| PHP 5.3.10 Released! | The PHP development team would like to announce the immediate availability of PHP 5.3.10. This release delivers a critical security fix.Security Fixes in PHP 5.3.10:Fixed arbitrary remote code execution vulnerability reported by Stefan Esser, CVE-2012-0830.All users are strongly encouraged to upgrade to PHP 5.3.10.For source downloads please visit our downloads page, Windows binaries can be found on windows.php.net/download/. |
| PHP 5.4.0 RC6 released | The PHP development team announces the 6th release candidate of PHP 5.4. PHP 5.4 includes new language features and removes several legacy (deprecated) behaviours. Windows binaries can be downloaded from the Windows QA site. THIS IS A RELEASE CANDIDATE - DO NOT USE IT IN PRODUCTION!. This is the 6th release candidate. The release candidate phase is intended as a period of bug fixing prior to the stable release. No new features should be included before the final version of PHP 5.4.0. The 6th release candidate focused on improving traits. Please test them carefully and help us to identify bugs in order to ensure that the release is solid and all things behave as expected. Please take the time to test this release candidate against your code base and report any problems that you encounter to the QA mailing list and/or the PHP bug tracker. A complete list of changes since the last release candidate can be found at NEWS The next candidate will be released on Feb 2. |
| PHP 5.3.9 Released! | The PHP development team would like to announce the immediate availability of PHP 5.3.9. This release focuses on improving the stability of the PHP 5.3.x branch with over 90 bug fixes, some of which are security related.Security Enhancements and Fixes in PHP 5.3.9:Added max_input_vars directive to prevent attacks based on hash collisions. (CVE-2011-4885)Fixed bug #60150 (Integer overflow during the parsing of invalid exif header). (CVE-2011-4566)Key enhancements in PHP 5.3.9 include:Fixed bug #55475 (is_a() triggers autoloader, new optional 3rd argument to is_a and is_subclass_of).Fixed bug #55609 (mysqlnd cannot be built shared)Many changes to the FPM SAPI moduleFor a full list of changes in PHP 5.3.9, see the ChangeLog. For source downloads please visit our downloads page, Windows binaries can be found on windows.php.net/download/.All users are strongly encouraged to upgrade to PHP 5.3.9. |
| PHP 5.4.0 RC5 released | The PHP development team announces the 5th release candidate of PHP 5.4. PHP 5.4 includes new language features and removes several legacy (deprecated) behaviours. Windows binaries can be downloaded from the Windows QA site. THIS IS A RELEASE CANDIDATE - DO NOT USE IT IN PRODUCTION!. This is the 5th release candidate. The release candidate phase is intended as a period of bug fixing prior to the stable release. No new features should be included before the final version of PHP 5.4.0. We got a lot of feedback that helped us to improve the upcoming PHP version. Please continue to help us to identify bugs in order to ensure that the release is solid and all things behave as expected. Please take the time to test this release candidate against your code base and report any problems that you encounter to the QA mailing list and/or the PHP bug tracker. A complete list of changes since the last release candidate can be found at NEWS The next and probably last release candidate will be released in 14 days. |
| PHP 5.4.0 RC4 released | The PHP development team is proud to announce the 4th release candidate of PHP 5.4. PHP 5.4 includes new language features and removes several legacy (deprecated) behaviours. Windows binaries can be downloaded from the Windows QA site. THIS IS A RELEASE CANDIDATE - DO NOT USE IT IN PRODUCTION!. This is the 4th release candidate. The release candidate phase is intended as a period of bug fixing prior to the stable release. No new features should be included before the final version of PHP 5.4.0. The new release candidate fixed several bugs, including: Added max_input_vars directive to prevent attacks based on hash collisionsFixed a segfault in the traits code Read the NEWS file for a complete list of changes in this release. Please continue to help us to identify bugs in order to ensure that the release is solid and all things behave as expected. Please test this release candidate against your code base and report any problems that you encounter to the QA mailing list and/or the PHP bug tracker. The next release candidate will be released in 14 days. |
| PHP 5.4.0RC3 released | The PHP development team is proud to announce the third release candidate of PHP 5.4. PHP 5.4 includes new language features and removes several legacy (deprecated) behaviours. Windows binaries can be downloaded from the Windows QA site. THIS IS A RELEASE CANDIDATE - DO NOT USE IT IN PRODUCTION!. This is the third release candidate. The release candidate phase is intended as a period of bug fixing prior to the stable release. No new features should be included before the final version of PHP 5.4.0. Changes since the previous release candidate include:The intl extension now supports UTS #46 mapping for IDNA$_SERVER['SERVER_NAME'] and $_SERVER['SERVER_PORT'] are now available in the builtin CLI server implementation.Several improvements and bug fixes in the Zend Engine, Core and other extensions. Read the NEWS file for a complete list of changes in this release. Please continue to help us to identify bugs in order to ensure that the release is solid and all things behave as expected. Please test this release candidate against your code base and report any problems that you encounter to the QA mailing list and/or the PHP bug tracker. |
| PHP 5.4 RC2 released | The PHP development team is proud to announce the second release candidate of PHP 5.4. PHP 5.4 includes new language features and removes several legacy (deprecated) behaviours. Windows binaries can be downloaded from the Windows QA site. THIS IS A RELEASE CANDIDATE - DO NOT USE IT IN PRODUCTION!. This is the second release candidate. The release candidate phase is intended as a period of bug fixing prior to the stable release. No new features should be included before the final version of PHP 5.4.0. Changes since the previous release candidate include:Further bug fixes in the built-in web server.PHP-FPM is no longer marked as EXPERIMENTAL.Several improvements and bug fixes in the Zend Engine, Core and other extensions. Read the NEWS file for a complete list of changes in this release. Please continue to help us to identify bugs in order to ensure that the release is solid and all things behave as expected. Please test this release candidate against your code base and report any problems that you encounter to the QA mailing list and/or the PHP bug tracker. |
| PHP 5.4 RC1 released | The PHP development team is proud to announce the first release candidate of PHP 5.4. PHP 5.4 includes new language features and removes several legacy (deprecated) behaviours. Windows binaries can be downloaded from the Windows QA site. THIS IS A RELEASE CANDIDATE - DO NOT USE IT IN PRODUCTION! This is the first release candidate. No new features will be included before the final version of PHP 5.4.0. The release candidate phase is intended as a period of bug fixing prior to the stable release. Changes since the last beta version include:Added class member access on instantiation (e.g. (new Foo)->bar()).Changed silent conversion of array to string to produce a notice.Numerous bug fixes and improvements in the Core and other extensions. Please help us to identify bugs in order to ensure that the release is solid and all things behave as expected. Please test this release candidate against your code base and report any problems that you encounter to the QA mailing list and/or the PHP bug tracker. Read the NEWS file for a complete list of changes in this release. |
| PHP 5.4 beta2 released | The PHP development team is proud to announce the second beta release of PHP 5.4. PHP 5.4 includes new language features and removes several legacy (deprecated) behaviours. Windows binaries can be downloaded from the Windows QA site. THIS IS A DEVELOPMENT PREVIEW - DO NOT USE IT IN PRODUCTION! Please help us to identify bugs by testing new features and looking for unintended backward compatibility breaks, so we can fix the problems and fully document intended changes before PHP 5.4.0 is released. Report findings to the QA mailing list and/or the PHP bug tracker. This release includes numerous bug fixes and improvements since the first beta release. Read the NEWS file for a complete list of changes. |
| PHP 5.4 beta1 released | The PHP development team is proud to announce the first beta release of PHP 5.4. PHP 5.4 includes new language features and removes several legacy (deprecated) behaviors. Windows binaries can be downloaded from the Windows QA site. THIS IS A DEVELOPMENT PREVIEW - DO NOT USE IT IN PRODUCTION! New features were added and bugs were fixed since alpha1. Please help us to identify bugs by testing new features and looking for unintended backward compatability breaks, so we can fix the problems and fully document intended changes before PHP 5.4.0 is released. Report findings to the QA mailing list and/or the PHP bug tracker. Changes since the first alpha version include:Added callable typehint.Removed the timezone guessing algorithm. "UTC" is now used in case the timezone is not set.The mysql, mysqli and pdo_mysql extensions now use mysqlnd by default. Read the NEWS file for a complete list of changes. |
| PHP 5.3.8 Released! | The PHP development team would like to announce the immediate availability of PHP 5.3.8. This release fixes two issues introduced in the PHP 5.3.7 release:Fixed bug #55439 (crypt() returns only the salt for MD5)Reverted a change in timeout handling restoring PHP 5.3.6 behavior, which caused mysqlnd SSL connections to hang (Bug #55283).All PHP users should note that the PHP 5.2 series is NOT supported anymore. All users are strongly encouraged to upgrade to PHP 5.3.8.For a full list of changes in PHP 5.3.8, see the ChangeLog. For source downloads please visit our downloads page, Windows binaries can be found on windows.php.net/download/.For more details on the crypt() blowfish security issue in pre 5.3.6 see the crypt blowfish page |
| 5.3.7 upgrade warning | Due to unfortunate issues with 5.3.7 (see bug#55439) users should postpone upgrading until 5.3.8 is released (expected in a few days). |
| PHP 5.3.7 Released! | The PHP development team would like to announce the immediate availability of PHP 5.3.7. This release focuses on improving the stability of the PHP 5.3.x branch with over 90 bug fixes, some of which are security related.Security Enhancements and Fixes in PHP 5.3.7:Updated crypt_blowfish to 1.2. (CVE-2011-2483) (more info)Fixed crash in error_log(). Reported by Mateusz KocielskiFixed buffer overflow on overlog salt in crypt().Fixed bug #54939 (File path injection vulnerability in RFC1867 File upload filename). Reported by Krzysztof Kotowicz. (CVE-2011-2202)Fixed stack buffer overflow in socket_connect(). (CVE-2011-1938)Fixed bug #54238 (use-after-free in substr_replace()). (CVE-2011-1148)Key enhancements in PHP 5.3.7 include:Upgraded bundled Sqlite3 to version 3.7.7.1Upgraded bundled PCRE to version 8.12Fixed bug #54910 (Crash when calling call_user_func with unknown function name)Fixed bug #54585 (track_errors causes segfault)Fixed bug #54262 (Crash when assigning value to a dimension in a non-array)Fixed a crash inside dtor for error handlingFixed bug #55339 (Segfault with allow_call_time_pass_reference = Off)Fixed bug #54935 php_win_err can lead to crashFixed bug #54332 (Crash in zend_mm_check_ptr // Heap corruption)Fixed bug #54305 (Crash in gc_remove_zval_from_buffer)Fixed bug #54580 (get_browser() segmentation fault when browscap ini directive is set through php_admin_value)Fixed bug #54529 (SAPI crashes on apache_config.c:197)Fixed bug #54283 (new DatePeriod(NULL) causes crash).Fixed bug #54269 (Short exception message buffer causes crash)Fixed Bug #54221 (mysqli::get_warnings segfault when used in multi queries)Fixed bug #54395 (Phar::mount() crashes when calling with wrong parameters)Fixed bug #54384 (Dual iterators, GlobIterator, SplFileObject and SplTempFileObject crash when user-space classes don't call the parent constructor)Fixed bug #54292 (Wrong parameter causes crash in SplFileObject::__construct())Fixed bug #54291 (Crash iterating DirectoryIterator for dir name starting with \0)Fixed bug #54281 (Crash in non-initialized RecursiveIteratorIterator)Fixed bug #54623 (Segfault when writing to a persistent socket after closing a copy of the socket)Fixed bug #54681 (addGlob() crashes on invalid flags)Over 80 other bug fixes.Windows users: please mind that we do no longer provide builds created with Visual Studio C++ 6. It is impossible to maintain a high quality and safe build of PHP for Windows using this unmaintained compiler.For Apache SAPIs (php5_apache2_2.dll), be sure that you use a Visual Studio C++ 9 version of Apache. We recommend the Apache builds as provided by ApacheLounge. For any other SAPI (CLI, FastCGI via mod_fcgi, FastCGI with IIS or other FastCGI capable server), everything works as before. Third party extension providers must rebuild their extensions to make them compatible and loadable with the Visual Studio C++9 builds that we now provide.All PHP users should note that the PHP 5.2 series is NOT supported anymore. All users are strongly encouraged to upgrade to PHP 5.3.7.For a full list of changes in PHP 5.3.7, see the ChangeLog. For source downloads please visit our downloads page, Windows binaries can be found on windows.php.net/download/. |
| PHP 5.4 alpha1 released | The PHP development team is proud to announce the first PHP 5.4 alpha release. PHP 5.4 includes new language features and removes several legacy (deprecated) behaviors. Read the NEWS file for a complete list of changes. THIS IS A DEVELOPMENT PREVIEW - DO NOT USE IT IN PRODUCTION! This alpha release exists to encourage users to identify bugs, and to ensure that all new features and backward compatibility breaks are evaluated and documented before PHP 5.4.0 is released. Please report findings to the QA mailing list and/or the PHP bug tracker. Windows binaries can be downloaded from the Windows QA site. Here is an incomplete list of changes: Added: Traits language constructAdded: Array dereferencing supportAdded: DTrace supportImproved: Improved Zend Engine memory usage and performanceMoved: ext/sqlite moved to pecl (sqlite3 support is still built-in) Please note that some legacy features have been removed, including: Removed: break/continue $var syntaxRemoved: register_globals, allow_call_time_pass_reference, and register_long_arrays ini optionsRemoved: session_is_registered(), session_registered(), and session_unregister() This is the first release that adopts the releaseprocess RFC. The next alpha will be released within four weeks. The PHP 5.4 feature set and API has not been finalized. |
| PHP Documentation update | PHP has several new documentation features that the community should be aware of: pman - PHP man pages $ pear install doc.php.net/pman$ pman strlen (this example displays a local textual version of the strlen docs) Enhanced CHM - contains user notes (over 25,000) This additional CHM file is downloadable Online Documentation Editor - allows everyone to edit the PHP manual URL: https://edit.php.net/Every manual page will link to it in the futureIncludes an IRC window to the #php.doc channel, so let's talk We hope you find the above features useful, and please write phpdoc@lists.php.net with feedback. Additional features are being refined, which includes a JSON version of the manual. |
| php.net security notice | The wiki.php.net box was compromised and the attackers were able to collect wiki account credentials. No other machines in the php.net infrastructure appear to have been affected. Our biggest concern is, of course, the integrity of our source code. We did an extensive code audit and looked at every commit since 5.3.5 to make sure that no stolen accounts were used to inject anything malicious. Nothing was found. The compromised machine has been wiped and we are forcing a password change for all svn accounts.We are still investigating the details of the attack which combined a vulnerability in the Wiki software with a Linux root exploit. |
| PHP 5.3.6 Released! | The PHP development team would like to announce the immediate availability of PHP 5.3.6. This release focuses on improving the stability of the PHP 5.3.x branch with over 60 bug fixes, some of which are security related.Security Enhancements and Fixes in PHP 5.3.6:Enforce security in the fastcgi protocol parsing with fpm SAPI.Fixed bug #54247 (format-string vulnerability on Phar). (CVE-2011-1153)Fixed bug #54193 (Integer overflow in shmop_read()). (CVE-2011-1092)Fixed bug #54055 (buffer overrun with high values for precision ini setting).Fixed bug #54002 (crash on crafted tag in exif). (CVE-2011-0708)Fixed bug #53885 (ZipArchive segfault with FL_UNCHANGED on empty archive). (CVE-2011-0421)Key enhancements in PHP 5.3.6 include:Upgraded bundled Sqlite3 to version 3.7.4.Upgraded bundled PCRE to version 8.11.Added ability to connect to HTTPS sites through proxy with basic authentication using stream_context/http/header/Proxy-Authorization.Added options to debug backtrace functions.Changed default value of ini directive serialize_precision from 100 to 17.Fixed Bug #53971 (isset() and empty() produce apparently spurious runtime error).Fixed Bug #53958 (Closures can't 'use' shared variables by value and by reference).Fixed bug #53577 (Regression introduced in 5.3.4 in open_basedir with a trailing forward slash).Over 60 other bug fixes.Windows users: please mind that we do no longer provide builds created with Visual Studio C++ 6. It is impossible to maintain a high quality and safe build of PHP for Windows using this unmaintained compiler. For Apache SAPIs (php5_apache2_2.dll), be sure that you use a Visual Studio C++ 9 version of Apache. We recommend the Apache builds as provided by ApacheLounge. For any other SAPI (CLI, FastCGI via mod_fcgi, FastCGI with IIS or other FastCGI capable server), everything works as before. Third party extension providers must rebuild their extensions to make them compatible and loadable with the Visual Studio C++ 9 builds that we now provide. All PHP users should note that the PHP 5.2 series is NOT supported anymore. All users are strongly encouraged to upgrade to PHP 5.3.6.For a full list of changes in PHP 5.3.6, see the ChangeLog. For source downloads please visit our downloads page, Windows binaries can be found on windows.php.net/download/. |
| PHP 5.3.5 and 5.2.17 Released! | The PHP development team would like to announce the immediate availability of PHP 5.3.5 and 5.2.17. This release resolves a critical issue, reported as PHP bug #53632 and CVE-2010-4645, where conversions from string to double might cause the PHP interpreter to hang on systems using x87 FPU registers. The problem is known to only affect x86 32-bit PHP processes, regardless of whether the system hosting PHP is 32-bit or 64-bit. You can test whether your system is affected by running this script from the command line. All users of PHP are strongly advised to update to these versions immediately. |
| PHP 5.2.16 Released! | The PHP development team would like to announce the immediate availability of PHP 5.2.16. This release marks the end of support for PHP 5.2. All users of PHP 5.2 are encouraged to upgrade to PHP 5.3. This release focuses on addressing a regression in open_basedir implementation introduced in 5.2.15 in addition to fixing a crash inside PDO::pgsql on data retrieval when the server is down. All users who have upgraded to 5.2.15 and are utilizing open_basedir are strongly encouraged to upgrade to 5.2.16 or 5.3.4. To prepare for upgrading to PHP 5.3, now that PHP 5.2's support ended, a migration guide available on http://php.net/migration53, details the changes between PHP 5.2 and PHP 5.3.For a full list of changes in PHP 5.2.16 see the ChangeLog at http://www.php.net/ChangeLog-5.php#5.2.16. |
| PHP 5.3.4 Released! | The PHP development team is proud to announce the immediate release of PHP 5.3.4. This is a maintenance release in the 5.3 series, which includes a large number of bug fixes. Security Enhancements and Fixes in PHP 5.3.4:Fixed crash in zip extract method (possible CWE-170).Paths with NULL in them (foo\0bar.txt) are now considered as invalid (CVE-2006-7243).Fixed a possible double free in imap extension (Identified by Mateusz Kocielski). (CVE-2010-4150).Fixed NULL pointer dereference in ZipArchive::getArchiveComment. (CVE-2010-3709).Fixed possible flaw in open_basedir (CVE-2010-3436).Fixed MOPS-2010-24, fix string validation. (CVE-2010-2950).Fixed symbolic resolution support when the target is a DFS share.Fixed bug #52929 (Segfault in filter_var with FILTER_VALIDATE_EMAIL with large amount of data) (CVE-2010-3710).Key Bug Fixes in PHP 5.3.4 include:Added stat support for zip stream.Added follow_location (enabled by default) option for the http stream support.Added a 3rd parameter to get_html_translation_table. It now takes a charset hint, like htmlentities et al.Implemented FR #52348, added new constant ZEND_MULTIBYTE to detect zend multibyte at runtime.Multiple improvements to the FPM SAPI.Over 100 other bug fixes. For users upgrading from PHP 5.2 there is a migration guide available here, detailing the changes between those releases and PHP 5.3. For a full list of changes in PHP 5.3.4, see the ChangeLog. For source downloads please visit our downloads page, Windows binaries can be found on windows.php.net/download/. |
| PHP 5.2.15 Released! | The PHP development team would like to announce the immediate availability of PHP 5.2.15. This release marks the end of support for PHP 5.2. All users of PHP 5.2 are encouraged to upgrade to PHP 5.3. This release focuses on improving the security and stability of the PHP 5.2.x branch with a small number, of predominatly security fixes. Security Enhancements and Fixes in PHP 5.2.15:Fixed extract() to do not overwrite $GLOBALS and $this when using EXTR_OVERWRITE.Fixed crash in zip extract method (possible CWE-170).Fixed a possible double free in imap extension.Fixed possible flaw in open_basedir (CVE-2010-3436).Fixed NULL pointer dereference in ZipArchive::getArchiveComment. (CVE-2010-3709).Fixed bug #52929 (Segfault in filter_var with FILTER_VALIDATE_EMAIL with large amount of data).Key enhancements in PHP 5.2.15 include:Fixed bug #47643 (array_diff() takes over 3000 times longer than php 5.2.4).Fixed bug #44248 (RFC2616 transgression while HTTPS request through proxy with SoapClient object).To prepare for upgrading to PHP 5.3, now that PHP 5.2's support ended, a migration guide available on http://php.net/migration53, details the changes between PHP 5.2 and PHP 5.3.For a full list of changes in PHP 5.2.15 see the ChangeLog at http://www.php.net/ChangeLog-5.php#5.2.15. |
| PHP 5.3.3 Released! | The PHP development team would like to announce the immediate availability of PHP 5.3.3. This release focuses on improving the stability and security of the PHP 5.3.x branch with over 100 bug fixes, some of which are security related. All users are encouraged to upgrade to this release. Backwards incompatible change:Methods with the same name as the last element of a namespaced class name will no longer be treated as constructor. This change doesn't affect non-namespaced classes. There is no impact on migration from 5.2.x because namespaces were only introduced in PHP 5.3.Security Enhancements and Fixes in PHP 5.3.3:Rewrote var_export() to use smart_str rather than output buffering, prevents data disclosure if a fatal error occurs (CVE-2010-2531).Fixed a possible resource destruction issues in shm_put_var().Fixed a possible information leak because of interruption of XOR operator.Fixed a possible memory corruption because of unexpected call-time pass by refernce and following memory clobbering through callbacks.Fixed a possible memory corruption in ArrayObject::uasort().Fixed a possible memory corruption in parse_str().Fixed a possible memory corruption in pack().Fixed a possible memory corruption in substr_replace().Fixed a possible memory corruption in addcslashes().Fixed a possible stack exhaustion inside fnmatch().Fixed a possible dechunking filter buffer overflow.Fixed a possible arbitrary memory access inside sqlite extension.Fixed string format validation inside phar extension.Fixed handling of session variable serialization on certain prefix characters.Fixed a NULL pointer dereference when processing invalid XML-RPC requests (Fixes CVE-2010-0397, bug #51288).Fixed SplObjectStorage unserialization problems (CVE-2010-2225).Fixed possible buffer overflows in mysqlnd_list_fields, mysqlnd_change_user.Fixed possible buffer overflows when handling error packets in mysqlnd.Key enhancements in PHP 5.3.3 include:Upgraded bundled sqlite to version 3.6.23.1.Upgraded bundled PCRE to version 8.02.Added FastCGI Process Manager (FPM) SAPI.Added stream filter support to mcrypt extension.Added full_special_chars filter to ext/filter.Fixed a possible crash because of recursive GC invocation.Fixed bug #52238 (Crash when an Exception occured in iterator_to_array).Fixed bug #52041 (Memory leak when writing on uninitialized variable returned from function).Fixed bug #52060 (Memory leak when passing a closure to method_exists()).Fixed bug #52001 (Memory allocation problems after using variable variables).Fixed bug #51723 (Content-length header is limited to 32bit integer with Apache2 on Windows).Fixed bug #48930 (__COMPILER_HALT_OFFSET__ incorrect in PHP >= 5.3). For users upgrading from PHP 5.2 there is a migration guide available on http://php.net/migration53, detailing the changes between those releases and PHP 5.3. For a full list of changes in PHP 5.3.3, see the ChangeLog. |
| PHP 5.2.14 Released! | The PHP development team would like to announce the immediate availability of PHP 5.2.14. This release focuses on improving the stability of the PHP 5.2.x branch with over 60 bug fixes, some of which are security related. This release marks the end of the active support for PHP 5.2. Following this release the PHP 5.2 series will receive no further active bug maintenance. Security fixes for PHP 5.2 might be published on a case by cases basis. All users of PHP 5.2 are encouraged to upgrade to PHP 5.3.Security Enhancements and Fixes in PHP 5.2.14:Rewrote var_export() to use smart_str rather than output buffering, prevents data disclosure if a fatal error occurs.Fixed a possible interruption array leak in strrchr().(CVE-2010-2484)Fixed a possible interruption array leak in strchr(), strstr(), substr(), chunk_split(), strtok(), addcslashes(), str_repeat(), trim().Fixed a possible memory corruption in substr_replace().Fixed SplObjectStorage unserialization problems (CVE-2010-2225).Fixed a possible stack exaustion inside fnmatch().Fixed a NULL pointer dereference when processing invalid XML-RPC requests (Fixes CVE-2010-0397, bug #51288).Fixed handling of session variable serialization on certain prefix characters.Fixed a possible arbitrary memory access inside sqlite extension. Reported by Mateusz Kocielski.Key enhancements in PHP 5.2.14 include:Upgraded bundled PCRE to version 8.02.Updated timezone database to version 2010.5.Fixed bug #52238 (Crash when an Exception occured in iterator_to_array).Fixed bug #52237 (Crash when passing the reference of the property of a non-object).Fixed bug #52041 (Memory leak when writing on uninitialized variable returned from function).Fixed bug #51822 (Segfault with strange __destruct() for static class variables).Fixed bug #51552 (debug_backtrace() causes segmentation fault and/or memory issues).Fixed bug #49267 (Linking fails for iconv on MacOS: "Undefined symbols: _libiconv").To prepare for upgrading to PHP 5.3, now that PHP 5.2's support ended, a migration guide available on http://php.net/migration53, details the changes between PHP 5.2 and PHP 5.3.For a full list of changes in PHP 5.2.14 see the ChangeLog at http://www.php.net/ChangeLog-5.php#5.2.14. |
| TestFest 2010 | PHP is proud to announce TestFest 2010. TestFest is PHP's annual campaign to increase the overall code coverage of PHP through PHPT tests. During TestFest, PHP User Groups and individuals around the world organize local events where new tests are written and new contributors are introduced to PHP's testing suite. Last year was very successful with 887 tests submitted and a code coverage increase of 2.5%. This year we hope to do better. TestFest's own SVN repository and reporting tools are back online for this year's event. New to TestFest this year are automated test environment build tools as well as screencasts showing those build tools in action. Please visit the TestFest 2010 wiki page for all the details on events being organized in your area, or find out how you can organize your own event. |
| PHP 5.3.2 Released! | The PHP development team is proud to announce the immediate release of PHP 5.3.2. This is a maintenance release in the 5.3 series, which includes a large number of bug fixes. Security Enhancements and Fixes in PHP 5.3.2:Improved LCG entropy. (Rasmus, Samy Kamkar)Fixed safe_mode validation inside tempnam() when the directory path does not end with a /). (Martin Jansen)Fixed a possible open_basedir/safe_mode bypass in the session extension identified by Grzegorz Stachowiak. (Ilia)Key Bug Fixes in PHP 5.3.2 include:Added support for SHA-256 and SHA-512 to php's crypt.Added protection for $_SESSION from interrupt corruption and improved "session.save_path" check.Fixed bug #51059 (crypt crashes when invalid salt are given).Fixed bug #50940 Custom content-length set incorrectly in Apache sapis.Fixed bug #50847 (strip_tags() removes all tags greater then 1023 bytes long).Fixed bug #50723 (Bug in garbage collector causes crash).Fixed bug #50661 (DOMDocument::loadXML does not allow UTF-16).Fixed bug #50632 (filter_input() does not return default value if the variable does not exist).Fixed bug #50540 (Crash while running ldap_next_reference test cases).Fixed bug #49851 (http wrapper breaks on 1024 char long headers).Over 60 other bug fixes. For users upgrading from PHP 5.2 there is a migration guide available here, detailing the changes between those releases and PHP 5.3. Further information and downloads: For a full list of changes in PHP 5.3.2, see the ChangeLog. For source downloads please visit our downloads page, Windows binaries can be found on windows.php.net/download/. |
| PHP 5.2.13 Released! | The PHP development team would like to announce the immediate availability of PHP 5.2.13. This release focuses on improving the stability of the PHP 5.2.x branch with over 40 bug fixes, some of which are security related. All users of PHP 5.2 are encouraged to upgrade to this release. Security Enhancements and Fixes in PHP 5.2.13:Fixed safe_mode validation inside tempnam() when the directory path does not end with a /). (Martin Jansen)Fixed a possible open_basedir/safe_mode bypass in session extension identified by Grzegorz Stachowiak. (Ilia)Improved LCG entropy. (Rasmus, Samy Kamkar) Further details about the PHP 5.2.13 release can be found in the release announcement, and the full list of changes are available in the ChangeLog. |
| PHP 5.2.12 Released! | The PHP development team would like to announce the immediate availability of PHP 5.2.12. This release focuses on improving the stability of the PHP 5.2.x branch with over 60 bug fixes, some of which are security related. All users of PHP 5.2 are encouraged to upgrade to this release. Security Enhancements and Fixes in PHP 5.2.12:Fixed a safe_mode bypass in tempnam() identified by Grzegorz Stachowiak. (CVE-2009-3557, Rasmus)Fixed a open_basedir bypass in posix_mkfifo() identified by Grzegorz Stachowiak. (CVE-2009-3558, Rasmus)Added "max_file_uploads" INI directive, which can be set to limit the number of file uploads per-request to 20 by default, to prevent possible DOS via temporary file exhaustion, identified by Bogdan Calin. (CVE-2009-4017, Ilia)Added protection for $_SESSION from interrupt corruption and improved "session.save_path" check, identified by Stefan Esser. (CVE-2009-4143, Stas)Fixed bug #49785 (insufficient input string validation of htmlspecialchars()). (CVE-2009-4142, Moriyoshi, hello at iwamot dot com) Further details about the PHP 5.2.12 release can be found in the release announcement, and the full list of changes are available in the ChangeLog. |
| PHP 5.3.1 Released! | The PHP development team would like to announce the immediate availability of PHP 5.3.1. This release focuses on improving the stability of the PHP 5.3.x branch with over 100 bug fixes, some of which are security related. All users of PHP are encouraged to upgrade to this release.Security Enhancements and Fixes in PHP 5.3.1:Added "max_file_uploads" INI directive, which can be set to limit the number of file uploads per-request to 20 by default, to prevent possible DOS via temporary file exhaustion.Added missing sanity checks around exif processing.Fixed a safe_mode bypass in tempnam().Fixed a open_basedir bypass in posix_mkfifo().Fixed failing safe_mode_include_dir.Further details about the PHP 5.3.1 release can be found in the release announcement, and the full list of changes are available in the ChangeLog. |
| PHP 5.2.11 Released! | The PHP development team would like to announce the immediate availability of PHP 5.2.11. This release focuses on improving the stability of the PHP 5.2.x branch with over 75 bug fixes, some of which are security related. All users of PHP 5.2 are encouraged to upgrade to this release. Security Enhancements and Fixes in PHP 5.2.11:Fixed certificate validation inside php_openssl_apply_verification_policy. (Ryan Sleevi, Ilia)Fixed sanity check for the color index in imagecolortransparent(). (Pierre)Added missing sanity checks around exif processing. (Ilia)Fixed bug #44683 (popen crashes when an invalid mode is passed). (Pierre) Further details about the PHP 5.2.11 release can be found in the release announcement, and the full list of changes are available in the ChangeLog. |
| PHP TestFest 2009 Winners | A group of winners of PHP elePHPhants or TestFest mugs have been picked at random from the people that contributed the 887 tests during the 2009 PHP TestFest. Winners of elePHPhantsMark Schaschke TestFest London May 2009Patrick Allaert Belgian PHP Testfest 2009Rafael Dohms testfest PHPSP on 2009-06-20Guilherme Blanco testfest PHPSP on 2009-06-20Fabio Fabbrucci Italian PHP TestFest 2009 Cesena 19-20-21 juneRodrigo Moyle testfest PHPSP on 2009-06-20Edgar Ferreira da Silva testfest PHPSP on 2009-06-20Marco Fabbri PHPTestFest Cesena Italia on 2009-06-20Jason Easter Testfest 2009 2009-06-20Simon Westcott PHPNW Testfest 2009Winners of mugsTim Eggert Testfest Berlin 2009-05-09Till Klampaeckel TestFest 2009Havard Eide Norway 2009-06-09 \o/Ŕlex Corretgé - CataloniaFrancesco Fullone TestFest Cesena Italia on 2009-06-20Ivan Rosolen testfest PHPSP on 2009-06-20Moritz Neuhaeuser Testfest Berlin 2009-05-10Daniel Convissor TestFest 2009 NYPHPMatt Raines testfest London 2009-05-09Winners will be contacted shortly. Once again a huge thank you! to everyone who helped to make this year's TestFest such an outstanding success! |
| Subversion Migration Complete | The migration from CVS to Subversion is complete. The web interface is at svn.php.net. You can read about it at php.net/svn.php, wiki.php.net/vcs/svnfaq. The URL to feed to your svn client is http://svn.php.net/repository. There is also a github mirror. Please use that instead of trying to do a full git clone from the svn repository. See the instructions at wiki.php.net/vcs/svnfaq#git Many thanks to Gwynne who did the bulk of the work and also all the other folks who pitched in. It was a major effort to move 14 years of CVS history to another RCS. |
