[unisog] Heads up on PHP 5.1.0 -- was Re: Summary PHP Reference Material
H. Morrow Long
morrow.long at yale.edu
Sat Nov 26 16:36:20 GMT 2005
Tim Lane -
Also, on Thursday a new updated version of PHP was released (5.1.0)
containing a large number of bug fixes (400+) and security patches. It
is recommended that websites running 5.0 and 5.1 betas upgrade.
- H. Morrow Long, CISSP, CISM, CEH
University Information Security Officer
Director -- Information Security Office
Yale University, ITS
> PHP.net news server web interface
> Ilia Alshanetsky
> Thu Nov 24 16:38:51 2005
> Proposed 5.1 Release Announcement
> The PHP development team is proud to announce the release of PHP 5.1.
> Some of the key features of PHP 5.1 include:
> * A complete rewrite of date handling code, with improved timezone
> * Significant performance improvements compared to PHP 5.0.X.
> * PDO extension is now enabled by default.
> * Over 30 new functions in various extensions and built-in
> * Bundled libraries, PCRE and SQLite upgraded to latest versions.
> * Over 400 various bug fixes.
> * PEAR upgraded to version 1.4.5
> The full details of the changes in PHP 5.1.0 can be found here:
> In addition to new features, this release includes a number of
> security fixes:
> * Fixed a Cross Site Scripting (XSS) vulnerability in phpinfo() that
> could lead f.e. to cookie exposure, when a phpinfo() script is
> accidentally left on a production server.
> * Fixed multiple safe_mode/open_basedir bypass vulnerabilities in
> ext/curl and ext/gd that could lead to exposure of files normally not
> accessible due to safe_mode or open_basedir restrictions.
> * Fixed a possible $GLOBALS overwrite problem in file upload handling,
> extract() and import_request_variables() that could lead to unexpected
> security holes in scripts assumed secure. (For more information,
> see here).
> * Fixed a problem when a request was terminated due to memory_limit
> constraints during certain parse_str() calls. In some cases this can
> result in register_globals being turned on.
> * Fixed an issue with trailing slashes in allowed basedirs. They were
> ignored by open_basedir checks, so that specified basedirs were
> treated as prefixes and not as full directory names.
> * Fixed an issue with calling virtual() on Apache 2. This allowed
> bypassing of certain configuration directives like safe_mode or
> * Updated to the latest pcrelib to fix a possible integer overflow
> vulnerability announced in CAN-2005-2491.
> * Possible header injection in mb_send_mail() function via the To
> address, the first parameter of the function.
> All users of PHP 5.0 and early adopters of 5.1 betas are strongly
> advised to upgrade to 5.1 as soon as possible. An upgrade is available
> at http://www.php.net/README_UPGRADE_51.php.
> PHP Development Team.
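As an added illustration (not part of the quoted announcement or of PHP's own source), here is a small Python model of the open_basedir trailing-slash issue listed above: the pre-5.1.0 behaviour is modelled as a bare string-prefix test in which the trailing slash carries no meaning, so a basedir of `/var/www/` also admits `/var/www2/...`; the corrected check only accepts the directory itself or paths below it. The basedir list and request paths are constructed sample values, and symlink resolution (which the real engine performs) is left out so the model runs offline.

```python
import posixpath

# Constructed sample open_basedir configuration (hypothetical paths).
OPEN_BASEDIR = ["/var/www/", "/tmp/php-uploads/"]


def _normalize(path):
    # Collapse "." and ".." segments and drop trailing slashes, so that
    # "/var/www/../etc/passwd" becomes "/etc/passwd".  The real engine also
    # resolves symlinks (realpath); this offline model skips that step.
    return posixpath.normpath(path)


def naive_basedir_allows(path, basedirs=OPEN_BASEDIR):
    """Model of the pre-5.1.0 check described in the announcement.

    The configured basedir is compared as a plain string prefix, so the
    trailing slash is effectively ignored and "/var/www" also matches
    "/var/www2/config.php".
    """
    real = _normalize(path)
    return any(real.startswith(_normalize(b)) for b in basedirs)


def strict_basedir_allows(path, basedirs=OPEN_BASEDIR):
    """Corrected check: a basedir matches only itself or paths below it.

    The prefix must end at a directory boundary, which is what treating the
    configured value as a full directory name (not a prefix) means.
    """
    real = _normalize(path)
    for b in basedirs:
        base = _normalize(b)
        if real == base or real.startswith(base.rstrip("/") + "/"):
            return True
    return False


def compare(paths, basedirs=OPEN_BASEDIR):
    """Return {path: (naive_result, strict_result)} for a list of requests."""
    return {
        p: (naive_basedir_allows(p, basedirs), strict_basedir_allows(p, basedirs))
        for p in paths
    }


if __name__ == "__main__":
    # Constructed sample requests: the second one is the sibling-directory
    # case that the trailing-slash bug let through.
    samples = [
        "/var/www/index.php",
        "/var/www2/config.php",
        "/var/www/../etc/passwd",
        "/tmp/php-uploads/upload.bin",
    ]
    for p, (naive, strict) in compare(samples).items():
        print(f"{p:32} naive={str(naive):5} strict={strict}")
```

The sibling-directory case is the one worth watching in a model like this: any check that strips the trailing separator before comparing must add it back (or compare path components) before doing a prefix test, otherwise every configured directory silently admits every directory whose name merely begins with the same characters.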