PHP 5.3.3 and 5.2.14 Officially Released

The PHP Development Team just announced today the availability of PHP 5.3.3 and PHP 5.2.14. The PHP 5.3.3 comes on improving the stability and security of the 5.3.x branch with more than 100 bug fixes, some of which are security related so all users are highly encouraged to upgrade to this release.

According to the release announcement, PHP 5.3.3 change the backward compatibility. It stated that methods with the same name as the last element of a namespaced class name will no longer be treated as constructor. This change doesn’t affect non-namespaced classes.

Below are the security enhancements and fixes in PHP 5.3.3:

  • Rewrote var_export() to use smart_str rather than output buffering, prevents data disclosure if a fatal error occurs (CVE-2010-2531).
  • Fixed a possible resource destruction issues in shm_put_var().
  • Fixed a possible information leak because of interruption of XOR operator.
  • Fixed a possible memory corruption because of unexpected call-time pass by refernce and following memory clobbering through callbacks.
  • Fixed a possible memory corruption in ArrayObject::uasort().
  • Fixed a possible memory corruption in parse_str().
  • Fixed a possible memory corruption in pack().
  • Fixed a possible memory corruption in substr_replace().
  • Fixed a possible memory corruption in addcslashes().
  • Fixed a possible stack exhaustion inside fnmatch().
  • Fixed a possible dechunking filter buffer overflow.
  • Fixed a possible arbitrary memory access inside sqlite extension.
  • Fixed string format validation inside phar extension.
  • Fixed handling of session variable serialization on certain prefix characters.
  • Fixed a NULL pointer dereference when processing invalid XML-RPC requests (Fixes CVE-2010-0397, bug #51288).
  • Fixed SplObjectStorage unserialization problems (CVE-2010-2225).
  • Fixed possible buffer overflows in mysqlnd_list_fields, mysqlnd_change_user.
  • Fixed possible buffer overflows when handling error packets in mysqlnd.

Key enhancements in PHP 5.3.3 include:

  • Upgraded bundled sqlite to version 3.6.23.1.
  • Upgraded bundled PCRE to version 8.02.
  • Added FastCGI Process Manager (FPM) SAPI.
  • Added stream filter support to mcrypt extension.
  • Added full_special_chars filter to ext/filter.
  • Fixed a possible crash because of recursive GC invocation.
  • Fixed bug #52238 (Crash when an Exception occured in iterator_to_array).
  • Fixed bug #52041 (Memory leak when writing on uninitialized variable returned from function).
  • Fixed bug #52060 (Memory leak when passing a closure to method_exists()).
  • Fixed bug #52001 (Memory allocation problems after using variable variables).
  • Fixed bug #51723 (Content-length header is limited to 32bit integer with Apache2 on Windows).
  • Fixed bug #48930 (__COMPILER_HALT_OFFSET__ incorrect in PHP >= 5.3).

For users upgrading from PHP 5.2 there is a migration guide available on http://php.net/migration53, detailing the changes between those releases and PHP 5.3. For a full list of changes in PHP 5.3.3, see the ChangeLog.

The PHP 5.2.14 Release

The PHP 5.2.14 focuses on improving the stability and security of the 5.2.x branch with more than 60 bug fixes, some of which are security related. This release is the last 5.2.x branch marking the end of support for PHP 5.2 meaning there is no further active bug maintenance. All PHP 5.2.x users are highly encouraged to upgrade to PHP 5.3.

Security Enhancements and Fixes in PHP 5.2.14:

  • Rewrote var_export() to use smart_str rather than output buffering, prevents data disclosure if a fatal error occurs.
  • Fixed a possible interruption array leak in strrchr().(CVE-2010-2484)
  • Fixed a possible interruption array leak in strchr(), strstr(), substr(), chunk_split(), strtok(), addcslashes(), str_repeat(), trim().
  • Fixed a possible memory corruption in substr_replace().
  • Fixed SplObjectStorage unserialization problems (CVE-2010-2225).
  • Fixed a possible stack exaustion inside fnmatch().
  • Fixed a NULL pointer dereference when processing invalid XML-RPC requests (Fixes CVE-2010-0397, bug #51288).
  • Fixed handling of session variable serialization on certain prefix characters.
  • Fixed a possible arbitrary memory access inside sqlite extension. Reported by Mateusz Kocielski.

Key enhancements in PHP 5.2.14 include:

  • Upgraded bundled PCRE to version 8.02.
  • Updated timezone database to version 2010.5.
  • Fixed bug #52238 (Crash when an Exception occured in iterator_to_array).
  • Fixed bug #52237 (Crash when passing the reference of the property of a non-object).
  • Fixed bug #52041 (Memory leak when writing on uninitialized variable returned from function).
  • Fixed bug #51822 (Segfault with strange __destruct() for static class variables).
  • Fixed bug #51552 (debug_backtrace() causes segmentation fault and/or memory issues).
  • Fixed bug #49267 (Linking fails for iconv on MacOS: “Undefined symbols: _libiconv”).

To prepare for upgrading to PHP 5.3, now that PHP 5.2′s support ended, a migration guide available onhttp://php.net/migration53, details the changes between PHP 5.2 and PHP 5.3.

For a full list of changes in PHP 5.2.14 see the ChangeLog.

Source: The PHP Website

Incoming search terms for this post:

Share
If you enjoyed this post, please consider leaving a comment or subscribing to the RSS feed to have future articles delivered to your feed reader.

Related Posts

By: Fuad NAHDI Date: July 23, 2010
4:21 am
Categories: Apache / PHP
Post tags: , ,
Our Sponsors Internet Faxing Reviews HP Pavilion Notebooks Free Collaboration Tools
Feedback
Related posts:
Leave a Comment