The wiki.php.net box was compromised and the attackers were able to collect wiki account credentials. No other machines in the php.net infrastructure appear to have been affected. Our biggest concern is, of course, the integrity of our source code. We did an extensive code audit and looked at every commit since 5.3.5 to make sure that no stolen accounts were used to inject anything malicious. Nothing was found. The compromised machine has been wiped and we are forcing a password change for all svn accounts.

We are still investigating the details of the attack which combined a vulnerability in the Wiki software with a Linux root exploit.

The PHP development team would like to announce the immediate availability of PHP 5.3.6. This release focuses on improving the stability of the PHP 5.3.x branch with over 60 bug fixes, some of which are security related.

Security Enhancements and Fixes in PHP 5.3.6:

• Enforce security in the fastcgi protocol parsing with fpm SAPI.
• Fixed bug #54247 (format-string vulnerability on Phar). (CVE-2011-1153)
• Fixed bug #54193 (Integer overflow in shmop_read()). (CVE-2011-1092)
• Fixed bug #54055 (buffer overrun with high values for precision ini setting).
• Fixed bug #54002 (crash on crafted tag in exif). (CVE-2011-0708)
• Fixed bug #53885 (ZipArchive segfault with FL_UNCHANGED on empty archive). (CVE-2011-0421)

Key enhancements in PHP 5.3.6 include:

• Upgraded bundled Sqlite3 to version 3.7.4.
• Upgraded bundled PCRE to version 8.11.
• Added ability to connect to HTTPS sites through proxy with basic authentication using stream_context/http/header/Proxy-Authorization.
• Added options to debug backtrace functions.
• Changed default value of ini directive serialize_precision from 100 to 17.
• Fixed Bug #53971 (isset() and empty() produce apparently spurious runtime error).
• Fixed Bug #53958 (Closures can't 'use' shared variables by value and by reference).
• Fixed bug #53577 (Regression introduced in 5.3.4 in open_basedir with a trailing forward slash).
• Over 60 other bug fixes.

Windows users: please mind that we do no longer provide builds created with Visual Studio C++ 6. It is impossible to maintain a high quality and safe build of PHP for Windows using this unmaintained compiler.

For Apache SAPIs (php5_apache2_2.dll), be sure that you use a Visual Studio C++ 9 version of Apache. We recommend the Apache builds as provided by ApacheLounge. For any other SAPI (CLI, FastCGI via mod_fcgi, FastCGI with IIS or other FastCGI capable server), everything works as before. Third party extension providers must rebuild their extensions to make them compatible and loadable with the Visual Studio C++9 builds that we now provide.

All PHP users should note that the PHP 5.2 series is NOT supported anymore. All users are strongly encouraged to upgrade to PHP 5.3.6.

For a full list of changes in PHP 5.3.6, see the ChangeLog. For source downloads please visit our downloads page, Windows binaries can be found on windows.php.net/download/.

The PHP development team would like to announce the immediate availability of PHP 5.3.5 and 5.2.17.

This release resolves a critical issue, reported as PHP bug #53632 and CVE-2010-4645, where conversions from string to double might cause the PHP interpreter to hang on systems using x87 FPU registers.

The problem is known to only affect x86 32-bit PHP processes, regardless of whether the system hosting PHP is 32-bit or 64-bit. You can test whether your system is affected by running this script from the command line.

All users of PHP are strongly advised to update to these versions immediately.

The PHP development team would like to announce the immediate availability of PHP 5.2.16. This release marks the end of support for PHP 5.2. All users of PHP 5.2 are encouraged to upgrade to PHP 5.3.

This release focuses on addressing a regression in open_basedir implementation introduced in 5.2.15 in addition to fixing a crash inside PDO::pgsql on data retrieval when the server is down. All users who have upgraded to 5.2.15 and are utilizing open_basedir are strongly encouraged to upgrade to 5.2.16 or 5.3.4.

To prepare for upgrading to PHP 5.3, now that PHP 5.2's support ended, a migration guide available on http://php.net/migration53, details the changes between PHP 5.2 and PHP 5.3.

For a full list of changes in PHP 5.2.16 see the ChangeLog at http://www.php.net/ChangeLog-5.php#5.2.16.

The PHP development team is proud to announce the immediate release of PHP 5.3.4. This is a maintenance release in the 5.3 series, which includes a large number of bug fixes.

Security Enhancements and Fixes in PHP 5.3.4:

• Fixed crash in zip extract method (possible CWE-170).
• Paths with NULL in them (foo\0bar.txt) are now considered as invalid (CVE-2006-7243).
• Fixed a possible double free in imap extension (Identified by Mateusz Kocielski). (CVE-2010-4150).
• Fixed NULL pointer dereference in ZipArchive::getArchiveComment. (CVE-2010-3709).
• Fixed possible flaw in open_basedir (CVE-2010-3436).
• Fixed MOPS-2010-24, fix string validation. (CVE-2010-2950).
• Fixed symbolic resolution support when the target is a DFS share.
• Fixed bug #52929 (Segfault in filter_var with FILTER_VALIDATE_EMAIL with large amount of data) (CVE-2010-3710).

Key Bug Fixes in PHP 5.3.4 include:

• Added stat support for zip stream.
• Added follow_location (enabled by default) option for the http stream support.
• Added a 3rd parameter to get_html_translation_table. It now takes a charset hint, like htmlentities et al.
• Implemented FR #52348, added new constant ZEND_MULTIBYTE to detect zend multibyte at runtime.
• Multiple improvements to the FPM SAPI.
• Over 100 other bug fixes.

For users upgrading from PHP 5.2 there is a migration guide available here, detailing the changes between those releases and PHP 5.3.

For a full list of changes in PHP 5.3.4, see the ChangeLog. For source downloads please visit our downloads page, Windows binaries can be found on windows.php.net/download/.