Merge branch 'PHP-8.3' into PHP-8.4

iluuu1994 · iluuu1994 · commit e77f582d5a7b · 2026-05-06T13:47:39.000+02:00
* PHP-8.3:
  [skip ci] Add NEWS entries for 8.2.31 security issues
diff --git a/NEWS b/NEWS
@@ -44,17 +44,30 @@ PHP                                                                        NEWS
   . Add support for brotli and zstd on Windows. (Shivam Mathur)
 
 - DOM:
-  . Fixed bug GH-21566 (Dom\XMLDocument::C14N() emits duplicate xmlns
-    declarations after setAttributeNS()). (David Carlier)
+  . Fixed GHSA-4jhr-8w89-j733 and GH-21566 (Dom\XMLDocument::C14N() emits
+    duplicate xmlns declarations after setAttributeNS()). (CVE-2026-7263)
+    (David Carlier)
   . Fixed bug GH-21688 (segmentation fault on empty HTMLDocument).
     (David Carlier)
-  . Upgrade to lexbor v2.7.0. (ndossche, ilutov)
+  . Upgrade to lexbor v2.7.0. (CVE-2026-29078, CVE-2026-29079)
+    (ndossche, ilutov)
   . Fixed bug GH-21544 (Dom\XMLDocument::C14N*( drops namespace declarations
     on DOM-built documents). (David Carlier, ndossche)
 
+- FPM:
+  . Fixed GHSA-7qg2-v9fj-4mwv (XSS within status endpoint). (CVE-2026-6735)
+    (Jakub Zelenka)
+
 - Iconv:
   . Fixed bug GH-17399 (iconv memory leak on bailout). (iliaal)
 
+- MBString:
+  . Fixed GHSA-wm6j-2649-pv75 (Null pointer dereference in
+    php_mb_check_encoding() via mb_ereg_search_init()). (CVE-2026-7259)
+    (vi3tL0u1s)
+  . Fixed GHSA-74r9-qxhc-fx53 (Out-of-bounds access in mbfl_name2encoding_ex()).
+    (CVE-2026-6104) (ilutov)
+
 - Opcache:
   . Fixed bug GH-21158 (JIT: Assertion jit->ra[var].flags & (1<<0) failed in
     zend_jit_use_reg). (Arnaud)
@@ -65,6 +78,10 @@ PHP                                                                        NEWS
 - OpenSSL:
   . Fix a bunch of memory leaks and crashes on edge cases. (ndossche)
 
+- PDO_Firebird:
+  . Fixed GHSA-w476-322c-wpvm (SQL injection via NUL bytes in quoted strings).
+    (CVE-2025-14179) (SakiTakamachi)
+
 - Phar:
   . Restore is_link handler in phar_intercept_functions_shutdown. (iliaal)
   . Fixed bug GH-21797 (phar: NULL dereference in Phar::webPhar() when
@@ -84,12 +101,26 @@ PHP                                                                        NEWS
   . Fixed memory leak when session GC callback return a refcounted value.
     (jorgsowa)
 
+- SOAP:
+  . Fixed GHSA-85c2-q967-79q5 (Stale SOAP_GLOBAL(ref_map) pointer with Apache
+    Map). (CVE-2026-6722) (ilutov)
+  . Fixed GHSA-m33r-qmcv-p97q (Use-after-free after header parsing failure with
+    SOAP_PERSISTENCE_SESSION). (CVE-2026-7261) (ilutov)
+  . Fixed GHSA-hmxp-6pc4-f3vv (Broken Apache map value NULL check).
+    (CVE-2026-7262) (ilutov)
+
 - SPL:
   . Fixed bug GH-21499 (RecursiveArrayIterator getChildren UAF after parent
     free). (Girgias)
   . Fix concurrent iteration and deletion issues in SplObjectStorage.
     (ndossche)
 
+- Standard:
+  . Fixed GHSA-96wq-48vp-hh57 (Signed integer overflow of char array offset).
+    (CVE-2026-7568) (TimWolla)
+  . Fixed GHSA-m8rr-4c36-8gq4 (Consistently pass unsigned char to ctype.h
+    functions). (CVE-2026-7258) (ilutov)
+
 - Streams:
   . Fixed bug GH-21468 (Segfault in file_get_contents w/ a https URL
     and a proxy set). (ndossche)
