Friday, February 9, 2007

PHP 5.2.1 Released

Thanks to Eris, i finally found an update to PHP 5. Actually, i browsed PHP site few days ago (and also yesterday) and i couldn't found any update on PHP, but today, they have changed their front page and also released an update to their latest 5.2.x version (4.4.x version with relevant changes will be available soon).

There's a bunch of updates included in this version and they urged every developer and web hosting should upgrade to this version as this version also added new meta data to prevent search engines indexing the page with phpinfo() information which can be used to infiltrate the system or looking for vulnerable configuration of PHP itself.

Here's the security enhancement on PHP 5.2.1:
* Fixed possible safe_mode & open_basedir bypasses inside the session extension.
* Prevent search engines from indexing the phpinfo() page.
* Fixed a number of input processing bugs inside the filter extension.
* Fixed unserialize() abuse on 64 bit systems with certain input strings.
* Fixed possible overflows and stack corruptions in the session extension.
* Fixed an underflow inside the internal sapi_header_op() function.
* Fixed allocation bugs caused by attempts to allocate negative values in some code paths.
* Fixed possible stack overflows inside zip, imap & sqlite extensions.
* Fixed several possible buffer overflows inside the stream filters.
* Fixed non-validated resource destruction inside the shmop extension.
* Fixed a possible overflow in the str_replace() function.
* Fixed possible clobbering of super-globals in several code paths.
* Fixed a possible information disclosure inside the wddx extension.
* Fixed a possible string format vulnerability in *print() functions on 64 bit systems.
* Fixed a possible buffer overflow inside mail() and ibase_{delete,add,modify}_user() functions.
* Fixed a string format vulnerability inside the odbc_result_all() function.
* Memory limit is now enabled by default.
* Added internal heap protection.
* Extended filter extension support for $_SERVER in CGI and apache2 SAPIs.

Detailed improvements/fixes can be seen at the Changelog.

Time to upgrade to the latest PHP....