(crypt()'s problem was already fixed our php53-5.3.7nb1 package.)
PHP NEWS
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
23 Aug 2011, PHP 5.3.8
- Core:
. Fixed bug #55439 (crypt() returns only the salt for MD5). (Stas)
- OpenSSL:
. Reverted a change in timeout handling restoring PHP 5.3.6 behavior,
as the new behavior caused mysqlnd SSL connections to hang (#55283).
(Pierre, Andrey, Johannes)
PHP 5.3.7 Released!
[18-Aug-2011] The PHP development team would like to announce the immediate
availability of PHP 5.3.7. This release focuses on improving the stability of
the PHP 5.3.x branch with over 90 bug fixes, some of which are security
related.
Security Enhancements and Fixes in PHP 5.3.7:
* Updated crypt_blowfish to 1.2. (CVE-2011-2483)
* Fixed crash in error_log(). Reported by Mateusz Kocielski
* Fixed buffer overflow on overlog salt in crypt().
* Fixed bug #54939 (File path injection vulnerability in RFC1867 File upload
filename). Reported by Krzysztof Kotowicz. (CVE-2011-2202)
* Fixed stack buffer overflow in socket_connect(). (CVE-2011-1938)
* Fixed bug #54238 (use-after-free in substr_replace()). (CVE-2011-1148)
Key enhancements in PHP 5.3.7 include:
* Upgraded bundled Sqlite3 to version 3.7.7.1
* Upgraded bundled PCRE to version 8.12
* Fixed bug #54910 (Crash when calling call_user_func with unknown function
name)
* Fixed bug #54585 (track_errors causes segfault)
* Fixed bug #54262 (Crash when assigning value to a dimension in a non-array)
* Fixed a crash inside dtor for error handling
* Fixed bug #55339 (Segfault with allow_call_time_pass_reference = Off)
* Fixed bug #54935 php_win_err can lead to crash
* Fixed bug #54332 (Crash in zend_mm_check_ptr // Heap corruption)
* Fixed bug #54305 (Crash in gc_remove_zval_from_buffer)
* Fixed bug #54580 (get_browser() segmentation fault when browscap ini
directive is set through php_admin_value)
* Fixed bug #54529 (SAPI crashes on apache_config.c:197)
* Fixed bug #54283 (new DatePeriod(NULL) causes crash).
* Fixed bug #54269 (Short exception message buffer causes crash)
* Fixed Bug #54221 (mysqli::get_warnings segfault when used in multi queries)
* Fixed bug #54395 (Phar::mount() crashes when calling with wrong parameters)
* Fixed bug #54384 (Dual iterators, GlobIterator, SplFileObject and
SplTempFileObject crash when user-space classes don't call the parent
constructor)
* Fixed bug #54292 (Wrong parameter causes crash in
SplFileObject::__construct())
* Fixed bug #54291 (Crash iterating DirectoryIterator for dir name starting
with \0)
* Fixed bug #54281 (Crash in non-initialized RecursiveIteratorIterator)
* Fixed bug #54623 (Segfault when writing to a persistent socket after closing
a copy of the socket)
* Fixed bug #54681 (addGlob() crashes on invalid flags)
* Over 80 other bug fixes.
PHP 5.3.6 Released!
[17-Mar-2011]
The PHP development team would like to announce the immediate availability
of PHP 5.3.6. This release focuses on improving the stability of the PHP
5.3.x branch with over 60 bug fixes, some of which are security related.
Security Enhancements and Fixes in PHP 5.3.6:
* Enforce security in the fastcgi protocol parsing with fpm SAPI.
* Fixed bug #54247 (format-string vulnerability on Phar). (CVE-2011-1153)
* Fixed bug #54193 (Integer overflow in shmop_read()). (CVE-2011-1092)
* Fixed bug #54055 (buffer overrun with high values for precision ini setting).
* Fixed bug #54002 (crash on crafted tag in exif). (CVE-2011-0708)
* Fixed bug #53885 (ZipArchive segfault with FL_UNCHANGED on empty
archive). (CVE-2011-0421)
Key enhancements in PHP 5.3.6 include:
* Upgraded bundled Sqlite3 to version 3.7.4.
* Upgraded bundled PCRE to version 8.11.
* Added ability to connect to HTTPS sites through proxy with basic
authentication using stream_context/http/header/Proxy-Authorization.
* Added options to debug backtrace functions.
* Changed default value of ini directive serialize_precision from 100 to 17.
* Fixed Bug #53971 (isset() and empty() produce apparently spurious
runtime error).
* Fixed Bug #53958 (Closures can't 'use' shared variables by value and
by reference).
* Fixed bug #53577 (Regression introduced in 5.3.4 in open_basedir
with a trailing forward slash).
* Over 60 other bug fixes.
* Add fix for VAX floating point handling (Bug #53682), r307192 from
PHP's repositry. (It is in PHP 5.2.17 but not in 5.3.5).
06 Jan 2011, PHP 5.3.5
- Fixed Bug #53632 (infinite loop with x87 fpu). (Scott, Rasmus)
The PHP development team is proud to announce the immediate release of PHP
5.3.4. This is a maintenance release in the 5.3 series, which includes a large
number of bug fixes.
Security Enhancements and Fixes in PHP 5.3.4:
* Fixed crash in zip extract method (possible CWE-170).
* Paths with NULL in them (foo\0bar.txt) are now considered as invalid
(CVE-2006-7243).
* Fixed a possible double free in imap extension (Identified by Mateusz
Kocielski). (CVE-2010-4150).
* Fixed NULL pointer dereference in
ZipArchive::getArchiveComment. (CVE-2010-3709).
* Fixed possible flaw in open_basedir (CVE-2010-3436).
* Fixed MOPS-2010-24, fix string validation. (CVE-2010-2950).
* Fixed symbolic resolution support when the target is a DFS share.
* Fixed bug #52929 (Segfault in filter_var with FILTER_VALIDATE_EMAIL with
large amount of data) (CVE-2010-3710).
Key Bug Fixes in PHP 5.3.4 include:
* Added stat support for zip stream.
* Added follow_location (enabled by default) option for the http stream
support.
* Added a 3rd parameter to get_html_translation_table. It now takes a charset
hint, like htmlentities et al.
* Implemented FR #52348, added new constant ZEND_MULTIBYTE to detect zend
multibyte at runtime.
* Multiple improvements to the FPM SAPI.
* Over 100 other bug fixes.
For users upgrading from PHP 5.2 there is a migration guide available here,
detailing the changes between those releases and PHP 5.3.
For a full list of changes in PHP 5.3.4, see the ChangeLog. For source
downloads please visit our downloads page, Windows binaries can be found on
windows.php.net/download/.
- Rewrote var_export() to use smart_str rather than output buffering,
prevents data disclosure if a fatal error occurs (CVE-2010-2531).
(Scott)
- Fixed a NULL pointer dereference when processing invalid XML-RPC
requests (Fixes CVE-2010-0397, bug #51288). (Raphael Geissert)
- Fixed SplObjectStorage unserialization problems (CVE-2010-2225).
(Stas)
- A large number of not security related bug fixes
This package and lang/php5 aren't installed at the same time.
Setting PHP_VERSION_DEFAULT as "5" or "53" to select PHP 5.2.x or 5.3.x.
PHP is an HTML-embedded scripting language. It is modular, with
some object-oriented features. Much of its syntax is borrowed from
C, Java and Perl with a couple of unique PHP-specific features
thrown in. The language is designed to allow web developers to
write dynamically generated pages quickly.
