Update: Due to unfortunate issues with 5.3.7 (see bug #55439), users should not upgrade to 5.3.7 but wait until 5.3.8 is released (it is expected in a few days). According to the bug report: If crypt() is executed with MD5 salts, the return value consists of the salt only. DES and BLOWFISH salts work as expected.
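A deployment self-test for the crypt() regression described in the update, written here as an added example (it is not code from the article or from the PHP project); the salt and passwords are constructed values, and the script uses PHP 5.3 syntax so it runs on the affected release:

```php
<?php
// Added example: self-test for the PHP 5.3.7 crypt() regression (bug #55439),
// in which crypt() called with an MD5 salt returns only the salt instead of
// a full "$1$<salt>$<22 chars>" hash. DES and Blowfish salts are unaffected.

// $password and $salt are constructed sample values; the salt is in
// MD5-crypt format ("$1$" + up to 8 salt characters + "$").
function check_md5_crypt($password = 'correct horse', $salt = '$1$examples$')
{
    $hash = crypt($password, $salt);

    // Symptom of the regression: the result is exactly the salt that was
    // passed in (or no longer than it), rather than a well-formed hash.
    $returnsSaltOnly = ($hash === $salt) || (strlen($hash) <= strlen($salt));
    $wellFormed = (bool) preg_match(
        '#^\$1\$[./0-9A-Za-z]{1,8}\$[./0-9A-Za-z]{22}$#', $hash);

    // Consequence for a login check of the form crypt($input, $stored) === $stored:
    // if $stored was produced by the broken crypt(), it is just the salt, and the
    // broken crypt() returns that same salt for any input, so any password "matches".
    // On a healthy build this comparison is false.
    $anyPasswordMatches = (crypt('definitely wrong', $hash) === $hash);

    return array(
        'hash'                 => $hash,
        'affected'             => $returnsSaltOnly || !$wellFormed,
        'any_password_matches' => $anyPasswordMatches,
    );
}

$result = check_md5_crypt();
printf("PHP %s: crypt() returned %s\n", PHP_VERSION, $result['hash']);
if ($result['affected']) {
    echo "Affected by bug #55439: do not use this build for MD5-crypt password hashing.\n";
    exit(1);
}
echo "MD5-crypt behaves correctly on this build.\n";
```

Run it once on the target PHP build before relying on crypt() for password storage; a non-zero exit means the build must be held back as the update advises.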
(LiveHacking.Com) – The PHP development team has announced the immediate availability of PHP 5.3.7. This release focuses on improving the stability of the PHP 5.3.x branch with over 90 bug fixes, some of which are security related.
Security Enhancements and Fixes in PHP 5.3.7:
- Updated crypt_blowfish to 1.2. (CVE-2011-2483)
- Fixed crash in error_log(). Reported by Mateusz Kocielski
- Fixed buffer overflow on overlong salt in crypt().
- Fixed bug #54939 (File path injection vulnerability in RFC1867 File upload filename). Reported by Krzysztof Kotowicz. (CVE-2011-2202)
- Fixed stack buffer overflow in socket_connect(). (CVE-2011-1938)
- Fixed bug #54238 (use-after-free in substr_replace()). (CVE-2011-1148)
It is also worth noting that PHP 5.2 is no longer supported and users should upgrade to PHP 5.3.7. The new release’s source code is available to download, as are Windows binaries. Linux and FreeBSD users should see updates from their distribution providers soon.