The PHP development team released a new version of PHP called 5.2.3. Sorry it took some time to blog about it but I had a problem testing it. There was a problem getting it compiled for Lighttpd (the new webserver in the documentation set). It took me a while as it wasn’t quite clear why it didn’t work properly but I found out that the ‘make install’ script has changed to rename the fastcgi version of php to php-cgi and have a cli version of the php binary. This wasn’t the case when using the previous version where the php binary was also usable as a fastcgi. So I had to change the documentation as well.

Here are the major changes, bugfixes, improvements and new features:

Security Enhancements and Fixes in PHP 5.2.3:

  • Fixed an integer overflow inside chunk_split() (by Gerhard Wagner, CVE-2007-2872)
  • Fixed possible infinite loop in imagecreatefrompng. (by Xavier Roche, CVE-2007-2756)
  • Fixed ext/filter Email Validation Vulnerability (MOPB-45 by Stefan Esser, CVE-2007-1900)
  • Fixed bug #41492 (open_basedir/safe_mode bypass inside realpath()) (by bugs dot php dot net at chsc dot dk)
  • Improved fix for CVE-2007-1887 to work with non-bundled sqlite2 lib.
  • Added mysql_set_charset() to allow runtime altering of connection encoding.

The key improvements of PHP 5.2.3 include:

  • Improved compilation of heredocs and interpolated strings.
  • Optimized out a couple of per-request syscalls.
  • Optimized digest generation in md5() and sha1() functions.
  • Fixed bug #41236 (Regression in timeout handling of non-blocking SSL connections during reads and writes)
  • Fixed bug #39542 (Behavior of require/include different to < 5.2.0)
  • Fixed bug #41293 (Fixed creation of HTTP_RAW_POST_DATA when there is no default post handler)
  • Fixed bug #41347 (checkdnsrr() segfaults on empty hostname)
  • Fixed bug #41353 (crash in openssl_pkcs12_read() on invalid input)
  • Fixed bug #41403 (json_decode cannot decode floats if localeconv decimal_point is not ‘.’)
  • Fixed bug #41421 (Uncaught exception from a stream wrapper segfaults)
  • Fixed bug #41504 (json_decode() incorrectly decodes JSON arrays with empty string keys).
  • Over 40 bug fixes.

For users upgrading from PHP 5.0 and PHP 5.1, an upgrade guide is available
here, detailing the changes between those releases
and PHP 5.2.3.

For a full list of changes in PHP 5.2.3, see the ChangeLog.