PHP 5.3.7 update closes security holes
The PHP developers have released PHP 5.3.7, a security and maintenance update to the stable branch of the PHP scripting language. Over ninety bug fixes have been applied, along with updates to the bundled SQLite3 (to version 3.7.7.1) and PCRE (to version 8.12). The bug fixes resolve a number of crashes, among them when using track_errors, when calling unknown function names and when passing NULL to the DatePeriod constructor. Full details of all the modifications are in the change log.
On the security side, a high severity use-after-free in substr_replace() (CVE-2011-1148) and a high severity stack buffer overflow in socket_connect() (CVE-2011-1938) have also been fixed. One medium severity issue fixed is a path injection vulnerability in the file upload mechanism (CVE-2011-2202): the upload handler is meant to strip directory components from the client-supplied filename, but a filename beginning with '/' or '\' did not have that leading separator removed and was handed to the application as is. The release also updates crypt_blowfish to version 1.2, correcting the handling of passwords containing characters with bit 8 set (such as German umlauts), prevents a crash in error_log() and fixes a buffer overflow in crypt().
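The upload fix above only makes PHP's own handling of the client-supplied name safer; an application should still never build a destination path from $_FILES[...]['name'] without sanitising it. The following is an added example, not code from the PHP project or from the original article, showing that application-side counterpart. The helper names safe_upload_name() and store_upload() and the test vectors are constructed for this illustration; the vectors mirror the shape of the CVE-2011-2202 input (a name starting with '/' or '\').

```php
<?php
// Added example (not the PHP project's code): defence in depth for uploaded
// filenames, independent of the 5.3.7 fix in the rfc1867 upload handler.
// Helper names and test vectors below are constructed for this illustration.

/**
 * Reduce a client-supplied upload name to a safe leaf name.
 * - Strips every directory component, for both '/' and '\' separators, so
 *   "/etc/passwd", "\..\x.php" and "../x" all collapse to their last segment.
 *   (basename() alone only understands '\' on Windows, hence the str_replace.)
 * - Replaces anything outside a conservative whitelist.
 * Returns null when nothing safe remains; the caller must then reject the file.
 */
function safe_upload_name($clientName)
{
    $leaf = basename(str_replace('\\', '/', (string) $clientName));
    $leaf = preg_replace('/[^A-Za-z0-9._-]/', '_', $leaf);
    // Refuse empty results and dot-only names such as "." or "..".
    if ($leaf === '' || ltrim($leaf, '.') === '') {
        return null;
    }
    return $leaf;
}

/**
 * Store one entry of $_FILES under a fixed directory using the sanitised name.
 * move_uploaded_file() refuses anything PHP did not itself receive as an
 * upload, and the realpath() check keeps the target inside $uploadDir.
 * Returns the destination path on success, false otherwise.
 */
function store_upload(array $file, $uploadDir)
{
    if (!isset($file['error']) || $file['error'] !== UPLOAD_ERR_OK) {
        return false;
    }
    $name = safe_upload_name($file['name']);
    if ($name === null) {
        return false;
    }
    $realDir = realpath($uploadDir);
    if ($realDir === false) {
        return false;
    }
    $dest = $realDir . DIRECTORY_SEPARATOR . $name;
    // Belt and braces: the directory part of the target must be $uploadDir itself.
    if (realpath(dirname($dest)) !== $realDir) {
        return false;
    }
    return move_uploaded_file($file['tmp_name'], $dest) ? $dest : false;
}

// Constructed test vectors: input name => expected sanitised result.
$vectors = array(
    '/etc/passwd'      => 'passwd',     // leading '/', the CVE-2011-2202 shape
    '\\..\\..\\x.php'  => 'x.php',      // leading '\' plus traversal
    '../../shell.php'  => 'shell.php',  // relative traversal
    '..'               => null,         // nothing safe left, reject
    'report 2011.pdf'  => 'report_2011.pdf',
);
foreach ($vectors as $in => $expected) {
    $out = safe_upload_name($in);
    printf("%-20s -> %s\n", var_export($in, true), var_export($out, true));
    assert($out === $expected);
}
```

In a real handler, call store_upload($_FILES['upload'], '/var/www/uploads') and treat a false return as a rejected request; the printed table is only there so the sanitiser's behaviour on the constructed vectors can be inspected directly.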
The PHP developers also remind users that PHP 5.2 is no longer supported and encourage users to upgrade to PHP 5.3.7. The new release's source code is available to download, as are Windows binaries. PHP is licensed under the PHP License 3.01.