Newsgroups: php.general,php.internals
Path: news.php.net
Xref: news.php.net php.general:314556 php.internals:54691
Mailing-List: contact internals-help@lists.php.net; run by ezmlm
Received-SPF: pass (pb1.pair.com: domain prohost.org designates 209.85.214.42 as permitted sender)
MIME-Version: 1.0
Date: Thu, 18 Aug 2011 11:05:45 -0400
Message-ID: <CAJy+15wt1xn2r6Ae29jr28L5f5ZJGearf11Nu24w10sofpk8nA@mail.gmail.com>
To: PHP Developers Mailing List <internals@lists.php.net>, php-general@lists.php.net
Content-Type: text/plain; charset=ISO-8859-1
Subject: PHP 5.3.7 Released!
From: ilia@prohost.org (Ilia Alshanetsky)

The PHP development team would like to announce the immediate
availability of PHP 5.3.7. This release focuses on improving the
stability of the PHP 5.3.x branch with over 90 bug fixes, some of
which are security related.

Security Enhancements and Fixes in PHP 5.3.7:

  * Updated crypt_blowfish to 1.2. (CVE-2011-2483)
  * Fixed crash in error_log(). Reported by Mateusz Kocielski
  * Fixed buffer overflow on overlog salt in crypt().
  * Fixed bug #54939 (File path injection vulnerability in RFC1867
File upload filename). Reported by Krzysztof Kotowicz. (CVE-2011-2202)
  * Fixed stack buffer overflow in socket_connect(). (CVE-2011-1938)
  * Fixed bug #54238 (use-after-free in substr_replace()). (CVE-2011-1148)

Key enhancements in PHP 5.3.7 include:

  * Upgraded bundled Sqlite3 to version 3.7.7.1
  * Upgraded bundled PCRE to version 8.12
  * Fixed bug #54910 (Crash when calling call_user_func with unknown
function name)
  * Fixed bug #54585 (track_errors causes segfault)
  * Fixed bug #54262 (Crash when assigning value to a dimension in a non-array)
  * Fixed a crash inside dtor for error handling
  * Fixed bug #55339 (Segfault with allow_call_time_pass_reference = Off)
  * Fixed bug #54935 php_win_err can lead to crash
  * Fixed bug #54332 (Crash in zend_mm_check_ptr // Heap corruption)
  * Fixed bug #54305 (Crash in gc_remove_zval_from_buffer)
  * Fixed bug #54580 (get_browser() segmentation fault when browscap
ini directive is set through php_admin_value)
  * Fixed bug #54529 (SAPI crashes on apache_config.c:197)
  * Fixed bug #54283 (new DatePeriod(NULL) causes crash).
  * Fixed bug #54269 (Short exception message buffer causes crash)
  * Fixed Bug #54221 (mysqli::get_warnings segfault when used in multi queries)
  * Fixed bug #54395 (Phar::mount() crashes when calling with wrong parameters)
  * Fixed bug #54384 (Dual iterators, GlobIterator, SplFileObject and
SplTempFileObject crash when user-space classes don't call the parent
constructor)
  * Fixed bug #54292 (Wrong parameter causes crash in
SplFileObject::__construct())
  * Fixed bug #54291 (Crash iterating DirectoryIterator for dir name
starting with \0)
  * Fixed bug #54281 (Crash in non-initialized RecursiveIteratorIterator)
  * Fixed bug #54623 (Segfault when writing to a persistent socket
after closing a copy of the socket)
  * Fixed bug #54681 (addGlob() crashes on invalid flags)
  * Over 80 other bug fixes.

Windows users: please mind that we do no longer provide builds created
with Visual Studio C++ 6. It is impossible to maintain a high quality
and safe build of PHP for Windows using this unmaintained compiler.

For Apache SAPIs (php5_apache2_2.dll), be sure that you use a Visual
Studio C++ 9 version of Apache. We recommend the Apache builds as
provided by ApacheLounge. For any other SAPI (CLI, FastCGI via
mod_fcgi, FastCGI with IIS or other FastCGI capable server),
everything works as before. Third party extension providers  must
rebuild their extensions to make them compatible and loadable with the
Visual Studio C++9 builds that we now provide.</p>

All PHP users should note that the PHP 5.2 series is NOT supported
anymore. All users are strongly encouraged to upgrade to PHP 5.3.7.