Author: Saki Takamachi (SakiTakamachi)
Date: 2025-12-19T08:21:03+09:00

Commit: 
https://github.com/php/web-php/commit/2c883c5a0c199f0be977da122dd160236a00e968
Raw diff: 
https://github.com/php/web-php/commit/2c883c5a0c199f0be977da122dd160236a00e968.diff

Announce PHP 8.4.16

Changed paths:
  A  archive/entries/2025-12-18-4.xml
  A  releases/8_4_16.php
  M  ChangeLog-8.php
  M  archive/archive.xml
  M  include/release-qa.php
  M  include/releases.inc
  M  include/version.inc


Diff:

diff --git a/ChangeLog-8.php b/ChangeLog-8.php
index 56cc605139..5e0f7aaccd 100644
--- a/ChangeLog-8.php
+++ b/ChangeLog-8.php
@@ -599,6 +599,111 @@
 
 <a id="PHP_8_4"></a>
 
+<section class="version" id="8.4.16"><!-- {{{ 8.4.16 -->
+<h3>Version 8.4.16</h3>
+<b><?php release_date('18-Dec-2025'); ?></b>
+<ul><li>Core:
+<ul>
+  <li>Sync all boost.context files with release 1.86.0.</li>
+  <li>Fixed bug <?php githubissuel('php/php-src', 20435); ?> 
(SensitiveParameter doesn't work for named argument passing to variadic 
parameter).</li>
+  <li>Fixed bug <?php githubissuel('php/php-src', 20286); ?> 
(use-after-destroy during userland stream_close()).</li>
+</ul></li>
+<li>Bz2:
+<ul>
+  <li>Fix assertion failures resulting in crashes with stream filter object 
parameters.</li>
+</ul></li>
+<li>Date:
+<ul>
+  <li>Fix crashes when trying to instantiate uninstantiable classes via date 
static constructors.</li>
+</ul></li>
+<li>DOM:
+<ul>
+  <li>Fix memory leak when edge case is hit when registering xpath 
callback.</li>
+  <li>Fixed bug <?php githubissuel('php/php-src', 20395); ?> (querySelector 
and querySelectorAll requires elements in $selectors to be lowercase).</li>
+  <li>Fix missing NUL byte check on C14NFile().</li>
+</ul></li>
+<li>Fibers:
+<ul>
+  <li>Fixed bug <?php githubissuel('php/php-src', 20483); ?> (ASAN stack 
overflow with fiber.stack_size INI small value).</li>
+</ul></li>
+<li>FTP:
+<ul>
+  <li>Fixed bug <?php githubissuel('php/php-src', 20601); ?> (ftp_connect 
overflow on timeout).</li>
+</ul></li>
+<li>GD:
+<ul>
+  <li>Fixed bug <?php githubissuel('php/php-src', 20511); ?> 
(imagegammacorrect out of range input/output values).</li>
+  <li>Fixed bug <?php githubissuel('php/php-src', 20602); ?> (imagescale 
overflow with large height values).</li>
+</ul></li>
+<li>Intl:
+<ul>
+  <li>Fixed bug <?php githubissuel('php/php-src', 20426); ?> 
(Spoofchecker::setRestrictionLevel() error message suggests missing 
constants).</li>
+</ul></li>
+<li>LibXML:
+<ul>
+  <li>Fix some deprecations on newer libxml versions regarding input 
buffer/parser handling.</li>
+</ul></li>
+<li>MbString:
+<ul>
+  <li>Fixed bug <?php githubissuel('php/php-src', 20491); ?> (SLES15 compile 
error with mbstring oniguruma).</li>
+  <li>Fixed bug <?php githubissuel('php/php-src', 20492); ?> (mbstring compile 
warning due to non-strings).</li>
+</ul></li>
+<li>MySQLnd:
+<ul>
+  <li>Fixed bug <?php githubissuel('php/php-src', 20528); ?> (Regression 
breaks mysql connexion using an IPv6 address enclosed in square brackets).</li>
+</ul></li>
+<li>Opcache:
+<ul>
+  <li>Fixed bug <?php githubissuel('php/php-src', 20329); ?> 
(opcache.file_cache broken with full interned string buffer).</li>
+</ul></li>
+<li>PDO:
+<ul>
+  <li>Fixed <?php githubsecurityl('php/php-src', '8xr5-qppj-gvwj'); ?> (PDO 
quoting result null deref). (CVE-2025-14180)</li>
+</ul></li>
+<li>Phar:
+<ul>
+  <li>Fixed bug <?php githubissuel('php/php-src', 20442); ?> (Phar does not 
respect case-insensitiveness of __halt_compiler() when reading stub).</li>
+  <li>Fix broken return value of fflush() for phar file entries.</li>
+  <li>Fix assertion failure when fseeking a phar file out of bounds.</li>
+</ul></li>
+<li>PHPDBG:
+<ul>
+  <li>Fixed ZPP type violation in phpdbg_get_executable() and 
phpdbg_end_oplog().</li>
+</ul></li>
+<li>SPL:
+<ul>
+  <li>Fixed bug <?php githubissuel('php/php-src', 20614); ?> (SplFixedArray 
incorrectly handles references in deserialization).</li>
+</ul></li>
+<li>Standard:
+<ul>
+  <li>Fix memory leak in array_diff() with custom type checks.</li>
+  <li>Fixed bug <?php githubissuel('php/php-src', 20583); ?> (Stack overflow 
in http_build_query via deep structures).</li>
+  <li>Fixed <?php githubsecurityl('php/php-src', 'www2-q4fc-65wf'); ?> (Null 
byte termination in dns_get_record()).</li>
+  <li>Fixed <?php githubsecurityl('php/php-src', 'h96m-rvf9-jgm2'); ?> (Heap 
buffer overflow in array_merge()). (CVE-2025-14178)</li>
+  <li>Fixed <?php githubsecurityl('php/php-src', '3237-qqm7-mfv7'); ?> 
(Information Leak of Memory in getimagesize). (CVE-2025-14177)</li>
+</ul></li>
+<li>Tidy:
+<ul>
+  <li>Fixed bug <?php githubissuel('php/php-src', 20374); ?> (PHP with tidy 
and custom-tags).</li>
+</ul></li>
+<li>XML:
+<ul>
+  <li>Fixed bug <?php githubissuel('php/php-src', 20439); ?> 
(xml_set_default_handler() does not properly handle special characters in 
attributes when passing data to callback).</li>
+</ul></li>
+<li>Zip:
+<ul>
+  <li>Fix crash in property existence test.</li>
+  <li>Don't truncate return value of zip_fread() with user sizes.</li>
+</ul></li>
+<li>Zlib:
+<ul>
+  <li>Fix assertion failures resulting in crashes with stream filter object 
parameters.</li>
+</ul></li>
+</ul>
+<!-- }}} --></section>
+
+
+
 <section class="version" id="8.4.15"><!-- {{{ 8.4.15 -->
 <h3>Version 8.4.15</h3>
 <b><?php release_date('20-Nov-2025'); ?></b>
diff --git a/archive/archive.xml b/archive/archive.xml
index f13c6bd56b..7a8ccfd0eb 100644
--- a/archive/archive.xml
+++ b/archive/archive.xml
@@ -9,6 +9,7 @@
     <uri>http://php.net/contact</uri>
     <email>[email protected]</email>
   </author>
+  <xi:include href="entries/2025-12-18-4.xml"/>
   <xi:include href="entries/2025-12-18-3.xml"/>
   <xi:include href="entries/2025-12-18-2.xml"/>
   <xi:include href="entries/2025-12-18-1.xml"/>
diff --git a/archive/entries/2025-12-18-4.xml b/archive/entries/2025-12-18-4.xml
new file mode 100644
index 0000000000..e946df7712
--- /dev/null
+++ b/archive/entries/2025-12-18-4.xml
@@ -0,0 +1,21 @@
+<?xml version="1.0" encoding="utf-8"?>
+<entry xmlns="http://www.w3.org/2005/Atom";>
+  <title>PHP 8.4.16 Released!</title>
+  <id>https://www.php.net/archive/2025.php#2025-12-18-4</id>
+  <published>2025-12-18T23:19:06+00:00</published>
+  <updated>2025-12-18T23:19:06+00:00</updated>
+  <link href="https://www.php.net/index.php#2025-12-18-4"; rel="alternate" 
type="text/html"/>
+  <link href="https://www.php.net/archive/2025.php#2025-12-18-4"; rel="via" 
type="text/html"/>
+  <category term="releases" label="New PHP release"/>
+  <category term="frontpage" label="PHP.net frontpage news"/>
+  <content type="xhtml">
+    <div xmlns="http://www.w3.org/1999/xhtml";><p>The PHP development team 
announces the immediate availability of PHP 8.4.16. This is a security 
release.</p>
+
+<p>All PHP 8.4 users are encouraged to upgrade to this version.</p>
+
+<p>For source downloads of PHP 8.4.16 please visit our <a 
href="https://www.php.net/downloads.php";>downloads page</a>,
+Windows source and binaries can also be found <a 
href="https://www.php.net/downloads.php?os=windows&amp;version=8.4";>there</a>.
+The list of changes is recorded in the <a 
href="https://www.php.net/ChangeLog-8.php#8.4.16";>ChangeLog</a>.
+</p>    </div>
+  </content>
+</entry>
diff --git a/include/release-qa.php b/include/release-qa.php
index f781064798..11b4c0c9c3 100644
--- a/include/release-qa.php
+++ b/include/release-qa.php
@@ -88,12 +88,12 @@
         'active'  => true,
         'release' => [
             'type'       => 'RC',
-            'number'     => 1,
-            'sha256_bz2' => 
'e6c3a8b14d3b83d1c7870a2785fa52b018a47e99fbca928133fb5db83b45d0f5',
-            'sha256_gz'  => 
'f3c82948de16204e3432a5a26276c67f18b9ee18de3170faebeab6e84e44b33d',
-            'sha256_xz'  => 
'5a9e95594132d1950ccfe250b519382b0f9c9fdb1831d3b3caa338d5fa55b10c',
+            'number'     => 0,
+            'sha256_bz2' => '',
+            'sha256_gz'  => '',
+            'sha256_xz'  => '',
             'date'       => '04 Dec 2025',
-            'baseurl'    => 'https://downloads.php.net/~saki/',
+            'baseurl'    => 'https://downloads.php.net/',
         ],
     ],
 
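Review bot: The reset entry keeps `'active' => true` and the old `'date' => '04 Dec 2025'` while `'number'` drops to 0 and all three `sha256_*` values become empty strings, and nothing in the hunk says that this combination means no RC is currently published. The code that reads this array is outside the hunk, so it is unconfirmed whether every consumer checks `number` before showing a download link or checksum; an empty string displayed as a SHA-256 would give users nothing to verify a tarball against. A one-line comment above `'number'` would document the sentinel, for example `// number 0 = no QA release published; sha256_* intentionally empty`. The enclosing array starts and ends outside the hunk.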
diff --git a/include/releases.inc b/include/releases.inc
index 225c2bd3c1..706db5ebec 100644
--- a/include/releases.inc
+++ b/include/releases.inc
@@ -2,6 +2,43 @@
 $OLDRELEASES = array (
   8 => 
   array (
+    '8.4.15' => 
+    array (
+      'announcement' => 
+      array (
+        'English' => '/releases/8_4_15.php',
+      ),
+      'tags' => 
+      array (
+        0 => '',
+      ),
+      'date' => '20 Nov 2025',
+      'source' => 
+      array (
+        0 => 
+        array (
+          'filename' => 'php-8.4.15.tar.gz',
+          'name' => 'PHP 8.4.15 (tar.gz)',
+          'sha256' => 
'51d23c98073c1e88c98c12b175736a11316cd3d4753f8d060934e53e5a9945c3',
+          'date' => '20 Nov 2025',
+        ),
+        1 => 
+        array (
+          'filename' => 'php-8.4.15.tar.bz2',
+          'name' => 'PHP 8.4.15 (tar.bz2)',
+          'sha256' => 
'b7155bdd498d60d63e4bc320dc224863976d31b5bd9339699726c961255a3197',
+          'date' => '20 Nov 2025',
+        ),
+        2 => 
+        array (
+          'filename' => 'php-8.4.15.tar.xz',
+          'name' => 'PHP 8.4.15 (tar.xz)',
+          'sha256' => 
'a060684f614b8344f9b34c334b6ba8db1177555997edb5b1aceab0a4b807da7e',
+          'date' => '20 Nov 2025',
+        ),
+      ),
+      'museum' => false,
+    ),
     '8.2.29' => 
     array (
       'announcement' => 
diff --git a/include/version.inc b/include/version.inc
index 8af309dad2..856038964a 100644
--- a/include/version.inc
+++ b/include/version.inc
@@ -34,13 +34,13 @@ $RELEASES = (function () {
 
     /* PHP 8.4 Release */
     $data['8.4'] = [
-        'version' => '8.4.15',
-        'date' => '20 Nov 2025',
-        'tags' => [''], // Set to ['security'] for security releases.
+        'version' => '8.4.16',
+        'date' => '18 Dec 2025',
+        'tags' => ['security'], // Set to ['security'] for security releases.
         'sha256' => [
-            'tar.gz' => 
'51d23c98073c1e88c98c12b175736a11316cd3d4753f8d060934e53e5a9945c3',
-            'tar.bz2' => 
'b7155bdd498d60d63e4bc320dc224863976d31b5bd9339699726c961255a3197',
-            'tar.xz' => 
'a060684f614b8344f9b34c334b6ba8db1177555997edb5b1aceab0a4b807da7e',
+            'tar.gz' => 
'8e35d24f148ea7c2a93e9b9bcc329e8bf78b5bb922f3723a727c74c19d184e98',
+            'tar.bz2' => 
'6c48c65eba6a2f7a102925d08772239b1f45110aed2187fdd81b933ed439c692',
+            'tar.xz' => 
'f66f8f48db34e9e29f7bfd6901178e9cf4a1b163e6e497716dfcb8f88bcfae30',
         ]
     ];
 
diff --git a/releases/8_4_16.php b/releases/8_4_16.php
new file mode 100644
index 0000000000..e02dd3590f
--- /dev/null
+++ b/releases/8_4_16.php
@@ -0,0 +1,16 @@
+<?php
+$_SERVER['BASE_PAGE'] = 'releases/8_4_16.php';
+include_once __DIR__ . '/../include/prepend.inc';
+site_header('PHP 8.4.16 Release Announcement');
+?>
+<h1>PHP 8.4.16 Release Announcement</h1>
+
+<p>The PHP development team announces the immediate availability of PHP 
8.4.16. This is a security release.</p>
+
+<p>All PHP 8.4 users are encouraged to upgrade to this version.</p>
+
+<p>For source downloads of PHP 8.4.16 please visit our <a 
href="https://www.php.net/downloads.php";>downloads page</a>,
+Windows source and binaries can also be found <a 
href="https://www.php.net/downloads.php?os=windows&amp;version=8.4";>there</a>.
+The list of changes is recorded in the <a 
href="https://www.php.net/ChangeLog-8.php#8.4.16";>ChangeLog</a>.
+</p>
+<?php site_footer();
