Recently, a bug in glibc version 2.39 and older (CVE-2024-2961) was uncovered where a buffer overflow in character set conversions to the ISO-2022-CN-EXT character set can result in remote code execution.

This specific buffer overflow in glibc is exploitable through PHP, which uses the iconv functionality in glibc to do character set conversions. Although the bug is exploitable in the context of the PHP Engine, the bug is not in PHP. It is also not directly exploitable remotely.

There are numerous reports online with titles like "Mitigating the iconv Vulnerability for PHP (CVE-2024-2961)" or "PHP Under Attack". These titles are misleading as this is not a bug in PHP itself.

Currently there is no fix for this issue, but there is a workaround described in GLIBC Vulnerability on Servers Serving PHP. It explains a way how to remove the problematic character set from glibc. Perform this procedure for every gconv-modules-extra.conf file that is available on your system.

Additionally it is also good practice for applications to accept only specific charsets, with an allow-list.

Some Linux distributions such as Debian, CentOS, and others, already have published patched variants of glibc. Please upgrade as soon as possible.

Once an update is available in glibc, updating that package on your Linux machine will be enough to alleviate the issue. You do not need to update PHP, as glibc is a dynamically linked library.

PHP users on Windows are not affected.

There will therefore also not be a new version of PHP for this vulnerability.

The PHP development team announces the immediate availability of PHP 8.1.28. This is a security release.

All PHP 8.1 users are encouraged to upgrade to this version.

For source downloads of PHP 8.1.28 please visit our downloads page, Windows source and binaries can be found on windows.php.net/download/. The list of changes is recorded in the ChangeLog.

The PHP development team announces the immediate availability of PHP 8.3.6. This is a security release.

All PHP 8.3 users are encouraged to upgrade to this version.

For source downloads of PHP 8.3.6 please visit our downloads page, Windows source and binaries can be found on windows.php.net/download/. The list of changes is recorded in the ChangeLog.

The PHP development team announces the immediate availability of PHP 8.2.18. This is a security release.

All PHP 8.2 users are encouraged to upgrade to this version.

For source downloads of PHP 8.2.18 please visit our downloads page, Windows source and binaries can be found on windows.php.net/download/. The list of changes is recorded in the ChangeLog.

The PHP development team announces the immediate availability of PHP 8.3.4. This is a bug fix release.

All PHP 8.3 users are encouraged to upgrade to this version.

For source downloads of PHP 8.3.4 please visit our downloads page, Windows source and binaries can be found on windows.php.net/download/. The list of changes is recorded in the ChangeLog.

The PHP development team announces the immediate availability of PHP 8.2.17. This is a bug fix release.

All PHP 8.2 users are encouraged to upgrade to this version.

For source downloads of PHP 8.2.17 please visit our downloads page, Windows source and binaries can be found on windows.php.net/download/. The list of changes is recorded in the ChangeLog.

The PHP development team announces the immediate availability of PHP 8.2.16. This is a bug fix release.

All PHP 8.2 users are encouraged to upgrade to this version.

For source downloads of PHP 8.2.16 please visit our downloads page, Windows source and binaries can be found on windows.php.net/download/. The list of changes is recorded in the ChangeLog.

The PHP development team announces the immediate availability of PHP 8.3.3. This is a bug fix release.

All PHP 8.3 users are encouraged to upgrade to this version.

For source downloads of PHP 8.3.3 please visit our downloads page, Windows source and binaries can be found on windows.php.net/download/. The list of changes is recorded in the ChangeLog.

The PHP development team announces the immediate availability of PHP 8.2.15. This is a bug fix release.

All PHP 8.2 users are encouraged to upgrade to this version.

For source downloads of PHP 8.2.15 please visit our downloads page, Windows source and binaries can be found on windows.php.net/download/. The list of changes is recorded in the ChangeLog.

The PHP development team announces the immediate availability of PHP 8.3.2. This is a bug fix release.

All PHP 8.3 users are encouraged to upgrade to this version.

For source downloads of PHP 8.3.2 please visit our downloads page, Windows source and binaries can be found on windows.php.net/download/. The list of changes is recorded in the ChangeLog.

The PHP development team announces the immediate availability of PHP 8.2.14. This is a bug fix release.

All PHP 8.2 users are encouraged to upgrade to this version.

For source downloads of PHP 8.2.14 please visit our downloads page, Windows source and binaries can be found on windows.php.net/download/. The list of changes is recorded in the ChangeLog.

The PHP development team announces the immediate availability of PHP 8.1.27. This is a bug fix release.

All PHP 8.1 users are encouraged to upgrade to this version.

For source downloads of PHP 8.1.27 please visit our downloads page, Windows source and binaries can be found on windows.php.net/download/. The list of changes is recorded in the ChangeLog.

The PHP development team announces the immediate availability of PHP 8.3.1. This is a bug fix release.

All PHP 8.3 users are encouraged to upgrade to this version.

For source downloads of PHP 8.3.1 please visit our downloads page, Windows source and binaries can be found on windows.php.net/download/. The list of changes is recorded in the ChangeLog.

The PHP development team announces the immediate availability of PHP 8.1.26. This is a bug fix release.

All PHP 8.1 users are encouraged to upgrade to this version.

For source downloads of PHP 8.1.26 please visit our downloads page, Windows source and binaries can be found on windows.php.net/download/. The list of changes is recorded in the ChangeLog.

The PHP development team announces the immediate availability of PHP 8.3.0. This release marks the latest minor release of the PHP language.

PHP 8.3 comes with numerous improvements and new features such as:

• Typed Class Constants
• Fetch class constant dynamically syntax
• Readonly Amendments
• Override Attribute
• New Randomizer method Random\Randomizer::getBytesFromString
• New function json_validate
• And much much more...

For source downloads of PHP 8.3.0 please visit our downloads page, Windows source and binaries can be found on windows.php.net/download/. The list of changes is recorded in the ChangeLog.

The migration guide is available in the PHP Manual. Please consult it for the detailed list of new features and backward incompatible changes.

Kudos to all the contributors and supporters!

The PHP development team announces the immediate availability of PHP 8.2.13. This is a bug fix release.

All PHP 8.2 users are encouraged to upgrade to this version.

For source downloads of PHP 8.2.13 please visit our downloads page, Windows source and binaries can be found on windows.php.net/download/. The list of changes is recorded in the ChangeLog.

The PHP team is pleased to announce the release of PHP 8.3.0, RC 6. This is the sixth and final release candidate, continuing the PHP 8.3 release cycle, the rough outline of which is specified in the PHP Wiki.

For source downloads of PHP 8.3.0, RC 6 please visit the download page.

Please carefully test this version and report any issues found in the bug reporting system.

Please DO NOT use this version in production, it is an early test version.

For more information on the new features and other changes, you can read the NEWS file or the UPGRADING file for a complete list of upgrading notes. These files can also be found in the release archive.

The next release will be the production-ready, general availability release, planned for 23 November 2023.

The signatures for the release can be found in the manifest or on the QA site.

Thank you for helping us make PHP better.

The PHP development team announces the immediate availability of PHP 8.1.25. This is a bug fix release.

All PHP 8.1 users are encouraged to upgrade to this version.

For source downloads of PHP 8.1.25 please visit our downloads page, Windows source and binaries can be found on windows.php.net/download/. The list of changes is recorded in the ChangeLog.

The PHP development team announces the immediate availability of PHP 8.2.12. This is a bug fix release.

All PHP 8.2 users are encouraged to upgrade to this version.

For source downloads of PHP 8.2.12 please visit our downloads page, Windows source and binaries can be found on windows.php.net/download/. The list of changes is recorded in the ChangeLog.

The PHP team is pleased to announce the release of PHP 8.3.0, RC 5. This is the fifth release candidate, continuing the PHP 8.3 release cycle, the rough outline of which is specified in the PHP Wiki.

For source downloads of PHP 8.3.0, RC 5 please visit the download page.

Please carefully test this version and report any issues found in the bug reporting system.

Please DO NOT use this version in production, it is an early test version.

For more information on the new features and other changes, you can read the NEWS file or the UPGRADING file for a complete list of upgrading notes. These files can also be found in the release archive.

The next release will be the fourth release candidate (RC 5), planned for 26 October 2023.

The signatures for the release can be found in the manifest or on the QA site.

Thank you for helping us make PHP better.

The PHP team is pleased to announce the release of PHP 8.3.0, RC 4. This is the fourth release candidate, continuing the PHP 8.3 release cycle, the rough outline of which is specified in the PHP Wiki.

For source downloads of PHP 8.3.0, RC 4 please visit the download page.

Please carefully test this version and report any issues found in the bug reporting system.

Please DO NOT use this version in production, it is an early test version.

For more information on the new features and other changes, you can read the NEWS file or the UPGRADING file for a complete list of upgrading notes. These files can also be found in the release archive.

The next release will be the fifth release candidate (RC 5), planned for 26 October 2023.

The signatures for the release can be found in the manifest or on the QA site.

Thank you for helping us make PHP better.

The PHP development team announces the immediate availability of PHP 8.1.24. This is a bug fix release.

All PHP 8.1 users are encouraged to upgrade to this version.

For source downloads of PHP 8.1.24 please visit our downloads page, Windows source and binaries can be found on windows.php.net/download/. The list of changes is recorded in the ChangeLog.

The PHP team is pleased to announce the release of PHP 8.3.0, RC 3. This is the third release candidate, continuing the PHP 8.3 release cycle, the rough outline of which is specified in the PHP Wiki.

For source downloads of PHP 8.3.0, RC 3 please visit the download page.

Please carefully test this version and report any issues found in the bug reporting system.

Please DO NOT use this version in production, it is an early test version.

For more information on the new features and other changes, you can read the NEWS file or the UPGRADING file for a complete list of upgrading notes. These files can also be found in the release archive.

The next release will be the fourth release candidate (RC 4), planned for 12 October 2023.

The signatures for the release can be found in the manifest or on the QA site.

Thank you for helping us make PHP better.

The PHP development team announces the immediate availability of PHP 8.2.11. This is a bug fix release.

All PHP 8.2 users are encouraged to upgrade to this version.

For source downloads of PHP 8.2.11 please visit our downloads page, Windows source and binaries can be found on windows.php.net/download/. The list of changes is recorded in the ChangeLog.

The PHP team is pleased to announce the release of PHP 8.3.0, RC 2. This is the second release candidate, continuing the PHP 8.3 release cycle, the rough outline of which is specified in the PHP Wiki.

For source downloads of PHP 8.3.0, RC 2 please visit the download page.

Please carefully test this version and report any issues found in the bug reporting system.

Please DO NOT use this version in production, it is an early test version.

For more information on the new features and other changes, you can read the NEWS file or the UPGRADING file for a complete list of upgrading notes. These files can also be found in the release archive.

The next release will be the third release candidate (RC 3), planned for 28 September 2023.

The signatures for the release can be found in the manifest or on the QA site.

Thank you for helping us make PHP better.