PHP 5.2.6 plugs security holes
The developers of the PHP scripting language have issued Version 5.2.6, which fixes numerous bugs and plugs some security holes. The changes are comprehensive, including bug fixes to modules that link to third-party products. PHP 5.2.6 also rectifies several flaws that could have caused a crash.
The developers have eliminated errors in the
FastCGI programming interface that could cause stack-based buffer overflows. An integer overflow in
printf() has been fixed, and a previously unknown security leak, number CVE-2008-0599 in the Common Vulnerabilties and Exposures (CVE) database, is said to have been eliminated from PHP 5.2.6. A hole in cURL that attackers could have exploited in order to bypass
safe_mode and a defective patch that was supposed to rectify an endless loop in
zlib have also been corrected.
The accompanying version of the Perl-compatible regular expressions library (PCRE) has now been updated to Version 7.6, which in turn plugs some security holes in that library. A workaround has been included for an error in
libcurl 7.16.2 that might have caused a crash.
The new version has not yet appeared on the download page of the PHP Project, but is already available as a direct download. The change log has not been updated past PHP 5.2.5 either, but the changes are shown in the NEWS file in the source code archive.
Administrators should update to the current version of PHP as soon as possible, because some of the errors it eliminates allow the injection of malicious code. Further tips on safeguarding a PHP-based web server are given in a background article at heise Security, Server peace - Individual security measures for PHP applications.
- change log for PHP 5 by the developers of PHP
- download of the PHP 5.2.6 source code
- download of PHP 5.2.6 for Windows