The PHP Group has released a new version of PHP, numbered 4.4.1. The developers recommend that anyone using PHP 4.3 or PHP 4.4 upgrade. This release fixes a number of bugs and a number of security vulnerabilities related to overwriting the GLOBALS array. The accompanying announcement reads as follows:
The PHP Development Team would like to announce the immediate release of PHP 4.4.1. This is a bug fix release, which addresses some security problems too. The security issues that this release fixes are:
- Fixed a Cross Site Scripting (XSS) vulnerability in phpinfo() that could lead, for example, to cookie exposure when a phpinfo() script is accidentally left on a production server.
- Fixed multiple safe_mode/open_basedir bypass vulnerabilities in ext/curl and ext/gd that could lead to exposure of files normally not accessible due to safe_mode or open_basedir restrictions.
- Fixed a possible $GLOBALS overwrite problem in file upload handling, extract() and import_request_variables() that could lead to unexpected security holes in scripts assumed secure. (For more information, see here).
- Fixed a problem when a request was terminated due to memory_limit constraints during certain parse_str() calls. In some cases this can result in register_globals being turned on.
- Fixed an issue with trailing slashes in allowed basedirs. They were ignored by open_basedir checks, so that specified basedirs were handled as prefixes and not as full directory names.
- Fixed an issue with calling virtual() on Apache 2. This allowed bypassing of certain configuration directives like safe_mode or open_basedir.
- Updated to the latest pcrelib to fix a possible integer overflow vulnerability announced in CAN-2005-2491.
This release also fixes 35 other defects, of which the most important is the fix that removes a notice when passing a by-reference result of a function as a by-reference value to another function (Bug #33558).
- Added missing safe_mode checks for image* functions and cURL.
- Added missing safe_mode/open_basedir checks for file uploads.
- Fixed a memory corruption bug regarding included files.
- Fixed possible INI setting leak via virtual() in Apache 2 sapi.
- Fixed possible crash and/or memory corruption in import_request_variables().
- Fixed potential GLOBALS overwrite via import_request_variables().
- Fixed possible GLOBALS variable override when register_globals are ON.
- Fixed possible register_globals toggle via parse_str().
- Added “new_link” parameter to mssql_connect(). Bug #34369.
- Fixed bug #34850 (--program-suffix and --program-prefix not included in man page names).
- Fixed bug #34790 (preg_match_all(), named capturing groups, variable assignment/return => crash).
- Fixed bug #34742 (ftp wrapper failures caused from segmented command transfer).
- Fixed bug #34704 (Infinite recursion due to corrupt JPEG).
- Fixed bug #34645 (ctype corrupts memory when validating large numbers).
- Fixed bug #34565 (mb_send_mail does not fetch mail.force_extra_parameters).
- Fixed bug #34557 (php -m exits with “error” 1).
- Fixed bug #34456 (Possible crash inside pspell extension).
- Fixed bug #34311 (unserialize() crashes with chars above Dec 191).
- Fixed bug #34307 (on_modify handler not called to set the default value if setting from php.ini was invalid).
- Fixed bug #34302 (date('W') do not return leading zeros for week 1 to 9).
- Fixed bug #34277 (array_filter() crashes with references and objects).
- Fixed bug #34191 (ob_gzhandler does not enforce trailing \0).
- Fixed bug #34156 (memory usage remains elevated after memory limit is reached).
- Fixed bug #34148 (+,- and . not supported as parts of scheme).
- Fixed bug #34137 (assigning array element by reference causes binary mess).
- Fixed bug #34068 (Numeric string as array key not cast to integer in wddx_deserialize()).
- Fixed bug #34064 (arr as param to function is allowed only if function receives argument by reference).
- Fixed bug #33989 (extract($GLOBALS,EXTR_REFS) crashes PHP).
- Fixed bug #33987 (php script as ErrorDocument causes crash in Apache 2).
- Fixed bug #33940 (array_map() fails to pass by reference when called recursively).
- Fixed bug #33690 (Crash setting some ini directives in httpd.conf).
- Fixed bug #33673 (Added detection for partially uploaded files).
- Fixed bug #33648 (Using --with-regex=system causes compile failure).
- Fixed bug #33558 (Warning with nested calls to functions returning by reference).
- Fixed bug #33383 (crash when retrieving empty LOBs).
- Fixed bug #33156 (cygwin version of settimer doesn’t accept ITIMER_PROF).
- Fixed bug #32937 (open_basedir loses trailing / in the limiter).
- Fixed bug #32589 (possible crash inside imap_mail_compose() function).
- Fixed bug #32179 (xmlrpc_encode() segfaults with recursive references).
- Fixed bug #32160 (copying a file into itself leads to data loss).
- Fixed bug #31158 (array_splice on $GLOBALS crashes).
- Fixed bug #29983 (PHP does not explicitly set mime type & charset).
- Fixed bug #29253 (array_diff with $GLOBALS argument fails).
- Fixed bug #21306 (ext/session: catch bailouts of write handler during RSHUTDOWN).
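The open_basedir trailing-slash fix in the announcement (and bug #32937 in the list above) comes down to the difference between a string-prefix check and a directory-name check. The following C sketch is an added example, not code from PHP itself; the function names and sample paths are hypothetical, and paths are assumed to be already canonicalised (no `..` components, symlinks resolved).

```c
#include <stdio.h>
#include <string.h>

/* Pre-fix behaviour as the announcement describes it: the trailing slash of
 * the configured basedir is ignored, so the basedir acts as a string prefix. */
int allowed_as_prefix(const char *basedir, const char *path)
{
    size_t n = strlen(basedir);
    while (n > 1 && basedir[n - 1] == '/')
        n--;                          /* trailing slash dropped */
    return strncmp(path, basedir, n) == 0;
}

/* Directory-name check: a basedir ending in '/' matches only that directory
 * and what lies beneath it. */
int allowed_as_directory(const char *basedir, const char *path)
{
    size_t n = strlen(basedir);
    if (n == 0)
        return 0;
    if (basedir[n - 1] != '/')        /* no slash: a prefix was configured */
        return strncmp(path, basedir, n) == 0;
    if (strncmp(path, basedir, n) == 0)
        return 1;                     /* path lies below the directory */
    /* the directory itself, written without its trailing slash */
    return strlen(path) == n - 1 && strncmp(path, basedir, n - 1) == 0;
}

int main(void)
{
    /* Constructed sample values, assumed already canonicalised. */
    const char *basedir = "/var/www/site/";
    const char *paths[] = {
        "/var/www/site/index.php",
        "/var/www/site",
        "/var/www/site-private/config.php",
        "/var/www/other/index.php",
    };
    for (size_t i = 0; i < sizeof paths / sizeof paths[0]; i++)
        printf("%-36s prefix=%d directory=%d\n", paths[i],
               allowed_as_prefix(basedir, paths[i]),
               allowed_as_directory(basedir, paths[i]));
    return 0;
}
```

The two checks differ only for the sibling directory `/var/www/site-private/`, which shares the string prefix but is not inside the configured directory.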
| Operating systems | Windows 9x, Windows NT, Windows 2000, Linux, BSD, Windows XP, macOS, OS/2, Solaris, UNIX, Windows Server 2003 |
| Website | The PHP Group |
| License type | Prerequisites (GNU/BSD/etc.) |