PHP 5.2.5 have just been released with over 60 bug fixes, including security fixes, but the main purpose of this release is stability according to PHP.net official announcement. Many hosting providers are currenty moving all their customers from PHP4 to PHP5, such Hostdepot, who announced that complete move from PHP 4.3.10 to PHP 5.2.4 will be done on December 1st. More details on this 5.2.5 release are available here. All users of PHP are encouraged to upgrade to this release.
Security Enhancements and Fixes in PHP 5.2.5:
- Fixed dl() to only accept filenames. Reported by Laurent Gaffie.
- Fixed dl() to limit argument size to MAXPATHLEN (CVE-2007-4887). Reported by Laurent Gaffie.
- Fixed htmlentities/htmlspecialchars not to accept partial multibyte sequences. Reported by Rasmus Lerdorf
- Fixed possible triggering of buffer overflows inside glibc implementations of the fnmatch(), setlocale() and glob() functions. Reported by Laurent Gaffie.
- Fixed “mail.force_extra_parameters” php.ini directive not to be modifiable in .htaccess due to the security implications. Reported by SecurityReason.
- Fixed bug #42869 (automatic session id insertion adds sessions id to non-local forms).
- Fixed bug #41561 (Values set with php_admin_* in httpd.conf can be overwritten with ini_set()).
