (Errors in eval()'ed code produce status code 500).
    • Filter:
      • Fixed bug #63757 (getenv() produces memory leak with CGI SAPI).
      • Fixed bug #54096 (FILTER_VALIDATE_INT does not accept +0 and -0).
    • JSON:
      • Fixed bug #63737 (json_decode does not properly decode with options parameter).
    • CLI server:
      • Update list of common mime types. Added webm, ogv, ogg.
    • cURL extension:
      • Fixed bug (segfault due to libcurl connection caching).
      • Fixed bug #63859 (Memory leak when reusing curl-handle).
      • Fixed bug #63795 (CURL >= 7.28.0 no longer support value 1 for CURLOPT_SSL_VERIFYHOST).
      • Fixed bug #63352 (Can't enable hostname validation when using curl stream wrappers).
      • Fixed bug #55438 (Curlwrapper is not sending http header randomly).

    Version 5.3.21

    • Zend Engine:
      • Fixed bug #63762 (Sigsegv when Exception::$trace is changed by user).
    • cURL extension:
      • Fixed bug (segfault due to libcurl connection caching).
      • Fixed bug #63795 (CURL >= 7.28.0 no longer support value 1 for CURLOPT_SSL_VERIFYHOST).
      • Fixed bug #63352 (Can't enable hostname validation when using curl stream wrappers).
      • Fixed bug #55438 (Curlwrapper is not sending http header randomly).

    Version 5.4.10

    • Core:
      • Fixed bug #63635 (Segfault in gc_collect_cycles).
      • Fixed bug #63512 (parse_ini_file() with INI_SCANNER_RAW removes quotes from value).
      • Fixed bug #63468 (wrong called method as callback with inheritance).
      • Fixed bug #63451 (config.guess file does not have AIX 7 defined, shared objects are not created).
      • Fixed bug #61557 (Crasher in tt-rss backend.php).
      • Fixed bug #61272 (ob_start callback gets passed empty string).
    • Date:
      • Fixed bug #63666 (Poor date() performance).
      • Fixed bug #63435 (Datetime::format('u') sometimes wrong by 1 microsecond).
    • Imap:
      • Fixed bug #63126 (DISABLE_AUTHENTICATOR ignores array).
    • Json:
      • Fixed bug #63588 (use php_next_utf8_char and remove duplicate implementation).
    • MySQLi:
      • Fixed bug #63361 (missing header).
    • MySQLnd:
      • Fixed bug #63398 (Segfault when polling closed link).
    • Fileinfo:
      • Fixed bug #63590 (Different results in TS and NTS under Windows).
    • FPM:
      • Fixed bug #63581 (Possible null dereference and buffer overflow).
    • Pdo_sqlite:
      • Fixed bug #63149 (getColumnMeta should return the table name when system SQLite used).
    • Apache2 Handler SAPI:
      • Enabled Apache 2.4 configure option for Windows.
    • Reflection:
      • Fixed bug #63614 (Fatal error on Reflection).
    • SOAP:
      • Fixed bug #63271 (SOAP wsdl cache is not enabled after initial requests).
    • Sockets:
      • Fixed bug #49341 (Add SO_REUSEPORT support for socket_set_option()).

    Version 5.3.20

    • Zend Engine:
      • Fixed bug #63635 (Segfault in gc_collect_cycles).
      • Fixed bug #63512 (parse_ini_file() with INI_SCANNER_RAW removes quotes from value).
      • Fixed bug #63468 (wrong called method as callback with inheritance).
    • Core:
      • Fixed bug #63451 (config.guess file does not have AIX 7 defined, shared objects are not created).
      • Fixed bug #63377 (Segfault on output buffer).
    • Apache2 Handler SAPI:
      • Enabled Apache 2.4 configure option for Windows.
    • Date:
      • Fixed bug #63435 (Datetime::format('u') sometimes wrong by 1 microsecond).
    • Fileinfo:
      • Fixed bug #63248 (Load multiple magic files from a directory under Windows).
      • Fixed bug #63590 (Different results in TS and NTS under Windows).
    • FPM:
      • Fixed bug #63581 (Possible null dereference and buffer overflow).
    • Imap:
      • Fixed bug #63126 (DISABLE_AUTHENTICATOR ignores array).
    • MySQLnd:
      • Fixed bug #63398 (Segfault when polling closed link).
    • Reflection:
      • Fixed bug #63614 (Fatal error on Reflection).
    • SOAP:
      • Fixed bug #63271 (SOAP wsdl cache is not enabled after initial requests).

    Version 5.4.9

    • Core:
      • Fixed bug #63305 (zend_mm_heap corrupted with traits).
      • Fixed bug #63369 ((un)serialize() leaves dangling pointers, causes crashes).
      • Fixed bug #63241 (PHP fails to open Windows deduplicated files).
      • Fixed bug #62444 (Handle leak in is_readable on windows).
    • Curl:
      • Fixed bug #63363 (Curl silently accepts boolean true for SSL_VERIFYHOST).
    • Fileinfo:
      • Fixed bug #63248 (Load multiple magic files from a directory under Windows).
    • Libxml:
      • Fixed bug #63389 (Missing context check on libxml_set_streams_context() causes memleak).
    • Mbstring:
      • Fixed bug #63447 (max_input_vars doesn't filter variables when mbstring.encoding_translation = On).
    • OCI8:
      • Fixed bug #63265 (Add ORA-00028 to the PHP_OCI_HANDLE_ERROR macro)
    • PCRE:
      • Fixed bug #63180 (Corruption of hash tables).
      • Fixed bug #63055 (Segfault in zend_gc with SF2 testsuite).
      • Fixed bug #63284 (Upgrade PCRE to 8.31).
    • PDO:
      • Fixed bug #63235 (buffer overflow in use of SQLGetDiagRec).
    • PDO_pgsql:
      • Fixed bug #62593 (Emulate prepares behave strangely with PARAM_BOOL).
    • Phar:
      • Fixed bug #63297 (Phar fails to write an openssl based signature).
    • Streams:
      • Fixed bug #63240 (stream_get_line() return contains delimiter string).
    • Reflection:
      • Fixed bug #63399 (ReflectionClass::getTraitAliases() incorrectly resolves traitnames).

    Version 5.3.19

    • Core:
      • Fixed bug #63241 (PHP fails to open Windows deduplicated files).
      • Fixed bug #62444 (Handle leak in is_readable on windows).
    • Libxml:
      • Fixed bug #63389 (Missing context check on libxml_set_streams_context() causes memleak).
    • Mbstring:
      • Fixed bug #63447 (max_input_vars doesn't filter variables when mbstring.encoding_translation = On).
    • MySQL:
      • Fixed compilation failure on mixed 32/64 bit systems.
    • OCI8:
      • Fixed bug #63265 (Add ORA-00028 to the PHP_OCI_HANDLE_ERROR macro)
    • PCRE:
      • Fixed bug #63055 (Segfault in zend_gc with SF2 testsuite).
      • Fixed bug #63284 (Upgrade PCRE to 8.31).
    • PDO:
      • Fixed bug #63235 (buffer overflow in use of SQLGetDiagRec).
    • PDO_pgsql:
      • Fixed bug #62593 (Emulate prepares behave strangely with PARAM_BOOL).
    • Phar:
      • Fixed bug #63297 (Phar fails to write an openssl based signature).
    • Streams:
      • Fixed bug #63240 (stream_get_line() return contains delimiter string).

    Version 5.4.8

    • CLI server
      • Changed response to unknown HTTP method to 501 according to RFC.
      • Support HTTP PATCH method.
    • Core
      • Added optional second argument for assert() to specify custom message.
      • Support building PHP with the native client toolchain.
      • Added --offline option for tests.
      • Fixed bug #63162 (parse_url does not match password component).
      • Fixed bug #63111 (is_callable() lies for abstract static method).
      • Fixed bug #63093 (Segfault while load extension failed in zts-build).
      • Fixed bug #62976 (Notice: could not be converted to int when comparing some builtin classes).
      • Fixed bug #62955 (Only one directive is loaded from "Per Directory Values" Windows registry).
      • Fixed bug #62907 (Double free when use traits).
      • Fixed bug #61767 (Shutdown functions not called in certain error situation).
      • Fixed bug #60909 (custom error handler throwing Exception + fatal error = no shutdown function).
      • Fixed bug #60723 (error_log error time has changed to UTC ignoring default timezone).
    • cURL
      • Fixed bug #62085 (file_get_contents a remote file by Curl wrapper will cause cpu Soaring).
    • Date
      • Fixed bug #62896 ("DateTime->modify('+0 days')" modifies DateTime object)
      • Fixed bug #62561 (DateTime add 'P1D' adds 25 hours).
    • DOM
      • Fixed bug #63015 (Incorrect arginfo for DOMErrorHandler).
    • FPM
      • Fixed bug #62954 (startup problems fpm / php-fpm).
      • Fixed bug #62886 (PHP-FPM may segfault/hang on startup).
      • Fixed bug #63085 (Systemd integration and daemonize).
      • Fixed bug #62947 (Unnecessary warnings on FPM).
      • Fixed bug #62887 (Only /status?plain&full gives "last request cpu").
      • Fixed bug #62216 (Add PID to php-fpm init.d script).
    • OpenSSL
      • Implemented FR #61421 (OpenSSL signature verification missing RMD160, SHA224, SHA256, SHA384, SHA512).
    • SOAP
      • Fixed bug #50997 (SOAP Error when trying to submit 2nd Element of a choice).
    • SPL
      • Fixed bug #62987 (Assigning to ArrayObject[null][something] overrides all undefined variables).
    • mbstring
      • Allow passing null as a default value to mb_substr() and mb_strcut(). Patch by Alexander Moskaliov via GitHub PR #133.
    • Filter extension
      • Fixed bug #49510 (Boolean validation fails with FILTER_NULL_ON_FAILURE with empty string or false.)
    • Socket
      • Fixed bug #63000 (MCAST_JOIN_GROUP on OSX is broken, merge of PR 185 by Igor Wiedler).

    Version 5.3.18

    • Core
      • Fixed bug #63111 (is_callable() lies for abstract static method).
      • Fixed bug #63093 (Segfault while load extension failed in zts-build).
      • Fixed bug #62976 (Notice: could not be converted to int when comparing some builtin classes).
      • Fixed bug #61767 (Shutdown functions not called in certain error situation).
      • Fixed bug #61442 (exception threw in __autoload can not be catched).
      • Fixed bug #60909 (custom error handler throwing Exception + fatal error = no shutdown function).
    • cURL
      • Fixed bug #62085 (file_get_contents a remote file by Curl wrapper will cause cpu Soaring).
    • FPM
      • Fixed bug #62954 (startup problems fpm / php-fpm).
      • Fixed bug #62886 (PHP-FPM may segfault/hang on startup).
      • Fixed bug #63085 (Systemd integration and daemonize).
      • Fixed bug #62947 (Unnecessary warnings on FPM).
      • Fixed bug #62887 (Only /status?plain&full gives "last request cpu").
      • Fixed bug #62216 (Add PID to php-fpm init.d script).
    • Intl
      • Fixed bug #62915 (defective cloning in several intl classes).
    • SOAP
      • Fixed bug #50997 (SOAP Error when trying to submit 2nd Element of a choice).
    • SPL
      • Fixed bug #62987 (Assigning to ArrayObject[null][something] overrides all undefined variables).

    Version 5.4.7

    • Core
      • Fixed bug (segfault while build with zts and GOTO vm-kind)
      • Fixed bug #62955 (Only one directive is loaded from "Per Directory Values" Windows registry)
      • Fixed bug #62844 (parse_url() does not recognize //)
      • Fixed bug #62829 (stdint.h included on platform where HAVE_STDINT_H is not set)
      • Fixed bug #62763 (register_shutdown_function and extending class)
      • Fixed bug #62725 (Calling exit() in a shutdown function does not return the exit value)
      • Fixed bug #62744 (dangling pointers made by zend_disable_class)
      • Fixed bug #62716 (munmap() is called with the incorrect length)
      • Fixed bug #62358 (Segfault w