PHP security releases 8.4.5, 8.3.19, 8.2.28, 8.1.32

[Alan Coopersmith <alan.coopersmith () oracle com>]

https://fosstodon.org/@php/114156354494375611 proclaims to the world:

> 📣 Announcing the availability of:
>
> - PHP 8.4.5
> - PHP 8.3.19
> - PHP 8.2.28
> - PHP 8.1.32
>
> ‼️ These address the following security issues:
>
> - Several issues with the Stream HTTP wrapper
> - Use-After-Free during request shutdown
> - Out-of-Bounds read when using XML_OPTION_SKIP_TAGSTART
> - libxml streams can use the wrong content-type header
>
> 📝 https://www.php.net/ChangeLog-8.php
> 🎁 https://www.php.net/downloads

The Changelog link includes further details:

Fixed GHSA-rwp7-7vc6-8477 (Reference counting in php_request_shutdown causes 
Use-After-Free). (CVE-2024-11235)
https://github.com/php/php-src/security/advisories/GHSA-rwp7-7vc6-8477

Fixed GHSA-p3x9-6h7p-cgfc (libxml streams use wrong `content-type` header when 
requesting a redirected resource). (CVE-2025-1219)
https://github.com/php/php-src/security/advisories/GHSA-p3x9-6h7p-cgfc

Fixed GHSA-hgf5-96fm-v528 (Stream HTTP wrapper header check might omit basic 
auth header). (CVE-2025-1736)
https://github.com/php/php-src/security/advisories/GHSA-hgf5-96fm-v528

Fixed GHSA-52jp-hrpf-2jff (Stream HTTP wrapper truncate redirect location to 
1024 bytes). (CVE-2025-1861)
https://github.com/php/php-src/security/advisories/GHSA-52jp-hrpf-2jff

Fixed GHSA-pcmh-g36c-qc44 (Streams HTTP wrapper does not fail for headers 
without colon). (CVE-2025-1734)
https://github.com/php/php-src/security/advisories/GHSA-pcmh-g36c-qc44

Fixed GHSA-v8xr-gpvj-cx9g (Header parser of `http` stream wrapper does not 
handle folded headers). (CVE-2025-1217)
https://github.com/php/php-src/security/advisories/GHSA-v8xr-gpvj-cx9g

--
        -Alan Coopersmith-                 alan.coopersmith () oracle com
         Oracle Solaris Engineering - https://blogs.oracle.com/solaris