Note: This is a beta release of Red Hat Bugzilla 5.0. The data contained within is a snapshot of the live data so any changes you make will not be reflected in the production Bugzilla. Also email is disabled so feel free to test any aspect of the site that you want. File any problems you find or give feedback here.

Bug 228993

Summary: PHP 5.2.1 is released
Product: [Fedora] Fedora Reporter: Robert Scheck <redhat-bugzilla>
Component: phpAssignee: Joe Orton <jorton>
Status: CLOSED RAWHIDE QA Contact: David Lawrence <dkl>
Severity: medium Docs Contact:
Priority: medium    
Version: rawhide   
Target Milestone: ---   
Target Release: ---   
Hardware: All   
OS: Linux   
Fixed In Version: 5.2.1-2 Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2007-02-17 13:58:09 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:

Description Robert Scheck 2007-02-16 12:34:34 UTC
Description of problem:
PHP 5.2.1 and PHP 4.4.5 Released

[14-Feb-2007] The PHP development team would like to announce the immediate 
availability of PHP 5.2.1 and availability of PHP 4.4.5. These releases are 
major stability and security enhancements of the 5.x and 4.4.x branches, and 
all users are strongly encouraged to upgrade to it as soon as possible. Further 
details about the PHP 5.2.1 release can be found in the release announcement 
for 5.2.1, the full list of changes is available in the ChangeLog for PHP 5. 
Details about the PHP 4.4.5 release can be found in the release announcement 
for 4.4.5, the full list of changes is available in the ChangeLog for PHP 4. 

Security Enhancements and Fixes in PHP 5.2.1 and PHP 4.4.5: 
Fixed possible safe_mode & open_basedir bypasses inside the session extension.
Fixed unserialize() abuse on 64 bit systems with certain input strings.
Fixed possible overflows and stack corruptions in the session extension.
Fixed an underflow inside the internal sapi_header_op() function.
Fixed non-validated resource destruction inside the shmop extension.
Fixed a possible overflow in the str_replace() function.
Fixed possible clobbering of super-globals in several code paths.
Fixed a possible information disclosure inside the wddx extension.
Fixed a possible string format vulnerability in *print() functions on 64 bit 
Fixed a possible buffer overflow inside ibase_{delete,add,modify}_user() 
Fixed a string format vulnerability inside the odbc_result_all() function.

Security Enhancements and Fixes in PHP 5.2.1 only: 
Prevent search engines from indexing the phpinfo() page.
Fixed a number of input processing bugs inside the filter extension.
Fixed allocation bugs caused by attempts to allocate negative values in some 
code paths.
Fixed possible stack/buffer overflows inside zip, imap & sqlite extensions.
Fixed several possible buffer overflows inside the stream filters.
Memory limit is now enabled by default.
Added internal heap protection.
Extended filter extension support for $_SERVER in CGI and apache2 SAPIs.

Security Enhancements and Fixes in PHP 4.4.5 only: 
Fixed possible overflows inside zip & imap extensions.
Fixed a possible buffer overflow inside mail() function on Windows.
Unbundled the ovrimos extension.

The majority of the security vulnerabilities discovered and resolved can in 
most cases be only abused by local users and cannot be triggered remotely. 
However, some of the above issues can be triggered remotely in certain 
situations, or exploited by malicious local users on shared hosting setups 
utilizing PHP as an Apache module. Therefore, we strongly advise all users of 
PHP, regardless of the version to upgrade to the 5.2.1 or 4.4.5 releases as 
soon as possible. 

For users upgrading to PHP 5.2 from PHP 5.0 and PHP 5.1, an upgrade guide is 
available here, detailing the changes between those releases and PHP 5.2.1.

Version-Release number of selected component (if applicable):

Expected results:
Upgrade to 5.2.1 ;-)

Comment 1 Robert Scheck 2007-02-17 13:58:09 UTC
PHP 5.2.1 was pushed to Rawhide, thanks and closing.