Educause Security Discussion mailing list archives
Heads up on PHP 5.1.0 -- was Re: [unisog] Summary PHP Reference Material
From: "H. Morrow Long" <morrow.long () YALE EDU>
Date: Sat, 26 Nov 2005 11:36:20 -0500
Tim Lane - Also, on Thursday a new updated version of PHP was released (5.1.0) containing a large number of bug fixes (400+) and security patches. It is recommended that websites running 5.0 and 5.1 betas upgrade. - H. Morrow Long, CISSP, CISM, CEH University Information Security Officer Director -- Information Security Office Yale University, ITS
PHP.net news server web interface From: Ilia Alshanetsky Date: Thu Nov 24 16:38:51 2005 Subject: Proposed 5.1 Release Announcement Groups: php.announce The PHP development team is proud to announce the release of PHP 5.1. Some of the key features of PHP 5.1 include: * A complete rewrite of date handling code, with improved timezone support. * Significant performance improvements compared to PHP 5.0.X. * PDO extension is now enabled by default. * Over 30 new functions in various extensions and built-in functionality. * Bundled libraries, PCRE and SQLite upgraded to latest versions. * Over 400 various bug fixes. * PEAR upgraded to version 1.4.5 The full details of the changes in PHP 5.1.0 can be found here: http://www.php.net/ChangeLog-5.php#5.1.0 In addition to new features, this release includes a number of important security fixes: * Fixed a Cross Site Scripting (XSS) vulnerability in phpinfo() that could lead f.e. to cookie exposure, when a phpinfo() script is accidentally left on a production server. * Fixed multiple safe_mode/open_basedir bypass vulnerabilities in ext/curl and ext/gd that could lead to exposure of files normally not accessible due to safe_mode or open_basedir restrictions. * Fixed a possible $GLOBALS overwrite problem in file upload handling, extract() and import_request_variables() that could lead to unexpected security holes in scripts assumed secure. (For more information, see here). * Fixed a problem when a request was terminated due to memory_limit constraints during certain parse_str() calls. In some cases this can result in register_globals being turned on. * Fixed an issue with trailing slashes in allowed basedirs. They were ignored by open_basedir checks, so that specified basedirs were handled as prefixes and not as full directory names. * Fixed an issue with calling virtual() on Apache 2. This allowed bypassing of certain configuration directives like safe_mode or open_basedir. * Updated to the latest pcrelib to fix a possible integer overflow vulnerability announced in CAN-2005-2491. * Possible header injection in mb_send_mail() function via the To address, the first parameter of the function. All users of PHP 5.0 and early adopters of 5.1 betas are strongly advised to upgrade to 5.1 as soon as possible. An upgrade is available at http://www.php.net/README_UPGRADE_51.php. Enjoy, PHP Development Team. Written by Jim Winstead. no rights reserved. (source code)
Current thread:
- Heads up on PHP 5.1.0 -- was Re: [unisog] Summary PHP Reference Material H. Morrow Long (Nov 26)