PHP 5.3.10 released, update now

sugarcrmdevelopers —  February 9, 2012 — 2 Comments

If you haven’t already, be sure to upgrade to the latest PHP 5.3.10 release, as it contains fixes for several recently reported security vulnerabilities. Source tarballs and Windows binaries are available from php.net; if you install PHP from your distro’s packages, check that those are up to date as well.

We still have lots of users running PHP 5.2.x, and we strongly encourage you to upgrade those instances as soon as possible. Not only has the 5.2 line received no bug fixes in the past year, you are also running without the fixes for the following security issues (taken from the PHP changelog at http://www.php.net/ChangeLog-5.php). Note that the first entry, CVE-2012-0830, was introduced in 5.3.9 and affects only that release; the remaining entries are the ones that matter for a 5.2 install:

  • Fixed arbitrary remote code execution vulnerability reported by Stefan Esser, CVE-2012-0830.
  • Updated crypt_blowfish to 1.2. (CVE-2011-2483) (Solar Designer) (more info)
  • Fixed bug #54939 (File path injection vulnerability in RFC1867 File upload filename). (Felipe) Reported by Krzysztof Kotowicz. (CVE-2011-2202)
  • Fixed bug #54238 (use-after-free in substr_replace()). (Stas) (CVE-2011-1148)
  • Fixed stack buffer overflow in socket_connect(). (CVE-2011-1938) Found by Mateusz Kocielski, Marek Kroemeke and Filip Palian. (Felipe)
  • Fixed bug #54002 (crash on crafted tag, reported by Luca Carettoni). (Pierre) (CVE-2011-0708)
  • Fixed bug #54247 (format-string vulnerability on Phar). (Felipe) (CVE-2011-1153)
  • Fixed bug #54193 (Integer overflow in shmop_read()). (Felipe) Reported by Jose Carlos Norte (CVE-2011-1092)
  • Fixed bug #53885 (ZipArchive segfault with FL_UNCHANGED on empty archive). (Stas, Maksymilian Arciemowicz). (CVE-2011-0421)

This, along with the numerous performance and stability gains of the PHP 5.3 line, is definitely a good reason to make the switch today.
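The post tells you to compare your version against 5.3.10 but does not show how to do it safely; a naive string comparison puts "5.3.10" before "5.3.9". The following is an added example, not SugarCRM’s or the PHP project’s code: it classifies a PHP version string against the releases discussed above using PHP’s own version_compare(). The function name, the status strings and the sample version list are this example’s own; the release facts (5.3.10 being current, CVE-2012-0830 affecting only 5.3.9, the 5.2 line being out of support) are from the post and the PHP changelog.

```php
<?php
// Added example (not from the original post): classify a PHP version
// string against the 5.3.10 release. php_update_status() and its return
// strings are hypothetical names chosen for this example.

function php_update_status($version)
{
    // version_compare() understands dotted versions, so 5.3.10 > 5.3.9,
    // whereas a plain string comparison would get that backwards.
    if (version_compare($version, '5.3.10', '>=')) {
        return 'current';
    }
    if (version_compare($version, '5.3.9', '==')) {
        // 5.3.9 introduced the bug fixed as CVE-2012-0830; no other
        // release carries it, but 5.3.9 must move to 5.3.10.
        return 'vulnerable: CVE-2012-0830 (5.3.9 only), upgrade to 5.3.10';
    }
    if (version_compare($version, '5.3.0', '>=')) {
        // Older 5.3.x builds lack the fixes that landed in later 5.3
        // releases, including the CVE-2011-* entries listed in the post.
        return 'outdated 5.3.x: missing later 5.3 security fixes, upgrade to 5.3.10';
    }
    // 5.2 and older are out of support: none of the listed fixes apply.
    return 'unsupported (5.2.x or older): migrate to 5.3.10';
}

// Constructed sample inputs covering each branch, plus the running interpreter.
$samples = array('5.2.17', '5.3.5', '5.3.8', '5.3.9', '5.3.10', '5.3.3-7+squeeze8');
foreach ($samples as $v) {
    printf("%-18s %s\n", $v, php_update_status($v));
}
printf("%-18s %s\n", PHP_VERSION, php_update_status(PHP_VERSION));
```

One caveat for anyone relying on this on a packaged install: distributions such as Debian and Red Hat backport security fixes without bumping the upstream version, so a string like 5.3.3-7+squeeze8 will be reported as outdated even when the distro package already carries the relevant patch. For those systems the package changelog or the vendor’s security advisory, not PHP_VERSION, is the authoritative check.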

2 responses to PHP 5.3.10 released, update now

  1. It is worth noting that the main vulnerability noted above was only introduced in 5.3.9, so if you are running an older version, the arbitrary remote code execution vulnerability reported by Stefan Esser, CVE-2012-0830, is not a problem – more information here: http://thexploit.com/sec/critical-php-remote-vulnerability-introduced-in-fix-for-php-hashtable-collision-dos/
