Three branches of PHP have released new versions, namely 7.4.32, 8.0.24 & 8.1.11, and the updates are mainly to fix bugs and security issues.

PHP 7.4.32

This release resolves the infinite recursion issue with specially constructed phar files and prevents conflicting variable names for the __Host/__Secure HTTP headers. All developers using PHP 7.4 series are recommended to upgrade to this version.

Core:

• fix bugs #81726: phar wrapper: DOS when using quine gzip files (CVE-2022-31628)
• fix bugs #81727: Do not break HTTP variable names that conflict with variable names with specific semantic meanings (CVE-2022-31629)

PHP 8.1.11

This release mainly fixes security issues:

Core:

• fix bugs #81726: phar wrapper: DOS when using quine gzip files (CVE-2022-31628)
• fix bugs #81727: Do not break HTTP variable names that conflict with variable names with specific semantic meanings (CVE-2022-31629)
• Fixed bug GH-9323 (Crash in ZEND_RETURN/GC/zend_call_function)
• Fixed bug GH-9361 (Segmentation fault on script exit #9379).
• Fixed bug GH-9447 (Invalid class FQN emitted by AST dump for new and class constants in constant expressions).

PHP 8.0.24

This release mainly fixes security issues:

Core:

• Fixed bug GH-9323 (Crash in ZEND_RETURN/GC/zend_call_function)
• Fixed bug GH-9361 (Segmentation fault on script exit #9379).
• Fixed bug GH-9407 (LSP error in eval’d code refers to wrong class for static type).
• fix bugs #81727: Do not break HTTP variable names that conflict with variable names with specific semantic meanings (CVE-2022-31629)

See Changelog for details.