Bug#1110354: unblock: php8.4/8.4.11-1

To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: Bug#1110354: unblock: php8.4/8.4.11-1
From: Ondřej Surý <ondrej@sury.org>
Date: Sun, 03 Aug 2025 18:24:52 +0200
Message-id: <[🔎] 175423829239.1914700.16406581172775202274.reportbug@calcifer.rfc1925.org>
Reply-to: Ondřej Surý <ondrej@sury.org>, 1110354@bugs.debian.org

Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock
X-Debbugs-Cc: php8.4@packages.debian.org
Control: affects -1 + src:php8.4

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Please unblock package php8.4

[ Reason ]

As php8.4 gets updated with the upstream version via security anyway, it makes
sense to get the latest version into Trixie for the time of the release, and
minimise the next diff when there is actually a security release next time.

The list of bugs fixed is long, but TBH nothing looks like a critical bug that
**has** to be fixed.

- - Calendar:
  . Fixed jewishtojd overflow on year argument. (David Carlier)

- - Core:
  . Fixed bug GH-18833 (Use after free with weakmaps dependent on destruction
    order). (Daniil Gentili)
  . Fixed bug GH-18907 (Leak when creating cycle in hook). (ilutov)
  . Fix OSS-Fuzz #427814456. (nielsdos)
  . Fix OSS-Fuzz #428983568 and #428760800. (nielsdos)
  . Fixed bug GH-17204 (-Wuseless-escape warnings emitted by re2c). (Peter Kokot)
  . Fixed bug GH-19064 (Undefined symbol 'execute_ex' on Windows ARM64).
    (Demon)

- - Curl:
  . Fix memory leaks when returning refcounted value from curl callback.
    (nielsdos)
  . Remove incorrect string release. (nielsdos)

- - DOM:
  . Fixed bug GH-18979 (Dom\XMLDocument::createComment() triggers undefined
    behavior with null byte). (nielsdos)

- - LDAP:
  . Fixed GH-18902 ldap_exop/ldap_exop_sync assert triggered on empty
    request OID. (David Carlier)

- - MbString:
  . Fixed bug GH-18901 (integer overflow mb_split). (nielsdos)

- - Opcache:
  . Fixed bug GH-18639 (Internal class aliases can break preloading + JIT).
    (nielsdos)
  . Fixed bug GH-18899 (JIT function crash when emitting undefined variable
    warning and opline is not set yet). (nielsdos)
  . Fixed bug GH-14082 (Segmentation fault on unknown address 0x600000000018
    in ext/opcache/jit/zend_jit.c). (nielsdos)
  . Fixed bug GH-18898 (SEGV zend_jit_op_array_hot with property hooks
    and preloading). (nielsdos)

- - OpenSSL:
  . Fixed bug #80770 (It is not possible to get client peer certificate with
    stream_socket_server). (Jakub Zelenka)

- - PCNTL:
  . Fixed bug GH-18958 (Fatal error during shutdown after pcntl_rfork() or
    pcntl_forkx() with zend-max-execution-timers). (Arnaud)

- - Phar:
  . Fix stream double free in phar. (nielsdos, dixyes)
  . Fix phar crash and file corruption with SplFileObject. (nielsdos)

- - SOAP:
  . Fixed bug GH-18990, bug #81029, bug #47314 (SOAP HTTP socket not closing
    on object destruction). (nielsdos)
  . Fix memory leak when URL parsing fails in redirect. (Girgias)

- - SPL:
  . Fixed bug GH-19094 (Attaching class with no Iterator implementation to
    MultipleIterator causes crash). (nielsdos)

- - Standard:
  . Fix misleading errors in printf(). (nielsdos)
  . Fix RCN violations in array functions. (nielsdos)
  . Fixed GH-18976 pack() overflow with h/H format and INT_MAX repeater value.
    (David Carlier)

- - Streams:
  . Fixed GH-13264 (fgets() and stream_get_line() do not return false on filter
    fatal error). (Jakub Zelenka)

- - Zip:
  . Fix leak when path is too long in ZipArchive::extractTo(). (nielsdos)

[ Impact ]

This is more a reputational problem than technical one.  I've heard this many
times that Debian is outdated already when released.

[ Tests ]

There's this whole battery of upstream tests.

[ Risks ]

The usual, but given that we didn't really have many problems since we started
using upstream PHP versions for security updates, I would assess the risk is
quite low.

[ Checklist ]
  [x] all changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in testing

[ Other info ]

It's up to your discretion; I am not pushing this very hard, but it makes sense
to me to have this updated before the final release date.

unblock php8.4/8.4.11-1


-----BEGIN PGP SIGNATURE-----

iQKTBAEBCgB9FiEEw2Gx4wKVQ+vGJel9g3Kkd++uWcIFAmiPjVRfFIAAAAAALgAo
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEMz
NjFCMUUzMDI5NTQzRUJDNjI1RTk3RDgzNzJBNDc3RUZBRTU5QzIACgkQg3Kkd++u
WcKsGw//Xy9zRdGoYWCAsU6m9e4vfh8vTJjURclloNc7ciNjdariadRPD1HQFQD8
9GvZo5H2+t+qwAk4Tax6+n+FLwZtScqNtSCeg86wfaeQbWJ80AXYSLZkdXop4MOx
2+xq7ERfe5xm6i2Bo2gtzky99QVnhdljmrJsdrCBEb56YI2tlvlfmAB533BUiAWs
dayFo0eFl6VHymo+FwmNFd6F9O7IMixT7IVpv/vKBsW7/YLAUxzlpX3VSThwuQ1O
OhvBioTTOlxy/3DVbNpl81tUVID3Op1lPSm5wGvE1VmGAuQnDqw6lJj7AYzA6xWU
/v7qw+k9/jtj7El1kjNj2rUbrJDOu964Gx6uCr3e/lXbfS6fzR2plaQ/oaN9mf8l
nvyPA3cfwV+Wo+91jQNQeTuk4LXtzr4v05uu9JN63PeqTtzEPHo39j1NkE86cGQc
5BCtVIheF0TBULhrJO0z2qBewgGxRxW6aF5BCUpJ+GHg8aXuGQ9vru4+ZhiFBX45
CejW7+XRdJPYL4Qz+Yg8SMbjYgQfvE2nZ4SZaAVNNIQ/nFlkgFeO7Qqsu1jwuV/L
BEDLr5oLLM8/RpMoF44fiBGuiHfaf3RBRDSt4oJ8LuRedWceZVl1WlWq7WsehK0/
FDEBVB6I+3BUceG5CP2lmH5i3e0FqDbsfGhFUL/rvdL7M+XtXQ4=
=nhCE
-----END PGP SIGNATURE-----

Attachment: php8.4_8.4.10-1..8.4.11-1.debdiff.xz
Description: application/xz

Reply to:

Follow-Ups:
- Processed: unblock: php8.4/8.4.11-1
  - From: "Debian Bug Tracking System" <owner@bugs.debian.org>
- Bug#1110354: marked as done (unblock: php8.4/8.4.11-1)
  - From: "Debian Bug Tracking System" <owner@bugs.debian.org>

Prev by Date: Processed: unblock: php8.4/8.4.11-1
Next by Date: Bug#1110080: rustc-web 1.85.0+dfsg3-1~deb12u3 flagged for acceptance
Previous by thread: NEW changes in oldstable-new
Next by thread: Processed: unblock: php8.4/8.4.11-1
Index(es):
- Date
- Thread