WARNING: As Ingrid noted in the comments, 5.2.7 has been removed and is no longer available on the PHP site. Read more about the bug here.

I’ve been notified via the PHP announcement list that version 5.2.7 has been released. I have tested it today on Tiger and Leopard, and I can tell you everything works as far as I can tell on my test servers.

This release incorporates several security fixes and the mandatory bugfixes.

Security Enhancements and Fixes in PHP 5.2.7:

  • Upgraded PCRE to version 7.8 (Fixes CVE-2008-2371)
  • Fixed missing initialization of BG(page_uid) and BG(page_gid), reported by Maksymilian Arciemowicz.
  • Fixed a crash inside gd with invalid fonts (Fixes CVE-2008-3658).
  • Fixed a possible overflow inside memnstr (Fixes CVE-2008-3659).
  • Fixed incorrect php_value order for Apache configuration, reported by Maksymilian Arciemowicz.
  • Fixed safe_mode related security issues detailed in CVE-2008-2665 and CVE-2008-2666.
  • Crash with URI/file..php (filename contains 2 dots) (Fixes CVE-2008-3660)
  • IMAP toolkit crash: rfc822.c legacy routine buffer overflow. (Fixes CVE-2008-2829)

Some of the key enhancements in PHP 5.2.7 include:

  • Fixed several memory leaks inside the readline and sqlite extensions
  • A number of corrections relating to date parsing inside the date extension
  • Fixed bugs relating to data retrieval in the PDO extension
  • A series of crashes in various areas of code were resolved
  • Several corrections were made to the strip_tags() function in terms of < and
  • A number of bugs were fixed in the extract() function when the EXTR_REFS flag is used
  • Added the ability to log PHP errors to the SAPI (Ex. Apache log) logging facility

For instructions on how to upgrade to this release of PHP, read the PHP upgrade instructions.