Oden’s Temple

Due to unfortunate circumstances Windows binaries for PECL extensions will no longer be available on http://pecl4win.php.net.

Work is being done to incorporate Windows binaries for PECL extensions into pecl.php.net and will hopefully be ready during the 1st quarter 2009

The PHP Development Team would like to announce the immediate availability of PHP 5.2.8. This release addresses a regression introduced by 5.2.7 in regard to the magic_quotes functionality, which was broken by an incorrect fix to the filter extension. All users who have upgraded to 5.2.7 are encouraged to upgrade to this release. Alternatively you can apply a work-around for the bug by changing "filter.default_flags=0" in php.ini.

Due to a security bug found in the PHP 5.2.7 release, it has been removed from distribution. The bug affects configurations where magic_quotes_gpc is enabled, because it remains off even when set to on. In the meantime, use PHP 5.2.6 until PHP 5.2.8 is later released.

The PHP development team would like to announce the immediate availability of PHP 5.2.7. This release focuses on improving the stability of the PHP 5.2.x branch with over 120 bug fixes, several of which are security related. All users of PHP are encouraged to upgrade to this release.

Security Enhancements and Fixes in PHP 5.2.7:

• Upgraded PCRE to version 7.8 (Fixes CVE-2008-2371)
• Fixed missing initialization of BG(page_uid) and BG(page_gid), reported by Maksymilian Arciemowicz.
• Fixed incorrect php_value order for Apache configuration, reported by Maksymilian Arciemowicz.
• Fixed a crash inside gd with invalid fonts (Fixes CVE-2008-3658).
• Fixed a possible overflow inside memnstr (Fixes CVE-2008-3659).
• Fixed security issues detailed in CVE-2008-2665 and CVE-2008-2666.
• Fixed bug #45151 (Crash with URI/file..php (filename contains 2 dots)).(Fixes CVE-2008-3660)
• Fixed bug #42862 (IMAP toolkit crash: rfc822.c legacy routine buffer overflow). (Fixes CVE-2008-2829)
• Fixed extraction of zip files and directories with crafted entries, reported by Stefan Esser.

Further details about the PHP 5.2.7 release can be found in the release announcement for 5.2.7, the full list of changes is available in the ChangeLog for PHP 5.

Update (December 6th): Added missing zip security fix

The PHP development team is proud to announce the third alpha release of the upcoming PHP 5.3.0 minor version update of PHP. Several new features have already been documented in the official documentation, others are listed on the wiki in preparation of getting documented. It is imperative that more people join the effort to complete the documentation for PHP 5.3.0. Please also review the NEWS file.

The purpose of this alpha release is to encourage users to not only actively participate in identifying bugs, but also in ensuring that all new features or necessary backwards compatibility breaks are noted in the documentation. Please report any findings to the QA mailinglist or the bug tracker.

There have been a great number of other additions and improvements since the last alpha, but here is a short overview of the most important changes:

• Namespaces (documentation has been updated to the current state)
• Rounding behavior
• ext/msql has been removed, while ext/ereg will now raise E_DEPRECATED notices
• ext/mhash has been replaced by ext/hash but full BC is maintained
• PHP now uses cc as the default compiler, instead of gcc
• A number of bug fixes to ext/pdo, ext/soap, the stream layer among others

Several under the hood changes also require in depth testing with existing applications to ensure that any backwards compatibility breaks are minimized.

The current release plan expects a stable release sometime around the end of Q1 2009.

December is a busy and exciting time of the year. PHP Advent is an attempt to capture and share doses of wisdom from a few of the people in the PHP community who have been kind enough to share their thoughts and tips. Please join us on our daily journey by subscribing to our feed or following us on Twitter. Happy holidays.