Thursday, 02 February, 2012 19:32 Written by Webmaster
The PHP development team would like to announce the immediate availability of PHP 5.3.10. This release delivers a critical security fix.
Security Fixes in PHP 5.3.10:
- Fixed arbitrary remote code execution vulnerability reported by Stefan Esser, CVE-2012-0830.
All users are strongly encouraged to upgrade to PHP 5.3.10.
For source downloads please visit our downloads page; Windows binaries can be found on windows.php.net/download/.
Tuesday, 10 January, 2012 21:29 Written by Webmaster
The PHP development team would like to announce the immediate availability of PHP 5.3.9. This release focuses on improving the stability of the PHP 5.3.x branch with over 90 bug fixes, some of which are security related.
Security Enhancements and Fixes in PHP 5.3.9:
- Added max_input_vars directive to prevent attacks based on hash collisions. (CVE-2011-4885)
- Fixed bug #60150 (Integer overflow during the parsing of invalid exif header). (CVE-2011-4566)
Key enhancements in PHP 5.3.9 include:
- Fixed bug #55475 (is_a() triggers autoloader, new optional 3rd argument to is_a and is_subclass_of).
- Fixed bug #55609 (mysqlnd cannot be built shared)
- Many changes to the FPM SAPI module
For a full list of changes in PHP 5.3.9, see the ChangeLog. For source downloads please visit our downloads page; Windows binaries can be found on windows.php.net/download/.
All users are strongly encouraged to upgrade to PHP 5.3.9.
Thursday, 18 August, 2011 14:02 Written by Webmaster
The PHP development team would like to announce the immediate availability of PHP 5.3.7. This release focuses on improving the stability of the PHP 5.3.x branch with over 90 bug fixes, some of which are security related.
Security Enhancements and Fixes in PHP 5.3.7:
- Updated crypt_blowfish to 1.2. (CVE-2011-2483)
- Fixed crash in error_log(). Reported by Mateusz Kocielski
- Fixed buffer overflow on overlong salt in crypt().
- Fixed bug #54939 (File path injection vulnerability in RFC1867 File upload filename). Reported by Krzysztof Kotowicz. (CVE-2011-2202)
- Fixed stack buffer overflow in socket_connect(). (CVE-2011-1938)
- Fixed bug #54238 (use-after-free in substr_replace()). (CVE-2011-1148)
Key enhancements in PHP 5.3.7 include:
- Upgraded bundled Sqlite3 to version 3.7.7.1
- Upgraded bundled PCRE to version 8.12
- Fixed bug #54910 (Crash when calling call_user_func with unknown function name)
- Fixed bug #54585 (track_errors causes segfault)
- Fixed bug #54262 (Crash when assigning value to a dimension in a non-array)
- Fixed a crash inside dtor for error handling
- Fixed bug #55339 (Segfault with allow_call_time_pass_reference = Off)
- Fixed bug #54935 php_win_err can lead to crash
- Fixed bug #54332 (Crash in zend_mm_check_ptr // Heap corruption)
- Fixed bug #54305 (Crash in gc_remove_zval_from_buffer)
- Fixed bug #54580 (get_browser() segmentation fault when browscap ini directive is set through php_admin_value)
- Fixed bug #54529 (SAPI crashes on apache_config.c:197)
- Fixed bug #54283 (new DatePeriod(NULL) causes crash).
- Fixed bug #54269 (Short exception message buffer causes crash)
- Fixed bug #54221 (mysqli::get_warnings segfault when used in multi queries)
- Fixed bug #54395 (Phar::mount() crashes when calling with wrong parameters)
- Fixed bug #54384 (Dual iterators, GlobIterator, SplFileObject and SplTempFileObject crash when user-space classes don't call the parent constructor)
- Fixed bug #54292 (Wrong parameter causes crash in SplFileObject::__construct())
- Fixed bug #54291 (Crash iterating DirectoryIterator for dir name starting with \0)
- Fixed bug #54281 (Crash in non-initialized RecursiveIteratorIterator)
- Fixed bug #54623 (Segfault when writing to a persistent socket after closing a copy of the socket)
- Fixed bug #54681 (addGlob() crashes on invalid flags)
- Over 80 other bug fixes.
Windows users: please note that we no longer provide builds created with Visual Studio C++ 6. It is impossible to maintain a high quality and safe build of PHP for Windows using this unmaintained compiler.
For Apache SAPIs (php5_apache2_2.dll), be sure that you use a Visual Studio C++ 9 version of Apache. We recommend the Apache builds as provided by ApacheLounge. For any other SAPI (CLI, FastCGI via mod_fcgi, FastCGI with IIS or other FastCGI capable server), everything works as before. Third party extension providers must rebuild their extensions to make them compatible and loadable with the Visual Studio C++ 9 builds that we now provide.
All PHP users should note that the PHP 5.2 series is NOT supported anymore. All users are strongly encouraged to upgrade to PHP 5.3.7.
For a full list of changes in PHP 5.3.7, see the ChangeLog. For source downloads please visit our downloads page; Windows binaries can be found on windows.php.net/download/.
Thursday, 17 March, 2011 13:43 Written by Webmaster
The PHP development team would like to announce the immediate availability of PHP 5.3.6. This release focuses on improving the stability of the PHP 5.3.x branch with over 60 bug fixes, some of which are security related.
Security Enhancements and Fixes in PHP 5.3.6:
- Enforce security in the fastcgi protocol parsing with fpm SAPI.
- Fixed bug #54247 (format-string vulnerability on Phar). (CVE-2011-1153)
- Fixed bug #54193 (Integer overflow in shmop_read()). (CVE-2011-1092)
- Fixed bug #54055 (buffer overrun with high values for precision ini setting).
- Fixed bug #54002 (crash on crafted tag in exif). (CVE-2011-0708)
- Fixed bug #53885 (ZipArchive segfault with FL_UNCHANGED on empty archive). (CVE-2011-0421)
Key enhancements in PHP 5.3.6 include:
- Upgraded bundled Sqlite3 to version 3.7.4.
- Upgraded bundled PCRE to version 8.11.
- Added ability to connect to HTTPS sites through proxy with basic authentication using stream_context/http/header/Proxy-Authorization.
- Added options to debug backtrace functions.
- Changed default value of ini directive serialize_precision from 100 to 17.
- Fixed bug #53971 (isset() and empty() produce apparently spurious runtime error).
- Fixed bug #53958 (Closures can't 'use' shared variables by value and by reference).
- Fixed bug #53577 (Regression introduced in 5.3.4 in open_basedir with a trailing forward slash).
- Over 60 other bug fixes.
Windows users: please note that we no longer provide builds created with Visual Studio C++ 6. It is impossible to maintain a high quality and safe build of PHP for Windows using this unmaintained compiler.
For Apache SAPIs (php5_apache2_2.dll), be sure that you use a Visual Studio C++ 9 version of Apache. We recommend the Apache builds as provided by ApacheLounge. For any other SAPI (CLI, FastCGI via mod_fcgi, FastCGI with IIS or other FastCGI capable server), everything works as before. Third party extension providers must rebuild their extensions to make them compatible and loadable with the Visual Studio C++ 9 builds that we now provide.
All PHP users should note that the PHP 5.2 series is NOT supported anymore. All users are strongly encouraged to upgrade to PHP 5.3.6.
For a full list of changes in PHP 5.3.6, see the ChangeLog. For source downloads please visit our downloads page; Windows binaries can be found on windows.php.net/download/.
Thursday, 06 January, 2011 21:34 Written by Webmaster
The PHP development team would like to announce the immediate availability of PHP 5.3.5 and 5.2.17.
This release resolves a critical issue, reported as PHP bug #53632 and CVE-2010-4645, where conversions from string to double might cause the PHP interpreter to hang on systems using x87 FPU registers.
The problem is known to only affect x86 32-bit PHP processes, regardless of whether the system hosting PHP is 32-bit or 64-bit. You can test whether your system is affected by running this script from the command line.
All users of PHP are strongly advised to update to these versions immediately.