CVS commit: [pkgsrc-2026Q1] pkgsrc/lang

To: pkgsrc-changes%NetBSD.org@localhost
Subject: CVS commit: [pkgsrc-2026Q1] pkgsrc/lang
From: "Benny Siegert" <bsiegert%netbsd.org@localhost>
Date: Sat, 9 May 2026 17:36:14 +0000

Module Name:    pkgsrc
Committed By:   bsiegert
Date:           Sat May  9 17:36:14 UTC 2026

Modified Files:
        pkgsrc/lang/php [pkgsrc-2026Q1]: phpversion.mk
        pkgsrc/lang/php84 [pkgsrc-2026Q1]: distinfo

Log Message:
Pullup ticket #7107 - requested by taca
lang/php84: security fix

Revisions pulled up:
- lang/php/phpversion.mk                                        1.496,1.498
- lang/php84/distinfo                                           1.20-1.21

---
   Module Name: pkgsrc
   Committed By:        taca
   Date:                Fri Apr 10 15:13:16 UTC 2026

   Modified Files:
        pkgsrc/lang/php: phpversion.mk
        pkgsrc/lang/php84: distinfo

   Log Message:
   lang/php84: update to 8.4.20

   PHP 8.4.20 (2026-04-09)

   - Bz2:
     . Fix truncation of total output size causing erroneous errors. (ndossche)

   - Core:
     . Fixed bugs GH-20875, GH-20873, GH-20854 (Propagate IN_GET guard in
       get_property_ptr_ptr for lazy proxies). (iliaal)

   - DOM:
     . Fixed bug GH-21486 (Dom\HTMLDocument parser mangles xml:space and
       xml:lang attributes). (ndossche)

   - FFI:
     . Fixed resource leak in FFI::cdef() onsymbol resolution failure.
       (David Carlier)

   - GD:
     . Fixed bug GH-21431 (phpinfo() to display libJPEG 10.0 support).
       (David Carlier)

   - Opcache:
     . Fixed bug GH-20838 (JIT compiler produces wrong arithmetic results).
       (Dmitry, iliaal)
     . Fixed bug GH-21267 (JIT tracing: infinite loop on FETCH_OBJ_R with
       IS_UNDEF property in polymorphic context). (Dmitry, iliaal)
     . Fixed bug GH-21395 (uaf in jit). (ndossche)

   - OpenSSL:
     . Fixed bug GH-21083 (Skip private_key_bits validation for EC/curve-based
       keys). (iliaal)
     . Fix missing error propagation for BIO_printf() calls. (ndossche)

   - PCRE:
     . Fixed re-entrancy issue on php_pcre_match_impl, php_pcre_replace_impl,
       php_pcre_split_impl, and php_pcre_grep_impl. (David Carlier)

   - PGSQL:
     . Fixed preprocessor silently guarding PGSQL_SUPPRESS_TIMESTAMPS support
       due to a typo. (KentarouTakeda)

   - SNMP:
     . Fixed bug GH-21336 (SNMP::setSecurity() undefined behavior with
       NULL arguments). (David Carlier)

   - SOAP:
     . Fixed Set-Cookie parsing bug wrong offset while scanning attributes.
       (David Carlier)

   - SPL:
     . Fixed bug GH-21454 (missing write lock validation in SplHeap).
       (ndossche)

   - Standard:
     . Fixed bug GH-20906 (Assertion failure when messing up output buffers).
       (ndossche)
     . Fixed bug GH-20627 (Cannot identify some avif images with getimagesize).
       (y-guyon)

   - Sysvshm:
     . Fix memory leak in shm_get_var() when variable is corrupted. (ndossche)

   - XSL:
     . Fix GH-21357 (XSLTProcessor works with DOMDocument, but fails with
       Dom\XMLDocument). (ndossche)
     . Fixed bug GH-21496 (UAF in dom_objects_free_storage).
       (David Carlier/ndossche)

---
   Module Name: pkgsrc
   Committed By:        taca
   Date:                Fri May  8 02:06:40 UTC 2026

   Modified Files:
        pkgsrc/lang/php: phpversion.mk
        pkgsrc/lang/php84: distinfo

   Log Message:
   lang/php84: update to 8.4.21

   PHP 8.4.21 (2026-05-07)

   - Core:
     . Fixed bug GH-19983 (GC assertion failure with fibers, generators and
       destructors). (iliaal)
     . Fixed bug GH-21478 (Forward property operations to real instance for
       initialized lazy proxies). (iliaal)
     . Fixed bug GH-21605 (Missing addref for Countable::count()). (ilutov)
     . Fixed bug GH-21699 (Assertion failure in shutdown_executor when resolving
       self::/parent::/static:: callables if the error handler throws). (macoaure)
     . Fixed bug GH-21603 (Missing addref for __unset). (ilutov)
     . Fixed bug GH-21760 (Trait with class constant name conflict against
       enum case causes SEGV). (Pratik Bhujel)

   - CLI:
     . Fixed bug GH-21754 (`--rf` command line option with a method triggers
       ext/reflection deprecation warnings). (DanielEScherzer)

   - Curl:
     . Add support for brotli and zstd on Windows. (Shivam Mathur)

   - DOM:
     . Fixed GHSA-4jhr-8w89-j733 and GH-21566 (Dom\XMLDocument::C14N() emits
       duplicate xmlns declarations after setAttributeNS()). (CVE-2026-7263)
       (David Carlier)
     . Fixed bug GH-21688 (segmentation fault on empty HTMLDocument).
       (David Carlier)
     . Upgrade to lexbor v2.7.0. (CVE-2026-29078, CVE-2026-29079)
       (ndossche, ilutov)

   - FPM:
     . Fixed GHSA-7qg2-v9fj-4mwv (XSS within status endpoint). (CVE-2026-6735)
       (Jakub Zelenka)

   - Iconv:
     . Fixed bug GH-17399 (iconv memory leak on bailout). (iliaal)

   - MBString:
     . Fixed GHSA-wm6j-2649-pv75 (Null pointer dereference in
       php_mb_check_encoding() via mb_ereg_search_init()). (CVE-2026-7259)
       (vi3tL0u1s)
     . Fixed GHSA-74r9-qxhc-fx53 (Out-of-bounds access in mbfl_name2encoding_ex()).
       (CVE-2026-6104) (ilutov)

   - Opcache:
     . Fixed bug GH-21158 (JIT: Assertion jit->ra[var].flags & (1<<0) failed in
       zend_jit_use_reg). (Arnaud)
     . Fixed bug GH-21593 (Borked function JIT JMPNZ smart branch). (ilutov)
     . Fixed bug GH-21460 (COND optimization regression). (Dmitry, Arnaud)
     . Fixed faulty returns out of zend_try block in zend_jit_trace(). (ilutov)

   - OpenSSL:
     . Fix a bunch of memory leaks and crashes on edge cases. (ndossche)

   - PDO_Firebird:
     . Fixed GHSA-w476-322c-wpvm (SQL injection via NUL bytes in quoted strings).
       (CVE-2025-14179) (SakiTakamachi)

   - Phar:
     . Restore is_link handler in phar_intercept_functions_shutdown. (iliaal)
     . Fixed bug GH-21797 (phar: NULL dereference in Phar::webPhar() when
       SCRIPT_NAME is absent from SAPI environment). (iliaal)
     . Fix memory leak in Phar::offsetGet(). (iliaal)
     . Fix memory leak in phar_add_file(). (iliaal)
     . Fixed bug GH-21799 (phar: propagate phar_stream_flush return value from
       phar_stream_close). (iliaal)
     . Fix memory leak in phar_verify_signature() when md_ctx is invalid.
       (JarneClauw)

   - Random:
     . Fixed bug GH-21731 (Random\Engine\Xoshiro256StarStar::__unserialize()
       accepts all-zero state). (iliaal)

   - Session:
     . Fixed memory leak when session GC callback return a refcounted value.
       (jorgsowa)

   - SOAP:
     . Fixed GHSA-85c2-q967-79q5 (Stale SOAP_GLOBAL(ref_map) pointer with Apache
       Map). (CVE-2026-6722) (ilutov)
     . Fixed GHSA-m33r-qmcv-p97q (Use-after-free after header parsing failure with
       SOAP_PERSISTENCE_SESSION). (CVE-2026-7261) (ilutov)
     . Fixed GHSA-hmxp-6pc4-f3vv (Broken Apache map value NULL check).
       (CVE-2026-7262) (ilutov)

   - SPL:
     . Fixed bug GH-21499 (RecursiveArrayIterator getChildren UAF after parent
       free). (Girgias)
     . Fix concurrent iteration and deletion issues in SplObjectStorage.
       (ndossche)

   - Standard:
     . Fixed GHSA-96wq-48vp-hh57 (Signed integer overflow of char array offset).
       (CVE-2026-7568) (TimWolla)
     . Fixed GHSA-m8rr-4c36-8gq4 (Consistently pass unsigned char to ctype.h
       functions). (CVE-2026-7258) (ilutov)

   - Streams:
     . Fixed bug GH-21468 (Segfault in file_get_contents w/ a https URL
       and a proxy set). (ndossche)

   - XSL:
     . Fixed bug GH-21600 (Segfault on module shutdown). (David Carlier)

   - Zip:
     . Fixed bug GH-21698 (memory leak with ZipArchive::addGlob()
       early return statements). (David Carlier)


To generate a diff of this commit:
cvs rdiff -u -r1.494.2.1 -r1.494.2.2 pkgsrc/lang/php/phpversion.mk
cvs rdiff -u -r1.19 -r1.19.2.1 pkgsrc/lang/php84/distinfo

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: pkgsrc/lang/php/phpversion.mk
diff -u pkgsrc/lang/php/phpversion.mk:1.494.2.1 pkgsrc/lang/php/phpversion.mk:1.494.2.2
--- pkgsrc/lang/php/phpversion.mk:1.494.2.1     Sat May  9 17:25:26 2026
+++ pkgsrc/lang/php/phpversion.mk       Sat May  9 17:36:14 2026
@@ -1,4 +1,4 @@
-# $NetBSD: phpversion.mk,v 1.494.2.1 2026/05/09 17:25:26 bsiegert Exp $
+# $NetBSD: phpversion.mk,v 1.494.2.2 2026/05/09 17:36:14 bsiegert Exp $
 #
 # This file selects a PHP version, based on the user's preferences and
 # the installed packages. It does not add a dependency on the PHP
@@ -112,7 +112,7 @@ PHP56_VERSION=      5.6.40
 PHP74_VERSION= 7.4.33
 PHP82_VERSION= 8.2.30
 PHP83_VERSION= 8.3.30
-PHP84_VERSION= 8.4.19
+PHP84_VERSION= 8.4.20
 PHP85_VERSION= 8.5.6
 
 _VARGROUPS+=   php

Index: pkgsrc/lang/php84/distinfo
diff -u pkgsrc/lang/php84/distinfo:1.19 pkgsrc/lang/php84/distinfo:1.19.2.1
--- pkgsrc/lang/php84/distinfo:1.19     Sun Mar 15 15:29:11 2026
+++ pkgsrc/lang/php84/distinfo  Sat May  9 17:36:14 2026
@@ -1,8 +1,8 @@
-$NetBSD: distinfo,v 1.19 2026/03/15 15:29:11 taca Exp $
+$NetBSD: distinfo,v 1.19.2.1 2026/05/09 17:36:14 bsiegert Exp $
 
-BLAKE2s (php-8.4.19.tar.xz) = 19f8c747042bbd61bd9a773684fb4343c0db2dd6749c2d3e0b3019a775efd017
-SHA512 (php-8.4.19.tar.xz) = 1b5ae8cde9ab88a9f53337d7b640434550ef676809d2a521564fceed37fc063d7a6b94b8b7c887b1fb84acf1d1ef862a6c32ccb4d16f846294c2aeaecd85a908
-Size (php-8.4.19.tar.xz) = 13684456 bytes
+BLAKE2s (php-8.4.20.tar.xz) = 77198c86d32681684638802ebd347c61ba36776156ccb94ef03b632962bd4f1e
+SHA512 (php-8.4.20.tar.xz) = 8ec32d7c25bdd2528fb5baafba90175ffa9e94db68a9408e6d006810c6cd22404e8602c7f327b8590371a4f01680f027b3d7a6ddfb51e613e4c7ffccb73196b1
+Size (php-8.4.20.tar.xz) = 13685708 bytes
 SHA1 (patch-build_Makefile.global) = da9577733497d026315b4702cb19d673053148ed
 SHA1 (patch-build_php.m4) = bb72e38ab391ad587962940ba85e8d4de8633dca
 SHA1 (patch-configure.ac) = 2bdd1d2b1def552032dba5fbeb6140922b72c880

Prev by Date: CVS commit: pkgsrc/misc/nq
Previous by Thread: CVS commit: pkgsrc/misc/nq
Indexes:

Home | Main Index | Thread Index | Old Index