PHP 8.3.31 was released on 2026-05-05 with 8 CVE fixes:
- CVE-2026-6735 (FPM, XSS in status endpoint)
- CVE-2026-7259 (MBString, NULL deref in `mb_ereg_search_init`)
- CVE-2025-14179 (PDO_Firebird, SQLi via NUL bytes in quoted strings)
- CVE-2026-6722 (SOAP, stale `SOAP_GLOBAL(ref_map)` pointer)
- CVE-2026-7261 (SOAP, UAF after header parsing failure)
- CVE-2026-7262 (SOAP, broken Apache map value NULL check)
- CVE-2026-7568 (Standard, signed integer overflow)
- CVE-2026-7258 (Standard, ctype.h `unsigned char` consistency)
Reference: https://github.com/php/php-src/blob/PHP-8.3.31/NEWS
`versions.json` is still on `8.3.30`, and the `php:8.3-apache-bookworm` floating tag still resolves to a 2026-04-22 image with PHP 8.3.30.
Could `update.sh` be run for the 8.3 line so the rebuild picks up the security fixes?
Note: a rebuild on bookworm/trixie would also resolve #1658 (Apache 2.4.66 → 2.4.67) since `bookworm-security` already ships `apache2 2.4.67-1~deb12u1`.
cc @yosifkit @tianon