package/php: security bump version to 8.2.28

Fixes the following vulnerabilities:

- CVE-2025-1217: Header parser of `http` stream wrapper does not handle
  folded headers
  https://github.com/php/php-src/security/advisories/GHSA-v8xr-gpvj-cx9g

- CVE-2025-1219: Libxml streams use wrong `content-type` header when
  requesting a redirected resource
  https://github.com/php/php-src/security/advisories/GHSA-p3x9-6h7p-cgfc

- CVE-2025-1734: Streams HTTP wrapper does not fail for headers with invalid
  name and no colon
  https://github.com/php/php-src/security/advisories/GHSA-pcmh-g36c-qc44

- CVE-2025-1736: Stream HTTP wrapper header check might omit basic auth
  header
  https://github.com/php/php-src/security/advisories/GHSA-hgf5-96fm-v528

- CVE-2025-1861: Stream HTTP wrapper truncate redirect location to 1024
  bytes
  https://github.com/php/php-src/security/advisories/GHSA-52jp-hrpf-2jff

Changelog: https://www.php.net/ChangeLog-8.php#8.2.28

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>

package/php/php.hash

@@ -1,5 +1,5 @@
 # From https://www.php.net/downloads.php
-sha256  54747400cb4874288ad41a785e6147e2ff546cceeeb55c23c00c771ac125c6ef  php-8.2.26.tar.xz
+sha256  af8c9153153a7f489153b7a74f2f29a5ee36f5cb2c6c6929c98411a577e89c91  php-8.2.28.tar.xz
 
 # License file
 sha256  b42e4df5e50e6ecda1047d503d6d91d71032d09ed1027ba1ef29eed26f890c5a  LICENSE

package/php/php.mk

@@ -4,7 +4,7 @@
 #
 ################################################################################
 
-PHP_VERSION = 8.2.26
+PHP_VERSION = 8.2.28
 PHP_SITE = https://www.php.net/distributions
 PHP_SOURCE = php-$(PHP_VERSION).tar.xz
 PHP_INSTALL_STAGING = YES