PHP 5.2.7 released


The PHP development team would like to announce the immediate availability of PHP 5.2.7. This release focuses on improving the stability of the PHP 5.2.x branch with over 120 bug fixes, several of which are security related. All users of PHP are encouraged to upgrade to this release.

 

Security Enhancements and Fixes in PHP 5.2.7:

 

    * Upgraded PCRE to version 7.8 (Fixes CVE-2008-2371)

    * Fixed missing initialization of BG(page_uid) and BG(page_gid), reported by Maksymilian Arciemowicz.

    * Fixed incorrect php_value order for Apache configuration, reported by Maksymilian Arciemowicz.

    * Fixed a crash inside gd with invalid fonts (Fixes CVE-2008-3658).

    * Fixed a possible overflow inside memnstr (Fixes CVE-2008-3659).

    * Fixed security issues detailed in CVE-2008-2665 and CVE-2008-2666.

    * Fixed bug #45151 (Crash with URI/file..php (filename contains 2 dots)). (Fixes CVE-2008-3660)

    * Fixed bug #42862 (IMAP toolkit crash: rfc822.c legacy routine buffer overflow). (Fixes CVE-2008-2829)

 

Further details about the PHP 5.2.7 release can be found in the release announcement for 5.2.7; the full list of changes is available in the ChangeLog for PHP 5.

 

Get it while it's hot! :)


Due to a security bug found in the PHP 5.2.7 release, it has been removed from distribution. The bug affects configurations where magic_quotes_gpc is enabled, because it remains off even when set to on. In the meantime, use PHP 5.2.6 until PHP 5.2.8 is later released.

 

Or disable magic quotes for heaven's sake! :)


Magic quotes WAS a security bug because it allowed bad and insecure code to function as though it was good and secure.

 

There is also increasing evidence in the type of new bugs getting into php versions that a few of the programmers/management at php.net are not paying proper attention/thinking or have the proper skills to be messing with the language. This magic quotes problem was the result of php6 code/operation leaking into the php5.2.x branch.

