PHP 5.3.9 released with hash DoS fix
The PHP developers have announced the release of PHP 5.3.9 which includes the ability to limit the number of input parameters in HTTP requests. The fix addresses the denial of service attack issue which was presented at the 28th Chaos Communication Congress and has led to fixes being applied to many web servers, frameworks and languages. The underlying flaw – that it is possible to make hashes collide and force a system to spend much more CPU time reordering hashed data structures – still persists, but by setting the
max_input_vars directive to a suitably low value, it makes it impossible to send sufficient parameters to trigger that problem. Another denial of service fix in 5.3.9 addresses an integer overflow when processing EXIF headers in JPEG files.
The release also contains numerous non-security-related fixes to areas including garbage collection, memory management, DateTime, PHP-FPM SAPI and SOAP. The developers describe key enhancements that include stopping the
is_a function triggering autoload and allowing mysqlnd to be built shared. A full list of the changes can be found in the change log and the updated source code is available from the download page. Windows binaries for 5.3.9 are also available. All PHP users are encouraged to upgrade to 5.3.9 by the developers.
In other PHP news, the fifth release candidate of PHP 5.4.0 has been released. The first release candidate was made available in November 2011. The developers expect another release candidate, which they hope will be "probably the last release candidate", to be released around 21 January. PHP is distributed under the terms of the PHP Licence 3.01.