December 6, 2016

PHP 5.3.8 Released With Fix for Crypt() Bug

A few days ago the PHP project released PHP 5.3.7 with over 90 bug fixes – some of them security related. However, it was quickly discovered that there should have been 91 bugs fixed in 5.3.7, as the crypt() function wasn't working correctly. If crypt() is executed with MD5 salts, the return value consists of the salt only. DES and BLOWFISH salts worked as expected.

Now PHP 5.3.8 has been released to remedy this. The only other change is a back-pedal on a timeout-handling change introduced in 5.3.7, which had caused mysqlnd SSL connections to hang; the PHP 5.3.6 behavior is restored.
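Because the broken crypt() returns the salt itself, a naive round-trip check (hash the password again with the stored hash as salt and compare) passes on the buggy build: both calls return the salt, so they compare equal. The following is an added example, not code from the article or from the PHP project, showing a structural self-test that a deployment could run at bootstrap to refuse to store MD5-crypt output that carries no hash body. The salt and password values are constructed for the test, and the function names are the example's own.

```php
<?php
// Added example: detect a crypt() build that returns only the salt for
// MD5 ("$1$") salts, as PHP 5.3.7 did, before any hash is stored.

/**
 * True when $hash is a complete MD5-crypt digest:
 * "$1$" + salt (1-8 chars of [./0-9A-Za-z]) + "$" + 22-char hash body.
 * A salt-only return value ("$1$saltsalt$") has no body and fails this.
 */
function isCompleteMd5Crypt($hash)
{
    return (bool) preg_match('#^\$1\$[./0-9A-Za-z]{1,8}\$[./0-9A-Za-z]{22}$#', $hash);
}

/**
 * Hash $password with an MD5-crypt salt and refuse to return a truncated result.
 */
function hashPasswordMd5($password, $salt)
{
    $hash = crypt($password, $salt);
    if (!isCompleteMd5Crypt($hash)) {
        throw new RuntimeException(
            'crypt() returned an incomplete MD5 hash (' . $hash . '); refusing to store it'
        );
    }
    return $hash;
}

/**
 * Bootstrap self-test. Returns true only when crypt() produces a full digest.
 * Note the round-trip test crypt($pw, $hash) === $hash is deliberately NOT used:
 * on the buggy build both sides equal the salt, so it would report success.
 */
function cryptMd5SelfTest()
{
    $salt = '$1$saltsalt$';              // constructed test salt
    $hash = crypt('correct horse', $salt); // constructed test password
    return $hash !== $salt && isCompleteMd5Crypt($hash);
}

if (!cryptMd5SelfTest()) {
    // On an affected build, fail closed rather than silently storing salts as hashes.
    throw new RuntimeException('crypt() MD5 self-test failed: upgrade PHP (5.3.8 or later)');
}
```

Worth noting for anyone who ran 5.3.7 in production: any password "hash" written by the broken crypt() is just the salt, and verifying an input against it with crypt() on the same build yields the salt again, so every candidate password matches. Such records cannot be repaired after the upgrade and should be treated as needing a reset.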

For a full list of changes in PHP 5.3.8, see the ChangeLog. For source downloads please visit our downloads page, Windows binaries can be found on windows.php.net/download/.

One of the big security related changes in 5.3.7 was the update of crypt_blowfish to 1.2. For more details on the crypt_blowfish security changes as implemented in PHP 5.3.7+ see the crypt blowfish page.

PHP 5.3.7 Fixes Over 90 Bugs – Some Security Related (Updated)

Update: Due to unfortunate issues with 5.3.7 (see bug#55439), users should not upgrade to 5.3.7 but wait until 5.3.8 is released (it is expected in a few days). According to the bug report: If crypt() is executed with MD5 salts, the return value consists of the salt only. DES and BLOWFISH salts work as expected.

(LiveHacking.Com) – The PHP development team has announced the immediate availability of PHP 5.3.7. This release focuses on improving the stability of the PHP 5.3.x branch with over 90 bug fixes, some of which are security related.

Security Enhancements and Fixes in PHP 5.3.7:

  • Updated crypt_blowfish to 1.2. (CVE-2011-2483)
  • Fixed crash in error_log(). Reported by Mateusz Kocielski
  • Fixed buffer overflow on overlong salt in crypt().
  • Fixed bug #54939 (File path injection vulnerability in RFC1867 File upload filename). Reported by Krzysztof Kotowicz. (CVE-2011-2202)
  • Fixed stack buffer overflow in socket_connect(). (CVE-2011-1938)
  • Fixed bug #54238 (use-after-free in substr_replace()). (CVE-2011-1148)

It is also worth noting that PHP 5.2 is no longer supported and users should upgrade to PHP 5.3.7. The new release's source code is available to download, as are Windows binaries. Linux and FreeBSD users should see updates from their distribution providers soon.