News Archive - releases

Here are the most important news items we have tagged with "releases" on PHP.net.


PHP 5.4.3 and PHP 5.3.13 Released!

The PHP development team would like to announce the immediate availability of PHP 5.4.3 and PHP 5.3.13. All users are encouraged to upgrade to PHP 5.4.3 and PHP 5.3.13.

These releases complete the fixes for the vulnerability in CGI-based setups (CVE-2012-2311). Note: mod_php and php-fpm are not vulnerable to this attack.

PHP 5.4.3 fixes a buffer overflow vulnerability in apache_request_headers() (CVE-2012-2329). The PHP 5.3 series is not vulnerable to this issue.

To download the source code for PHP 5.4.3 and PHP 5.3.13, visit the downloads section. Windows binaries can be found at windows.php.net/download/. A complete list of changes can be found in the ChangeLog.


PHP 5.3.12 and PHP 5.4.2 Released!

There is a vulnerability in certain CGI-based setups (Apache+mod_php and nginx+php-fpm are not affected) that went unidentified for the last 8 years. Section 7 of the CGI specification states:

Some systems support a method for supplying an array of strings to the CGI script. This is only used in the case of an 'indexed' query. This is identified by a "GET" or "HEAD" HTTP request with a URL search string not containing any unencoded "=" characters.

So requests that do not have a "=" in the query string are treated differently by these CGI implementations. For PHP this means that a request containing ?-s may dump the PHP source code of the page, while a request with ?-s&=1 is fine.

A large number of sites run PHP as either an Apache module through mod_php or using php-fpm under nginx. Neither of these setups is vulnerable to this.

If you are using Apache with mod_cgi to run PHP you may be vulnerable. To find out, just add ?-s to the end of any of your URLs. If you see source code, you are vulnerable. If your site renders normally, you are not.

To fix this, update to PHP 5.3.12 or PHP 5.4.2.

We recognize that CGI is an outdated way to run PHP and that it may not be possible to upgrade to a more recent version of PHP. An alternative is to configure your web server to reject requests whose query string starts with a "-" and does not contain a "=". Adding a rule like this should not break any sites. With Apache's mod_rewrite it would look like this:

RewriteCond %{QUERY_STRING} ^(%2d|-)[^=]+$ [NC]
RewriteRule ^(.*) $1? [L]

If you write your own rules, make sure they also cover the URL-encoded form ?%2ds.
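
The rewrite condition above can also be used to review existing access logs for requests it would have matched. The following Python script is an added example, not part of the PHP.net announcement: it applies the same pattern to the raw query string of common/combined-format log lines. The log lines, addresses, timestamps and function names are constructed for illustration.

```python
import re
from typing import Iterable, List, NamedTuple, Optional

# Same pattern as the RewriteCond on this page, applied to the raw
# (still percent-encoded) query string; re.IGNORECASE mirrors the [NC] flag,
# so both "%2d" and "%2D" are covered.
CGI_SWITCH_QUERY = re.compile(r"^(%2d|-)[^=]+$", re.IGNORECASE)

# Common/combined log format:
#   host ident user [time] "METHOD target PROTOCOL" status bytes ...
LOG_LINE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)[^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)


class Finding(NamedTuple):
    host: str
    time: str
    method: str
    path: str
    query: str
    status: int


def is_cgi_switch_query(raw_query: str) -> bool:
    """True if the query string starts with '-' (or %2d) and has no literal '='."""
    return CGI_SWITCH_QUERY.match(raw_query) is not None


def check_line(line: str) -> Optional[Finding]:
    """Return a Finding if the logged request matches the rule, else None."""
    m = LOG_LINE.match(line)
    if m is None:
        return None  # not a parseable access-log line
    path, sep, query = m["target"].partition("?")
    if not sep or not is_cgi_switch_query(query):
        return None
    return Finding(m["host"], m["time"], m["method"], path, query, int(m["status"]))


def scan(lines: Iterable[str]) -> List[Finding]:
    """Collect every log line whose query string the rewrite rule would match."""
    return [f for f in map(check_line, lines) if f is not None]


# Constructed sample input (documentation address ranges, made-up timestamps).
SAMPLE_LOG = [
    '192.0.2.10 - - [04/May/2012:10:01:02 +0000] "GET /index.php?-s HTTP/1.1" 200 5120',
    '192.0.2.10 - - [04/May/2012:10:01:05 +0000] "GET /index.php?%2Ds HTTP/1.1" 200 5120',
    '198.51.100.7 - - [04/May/2012:10:02:11 +0000] "GET /index.php?-s&=1 HTTP/1.1" 200 812',
    '198.51.100.7 - - [04/May/2012:10:02:30 +0000] "GET /search.php?q=-s HTTP/1.1" 200 1044',
    '203.0.113.5 - - [04/May/2012:10:03:00 +0000] "HEAD /news.php?-s HTTP/1.1" 200 0',
    '203.0.113.5 - - [04/May/2012:10:03:09 +0000] "GET /tags.php?php-5 HTTP/1.1" 200 930',
]

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"{f.time}  {f.host}  {f.method} {f.path}?{f.query}  -> {f.status}")
```

A match in the log shows only that such a request was received; whether source code was returned depends on whether the host ran PHP through CGI at the time.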

To cap off a bad week, a bug in our bug system caused the privacy flag not to work, which made this issue public before we had time to test a solution to the level we wanted. Please report any problems at bugs.php.net.

Windows binaries can be found at windows.php.net/download/. A complete list of changes can be found in the ChangeLog.


PHP 3.0.6 has been released!

Merry Christmas! 3.0.6 is ready to go. This is mostly a maintenance release. Some new modules make their first appearance in this version. Support for Adobe PDF and FDF as well as XML and an initial Interbase module are now available. If you need any of these features, or if you see something in the ChangeLog that might apply to you, then upgrade.


PHP 3.0 Released

PHP 3.0 is finally here! After 10 months of development PHP Version 3.0 is ready for production environments. Coupled with the release of the final version of Apache-1.3.0 today, the combination provides an unbeatable web hosting platform suitable for both small and large web sites.

PHP 3.0 is the latest evolution of the PHP/FI 2.0 language and it offers some dramatic enhancements. It is more than twice as fast, it uses less memory, it has a more consistent language implementation and a much wider set of expressions and language features than PHP/FI 2.0. An included conversion program will help you migrate your PHP 2 scripts to PHP 3.

Read the full announcement.


PHP 3.0.11 has been released!

Hot on the heels of 3.0.10, along comes another release to fix a few problems on Windows and some Unix platforms. If 3.0.10 worked for you, there's probably no need to upgrade. 3.0.10 featured bug fixes, including the last of the fsockopen() and URL fopen() problems, we hope. The dbm database abstraction layer had the mode flag for dba_open() brought into line with dbm_open(), which means "w" will not create a non-existent database (use "c" instead). The documentation has also been moved into its own repository, and the generated HTML documentation is included in the tar.gz instead of the SGML source. For a more complete list of all of the changes, see the ChangeLog.


PHP 3.0.9 has been released!

More bug fixes, including many in the OCI8 module, and an important fix for fgets() on socket connections. Also added support for PCRE (Perl-compatible Regular Expressions library), t1lib (PostScript Type-1 fonts with GD), and mhash. For a more complete list of all of the changes, see the ChangeLog.



PHP 3.0.18 released

PHP 3.0.18 was released. This is a bug-fix release, including fixes for file uploads and a backported imagetypes() function from PHP 4.0. The ChangeLog contains a full list of changes.


PHP 4.0.3 Released

Version 4.0.3 includes several security-oriented fixes and enhancements, as well as several new features and bug fixes. It is strongly recommended for all users of PHP to upgrade to this version. You can read the changelog here.



PHP 4.0.1 Released!

The first maintenance release for PHP 4.0 is out. The new release features increased stability under Windows, improved error handling, several new features and lots of bug fixes. (the full list of changes is available) It's a recommended upgrade for all PHP users. Download now!


PHP 4.0.0 Released!

It's here, it's ready, and it has the long awaited 'Release' tag. The successor of PHP 3.0 has finally been released. At this point, everyone is encouraged to begin upgrading their systems to use this version. Download it now!


PHP 3.0.16 released

PHP 3.0.16 was released. This is mostly a bug fix release which adds support for gd-1.8, ucd-snmp 4.1, and high-resolution timers on OS/2. OpenBSD support has been improved considerably. The source package and Win32 binaries are available from the PHP homepage. The ChangeLog contains a full list of changes.



PHP 3.0.13 has been released

The long-awaited release of PHP 3.0 contains numerous bug fixes and a bonus of new features. Support for GNU recode, portable access to stdio streams, enhanced FTP support, support for Mcal and IMSP, as well as PNG functions for gd make this release a must for every user of PHP. The ChangeLog provides a complete list of changes.


PHP 4.1.0 Released!

PHP 4.1.0 is a key new release in the PHP 4 family. It includes highly-improved performance, especially under Windows; a more security-friendly way of accepting form variables; output compression; and much, much more. Read the full release announcement, or check out the changelog. Windows binaries are also available.


PHP-GTK version 0.1 released

The 0.1 release of PHP-GTK is now available. PHP-GTK is a PHP extension that provides an object-oriented interface to GTK+ toolkit and enables you to write client-side cross-platform GUI applications. Win32 binary version should be available a little later.

Note that this version requires PHP CVS version to compile, but it can be run under 4.0.5 and later.

A talk on PHP-GTK was presented by Andrei Zmievski and Frank Kromann at the 2001 O'Reilly Open Source Conference in San Diego. The slides from the talk can be viewed online. For more information, visit the PHP-GTK website.


PHP 4.0.6 Released!

PHP 4.0.6 is a maintenance release, that features many bug fixes from PHP 4.0.5, and is especially much more efficient in its memory requirements. Users that skipped the 4.0.5 upgrade may wish to jump directly from 4.0.4 to the much more stable 4.0.6. For a full list of changes, check out the Change Log.


PHP 4.0.5 Released!

PHP 4.0.5 is a maintenance release, that features many bug fixes from PHP 4.0.4, as well as output compression, new experimental FastCGI support, and significantly improved thread-safe versions. For a full list of changes, check out the ChangeLog.


Patch Level 1 released for PHP 4.0.4

Due to two security issues found in the Apache module version of PHP 4.0, PHP 4.0.4pl1 has been released. This bug-fix release also fixes a few party-crashing bugs that were discovered in PHP 4.0.4.


PHP 4.3.0 Released!

The PHP developers are pleased to announce the immediate availability of PHP 4.3.0, the latest and greatest version of this extremely popular and widely used scripting language.

This release contains a multitude of changes, bug fixes and improvements over the previous one, PHP 4.2.3. It further elevates PHP's standing as a serious contender in the general purpose scripting language arena. Please see the full release announcement.


PHP 4.2.3 Released

PHP 4.2.3 has been released with a large number of bug fixes. It is a maintenance release, and is a recommended update for all users of PHP, and Windows users in particular. A complete list of changes can be found in the ChangeLog.


PHP 4.2.2 released in response to vulnerability

The PHP Group today announced the details of a serious vulnerability in PHP versions 4.2.0 and 4.2.1. A security update, PHP 4.2.2, fixes the issue. Everyone running affected versions of PHP is encouraged to upgrade immediately. The new 4.2.2 release doesn't include other changes, so upgrading from 4.2.1 is safe and painless.



PHP 4.2.1 released

The PHP Group is happy to announce the immediate availability of PHP 4.2.1, the latest version of the widely-used, general-purpose scripting language that is especially well-suited for Web development.

This latest release contains several bug fixes as found in PHP 4.2.0. These include fixes for the session, com and mbstring extensions, as well as a major upgrade of the DomXML extension. Also a few extra checks for safe_mode were added. For more information, see the PHP 4.2.1 release announcement.


PHP 4.2.0 released

The PHP Group is happy to announce the immediate availability of PHP 4.2.0, the latest version of the widely-used, general-purpose scripting language that is especially well-suited for Web development.

This latest release contains over one hundred changes, bug fixes and improvements over the previous release, PHP 4.1.2. Among the highlights are experimental support for Apache 2, cleanups in variable handling and overhauls of various PHP components, including the domxml, posix, sockets and iconv extensions. For more information, see the PHP 4.2.0 release announcement.


PHP-GTK 0.5.0 released

PHP-GTK has reached version 0.5.0, also known as "monday starts on saturday". The version number was bumped from 0.1.1 to this one to indicate that PHP-GTK is now a fairly mature and stable extension and can be used for a variety of applications (just look on Freshmeat).

Also taking this opportunity, we would like to ask if some of you would consider helping out with PHP-GTK documentation. It would be a great way to learn this exciting extension and also contribute to the project.


First PHP dedicated DVD released!

PHP Québec is pleased to announce the immediate availability of the PHP Québec DVD. Over 6 hours of conferences, recorded in Montréal, in March 2003. The DVD is subtitled in English and French, making legendary sessions from Rasmus and Zeev available anywhere in the world.

This DVD makes a nice Christmas present for every PHP enthusiast. Available in English or French.


PHP 4.3.4 released!

The PHP developers are proud to announce the immediate availability of PHP 4.3.4. This release contains a fair number of bug fixes and we recommend that all users of PHP upgrade to this version. Full list of fixes can be found in the ChangeLog.


PHP 5.0.0 Beta 2 released

PHP 5.0.0 Beta 2 has been released. This is the first feature complete version of PHP 5, and we recommend that PHP users try it. PHP 5 is still not ready for production use!

Some of the more major changes include:

  • PHP 5 features the Zend Engine 2.
  • XML support has been completely redone in PHP 5, all extensions are now focused around the excellent libxml2 library (http://www.xmlsoft.org/).
  • SQLite has been bundled with PHP. For more information on SQLite, please visit their website.
  • A new SimpleXML extension for easily accessing and manipulating XML as PHP objects. It can also interface with the DOM extension and vice-versa.
  • Streams have been greatly improved, including the ability to access low-level socket operations on streams.

There have been many changes since Beta 1, some of them documented in the ChangeLog and most language changes are documented on our PHP 5/Zend Engine 2 page.


PHP 4.3.3 released!

The PHP developers are proud to announce the immediate availability of PHP 4.3.3. This release contains a large number of bug fixes and we strongly recommend that all users of PHP upgrade to this version. Full list of fixes can be found in the ChangeLog.


PHP 4.3.2 Released!

The PHP developers are proud to announce the immediate availability of PHP 4.3.2. This release contains a large number of bug fixes and is a strongly recommended update for all users of PHP. Full list of fixes can be found in the ChangeLog file.



PHP 4.3.10 & 5.0.3 released!

The PHP Development Team would like to announce the immediate release of PHP 4.3.10 and PHP 5.0.3. These are maintenance releases that in addition to non-critical bug fixes address several very serious security issues. All Users of PHP are strongly encouraged to upgrade to one of these releases as soon as possible.

For changes since PHP 4.3.9, please consult the PHP 4 ChangeLog. For changes since PHP 5.0.2, please consult the PHP 5 ChangeLog.


PHP 5.0.2 released!

The PHP Development Team is proud to announce the immediate release of PHP 5.0.2. This is a maintenance release that in addition to many non-critical bug fixes, addresses a problem with GPC input processing. All Users of PHP 5 are encouraged to upgrade to this release as soon as possible.

For changes since PHP 5.0.1, please consult the ChangeLog.


PHP 4.3.9 released!

The PHP Development Team is proud to announce the immediate release of PHP 4.3.9. This is a maintenance release that in addition to over 50 non-critical bug fixes, addresses a problem with GPC input processing. This release also re-introduces ability to write GIF images via the bundled GD extension. All Users of PHP are encouraged to upgrade to this release as soon as possible.

For changes since PHP 4.3.8, please consult the ChangeLog.


PHP 5.0.1 Released!

The PHP Development Team would like to announce the immediate availability of PHP 5.0.1. This is a maintenance release that in addition to many non-critical bug fixes also includes new UNIX and Windows installation docs which are now auto-generated from the PHP Manual.

For changes since PHP 5.0.0, please consult the ChangeLog.


PHP 5.0.0 Released!

The PHP team is proud to announce the final release of PHP 5!

Some of the key features of PHP 5 include:

  • The Zend Engine II with a new object model and dozens of new features.
  • XML support has been completely redone in PHP 5, all extensions are now focused around the excellent libxml2 library (http://www.xmlsoft.org/).
  • A new SimpleXML extension for easily accessing and manipulating XML as PHP objects. It can also interface with the DOM extension and vice-versa.
  • A brand new built-in SOAP extension for interoperability with Web Services.
  • A new MySQL extension named MySQLi for developers using MySQL 4.1 and later. This new extension includes an object-oriented interface in addition to a traditional interface; as well as support for many of MySQL's new features, such as prepared statements.
  • SQLite has been bundled with PHP. For more information on SQLite, please visit their website.
  • Streams have been greatly improved, including the ability to access low-level socket operations on streams.
  • And lots more...

For changes since Release Candidate 3, please consult the ChangeLog.


PHP 4.3.8 released!

The PHP Development Team would like to announce the immediate availability of PHP 4.3.8. This release is made in response to several security issues that have been discovered since the 4.3.7 release. All users of PHP are strongly encouraged to upgrade to PHP 4.3.8 as soon as possible.



PHP 5 Release Candidate 2 Released!

The second Release Candidate of PHP 5 is now available! This mostly bug fix release improves PHP 5's stability and irons out some of the remaining issues before PHP 5 can be deemed release quality. Note that it is still not recommended for mission-critical use but people are encouraged to start playing with it and report any problems.

Key changes since Release Candidate 1 include:

  • The Zend Engine I compatibility mode (zend.ze1_compatibility_mode) has been re-implemented to more accurately support PHP 4's object auto-clone behavior.
  • All object-oriented extensions except for MySQLi have moved to studlyCaps. This includes SQLite, SOAP, Reflection API, Ming and others.
  • Implementing an interface and/or abstract method with the wrong prototype is now a fatal error. For backwards compatibility, re-implementing regular methods with the wrong prototype will only result in an E_STRICT warning.
  • Features as described in the Release Candidate 1 release announcement
  • And lots more...

For changes since Release Candidate 1, please consult the ChangeLog.


PHP 5 Release Candidate 1 Released!

The first Release Candidate of PHP 5 is finally here! The move from Beta stage to RC stage means that PHP 5 is now feature complete, and is quite stable - stable enough for everyone to start playing with. Note that it is still not recommended for mission-critical use.

Some of the key features of PHP 5 include:

  • The Zend Engine II with a new object model and dozens of new features.
  • XML support has been completely redone in PHP 5, all extensions are now focused around the excellent libxml2 library (http://www.xmlsoft.org/).
  • A new MySQL extension named MySQLi for developers using MySQL 4.1 and later. This new extension includes an object-oriented interface in addition to a traditional interface; as well as support for many of MySQL's new features, such as prepared statements.
  • SQLite has been bundled with PHP. For more information on SQLite, please visit their website.
  • A brand new built-in SOAP extension for interoperability with Web Services.
  • A new SimpleXML extension for easily accessing and manipulating XML as PHP objects. It can also interface with the DOM extension and vice-versa.
  • Streams have been greatly improved, including the ability to access low-level socket operations on streams.
  • And lots more...

For changes since Beta 4, please consult the ChangeLog.


PHP 5.1.1 Released

The PHP Development Team would like to announce the immediate release of PHP 5.1.1.
This is a regression correction release aimed at addressing several issues introduced by PHP 5.1.0. The core changes are as follows:

  • Native date class is withdrawn to prevent namespace conflict with PEAR's date package.
  • Fixed fatal parse error when the last line of the script is a PHP comment.
  • eval() hangs when the code being evaluated ends with a comment.
  • Usage of \{$var} in PHP 5.1.0 resulted in the output of {$var} instead of the $var variable's value enclosed in {}.
  • Fixed inconsistency in the format of PHP_AUTH_DIGEST between Apache 1 and 2 sapis.
  • Improved safe_mode/open_basedir checks inside the cURL extension.

The complete details about all of the changes can be found in the PHP 5 ChangeLog.


PHP 5.1.0 Released

The PHP development team is proud to announce the release of PHP 5.1.0.
Some of the key features of PHP 5.1.0 include:

  • A complete rewrite of date handling code, with improved timezone support.
  • Significant performance improvements compared to PHP 5.0.X.
  • PDO extension is now enabled by default.
  • Over 30 new functions in various extensions and built-in functionality.
  • Bundled libraries, PCRE and SQLite upgraded to latest versions.
  • Over 400 various bug fixes.
  • PEAR upgraded to version 1.4.5

In addition to new features, this release includes a number of important security fixes and we recommend that all users of PHP 5.0 and early adopters of PHP 5.1 betas upgrade to this release as soon as possible. The complete details about all of the changes can be found in the PHP 5 ChangeLog and an upgrading guide is available as well.


PHP 4.4.1 Released

PHP 4.4.1 is now available for download. This version is a maintenance release, that contains numerous bug fixes, including a number of security fixes related to the overwriting of the GLOBALS array. All users of PHP 4.3 and 4.4 are encouraged to upgrade to this version.

The full list of changes in PHP 4.4.1 is available in the PHP 4 ChangeLog.


PHP 5.0.5 Released

PHP 5.0.5 is now available for download. This version is a maintenance release, that contains numerous bug fixes, including security fixes to vulnerabilities found in the XMLRPC package. All users of PHP 5.0 are encouraged to upgrade to this version.

The full list of changes in PHP 5.0.5 is available in the PHP 5 ChangeLog.


PHP 4.4.0 Released

The PHP Development Team would like to announce the immediate release of PHP 4.4.0. This is a maintenance release that addresses a serious memory corruption problem within PHP concerning references. If references were used in a wrong way, PHP could create memory corruptions which would not always surface or be visible. The increased middle digit was required because the fix that corrected the problem with references changed PHP's internal API, breaking binary compatibility with the PHP 4.3.* series. PHP 4.4.0 does not have any new features, and is solely a bugfix release; however, it is strongly recommended that you read the more detailed release announcement available here prior to upgrading your PHP 4 installation.

For changes in PHP 4.4.0 since PHP 4.3.11, please consult the PHP 4 ChangeLog.



PHP 5.0.4 and 4.3.11 Released

The PHP Development Team would like to announce the immediate release of PHP 5.0.4 and 4.3.11. These are maintenance releases that in addition to non-critical bug fixes address several security issues. All Users of PHP are strongly encouraged to upgrade to one of these releases as soon as possible.

For changes in PHP 5.0.4 since PHP 5.0.3, please consult the PHP 5 ChangeLog. For changes in PHP 4.3.11 since PHP 4.3.10, please consult the PHP 4 ChangeLog.


PHP 5.2.0 Released

The PHP development team is proud to announce the immediate release of PHP 5.2.0. This release is a major improvement in the 5.X series, which includes a large number of new features, bug fixes and security enhancements. Further details about this release can be found in the release announcement 5.2.0, the full list of changes is available in the ChangeLog PHP 5.

All users of PHP, especially those using earlier PHP 5 releases are advised to upgrade to this release as soon as possible. This release also obsoletes the 5.1 branch of PHP.

For users upgrading from PHP 5.0 and PHP 5.1 there is an upgrading guide available here, detailing the changes between those releases and PHP 5.2.0.


PHP 5.1.6 Released

The PHP development team would like to announce the immediate availability of PHP 5.1.6. This release contains a fix for memory_limit restriction on 64 bit systems that was not included in PHP 5.1.5.


PHP 4.4.4 and PHP 5.1.5 Released

The PHP development team would like to announce the immediate availability of PHP 5.1.5 and 4.4.4. These two releases address a series of security problems that were discovered since the release of PHP 5.1.4 and 4.4.3. The new releases include the following changes:

  • Added missing safe_mode/open_basedir checks inside the error_log(), file_exists(), imap_open() and imap_reopen() functions.
  • Fixed overflows inside str_repeat() and wordwrap() functions on 64bit systems.
  • Fixed possible open_basedir/safe_mode bypass in cURL extension and on PHP 5.1.5 with realpath cache.
  • Fixed overflow in GD extension on invalid GIF images.
  • Fixed a buffer overflow inside sscanf() function.
  • Fixed an out of bounds read inside stripos() function.
  • Fixed memory_limit restriction on 64 bit system.

Further details about this release can be found in the release announcements (5.1.5 and 4.4.4), and the full list of changes is available in the ChangeLogs (PHP 4, PHP 5).


PHP 4.4.3 Released

The PHP development team is proud to announce the release of PHP 4.4.3. This release combines a small number of bug fixes and resolves a number of security issues. Some of the key changes of PHP 4.4.3 include:

  • Disallow certain characters in session names.
  • Fixed a buffer overflow inside the wordwrap() function.
  • Prevent jumps to parent directory via the 2nd parameter of the tempnam() function.
  • Improved safe_mode check for the error_log() function.
  • Fixed cross-site scripting inside the phpinfo() function.
  • Fixed offset/length parameter validation inside the substr_compare() function.
  • Upgraded bundled PCRE library to version 6.6
  • Over 20 various bug fixes.

Further details about this release can be found in the release announcement and the full list of changes is available in the PHP 4 ChangeLog.


PHP 5.1.4 Released

A critical bug with $_POST array handling as well as the FastCGI sapi have been discovered in PHP 5.1.3. A new PHP release 5.1.4 is now available to address these issues. All PHP users are encouraged to upgrade to this release as soon as possible.

Further details about this release can be found in the release announcement and the full list of changes is available in the PHP 5 ChangeLog.
The tarballs were updated to include the PEAR's phar file, previously missing from the release.


PHP 5.1.3 Released

The PHP development team is proud to announce the release of PHP 5.1.3. This release combines a small number of feature enhancements with a significant amount of bug fixes and resolves a number of security issues. Some of the key changes of PHP 5.1.3 include:

  • Disallow certain characters in session names.
  • Fixed a buffer overflow inside the wordwrap() function.
  • Prevent jumps to parent directory via the 2nd parameter of the tempnam() function.
  • Enforce safe_mode for the source parameter of the copy() function.
  • Fixed cross-site scripting inside the phpinfo() function.
  • Fixed offset/length parameter validation inside the substr_compare() function.
  • Fixed a heap corruption inside the session extension.
  • Fixed a bug that would allow variable to survive unset().
  • Fixed a number of crashes in the DOM, SOAP and PDO extensions.
  • Upgraded bundled PCRE library to version 6.6
  • The use of the var keyword to declare properties no longer raises a deprecation E_STRICT.
  • FastCGI interface was completely reimplemented.
  • Multitude of improvements to the SPL, SimpleXML, GD, CURL and Reflection extensions.
  • Over 120 various bug fixes.

Further details about this release can be found in the release announcement and the full list of changes is available in the PHP 5 ChangeLog.


PHP 4.4.2 Released

The PHP development team is proud to announce the release of PHP 4.4.2. This release addresses a few small security issues, and also corrects some regressions that occurred in PHP 4.4.1. All PHP 4 users are encouraged to upgrade to this release. Some of the key changes of PHP 4.4.2 include:

  • HTTP Response Splitting has been addressed in the header() function.
  • An XSS problem inside the error reporting functionality has been removed.
  • Apache 2 regression with sub-request handling on non-Linux systems has been fixed.
  • A regression with the key() and current() functions has been fixed.
  • Over 30 various bug fixes.

Further details about this release can be found in the release announcement and the full list of changes is available in the PHP 4 ChangeLog.


PHP 5.1.2 Released

The PHP development team is proud to announce the release of PHP 5.1.2. This release combines small feature enhancements with a fair number of bug fixes and addresses three security issues. All PHP 5 users are encouraged to upgrade to this release. Some of the key changes of PHP 5.1.2 include:

  • HTTP Response Splitting has been addressed in ext/session and in the header() function.
  • Fixed format string vulnerability in ext/mysqli.
  • Fixed possible cross-site scripting problems in certain error conditions.
  • Hash & XMLWriter extensions added and enabled by default.
  • Upgraded OCI8 extension.
  • Over 85 various bug fixes.

Further details about this release can be found in the release announcement and the full list of changes is available in the PHP 5 ChangeLog.


PHP 5.2.5 Released

The PHP development team would like to announce the immediate availability of PHP 5.2.5. This release focuses on improving the stability of the PHP 5.2.x branch with over 60 bug fixes, several of which are security related. All users of PHP are encouraged to upgrade to this release.

Further details about the PHP 5.2.5 release can be found in the release announcement for 5.2.5, the full list of changes is available in the ChangeLog for PHP 5.

Security Enhancements and Fixes in PHP 5.2.5:

  • Fixed dl() to only accept filenames. Reported by Laurent Gaffie.
  • Fixed dl() to limit argument size to MAXPATHLEN (CVE-2007-4887). Reported by Laurent Gaffie.
  • Fixed htmlentities/htmlspecialchars not to accept partial multibyte sequences. Reported by Rasmus Lerdorf.
  • Fixed possible triggering of buffer overflows inside glibc implementations of the fnmatch(), setlocale() and glob() functions. Reported by Laurent Gaffie.
  • Fixed "mail.force_extra_parameters" php.ini directive not to be modifiable in .htaccess due to the security implications. Reported by SecurityReason.
  • Fixed bug #42869 (automatic session id insertion adds sessions id to non-local forms).
  • Fixed bug #41561 (Values set with php_admin_* in httpd.conf can be overwritten with ini_set()).

For users upgrading to PHP 5.2 from PHP 5.0 and PHP 5.1, an upgrade guide is available here, detailing the changes between those releases and PHP 5.2.5.


PHP 5.2.4 Released

The PHP development team would like to announce the immediate availability of PHP 5.2.4. This release focuses on improving the stability of the PHP 5.2.X branch with over 120 various bug fixes in addition to resolving several low priority security bugs. All users of PHP are encouraged to upgrade to this release.

Further details about the PHP 5.2.4 release can be found in the release announcement for 5.2.4, the full list of changes is available in the ChangeLog for PHP 5.

Security Enhancements and Fixes in PHP 5.2.4:

  • Fixed a floating point exception inside wordwrap() (Reported by Mattias Bengtsson)
  • Fixed several integer overflows inside the GD extension (Reported by Mattias Bengtsson)
  • Fixed size calculation in chunk_split() (Reported by Gerhard Wagner)
  • Fixed integer overflow in str[c]spn(). (Reported by Mattias Bengtsson)
  • Fixed money_format() not to accept multiple %i or %n tokens. (Reported by Stanislav Malyshev)
  • Fixed zend_alter_ini_entry() memory_limit interruption vulnerability. (Reported by Stefan Esser)
  • Fixed INFILE LOCAL option handling with MySQL extensions not to be allowed when open_basedir or safe_mode is active. (Reported by Mattias Bengtsson)
  • Fixed session.save_path and error_log values to be checked against open_basedir and safe_mode (CVE-2007-3378) (Reported by Maksymilian Arciemowicz)
  • Fixed a possible invalid read in glob() win32 implementation (CVE-2007-3806) (Reported by shinnai)
  • Fixed a possible buffer overflow in php_openssl_make_REQ (Reported by zatanzlatan at hotbrev dot com)
  • Fixed an open_basedir bypass inside glob() function (Reported by dr at peytz dot dk)
  • Fixed a possible open_basedir bypass inside session extension when the session file is a symlink (Reported by c dot i dot morris at durham dot ac dot uk)
  • Improved fix for MOPB-03-2007.
  • Corrected fix for CVE-2007-2872.

For users upgrading to PHP 5.2 from PHP 5.0 and PHP 5.1, an upgrade guide is available here, detailing the changes between those releases and PHP 5.2.4.


PHP 5.2.3 Released

The PHP development team would like to announce the immediate availability of PHP 5.2.3. This release continues to improve the security and the stability of the 5.X branch as well as addressing two regressions introduced by the previous 5.2 releases. These regressions relate to the timeout handling over non-blocking SSL connections and the lack of HTTP_RAW_POST_DATA in certain conditions. All users are encouraged to upgrade to this release.

Further details about the PHP 5.2.3 release can be found in the release announcement for 5.2.3, the full list of changes is available in the ChangeLog for PHP 5.

Security Enhancements and Fixes in PHP 5.2.3:

  • Fixed an integer overflow inside chunk_split() (by Gerhard Wagner, CVE-2007-2872)
  • Fixed possible infinite loop in imagecreatefrompng. (by Xavier Roche, CVE-2007-2756)
  • Fixed ext/filter Email Validation Vulnerability (MOPB-45 by Stefan Esser, CVE-2007-1900)
  • Fixed bug #41492 (open_basedir/safe_mode bypass inside realpath()) (by bugs dot php dot net at chsc dot dk)
  • Improved fix for CVE-2007-1887 to work with non-bundled sqlite2 lib.
  • Added mysql_set_charset() to allow runtime altering of connection encoding.

For users upgrading to PHP 5.2 from PHP 5.0 and PHP 5.1, an upgrade guide is available here, detailing the changes between those releases and PHP 5.2.3.


PHP 5.2.2 and PHP 4.4.7 Released

The PHP development team would like to announce the immediate availability of PHP 5.2.2 and availability of PHP 4.4.7. These releases are major stability and security enhancements of the 5.x and 4.4.x branches, and all users are strongly encouraged to upgrade to it as soon as possible. Further details about the PHP 5.2.2 release can be found in the release announcement for 5.2.2, the full list of changes is available in the ChangeLog for PHP 5. Details about the PHP 4.4.7 release can be found in the release announcement for 4.4.7, the full list of changes is available in the ChangeLog for PHP 4.

Security Enhancements and Fixes in PHP 5.2.2 and PHP 4.4.7:

  • Fixed CVE-2007-1001, GD wbmp used with invalid image size (by Ivan Fratric)
  • Fixed asciiz byte truncation inside mail() (MOPB-33 by Stefan Esser)
  • Fixed a bug in mb_parse_str() that can be used to activate register_globals (MOPB-26 by Stefan Esser)
  • Fixed unallocated memory access/double free in array_user_key_compare() (MOPB-24 by Stefan Esser)
  • Fixed a double free inside session_regenerate_id() (MOPB-22 by Stefan Esser)
  • Added missing open_basedir & safe_mode checks to zip:// and bzip:// wrappers. (MOPB-21 by Stefan Esser).
  • Fixed CRLF injection inside ftp_putcmd(). (by loveshell[at]Bug.Center.Team)
  • Fixed a remotely trigger-able buffer overflow inside bundled libxmlrpc library. (by Stanislav Malyshev)

Security Enhancements and Fixes in PHP 5.2.2 only:

  • Fixed a header injection via Subject and To parameters to the mail() function (MOPB-34 by Stefan Esser)
  • Fixed wrong length calculation in unserialize S type (MOPB-29 by Stefan Esser)
  • Fixed substr_compare and substr_count information leak (MOPB-14 by Stefan Esser) (Stas, Ilia)
  • Fixed a remotely trigger-able buffer overflow inside make_http_soap_request(). (by Ilia Alshanetsky)
  • Fixed a buffer overflow inside user_filter_factory_create(). (by Ilia Alshanetsky)
  • Fixed a possible super-global overwrite inside import_request_variables(). (by Stefano Di Paola, Stefan Esser)
  • Limit nesting level of input variables with max_input_nesting_level as fix for (MOPB-03 by Stefan Esser)

Security Enhancements and Fixes in PHP 4.4.7 only:

  • XSS in phpinfo() (MOPB-8 by Stefan Esser)

While the majority of the issues outlined above are local, in some circumstances given specific code paths they can be triggered externally. Therefore, we strongly recommend that if you use code utilizing the functions and extensions identified as having had vulnerabilities in them, you consider upgrading your PHP.

For users upgrading to PHP 5.2 from PHP 5.0 and PHP 5.1, an upgrade guide is available here, detailing the changes between those releases and PHP 5.2.2.

Update: May 4th; The PHP 4.4.7 Windows build was updated due to the faulty Apache2 module shipped with the original

Update: May 23rd; By accident a couple of fixes were listed as fixed in both PHP 5.2.2 and 4.4.7 but were however only fixed in PHP 5.2.2. The PHP 4 ChangeLog was not affected.



PHP 5.2.1 and PHP 4.4.5 Released

The PHP development team would like to announce the immediate availability of PHP 5.2.1 and availability of PHP 4.4.5. These releases are major stability and security enhancements of the 5.x and 4.4.x branches, and all users are strongly encouraged to upgrade to it as soon as possible. Further details about the PHP 5.2.1 release can be found in the release announcement for 5.2.1, the full list of changes is available in the ChangeLog for PHP 5. Details about the PHP 4.4.5 release can be found in the release announcement for 4.4.5, the full list of changes is available in the ChangeLog for PHP 4.

Security Enhancements and Fixes in PHP 5.2.1 and PHP 4.4.5:

  • Fixed possible safe_mode & open_basedir bypasses inside the session extension.
  • Fixed unserialize() abuse on 64 bit systems with certain input strings.
  • Fixed possible overflows and stack corruptions in the session extension.
  • Fixed an underflow inside the internal sapi_header_op() function.
  • Fixed non-validated resource destruction inside the shmop extension.
  • Fixed a possible overflow in the str_replace() function.
  • Fixed possible clobbering of super-globals in several code paths.
  • Fixed a possible information disclosure inside the wddx extension.
  • Fixed a possible string format vulnerability in *print() functions on 64 bit systems.
  • Fixed a possible buffer overflow inside ibase_{delete,add,modify}_user() functions.
  • Fixed a string format vulnerability inside the odbc_result_all() function.

Security Enhancements and Fixes in PHP 5.2.1 only:

  • Prevent search engines from indexing the phpinfo() page.
  • Fixed a number of input processing bugs inside the filter extension.
  • Fixed allocation bugs caused by attempts to allocate negative values in some code paths.
  • Fixed possible stack/buffer overflows inside zip, imap & sqlite extensions.
  • Fixed several possible buffer overflows inside the stream filters.
  • Memory limit is now enabled by default.
  • Added internal heap protection.
  • Extended filter extension support for $_SERVER in CGI and apache2 SAPIs.

Security Enhancements and Fixes in PHP 4.4.5 only:

  • Fixed possible overflows inside zip & imap extensions.
  • Fixed a possible buffer overflow inside mail() function on Windows.
  • Unbundled the ovrimos extension.

The majority of the security vulnerabilities discovered and resolved can in most cases be only abused by local users and cannot be triggered remotely. However, some of the above issues can be triggered remotely in certain situations, or exploited by malicious local users on shared hosting setups utilizing PHP as an Apache module. Therefore, we strongly advise all users of PHP, regardless of the version to upgrade to the 5.2.1 or 4.4.5 releases as soon as possible.

For users upgrading to PHP 5.2 from PHP 5.0 and PHP 5.1, an upgrade guide is available here, detailing the changes between those releases and PHP 5.2.1.

Update: Feb 14th; Added release information for PHP 4.4.5.

Update: Feb 12th; The Windows install package had problems with upgrading from previous PHP versions. That has now been fixed and new file posted in the download section.


PHP 5.2.8 Released!

The PHP Development Team would like to announce the immediate availability of PHP 5.2.8. This release addresses a regression introduced by 5.2.7 in regard to the magic_quotes functionality, which was broken by an incorrect fix to the filter extension. All users who have upgraded to 5.2.7 are encouraged to upgrade to this release. Alternatively you can apply a work-around for the bug by changing "filter.default_flags=0" in php.ini.


PHP 5.2.7 Released

The PHP development team would like to announce the immediate availability of PHP 5.2.7. This release focuses on improving the stability of the PHP 5.2.x branch with over 120 bug fixes, several of which are security related. All users of PHP are encouraged to upgrade to this release.

Security Enhancements and Fixes in PHP 5.2.7:

  • Upgraded PCRE to version 7.8 (Fixes CVE-2008-2371)
  • Fixed missing initialization of BG(page_uid) and BG(page_gid), reported by Maksymilian Arciemowicz.
  • Fixed incorrect php_value order for Apache configuration, reported by Maksymilian Arciemowicz.
  • Fixed a crash inside gd with invalid fonts (Fixes CVE-2008-3658).
  • Fixed a possible overflow inside memnstr (Fixes CVE-2008-3659).
  • Fixed security issues detailed in CVE-2008-2665 and CVE-2008-2666.
  • Fixed bug #45151 (Crash with URI/file..php (filename contains 2 dots)). (Fixes CVE-2008-3660)
  • Fixed bug #42862 (IMAP toolkit crash: rfc822.c legacy routine buffer overflow). (Fixes CVE-2008-2829)
  • Fixed extraction of zip files and directories with crafted entries, reported by Stefan Esser.

Further details about the PHP 5.2.7 release can be found in the release announcement for 5.2.7, the full list of changes is available in the ChangeLog for PHP 5.


Update (December 6th): Added missing zip security fix


PHP 5.3 alpha3 released!

The PHP development team is proud to announce the third alpha release of the upcoming PHP 5.3.0 minor version update of PHP. Several new features have already been documented in the official documentation, others are listed on the wiki in preparation of getting documented. It is imperative that more people join the effort to complete the documentation for PHP 5.3.0. Please also review the NEWS file.

THIS IS A DEVELOPMENT PREVIEW - DO NOT USE IT IN PRODUCTION!

The purpose of this alpha release is to encourage users to not only actively participate in identifying bugs, but also in ensuring that all new features or necessary backwards compatibility breaks are noted in the documentation. Please report any findings to the QA mailinglist or the bug tracker.

There have been a great number of other additions and improvements since the last alpha, but here is a short overview of the most important changes:

  • Namespaces (documentation has been updated to the current state)
  • Rounding behavior
  • ext/msql has been removed, while ext/ereg will now raise E_DEPRECATED notices
  • ext/mhash has been replaced by ext/hash but full BC is maintained
  • PHP now uses cc as the default compiler, instead of gcc
  • A number of bug fixes to ext/pdo, ext/soap, the stream layer among others

Several under the hood changes also require in depth testing with existing applications to ensure that any backwards compatibility breaks are minimized.

The current release plan expects a stable release sometime around the end of Q1 2009.


PHP 4.4.9 released!

The PHP development team would like to announce the immediate availability of PHP 4.4.9. It continues to improve the security and the stability of the 4.4 branch and all users are strongly encouraged to upgrade to it as soon as possible. This release wraps up all the outstanding patches for the PHP 4.4 series, and is therefore the last PHP 4.4 release.

Security Enhancements and Fixes in PHP 4.4.9:

  • Updated PCRE to version 7.7.
  • Fixed overflow in memnstr().
  • Fixed crash in imageloadfont when an invalid font is given.
  • Fixed open_basedir handling issue in the curl extension.
  • Fixed mbstring.func_overload set in .htaccess becomes global.

For a full list of changes in PHP 4.4.9, see the ChangeLog.


PHP 5.3 alpha1 released!

The PHP development team is proud to announce the first alpha release of the upcoming minor version update of PHP. Windows binaries will be available starting with alpha2 (intermediate snapshots available at snaps.php.net). The new version PHP 5.3 is expected to improve stability and performance as well as add new language syntax and extensions. Several new features have already been documented in the official documentation, others are listed on the wiki in preparation of getting documented. Please also review the NEWS file.

THIS IS A DEVELOPMENT PREVIEW - DO NOT USE IT IN PRODUCTION!

The purpose of this alpha release is to encourage users to not only actively participate in identifying bugs, but also in ensuring that all new features or necessary backwards compatibility breaks are noted in the documentation. Please report any findings to the QA mailinglist or the bug tracker.

There have been a great number of other additions and improvements, but here is a short overview of the most important changes:

Several under the hood changes also require in depth testing with existing applications to ensure that any backwards compatibility breaks are minimized. This is especially important for users that require the undocumented Zend engine multibyte support.

The current release plan states that there will be alpha/beta/RC releases in 2-3 week intervals with an expected stable release of PHP 5.3 between mid September and mid October of 2008.


PHP 5.2.6 Released

The PHP development team would like to announce the immediate availability of PHP 5.2.6. This release focuses on improving the stability of the PHP 5.2.x branch with over 120 bug fixes, several of which are security related. All users of PHP are encouraged to upgrade to this release.

Further details about the PHP 5.2.6 release can be found in the release announcement for 5.2.6, the full list of changes is available in the ChangeLog for PHP 5.

Security Enhancements and Fixes in PHP 5.2.6:

  • Fixed possible stack buffer overflow in the FastCGI SAPI identified by Andrei Nigmatulin.
  • Fixed integer overflow in printf() identified by Maksymilian Arciemowicz.
  • Fixed security issue detailed in CVE-2008-0599 identified by Ryan Permeh.
  • Fixed a safe_mode bypass in cURL identified by Maksymilian Arciemowicz.
  • Properly address incomplete multibyte chars inside escapeshellcmd() identified by Stefan Esser.
  • Upgraded bundled PCRE to version 7.6

Update (May 6th): The Windows installers were missing the XSL and IMAP extensions.

Update (May 3rd): The Windows archives were missing the XSL and IMAP extensions.


PHP 4.4.8 Released

The PHP development team would like to announce the immediate availability of PHP 4.4.8. It continues to improve the security and the stability of the 4.4 branch and all users are strongly encouraged to upgrade to it as soon as possible. This release wraps up all the outstanding patches for the PHP 4.4 series, and is therefore the last normal PHP 4.4 release. If necessary, releases to address security issues could be made until 2008-08-08.

Security Enhancements and Fixes in PHP 4.4.8:

  • Improved fix for MOPB-02-2007.
  • Fixed an integer overflow inside chunk_split(). Identified by Gerhard Wagner.
  • Fixed integer overflow in str[c]spn().
  • Fixed regression in glob when open_basedir is on introduced by #41655 fix.
  • Fixed money_format() not to accept multiple %i or %n tokens.
  • Added "max_input_nesting_level" php.ini option to limit nesting level of input variables. Fix for MOPB-03-2007.
  • Fixed INFILE LOCAL option handling with MySQL - now not allowed when open_basedir or safe_mode is active.
  • Fixed session.save_path and error_log values to be checked against open_basedir and safe_mode (CVE-2007-3378).

For a full list of changes in PHP 4.4.8, see the ChangeLog.


PHP 5.2.12 Released!

The PHP development team would like to announce the immediate availability of PHP 5.2.12. This release focuses on improving the stability of the PHP 5.2.x branch with over 60 bug fixes, some of which are security related. All users of PHP 5.2 are encouraged to upgrade to this release.

Security Enhancements and Fixes in PHP 5.2.12:

  • Fixed a safe_mode bypass in tempnam() identified by Grzegorz Stachowiak. (CVE-2009-3557, Rasmus)
  • Fixed an open_basedir bypass in posix_mkfifo() identified by Grzegorz Stachowiak. (CVE-2009-3558, Rasmus)
  • Added "max_file_uploads" INI directive, which can be set to limit the number of file uploads per-request to 20 by default, to prevent possible DOS via temporary file exhaustion, identified by Bogdan Calin. (CVE-2009-4017, Ilia)
  • Added protection for $_SESSION from interrupt corruption and improved "session.save_path" check, identified by Stefan Esser. (CVE-2009-4143, Stas)
  • Fixed bug #49785 (insufficient input string validation of htmlspecialchars()). (CVE-2009-4142, Moriyoshi, hello at iwamot dot com)

Further details about the PHP 5.2.12 release can be found in the release announcement, and the full list of changes is available in the ChangeLog.


PHP 5.3.1 Released!

The PHP development team would like to announce the immediate availability of PHP 5.3.1. This release focuses on improving the stability of the PHP 5.3.x branch with over 100 bug fixes, some of which are security related. All users of PHP are encouraged to upgrade to this release.

Security Enhancements and Fixes in PHP 5.3.1:

  • Added "max_file_uploads" INI directive, which can be set to limit the number of file uploads per-request to 20 by default, to prevent possible DOS via temporary file exhaustion.
  • Added missing sanity checks around exif processing.
  • Fixed a safe_mode bypass in tempnam().
  • Fixed an open_basedir bypass in posix_mkfifo().
  • Fixed failing safe_mode_include_dir.

Further details about the PHP 5.3.1 release can be found in the release announcement, and the full list of changes is available in the ChangeLog.


PHP 5.2.11 Released!

The PHP development team would like to announce the immediate availability of PHP 5.2.11. This release focuses on improving the stability of the PHP 5.2.x branch with over 75 bug fixes, some of which are security related. All users of PHP 5.2 are encouraged to upgrade to this release.

Security Enhancements and Fixes in PHP 5.2.11:

  • Fixed certificate validation inside php_openssl_apply_verification_policy. (Ryan Sleevi, Ilia)
  • Fixed sanity check for the color index in imagecolortransparent(). (Pierre)
  • Added missing sanity checks around exif processing. (Ilia)
  • Fixed bug #44683 (popen crashes when an invalid mode is passed). (Pierre)

Further details about the PHP 5.2.11 release can be found in the release announcement, and the full list of changes is available in the ChangeLog.


PHP 5.3.0 Released!

The PHP development team is proud to announce the immediate release of PHP 5.3.0. This release is a major improvement in the 5.X series, which includes a large number of new features and bug fixes.

Some of the key new features include: namespaces, late static binding, closures, optional garbage collection for cyclic references, new extensions (like ext/phar, ext/intl and ext/fileinfo), over 140 bug fixes and much more.

For users upgrading from PHP 5.2 there is a migration guide available here, detailing the changes between those releases and PHP 5.3.0.

Further details about the PHP 5.3.0 release can be found in the release announcement, and the full list of changes is available in the ChangeLog.


PHP 5.2.10 Released!

The PHP development team would like to announce the immediate availability of PHP 5.2.10. This release focuses on improving the stability of the PHP 5.2.x branch with over 100 bug fixes, one of which is security related. All users of PHP are encouraged to upgrade to this release.

Security Enhancements and Fixes in PHP 5.2.10:

  • Fixed bug #48378 (exif_read_data() segfaults on certain corrupted .jpeg files). (Pierre)

Further details about the PHP 5.2.10 release can be found in the release announcement, and the full list of changes is available in the ChangeLog.


PHP 5.2.9-2 (Windows) released

The PHP Development Team would like to announce the availability of a new Windows build for PHP - PHP 5.2.9-2

This release focuses on fixing security flaws in the included OpenSSL library (CVE-2009-0590, CVE-2009-0591 and CVE-2009-0789). The security advisory is available here.

The OpenSSL library has been updated to 0.9.8k, which includes fixes for these flaws.

Note: Only the Windows binaries are affected. There are no changes to the PHP sources, therefore no source releases are necessary.

Updated 9th of April: Added the missing OCI8 DLL


5.2.9-1 (for Windows) released

The PHP Development Team would like to announce the availability of a new Windows build of PHP - PHP 5.2.9-1

This release focuses on fixing a security flaw introduced by the cURL library (CVE-2009-0037). Please see the following for a full description: http://curl.haxx.se/docs/adv_20090303.html

Please note that the cURL related function is disabled when open_basedir or safe_mode is enabled.

Note: Only the Windows packages are affected.


PHP 5.2.9 Released!

The PHP development team would like to announce the immediate availability of PHP 5.2.9. This release focuses on improving the stability of the PHP 5.2.x branch with over 50 bug fixes, several of which are security related. All users of PHP are encouraged to upgrade to this release.

Security Enhancements and Fixes in PHP 5.2.9:

  • Fixed security issue in imagerotate(), background colour isn't validated correctly with a non truecolour image. Reported by Hamid Ebadi, APA Laboratory (Fixes CVE-2008-5498). (Scott)
  • Fixed a crash on extract in zip when files or directories entry names contain a relative path. (Pierre)
  • Fixed explode() behavior with empty string to respect negative limit. (Shire)
  • Fixed a segfault when malformed string is passed to json_decode(). (Scott)

Further details about the PHP 5.2.9 release can be found in the release announcement for 5.2.9; the full list of changes is available in the ChangeLog for PHP 5.


PHP 5.2.16 Released!

The PHP development team would like to announce the immediate availability of PHP 5.2.16. This release marks the end of support for PHP 5.2. All users of PHP 5.2 are encouraged to upgrade to PHP 5.3.

This release focuses on addressing a regression in open_basedir implementation introduced in 5.2.15 in addition to fixing a crash inside PDO::pgsql on data retrieval when the server is down. All users who have upgraded to 5.2.15 and are utilizing open_basedir are strongly encouraged to upgrade to 5.2.16 or 5.3.4.

To prepare for upgrading to PHP 5.3, now that PHP 5.2's support has ended, a migration guide, available at http://php.net/migration53, details the changes between PHP 5.2 and PHP 5.3.

For a full list of changes in PHP 5.2.16 see the ChangeLog at http://www.php.net/ChangeLog-5.php#5.2.16.


PHP 5.3.4 Released!

The PHP development team is proud to announce the immediate release of PHP 5.3.4. This is a maintenance release in the 5.3 series, which includes a large number of bug fixes.

Security Enhancements and Fixes in PHP 5.3.4:

  • Fixed crash in zip extract method (possible CWE-170).
  • Paths with NULL in them (foo\0bar.txt) are now considered as invalid (CVE-2006-7243).
  • Fixed a possible double free in imap extension (Identified by Mateusz Kocielski). (CVE-2010-4150).
  • Fixed NULL pointer dereference in ZipArchive::getArchiveComment. (CVE-2010-3709).
  • Fixed possible flaw in open_basedir (CVE-2010-3436).
  • Fixed MOPS-2010-24, fix string validation. (CVE-2010-2950).
  • Fixed symbolic resolution support when the target is a DFS share.
  • Fixed bug #52929 (Segfault in filter_var with FILTER_VALIDATE_EMAIL with large amount of data) (CVE-2010-3710).

Key Bug Fixes in PHP 5.3.4 include:

  • Added stat support for zip stream.
  • Added follow_location (enabled by default) option for the http stream support.
  • Added a 3rd parameter to get_html_translation_table. It now takes a charset hint, like htmlentities et al.
  • Implemented FR #52348, added new constant ZEND_MULTIBYTE to detect zend multibyte at runtime.
  • Multiple improvements to the FPM SAPI.
  • Over 100 other bug fixes.

For users upgrading from PHP 5.2 there is a migration guide available here, detailing the changes between those releases and PHP 5.3.

For a full list of changes in PHP 5.3.4, see the ChangeLog. For source downloads please visit our downloads page, Windows binaries can be found on windows.php.net/download/.


PHP 5.2.15 Released!

The PHP development team would like to announce the immediate availability of PHP 5.2.15. This release marks the end of support for PHP 5.2. All users of PHP 5.2 are encouraged to upgrade to PHP 5.3.

This release focuses on improving the security and stability of the PHP 5.2.x branch with a small number of predominantly security fixes.

Security Enhancements and Fixes in PHP 5.2.15:

  • Fixed extract() to not overwrite $GLOBALS and $this when using EXTR_OVERWRITE.
  • Fixed crash in zip extract method (possible CWE-170).
  • Fixed a possible double free in imap extension.
  • Fixed possible flaw in open_basedir (CVE-2010-3436).
  • Fixed NULL pointer dereference in ZipArchive::getArchiveComment. (CVE-2010-3709).
  • Fixed bug #52929 (Segfault in filter_var with FILTER_VALIDATE_EMAIL with large amount of data).

Key enhancements in PHP 5.2.15 include:

  • Fixed bug #47643 (array_diff() takes over 3000 times longer than php 5.2.4).
  • Fixed bug #44248 (RFC2616 transgression while HTTPS request through proxy with SoapClient object).

To prepare for upgrading to PHP 5.3, now that PHP 5.2's support has ended, a migration guide, available at http://php.net/migration53, details the changes between PHP 5.2 and PHP 5.3.

For a full list of changes in PHP 5.2.15 see the ChangeLog at http://www.php.net/ChangeLog-5.php#5.2.15.


PHP 5.3.3 Released!

The PHP development team would like to announce the immediate availability of PHP 5.3.3. This release focuses on improving the stability and security of the PHP 5.3.x branch with over 100 bug fixes, some of which are security related. All users are encouraged to upgrade to this release.

Backwards incompatible change:

  • Methods with the same name as the last element of a namespaced class name will no longer be treated as constructor. This change doesn't affect non-namespaced classes.

    <?php
    namespace Foo;
    class Bar {
        public function Bar() {
            // treated as constructor in PHP 5.3.0-5.3.2
            // treated as regular method in PHP 5.3.3
        }
    }
    ?>

    There is no impact on migration from 5.2.x because namespaces were only introduced in PHP 5.3.

Security Enhancements and Fixes in PHP 5.3.3:

  • Rewrote var_export() to use smart_str rather than output buffering, prevents data disclosure if a fatal error occurs (CVE-2010-2531).
  • Fixed a possible resource destruction issue in shm_put_var().
  • Fixed a possible information leak because of interruption of XOR operator.
  • Fixed a possible memory corruption because of unexpected call-time pass by reference and following memory clobbering through callbacks.
  • Fixed a possible memory corruption in ArrayObject::uasort().
  • Fixed a possible memory corruption in parse_str().
  • Fixed a possible memory corruption in pack().
  • Fixed a possible memory corruption in substr_replace().
  • Fixed a possible memory corruption in addcslashes().
  • Fixed a possible stack exhaustion inside fnmatch().
  • Fixed a possible dechunking filter buffer overflow.
  • Fixed a possible arbitrary memory access inside sqlite extension.
  • Fixed string format validation inside phar extension.
  • Fixed handling of session variable serialization on certain prefix characters.
  • Fixed a NULL pointer dereference when processing invalid XML-RPC requests (Fixes CVE-2010-0397, bug #51288).
  • Fixed SplObjectStorage unserialization problems (CVE-2010-2225).
  • Fixed possible buffer overflows in mysqlnd_list_fields, mysqlnd_change_user.
  • Fixed possible buffer overflows when handling error packets in mysqlnd.

Key enhancements in PHP 5.3.3 include:

  • Upgraded bundled sqlite to version 3.6.23.1.
  • Upgraded bundled PCRE to version 8.02.
  • Added FastCGI Process Manager (FPM) SAPI.
  • Added stream filter support to mcrypt extension.
  • Added full_special_chars filter to ext/filter.
  • Fixed a possible crash because of recursive GC invocation.
  • Fixed bug #52238 (Crash when an Exception occurred in iterator_to_array).
  • Fixed bug #52041 (Memory leak when writing on uninitialized variable returned from function).
  • Fixed bug #52060 (Memory leak when passing a closure to method_exists()).
  • Fixed bug #52001 (Memory allocation problems after using variable variables).
  • Fixed bug #51723 (Content-length header is limited to 32bit integer with Apache2 on Windows).
  • Fixed bug #48930 (__COMPILER_HALT_OFFSET__ incorrect in PHP >= 5.3).

For users upgrading from PHP 5.2 there is a migration guide available on http://php.net/migration53, detailing the changes between those releases and PHP 5.3.

For a full list of changes in PHP 5.3.3, see the ChangeLog.


PHP 5.2.14 Released!

The PHP development team would like to announce the immediate availability of PHP 5.2.14. This release focuses on improving the stability of the PHP 5.2.x branch with over 60 bug fixes, some of which are security related.

This release marks the end of the active support for PHP 5.2. Following this release the PHP 5.2 series will receive no further active bug maintenance. Security fixes for PHP 5.2 might be published on a case-by-case basis. All users of PHP 5.2 are encouraged to upgrade to PHP 5.3.

Security Enhancements and Fixes in PHP 5.2.14:

  • Rewrote var_export() to use smart_str rather than output buffering, prevents data disclosure if a fatal error occurs.
  • Fixed a possible interruption array leak in strrchr(). (CVE-2010-2484)
  • Fixed a possible interruption array leak in strchr(), strstr(), substr(), chunk_split(), strtok(), addcslashes(), str_repeat(), trim().
  • Fixed a possible memory corruption in substr_replace().
  • Fixed SplObjectStorage unserialization problems (CVE-2010-2225).
  • Fixed a possible stack exhaustion inside fnmatch().
  • Fixed a NULL pointer dereference when processing invalid XML-RPC requests (Fixes CVE-2010-0397, bug #51288).
  • Fixed handling of session variable serialization on certain prefix characters.
  • Fixed a possible arbitrary memory access inside sqlite extension. Reported by Mateusz Kocielski.

Key enhancements in PHP 5.2.14 include:

  • Upgraded bundled PCRE to version 8.02.
  • Updated timezone database to version 2010.5.
  • Fixed bug #52238 (Crash when an Exception occurred in iterator_to_array).
  • Fixed bug #52237 (Crash when passing the reference of the property of a non-object).
  • Fixed bug #52041 (Memory leak when writing on uninitialized variable returned from function).
  • Fixed bug #51822 (Segfault with strange __destruct() for static class variables).
  • Fixed bug #51552 (debug_backtrace() causes segmentation fault and/or memory issues).
  • Fixed bug #49267 (Linking fails for iconv on MacOS: "Undefined symbols: _libiconv").

To prepare for upgrading to PHP 5.3, now that PHP 5.2's support has ended, a migration guide, available at http://php.net/migration53, details the changes between PHP 5.2 and PHP 5.3.

For a full list of changes in PHP 5.2.14 see the ChangeLog at http://www.php.net/ChangeLog-5.php#5.2.14.


PHP 5.3.2 Released!

The PHP development team is proud to announce the immediate release of PHP 5.3.2. This is a maintenance release in the 5.3 series, which includes a large number of bug fixes.

Security Enhancements and Fixes in PHP 5.3.2:

  • Improved LCG entropy. (Rasmus, Samy Kamkar)
  • Fixed safe_mode validation inside tempnam() when the directory path does not end with a /. (Martin Jansen)
  • Fixed a possible open_basedir/safe_mode bypass in the session extension identified by Grzegorz Stachowiak. (Ilia)

Key Bug Fixes in PHP 5.3.2 include:

  • Added support for SHA-256 and SHA-512 to php's crypt.
  • Added protection for $_SESSION from interrupt corruption and improved "session.save_path" check.
  • Fixed bug #51059 (crypt crashes when invalid salts are given).
  • Fixed bug #50940 (Custom content-length set incorrectly in Apache SAPIs).
  • Fixed bug #50847 (strip_tags() removes all tags greater than 1023 bytes long).
  • Fixed bug #50723 (Bug in garbage collector causes crash).
  • Fixed bug #50661 (DOMDocument::loadXML does not allow UTF-16).
  • Fixed bug #50632 (filter_input() does not return default value if the variable does not exist).
  • Fixed bug #50540 (Crash while running ldap_next_reference test cases).
  • Fixed bug #49851 (http wrapper breaks on 1024 char long headers).
  • Over 60 other bug fixes.

For users upgrading from PHP 5.2 there is a migration guide available here, detailing the changes between those releases and PHP 5.3.

Further information and downloads:

For a full list of changes in PHP 5.3.2, see the ChangeLog. For source downloads please visit our downloads page; Windows binaries can be found on windows.php.net/download/.


PHP 5.2.13 Released!

The PHP development team would like to announce the immediate availability of PHP 5.2.13. This release focuses on improving the stability of the PHP 5.2.x branch with over 40 bug fixes, some of which are security related. All users of PHP 5.2 are encouraged to upgrade to this release.

Security Enhancements and Fixes in PHP 5.2.13:

  • Fixed safe_mode validation inside tempnam() when the directory path does not end with a /. (Martin Jansen)
  • Fixed a possible open_basedir/safe_mode bypass in session extension identified by Grzegorz Stachowiak. (Ilia)
  • Improved LCG entropy. (Rasmus, Samy Kamkar)

Further details about the PHP 5.2.13 release can be found in the release announcement, and the full list of changes is available in the ChangeLog.


PHP 5.4.0 RC4 released

The PHP development team is proud to announce the 4th release candidate of PHP 5.4. PHP 5.4 includes new language features and removes several legacy (deprecated) behaviours. Windows binaries can be downloaded from the Windows QA site.

THIS IS A RELEASE CANDIDATE - DO NOT USE IT IN PRODUCTION!

This is the 4th release candidate. The release candidate phase is intended as a period of bug fixing prior to the stable release. No new features should be included before the final version of PHP 5.4.0.

The new release candidate fixed several bugs, including:

  • Added max_input_vars directive to prevent attacks based on hash collisions
  • Fixed a segfault in the traits code

Read the NEWS file for a complete list of changes in this release.

Please continue to help us to identify bugs in order to ensure that the release is solid and all things behave as expected. Please test this release candidate against your code base and report any problems that you encounter to the QA mailing list and/or the PHP bug tracker.

The next release candidate will be released in 14 days.


PHP 5.4.0RC3 released

The PHP development team is proud to announce the third release candidate of PHP 5.4. PHP 5.4 includes new language features and removes several legacy (deprecated) behaviours. Windows binaries can be downloaded from the Windows QA site.

THIS IS A RELEASE CANDIDATE - DO NOT USE IT IN PRODUCTION!

This is the third release candidate. The release candidate phase is intended as a period of bug fixing prior to the stable release. No new features should be included before the final version of PHP 5.4.0.

Changes since the previous release candidate include:

  • The intl extension now supports UTS #46 mapping for IDNA
  • $_SERVER['SERVER_NAME'] and $_SERVER['SERVER_PORT'] are now available in the builtin CLI server implementation.
  • Several improvements and bug fixes in the Zend Engine, Core and other extensions.

Read the NEWS file for a complete list of changes in this release.

Please continue to help us to identify bugs in order to ensure that the release is solid and all things behave as expected. Please test this release candidate against your code base and report any problems that you encounter to the QA mailing list and/or the PHP bug tracker.


PHP 5.4 RC2 released

The PHP development team is proud to announce the second release candidate of PHP 5.4. PHP 5.4 includes new language features and removes several legacy (deprecated) behaviours. Windows binaries can be downloaded from the Windows QA site.

THIS IS A RELEASE CANDIDATE - DO NOT USE IT IN PRODUCTION!

This is the second release candidate. The release candidate phase is intended as a period of bug fixing prior to the stable release. No new features should be included before the final version of PHP 5.4.0.

Changes since the previous release candidate include:

  • Further bug fixes in the built-in web server.
  • PHP-FPM is no longer marked as EXPERIMENTAL.
  • Several improvements and bug fixes in the Zend Engine, Core and other extensions.

Read the NEWS file for a complete list of changes in this release.

Please continue to help us to identify bugs in order to ensure that the release is solid and all things behave as expected. Please test this release candidate against your code base and report any problems that you encounter to the QA mailing list and/or the PHP bug tracker.


PHP 5.4 RC1 released

The PHP development team is proud to announce the first release candidate of PHP 5.4. PHP 5.4 includes new language features and removes several legacy (deprecated) behaviours. Windows binaries can be downloaded from the Windows QA site.

THIS IS A RELEASE CANDIDATE - DO NOT USE IT IN PRODUCTION!

This is the first release candidate. No new features will be included before the final version of PHP 5.4.0. The release candidate phase is intended as a period of bug fixing prior to the stable release.

Changes since the last beta version include:

  • Added class member access on instantiation (e.g. (new Foo)->bar()).
  • Changed silent conversion of array to string to produce a notice.
  • Numerous bug fixes and improvements in the Core and other extensions.

Please help us to identify bugs in order to ensure that the release is solid and all things behave as expected. Please test this release candidate against your code base and report any problems that you encounter to the QA mailing list and/or the PHP bug tracker.

Read the NEWS file for a complete list of changes in this release.


PHP 5.4 beta2 released

The PHP development team is proud to announce the second beta release of PHP 5.4. PHP 5.4 includes new language features and removes several legacy (deprecated) behaviours. Windows binaries can be downloaded from the Windows QA site.

THIS IS A DEVELOPMENT PREVIEW - DO NOT USE IT IN PRODUCTION!

Please help us to identify bugs by testing new features and looking for unintended backward compatibility breaks, so we can fix the problems and fully document intended changes before PHP 5.4.0 is released. Report findings to the QA mailing list and/or the PHP bug tracker.

This release includes numerous bug fixes and improvements since the first beta release.

Read the NEWS file for a complete list of changes.


PHP 5.4 beta1 released

The PHP development team is proud to announce the first beta release of PHP 5.4. PHP 5.4 includes new language features and removes several legacy (deprecated) behaviors. Windows binaries can be downloaded from the Windows QA site.

THIS IS A DEVELOPMENT PREVIEW - DO NOT USE IT IN PRODUCTION!

New features were added and bugs were fixed since alpha1. Please help us to identify bugs by testing new features and looking for unintended backward compatibility breaks, so we can fix the problems and fully document intended changes before PHP 5.4.0 is released. Report findings to the QA mailing list and/or the PHP bug tracker.

Changes since the first alpha version include:

  • Added callable typehint.
  • Removed the timezone guessing algorithm. "UTC" is now used in case the timezone is not set.
  • The mysql, mysqli and pdo_mysql extensions now use mysqlnd by default.

Read the NEWS file for a complete list of changes.


PHP 5.3.8 Released!

The PHP development team would like to announce the immediate availability of PHP 5.3.8. This release fixes two issues introduced in the PHP 5.3.7 release:

  • Fixed bug #55439 (crypt() returns only the salt for MD5)
  • Reverted a change in timeout handling that caused mysqlnd SSL connections to hang, restoring PHP 5.3.6 behavior (Bug #55283).

All PHP users should note that the PHP 5.2 series is NOT supported anymore. All users are strongly encouraged to upgrade to PHP 5.3.8.

For a full list of changes in PHP 5.3.8, see the ChangeLog. For source downloads please visit our downloads page; Windows binaries can be found on windows.php.net/download/.

For more details on the crypt() blowfish security issue in pre 5.3.6 see the crypt blowfish page.


PHP 5.3.7 Released!

The PHP development team would like to announce the immediate availability of PHP 5.3.7. This release focuses on improving the stability of the PHP 5.3.x branch with over 90 bug fixes, some of which are security related.

Security Enhancements and Fixes in PHP 5.3.7:

  • Updated crypt_blowfish to 1.2. (CVE-2011-2483) (more info)
  • Fixed crash in error_log(). Reported by Mateusz Kocielski
  • Fixed buffer overflow on overlong salt in crypt().
  • Fixed bug #54939 (File path injection vulnerability in RFC1867 File upload filename). Reported by Krzysztof Kotowicz. (CVE-2011-2202)
  • Fixed stack buffer overflow in socket_connect(). (CVE-2011-1938)
  • Fixed bug #54238 (use-after-free in substr_replace()). (CVE-2011-1148)

Key enhancements in PHP 5.3.7 include:

  • Upgraded bundled Sqlite3 to version 3.7.7.1
  • Upgraded bundled PCRE to version 8.12
  • Fixed bug #54910 (Crash when calling call_user_func with unknown function name)
  • Fixed bug #54585 (track_errors causes segfault)
  • Fixed bug #54262 (Crash when assigning value to a dimension in a non-array)
  • Fixed a crash inside dtor for error handling
  • Fixed bug #55339 (Segfault with allow_call_time_pass_reference = Off)
  • Fixed bug #54935 (php_win_err can lead to crash)
  • Fixed bug #54332 (Crash in zend_mm_check_ptr // Heap corruption)
  • Fixed bug #54305 (Crash in gc_remove_zval_from_buffer)
  • Fixed bug #54580 (get_browser() segmentation fault when browscap ini directive is set through php_admin_value)
  • Fixed bug #54529 (SAPI crashes on apache_config.c:197)
  • Fixed bug #54283 (new DatePeriod(NULL) causes crash).
  • Fixed bug #54269 (Short exception message buffer causes crash)
  • Fixed Bug #54221 (mysqli::get_warnings segfault when used in multi queries)
  • Fixed bug #54395 (Phar::mount() crashes when calling with wrong parameters)
  • Fixed bug #54384 (Dual iterators, GlobIterator, SplFileObject and SplTempFileObject crash when user-space classes don't call the parent constructor)
  • Fixed bug #54292 (Wrong parameter causes crash in SplFileObject::__construct())
  • Fixed bug #54291 (Crash iterating DirectoryIterator for dir name starting with \0)
  • Fixed bug #54281 (Crash in non-initialized RecursiveIteratorIterator)
  • Fixed bug #54623 (Segfault when writing to a persistent socket after closing a copy of the socket)
  • Fixed bug #54681 (addGlob() crashes on invalid flags)
  • Over 80 other bug fixes.

Windows users: please note that we no longer provide builds created with Visual Studio C++ 6. It is impossible to maintain a high quality and safe build of PHP for Windows using this unmaintained compiler.

For Apache SAPIs (php5_apache2_2.dll), be sure that you use a Visual Studio C++ 9 version of Apache. We recommend the Apache builds as provided by ApacheLounge. For any other SAPI (CLI, FastCGI via mod_fcgi, FastCGI with IIS or other FastCGI capable server), everything works as before. Third party extension providers must rebuild their extensions to make them compatible and loadable with the Visual Studio C++ 9 builds that we now provide.

All PHP users should note that the PHP 5.2 series is NOT supported anymore. All users are strongly encouraged to upgrade to PHP 5.3.7.

For a full list of changes in PHP 5.3.7, see the ChangeLog. For source downloads please visit our downloads page; Windows binaries can be found on windows.php.net/download/.


PHP 5.4 alpha1 released

The PHP development team is proud to announce the first PHP 5.4 alpha release. PHP 5.4 includes new language features and removes several legacy (deprecated) behaviors. Read the NEWS file for a complete list of changes.

THIS IS A DEVELOPMENT PREVIEW - DO NOT USE IT IN PRODUCTION!

This alpha release exists to encourage users to identify bugs, and to ensure that all new features and backward compatibility breaks are evaluated and documented before PHP 5.4.0 is released. Please report findings to the QA mailing list and/or the PHP bug tracker. Windows binaries can be downloaded from the Windows QA site.

Here is an incomplete list of changes:

  • Added: Traits language construct
  • Added: Array dereferencing support
  • Added: DTrace support
  • Improved: Improved Zend Engine memory usage and performance
  • Moved: ext/sqlite moved to pecl (sqlite3 support is still built-in)

Please note that some legacy features have been removed, including:

  • Removed: break/continue $var syntax
  • Removed: register_globals, allow_call_time_pass_reference, and register_long_arrays ini options
  • Removed: session_is_registered(), session_registered(), and session_unregister()

This is the first release that adopts the releaseprocess RFC. The next alpha will be released within four weeks. The PHP 5.4 feature set and API have not been finalized.


PHP 5.3.6 Released!

The PHP development team would like to announce the immediate availability of PHP 5.3.6. This release focuses on improving the stability of the PHP 5.3.x branch with over 60 bug fixes, some of which are security related.

Security Enhancements and Fixes in PHP 5.3.6:

  • Enforce security in the fastcgi protocol parsing with fpm SAPI.
  • Fixed bug #54247 (format-string vulnerability on Phar). (CVE-2011-1153)
  • Fixed bug #54193 (Integer overflow in shmop_read()). (CVE-2011-1092)
  • Fixed bug #54055 (buffer overrun with high values for precision ini setting).
  • Fixed bug #54002 (crash on crafted tag in exif). (CVE-2011-0708)
  • Fixed bug #53885 (ZipArchive segfault with FL_UNCHANGED on empty archive). (CVE-2011-0421)

Key enhancements in PHP 5.3.6 include:

  • Upgraded bundled Sqlite3 to version 3.7.4.
  • Upgraded bundled PCRE to version 8.11.
  • Added ability to connect to HTTPS sites through proxy with basic authentication using stream_context/http/header/Proxy-Authorization.
  • Added options to debug backtrace functions.
  • Changed default value of ini directive serialize_precision from 100 to 17.
  • Fixed Bug #53971 (isset() and empty() produce apparently spurious runtime error).
  • Fixed Bug #53958 (Closures can't 'use' shared variables by value and by reference).
  • Fixed bug #53577 (Regression introduced in 5.3.4 in open_basedir with a trailing forward slash).
  • Over 60 other bug fixes.

Windows users: please note that we no longer provide builds created with Visual Studio C++ 6. It is impossible to maintain a high quality and safe build of PHP for Windows using this unmaintained compiler.

For Apache SAPIs (php5_apache2_2.dll), be sure that you use a Visual Studio C++ 9 version of Apache. We recommend the Apache builds as provided by ApacheLounge. For any other SAPI (CLI, FastCGI via mod_fcgi, FastCGI with IIS or other FastCGI capable server), everything works as before. Third party extension providers must rebuild their extensions to make them compatible and loadable with the Visual Studio C++ 9 builds that we now provide.

All PHP users should note that the PHP 5.2 series is NOT supported anymore. All users are strongly encouraged to upgrade to PHP 5.3.6.

For a full list of changes in PHP 5.3.6, see the ChangeLog. For source downloads please visit our downloads page; Windows binaries can be found on windows.php.net/download/.


PHP 5.3.5 and 5.2.17 Released!

The PHP development team would like to announce the immediate availability of PHP 5.3.5 and 5.2.17.

This release resolves a critical issue, reported as PHP bug #53632 and CVE-2010-4645, where conversions from string to double might cause the PHP interpreter to hang on systems using x87 FPU registers.

The problem is known to only affect x86 32-bit PHP processes, regardless of whether the system hosting PHP is 32-bit or 64-bit. You can test whether your system is affected by running this script from the command line.

All users of PHP are strongly advised to update to these versions immediately.


PHP 5.4.3 and PHP 5.3.13 Released!

The PHP development team would like to announce the immediate availability of PHP 5.4.3 and PHP 5.3.13. All users are encouraged to upgrade to PHP 5.4.3 or PHP 5.3.13.

The releases complete a fix for a vulnerability in CGI-based setups (CVE-2012-2311). Note: mod_php and php-fpm are not vulnerable to this attack.

PHP 5.4.3 fixes a buffer overflow vulnerability in apache_request_headers() (CVE-2012-2329). The PHP 5.3 series is not vulnerable to this issue.

For source downloads of PHP 5.4.3 and PHP 5.3.13 please visit our downloads page; Windows binaries can be found on windows.php.net/download/. The list of changes is recorded in the ChangeLog.


PHP 5.3.12 and PHP 5.4.2 Released!

There is a vulnerability in certain CGI-based setups (Apache+mod_php and nginx+php-fpm are not affected) that has gone unnoticed for at least 8 years. Section 7 of the CGI spec states:

Some systems support a method for supplying a [sic] array of strings to the CGI script. This is only used in the case of an `indexed' query. This is identified by a "GET" or "HEAD" HTTP request with a URL search string not containing any unencoded "=" characters.

So, requests that do not have a "=" in the query string are treated differently from those that do in some CGI implementations. For PHP this means that a request containing ?-s may dump the PHP source code for the page, but a request that has ?-s&=1 is fine.

A large number of sites run PHP as either an Apache module through mod_php or using php-fpm under nginx. Neither of these setups is vulnerable to this. Straight shebang-style CGI also does not appear to be vulnerable.

If you are using Apache mod_cgi to run PHP you may be vulnerable. To see if you are, just add ?-s to the end of any of your URLs. If you see your source code, you are vulnerable. If your site renders normally, you are not.

To fix this, update to PHP 5.3.12 or PHP 5.4.2.

We recognize that since CGI is a rather outdated way to run PHP, it may not be feasible to upgrade these sites to a modern version of PHP. An alternative is to configure your web server so that requests whose query string starts with a "-" and contains no "=" are not passed through. Adding a rule like this should not break any sites. For Apache using mod_rewrite it would look like this:

         RewriteCond %{QUERY_STRING} ^(%2d|-)[^=]+$ [NC]
         RewriteRule ^(.*) $1? [L]
     

If you are writing your own rule, be sure to take the urlencoded ?%2ds version into account.
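The condition used in the rewrite rule above can also be run over existing access logs to see whether such requests have already reached a CGI setup. The following is an added example, not part of the original announcement; the log lines are constructed, and the function names and the combined-log layout are assumptions.

```python
import re

# Same condition as the RewriteCond above: the raw (still URL-encoded) query
# string starts with "-" or "%2d" and contains no unencoded "=".
# re.IGNORECASE mirrors the [NC] flag, so "%2D" is caught as well.
RULE = re.compile(r"^(%2d|-)[^=]+$", re.IGNORECASE)

# Request line inside a combined-format access log entry (assumed layout).
REQUEST = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')


def query_matches_rule(raw_query):
    """True if the mod_rewrite condition would fire for this raw query string."""
    return RULE.search(raw_query) is not None


def flag_log_line(line):
    """Return (method, path, query) when a log line matches the rule, else None."""
    m = REQUEST.search(line)
    if m is None:
        return None
    path, sep, query = m.group("target").partition("?")
    if not sep or not query_matches_rule(query):
        return None
    return m.group("method"), path, query


def scan(lines):
    """Collect every flagged request from an iterable of access log lines."""
    return [hit for hit in map(flag_log_line, lines) if hit is not None]


# Constructed sample log lines (documentation addresses, made-up paths).
SAMPLE_LOG = [
    '192.0.2.10 - - [04/May/2012:10:01:02 +0000] "GET /index.php?-s HTTP/1.1" 200 5120',
    '192.0.2.10 - - [04/May/2012:10:01:03 +0000] "GET /index.php?%2ds HTTP/1.1" 200 5120',
    '192.0.2.11 - - [04/May/2012:10:01:04 +0000] "HEAD /index.php?%2Ds HTTP/1.1" 200 0',
    '192.0.2.12 - - [04/May/2012:10:01:05 +0000] "GET /index.php?-s&=1 HTTP/1.1" 200 812',
    '192.0.2.13 - - [04/May/2012:10:01:06 +0000] "GET /search.php?q=-s HTTP/1.1" 200 930',
    '192.0.2.14 - - [04/May/2012:10:01:07 +0000] "GET /index.php HTTP/1.1" 200 812',
]

if __name__ == "__main__":
    for method, path, query in scan(SAMPLE_LOG):
        print(f"{method} {path} query={query!r}")
```

Only the first three sample lines are flagged: the plain and urlencoded ?-s forms match, while ?-s&=1 and ordinary key=value queries do not.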

Making a bad week worse, we had a bug in our bug system that toggled the private flag of a bug report to public on a comment to the bug report, causing this issue to go public before we had time to test solutions to the level we would like. Please report any issues via bugs.php.net.

For source downloads of PHP 5.3.12 and PHP 5.4.2 please visit our downloads page; Windows binaries can be found on windows.php.net/download/. A ChangeLog exists.


PHP 5.3.11 And PHP 5.4.1 Released!

The PHP development team announces the immediate availability of PHP 5.3.11 and PHP 5.4.1. These releases focus on improving the stability of the current PHP branches with over 60 bug fixes, some of which are security related.

Security Enhancements for both PHP 5.3.11 and PHP 5.4.1:

  • Fixed bug #54374 (Insufficient validating of upload name leading to corrupted $_FILES indices). (CVE-2012-1172).
  • Add open_basedir checks to readline_write_history and readline_read_history.

Security Enhancement affecting PHP 5.3.11 only:

  • Fixed bug #61043 (Regression in magic_quotes_gpc fix for CVE-2012-0831).

Key enhancements in these releases include:

  • Added debug info handler to DOM objects.
  • Fixed bug #61172 (Add Apache 2.4 support).

For a full list of changes in PHP 5.3.11 and PHP 5.4.1, see the ChangeLog. For source downloads please visit our downloads page; Windows binaries can be found on windows.php.net/download/.

All users of PHP are strongly encouraged to upgrade to PHP 5.3.11 or PHP 5.4.1.


PHP 5.4.1RC2 Released for Testing

The PHP development team would like to announce the 2nd release candidate of PHP 5.4.1. Windows binaries can be downloaded from the Windows QA site.

THIS IS A RELEASE CANDIDATE - DO NOT USE IT IN PRODUCTION!

This is the 2nd release candidate. The release candidate phase is intended as a period of bug fixing prior to the stable release. The release candidate fixes a critical issue when using the internal classes in multiple threads.

A complete list of changes since the last release candidate can be found in the NEWS file.

Please help us to identify bugs in order to ensure that the release is solid and all things behave as expected by taking the time to test this release candidate against your code base and reporting any problems that you encounter to the QA mailing list and/or the PHP bug tracker.

PHP 5.4.1 final will be released on April 26.


PHP 5.4.0 released!

The PHP development team is proud to announce the immediate availability of PHP 5.4.0. This release is a major leap forward in the 5.x series, which includes a large number of new features and bug fixes.

Some of the key new features include: traits, a shortened array syntax, a built-in webserver for testing purposes and more. PHP 5.4.0 significantly improves performance and memory footprint, and fixes over 100 bugs.

For users upgrading from PHP 5.3 there is a migration guide available here, detailing the changes between those releases and PHP 5.4.0.

Further details about the PHP 5.4.0 release can be found in the release announcement, and the full list of changes is available in the ChangeLog.

Please note that it may take a while until the release is available on all mirrors.


PHP 5.4.0 RC8 released

The PHP development team would like to announce the 8th release candidate of PHP 5.4. PHP 5.4 includes new language features and removes several legacy (deprecated) behaviours. Windows binaries can be downloaded from the Windows QA site.

THIS IS A RELEASE CANDIDATE - DO NOT USE IT IN PRODUCTION!

This is the 8th release candidate. The release candidate phase is intended as a period of bug fixing prior to the stable release. No new features should be included before the final version of PHP 5.4.0.

The 7th and 8th release candidates focus on fixing critical bugs and security vulnerabilities, including:

  • A buffer overflow in htmlspecialchars() and htmlentities() (bug #60965).
  • Improving the max_input_vars configuration directive to check nested variables.

A complete list of changes since the last release candidate can be found in the NEWS file.

We've received a lot of feedback that has helped to improve the upcoming release of PHP 5.4.0. Please continue to help us to identify bugs in order to ensure that the release is solid and all things behave as expected by taking the time to test this release candidate against your code base and reporting any problems that you encounter to the QA mailing list and/or the PHP bug tracker.

The next release candidate will be released on March 1.


PHP 5.3.10 Released!

The PHP development team would like to announce the immediate availability of PHP 5.3.10. This release delivers a critical security fix.

Security Fixes in PHP 5.3.10:

  • Fixed arbitrary remote code execution vulnerability reported by Stefan Esser, CVE-2012-0830.

All users are strongly encouraged to upgrade to PHP 5.3.10.

For source downloads please visit our downloads page; Windows binaries can be found on windows.php.net/download/.


PHP 5.4.0 RC6 released

The PHP development team announces the 6th release candidate of PHP 5.4. PHP 5.4 includes new language features and removes several legacy (deprecated) behaviours. Windows binaries can be downloaded from the Windows QA site.

THIS IS A RELEASE CANDIDATE - DO NOT USE IT IN PRODUCTION!

This is the 6th release candidate. The release candidate phase is intended as a period of bug fixing prior to the stable release. No new features should be included before the final version of PHP 5.4.0.

The 6th release candidate focused on improving traits. Please test them carefully and help us to identify bugs in order to ensure that the release is solid and all things behave as expected. Please take the time to test this release candidate against your code base and report any problems that you encounter to the QA mailing list and/or the PHP bug tracker.

A complete list of changes since the last release candidate can be found at NEWS.

The next candidate will be released on Feb 2.


PHP 5.3.9 Released!

The PHP development team would like to announce the immediate availability of PHP 5.3.9. This release focuses on improving the stability of the PHP 5.3.x branch with over 90 bug fixes, some of which are security related.

Security Enhancements and Fixes in PHP 5.3.9:

  • Added max_input_vars directive to prevent attacks based on hash collisions. (CVE-2011-4885)
  • Fixed bug #60150 (Integer overflow during the parsing of invalid exif header). (CVE-2011-4566)

Key enhancements in PHP 5.3.9 include:

  • Fixed bug #55475 (is_a() triggers autoloader, new optional 3rd argument to is_a and is_subclass_of).
  • Fixed bug #55609 (mysqlnd cannot be built shared)
  • Many changes to the FPM SAPI module

For a full list of changes in PHP 5.3.9, see the ChangeLog. For source downloads please visit our downloads page; Windows binaries can be found on windows.php.net/download/.

All users are strongly encouraged to upgrade to PHP 5.3.9.


PHP 5.4.0 RC5 released

The PHP development team announces the 5th release candidate of PHP 5.4. PHP 5.4 includes new language features and removes several legacy (deprecated) behaviours. Windows binaries can be downloaded from the Windows QA site.

THIS IS A RELEASE CANDIDATE - DO NOT USE IT IN PRODUCTION!

This is the 5th release candidate. The release candidate phase is intended as a period of bug fixing prior to the stable release. No new features should be included before the final version of PHP 5.4.0.

We got a lot of feedback that helped us to improve the upcoming PHP version. Please continue to help us to identify bugs in order to ensure that the release is solid and all things behave as expected. Please take the time to test this release candidate against your code base and report any problems that you encounter to the QA mailing list and/or the PHP bug tracker.

A complete list of changes since the last release candidate can be found at NEWS.

The next and probably last release candidate will be released in 14 days.


