- security issues
  . #79812 Pcntl: Potential integer overflow in pcntl_exec()
  . CVE-2020-7071 Standard: FILTER_VALIDATE_URL accepts URLs with invalid userinfo (#77423)
  . CVE-2021-21706 Zip: ZipArchive::extractTo extracts outside of destinatio (#81420)
  . CVE-2021-21703 FPM; PHP-FPM oob R/W in root process leading to privilege escalation (#81026)
  . CVE-2021-21707 XML: special character is breaking the path in xml function (#79971)

- security issues
  . CVE-2020-7068 Use of freed hash key in the phar_parse_zipfile function (#79797)
  . CVE-2020-7070 PHP parses encoded cookie names so malicious `__Host-` cookies can be sent (#79699)

- security issues
  . CVE-2019-11048 Core: Long filenames cause OOM and temp files are not cleaned (#78875)
  . CVE-2019-11048 Core: Long variables in multipart/form-data cause OOM and temp files are not cleaned (#78876)
  . CVE-2020-7064 EXIF: Use-of-uninitialized-value in exif (#79282)
  . CVE-2020-7066 Standard: get_headers() silently truncates after a null byte (#79329)
  . CVE-2020-7063 Phar: Files added to tar with Phar::buildFromIterator have all-access permissions (#79082)
  . CVE-2020-7062 Sessions: Null Pointer Dereference in PHP Session Upload Progress (#79221)

- security issues
  . CVE-2019-13224 #78380 MBString: don't allow different encodings for onig_new_deluxe
  . CVE-2019-11050 #78793 EXIF: Use-after-free in exif parsing under memory sanitizer
  . CVE-2019-11047 #78910 EXIF: Heap-buffer-overflow READ in exif
  . CVE-2019-11046 #78878 Bcmath: Buffer underflow in bc_shift_addsub
  . CVE-2019-11045 #78863 Core: DirectoryIterator class silently truncates after a null byte
  . CVE-2019-11044 #78862 Core: link() silently truncates after a null byte on Windows
  . CVE-2019-11043 #78599 FPM: env_path_info underflow in fpm_main.c can lead to RCE
  . CVE-2019-11042 #78256 EXIF: heap-buffer-overflow on exif_process_user_comment
  . CVE-2019-11041 #78222 EXIF: heap-buffer-overflow on exif_scan_thumbnail
  . CVE-2020-7060  #79037 Mbstring: global buffer-overflow in 'mbfl_filt_conv_big5_wchar'
  . CVE-2020-7059  #79099 Standard: OOB read in php_strip_tags_ex

- refixed CVE-2019-11038 : unrefferenced gd_error

- update 7.0.33
  http://php.net/ChangeLog-7.php#7.0.33

- security issues
  . CVE-2018-17082 Apache2: XSS due to the header Transfer-Encoding: chunked (#76582)
  . CVE-2018-14883 EXIF: Int Overflow lead to Heap OverFlow in exif_thumbnail_extract of exif.c (#76423)
  . CVE-2018-14851 EXIF: heap-buffer-overflow (READ of size 48) while reading exif data (#76557)

- update 7.0.30
- security issues
  . CVE-2018-10545 FPM: Dumpable FPM child processes allow bypassing opcache access controls (#75605)
  . CVE-2018-10549 Exif: Heap Buffer Overflow (READ: 1786) in exif_iif_add_value (#76130)
  . CVE-2018-10546 iconv: stream filter convert.iconv leads to infinite loop on invalid sequence (#76249)
  . CVE-2018-10548 LDAP: Malicious LDAP-Server Response causes Crash (#76248)
  . CVE-2018-10547 Phar: fix for CVE-2018-5712 may not be complete (#76129)

- update 7.0.28
- security issues
  . CVE-2018-7584 stack-buffer-overflow while parsing HTTP response (#75981)

- update 7.0.27
- if upload_image_check is on, only add sec and secstr member of $_FILES

- official 7.0.26 bug fixed
  . fixed #60471 CLI Server: Random "Invalid request (unexpected EOF)" using a router script
  . fixed #74183 PCRE: preg_last_error not returning error code after error
  . fixed #75535 Standard: Inappropriately parsing HTTP response leads to PHP segment fault
  . fixed #75409 Standard: accept EFAULT in addition to ENOSYS as indicator that getrandom() is missing
  . fixed #75540 Zip: Segfault with libzip 1.3.1

- security issues
  . CVE-2016-1283 PCRE: preg_match double free

- fixed exec_dir activity
  . #15 But when using "2>&1" in exec command
  . #16 error "NULL byte detected."
- official 7.0.23 bug fixed
  . fixed Core: #75042 run-tests.php issues with EXTENSION block
  . fixed Curl: #75093 OpenSSL support not detected
  . fixed GD: #75124 gdImageGrayScale() may produce colors
  . fixed Intl: #75090 IntlGregorianCalendar doesn't have constants from parent class
  . fixed PDO_OCI: #74631 PDO_PCO with PHP-FPM: OCI environment initialized
    before PHP-FPM sets it up
  . fixed Standard: #75097 gethostname fails if your host name is 64 chars long

- official 7.0.19 bug fixed
  . fixed #74546 Core: SIGILL in ZEND_FETCH_CLASS_CONSTANT_SPEC_CONST_CONST
  . fixed #74600 Core: crash (SIGSEGV) in _zend_hash_add_or_update_i
  . fixed #74468 Int: wrong reflection on Collator::sortWithSortKeys
  . fixed #74547 MySQLi: mysqli::change_user() doesn't accept null as $database argument w/strict_types
  . fixed #51918 phar: Phar::webPhar() does not handle requests sent through PUT and DELETE method
  . fixed #74596 Opcache: SIGSEGV with opcache.revalidate_path enabled)
  . fixed #74510 Standard: win32/sendmail.c anchors CC header but not BCC
  . fixed #74457 xmlreader: Wrong reflection on XMLReader::expand

- official 7.0.20 bug fixed
  . fixed #74478 SPL: null coalescing operator failing with SplFixedArray

- pecl libevent
  . fixed #11 supplied resource is not a valid stream resource
  . fixed #14 Segmentation fault: 11 error
  . fixed #16 Bug of event_free
  . fixed #19 invalid file descriptor passed

- official 7.0.15 bug fuxed
  . fixed #73916 Core: zend_print_flat_zval_r doesn't consider reference
  . fixed #67583 FPM: double fastcgi_end_request on max_children limit
  . fixed #69993 GMP: test for gmp.h needs to test machine includes
  . fixed #73956 Intl: Link use CC instead of CXX
  . fixed #73933 LDAP: error/segfault with ldap_mod_replace and opcache
  . fixed #73949 MySQLi: leak in mysqli_fetch_object
  . fixed #69899 Mysqlnd: segfault on close() after free_result() with mysqlnd
  . fixed #71219 posix: configure script incorrectly checks for ttyname_r
  . fixed #69582 Session: session not readable by root in CLI
  . fixed #73896 SPL: spl_autoload() crashes when calls magic _call()
  . fixed #69442 Standard: closing of fd incorrect when PTS enabled
  . fixed #47021 Standard: SoapClient stumbles over WSDL delivered with "Transfer-Encoding:

- official 7.0.14 official bug fixed
  . fixed bug #73792 Core: invalid foreach loop hangs script
  . fixed bug #73753 Core: unserialized array pointer not advancing
  . fixed bug #67474 DOM: getElementsByTagNameNS filter on default ns
  . fixed bug #73462 Mysqli: Persistent connections don't set $connect_errno
  . fixed bug #73800 Mysqlnd: sporadic segfault with MYSQLI_OPT_INT_AND_FLOAT_NATIVE
  . fixed bug #73154 Standard: serialize object with __sleep function crash
  . fixed bug #31875 Standard: get_defined_functions additional param to exclude disabled functions
  . fixed bug #73373 Zlib: deflate_add does not verify that output was not truncated

- official 7.0.15 official bug fixed
  . fixed bug #71519 OpenSSL add serial hex to return value array
  . fixed bug #70417 Phar:PharData::compress() doesn't close temp file
  . Fixed bug #70103 ZIP: ZipArchive::addGlob ignores remove_all_path option

- security issues
  . exec_dir: #8 backquote and $() syntax weakness after semi colon
    https://github.com/OOPS-ORG-PHP/mod_execdir/issues/8

- update 7.0.14
- official 7.0.14 bug fixed
  . fixed #73585 Core: Logging of "Internal Zend error - Missing class information"
                       missing class name
  . fixed #73663 Core: "Invalid opcode 65/16/8" occurs with a variable created
                       with list()
  . fixed #73679 Com: DOTNET read access violation using invalid codepage
  . Mysqlnd: decoding BIT columns when having more than one rows in the result
             set. 7.0+ problem
  . fixed #73612 PCRE: preg_*() may leak memory
  . fixed #73586 Stream: php_user_filter::$stream is not set to the stream the
                         filter is working on
  . fixed #46103 Reflection: ReflectionObject memory leak
  . fixed #73594 Standard: dns_get_record does not populate $additional out parameter

- update 7.0.12
- fixed libevent segmentation fault (#9)

- official 7.0.12 bug fixed
  . fixed bug #73181 Core: parse_str() without a second argument leads to crash
  . fixed bug #66773 Core: Autoload with Opcache allows importing conflicting
                           class name to namespace
  . fixed bug #66862 Core: (Sub-)Namespaces unexpected behaviour
  . fixed bug #73213 GD: Integer overflow in imageline() with antialiasing
  . fixed bug #73272 GD: imagescale() is not affected by, but affects
                         imagesetinterpolation()
  . fixed bug #73279 GD: Integer overflow in gdImageScaleBilinearPalette()
  . fixed bug #73280 GD: Stack Buffer Overflow in GD dynamicGetbuf
  . fixed bug #73273 Session: session_unset() empties values from all variables
                              in which is $_session stored
  . fixed bug #73037 SOAP: SoapServer reports Bad Request when gzipped
  . fixed bug #73237 SOAP: Nested object in "any" element overwrites other fields
  . fixed bug #73203 Standard: passing additional_parameters causes mail to fail

- security issues
  . CVE-2016-7416 Intl: add locale length check  (#73007)
  . CVE-2016-7412 Mysqlnd: Heap overflow in mysqlnd related to BIT fields (#72293)
  . CVE-2016-7414 Phar: Out of bound when verify signature of zip phar in phar_parse_zipfile (#72928)
  . CVE-2016-7417 SPL: Missing type check when unserializing SplArray (#73029)
  . CVE-2016-7413 Wddx: wddx_deserialize use-after-free (#72860)
  . CVE-2016-7418 Wddx: Out-Of-Bounds Read in php_wddx_push_element (#73065)
  . CVE-2016-7124 Core: Create an Unexpected Object and Don't Invoke __wakeup() in Deserialization). (#72663)
  . CVE-2016-7125 Core: PHP Session Data Injection Vulnerability). (#72681)
  . CVE-2016-7133 Core: memory allocator fails to realloc small block to large one). (#72742)
  . CVE-2016-7134 CURL: Heap overflow in curl_escape). (#72674)
  . CVE-2016-7128 EXIF: Memory Leakage In exif_process_IFD_in_TIFF). (#72627)
  . CVE-2016-7126 GD: select_colors write out-of-bounds). (#72697)
  . CVE-2016-7127 GD: imagegammacorrect allows arbitrary write access). (#72730)
  . CVE-2016-7129 WDDX: wddx_deserialize allows illegal memory access). (#72749)
  . CVE-2016-7130 WDDX: wddx_deserialize null dereference). (#72750)
  . CVE-2016-7131 WDDX: wddx_deserialize null dereference with invalid xml). (#72790)
  . CVE-2016-7132 WDDX: wddx_deserialize null dereference in php_wddx_pop_element). (#72799)
  . CVE-2016-6289 Core: Stack-based buffer overflow vulnerability in virtual_file_ex). (#72513)
  . CVE-2016-5385 Core: HTTP_PROXY is improperly trusted by some PHP libraries and applications). (#72573)
  . CVE-2016-5399 Bzip2: Inadequate error handling in bzread()). (#72613)
  . CVE-2016-6291 EXIF: Out of bound read in exif_process_IFD_in_MAKERNOTE). (#72603)
  . CVE-2016-6292 EXIF: NULL Pointer Dereference in exif_process_user_comment). (#72618)
  . CVE-2016-6207 GD: Integer overflow error within _gdContributionsAlloc()). (#72558)
  . CVE-2016-6294 Intl: locale_accept_from_http out-of-bounds access). (#72533)
  . CVE-2016-6295 SNMP: Use After Free Vulnerability in SNMP with GC and unserialize()). (#72479)
  . CVE-2016-6297 Zip: Stack-based buffer overflow vulnerability in php_stream_zip_opener). (#72520)
  . CVE-2015-8874 GD: Stack overflow with imagefilltoborder). (#66387)
  . CVE-2016-5766 GD: Integer Overflow in _gd2GetHeader() resulting in heap overflow). (#72339)
  . CVE-2016-5767 GD: Integer Overflow in gdImagePaletteToTrueColor() resulting in heap overflow). (#72446)
  . CVE-2016-5769 mcrypt: Heap Overflow due to integer overflows). (#72455)
  . CVE-2016-4473 Phar: invalid free in phar_extract_file()). (#72321)
  . CVE-2016-5772 WDDX: Double Free Courruption in wddx_deserialize). (#72340)
  . CVE-2016-5773 Zip: ZipArchive class Use After Free Vulnerability in PHP's GC algorithm and unserialize). (#72434)

- fixed setfault ncurses_mvwaddstr and so on (only cli)

- official 7.0.8 bug fixed
  . fixed #64641 GD: imagefilledpolygon doesn't draw horizontal line

- security issues
  . CVE-2016-3074 libgd: signedness vulnerability (#71912)
  . CVE-2016-3078 integer overflow in ZipArchive::getFrom* (#71923)

- fixed zend_mm_heap corrupted problems of exec_dir patch

- official 7.0.7 bug fixed
  . fixed #72221 Core: segfault, past-the-end access
  . fixed #72218 Core: If host name cannot be resolved then PHP 7 crashes
  . fixed #72308 FPM: fastcgi_finish_request and logging environment variables
  . fixed #72337 GD: invalid dimensions can lead to crash
  . fixed #72143 PCRE: preg_replace uses int instead of size_t
  . fixed #71573 PDO_pgsql: Segfault (core dumped) if paramno beyond bound
  . fixed #72294 PDO_pgsql: Segmentation fault/invalid pointer in connection with pgsql_stmt_dtor
  . fixed #72284 Phpdbg: phpdbg fatal errors with coverage
  . fixed #72195 Postgres: pg_pconnect/pg_connect cause use-after-free
  . fixed #72197 Postgres: pg_lo_create arbitrary read
  . fixed #72206 XML: xml_parser_create/xml_parser_free leaks mem
  . fixed #72369 Standard: array_merge() produces references in PHP7
  . fixed #72017 Standard: range() with float step produces unexpected result
  . fixed #72229 Standard: Wrong reference when serialize/unserialize an object
  . fixed #72300 Standard: ignore_user_abort(false) has no effect
  . fixed #72258 Zip: ZipArchive converts filenames to unrecoverable form

- official 7.0.8 bug fixed
  . fixed #43475 GD: Thick styled lines have scrambled patterns
  . fixed #53640 GD: XBM images require width to be multiple of 8
  . fixed #72399 Mbstring: Use-After-Free in MBString (search_re)
  . fixed #72405 Mbstring: mb_ereg_replace - mbc_to_code (oniguruma) - oob read access
  . fixed #72306 Standard: Heap overflow through proc_open and $env parameter
  . fixed #72439 Stream: Stream socket with remote address leads to a segmentation fault

- security issues
  . CVE-2016-3185 #71610 Soap: Type Confusion Vulnerability - SOAP / make_http_soap_request()

- official 7.0.4 bug fixed
  . fixed bug #69953 CLI Server: Support MKCALENDAR request method
  . fixed bug #71624 Core: `php -R` (PHP_MODE_PROCESS_STDIN) is broken
  . fixed bug #71806 Core: php_strip_whitespace() fails on some numerical values
  . fixed bug #71767 Core: ReflectionMethod::getDocComment returns the wrong comment
  . fixed bug #71724 Core: yield from does not count EOLs
  . Fixed bug #71575 Core: ISO C does not allow extra ‘;’ outside of a function
  . fixed bug #71470 Core: Leaked 1 hashtable iterators
  . fixed bug #71535 Core: Integer overflow in zend_mm_alloc_heap()
  . fixed bug #71596 Core: Segmentation fault on ZTS with date function (setlocale)
  . fixed bug #71622 Core: Strings used in pass-as-reference cannot be used to invoke C::$callable()
  . fixed bug #71629 Core: Out-of-bounds access in php_url_decode in context php_stream_url_wrap_rfc2397
  . fixed bug #71695 Core: Global variables are reserved before execution
  . fixed bug #71729 Core: Possible crash in zend_bin_strtod, zend_oct_strtod, zend_hex_strtod
  . fixed bug #71756 Core: Call-by-reference widens scope to uninvolved functions when used in switch
  . fixed bug #71694 Curl: Support constant CURLM_ADDED_ALREADY
  . fixed bug #71635 Date: DatePeriod::getEndDate segfault
  . fixed bug #71536 libxml: Access Violation crashes php-cgi.exe
  . fixed bug #47803, #69526 ODBC: Executing prepared statements is succesfull only for the first two statements
  . fixed bug #71659 PCRE: segmentation fault in pcre running twig tests
  . fixed bug #71625 Phar: Crash in php7.dll with bad phar filename
  . fixed bug #71317 Phar: PharData fails to open specific file
  . fixed Bug #71683 Session: Null pointer dereference in zend_hash_str_find_bucket
  . fixed bug #71617 SPL: private properties lost when unserializing ArrayObject
  . fixed bug #71660 Standard: array_column behaves incorrectly after foreach by reference

- official 7.0.5 bug fixed
  . fixed bug #71841 Core: EG(error_zval) is not handled well
  . fixed bug #71731 Core: Null coalescing operator and ArrayAccess
  . fixed bug #69659 Core: ArrayAccess, isset() and the offsetExists method
  . fixed bug #62059 Core: ArrayObject and isset are not friends
  . fixed bug #71871 Core: Interfaces allow final and abstract functions
  . fixed Bug #71859 Core: zend_objects_store_call_destructors operates on realloced memory, crashing
  . fixed bug #71750 Core: Multiple Heap Overflows in php_raw_url_encode/php_url_encode
  . fixed bug #71840 Standard: Unserialize accepts wrongly data
  . fixed bug #71837 Standard: Wrong arrays behaviour
  . fixed bug #71831 Curl: CURLOPT_NOPROXY applied as long instead of string
  . fixed bug #63171 ODBC: Script hangs after max_execution_time
  . fixed bug #71843 Opcache: null ptr deref ZEND_RETURN_SPEC_CONST_HANDLER
  . fixed bug #52098 PDO: Own PDOStatement implementation ignore __call()
  . fixed bug #71820 Postgres: pg_fetch_object binds parameters before call constructor
  . fixed bug #71838 SPL: Deserializing serialized SPLObjectStorage-Object can't access properties in PHP
  . fixed bug #52339 SPL: SPL autoloader breaks class_exists()
  . fixed bug #67582 SPL: Cloned SplObjectStorage with overwritten getHash fails offsetExists()
  . fixed bug #71735 SPL: Double-free in SplDoublyLinkedList::offsetSet

- security fixed
  . CVE-2015-8383
  . CVE-2015-8386
  . CVE-2015-8387
  . CVE-2015-8389
  . CVE-2015-8390
  . CVE-2015-8391
  . CVE-2015-8393
  . CVE-2015-8394
- offcial bug fixed
  . fixed bug #71485 Core: Return typehint on interanal func causes Fatal error when it throws exception
  . fixed bug #71474 Core: Crash because of VM stack corruption on Magento2
  . fixed bug #71450 Core: An integer overflow bug in php_str_to_str_ex()
  . fixed bug #71449 Core: An integer overflow bug in php_implode()
  . fixed bug #71443 Core: Segfault using built-in webserver with intl using symfony
  . fixed bug #71442 Core: forward_static_call crash
  . fixed bug #71441 Core: Typehinted Generator with return in try/finally crashes
  . fixed bug #71529 Core: Variable references on array elements don't work when using count
  . fixed bug #71525 Date: Calls to date_modify will mutate timelib_rel_time, causing date_date_set issues
  . fixed bug #71269 FPM: php-fpm dumped core
  . fixed bug #71584 Opcache: Possible use-after-free of ZCG(cwd) in Zend Opcache
  . fixed bug #71537 PCRE: PCRE segfault from Opcache
  . fixed bug #71523 CURL: Copied handle with new option CURLOPT_HTTPHEADER crashes while curl_multi_exec
  . fixed memory leak in curl_getinfo()
  . fixed bug #71434 Fileinfo: finfo throws notice for specific python file
  . fixed bug #62172 FPM: FPM not working with Apache httpd 2.4 balancer/fcgi setup
  . fixed inherited functions from unspecified files being included in phpdbg_get_executable()
  . fixed bug #70720 Standard: strip_tags improper php code parsing
  . fixed bug #71501 XMLRPC: xmlrpc_encode_request ignores encoding option
  . fixed bug #71561 Zip: NULL pointer dereference in Zip::ExtractTo
- fixed malform free on zend_destory_list_tables

- official bug fixed
  . fixed bug #71442 Core: forward_static_call crash
  . fixed bug #71443 Core: Segfault using built-in webserver with intl using symfony
  . fixed bug #71449 Core: An integer overflow bug in php_implode()
  . fixed bug #71450 Core: An integer overflow bug in php_str_to_str_ex()
  . fixed bug #71434 Fileinfo: finfo throws notice for specific python file
- fixed segfault libevent

- fixed wrong build with ZTS
- official bug fixed
  . fixed bug #71397 mbstring: mb_send_mail segmentation fault
  . fixed bug #71441 opcache: Typehinted Generator with return in try/finally crashes

- official bug fixed
  . fixed bug #71336 Core: Wrong is_ref on properties as exposed via get_object_vars()
  . fixed bug #71248 Core: Wrong interface is enforced
  . fixed bug #70979 Soap: crash with bad soap request
  . Improved fix for bug #68063 Session:Empty session IDs do still start sessions
  . Fixed bug #69111 Session: Crash in SessionHandler::read()
  . Fixed bug #71038 Session: session_start() returns TRUE on failure
  . Fixed bug #71394 Session: session_regenerate_id() must close opened session on errors
  . fixed bug #71132, #71197 Standard: range() segfaults
  . fixed bug #70879 Apache2handler: Content-Length with apache2handler may be limited to 2G
- add mysql extension

- update 7.0.2
  . Fixed bug #71300 Core: Segfault in zend_fetch_string_offset
  . Fixed bug #71221 Core: Null pointer deref (segfault) in get_defined_vars via ob_start
  . Fixed bug #71201 Core: round() segfault on 64-bit builds
  . Core: support for new HTTP 451 code
  . Fixed Bug #71275 Core: Bad method called on cloning an object having a trait
  . Fixed bug #71273 Core: A wrong ext directory setup in php.ini leads to crash
  . Fixed bug #71297 Core: Memory leak with consecutive yield from
  . Fixed bug #71314 Core: var_export(INF) prints INF.0
  . Fixed bug #71227 Curl: Can't compile php_curl statically
  . Fixed bug #71225 Curl: curl_setopt() fails to set CURLOPT_POSTFIELDS with reference to CURLFile
  . Fixed bug #71249 Ldap: ldap_mod_replace/ldap_mod_add store value as string "Array"
  . Fixed bug #71202 SPL: Autoload function registered by another not activated immediately
  . Fixed bug #71204 SPL: segfault if clean spl_autoload_funcs while autoloading
  . Fixed bug #71287 Standard: Error message contains hexadecimal instead of decimal number
  . Fixed bug #71264 Standard: file_put_contents() returns unexpected value when filesystem runs full
  . Fixed bug #71245 Standard: file_get_contents() ignores "header" context option if it's a reference
  . Fixed bug #71220 Standard: Null pointer deref (segfault) in compact via ob_start
  . Fixed bug #71190 Standard: substr_replace converts integers in original $search array to strings
  . Fixed bug #71188 Standard: str_replace converts integers in original $search array to strings
  . Fixed bug #70720 Standard: strip_tags improper php code parsing