A few days ago the PHP project released PHP 5.3.7 with over 90 bug fixes, some of them security-related. However, it was quickly discovered that there should have been 91 bugs fixed in 5.3.7, as the crypt() function wasn't working correctly: if crypt() is executed with an MD5 salt, the return value consists of the salt only. DES and Blowfish salts work as expected.
Now PHP 5.3.8 has been released to remedy this. The only other change is a backpedal on some timeout handling: the change caused mysqlnd SSL connections to hang, so it has been reverted, restoring the PHP 5.3.6 behavior.
One of the big security-related changes in 5.3.7 was the update of crypt_blowfish to 1.2. For more details on the crypt_blowfish security changes as implemented in PHP 5.3.7+, see the crypt blowfish page.
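
An added example (not code from the PHP project or from this post): a self-test for the crypt() MD5 failure described above, plus a check for salt-only values that may have been stored while 5.3.7 was running. The function names, the sample salt and the sample rows are constructed for illustration.

```php
<?php
// Added example: detect the crypt() MD5 regression and salt-only stored values.

// A complete MD5-crypt string is "$1$" + salt (up to 8 chars) + "$" + 22-char digest.
function is_complete_md5_crypt($hash)
{
    return preg_match('#^\$1\$[^$]{0,8}\$[./0-9A-Za-z]{22}$#', $hash) === 1;
}

// True when a value is an MD5 salt with no digest after it, i.e. the
// "salt only" return value of the broken crypt().
function is_salt_only_md5_crypt($hash)
{
    return preg_match('#^\$1\$[^$]{0,8}\$?$#', $hash) === 1;
}

// Runtime self-test: hash a constructed password with a constructed MD5 salt
// and confirm the result carries a digest, not just the salt.
// Returns null when this build has no MD5 crypt support.
function crypt_md5_works()
{
    if (!defined('CRYPT_MD5') || CRYPT_MD5 != 1) {
        return null;
    }
    $salt = '$1$examples$';                 // constructed sample salt
    $out  = crypt('sample-password', $salt); // constructed sample password
    return is_string($out) && $out !== $salt && is_complete_md5_crypt($out);
}

// Constructed sample rows standing in for a user table.
$stored = array(
    'alice' => '$1$rasmusle$rISCgZzpwk3UhDidwXvin0', // complete MD5-crypt string
    'bob'   => '$1$examples$',                       // salt only, no digest
);

$status = crypt_md5_works();
echo 'crypt() MD5 self-test: ',
    ($status === null ? 'n/a' : ($status ? 'ok' : 'BROKEN')), "\n";

foreach ($stored as $user => $hash) {
    if (is_salt_only_md5_crypt($hash)) {
        echo "$user: salt-only value stored, force a password reset\n";
    }
}
```

Run the self-test as part of deployment checks, and run the stored-value scan against any account whose password was set or changed while the affected release was live.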