PHP 5.2.3 released
With the new version of PHP, version 5.2.3, the developers have fixed multiple security-related vulnerabilities. According to the release notes, it includes fixes for an integer overflow in the chunk_split() function and a possible path traversal bypassing path restrictions in safe mode resulting from a bug in the realpath() function, plus resolution of a vulnerability in the imagecreatefrompng() function that might cause it to enter an infinite loop.
Two more bug fixes, one in the timeout handling for SSL connections and one relating to missing HTTP_RAW_POST data, are revisions to patches in the previous version 5.2.2. The developers are clearly still busy cleaning up after the Month of PHP Bugs: A patch for the integrated e-mail address filter, which can be circumvented by adding a line feed character, didn't make it into version 5.2.2, but is now included in this update.
Unfortunately it is not possible to determine in detail from the release notes the possible effects of the vulnerabilities and bugs which have been fixed. Given the sparseness of the information provided, even experienced systems administrators are likely to find it difficult to estimate the urgency with which the update needs to be installed. However security services provider FrSIRT categorises the urgency as 'moderate'. The PHP development team merely indicate succinctly that all users should update to the new version.
See also:
- PHP 5.2.3 Released, official release notes for the new version
- New PHP versions fix numerous holes, article on heise Security on the previous version
(mba)