October 28, 2016

PHP 5.3.6 Released – Fixes Security Bugs and Upgrades Sqlite3

The PHP development team have released PHP 5.3.6. This maintenance release is designed to improve the stability of the PHP 5.3 series and includes over 60 bug fixes, at least six of which are security related.

According to the release announcement the security enhancements and fixes in PHP 5.3.6 include:

  • Enforce security in the fastcgi protocol parsing with fpm SAPI.
  • Fixed format-string vulnerability on Phar. See CVE-2011-1153
  • Fixed integer overflow in shmop_read(). See CVE-2011-1092
  • Fixed buffer overrun with high values for precision ini setting.
  • Fixed crash on crafted tag in exif. See CVE-2011-0708
  • Fixed ZipArchive segfault with FL_UNCHANGED on empty archive. See CVE-2011-0421

Some of these bugs could have allowed hackers to obtain sensitive information from process memory, cause a denial of service or possibly execute arbitrary code.

Key enhancements in PHP 5.3.6 include:

  • Upgraded bundled Sqlite3 to version 3.7.4.
  • Upgraded bundled PCRE to version 8.11.
  • Added ability to connect to HTTPS sites through proxy with basic authentication using stream_context/http/header/Proxy-Authorization.
  • Added options to debug backtrace functions.
  • Changed default value of ini directive serialize_precision from 100 to 17.
  • Over 60 other bug fixes.

The PHP development team recommend that all users upgrade to 5.3.6 and also remind users the PHP 5.2 is no longer supported.