This evening all Mr.Host web servers have been upgraded to PHP 5.3.14. We missed a few updates between 5.3.10 and 5.3.14, so this post outlines all the changes since 5.3.10.
5.3.11
Security Enhancements for both PHP 5.3.11 and PHP 5.4.1:
- Fixed bug #54374 (Insufficient validating of upload name leading to corrupted $_FILES indices). (CVE-2012-1172).
- Add open_basedir checks to readline_write_history and readline_read_history.
Security Enhancement affecting PHP 5.3.11 only:
- Fixed bug #61043 (Regression in magic_quotes_gpc fix for CVE-2012-0831).
Key enhancements in these releases include:
- Added debug info handler to DOM objects.
- Fixed bug #61172 (Add Apache 2.4 support).
5.3.12, 5.3.13
The releases complete a fix for a vulnerability in CGI-based setups (CVE-2012-2311). Note: mod_php and php-fpm are not vulnerable to this attack.
PHP 5.4.3 fixes a buffer overflow vulnerability in apache_request_headers() (CVE-2012-2329). The PHP 5.3 series is not vulnerable to this issue.
5.3.14
The release fixes multiple security issues: a weakness in the DES implementation of crypt and a heap overflow issue in the phar extension.
PHP 5.4.4 and PHP 5.3.14 fix over 30 bugs. Please note that the use of php://fd streams is now restricted to the CLI SAPI.
For a full list of changes from PHP 5.3.10 to 5.3.14, see the ChangeLog.