The PHP development team would like to announce the immediateavailability of PHP 5.2.6. This release focuses on improving the stability ofthe PHP 5.2.x branch with over 120 bug fixes, several of which are security related.All users of PHP are encouraged to upgrade to this release. Further details about the PHP 5.2.6 release can be found in the release announcement for 5.2.6, the full list of changes is available in the ChangeLog for PHP 5.Security Enhancements and Fixes in PHP 5.2.6:Fixed possible stack buffer overflow in the FastCGI SAPI identified by Andrei Nigmatulin.Fixed integer overflow in printf() identified by Maksymilian Aciemowicz.Fixed security issue detailed in CVE-2008-0599 identified by Ryan Permeh.Fixed a safe_mode bypass in cURL identified by Maksymilian Arciemowicz.Properly address incomplete multibyte chars inside escapeshellcmd() identified by Stefan Esser.Upgraded bundled PCRE to version 7.6
|
|
The PHP team is once again proud to participate in the Google Summer of Code. Ten students will "flip bits instead of burgers" this summer: Zend LLVM Extension by JoonasGovenius, mentored by NunoLopes PHP Optimizer by SamuelGraham Kelly IV, mentored by DerickRethans PhD Improvements and Updates by NicholasSloan, mentored by HannesMagnusson Replace auto* with CMake by Alejandro LeivaRojas, mentored by Pierre A.Joye gsoc:2008 - XDebug by Chung-YangLee, mentored by DavidCoallier Rewrite the run-tests.php script by CesarMontedonico, mentored by TravisSwicegood PHP Bindings for Cairo by AkshatGupta, mentored by AnantNarayanan Algorithm Optimizations by MichalDziemianko, mentored by ScottMacVicar PECL, Website Improvements by BarryCarlyon, mentored by Helgi ÞormarÞorbjörnsson Implement Unicode into PHP 6 by Henrique do NascimentoAngelo, mentored by ScottMacVicar
|
|
The PHP-QA team would like to announce the TestFest for the month of May 2008. The TestFest is an event that aims at improving the code coverage of the test suite for the PHP language itself. As part of this event, local User Groups (UG) are invited to join the TestFest. These UGs can meet physically or come together virtually. The point however is that people network to learn together. Aside from being an opportunity for all of you to make friends with like minded people in your (virtual) community, it also will hopefully reduce the work load for the PHP.net mentors.All it takes is someone to organize a UG to spearhead the event and to get others involved in writing phpt tests. The submissions will then be reviewed by members of php.net before getting included in the official test suite. Please visit the TestFest homepage to get additional details on the TestFest on how to get involved, either as a UG or by setting up the necessary infrastructure.
|
|
Once again we are glad to announce that we have been accepted to be a Google Summer of Code project. See our program for this year's GSoC.We would like to take this opportunity to say thanks to Google Inc. for this privilege to participate once again, and would like to invite everyone to look at our list of ideas: http://wiki.php.net/gsoc/2008.Students are of course more than welcome to come up with their own ideas for their proposals and we will consider each and every application that we will receive.So once again, thanks to everyone who is involved in this magnificent journey and we hope to see many of you great students and open source passionate join us in our most enjoyable Google Summer of Code projects.
|
|
The PHP development team would like to announce the immediate availability of PHP 4.4.8. It continues to improve the security and the stability of the 4.4 branch and all users are strongly encouraged to upgrade to it as soon as possible. This release wraps up all the outstanding patches for the PHP 4.4 series, and is therefore the last normal PHP 4.4 release. If necessary, releases to address security issues could be made until 2008-08-08. Security Enhancements and Fixes in PHP 4.4.8:Improved fix for MOPB-02-2007.Fixed an integer overflow inside chunk_split(). Identified by Gerhard Wagner.Fixed integer overlow in str[c]spn().Fixed regression in glob when open_basedir is on introduced by #41655 fix.Fixed money_format() not to accept multiple %i or %n tokens.Addded "max_input_nesting_level" php.ini option to limit nesting level of input variables. Fix for MOPB-03-2007.Fixed INFILE LOCAL option handling with MySQL - now not allowed when open_basedir or safe_mode is active.Fixed session.save_path and error_log values to be checked against open_basedir and safe_mode (CVE-2007-3378). For a full list of changes in PHP 4.4.8, see the ChangeLog.
|
|
The PHP development team would like to announce the immediate availability of PHP 5.2.5. This release focuses on improving the stability of the PHP 5.2.x branch with over 60 bug fixes, several of which are security related. All users of PHP are encouraged to upgrade to this release. Further details about the PHP 5.2.5 release can be found in the release announcement for 5.2.5, the full list of changes is available in the ChangeLog for PHP 5.Security Enhancements and Fixes in PHP 5.2.5:Fixed dl() to only accept filenames. Reported by Laurent Gaffie.Fixed dl() to limit argument size to MAXPATHLEN (CVE-2007-4887). Reported by Laurent Gaffie.Fixed htmlentities/htmlspecialchars not to accept partial multibyte sequences. Reported by Rasmus LerdorfFixed possible triggering of buffer overflows inside glibc implementations of the fnmatch(), setlocale() and glob() functions. Reported by Laurent Gaffie.Fixed "mail.force_extra_parameters" php.ini directive not to be modifiable in .htaccess due to the security implications. Reported by SecurityReason.Fixed bug #42869 (automatic session id insertion adds sessions id to non-local forms).Fixed bug #41561 (Values set with php_admin_* in httpd.conf can be overwritten with ini_set()).For users upgrading to PHP 5.2 from PHP 5.0 and PHP 5.1, an upgrade guide is available here, detailing the changes between those releases and PHP 5.2.5.
|
|
The PHP documentation team is pleased to announce the initial release of the new build system that generates the PHP Manual. Written in PHP, PhD ([PH]P based [D]ocBook renderer) builds are now available for viewing at docs.php.net. Everyone is encouraged to test and use this system so that bugs will be found and squashed. Once the new build system is stable, expect additional changes to the PHP manual that will include an improved navigation system and styling for OOP documentation. Feel free to set this developmental mirror as your default by using my.php.
|
|
|
The PHP development team would like to announce the immediate availability of PHP 5.2.4. This release focuses on improving the stability of the PHP 5.2.X branch with over 120 various bug fixes in addition to resolving several low priority security bugs. All users of PHP are encouraged to upgrade to this release. Further details about the PHP 5.2.4 release can be found in the release announcement for 5.2.4, the full list of changes is available in the ChangeLog for PHP 5. Security Enhancements and Fixes in PHP 5.2.4:Fixed a floating point exception inside wordwrap() (Reported by Mattias Bengtsson)Fixed several integer overflows inside the GD extension (Reported by Mattias Bengtsson)Fixed size calculation in chunk_split() (Reported by Gerhard Wagner)Fixed integer overflow in str[c]spn(). (Reported by Stanislav Malyshev)Fixed money_format() not to accept multiple %i or %n tokens. (Reported by Stanislav Malyshev)Fixed zend_alter_ini_entry() memory_limit interruption vulnerability. (Reported by Stefan Esser)Fixed INFILE LOCAL option handling with MySQL extensions not to be allowed when open_basedir or safe_mode is active. (Reported by Stanislav Malyshev)Fixed session.save_path and error_log values to be checked against open_basedir and safe_mode (CVE-2007-3378) (Reported by Maksymilian Arciemowicz)Fixed a possible invalid read in glob() win32 implementation (CVE-2007-3806) (Reported by shinnai)Fixed a possible buffer overflow in php_openssl_make_REQ (Reported by zatanzlatan at hotbrev dot com)Fixed an open_basedir bypass inside glob() function (Reported by dr at peytz dot dk)Fixed a possible open_basedir bypass inside session extension when the session file is a symlink (Reported by c dot i dot morris at durham dot ac dot uk)Improved fix for MOPB-03-2007.Corrected fix for CVE-2007-2872. For users upgrading to PHP 5.2 from PHP 5.0 and PHP 5.1, an upgrade guide is available here, detailing the changes between those releases and PHP 5.2.4. |
|
|
Today it is exactly three years ago since PHP 5 has been released. In those three years it has seen many improvements over PHP 4. PHP 5 is fast, stable & production-ready and as PHP 6 is on the way, PHP 4 will be discontinued. The PHP development team hereby announces that support for PHP 4 will continue until the end of this year only. After 2007-12-31 there will be no more releases of PHP 4.4. We will continue to make critical security fixes available on a case-by-case basis until 2008-08-08. Please use the rest of this year to make your application suitable to run on PHP 5. For documentation on migration for PHP 4 to PHP 5, we would like to point you to our migration guide. There is additional information available in the PHP 5.0 to PHP 5.1 and PHP 5.1 to PHP 5.2 migration guides as well. |
|
|
The PHP development team would like to announce the immediate availability of PHP 5.2.3. This release continues to improve the security and the stability of the 5.X branch as well as addressing two regressions introduced by the previous 5.2 releases. These regressions relate to the timeout handling over non-blocking SSL connections and the lack of HTTP_RAW_POST_DATA in certain conditions. All users are encouraged to upgrade to this release. Further details about the PHP 5.2.3 release can be found in the release announcement for 5.2.3, the full list of changes is available in the ChangeLog for PHP 5. Security Enhancements and Fixes in PHP 5.2.3: Fixed an integer overflow inside chunk_split() (by Gerhard Wagner, CVE-2007-2872) Fixed possible infinite loop in imagecreatefrompng. (by Xavier Roche, CVE-2007-2756) Fixed ext/filter Email Validation Vulnerability (MOPB-45 by Stefan Esser, CVE-2007-1900) Fixed bug #41492 (open_basedir/safe_mode bypass inside realpath()) (by bugs dot php dot net at chsc dot dk) Improved fix for CVE-2007-1887 to work with non-bundled sqlite2 lib. Added mysql_set_charset() to allow runtime altering of connection encoding. For users upgrading to PHP 5.2 from PHP 5.0 and PHP 5.1, an upgrade guide is available here, detailing the changes between those releases and PHP 5.2.3. |
|
|
The PHP development team would like to announce the immediate availability of PHP 5.2.2 and availability of PHP 4.4.7. These releases are major stability and security enhancements of the 5.x and 4.4.x branches, and all users are strongly encouraged to upgrade to it as soon as possible. Further details about the PHP 5.2.2 release can be found in the release announcement for 5.2.2, the full list of changes is available in the ChangeLog for PHP 5. Details about the PHP 4.4.7 release can be found in the release announcement for 4.4.7, the full list of changes is available in the ChangeLog for PHP 4. Security Enhancements and Fixes in PHP 5.2.2 and PHP 4.4.7: Fixed CVE-2007-1001, GD wbmp used with invalid image size (by Ivan Fratric) Fixed asciiz byte truncation inside mail() (MOPB-33 by Stefan Esser) Fixed a bug in mb_parse_str() that can be used to activate register_globals (MOPB-26 by Stefan Esser) Fixed unallocated memory access/double free in in array_user_key_compare() (MOPB-24 by Stefan Esser) Fixed a double free inside session_regenerate_id() (MOPB-22 by Stefan Esser) Added missing open_basedir & safe_mode checks to zip:// and bzip:// wrappers. (MOPB-21 by Stefan Esser). Limit nesting level of input variables with max_input_nesting_level as fix for (MOPB-03 by Stefan Esser) Fixed CRLF injection inside ftp_putcmd(). (by loveshell[at]Bug.Center.Team) Fixed a possible super-global overwrite inside import_request_variables(). (by Stefano Di Paola, Stefan Esser) Fixed a remotely trigger-able buffer overflow inside bundled libxmlrpc library. (by Stanislav Malyshev) Security Enhancements and Fixes in PHP 5.2.2 only: Fixed a header injection via Subject and To parameters to the mail() function (MOPB-34 by Stefan Esser) Fixed wrong length calculation in unserialize S type (MOPB-29 by Stefan Esser) Fixed substr_compare and substr_count information leak (MOPB-14 by Stefan Esser) (Stas, Ilia) Fixed a remotely trigger-able buffer overflow inside make_http_soap_request(). (by Ilia Alshanetsky) Fixed a buffer overflow inside user_filter_factory_create(). (by Ilia Alshanetsky) Security Enhancements and Fixes in PHP 4.4.7 only: XSS in phpinfo() (MOPB-8 by Stefan Esser) While majority of the issues outlined above are local, in some circumstances given specific code paths they can be triggered externally. Therefor, we strongly recommend that if you use code utilizing the functions and extensions identified as having had vulnerabilities in them, you consider upgrading your PHP. For users upgrading to PHP 5.2 from PHP 5.0 and PHP 5.1, an upgrade guide is available here, detailing the changes between those releases and PHP 5.2.2. |
|
|
The PHP team is once again proud to participate in the Google Summer of Code, and we are still looking for project ideas from interested students. In case you want to spend the summer with your favorite Open Source project, PHP, and get some money for adding an interesting project to it, you should contact us at
This e-mail address is being protected from spam bots, you need JavaScript enabled to view it
The deadline for submitting ideas is the 24th of March, 2007. Also, the current list of ideas includes suggested topics still looking for student participants. |
|
|
The PHP development team would like to announce the immediate availability of PHP 4.4.6. The main issue that this release addresses is a crash problem that was introduced in PHP 4.4.5. The problem occurs when session variables are used while register_globals is enabled. Details about the PHP 4.4.6 release can be found in the release announcement for 4.4.6, the full list of changes is available in the ChangeLog for PHP 4. |
|
|
The PHP development team would like to announce the immediate availability of PHP 5.2.1 and availability of PHP 4.4.5. These releases are major stability and security enhancements of the 5.x and 4.4.x branches, and all users are strongly encouraged to upgrade to it as soon as possible. Further details about the PHP 5.2.1 release can be found in the release announcement for 5.2.1, the full list of changes is available in the ChangeLog for PHP 5. Details about the PHP 4.4.5 release can be found in the release announcement for 4.4.5, the full list of changes is available in the ChangeLog for PHP 4. Security Enhancements and Fixes in PHP 5.2.1 and PHP 4.4.5: Fixed possible safe_mode & open_basedir bypasses inside the session extension. Fixed unserialize() abuse on 64 bit systems with certain input strings. Fixed possible overflows and stack corruptions in the session extension. Fixed an underflow inside the internal sapi_header_op() function. Fixed non-validated resource destruction inside the shmop extension. Fixed a possible overflow in the str_replace() function. Fixed possible clobbering of super-globals in several code paths. Fixed a possible information disclosure inside the wddx extension. Fixed a possible string format vulnerability in *print() functions on 64 bit systems. Fixed a possible buffer overflow inside ibase_{delete,add,modify}_user() functions. Fixed a string format vulnerability inside the odbc_result_all() function. Security Enhancements and Fixes in PHP 5.2.1 only: Prevent search engines from indexing the phpinfo() page. Fixed a number of input processing bugs inside the filter extension. Fixed allocation bugs caused by attempts to allocate negative values in some code paths. Fixed possible stack/buffer overflows inside zip, imap & sqlite extensions. Fixed several possible buffer overflows inside the stream filters. Memory limit is now enabled by default. Added internal heap protection. Extended filter extension support for $_SERVER in CGI and apache2 SAPIs. Security Enhancements and Fixes in PHP 4.4.5 only: Fixed possible overflows inside zip & imap extensions. Fixed a possible buffer overflow inside mail() function on Windows. Unbundled the ovrimos extension. The majority of the security vulnerabilities discovered and resolved can in most cases be only abused by local users and cannot be triggered remotely. However, some of the above issues can be triggered remotely in certain situations, or exploited by malicious local users on shared hosting setups utilizing PHP as an Apache module. Therefore, we strongly advise all users of PHP, regardless of the version to upgrade to the 5.2.1 or 4.4.5 releases as soon as possible. For users upgrading to PHP 5.2 from PHP 5.0 and PHP 5.1, an upgrade guide is available here, detailing the changes between those releases and PHP 5.2.1. Update: Feb 14th; Added release information for PHP 4.4.5. Update: Feb 12th; The Windows install package had problems with upgrading from previous PHP versions. That has now been fixed and new file posted in the download section. |
|
|
The PHP development team would like to announce the immediate availability of PHP 5.2.1. This release is a major stability and security enhancement of the 5.X branch, and all users are strongly encouraged to upgrade to it as soon as possible. Further details about this release can be found in the release announcement 5.2.1, the full list of changes is available in the ChangeLog PHP 5. Security Enhancements and Fixes in PHP 5.2.1: Fixed possible safe_mode & open_basedir bypasses inside the session extension. Prevent search engines from indexing the phpinfo() page. Fixed a number of input processing bugs inside the filter extension. Fixed unserialize() abuse on 64 bit systems with certain input strings. Fixed possible overflows and stack corruptions in the session extension. Fixed an underflow inside the internal sapi_header_op() function. Fixed allocation bugs caused by attempts to allocate negative values in some code paths. Fixed possible stack overflows inside zip, imap & sqlite extensions. Fixed several possible buffer overflows inside the stream filters. Fixed non-validated resource destruction inside the shmop extension. Fixed a possible overflow in the str_replace() function. Fixed possible clobbering of super-globals in several code paths. Fixed a possible information disclosure inside the wddx extension. Fixed a possible string format vulnerability in *print() functions on 64 bit systems. Fixed a possible buffer overflow inside mail() and ibase_{delete,add,modify}_user() functions. Fixed a string format vulnerability inside the odbc_result_all() function. Memory limit is now enabled by default. Added internal heap protection. Extended filter extension support for $_SERVER in CGI and apache2 SAPIs. The majority of the security vulnerabilities discovered and resolved can in most cases be only abused by local users and cannot be triggered remotely. However, some of the above issues can be triggered remotely in certain situations, or exploited by malicious local users on shared hosting setups utilizing PHP as an Apache module. Therefore, we strongly advise all users of PHP, regardless of the version to upgrade to 5.2.1 release as soon as possible. PHP 4.4.5 with equivalent security corrections will be available shortly. For users upgrading from PHP 5.0 and PHP 5.1, an upgrade guide is available here, detailing the changes between those releases and PHP 5.2.1. |
|
|
The news on the front page of php.net has changed, the conference announcements are now located on their own page. The idea is to keep php.net specific news clear and also opens the door for additional news entries, like for RC releases. More changes are on the way so keep an eye out. |
|
|
The PHP documentation team is proud to present to the PHP community a few fixes and tweaks to the PHP Manual, including: an improved, XSL-based build system that will deliver compiled manuals to mirrors in a more timely manner (goodbye dsssl) manual pages can now contain images (see imagearc() for an example) updated function version information and capture system (fewer "no version information, might be only in CVS" messages) ... and more to come! Please help us improve the documentation by submitting bug reports, and adding notes to undocumented functions. |
|
|
The O'Reilly Open Source Convention 2007 will once again take place from July 23rd - 27th 2007 in Portland, Oregon, and has a PHP track as usual. The Call for Papers closes Monday February 5 2007. You can find more information at http://conferences.oreillynet.com/os2007/. |
|
|
The International PHP Conference 2007 Spring Edition will happen from May, 21st to 23rd 2007 in Stuttgart. The Call for Papers has just been opened. You can find more information at http://phpconference.com/. There's a pre-conference day on 21st of May with full day Power Workshops and a Main Conference from 22nd to 23rd of May with 1 hour sessions. Please submit your session proposals at http://phpconference.com/input. They will be voted by the Chair board consisting of Björn Schotte (Head of Chair), Christopher Kunz and Sebastian Meyen. The language for talks is both English and German. |
|
|
After the success of 2006 the PHP London user group is staging the UK's second dedicated PHP conference on Friday, 23 February 2007, in London. The conference will be a low-cost event, costing £50 for the day. Speakers include: Rasmus Lerdorf, Cal Evans, Simon Laws and Kevlin Henney. |
|
|
)