The PHP development team released a new version of PHP called 5.2.3. Sorry it took some time to blog about it, but I had a problem testing it. There was a problem getting it compiled for Lighttpd (the new webserver in the documentation set). It took me a while as it wasn’t quite clear why it didn’t work properly, but I found out that the ‘make install’ script has changed to rename the FastCGI version of PHP to php-cgi and to install a CLI version as the php binary. This wasn’t the case with the previous version, where the php binary was also usable as a FastCGI binary. So I had to change the documentation as well.
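As an added example (not from the original post or from the PHP project), here is a small POSIX shell helper that checks which installed binary is the FastCGI SAPI before pointing Lighttpd at it. It assumes `php -v` reports the SAPI name in parentheses on its first line, e.g. "PHP 5.2.3 (cli) (built: ...)" or "PHP 5.2.3 (cgi-fcgi) (built: ...)".

```shell
#!/bin/sh
# Added example, not part of the original post: locate the FastCGI build of
# PHP after `make install`. As of 5.2.3 the CGI/FastCGI SAPI is installed as
# `php-cgi` and the command-line SAPI as `php`; Lighttpd needs the former.
# Assumption: `php -v` prints the SAPI name in parentheses on its first line.

# php_sapi BINARY: print the SAPI name reported by BINARY's -v output
# (e.g. "cli" or "cgi-fcgi"); prints nothing if the line is unparseable.
php_sapi() {
    "$1" -v 2>/dev/null | sed -n '1s/^PHP [^ ]* (\([^)]*\)).*/\1/p'
}

# find_php_cgi DIR: print the path of the first binary in DIR that reports
# the cgi-fcgi SAPI, trying the new name (php-cgi) before the old one (php)
# so both the 5.2.3 layout and the pre-5.2.3 layout are handled.
# Returns 1 if neither binary is the FastCGI build.
find_php_cgi() {
    dir=$1
    for name in php-cgi php; do
        bin="$dir/$name"
        [ -x "$bin" ] || continue
        if [ "$(php_sapi "$bin")" = "cgi-fcgi" ]; then
            printf '%s\n' "$bin"
            return 0
        fi
    done
    return 1
}

# Usage on a real install (hypothetical prefix): find_php_cgi /usr/local/bin
```

Point Lighttpd's fastcgi "bin-path" at whatever this prints; if it prints nothing, the FastCGI SAPI was not built and the cli binary will not serve requests.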
Here are the major changes, bugfixes, improvements and new features:
Security Enhancements and Fixes in PHP 5.2.3:
- Fixed an integer overflow inside chunk_split() (by Gerhard Wagner, CVE-2007-2872)
- Fixed possible infinite loop in imagecreatefrompng() (by Xavier Roche, CVE-2007-2756)
- Fixed ext/filter Email Validation Vulnerability (MOPB-45 by Stefan Esser, CVE-2007-1900)
- Fixed bug #41492 (open_basedir/safe_mode bypass inside realpath()) (by bugs dot php dot net at chsc dot dk)
- Improved fix for CVE-2007-1887 to work with non-bundled sqlite2 lib.
- Added mysql_set_charset() to allow runtime altering of connection encoding.
The key improvements of PHP 5.2.3 include:
- Improved compilation of heredocs and interpolated strings.
- Optimized out a couple of per-request syscalls.
- Optimized digest generation in md5() and sha1() functions.
- Fixed bug #41236 (Regression in timeout handling of non-blocking SSL connections during reads and writes)
- Fixed bug #39542 (Behavior of require/include different to < 5.2.0)
- Fixed bug #41293 (Fixed creation of HTTP_RAW_POST_DATA when there is no default post handler)
- Fixed bug #41347 (checkdnsrr() segfaults on empty hostname)
- Fixed bug #41353 (crash in openssl_pkcs12_read() on invalid input)
- Fixed bug #41403 (json_decode cannot decode floats if localeconv decimal_point is not ‘.’)
- Fixed bug #41421 (Uncaught exception from a stream wrapper segfaults)
- Fixed bug #41504 (json_decode() incorrectly decodes JSON arrays with empty string keys).
- Over 40 bug fixes.
For users upgrading from PHP 5.0 and PHP 5.1, an upgrade guide is available here, detailing the changes between those releases and PHP 5.2.3.
For a full list of changes in PHP 5.2.3, see the ChangeLog.