Stay Informed

This week, read about:

• OpenSSL Announces Final Release of OpenSSL 3.2.0.
• PHP 8.3 Released!
• Rocky Linux 8.9 Available Now.
• Rocky Linux 9.3 Available Now. 

Key Security, Maintenance, and Features Releases

Security Based Updates

Updates to the OpenLogic CentOS Repository:
*) OpenLogic’s Enterprise Linux Team has recently published the following updates:

• CVE-2023-4911
  • CentOS 8 - glibc-2.28-164_ol002.el8
• CVE-2018-25032
  • CentOS 8 - zlib-1.2.11-17_ol002.el8
• CVE-2022-2526
  • CentOS 8 - systemd-239-51_ol001.el8_5.2 
• CVE-2021-4157
  • CentOS 8
    • kernel-4.18.0-348.7.1_ol001.el8_5
• CentOS 6
  • tzdata-2023c-1_ol001.el6

ActiveMQ CVE-2023-46604
It's worth noting that the vulnerability carries a CVSS score of 10.0, indicating maximum severity. It has been addressed in ActiveMQ versions 5.15.16, 5.16.7, 5.17.6, or 5.18.3 released late last month.

The vulnerability affects the following versions:
Apache ActiveMQ 5.18.0 before 5.18.3
Apache ActiveMQ 5.17.0 before 5.17.6
Apache ActiveMQ 5.16.0 before 5.16.7
Apache ActiveMQ before 5.15.16
Apache ActiveMQ Legacy OpenWire Module 5.18.0 before 5.18.3
Apache ActiveMQ Legacy OpenWire Module 5.17.0 before 5.17.6
Apache ActiveMQ Legacy OpenWire Module 5.16.0 before 5.16.7
Apache ActiveMQ Legacy OpenWire Module 5.8.0 before 5.15.16

CVE-2023-34053, CVE-2023-34055: Spring Framework and Spring Boot vulnerabilities.

Non-Security Based Updates

Docker compose 2.23.3
bump buildx to v0.12.0 and adapt code to changes by @glours in #11217

etcd 3.4.28
etcd server

• Improve Skip getting authInfo from incoming context when auth is disabled
• Use the default write scheduler since golang.org/x/net@v0.11.0 started using round-robin scheduler.
• Add cluster ID check during data corruption detection to prevent false alarm.
• Add Learner support Snapshot RPC.

Package clientv3

• Fix Reset auth token when failing to authenticate due to auth being disabled.
• Simplify grpc dialer usage.
• Replace balancer with upstream grpc solution.
• Fix race condition when accessing cfg.Endpoints in dial().
• Fix invalid authority header issue in single endpoint scenario.

Dependencies

• Compile binaries using go 1.20.11.
• Upgrade bbolt to 1.3.8.
• Upgrade gRPC to 1.58.3 in #16997 and #16999. Note that gRPC server will reject requests with connection header (refer to grpc/grpc-go#4803).

Grafana 10.2.2
Bug fixes:

• FeatureToggle: Disable dashgpt by default and mark it as preview. #78349, @ivanortegaalba
• SaveDashboardPrompt: Reduce time to open drawer when many changes applied. #78308, @ivanortegaalba
• Alerting: Fix export with modifications URL when mounted on subpath. #78217, @gillesdemey
• Explore: Fix queries (cached & non) count in usage insights. #78216, @Elfo404
• Plugins: Keep working when there is no internet access. #78092, @leventebalogh

Jenkins 2.433

•  Deactivate the administrative monitor when all previously offline agents are again online. (issue 72159)
•  Prepare node monitors to work with configuration as code. (issue 64816)
•  Introduce an API for build visualization plugins to serve alternative build console views and an API for plugins to produce links to the build console. (issue 71715)

Keycloak 23.0
New features
#23155 [WebAuthn] origin validation not support for non-Web platforms core

Enhancements
#431 Remove Wildfly/EAP OIDC and SAML adapter downloads web
#505 Quickstarts - Wildfly upgrade and README cleanup quickstarts
#510 SAML quickstart - provisioning of SAML adapter via Galleon quickstarts
#9318 User profile configuration API is incorrectly typed docs
#10128 Improve failed test behaviour operator
#10620 Internationalized Domain Names in email address user-profile
#10713 Update the server to use RESTEasy Reactive
#10803 Persist session in JDBC store without using external infinispan cluster storage
#11668 Declarative User Profile: weird behaviour in Account Management Console user-profile
#12406 Remove "You are already logged-in" during authentication authentication
#14009 CreatedTimestamp on REST import not used
#14165 Cannot refresh RPT tokens authorization-services
#14400 Add proxy options to Keycloak CR operator
#15018 Enhancements around proxy and hostname configuration
#15072 Allow setting a help text to an attribute user-profile
#15109 Refactor patch-sources.sh used by the Operator operator
#17258 Data too long for column 'DETAILS_JSON' storage
#20343 message bundles are not included in the realm export import-export
#20584 FAPI 2.0 security profile - supporting RFC 9207 OAuth 2.0 Authorization Server Issuer Identification
#20695 Add support for single-tenant in Microsoft Identity Provider
#20794 Can we simplify TokenManager.getRefreshExpiration() and TokenManager.getOfflineExpiration()? oidc
#20884 [Admin Console v2] Policy creation at Permissions screen missing admin/ui
#21073 Identity providers: pagination in admin REST API
#21154 Allow existing mappers for Custom Identity Providers identity-brokering
#21181 Add FAPI 2.0 security profile as default profile of client policies
#21182 Enhancing Pluggable Features of Token Manager
#21183 More flexibility for Introspection endpoint oidc
#21200 DPoP support 1st phase
#21444 Set `client_id` when using `private_key_jwt` with OIDC IdP identity-brokering
#21945 Release notes for FAPI 2
#22034 Keycloak, javascript lib to not use the escape() function adapter/javascript
#22215 DPoP verification in UserInfo endpoint oidc
#22318 Allow overriding Account Console resources for full control and backwards compatibility
#22372 Expand Group providers to allow for paginated lookup of subgroups storage
#22725 Do not initialize barrier build items for deployment dist/quarkus
#22868 Clarification on the tooltip of option "Validate Password Policy" of LDAP provider admin/ui
#23194 Add regex support in 'Condition - User attribute' execution authentication
#23340 Implement load shedding for RESTEasy reactive
#23527 Better usability when disabling user profile and loosing the previous cofiguration user-profile
#23891 Add feature flag for OAuth 2.0 device authorization grant flow oidc
#24024 User profile tweaks in registration forms user-profile
#24072 Lots of parameters related to identity brokering uses `providerId` when they expect `providerAlias` identity-brokering
#24273 Add a property to the User Profile Email Validator for max length of the local part user-profile
#24278 Transient users: documentation core
#24387 Move some UserProfile and Validation classes into keycloak-server-spi user-profile
#24494 Transient users: Consents core
#24535 Moving UPConfig and related classes from keycloak-services user-profile
#24844 Add High Availability Guide to Keycloak's main repository
#24912 Add Galleon layer metadata to the SAML Galleon feature-pack adapter/jee-saml

Bugs
#468 Cant build it quickstarts
#503 Automate Keycloak version replacement quickstarts
#508 set-version script does not update package(-lock).json files in js and nodejs quickstarts quickstarts
#515 [Keycloak Quickstarts CI failure] loginToAdminConsole method fails in ArquillianSysoutEventListenerProviderTest.testEventListenerOutput due to Unable to locate element: {"method":"css selector","selector":"#username"} exception quickstarts
#8939 PAR fails to authenticate for public client oidc
#9004 Access Token claims not imported using OpenID Connect v1.0 Identity Provider Attribute Importer Mappers oidc
#10710 Rollup.js complains about the use of eval in one of keycloak.js's dependencies adapter/javascript
#11699 Under heavy load, DefaultBruteForceProtector blocks the whole system authentication
#12062 Declarative User Profile export user-profile
#12171 Inconsistent authorization behavior when exporting data from a realm authorization-services
#14134 [keycloak 18] cannot import users with correct ID in partial import admin/api
#16379 Inconsistent handling of parenthesis in auth flow name admin/api
#16526 Token introspection response does not follow RFC6479 "scope" parameter format oidc
#19093 The create new user page requires the admin user to be given the "Manage-Realm" role in order to see the user profile attributes in the create new user page admin/api
#19125 kcadm do not update defaultGroups docs
#19154 Non working API docs link docs
#19555 When update-email feature is enabled, changing emails two times in a row causes unintuitive behaviour authentication
#20135 Searching for multiple types in the Events section gives an error admin/client-js
#20218 Role mappers must return a single value when they are not multivalued oidc
#20316 Email pattern is not compliant account/api
#20453 Admin UI incredibly slow with 300 realms admin/api
#20537 [Declarative User Profile] OIDCAttributeMapperHelper throws NumberFormatException for optional user attributes user-profile
#20763 Flaky test: org.keycloak.testsuite.admin.authentication.FlowTest#testAddRemoveFlow ci
#20830 Token-exchange is not working for OpenID Connect v1.0 provider in KC 21.1.1 token-exchange
#20852 [Declarative User Profile] Attributes are created as required by default but switch is set to "not required" user-profile
#20885 Key length is limited to 4000 characters storage
#21010 Cannot display 'Authentication Flows' screen when a realm contains more than ~4000 clients storage
#21123 NPE in getDefaultRequiredActionCaseInsensitively admin/api
#21236 Keycloak Event clientId is null when ever a logout event is fired. core
#21555 Listing realms due to realm drop-down admin/ui
#21660 Wrong convert timestamp to date account/ui
#21779 Flaky test: org.keycloak.testsuite.script.DeployedScriptAuthenticatorTest#loginShouldWorkWithScriptAuthenticator authentication
#21780 Flaky test: org.keycloak.testsuite.script.DeployedScriptAuthenticatorTest#loginShouldFailWithScriptAuthenticator authentication
#21797 DN with RDN that contains trailing backslash is imported incorrectly into Keycloak ldap
#21805 Missing labels account console account/ui
#21818 DN with RDN that contains trailing space is imported incorrectly into Keycloak ldap
#21830 Operator doesn't pass on system property 'jgroups.dns.query' to Keycloak but an env variable, leading to a warning in the log operator
#22143 WatchedSecretsTest.testSecretChangesArePropagated error in OCP ci
#22177 Missing client_id validation match when authenticating client with JWT
#22191 Verification of iss at refresh token request oidc
#22332 Selecting resource on resource based permission gives error admin/ui
#22337 kc.sh errors if using characters like semicolon inside the arguments docs
#22375 Possible NullPointerException core
#22395 Email sending fails when SPI truststore is configured and hostnameVerification set to 'ANY' core
#22432 inputOptionLabels is not used by Admin UI admin/ui
#22583 Fine grained permissions not rendering account/ui
#22638 SAML AdvancedAttributeToRoleMapper does not allow predicate evaluation on same Array Attribute saml
#22814 user search with "q" parameter ignores keys of length 1 and returns all users admin/api
#22818 inputOptionLabels is not used by Account UI v3 account/ui
#22890 Keycloak 22.0.1: NPE in Edit Identity Provider Mapper on second Save admin/api
#22937 ProviderConfigProperty.MULTIVALUED_LIST_TYPE not working in FormAction admin/ui
#22988 Cache stampede after realm cache invalidation infinispan
#23044 Docs: server_admin/topics/sessions/transient.adoc authentication
#23128 Regex defect in federation script federation-sssd-setup.sh dist/quarkus
#23173 crypto/elytron package has several bugs core
#23180 TypeError in user profile admin-ui admin/ui
#23253 CLI args not recognized when running Quarkus dev mode dist/quarkus
#23255 Several help text messages missing in saml identity provider admin/ui
#23404 Cannot assign client roles to a user when a realm contains more than ~4000 clients storage
#23444 After the recent switch to resteasy-reactive we are unable to use resteasy-classic or jersey jax-rs clients. 

Dependencies
#23582 Join group screen does not show child groups without filters admin/ui
#23616 invalid tag in .ftl file user-profile
#23692 Genetated access token exception then $ sign in client name core
#23733 OpenAPI spec doesn't match the admin API admin/api
#23753 Insufficient guard against path traversal GzipResourceEncodingProvider core
#23789 Can not create attribute group before setting/removing an annotation user-profile
#23795 Spelling errors in TokenManager.java oidc
#23970 Keycloak does not export/import userprofile data when exporting the realm user-profile
#24032 Group attributes are not saved if there are two attributes with the same key admin/ui
#24035 Admin UI: Group details page is not updated by group list dropdown actions admin/ui
#24067 Duplicate attribute groups show in list in UserProfile in admin ui admin/ui
#24077 Internal server error when no firstName and lastName added on the user with User Profile Disabled and Verify Profile Enabled user-profile
#24096 Document or avoid breaking change in UserSessionModel core
#24160 HTTP/2 - Last parameter of POST form data contains 0x00 byte in some configurations. core
#24183 Username now shown when creating a user and edit username is not allowed user-profile
#24187 Admin UI group view shows attributes of previously viewed group admin/ui
#24293 b.map is not a function error when LDAP server is offline core
#24420 User profile behaves different in keycloak 22.0.5 user-profile
#24453 Email-verified checkbox not visible anymore when user profile is enabled admin/ui
#24455 NPE when logging in with TransientUser storage
#24458 Unfriendly error message when user-storage provider not available admin/ui
#24487 show/hide password in clear text button visible for hiden field in "forgot password" flow login/ui
#24547 DPoP advertised on OIDC Well Known Endpoint even though DPoP feature is not enabled (preview feature) oidc
#24551 the `./kc.sh tools completion` command cannot be recognized correctly admin/cli
#24672 Basic auth is not RFC 2617 compliant authentication
#24697 User cannot update profile when some invalid attribute invisible to him is present on his profile user-profile
#24766 non-functioning session persistence when using JDBC over Infinispan infinispan
#24792 Invalid redirect_uri if it contains uppercase letters authentication
#24970 `jwt-decode` is being bundled into Keycloak JS admin/client-js

Node.js 20.10
Notable Changes

--experimental-default-type flag to flip module defaults

The new flag --experimental-default-type can be used to flip the default module system used by Node.js. Input that is already explicitly defined as ES modules or CommonJS, such as by a package.json "type" field or .mjs/.cjs file extension or the --input-type flag, is unaffected. What is currently implicitly CommonJS would instead be interpreted as ES modules under --experimental-default-type=module:

• String input provided via --eval or STDIN, if --input-type is unspecified.
• Files ending in .js or with no extension, if there is no package.json file present in the same folder or any parent folder.
• Files ending in .js or with no extension, if the nearest parent package.json field lacks a type field; unless the folder is inside a node_modules folder.

In addition, extensionless files are interpreted as Wasm if --experimental-wasm-modules is passed and the file contains the "magic bytes" Wasm header.

-Detect ESM syntax in ambiguous JavaScript

The new flag --experimental-detect-module can be used to automatically run ES modules when their syntax can be detected. For “ambiguous” files, which are .js or extensionless files with no package.json with a type field, Node.js will parse the file to detect ES module syntax; if found, it will run the file as an ES module, otherwise it will run the file as a CommonJS module. The same applies to string input via --eval or STDIN.

We hope to make detection enabled by default in a future version of Node.js. Detection increases startup time, so we encourage everyone—especially package authors—to add a type field to package.json, even for the default "type": "commonjs". The presence of a type field, or explicit extensions such as .mjs or .cjs, will opt out of detection.

-New flush option in file system functions

When writing to files, it is possible that data is not immediately flushed to permanent storage. This allows subsequent read operations to see stale data. This PR adds a 'flush' option to the fs.writeFile family of functions which forces the data to be flushed at the end of a successful write operation.

-Experimental WebSocket client

Adds a --experimental-websocket flag that adds a WebSocket global, as standardized by WHATWG.

-vm: fix V8 compilation cache support for vm.Script

Previously repeated compilation of the same source code using vm.Script stopped hitting the V8 compilation cache after v16.x when support for importModuleDynamically was added to vm.Script, resulting in a performance regression that blocked users (in particular Jest users) from upgrading from v16.x.

The recent fixes allow the compilation cache to be hit again for vm.Script when --experimental-vm-modules is not used even in the presence of the importModuleDynamically option, so that users affected by the performance regression can now upgrade. Ongoing work is also being done to enable compilation cache support for vm.CompileFunction.

PHP 8.3.0
Bcmath:

• Fixed GH-11761 (removing trailing zeros from numbers) (jorgsowa)

CLI:

• Added pdeathsig to builtin server to terminate workers when the master process is killed.
• Fixed bug GH-11104 (STDIN/STDOUT/STDERR is not available for CLI without a script).
• Implement GH-10024 (support linting multiple files at once using php -l).

Core:

• Fix GH-11388 (Allow "final" modifier when importing a method from a trait).
• Fixed bug GH-11406 (segfault with unpacking and magic method closure).
• Fixed bug GH-9388 (Improve unset property and __get type incompatibility error message).
• SA_ONSTACK is now set for signal handlers to be friendlier to other in-process code such as Go's cgo.
• SA_ONSTACK is now set when signals are disabled.
• Fix GH-9649: Signal handlers now do a no-op instead of crashing when executed on threads not managed by TSRM.
• Added shadow stack support for fibers.
• Fix bug GH-9965 (Fix accidental caching of default arguments with side effects).
• Implement GH-10217 (Use strlen() for determining the class_name length).
• Fix bug GH-8821 (Improve line numbers for errors in constant expressions).
• Fix bug GH-10083 (Allow comments between & and parameter).
• Zend Max Execution Timers is now enabled by default for ZTS builds on Linux.
• Fix bug GH-10469 (Disallow .. in open_basedir paths set at runtime).
• Fix bug GH-10168, GH-10582 (Various segfaults with destructors and VM return values).
• Fix bug GH-10935 (Use of trait doesn't redeclare static property if class has inherited it from its parent).
• Fix bug GH-11154 (Negative indices on empty array don't affect next chosen index).
• Fix bug GH-8846 (Implement delayed early binding for classes without parents).
• Fix bug #79836 (Segfault in concat_function).
• Fix bug #81705 (type confusion/UAF on set_error_handler with concat operation).
• Fix GH-11348 (Closure created from magic method does not accept named arguments).
• Fix GH-11388 (Allow "final" modifier when importing a method from a trait).
• Fixed bug GH-11406 (segfault with unpacking and magic method closure).
• Fixed bug GH-11507 (String concatenation performance regression in 8.3).
• Fixed GH-11488 (Missing "Optional parameter before required" deprecation on union null type).
• Implement the #[\Override] attribute RFC.
• Fixed bug GH-11601 (Incorrect handling of unwind and graceful exit exceptions).
• Added zend_call_stack_get implementation for OpenBSD.
• Add stack limit check in zend_eval_const_expr().
• Expose time spent collecting cycles in gc_status().
• Remove WeakMap entries whose key is only reachable through the entry value.
• Resolve open_basedir paths on INI update.
• Fixed oss-fuzz #60741 (Leak in open_basedir).
• Fixed segfault during freeing of some incompletely initialized objects due to OOM error (PDO, SPL, XSL).
• Introduced Zend guard recursion protection to fix __debugInfo issue.
• Fixed oss-fuzz #61712 (assertion failure with error handler during binary op).
• Fixed GH-11847 (DTrace enabled build is broken).
• Fixed OSS Fuzz #61865 (Undef variable in ++/-- for declared property that is unset in error handler).
• Fixed warning emitted when checking if a user stream is castable.
• Fixed bug GH-12123 (Compile error on MacOS with C++ extension when using ZEND_BEGIN_ARG_WITH_RETURN_TYPE_INFO_EX).
• Fixed bug GH-12189 (#[Override] attribute in trait does not check for parent class implementations).
• Fixed OSS Fuzz #62294 (Unsetting variable after ++/-- on string variable warning).
• Fixed buffer underflow when compiling memoized expression.
• Fixed oss-fuzz #63802 (OP1 leak in error path of post inc/dec).

Curl:

• Added Curl options and constants up to (including) version 7.87.

Date:

• Implement More Appropriate Date/Time Exceptions RFC.

DOM:

• Fix bug GH-8388 (DOMAttr unescapes character reference).
• Fix bug GH-11308 (getElementsByTagName() is O(N^2)).
• Fix #79700 (wrong use of libxml oldNs leads to performance problem).
• Fix #77894 (DOMNode::C14N() very slow on generated DOMDocuments even after normalisation).
• Revert changes to DOMAttr::$value and DOMAttr::$nodeValue expansion.
• Fixed bug GH-11500 (Namespace reuse in createElementNS() generates wrong output).
• Implemented DOMDocument::adoptNode(). Previously this always threw a "not yet implemented" exception.
• Fixed bug GH-9628 (Implicitly removing nodes from \DOMDocument breaks existing references).
• Added DOMNode::contains() and DOMNameSpaceNode::contains().
• Added DOMElement::getAttributeNames().
• Added DOMNode::getRootNode().
• Added DOMElement::className and DOMElement::id.
• Added DOMParentNode::replaceChildren().
• Added DOMNode::isConnected and DOMNameSpaceNode::isConnected.
• Added DOMNode::parentElement and DOMNameSpaceNode::parentElement.
• Added DOMNode::isEqualNode().
• Added DOMElement::insertAdjacentElement() and DOMElement::insertAdjacentText().
• Added DOMElement::toggleAttribute().
• Fixed bug GH-11792 (LIBXML_NOXMLDECL is not implemented or broken).
• adoptNode now respects the strict error checking property.
• Align DOMChildNode parent checks with spec.
• Fixed bug #80927 (Removing documentElement after creating attribute node: possible use-after-free).
• Fix various namespace prefix conflict resolution bugs.
• Fix calling createAttributeNS() without prefix causing the default namespace of the element to change.
• Fixed GH-11952 (Confusing warning when blocking entity loading via libxml_set_external_entity_loader).
• Fix broken cache invalidation with deallocated and reallocated document node.
• Fix compile error when php_libxml.h header is included in C++.
• Fixed bug #47531 (No way of removing redundant xmlns: declarations).

Exif:

• Removed unneeded codepaths in exif_process_TIFF_in_JPEG().

FFI:

• Implement GH-11934 (Allow to pass CData into struct and/or union fields).

Fileinfo:

• Upgrade bundled libmagic to 5.43.
• Fix GH-11408 (Unable to build PHP 8.3.0 alpha 1 / fileinfo extension).

FPM:

• The status.listen shared pool now uses the same php_values (including expose_php) and php_admin_value as the pool it is shared with.
• Added warning to log when fpm socket was not registered on the expected path.
• Fixed bug #76067 (system() function call leaks php-fpm listening sockets).
• Fixed GH-12077 (PHP 8.3.0RC1 borked socket-close-on-exec.phpt).

GD:

• Removed imagerotate "ignore_transparent" argument since it has no effect.

Intl:

• Added pattern format error infos for numfmt_set_pattern.
• Added MIXED_NUMBERS and HIDDEN_OVERLAY constants for the Spoofchecker's class.
• Updated datefmt_set_timezone/IntlDateformatter::setTimezone returns type. (David Carlier).
• Updated IntlBreakInterator::setText return type.
• Updated IntlChar::enumCharNames return type.
• Removed the BC break on IntlDateFormatter::construct which threw an exception with an invalid locale.

JSON:

• Added json_validate().

LDAP:

• Deprecate calling ldap_connect() with separate hostname and port.

LibXML:

• Fix compile error with -Werror=incompatible-function-pointer-types and old libxml2.

MBString:

• mb_detect_encoding is better able to identify the correct encoding for Turkish text.
• mb_detect_encoding's "non-strict" mode now behaves as described in the documentation. Previously, it would return false if the same byte (for example, the first byte) of the input string was invalid in all candidate encodings. More generally, it would eliminate candidate encodings from consideration when an invalid byte was seen, and if the same input byte eliminated all remaining encodings still under consideration, it would return false. On the other hand, if all candidate encodings but one were eliminated from consideration, it would return the last remaining one without regard for how many encoding errors might be encountered later in the string. This is different from the behavior described in the documentation, which says: "If strict is set to false, the closest matching encoding will be returned." (Alex Dowad)
• mb_strtolower, mb_strtotitle, and mb_convert_case implement conditional casing rules for the Greek letter sigma. For mb_convert_case, conditional casing only applies to MB_CASE_LOWER and MB_CASE_TITLE modes, not to MB_CASE_LOWER_SIMPLE and MB_CASE_TITLE_SIMPLE.
• mb_detect_encoding is better able to identify UTF-8 and UTF-16 strings with a byte-order mark.
• mb_decode_mimeheader interprets underscores in QPrint-encoded MIME encoded words as required by RFC 2047; they are converted to spaces. Underscores must be encoded as "=5F" in such MIME encoded words.
• mb_encode_mimeheader no longer drops NUL (zero) bytes when QPrint-encoding the input string. This previously caused strings in certain text encodings, especially UTF-16 and UTF-32, to be corrupted by mb_encode_mimeheader.
• Implement mb_str_pad() RFC.
• Fixed bug GH-11514 (PHP 8.3 build fails with --enable-mbstring enabled).
• Fix use-after-free of mb_list_encodings() return value.
• Fixed bug GH-11992 (utf_encodings.phpt fails on Windows 32-bit).

mysqli:

• mysqli_fetch_object raises a ValueError instead of an Exception.

Opcache:

• Added start, restart and force restart time to opcache's phpinfo section.
• Fix GH-9139: Allow FFI in opcache.preload when opcache.preload_user=root.
• Made opcache.preload_user always optional in the cli and phpdbg SAPIs.
• Allows W/X bits on page creation on FreeBSD despite system settings.
• Added memfd api usage, on Linux, for zend_shared_alloc_create_lock() to create an abstract anonymous file for the opcache's lock.
• Avoid resetting JIT counter handlers from multiple processes/threads.
• Fixed COPY_TMP type inference for references.

OpenSSL:

• Added OPENSSL_CMS_OLDMIMETYPE and PKCS7_NOOLDMIMETYPE contants to switch between mime content types.
• Fixed GH-11054: Reset OpenSSL errors when using a PEM public key.