26Jul

PHP 5.3.3 Upgrade


This evening all Mr.Host web servers have been upgraded to PHP 5.3.3

Backwards incompatible change:

  • Methods with the same name as the last element of a namespaced class name will no longer be treated as constructor. This change doesn’t affect non-namespaced classes.
<?php

namespace Foo;

class Bar {
    public function Bar() {

        // treated as constructor in PHP 5.3.0-5.3.2
        // treated as regular method in PHP 5.3.3
    }
}

?>

There is no impact on migration from 5.2.x because namespaces were only introduced in PHP 5.3.

Security Enhancements and Fixes in PHP 5.3.3:

  • Rewrote var_export() to use smart_str rather than output buffering, prevents data disclosure if a fatal error occurs (CVE-2010-2531).
  • Fixed a possible resource destruction issues in shm_put_var().
  • Fixed a possible information leak because of interruption of XOR operator.
  • Fixed a possible memory corruption because of unexpected call-time pass by refernce and following memory clobbering through callbacks.
  • Fixed a possible memory corruption in ArrayObject::uasort().
  • Fixed a possible memory corruption in parse_str().
  • Fixed a possible memory corruption in pack().
  • Fixed a possible memory corruption in substr_replace().
  • Fixed a possible memory corruption in addcslashes().
  • Fixed a possible stack exhaustion inside fnmatch().
  • Fixed a possible dechunking filter buffer overflow.
  • Fixed a possible arbitrary memory access inside sqlite extension.
  • Fixed string format validation inside phar extension.
  • Fixed handling of session variable serialization on certain prefix characters.
  • Fixed a NULL pointer dereference when processing invalid XML-RPC requests (Fixes CVE-2010-0397, bug #51288).
  • Fixed SplObjectStorage unserialization problems (CVE-2010-2225).
  • Fixed possible buffer overflows in mysqlnd_list_fields, mysqlnd_change_user.
  • Fixed possible buffer overflows when handling error packets in mysqlnd.

Key enhancements in PHP 5.3.3 include:

  • Upgraded bundled sqlite to version 3.6.23.1.
  • Upgraded bundled PCRE to version 8.02.
  • Added FastCGI Process Manager (FPM) SAPI.
  • Added stream filter support to mcrypt extension.
  • Added full_special_chars filter to ext/filter.
  • Fixed a possible crash because of recursive GC invocation.
  • Fixed bug #52238 (Crash when an Exception occured in iterator_to_array).
  • Fixed bug #52041 (Memory leak when writing on uninitialized variable returned from function).
  • Fixed bug #52060 (Memory leak when passing a closure to method_exists()).
  • Fixed bug #52001 (Memory allocation problems after using variable variables).
  • Fixed bug #51723 (Content-length header is limited to 32bit integer with Apache2 on Windows).
  • Fixed bug #48930 (__COMPILER_HALT_OFFSET__ incorrect in PHP >= 5.3).

For users upgrading from PHP 5.2 there is a migration guide available on http://php.net/migration53, detailing the changes between those releases and PHP 5.3.

For a full list of changes in PHP 5.3.3, see the ChangeLog.

06Mar

PHP 5.3.2 Upgrade


This evening all Mr.Host web servers have been upgraded to PHP 5.3.2

Security Enhancements and Fixes in PHP 5.3.2:

  • Improved LCG entropy. (Rasmus, Samy Kamkar)
  • Fixed safe_mode validation inside tempnam() when the directory path does not end with a /). (Martin Jansen)
  • Fixed a possible open_basedir/safe_mode bypass in the session extension identified by Grzegorz Stachowiak. (Ilia)

Key Bug Fixes in PHP 5.3.2 include:

  • Added support for SHA-256 and SHA-512 to php’s crypt.
  • Added protection for $_SESSION from interrupt corruption and improved “session.save_path” check.
  • Fixed bug #51059 (crypt crashes when invalid salt are given).
  • Fixed bug #50940 Custom content-length set incorrectly in Apache sapis.
  • Fixed bug #50847 (strip_tags() removes all tags greater then 1023 bytes long).
  • Fixed bug #50723 (Bug in garbage collector causes crash).
  • Fixed bug #50661 (DOMDocument::loadXML does not allow UTF-16).
  • Fixed bug #50632 (filter_input() does not return default value if the variable does not exist).
  • Fixed bug #50540 (Crash while running ldap_next_reference test cases).
  • Fixed bug #49851 (http wrapper breaks on 1024 char long headers).
  • Over 60 other bug fixes.

For users upgrading from PHP 5.2 there is a migration guide available here, detailing the changes between those releases and PHP 5.3.

Further information and downloads:

For a full list of changes in PHP 5.3.2, see the ChangeLog. For source downloads please visit our downloads page, Windows binaries can be found on windows.php.net/download/.

 

20Nov

PHP 5.3.1 Upgrade


This evening all Mr.Host web servers have been upgraded to PHP 5.3.1

Security Enhancements and Fixes in PHP 5.3.1:

  • Added “max_file_uploads” INI directive, which can be set to limit the number of file uploads per-request to 20 by default, to prevent possible DOS via temporary file exhaustion.
  • Added missing sanity checks around exif processing.
  • Fixed a safe_mode bypass in tempnam().
  • Fixed a open_basedir bypass in posix_mkfifo().
  • Fixed failing safe_mode_include_dir.

Further details about the PHP 5.3.1 release can be found in the release announcement, and the full list of changes are available in the ChangeLog.

09Nov

PHP 5 Upgrade Complete


The upgrade to PHP 5.2.6 was completed a few hours ago, and so far there does not seem to be any adverse affects.

PHP 5.x not only provides literally hundreds of new features, but is also significantly faster than the 4.x branch of PHP. This upgrade will give Mr.Host customers access to some of the more cutting edge web-based applications, as well as allow them to build more dynamic, feature-rich websites.

If you’re experiencing any adverse affects from this upgrade, or have any questions or concerns, please don’t hesitate to contact us directly.

 

26Oct

PHP 5 Upgrade


We’re going to be upgrading all the Mr.Host web servers to the newest version of PHP5 (5.2.6) from the current version (4.4.8) we’re running, in the next few weeks.

For those of you using PHP for your web applications, we’ve setup a temporary test URL, running PHP 5.2.6, for all your sites on port 81 (the default web port is 80)- so for example, you can access your site on both:

http://www.mrhost.ca/ (port 80 – PHP4)

and

http://www.mrhost.ca:81/ (port 81 – PHP5)

Replacing www.mrhost.ca with your website URL.

Most websites should not see any difference between the two versions of PHP, but we are encouraging you to completely test your site under this new test URL; all of the issues related to this upgrade are available here:

http://ca.php.net/manual/en/migration5.php

For those of you not using PHP on your website, you have absolutely nothing to do for this upgrade.

Not sure if you’re affected? Let us know, and we can figure it out for you.

We’ll be aiming to make the final switch for Nov 9th, barring any major issues.

If you have any questions, please don’t hesitate to e-mail us.