Mr.Host Web Hosting - reliable, affordable, Canadian web hosting.

This evening all Mr.Host web servers have been upgraded to PHP 5.3.8

This release fixes two issues introduced in the PHP 5.3.7 release:

• Fixed bug #55439 (crypt() returns only the salt for MD5)
• Reverted a change in timeout handling restoring PHP 5.3.6 behavior, which caused mysqlnd SSL connections to hang (Bug #55283).

This evening all Mr.Host web servers have been upgraded to PHP 5.3.7

Security Enhancements and Fixes in PHP 5.3.7:

• Updated crypt_blowfish to 1.2. (CVE-2011-2483)
• Fixed crash in error_log(). Reported by Mateusz Kocielski
• Fixed buffer overflow on overlog salt in crypt().
• Fixed bug #54939 (File path injection vulnerability in RFC1867 File upload filename). Reported by Krzysztof Kotowicz. (CVE-2011-2202)
• Fixed stack buffer overflow in socket_connect(). (CVE-2011-1938)
• Fixed bug #54238 (use-after-free in substr_replace()). (CVE-2011-1148)

Key enhancements in PHP 5.3.7 include:

• Upgraded bundled Sqlite3 to version 3.7.7.1
• Upgraded bundled PCRE to version 8.12
• Fixed bug #54910 (Crash when calling call_user_func with unknown function name)
• Fixed bug #54585 (track_errors causes segfault)
• Fixed bug #54262 (Crash when assigning value to a dimension in a non-array)
• Fixed a crash inside dtor for error handling
• Fixed bug #55339 (Segfault with allow_call_time_pass_reference = Off)
• Fixed bug #54935 php_win_err can lead to crash
• Fixed bug #54332 (Crash in zend_mm_check_ptr // Heap corruption)
• Fixed bug #54305 (Crash in gc_remove_zval_from_buffer)
• Fixed bug #54580 (get_browser() segmentation fault when browscap ini directive is set through php_admin_value)
• Fixed bug #54529 (SAPI crashes on apache_config.c:197)
• Fixed bug #54283 (new DatePeriod(NULL) causes crash).
• Fixed bug #54269 (Short exception message buffer causes crash)
• Fixed Bug #54221 (mysqli::get_warnings segfault when used in multi queries)
• Fixed bug #54395 (Phar::mount() crashes when calling with wrong parameters)
• Fixed bug #54384 (Dual iterators, GlobIterator, SplFileObject and SplTempFileObject crash when user-space classes don’t call the parent constructor)
• Fixed bug #54292 (Wrong parameter causes crash in SplFileObject::__construct())
• Fixed bug #54291 (Crash iterating DirectoryIterator for dir name starting with \0)
• Fixed bug #54281 (Crash in non-initialized RecursiveIteratorIterator)
• Fixed bug #54623 (Segfault when writing to a persistent socket after closing a copy of the socket)
• Fixed bug #54681 (addGlob() crashes on invalid flags)
• Over 80 other bug fixes.

This evening all Mr.Host web servers have been upgraded to PHP 5.3.6.

Security Enhancements and Fixes in PHP 5.3.6:

• Enforce security in the fastcgi protocol parsing with fpm SAPI.
• Fixed bug #54247 (format-string vulnerability on Phar). (CVE-2011-1153)
• Fixed bug #54193 (Integer overflow in shmop_read()). (CVE-2011-1092)
• Fixed bug #54055 (buffer overrun with high values for precision ini setting).
• Fixed bug #54002 (crash on crafted tag in exif). (CVE-2011-0708)
• Fixed bug #53885 (ZipArchive segfault with FL_UNCHANGED on empty archive). (CVE-2011-0421)

Key enhancements in PHP 5.3.6 include:

• Upgraded bundled Sqlite3 to version 3.7.4.
• Upgraded bundled PCRE to version 8.11.
• Added ability to connect to HTTPS sites through proxy with basic authentication using stream_context/http/header/Proxy-Authorization.
• Added options to debug backtrace functions.
• Changed default value of ini directive serialize_precision from 100 to 17.
• Fixed Bug #53971 (isset() and empty() produce apparently spurious runtime error).
• Fixed Bug #53958 (Closures can’t ‘use’ shared variables by value and by reference).
• Fixed bug #53577 (Regression introduced in 5.3.4 in open_basedir with a trailing forward slash).
• Over 60 other bug fixes.

For a full list of changes in PHP 5.3.6, see the ChangeLog.