FFI is one of the features that made Python and LuaJIT very useful for fast
prototyping. It allows calling C functions and using C data types from pure
scripting language and therefore develop “system code” more productively.
For PHP, FFI opens a way to write PHP extensions and bindings to C libraries
in pure PHP.
Provides
Requires
License
PHP
Changelog
* Tue May 12 2026 Remi Collet <remi@remirepo.net> - 7.4.33-26
- Fix XSS within status endpoint
CVE-2026-6735
- Fix Stale SOAP_GLOBAL(ref_map) pointer with Apache Map
CVE-2026-6722
- Fix Use-after-free after header parsing failure with SOAP_PERSISTENCE_SESSION
CVE-2026-7261
- Fix Broken Apache map value NULL check
CVE-2026-7262
- Fix Signed integer overflow of char array offset
CVE-2026-7568
- Fix Consistently pass unsigned char to ctype.h functions
CVE-2026-7258
* Thu Dec 18 2025 Remi Collet <remi@remirepo.net> - 7.4.33-25
- Fix Null byte termination in dns_get_record()
GHSA-www2-q4fc-65wf
- Fix Heap buffer overflow in array_merge()
CVE-2025-14178
- Fix Information Leak of Memory in getimagesize
CVE-2025-14177
* Thu Jul 03 2025 Remi Collet <remi@remirepo.net> - 7.4.33-24
- Fix pgsql extension does not check for errors during escaping
CVE-2025-1735
- Fix NULL Pointer Dereference in PHP SOAP Extension via Large XML Namespace Prefix
CVE-2025-6491
- Fix Null byte termination in hostnames
CVE-2025-1220
* Mon Mar 17 2025 Remi Collet <remi@remirepo.net> - 7.4.33-23
- Fix libxml streams use wrong `content-type` header when requesting a redirected resource
CVE-2025-1219
- Fix Stream HTTP wrapper header check might omit basic auth header
CVE-2025-1736
- Fix Stream HTTP wrapper truncate redirect location to 1024 bytes
CVE-2025-1861
- Fix Streams HTTP wrapper does not fail for headers without colon
CVE-2025-1734
- Fix Header parser of `http` stream wrapper does not handle folded headers
CVE-2025-1217
- use oracle client library version 23.7 on x86_64 and aarch64
* Thu Feb 13 2025 Remi Collet <remi@remirepo.net> - 7.4.33-22
- backport fix for ICU 74+
- backport fix strict prototypes
* Wed Nov 27 2024 Remi Collet <remi@remirepo.net> - 7.4.33-21
- Fix Leak partial content of the heap through heap buffer over-read
CVE-2024-8929
* Fri Nov 22 2024 Remi Collet <remi@remirepo.net> - 7.4.33-20
- Fix Heap-Use-After-Free in sapi_read_post_data Processing in CLI SAPI Interface
GHSA-4w77-75f9-2c8w
- Fix OOB access in ldap_escape
CVE-2024-8932
- Fix Integer overflow in the dblib/firebird quoter causing OOB writes
CVE-2024-11236
- Fix Configuring a proxy in a stream context might allow for CRLF injection in URIs
CVE-2024-11234
- Fix Single byte overread with convert.quoted-printable-decode filter
CVE-2024-11233
* Fri Nov 15 2024 Remi Collet <remi@remirepo.net> - 7.4.33-19
- disable firebird on EL-10
* Thu Sep 26 2024 Remi Collet <remi@remirepo.net> - 7.4.33-18
- Fix Bypass of CVE-2012-1823, Argument Injection in PHP-CGI
CVE-2024-4577
- Fix Bypass of CVE-2024-4577, Parameter Injection Vulnerability
CVE-2024-8926
- Fix cgi.force_redirect configuration is bypassable due to the environment variable collision
CVE-2024-8927
- Fix Logs from childrens may be altered
CVE-2024-9026
- Fix Erroneous parsing of multipart form data
CVE-2024-8925
- use ICU 74.2
* Mon Aug 26 2024 Remi Collet <remi@remirepo.net> - 7.4.33-17
- add backport for https://bugs.php.net/79589
error:14095126:SSL routines:ssl3_read_n:unexpected eof while reading
* Wed Jul 31 2024 Remi Collet <remi@remirepo.net> - 7.4.33-16
- use oracle client library version 23.5 on x86_64
* Tue Jun 04 2024 Remi Collet <remi@remirepo.net> - 7.4.33-15
- Fix filter bypass in filter_var FILTER_VALIDATE_URL
CVE-2024-5458
* Wed Apr 10 2024 Remi Collet <remi@remirepo.net> - 7.4.33-14
- Fix __Host-/__Secure- cookie bypass due to partial CVE-2022-31629 fix
CVE-2024-2756
- Fix password_verify can erroneously return true opening ATO risk
CVE-2024-3096
* Wed Mar 06 2024 Remi Collet <remi@remirepo.net> - 7.4.33-13
- patch test suite for zlib-ng
* Mon Feb 19 2024 Remi Collet <remi@remirepo.net> - 7.4.33-12
- more build patch for GCC 14
* Wed Feb 14 2024 Remi Collet <remi@remirepo.net> - 7.4.33-11
- add build patch for GCC 14
- use oracle client library version 21.13 on x86_64
* Tue Dec 12 2023 Remi Collet <remi@remirepo.net> - 7.4.33-10
- use ICU 73.2
- use oracle client library version 21.12 on x86_64, 19.19 on aarch64
- add fixes for libxml 2.11 and 2.12 from 8.1
* Thu Sep 21 2023 Remi Collet <remi@remirepo.net> - 7.4.33-9
- use oracle client library version 21.11 on x86_64, 19.19 on aarch64
- use official Oracle Instant Client RPM
* Tue Aug 01 2023 Remi Collet <remi@remirepo.net> - 7.4.33-8
- Fix Security issue with external entity loading in XML without enabling it
GHSA-3qrf-m4j2-pcrr CVE-2023-3823
- Fix Buffer mismanagement in phar_dir_read()
GHSA-jqcx-ccgc-xwhv CVE-2023-3824
- move httpd/nginx wants directive to config files in /etc
* Tue Jun 06 2023 Remi Collet <remi@remirepo.net> - 7.4.33-7
- Fix Missing error check and insufficient random bytes in HTTP Digest
authentication for SOAP
GHSA-76gg-c692-v2mw CVE-2023-3247
* Fri Apr 14 2023 Remi Collet <remi@remirepo.net> - 7.4.33-6
- use ICU 72.1
- use oracle client library version 21.10
- fix possible buffer overflow in date
- define %__phpize and %__phpconfig
* Tue Feb 21 2023 Remi Collet <remi@remirepo.net> - 7.4.33-5
- F38: enable imap extension
* Tue Feb 14 2023 Remi Collet <remi@remirepo.net> - 7.4.33-4
- fix #81744: Password_verify() always return true with some hash
CVE-2023-0567
- fix #81746: 1-byte array overrun in common path resolve code
CVE-2023-0568
- fix DOS vulnerability when parsing multipart request body
CVE-2023-0662
* Fri Feb 10 2023 Remi Collet <remi@remirepo.net> - 7.4.33-3
- F38: disable imap extension
- add dependency on pcre2 minimal version
* Mon Dec 19 2022 Remi Collet <remi@remirepo.net> - 7.4.33-2
- pdo: fix #81740: PDO::quote() may return unquoted string
CVE-2022-31631
- use oracle client library version 21.8
* Tue Nov 01 2022 Remi Collet <remi@remirepo.net> - 7.4.33-1
- Update to 7.4.33 - http://www.php.net/releases/7_4_33.php
* Wed Oct 26 2022 Remi Collet <remi@remirepo.net> - 7.4.32-2
- add upstream fix for CVE-2022-31630 and CVE-2022-37454
* Wed Sep 28 2022 Remi Collet <remi@remirepo.net> - 7.4.32-1
- Update to 7.4.32 - http://www.php.net/releases/7_4_32.php
- use ICU 71.1
* Wed Jul 27 2022 Remi Collet <remi@remirepo.net> - 7.4.30-2
- use bcond for zts and debug
* Tue Jun 07 2022 Remi Collet <remi@remirepo.net> - 7.4.30-1
- Update to 7.4.30 - http://www.php.net/releases/7_4_30.php
- use oracle client library version 21.6
* Tue Apr 12 2022 Remi Collet <remi@remirepo.net> - 7.4.29-1
- Update to 7.4.29 - http://www.php.net/releases/7_4_29.php
* Tue Feb 22 2022 Remi Collet <remi@remirepo.net> - 7.4.28-2
- retrieve tzdata version
- use oracle client library version 21.5
* Tue Feb 15 2022 Remi Collet <remi@remirepo.net> - 7.4.28-1
- Update to 7.4.28 - http://www.php.net/releases/7_4_28.php
* Wed Dec 15 2021 Remi Collet <remi@remirepo.net> - 7.4.27-1
- Update to 7.4.27 - http://www.php.net/releases/7_4_27.php
* Thu Dec 02 2021 Remi Collet <remi@remirepo.net> - 7.4.27~RC1-2
- ensure we use libgd >= 2.3
* Wed Dec 01 2021 Remi