PHP 5.3.1 released for 5 security flaws, 113 bugs
The first update to PHP 5.3 is now available providing 5 security fixes in addition a long list of bug fixes to the popular open source dynamic language.
PHP 5.3 was released at the end of June, so the 5.3.1 point update has been in the works for five months at this point.
On the security fix front two of the bug fixes are for safe mode items which could have left a PHP system at risk:
- Fixed a safe_mode bypass in tempnam().
- Fixed bug #50063 (safe_mode_include_dir fails).
The three other fixes are a collection of different issues.
Among them is a new "max_file_uploads" INI directive, which according to the PHP 5.3.1 release notes, "...can be set to limit the number of file uploads per-request to 20 by default, to prevent possible DOS via temporary file exhaustion."
Sanity check are added to exif processing and there is a fix for an open_basedir bypass in posix_mkfifo().
While the security fixes are obviously an important reason for PHP users to migrate immediately, the long list of non-security items is also noteworthy.