head 1.7; access; symbols pkgsrc-2026Q1:1.4.0.2 pkgsrc-2026Q1-base:1.4; locks; strict; comment @# @; 1.7 date 2026.06.06.02.42.08; author taca; state Exp; branches; next 1.6; commitid smE9HsoPLsNVpGIG; 1.6 date 2026.05.08.02.10.51; author taca; state Exp; branches; next 1.5; commitid lwkCq3KpQuaYaXEG; 1.5 date 2026.04.09.15.26.52; author taca; state Exp; branches; next 1.4; commitid kPqJDWes0tXQviBG; 1.4 date 2026.03.15.15.30.49; author taca; state Exp; branches 1.4.2.1; next 1.3; commitid ATQ5rwbpac13l5yG; 1.3 date 2026.02.13.15.27.19; author taca; state Exp; branches; next 1.2; commitid 9c8FM0ozxGqDheuG; 1.2 date 2026.01.19.15.35.56; author taca; state Exp; branches; next 1.1; commitid iuWV4JK38EAp81rG; 1.1 date 2026.01.08.13.38.00; author taca; state Exp; branches; next ; commitid h0n1I71fiLUQPApG; 1.4.2.1 date 2026.05.09.17.25.26; author bsiegert; state Exp; branches; next 1.4.2.2; commitid 24d1hr0hmXtMcaFG; 1.4.2.2 date 2026.06.09.22.44.44; author maya; state Exp; branches; next ; commitid vdljs84ScIMxYaJG; desc @@ 1.7 log @lang/php85: update to 8.5.7 PHP 8.5.7 (2026-06-04) - CLI: . Fixed bug GH-21901 (Stale getopt() optional value). (onthebed) - Date: . Fixed bug GH-18422 (int overflow in php_date_llabs). (iliaal) - DOM: . Fixed bug GH-22077 (UAF in custom XPath function). (afflerbach/David Carlier) - Opcache: . Fixed tracing JIT crash when a VM interrupt is handled during an observed user function call. (Levi Morrison) . Fixed bug GH-21746 (Segfault with tracing JIT). (Arnaud) . Fixed bug GH-22004 (Assertion failure at ext/opcache/jit/zend_jit_trace.c). (Arnaud) . Fixed tailcall VM crash when a VM interrupt is handled from a VM helper. (Levi Morrison, Arnaud) - OpenSSL: . Fix compatibility issues with OpenSSL 4.0. (jordikroon, Remi) - Standard: . Fixed bug GH-21689 (version_compare() incorrectly handles versions ending with a dot). (timwolla) - URI: . 
Fixed CVE-2026-44927 (In uriparser before 1.0.2, there is pointer difference truncation to int in various places). (CVE-2026-44927) (Sebastian Pipping) . Fixed CVE-2026-44928 (In uriparser before 1.0.2, the function family EqualsUri can misclassify two unequal URIs as equal). (CVE-2026-44928) (Sebastian Pipping) @ text @$NetBSD: distinfo,v 1.6 2026/05/08 02:10:51 taca Exp $ BLAKE2s (php-8.5.7.tar.xz) = 008b5a92e8777af2bb9df7e20b65ddabc5570146533914bbf1b99283384868a6 SHA512 (php-8.5.7.tar.xz) = 2d4081b8684936afae946d5cc4d6714a6e40f8a25c9a286fe22190600896ab447293a0a73f58fae09d4543153134fd0b6a1131dccfc2b585406ae2a4d9aa08b7 Size (php-8.5.7.tar.xz) = 14398060 bytes SHA1 (patch-build_Makefile.global) = 570d813a05626f633e2ce380ab6668fdc7e8f030 SHA1 (patch-build_php.m4) = bb72e38ab391ad587962940ba85e8d4de8633dca SHA1 (patch-configure.ac) = 20c95915d5e4aa622d04ee923c626789c44fef11 SHA1 (patch-ext_pcntl_pcntl.c) = 0b741d6b501ae1f4932a98de79a860eef2ee1a14 SHA1 (patch-ext_phar_Makefile.frag) = 53ea5c58b0bc27d236118d5750a74b1cba43e5dd SHA1 (patch-ext_standard_php__fopen__wrapper.c) = 0a2c19c18f089448a8d842e99738b292ab9e5640 SHA1 (patch-main_streams_streams.c) = d699ce7d3a300ffb39494b3f1fa5e0958f714483 SHA1 (patch-php.ini-development) = 2974af3c5f923491d4d23f85a3dcf24d91ce7c86 SHA1 (patch-php.ini-production) = 023ba88c06470e32b18d5502bc500dd7c2510702 SHA1 (patch-sapi_apache2handler_config.m4) = 6b1834b9c212887fbcc1b6679858d5dd8eb4e19b SHA1 (patch-sapi_cgi_Makefile.frag) = 067526fdf543a3c73cc2d1f4ed18da3f94c74d55 SHA1 (patch-sapi_cgi_config9.m4) = 473d5bd351138538bb6f2c394982df35b6543714 SHA1 (patch-sapi_cli_Makefile.frag) = 1cd29d09042863acbf5330e406410fdcf75d06b3 SHA1 (patch-sapi_fpm_fpm_fpm__conf.c) = 26f25b64d71e4d4d89c19b04433b10abc6673504 SHA1 (patch-sapi_fpm_php-fpm.conf.in) = 86e0de84d2e273bf63e475716c1eda1ea5d7937f SHA1 (patch-sapi_fpm_www.conf.in) = 2299f6de1d4c0ead4fe41eca4af5ea3e8e7b3a35 SHA1 (patch-scripts_Makefile.frag) = e3eb2fd682e0b5048995007c040aebaa9d135fe9 
SHA1 (patch-scripts_php-config.in) = b43fb08f2bcb99fb96fd967efd85ee871382b0c6 SHA1 (patch-scripts_phpize.in) = 29245d9fc487a0800de4a9a7670b0a65a765bb58 @ 1.6 log @lang/php85: update to 8.5.6 PHP 8.5.6 (2026-05-07) - Core: . Fixed bug GH-19983 (GC assertion failure with fibers, generators and destructors). (iliaal) . Fixed ZEND_API mismatch on zend_ce_closure forward decl for Windows+Clang. (henderkes) . Fixed bug GH-21504 (Incorrect RC-handling for ZEND_EXT_STMT op1). (ilutov) . Fixed bug GH-21478 (Forward property operations to real instance for initialized lazy proxies). (iliaal) . Fixed bug GH-21605 (Missing addref for Countable::count()). (ilutov) . Fixed bug GH-21699 (Assertion failure in shutdown_executor when resolving self::/parent::/static:: callables if the error handler throws). (macoaure) . Fixed bug GH-21603 (Missing addref for __unset). (ilutov) . Fixed bug GH-21760 (Trait with class constant name conflict against enum case causes SEGV). (Pratik Bhujel) - CLI: . Fixed bug GH-21754 (`--rf` command line option with a method triggers ext/reflection deprecation warnings). (DanielEScherzer) - Curl: . Add support for brotli and zstd on Windows. (Shivam Mathur) - DOM: . Fixed GHSA-4jhr-8w89-j733 and GH-21566 (Dom\XMLDocument::C14N() emits duplicate xmlns declarations after setAttributeNS()). (CVE-2026-7263) (David Carlier) - FPM: . Fixed GHSA-7qg2-v9fj-4mwv (XSS within status endpoint). (CVE-2026-6735) (Jakub Zelenka) - Iconv: . Fixed bug GH-17399 (iconv memory leak on bailout). (iliaal) - Lexbor: . Upgrade to lexbor v2.7.0. (CVE-2026-29078, CVE-2026-29079) (ndossche, ilutov) - MBString: . Fixed GHSA-wm6j-2649-pv75 (Null pointer dereference in php_mb_check_encoding() via mb_ereg_search_init()). (CVE-2026-7259) (vi3tL0u1s) . Fixed GHSA-74r9-qxhc-fx53 (Out-of-bounds access in mbfl_name2encoding_ex()). (CVE-2026-6104) (ilutov) - Opcache: . Fixed bug GH-21158 (JIT: Assertion jit->ra[var].flags & (1<<0) failed in zend_jit_use_reg). (Arnaud) . 
Fixed bug GH-21593 (Borked function JIT JMPNZ smart branch). (ilutov) . Fixed bug GH-21460 (COND optimization regression). (Dmitry, Arnaud) . Fixed faulty returns out of zend_try block in zend_jit_trace(). (ilutov) - OpenSSL: . Fix memory leak regression in openssl_pbkdf2(). (ndossche) . Fix a bunch of memory leaks and crashes on edge cases. (ndossche) - PDO_Firebird: . Fixed GHSA-w476-322c-wpvm (SQL injection via NUL bytes in quoted strings). (CVE-2025-14179) (SakiTakamachi) - PDO_PGSQL: . Fixed bug GH-21683 (pdo_pgsql throws with ATTR_PREFETCH=0 on empty result set). (thomasschiet) - Phar: . Restore is_link handler in phar_intercept_functions_shutdown. (iliaal) . Fixed bug GH-21797 (phar: NULL dereference in Phar::webPhar() when SCRIPT_NAME is absent from SAPI environment). (iliaal) . Fix memory leak in Phar::offsetGet(). (iliaal) . Fix memory leak in phar_add_file(). (iliaal) . Fixed bug GH-21799 (phar: propagate phar_stream_flush return value from phar_stream_close). (iliaal) . Fix memory leak in phar_verify_signature() when md_ctx is invalid. (JarneClauw) - Random: . Fixed bug GH-21731 (Random\Engine\Xoshiro256StarStar::__unserialize() accepts all-zero state). (iliaal) - Session: . Fixed memory leak when session GC callback returns a refcounted value. (jorgsowa) - SOAP: . Fixed GHSA-85c2-q967-79q5 (Stale SOAP_GLOBAL(ref_map) pointer with Apache Map). (CVE-2026-6722) (ilutov) . Fixed GHSA-m33r-qmcv-p97q (Use-after-free after header parsing failure with SOAP_PERSISTENCE_SESSION). (CVE-2026-7261) (ilutov) . Fixed GHSA-hmxp-6pc4-f3vv (Broken Apache map value NULL check). (CVE-2026-7262) (ilutov) - SPL: . Fixed bug GH-21499 (RecursiveArrayIterator getChildren UAF after parent free). (Girgias) . Fix concurrent iteration and deletion issues in SplObjectStorage. (ndossche) - Sqlite3: . Fixed wrong free list comparator pointer type. (David Carlier) - Standard: . Fixed GHSA-96wq-48vp-hh57 (Signed integer overflow of char array offset). (CVE-2026-7568) (TimWolla) . 
Fixed GHSA-m8rr-4c36-8gq4 (Consistently pass unsigned char to ctype.h functions). (CVE-2026-7258) (ilutov) - Streams: . Fixed bug GH-21468 (Segfault in file_get_contents w/ a https URL and a proxy set). (ndossche) - URI: . Fixed CVE-2026-42371 (uriparser before 1.0.1 has numeric truncation in text range comparison). (CVE-2026-42371) (Joshua W. Windle) @ text @d1 1 a1 1 $NetBSD: distinfo,v 1.5 2026/04/09 15:26:52 taca Exp $ d3 3 a5 3 BLAKE2s (php-8.5.6.tar.xz) = 9ddd69e000b551d0534bcf0fecf68bfb270d20fc772e901054e715caba9c7682 SHA512 (php-8.5.6.tar.xz) = e0ce5430809d5347ffdaba827e2c62fefb570b112014add16be545fd444ec374ebc76c373d5a254930538994a639ddd15508cd1083c4ead8ea0b76e7cead0c7c Size (php-8.5.6.tar.xz) = 14392820 bytes @ 1.5 log @lang/php85: update to 8.5.5 PHP 8.5.5 (2026-04-09) - Core: . Fixed bug GH-20672 (Incorrect property_info sizing for locally shadowed trait properties). (ilutov) . Fixed bugs GH-20875, GH-20873, GH-20854 (Propagate IN_GET guard in get_property_ptr_ptr for lazy proxies). (iliaal) - Bz2: . Fix truncation of total output size causing erroneous errors. (ndossche) - DOM: . Fixed bug GH-21486 (Dom\HTMLDocument parser mangles xml:space and xml:lang attributes). (ndossche) - FFI: . Fixed resource leak in FFI::cdef() on symbol resolution failure. (David Carlier) - GD: . Fixed bug GH-21431 (phpinfo() to display libJPEG 10.0 support). (David Carlier) - Opcache: . Fixed bug GH-21052 (Preloaded constant erroneously propagated to file-cached script). (ilutov) . Fixed bug GH-20838 (JIT compiler produces wrong arithmetic results). (Dmitry, iliaal) . Fixed bug GH-21267 (JIT tracing: infinite loop on FETCH_OBJ_R with IS_UNDEF property in polymorphic context). (Dmitry, iliaal) . Fixed bug GH-21395 (uaf in jit). (ndossche) - OpenSSL: . Fixed bug GH-21083 (Skip private_key_bits validation for EC/curve-based keys). (iliaal) . Fix missing error propagation for BIO_printf() calls. (ndossche) - PCNTL: . 
Fixed signal handler installation on AIX by bumping the storage size of the num_signals global. (Calvin Buckley) - PCRE: . Fixed re-entrancy issue on php_pcre_match_impl, php_pcre_replace_impl, php_pcre_split_impl, and php_pcre_grep_impl. (David Carlier) - Phar: . Fixed bug GH-21333 (use after free when unlinking entries during iteration of a compressed phar). (David Carlier) - SNMP: . Fixed bug GH-21336 (SNMP::setSecurity() undefined behavior with NULL arguments). (David Carlier) - SOAP: . Fixed Set-Cookie parsing bug wrong offset while scanning attributes. (David Carlier) - SPL: . Fixed bug GH-21454 (missing write lock validation in SplHeap). (ndossche) - Standard: . Fixed bug GH-20906 (Assertion failure when messing up output buffers). (ndossche) . Fixed bug GH-20627 (Cannot identify some avif images with getimagesize). (y-guyon) - Sysvshm: . Fix memory leak in shm_get_var() when variable is corrupted. (ndossche) - XSL: . Fix GH-21357 (XSLTProcessor works with DOMDocument, but fails with Dom\XMLDocument). (ndossche) . Fixed bug GH-21496 (UAF in dom_objects_free_storage). (David Carlier/ndossche) @ text @d1 1 a1 1 $NetBSD: distinfo,v 1.4 2026/03/15 15:30:49 taca Exp $ d3 3 a5 3 BLAKE2s (php-8.5.5.tar.xz) = 3b30286ad4501a48ef3bd1dc803eb0a0497b17f9d0213f8ac5d8c0e31338e1b4 SHA512 (php-8.5.5.tar.xz) = aac94c5788ea26fddd59b1bf9604c4bba393ae7fc8539efa0522c9389cc97e8e63f95e924ae81e54dc9e12f05897f05372fae3fafde8f1694c50a82b4cbf3896 Size (php-8.5.5.tar.xz) = 14355236 bytes @ 1.4 log @lang/php85: update to 8.5.4 PHP 8.5.4 (2026-03-12) - Core: . Fixed bug GH-21029 (zend_mm_heap corrupted on Aarch64, LTO builds). (Arnaud) . Fixed bug GH-21059 (Segfault when preloading constant AST closure). (ilutov) . Fixed bug GH-21072 (Crash on (unset) cast in constant expression). (arshidkv12) . Fix deprecation now showing when accessing null key of an array with JIT. (alexandre-daubois) . 
Fixed bug GH-20657 (Assertion failure in zend_lazy_object_get_info triggered by setRawValueWithoutLazyInitialization() and newLazyGhost()). (Arnaud) . Fixed bug GH-20504 (Assertion failure in zend_get_property_guard when accessing properties on Reflection LazyProxy via isset()). (Arnaud) . Fixed OSS-Fuzz #478009707 (Borked assign-op/inc/dec on untyped hooked property backing value). (ilutov) . Fixed bug GH-21215 (Build fails with -std=). (Arnaud) . Fixed bug GH-13674 (Build system installs libtool wrappers when using slibtool). (Michael Orlitzky) - Curl: . Don't truncate length. (ndossche) - Date: . Fixed bug GH-20936 (DatePeriod::__set_state() cannot handle null start). (ndossche) . Fix timezone offset with seconds losing precision. (ndossche) - DOM: . Fixed bug GH-21077 (Accessing Dom\Node::baseURI can throw TypeError). (ndossche) . Fixed bug GH-21097 (Accessing Dom\Node properties can throw TypeError). (ndossche) - LDAP: . Fixed bug GH-21262 (ldap_modify() too strict controls argument validation makes it impossible to unset attribute). (David Carlier) - MBString: . Fixed bug GH-21223; mb_guess_encoding no longer crashes when passed huge list of candidate encodings (with 200,000+ entries). (Jordi Kroon) - Opcache: . Fixed bug GH-20718 ("Insufficient shared memory" when using JIT on Solaris). (Petr Sumbera) . Fixed bug GH-21227 (Borked SCCP of array containing partial object). (ilutov) - OpenSSL: . Fix a bunch of leaks and error propagation. (ndossche) - Windows: . Fixed compilation with clang (missing intrin.h include). 
(Kévin Dunglas) @ text @d1 1 a1 1 $NetBSD: distinfo,v 1.3 2026/02/13 15:27:19 taca Exp $ d3 3 a5 3 BLAKE2s (php-8.5.4.tar.xz) = 37a88c3b413c5acd47d4e7ef68aeb586dac7fd06b25e273e5577d27f2c1d0109 SHA512 (php-8.5.4.tar.xz) = e21723dc511b3bece1562f4b7a672b8db1775460515e345904a3a8283dd6bd398a8248507aae5ab2f89b4d5d8515875da7e34593fba471a675d8931a30bf49df Size (php-8.5.4.tar.xz) = 14348800 bytes @ 1.4.2.1 log @Pullup ticket #7106 - requested by taca lang/php85: security fix Revisions pulled up: - lang/php/phpversion.mk 1.495,1.500 - lang/php85/distinfo 1.5-1.6 --- Module Name: pkgsrc Committed By: taca Date: Thu Apr 9 15:26:52 UTC 2026 Modified Files: pkgsrc/lang/php: phpversion.mk pkgsrc/lang/php85: distinfo Log Message: lang/php85: update to 8.5.5 PHP 8.5.5 (2026-04-09) - Core: . Fixed bug GH-20672 (Incorrect property_info sizing for locally shadowed trait properties). (ilutov) . Fixed bugs GH-20875, GH-20873, GH-20854 (Propagate IN_GET guard in get_property_ptr_ptr for lazy proxies). (iliaal) - Bz2: . Fix truncation of total output size causing erroneous errors. (ndossche) - DOM: . Fixed bug GH-21486 (Dom\HTMLDocument parser mangles xml:space and xml:lang attributes). (ndossche) - FFI: . Fixed resource leak in FFI::cdef() on symbol resolution failure. (David Carlier) - GD: . Fixed bug GH-21431 (phpinfo() to display libJPEG 10.0 support). (David Carlier) - Opcache: . Fixed bug GH-21052 (Preloaded constant erroneously propagated to file-cached script). (ilutov) . Fixed bug GH-20838 (JIT compiler produces wrong arithmetic results). (Dmitry, iliaal) . Fixed bug GH-21267 (JIT tracing: infinite loop on FETCH_OBJ_R with IS_UNDEF property in polymorphic context). (Dmitry, iliaal) . Fixed bug GH-21395 (uaf in jit). (ndossche) - OpenSSL: . Fixed bug GH-21083 (Skip private_key_bits validation for EC/curve-based keys). (iliaal) . Fix missing error propagation for BIO_printf() calls. (ndossche) - PCNTL: . 
Fixed signal handler installation on AIX by bumping the storage size of the num_signals global. (Calvin Buckley) - PCRE: . Fixed re-entrancy issue on php_pcre_match_impl, php_pcre_replace_impl, php_pcre_split_impl, and php_pcre_grep_impl. (David Carlier) - Phar: . Fixed bug GH-21333 (use after free when unlinking entries during iteration of a compressed phar). (David Carlier) - SNMP: . Fixed bug GH-21336 (SNMP::setSecurity() undefined behavior with NULL arguments). (David Carlier) - SOAP: . Fixed Set-Cookie parsing bug wrong offset while scanning attributes. (David Carlier) - SPL: . Fixed bug GH-21454 (missing write lock validation in SplHeap). (ndossche) - Standard: . Fixed bug GH-20906 (Assertion failure when messing up output buffers). (ndossche) . Fixed bug GH-20627 (Cannot identify some avif images with getimagesize). (y-guyon) - Sysvshm: . Fix memory leak in shm_get_var() when variable is corrupted. (ndossche) - XSL: . Fix GH-21357 (XSLTProcessor works with DOMDocument, but fails with Dom\XMLDocument). (ndossche) . Fixed bug GH-21496 (UAF in dom_objects_free_storage). (David Carlier/ndossche) --- Module Name: pkgsrc Committed By: taca Date: Fri May 8 02:10:51 UTC 2026 Modified Files: pkgsrc/lang/php: phpversion.mk pkgsrc/lang/php85: distinfo Log Message: lang/php85: update to 8.5.6 PHP 8.5.6 (2026-05-07) - Core: . Fixed bug GH-19983 (GC assertion failure with fibers, generators and destructors). (iliaal) . Fixed ZEND_API mismatch on zend_ce_closure forward decl for Windows+Clang. (henderkes) . Fixed bug GH-21504 (Incorrect RC-handling for ZEND_EXT_STMT op1). (ilutov) . Fixed bug GH-21478 (Forward property operations to real instance for initialized lazy proxies). (iliaal) . Fixed bug GH-21605 (Missing addref for Countable::count()). (ilutov) . Fixed bug GH-21699 (Assertion failure in shutdown_executor when resolving self::/parent::/static:: callables if the error handler throws). (macoaure) . Fixed bug GH-21603 (Missing addref for __unset). (ilutov) . 
Fixed bug GH-21760 (Trait with class constant name conflict against enum case causes SEGV). (Pratik Bhujel) - CLI: . Fixed bug GH-21754 (`--rf` command line option with a method triggers ext/reflection deprecation warnings). (DanielEScherzer) - Curl: . Add support for brotli and zstd on Windows. (Shivam Mathur) - DOM: . Fixed GHSA-4jhr-8w89-j733 and GH-21566 (Dom\XMLDocument::C14N() emits duplicate xmlns declarations after setAttributeNS()). (CVE-2026-7263) (David Carlier) - FPM: . Fixed GHSA-7qg2-v9fj-4mwv (XSS within status endpoint). (CVE-2026-6735) (Jakub Zelenka) - Iconv: . Fixed bug GH-17399 (iconv memory leak on bailout). (iliaal) - Lexbor: . Upgrade to lexbor v2.7.0. (CVE-2026-29078, CVE-2026-29079) (ndossche, ilutov) - MBString: . Fixed GHSA-wm6j-2649-pv75 (Null pointer dereference in php_mb_check_encoding() via mb_ereg_search_init()). (CVE-2026-7259) (vi3tL0u1s) . Fixed GHSA-74r9-qxhc-fx53 (Out-of-bounds access in mbfl_name2encoding_ex()). (CVE-2026-6104) (ilutov) - Opcache: . Fixed bug GH-21158 (JIT: Assertion jit->ra[var].flags & (1<<0) failed in zend_jit_use_reg). (Arnaud) . Fixed bug GH-21593 (Borked function JIT JMPNZ smart branch). (ilutov) . Fixed bug GH-21460 (COND optimization regression). (Dmitry, Arnaud) . Fixed faulty returns out of zend_try block in zend_jit_trace(). (ilutov) - OpenSSL: . Fix memory leak regression in openssl_pbkdf2(). (ndossche) . Fix a bunch of memory leaks and crashes on edge cases. (ndossche) - PDO_Firebird: . Fixed GHSA-w476-322c-wpvm (SQL injection via NUL bytes in quoted strings). (CVE-2025-14179) (SakiTakamachi) - PDO_PGSQL: . Fixed bug GH-21683 (pdo_pgsql throws with ATTR_PREFETCH=0 on empty result set). (thomasschiet) - Phar: . Restore is_link handler in phar_intercept_functions_shutdown. (iliaal) . Fixed bug GH-21797 (phar: NULL dereference in Phar::webPhar() when SCRIPT_NAME is absent from SAPI environment). (iliaal) . Fix memory leak in Phar::offsetGet(). (iliaal) . Fix memory leak in phar_add_file(). (iliaal) . 
Fixed bug GH-21799 (phar: propagate phar_stream_flush return value from phar_stream_close). (iliaal) . Fix memory leak in phar_verify_signature() when md_ctx is invalid. (JarneClauw) - Random: . Fixed bug GH-21731 (Random\Engine\Xoshiro256StarStar::__unserialize() accepts all-zero state). (iliaal) - Session: . Fixed memory leak when session GC callback returns a refcounted value. (jorgsowa) - SOAP: . Fixed GHSA-85c2-q967-79q5 (Stale SOAP_GLOBAL(ref_map) pointer with Apache Map). (CVE-2026-6722) (ilutov) . Fixed GHSA-m33r-qmcv-p97q (Use-after-free after header parsing failure with SOAP_PERSISTENCE_SESSION). (CVE-2026-7261) (ilutov) . Fixed GHSA-hmxp-6pc4-f3vv (Broken Apache map value NULL check). (CVE-2026-7262) (ilutov) - SPL: . Fixed bug GH-21499 (RecursiveArrayIterator getChildren UAF after parent free). (Girgias) . Fix concurrent iteration and deletion issues in SplObjectStorage. (ndossche) - Sqlite3: . Fixed wrong free list comparator pointer type. (David Carlier) - Standard: . Fixed GHSA-96wq-48vp-hh57 (Signed integer overflow of char array offset). (CVE-2026-7568) (TimWolla) . Fixed GHSA-m8rr-4c36-8gq4 (Consistently pass unsigned char to ctype.h functions). (CVE-2026-7258) (ilutov) - Streams: . Fixed bug GH-21468 (Segfault in file_get_contents w/ a https URL and a proxy set). (ndossche) - URI: . Fixed CVE-2026-42371 (uriparser before 1.0.1 has numeric truncation in text range comparison). (CVE-2026-42371) (Joshua W. 
Windle) @ text @d1 1 a1 1 $NetBSD$ d3 3 a5 3 BLAKE2s (php-8.5.6.tar.xz) = 9ddd69e000b551d0534bcf0fecf68bfb270d20fc772e901054e715caba9c7682 SHA512 (php-8.5.6.tar.xz) = e0ce5430809d5347ffdaba827e2c62fefb570b112014add16be545fd444ec374ebc76c373d5a254930538994a639ddd15508cd1083c4ead8ea0b76e7cead0c7c Size (php-8.5.6.tar.xz) = 14392820 bytes @ 1.4.2.2 log @Pullup ticket #7134 - requested by taca lang/php85: Security fix Revisions pulled up: - lang/php/phpversion.mk 1.501 - lang/php85/distinfo 1.7 --- Module Name: pkgsrc Committed By: taca Date: Sat Jun 6 02:42:08 UTC 2026 Modified Files: pkgsrc/lang/php: phpversion.mk pkgsrc/lang/php85: distinfo Log Message: lang/php85: update to 8.5.7 PHP 8.5.7 (2026-06-04) - CLI: . Fixed bug GH-21901 (Stale getopt() optional value). (onthebed) - Date: . Fixed bug GH-18422 (int overflow in php_date_llabs). (iliaal) - DOM: . Fixed bug GH-22077 (UAF in custom XPath function). (afflerbach/David Carlier) - Opcache: . Fixed tracing JIT crash when a VM interrupt is handled during an observed user function call. (Levi Morrison) . Fixed bug GH-21746 (Segfault with tracing JIT). (Arnaud) . Fixed bug GH-22004 (Assertion failure at ext/opcache/jit/zend_jit_trace.c). (Arnaud) . Fixed tailcall VM crash when a VM interrupt is handled from a VM helper. (Levi Morrison, Arnaud) - OpenSSL: . Fix compatibility issues with OpenSSL 4.0. (jordikroon, Remi) - Standard: . Fixed bug GH-21689 (version_compare() incorrectly handles versions ending with a dot). (timwolla) - URI: . Fixed CVE-2026-44927 (In uriparser before 1.0.2, there is pointer difference truncation to int in various places). (CVE-2026-44927) (Sebastian Pipping) . Fixed CVE-2026-44928 (In uriparser before 1.0.2, the function family EqualsUri can misclassify two unequal URIs as equal). 
(CVE-2026-44928) (Sebastian Pipping) @ text @d3 3 a5 3 BLAKE2s (php-8.5.7.tar.xz) = 008b5a92e8777af2bb9df7e20b65ddabc5570146533914bbf1b99283384868a6 SHA512 (php-8.5.7.tar.xz) = 2d4081b8684936afae946d5cc4d6714a6e40f8a25c9a286fe22190600896ab447293a0a73f58fae09d4543153134fd0b6a1131dccfc2b585406ae2a4d9aa08b7 Size (php-8.5.7.tar.xz) = 14398060 bytes @ 1.3 log @lang/php85: update to 8.5.3 PHP 8.5.3 (2026-02-12) - Core: . Fixed bug GH-20806 (preserve_none feature compatibility with LTO). (henderkes) . Fixed bug GH-20767 (build failure with musttail/preserve_none feature on macOS). (David Carlier) . Fixed bug GH-20837 (NULL dereference when calling ob_start() in shutdown function triggered by bailout in php_output_lock_error()). (timwolla) . Fix OSS-Fuzz #471533782 (Infinite loop in GC destructor fiber). (ilutov) . Fix OSS-Fuzz #472563272 (Borked block_pass JMP[N]Z optimization). (ilutov) . Fixed bug GH-20914 (Internal enums can be cloned and compared). (Arnaud) . Fix OSS-Fuzz #474613951 (Leaked parent property default value). (ilutov) . Fixed bug GH-20895 (ReflectionProperty does not return the PHPDoc of a property if it contains an attribute with a Closure). (timwolla) . Fixed bug GH-20766 (Use-after-free in FE_FREE with GC interaction). (Bob) . Fix OSS-Fuzz #471486164 (Broken by-ref assignment to uninitialized hooked backing value). (ilutov) . Fix OSS-Fuzz #438780145 (Nested finally with repeated return type check may uaf). (ilutov) . Fixed bug GH-20905 (Lazy proxy bailing __clone assertion). (ilutov) . Fixed bug GH-20479 (Hooked object properties overflow). (ndossche) - Date: . Update timelib to 2022.16. (Derick) - DOM: . Fixed GH-21041 (Dom\HTMLDocument corrupts closing tags within scripts). (lexborisov) - MbString: . Fixed bug GH-20833 (mb_str_pad() divide by zero if padding string is invalid in the encoding). (ndossche) . Fixed bug GH-20836 (Stack overflow in mb_convert_variables with recursive array references). (alexandre-daubois) - Opcache: . 
Fixed bug GH-20818 (Segfault in Tracing JIT with object reference). (khasinski) - OpenSSL: . Fix memory leaks when sk_X509_new_null() fails. (ndossche) . Fix crash in openssl_x509_parse() when i2s_ASN1_INTEGER() fails. (ndossche) . Fix crash in openssl_x509_parse() when X509_NAME_oneline() fails. (ndossche) - Phar: . Fixed bug GH-20882 (buildFromIterator breaks with missing base directory). (ndossche) - PGSQL: . Fixed INSERT/UPDATE queries building with PQescapeIdentifier() and possible UB. (David Carlier) - Readline: . Fixed bug GH-18139 (Memory leak when overriding some settings via readline_info()). (ndossche) - SPL: . Fixed bug GH-20856 (heap-use-after-free in SplDoublyLinkedList iterator when modifying during iteration). (ndossche) - Standard: . Fixed bug #74357 (lchown fails to change ownership of symlink with ZTS) (Jakub Zelenka) . Fixed bug GH-20843 (var_dump() crash with nested objects) (David Carlier) @ text @d1 1 a1 1 $NetBSD: distinfo,v 1.2 2026/01/19 15:35:56 taca Exp $ d3 3 a5 3 BLAKE2s (php-8.5.3.tar.xz) = 5f0bc098b34614696672950d712c8c8744df99ffc9ce5a4539671e57ce146198 SHA512 (php-8.5.3.tar.xz) = fae92403affa5259fd840609004980cdd2fa97dd511fde8e487292c832d433a2dc8597e3ce7b2de35f949e83a11b9b030e36e2bac6a7c697fdfc6556f9b1a1e0 Size (php-8.5.3.tar.xz) = 14333456 bytes d16 1 a16 1 SHA1 (patch-sapi_cgi_Makefile.frag) = f4cd64d334884c49787d8854115c8cd69cc79bb8 @ 1.2 log @lang/php85: update to 8.5.2 8.5.2 (2026-01-15) 15 Jan 2026, PHP 8.5.2 - Core: . Fix OSS-Fuzz #465488618 (Wrong assumptions when dumping function signature with dynamic class const lookup default argument). (ilutov) . Fixed bug GH-20695 (Assertion failure in normalize_value() when parsing malformed INI input via parse_ini_string()). (ndossche) . Fixed bug GH-20714 (Uncatchable exception thrown in generator). (ilutov) . Fixed bug GH-20352 (UAF in php_output_handler_free via re-entrant ob_start() during error deactivation). (ndossche) . 
Fixed bug GH-20745 ("Casting out of range floats to int" applies to strings). (Bob) - DOM: . Fixed bug GH-20722 (Null pointer dereference in DOM namespace node cloning via clone on malformed objects). (ndossche) . Fixed bug GH-20444 (Dom\XMLDocument::C14N() seems broken compared to DOMDocument::C14N()). (ndossche) - EXIF: . Fixed bug GH-20631 (Integer underflow in exif HEIF parsing when pos.size < 2). (Oblivionsage) - Intl: . Fix leak in umsg_format_helper(). (ndossche) - LDAP: . Fix memory leak in ldap_set_options(). (ndossche) - Lexbor: . Fixed bug GH-20668 (\Uri\WhatWg\Url::withHost() crashes (SEGV) for URLs using the file: scheme). (lexborisov) - Mbstring: . Fixed bug GH-20674 (mb_decode_mimeheader does not handle separator). (Yuya Hamada) - PCNTL: . Fixed bug with pcntl_getcpuaffinity() on solaris regarding invalid process ids handling. (David Carlier) - Phar: . Fixed bug GH-20732 (Phar::LoadPhar undefined behavior when reading fails). (ndossche) . Fix SplFileInfo::openFile() in write mode. (ndossche) . Fix build on legacy OpenSSL 1.1.0 systems. (Giovanni Giacobbi) . Fixed bug #74154 (Phar extractTo creates empty files). (ndossche) - Session: . Fix support for MM module. (Michael Orlitzky) - Sqlite3: . Fixed bug GH-20699 (SQLite3Result fetchArray return array|false, null returned). (ndossche, plusminmax) - Standard: . Fix error check for proc_open() command. (ndossche) . Fix memory leak in mail() when header key is numeric. (Girgias) . Fixed bug GH-20582 (Heap Buffer Overflow in iptcembed). (ndossche) - URI: . Fixed bug GH-20771 (Assertion failure when getUnicodeHost() returns empty string). (ndossche) - Zlib: . Fix OOB gzseek() causing assertion failure. 
(ndossche) @ text @d1 1 a1 1 $NetBSD: distinfo,v 1.1 2026/01/08 13:38:00 taca Exp $ d3 3 a5 3 BLAKE2s (php-8.5.2.tar.xz) = bd3c0a67c4fad8b7398b525c851c889df6726072651c696913053918d634b623 SHA512 (php-8.5.2.tar.xz) = 99c5545195c4fdd5a741e839e60521ec2d1b24275c7362b9aae71e3a7cdc4ceaaf70dfe9ae74da359a06922718b2213f6f2f885735bee5473affdf2fd9f3794a Size (php-8.5.2.tar.xz) = 14331112 bytes @ 1.1 log @lang/php: add package version 8.5.1 PHP is a widely-used open source general-purpose scripting language that is especially suited for web development and can be embedded into HTML. It is modular, and object-oriented. Much of its syntax is borrowed from C, Java and Perl with a couple of unique PHP-specific features thrown in. The language is designed to allow web developers to write dynamically generated pages quickly. PHP 8.5 comes with numerous improvements and new features such as * Built-in URI Extension to parse, normalize and handle URL. * Pipe Operator |> enables chaining callables and passing values. * Clone objects and update properties with the new clone() syntax. * A new attribute #[\NoDiscard] for a function. * Static closures and first-class-callables in constant expressions. * cURL shared handles support. * array_first() and array_last() functions are added to array. * And much much more... @ text @d1 1 a1 1 $NetBSD$ d3 3 a5 3 BLAKE2s (php-8.5.1.tar.xz) = f24843847d5879caa52d7f2ce032d18c62176595aac36d574d68f801180f1bb1 SHA512 (php-8.5.1.tar.xz) = baac228db5ba26d97abd6c1471ea8448aa1bd7754f4637ca9399b8200df6b7be23e71dd20edbe55828a87a354f0d1a8516aaa434b6fd45ddcb05a478c04a94e2 Size (php-8.5.1.tar.xz) = 14326700 bytes @