PHP 4.4.3 closes four-month-old holes
The new PHP version 4.4.3 eliminates 20 non-critical flaws as well as several security holes that have been open for months. These include one in the wordwrap() function that can provoke a buffer overflow, although the developers did not indicate whether that particular flaw could be used to plant and execute code. Also eliminated were vulnerabilities in the tempnam() and phpinfo() functions. These were fixed in PHP 5 as of version 5.1.3 at the beginning of May, and have been public since mid-April 2006.
Beyond that, the safe_mode check for the error_log() function was improved and the parameter validation in substr_compare() was made more secure. The PCRE (Perl Compatible Regular Expressions) library used to evaluate regular expressions was updated to version 6.6 in PHP 4.4.3. The developers recommend installing the updates as soon as possible. Users should also consider, however, whether a complete switch to PHP 5 makes more sense.
- PHP 4.4.3, Release announcement from php.net