[unisog] Heads up on PHP 5.1.0 -- was Re: Summary PHP Reference Material

H. Morrow Long morrow.long at yale.edu
Sat Nov 26 16:36:20 GMT 2005


Tim Lane -

Also, on Thursday a new updated version of PHP was released (5.1.0)
containing a large number of bug fixes (400+) and security patches. It
is recommended that websites running 5.0 and 5.1 betas upgrade.

- H. Morrow Long, CISSP, CISM, CEH
   University Information Security Officer
   Director -- Information Security Office
   Yale University, ITS

> From: Ilia Alshanetsky
> Date: Thu Nov 24 16:38:51 2005
> Subject: Proposed 5.1 Release Announcement
> Groups: php.announce
>
> The PHP development team is proud to announce the release of PHP 5.1.
> Some of the key features of PHP 5.1 include:
>
> * A complete rewrite of date handling code, with improved timezone support.
> * Significant performance improvements compared to PHP 5.0.X.
> * PDO extension is now enabled by default.
> * Over 30 new functions in various extensions and built-in functionality.
> * Bundled libraries, PCRE and SQLite upgraded to latest versions.
> * Over 400 various bug fixes.
> * PEAR upgraded to version 1.4.5
>
> The full details of the changes in PHP 5.1.0 can be found here:
> http://www.php.net/ChangeLog-5.php#5.1.0
>
> In addition to new features, this release includes a number of important
> security fixes:
>
> * Fixed a Cross Site Scripting (XSS) vulnerability in phpinfo() that
> could lead, e.g., to cookie exposure, when a phpinfo() script is
> accidentally left on a production server.
> * Fixed multiple safe_mode/open_basedir bypass vulnerabilities in
> ext/curl and ext/gd that could lead to exposure of files normally not
> accessible due to safe_mode or open_basedir restrictions.
> * Fixed a possible $GLOBALS overwrite problem in file upload handling,
> extract() and import_request_variables() that could lead to unexpected
> security holes in scripts assumed secure. (For more information, see here).
> * Fixed a problem when a request was terminated due to memory_limit
> constraints during certain parse_str() calls. In some cases this can
> result in register_globals being turned on.
> * Fixed an issue with trailing slashes in allowed basedirs. They were
> ignored by open_basedir checks, so that specified basedirs were handled
> as prefixes and not as full directory names.
> * Fixed an issue with calling virtual() on Apache 2. This allowed
> bypassing of certain configuration directives like safe_mode or
> open_basedir.
> * Updated to the latest pcrelib to fix a possible integer overflow
> vulnerability announced in CAN-2005-2491.
> * Possible header injection in mb_send_mail() function via the To
> address, the first parameter of the function.
>
> All users of PHP 5.0 and early adopters of 5.1 betas are strongly
> advised to upgrade to 5.1 as soon as possible. An upgrade is available
> at http://www.php.net/README_UPGRADE_51.php.
>
> Enjoy,
>
> PHP Development Team.

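The open_basedir item in the quoted announcement describes a classic containment-check mistake: once the trailing slash is stripped, the basedir is compared as a bare string prefix, so "/var/www/site/" also admits "/var/www/site2/...". The C below is an added illustration, not PHP's own code; function names and the sample paths are assumptions, and the check expects an already canonicalised path (realpath()'d, no "..").

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Strip trailing slashes from the basedir, keeping at least one character
 * so "/" stays "/". Returns the effective length. */
static size_t basedir_len(const char *base) {
    size_t n = strlen(base);
    while (n > 1 && base[n - 1] == '/') n--;
    return n;
}

/* Flawed check: the basedir is matched as a bare string prefix, so
 * "/var/www/site/" also admits "/var/www/site2/secret.txt" because both
 * begin with "/var/www/site". */
bool allowed_prefix_only(const char *base, const char *path) {
    size_t n = basedir_len(base);
    return strncmp(base, path, n) == 0;
}

/* Corrected check: the prefix must end exactly at a path separator (or at
 * the end of the string), so the basedir is matched as a whole directory
 * name. The caller must pass a canonical absolute path. */
bool allowed_full_dir(const char *base, const char *path) {
    size_t n = basedir_len(base);
    if (strncmp(base, path, n) != 0) return false;
    if (n == 1 && base[0] == '/') return path[0] == '/';  /* basedir "/" */
    return path[n] == '\0' || path[n] == '/';
}

int main(void) {
    const char *base = "/var/www/site/";   /* constructed sample basedir */
    const char *paths[] = { "/var/www/site/index.php",     /* constructed */
                            "/var/www/site2/secret.txt",   /* constructed */
                            "/var/www/site" };             /* constructed */
    for (size_t i = 0; i < 3; i++)
        printf("%-28s prefix-only=%d full-dir=%d\n", paths[i],
               allowed_prefix_only(base, paths[i]),
               allowed_full_dir(base, paths[i]));
    return 0;
}
```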