PHP

5.6.0

Released on 28 Aug 2014
Project description.
PHP is a popular general-purpose scripting language that is especially suited to web development.
PHP 5.6.0 Changelog
  • General improvements:
    • Added constant scalar expressions syntax.
    • Added dedicated syntax for variadic functions.
    • Added support for argument unpacking to complement the variadic syntax.
    • Added an exponentiation operator (**).
    • Added phpdbg SAPI.
    • Added unified default encoding.
    • The php://input stream is now re-usable and can be used concurrently with enable_post_data_reading=0.
    • Added use function and use const.
    • Added a function for timing attack safe string comparison.
    • Added the __debugInfo() magic method to allow userland classes to implement the get_debug_info API previously available only to extensions.
    • Added gost-crypto (CryptoPro S-box) hash algorithm.
    • Stream wrappers verify peer certificates and host names by default in encrypted client streams.
    • Uploads equal or greater than 2GB in size are now accepted.
  • Core:
    • Fixed bug #67693 (incorrect push to the empty array).
    • Removed inconsistency regarding behaviour of array in constants at run-time.
    • Fixed bug #67497 (eval with parse error causes segmentation fault in generator).
    • Fixed bug #67151 (strtr with empty array crashes).
    • Fixed bug #67407 (Windows 8.1/Server 2012 R2 reported as Windows 8/Server 2012).
    • Fixed bug #66608 (Incorrect behavior with nested "finally" blocks).
    • Implemented FR #34407 (ucwords and Title Case).
    • Fixed bug #67091 (make install fails to install libphp5.so on FreeBSD 10.0).
    • Fixed bug #67368 (Memory leak with immediately dereferenced array in class constant).
    • Fixed bug #67468 (Segfault in highlight_file()/highlight_string()).
    • Fixed bug #67498 (phpinfo() Type Confusion Information Leak Vulnerability).
    • Fixed bug #67551 (php://input temp file will be located in sys_temp_dir instead of upload_tmp_dir).
    • Fixed bug #67169 (array_splice all elements, then []= gives wrong index).
    • Fixed bug #67198 (php://input regression).
    • Fixed bug #67247 (spl_fixedarray_resize integer overflow).
    • Fixed bug #67250 (iptcparse out-of-bounds read).
    • Fixed bug #67252 (convert_uudecode out-of-bounds read).
    • Fixed bug #67249 (printf out-of-bounds read).
    • Implemented FR #64744 (Differentiate between member function call on a null and non-null, non-objects).
    • Fixed bug #67436 (Autoloader isn't called if two method definitions don't match).
    • Fixed bug #66622 (Closures do not correctly capture the late bound class (static::) in some cases).
    • Fixed bug #67390 (insecure temporary file use in the configure script). (CVE-2014-3981)
    • Fixed bug #67392 (dtrace breaks argument unpack).
    • Fixed bug #67428 (header('Location: foo') will override a 308-399 response code).
    • Fixed bug #67433 (SIGSEGV when using count() on an object implementing Countable).
    • Fixed bug #67399 (putenv with empty variable may lead to crash).
    • Expose get_debug_info class hook as __debugInfo() magic method.
    • Implemented unified default encoding (RFC: https://wiki.php.net/rfc/default_encoding).
    • Added T_POW (**) operator (RFC: https://wiki.php.net/rfc/pow-operator).
    • Improved IS_VAR operands fetching.
    • Improved empty string handling. Now ZE uses an interned string instead of allocating a new empty string each time.
    • Implemented internal operator overloading (RFC: https://wiki.php.net/rfc/operator_overloading_gmp).
    • Made calls from incompatible context issue an E_DEPRECATED warning instead of E_STRICT (phase 1 of RFC: https://wiki.php.net/rfc/incompat_ctx).
    • Uploads equal or greater than 2GB in size are now accepted.
    • Reduced POST data memory usage by 200-300%. Changed INI setting always_populate_raw_post_data to throw a deprecation warning when enabling and to accept -1 for never populating the $HTTP_RAW_POST_DATA global variable, which will be the default in future PHP versions.
    • Implemented dedicated syntax for variadic functions (RFC: https://wiki.php.net/rfc/variadics).
    • Fixed bug #50333 Improving multi-threaded scalability by using emalloc/efree/estrdup (Anatol, Dmitry)
    • Implemented constant scalar expressions (with support for constants) (RFC: https://wiki.php.net/rfc/const_scalar_exprs).
    • Fixed bug #65784 (Segfault with finally).
    • Fixed bug #66509 (copy() arginfo has changed starting from 5.4).
    • Allow zero length comparison in substr_compare() (Tjerk)
    • Fixed bug #60602 (proc_open() changes environment array) (Tjerk)
    • Fixed bug #61019 (Out of memory on command stream_get_contents).
    • Fixed bug #64330 (stream_socket_server() creates wrong Abstract Namespace UNIX sockets).
    • Fixed bug #66182 (exit in stream filter produces segfault).
    • Fixed bug #66736 (fpassthru broken).
    • Fixed bug #66822 (Cannot use T_POW in const expression) (Tjerk)
    • Fixed bug #67043 (substr_compare broke by previous change) (Tjerk)
    • Fixed bug #65701 (copy() doesn't work when destination filename is created by tempnam()).
    • Fixed bug #66015 (Unexpected array indexing in class's static property).
    • Added (constant) string/array dereferencing to static scalar expressions to complete the set; now possible thanks to #66015 being fixed.
    • Fixed bug #66568 (Update reflection information for unserialize() function).
    • Fixed bug #66660 (Composer.phar install/update fails).
    • Fixed bug #67024 (getimagesize should recognize BMP files with negative height).
    • Fixed bug #67064 (Countable interface prevents using 2nd parameter ($mode) of count() function).
    • Fixed bug #67072 (Echoing unserialized "SplFileObject" crash).
    • Fixed bug #67033 (Remove reference to Windows 95).
  • Apache2 Handler SAPI:
    • Fixed Apache log issue caused by APR's lack of support for %zu (APR issue https://issues.apache.org/bugzilla/show_bug.cgi?id=56120).
  • CLI server:
    • Added some MIME types to the CLI web server.
    • Fixed bug #67079 (Missing MIME types for XML/XSL files).
    • Fixed bug #66830 (Empty header causes PHP built-in web server to hang).
    • Fixed bug #67594 (Unable to access to apache_request_headers() elements).
    • Implemented FR #67429 (CLI server is missing some new HTTP response codes).
    • Fixed bug #67406 (built-in web-server segfaults on startup).
  • COM:
    • Fixed bug #41577 (DOTNET is successful once per server run) (Aidas Kasparas)
    • Fixed missing type checks in com_event_sink (Yussuf Khalil, Stas).
    • Fixed bug #66431 (Special Character via COM Interface (CP_UTF8)).
  • Curl:
    • Implemented FR #65646 (re-enable CURLOPT_FOLLOWLOCATION with open_basedir or safe_mode).
    • Check for openssl.cafile ini directive when loading CA certs.
    • Remove cURL close policy related constants as these have no effect and are no longer used in libcurl.
    • Fixed bug #66109 (Can't reset CURLOPT_CUSTOMREQUEST to default behaviour) (Tjerk)
    • Fix compilation on libcurl versions between 7.10.5 and 7.12.2, inclusive.
    • Fixed bug #64247 (CURLOPT_INFILE doesn't allow reset).
    • Fixed bug #66562 (curl_exec returns differently than curl_multi_getcontent).
  • Date:
    • Fixed bug #66060 (Heap buffer over-read in DateInterval). (CVE-2013-6712)
    • Fixed bug #66091 (memory leaks in DateTime constructor) (Tjerk).
    • Fixed bug #67308 (Serialize of DateTime truncates fractions of second).
    • Fixed regression in fix for #67118 (constructor can't be called twice).
    • Fixed bug #67251 (date_parse_from_format out-of-bounds read).
    • Fixed bug #67253 (timelib_meridian_with_check out-of-bounds read).
    • Added DateTimeImmutable::createFromMutable to create a DateTimeImmutable object from an existing DateTime (mutable) object (Derick)
    • Fixed bug #66721 (__wakeup of DateTime segfaults when invalid object data is supplied).
    • Fixed bug #67118 (DateTime constructor crash with invalid data).
  • DOM:
    • Fixed bug #67081 (DOMDocumentType->internalSubset returns entire DOCTYPE tag, not only the subset).
  • Embed:
    • Fixed bug #65715 (php5embed.lib isn't provided anymore). (Anatol).
  • Fileinfo:
    • Fixed bug #67716 (Segfault in cdf.c). (CVE-2014-3587)
    • Fixed bug #67705 (extensive backtracking in rule regular expression). (CVE-2014-3538)
    • Fixed bug #67327 (fileinfo: CDF infinite loop in nelements DoS). (CVE-2014-0238)
    • Fixed bug #67328 (fileinfo: numerous file_printf calls resulting in performance degradation). (CVE-2014-0237)
    • Fixed bug #67326 (fileinfo: cdf_read_short_sector insufficient boundary check). (CVE-2014-0207)
    • Fixed bug #67329 (fileinfo: NULL pointer dereference flaw by processing certain CDF files). (CVE-2014-0236)
    • Fixed bug #67410 (fileinfo: mconvert incorrect handling of truncated pascal string size). (CVE-2014-3478)
    • Fixed bug #67411 (fileinfo: cdf_check_stream_offset insufficient boundary check). (CVE-2014-3479)
    • Fixed bug #67412 (fileinfo: cdf_count_chain insufficient boundary check). (CVE-2014-3480)
    • Fixed bug #67413 (fileinfo: cdf_read_property_info insufficient boundary check). (CVE-2014-3487)
    • Upgraded to libmagic-5.17 (Anatol)
    • Fixed bug #66731 (file: infinite recursion). (CVE-2014-1943)
    • Fixed bug #66820 (out-of-bounds memory access in fileinfo). (CVE-2014-2270)
    • Fixed bug #66946 (fileinfo: extensive backtracking in awk rule regular expression). (CVE-2013-7345)
    • Fixed bug #66987 (Memory corruption in fileinfo ext / bigendian).
    • Fixed bug #66907 (Solaris 10 is missing strcasestr and needs substitute).
    • Fixed bug #66307 (Fileinfo crashes with powerpoint files).
  • FPM:
    • Fixed bug #67606 (revised fix 67541, broke mod_fastcgi BC).
    • Fixed bug #67530 (error_log=syslog ignored).
    • Fixed bug #67635 (php links to systemd libraries without using pkg-config).
    • Fixed bug #67531 (syslog cannot be set in pool configuration).
    • Fixed bug #67541 (Fix Apache 2.4.10+ SetHandler proxy:fcgi:// incompatibilities).
    • Included apparmor support in fpm (RFC: https://wiki.php.net/rfc/fpm_change_hat).
    • Added clear_env configuration directive to disable clearenv() call.
    • Fixed bug #66482 (unknown entry 'priority' in php-fpm.conf).
    • Fixed bug #66908 (php-fpm reload leaks epoll_create() file descriptor).
    • Fixed bug #67060 (sapi/fpm: possible privilege escalation due to insecure default configuration). (CVE-2014-0185)
  • GD:
    • Fixed bug #67730 (Null byte injection possible with imagexxx functions). (CVE-2014-5120)
    • Fixed bug #66901 (php-gd 'c_color' NULL pointer dereference). (CVE-2014-2497)
    • Fixed bug #67248 (imageaffinematrixget missing check of parameters).
    • Fixed imagettftext to load the correct character map rather than the last one.
    • Fixed bug #66356 (Heap Overflow Vulnerability in imagecrop()). (CVE-2013-7226)
    • Fixed bug #66815 (imagecrop(): insufficient fix for NULL defer). (CVE-2013-7327)
    • Fixed bug #66869 (Invalid 2nd argument crashes imageaffinematrixget).
    • Fixed bug #66887 (imagescale - poor quality of scaled image).
    • Fixed bug #66890 (imagescale segfault).
    • Fixed bug #66893 (imagescale ignore method argument).
  • GMP:
    • Fixed bug #66872 (invalid argument crashes gmp_testbit) (Pierre)
    • Fixed crashes in serialize/unserialize.
    • Moved GMP to use object as the underlying structure and implemented various improvements based on this.
    • Added gmp_root() and gmp_rootrem() functions for calculating nth roots.
  • Hash:
    • Added gost-crypto (CryptoPro S-box) GOST hash algo.
    • Fixed bug #66698 (Missing FNV1a32 and FNV1a64 hash functions). (Michael M Slusarz).
    • Implemented timing attack safe string comparison function (RFC: https://wiki.php.net/rfc/timing_attack).
    • hash_pbkdf2() now works correctly if the $length argument is not specified.
  • Intl:
    • Fixed bug #66873 (A reproducible crash in UConverter when given invalid encoding) (Stas)
    • Fixed bug #66921 (Wrong argument type hint for function intltz_from_date_time_zone).
    • Fixed bug #67052 (NumberFormatter::parse() resets LC_NUMERIC setting).
    • Fixed bug #67349 (Locale::parseLocale Double Free).
    • Fixed bug #67397 (Buffer overflow in locale_get_display_name and uloc_getDisplayName (libicu 4.8.1)).
  • JSON:
    • Fixed case part of bug #64874 ("json_decode handles whitespace and case-sensitivity incorrectly")
    • Fixed bug #65753 (JsonSerializeable couldn't implement on module extension) (chobieeee@php.net)
    • Fixed bug #66021 (Blank line inside empty array/object when JSON_PRETTY_PRINT is set).
  • ldap:
    • Added new function ldap_modify_batch().
    • Fixed issue with null bytes in LDAP bindings.
  • litespeed:
    • Fixed bug #63228 (-Werror=format-security error in lsapi code).
  • Mail:
    • Fixed bug #66535 (Don't add newline after X-PHP-Originating-Script) (Tjerk)
  • Mcrypt:
    • No longer allow invalid key sizes, invalid IV sizes or missing required IV in mcrypt_encrypt, mcrypt_decrypt and the deprecated mode functions.
    • Use /dev/urandom as the default source for mcrypt_create_iv().
  • Mbstring:
    • Upgraded to oniguruma 5.9.5 (Anatol)
    • Fixed bug #67199 (mb_regex_encoding mismatch).
  • Milter:
    • Fixed bug #67715 (php-milter does not build and crashes randomly).
  • mysqli:
    • Added new function mysqli_get_links_stats() as well as new INI variable mysqli.rollback_on_cached_plink of type bool (Andrey)
    • Fixed bug #66762 (Segfault in mysqli_stmt::bind_result() when link closed) (Remi)
    • Fixed building against an external libmysqlclient.
  • mysqlnd:
    • Disabled flag for SP OUT variables for 5.5+ servers as they are not natively supported by the overlying APIs.
    • Added a new fetching mode to mysqlnd.
    • Added support for gb18030 from MySQL 5.7.
  • Network:
    • Fixed bug #67717 (segfault in dns_get_record). (CVE-2014-3597)
    • Fixed bug #67432 (Fix potential segfault in dns_get_record()). (CVE-2014-4049)
  • OCI8:
    • Fixed bug #66875 (Improve performance of multi-row OCI_RETURN_LOB queries) (Perrier, Chris Jones)
  • ODBC:
    • Fixed bug #60616 (odbc_fetch_into returns junk at end of multi-byte char fields).
  • OpenSSL:
    • Fixed missing type checks in OpenSSL options (Yussuf Khalil, Stas).
    • Fixed bug #67609 (TLS connections fail behind HTTP proxy).
    • Fixed broken build against OpenSSL older than 0.9.8 where ECDH unavailable.
    • Fixed bug #67666 (Subject altNames doesn't support wildcard matching).
    • Fixed bug #67224 (Fall back to crypto_type from context if not specified explicitly in stream_socket_enable_crypto).
    • Fixed bug #65698 (certificates validity parsing does not work past 2050).
    • Fixed bug #66636 (openssl_x509_parse warning with V_ASN1_GENERALIZEDTIME).
    • Peer certificates now verified by default in client socket operations (RFC: https://wiki.php.net/rfc/tls-peer-verification).
    • New openssl.cafile and openssl.capath ini directives.
    • Added crypto_method option for the ssl stream context.
    • Added certificate fingerprint support.
    • Added explicit TLSv1.1 and TLSv1.2 stream transports.
    • Fixed bug #65729 (CN_match gives false positive).
    • Peer name verification matches SAN DNS names for certs using the Subject Alternative Name x509 extension.
    • Fixed segfault when built against OpenSSL>=1.0.1 (Daniel Lowrey)
    • Added SPKAC support.
    • Fallback to Windows CA cert store for peer verification if no openssl.cafile ini directive or "cafile" SSL context option specified in Windows.
    • The openssl.cafile and openssl.capath ini directives introduced in alpha2 now have PHP_INI_PERDIR accessibility (was PHP_INI_ALL).
    • New "peer_name" SSL context option replaces "CN_match" (which still works as before but triggers E_DEPRECATED).
    • Fixed segfault when accessing non-existent context for client SNI use (Daniel Lowrey)
    • Fixed bug #66501 (Add EC key support to php_openssl_is_private_key).
    • Fixed bug #47030 (add new boolean "verify_peer_name" SSL context option allowing clients to verify cert names separately from the cert itself). "verify_peer_name" is enabled by default for client streams.
    • Fixed bug #65538 ("cafile" SSL context option now supports stream wrappers).
    • New openssl_get_cert_locations() function to aid CA file and peer verification debugging.
    • Encrypted stream wrappers now disable TLS compression by default.
    • New "capture_session_meta" SSL context option allows encrypted client and server streams access to negotiated protocol/cipher information.
    • New "honor_cipher_order" SSL context option allows servers to prioritize cipher suites of their choosing when negotiating SSL/TLS handshakes.
    • New "single_ecdh_use" and "single_dh_use" SSL context options allow for improved forward secrecy in encrypted stream servers.
    • New "dh_param" SSL context option allows stream servers control over the parameters when negotiating DHE cipher suites.
    • New "ecdh_curve" SSL context option allowing stream servers to specify the curve to use when negotiating ephemeral ECDHE ciphers (defaults to NIST P-256).
    • New "rsa_key_size" SSL context option gives stream servers control over the key size (in bits) used for RSA key agreements.
    • Crypto methods for encrypted client and server streams now use bitwise flags for fine-grained protocol support.
    • Added new tlsv1.0 stream wrapper to specify TLSv1 client/server method. tls wrapper now negotiates TLSv1, TLSv1.1 or TLSv1.2.
    • Encrypted client streams now enable SNI by default.
    • Encrypted streams now prioritize ephemeral key agreement and high strength ciphers by default.
    • New OPENSSL_DEFAULT_STREAM_CIPHERS constant exposes default cipher list.
    • New STREAM_CRYPTO_METHOD_* constants for enhanced control over the crypto methods negotiated encrypted server/client sessions.
    • Encrypted stream servers now automatically mitigate potential DoS vector arising from client-initiated TLS renegotiation. New "reneg_limit", "reneg_window" and "reneg_limit_callback" SSL context options for custom renegotiation limiting control.
    • Fixed memory leak in windows cert verification on verify failure.
    • Peer certificate capturing via SSL context options now functions even if peer verification fails.
    • Encrypted TLS servers now support the server name indication TLS extension via the new "SNI_server_certs" SSL context option.
    • Fixed bug #66833 (Default digest algo is still MD5, switch to SHA1).
    • Fixed bug #66942 (memory leak in openssl_seal()).
    • Fixed bug #66952 (memory leak in openssl_open()).
    • Fixed bug #66840 (Fix broken build when extension built separately).
  • OPcache:
    • Added an optimization of class constants and constant calls to some internal functions (Laruence, Dmitry)
    • Added an optimization pass to convert FCALL_BY_NAME into DO_FCALL.
    • Added an optimization pass to merged identical constants (and related cache_slots) in op_array->literals table.
    • Added script level constant replacement optimization pass.
    • Added function opcache_is_script_cached().
    • Added information about interned strings usage.
    • Fixed bug #67215 (php-cgi work with opcache, may be segmentation fault happen) (Dmitry, Laruence)
  • PCRE:
    • Fixed bug #67238 (Ungreedy and min/max quantifier bug, applied patch from the upstream).
    • Upgraded to PCRE 8.34.
    • Added support for (*MARK) backtracking verbs.
  • pgsql:
    • Fixed bug #67550 (Error in code "form" instead of "from", pgsql.c, line 756), which affected builds against libpq < 7.3.
    • pg_insert()/pg_select()/pg_update()/pg_delete() are no longer EXPERIMENTAL.
    • Implemented FR #25854 (Return value for pg_insert should be resource instead of bool).
    • Implemented FR #41146 (Add "description" with extended flag pg_meta_data(). pg_meta_data(resource $conn, string $table [, bool extended]) It also made pg_meta_data() return "is enum" always).
    • Read-only access to the socket stream underlying database connections is exposed via a new pg_socket() function to allow read/write polling when establishing asynchronous connections and executing queries in non-blocking applications.
    • Asynchronous connections are now possible using the PGSQL_CONNECT_ASYNC flag in conjunction with a new pg_connect_poll() function and connection polling status constants.
    • New pg_flush() and pg_consume_input() functions added to manually complete non-blocking reads/writes to underlying connection sockets.
    • pg_version() returns the full report obtained by PQparameterStatus().
    • Added pg_lo_truncate().
    • Added 64bit large object support for PostgreSQL 9.3 and later.
    • Fixed bug #67555 (Cannot build against libpq 7.3).
  • phpdbg:
    • Fixed bug #67575 (Compilation fails for phpdbg when the build directory != src directory).
    • Fixed bug #67499 (readline feature not enabled when build with libedit).
    • Fixed issue #94 (List behavior is inconsistent).
    • Fixed issue #97 (The prompt should always ensure it is on a newline).
    • Fixed issue #98 (break if does not seem to work).
    • Fixed issue #99 (register function has the same behavior as run).
    • Fixed issue #100 (No way to list the current stack/frames) (Help entry was missing).
    • Fixed bug which caused phpdbg to fail immediately on startup in non-debug builds.
    • Fixed bug #67212 (phpdbg uses non-standard TIOCGWINSZ).
    • Included phpdbg sapi (RFC: https://wiki.php.net/rfc/phpdbg).
    • Added watchpoints (watch command).
    • Renamed some commands (next => continue and how to step).
    • Fixed issue #85 (Added stdin/stdout/stderr constants and their php:// wrappers).
  • PDO:
    • Fixed bug #66604 ('pdo/php_pdo_error.h' not copied to the include dir).
  • PDO-ODBC:
    • Fixed bug #50444 (PDO-ODBC changes for 64-bit).
  • PDO_pgsql:
    • Fixed bug #42614 (PDO_pgsql: add pg_get_notify support).
    • Fixed bug #63657 (pgsqlCopyFromFile, pgsqlCopyToArray use Postgres < 7.3 syntax).
    • Cleaned up code by increasing the requirements to libpq versions providing PQexecParams, PQprepare, PQescapeStringConn, PQescapeByteaConn. According to the release notes that means 8.0.8+ or 8.1.4+.
    • Deprecated PDO::PGSQL_ATTR_DISABLE_NATIVE_PREPARED_STATEMENT, an undocumented constant effectively equivalent to PDO::ATTR_EMULATE_PREPARES.
    • Added PDO::PGSQL_ATTR_DISABLE_PREPARES constant to execute the queries without preparing them, while still passing parameters separately from the command text using PQexecParams.
  • PDO_firebird:
    • Fixed bug #66071 (memory corruption in error handling) (Popa)
  • Phar:
    • Fixed bug #64498 ($phar->buildFromDirectory can't compress file with an accent in its name).
    • Fixed bug #67587 (Redirection loop on nginx with FPM).
  • readline:
    • Fixed bug #55496 (Interactive mode doesn't force a newline before the prompt).
    • Fixed bug #67496 (Save command history when exiting interactive shell with control-c).
  • Reflection:
    • Implemented FR #67713 (loosen the restrictions on ReflectionClass::newInstanceWithoutConstructor()).
  • Session:
    • Fixed bug #67694 (Regression in session_regenerate_id()).
    • Fixed missing type checks in php_session_create_id (Yussuf Khalil, Stas).
    • Fixed bug #66827 (Session raises E_NOTICE when session name variable is array).
    • Fixed bug #65315 (session.hash_function silently fallback to default md5) (Yasuo)
    • Implemented FR #17860 (Session write short circuit).
    • Implemented FR #20421 (session_abort() and session_reset() function).
    • Remove session_gc() and session_serializer_name() which were introduced in the first 5.6.0 alpha.
  • SimpleXML:
    • Fixed bug #66084 (simplexml_load_string() mangles empty node name) (Anatol)
  • SQLite:
    • Updated the bundled libsqlite to the version 3.8.3.1 (Anatol)
    • Fixed bug #66967 (Updated bundled libsqlite to 3.8.4.3).
  • SOAP:
    • Implemented FR #49898 (Add SoapClient::__getCookies()).
  • SPL:
    • Revert fix for #67064 (BC issues).
    • Fixed bug #67539 (ArrayIterator use-after-free due to object change during sorting). (CVE-2014-4698)
    • Fixed bug #67538 (SPL Iterators use-after-free). (CVE-2014-4670)
    • Fixed bug #67492 (unserialize() SPL ArrayObject / SPLObjectStorage Type Confusion). (CVE-2014-3515)
    • Fixed bug #67359 (Segfault in recursiveDirectoryIterator).
    • Fixed bug #66127 (Segmentation fault with ArrayObject unset).
    • Implemented FR #67453 (Allow to unserialize empty data).
    • Fixed bug #66834 (empty() does not work on classes that extend ArrayObject) (Tjerk)
    • Fixed bug #66702 (RegexIterator::INVERT_MATCH does not invert).
  • Standard:
    • Implemented FR #65634 (HTTP wrapper is very slow with protocol_version 1.1).
    • Implemented Change crypt() behavior w/o salt RFC. (Yasuo) https://wiki.php.net/rfc/crypt_function_salt
    • Implemented FR #49824 (Change array_fill() to allow creating empty array).
  • Streams:
    • Fixed bug #67430 (http:// wrapper doesn't follow 308 redirects).
  • Tokenizer:
    • Fixed bug #67395 (token_name() does not return name for T_POW and T_POW_EQUAL token).
  • XMLReader:
    • Fixed bug #55285 (XMLReader::getAttribute/No/Ns methods inconsistency).
  • XSL:
    • Fixed bug #53965 (<xsl:include> cannot find files with relative paths when loaded with "file://").
  • Zip:
    • update libzip to version 1.11.2. PHP doesn't use any libzip private symbol anymore.
    • new method ZipArchive::setPassword($password).
    • add --with-libzip option to build with system libzip.
    • new methods: ZipArchive::setExternalAttributesName($name, $opsys, $attr [, $flags]), ZipArchive::setExternalAttributesIndex($idx, $opsys, $attr [, $flags]), ZipArchive::getExternalAttributesName($name, &$opsys, &$attr [, $flags]), ZipArchive::getExternalAttributesIndex($idx, &$opsys, &$attr [, $flags]).
  • Zlib:
    • Fixed bug #67865 (internal corruption phar error). (Mike)
    • Fixed bug #67724 (chained zlib filters silently fail with large amounts of data).