
PHP v5.2.5 Released


PHP 5.2.5 Released [08-Nov-2007]

The PHP development team would like to announce the immediate availability of PHP 5.2.5. This release focuses on improving the stability of the PHP 5.2.x branch with over 60 bug fixes, several of which are security related. All users of PHP are encouraged to upgrade to this release.

Further details about the PHP 5.2.5 release can be found in the release announcement for 5.2.5, the full list of changes is available in the ChangeLog for PHP 5.

Security Enhancements and Fixes in PHP 5.2.5:
  
  • Fixed dl() to only accept filenames. Reported by Laurent Gaffie.
  • Fixed dl() to limit argument size to MAXPATHLEN (CVE-2007-4887). Reported by Laurent Gaffie.
  • Fixed htmlentities/htmlspecialchars not to accept partial multibyte sequences. Reported by Rasmus Lerdorf.
  • Fixed possible triggering of buffer overflows inside glibc implementations of the fnmatch(), setlocale() and glob() functions. Reported by Laurent Gaffie.
  • Fixed "mail.force_extra_parameters" php.ini directive not to be modifiable in .htaccess due to the security implications. Reported by SecurityReason.
  • Fixed bug #42869 (automatic session id insertion adds sessions id to non-local forms).
  • Fixed bug #41561 (Values set with php_admin_* in httpd.conf can be overwritten with ini_set()).

For users upgrading to PHP 5.2 from PHP 5.0 and PHP 5.1, an upgrade guide is available here, detailing the changes between those releases and PHP 5.2.5.
