CVS commit: pkgsrc/lang

To: pkgsrc-changes%NetBSD.org@localhost
Subject: CVS commit: pkgsrc/lang
From: "Takahiro Kambe" <taca%netbsd.org@localhost>
Date: Fri, 8 May 2026 02:06:41 +0000

Module Name:    pkgsrc
Committed By:   taca
Date:           Fri May  8 02:06:40 UTC 2026

Modified Files:
        pkgsrc/lang/php: phpversion.mk
        pkgsrc/lang/php84: distinfo

Log Message:
lang/php84: update to 8.4.21

PHP 8.4.21 (2026-05-07)

- Core:
  . Fixed bug GH-19983 (GC assertion failure with fibers, generators and
    destructors). (iliaal)
  . Fixed bug GH-21478 (Forward property operations to real instance for
    initialized lazy proxies). (iliaal)
  . Fixed bug GH-21605 (Missing addref for Countable::count()). (ilutov)
  . Fixed bug GH-21699 (Assertion failure in shutdown_executor when resolving
    self::/parent::/static:: callables if the error handler throws). (macoaure)
  . Fixed bug GH-21603 (Missing addref for __unset). (ilutov)
  . Fixed bug GH-21760 (Trait with class constant name conflict against
    enum case causes SEGV). (Pratik Bhujel)

- CLI:
  . Fixed bug GH-21754 (`--rf` command line option with a method triggers
    ext/reflection deprecation warnings). (DanielEScherzer)

- Curl:
  . Add support for brotli and zstd on Windows. (Shivam Mathur)

- DOM:
  . Fixed GHSA-4jhr-8w89-j733 and GH-21566 (Dom\XMLDocument::C14N() emits
    duplicate xmlns declarations after setAttributeNS()). (CVE-2026-7263)
    (David Carlier)
  . Fixed bug GH-21688 (segmentation fault on empty HTMLDocument).
    (David Carlier)
  . Upgrade to lexbor v2.7.0. (CVE-2026-29078, CVE-2026-29079)
    (ndossche, ilutov)

- FPM:
  . Fixed GHSA-7qg2-v9fj-4mwv (XSS within status endpoint). (CVE-2026-6735)
    (Jakub Zelenka)

- Iconv:
  . Fixed bug GH-17399 (iconv memory leak on bailout). (iliaal)

- MBString:
  . Fixed GHSA-wm6j-2649-pv75 (Null pointer dereference in
    php_mb_check_encoding() via mb_ereg_search_init()). (CVE-2026-7259)
    (vi3tL0u1s)
  . Fixed GHSA-74r9-qxhc-fx53 (Out-of-bounds access in mbfl_name2encoding_ex()).
    (CVE-2026-6104) (ilutov)

- Opcache:
  . Fixed bug GH-21158 (JIT: Assertion jit->ra[var].flags & (1<<0) failed in
    zend_jit_use_reg). (Arnaud)
  . Fixed bug GH-21593 (Borked function JIT JMPNZ smart branch). (ilutov)
  . Fixed bug GH-21460 (COND optimization regression). (Dmitry, Arnaud)
  . Fixed faulty returns out of zend_try block in zend_jit_trace(). (ilutov)

- OpenSSL:
  . Fix a bunch of memory leaks and crashes on edge cases. (ndossche)

- PDO_Firebird:
  . Fixed GHSA-w476-322c-wpvm (SQL injection via NUL bytes in quoted strings).
    (CVE-2025-14179) (SakiTakamachi)

- Phar:
  . Restore is_link handler in phar_intercept_functions_shutdown. (iliaal)
  . Fixed bug GH-21797 (phar: NULL dereference in Phar::webPhar() when
    SCRIPT_NAME is absent from SAPI environment). (iliaal)
  . Fix memory leak in Phar::offsetGet(). (iliaal)
  . Fix memory leak in phar_add_file(). (iliaal)
  . Fixed bug GH-21799 (phar: propagate phar_stream_flush return value from
    phar_stream_close). (iliaal)
  . Fix memory leak in phar_verify_signature() when md_ctx is invalid.
    (JarneClauw)

- Random:
  . Fixed bug GH-21731 (Random\Engine\Xoshiro256StarStar::__unserialize()
    accepts all-zero state). (iliaal)

- Session:
  . Fixed memory leak when session GC callback return a refcounted value.
    (jorgsowa)

- SOAP:
  . Fixed GHSA-85c2-q967-79q5 (Stale SOAP_GLOBAL(ref_map) pointer with Apache
    Map). (CVE-2026-6722) (ilutov)
  . Fixed GHSA-m33r-qmcv-p97q (Use-after-free after header parsing failure with
    SOAP_PERSISTENCE_SESSION). (CVE-2026-7261) (ilutov)
  . Fixed GHSA-hmxp-6pc4-f3vv (Broken Apache map value NULL check).
    (CVE-2026-7262) (ilutov)

- SPL:
  . Fixed bug GH-21499 (RecursiveArrayIterator getChildren UAF after parent
    free). (Girgias)
  . Fix concurrent iteration and deletion issues in SplObjectStorage.
    (ndossche)

- Standard:
  . Fixed GHSA-96wq-48vp-hh57 (Signed integer overflow of char array offset).
    (CVE-2026-7568) (TimWolla)
  . Fixed GHSA-m8rr-4c36-8gq4 (Consistently pass unsigned char to ctype.h
    functions). (CVE-2026-7258) (ilutov)

- Streams:
  . Fixed bug GH-21468 (Segfault in file_get_contents w/ a https URL
    and a proxy set). (ndossche)

- XSL:
  . Fixed bug GH-21600 (Segfault on module shutdown). (David Carlier)

- Zip:
  . Fixed bug GH-21698 (memory leak with ZipArchive::addGlob()
    early return statements). (David Carlier)


To generate a diff of this commit:
cvs rdiff -u -r1.497 -r1.498 pkgsrc/lang/php/phpversion.mk
cvs rdiff -u -r1.20 -r1.21 pkgsrc/lang/php84/distinfo

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: pkgsrc/lang/php/phpversion.mk
diff -u pkgsrc/lang/php/phpversion.mk:1.497 pkgsrc/lang/php/phpversion.mk:1.498
--- pkgsrc/lang/php/phpversion.mk:1.497 Fri May  8 02:04:24 2026
+++ pkgsrc/lang/php/phpversion.mk       Fri May  8 02:06:40 2026
@@ -1,4 +1,4 @@
-# $NetBSD: phpversion.mk,v 1.497 2026/05/08 02:04:24 taca Exp $
+# $NetBSD: phpversion.mk,v 1.498 2026/05/08 02:06:40 taca Exp $
 #
 # This file selects a PHP version, based on the user's preferences and
 # the installed packages. It does not add a dependency on the PHP
@@ -112,7 +112,7 @@ PHP56_VERSION=      5.6.40
 PHP74_VERSION= 7.4.33
 PHP82_VERSION= 8.2.30
 PHP83_VERSION= 8.3.31
-PHP84_VERSION= 8.4.20
+PHP84_VERSION= 8.4.21
 PHP85_VERSION= 8.5.5
 
 _VARGROUPS+=   php

Index: pkgsrc/lang/php84/distinfo
diff -u pkgsrc/lang/php84/distinfo:1.20 pkgsrc/lang/php84/distinfo:1.21
--- pkgsrc/lang/php84/distinfo:1.20     Fri Apr 10 15:13:15 2026
+++ pkgsrc/lang/php84/distinfo  Fri May  8 02:06:40 2026
@@ -1,8 +1,8 @@
-$NetBSD: distinfo,v 1.20 2026/04/10 15:13:15 taca Exp $
+$NetBSD: distinfo,v 1.21 2026/05/08 02:06:40 taca Exp $
 
-BLAKE2s (php-8.4.20.tar.xz) = 77198c86d32681684638802ebd347c61ba36776156ccb94ef03b632962bd4f1e
-SHA512 (php-8.4.20.tar.xz) = 8ec32d7c25bdd2528fb5baafba90175ffa9e94db68a9408e6d006810c6cd22404e8602c7f327b8590371a4f01680f027b3d7a6ddfb51e613e4c7ffccb73196b1
-Size (php-8.4.20.tar.xz) = 13685708 bytes
+BLAKE2s (php-8.4.21.tar.xz) = 78a16ad0959764f8c8e0d2bf62dfa9a3ff966ea59a6b773bcbd7ff1902c09317
+SHA512 (php-8.4.21.tar.xz) = 1269952167afb1efea8a8d62fc3b5532018e91556cf9f971e1752b437fc27e3457b313e027f1569806291131a5ff065d87a7604cf04637871849c731dec16e36
+Size (php-8.4.21.tar.xz) = 13718684 bytes
 SHA1 (patch-build_Makefile.global) = da9577733497d026315b4702cb19d673053148ed
 SHA1 (patch-build_php.m4) = bb72e38ab391ad587962940ba85e8d4de8633dca
 SHA1 (patch-configure.ac) = 2bdd1d2b1def552032dba5fbeb6140922b72c880

Prev by Date: CVS commit: pkgsrc/doc
Next by Date: CVS commit: pkgsrc/doc
Previous by Thread: CVS commit: pkgsrc/doc
Next by Thread: CVS commit: pkgsrc/doc
Indexes:

Home | Main Index | Thread Index | Old Index