On Thu, Apr 11, 2024 at 5:10 PM <ericm...@php.net> wrote:

> On 4/11/24 08:55, Athos Ribeiro wrote:
>
> On Thu, Apr 11, 2024 at 08:03:31AM -0700, ericm...@php.net wrote:
>
> The PHP development team announces the immediate availability of PHP
> 8.3.6. This is a security release that addresses CVE-2024-1874,
> CVE-2024-2756, CVE-2024-3096, and CVE-2024-2757.
>
>
> Thank you!!!
>
> May I ask what happened to 8.3.5 and why it was never released?
>
> --
> 8.3.5 was frozen at the RC1 stage and we elected to include the fixes for
> the aforementioned CVEs in this release, bumping things instead to 8.3.6 to
> avoid any confusion as to why something was in a stable release that
> *wasn't* included in the RC. This is rare but does happen.
>

Just to add a bit more detail here. There was a regression in one of the fixes
that caused a failure for the Windows build. This was missed in time because
CI is not currently running on PRs in private forks for security fixes. We
are looking into setting up a private repo that would run CI instead of using
GitHub private forks created in the advisories. That should hopefully
prevent those skips.

Regards

Jakub
