PHP 5.2.4 released, fixing 120 bugs and the memory_limit vulnerability

PHP, a major web programming language, has released a new version of its engine, PHP 5.2.4, and the project has also announced that updates and support for PHP 4 will officially end on 31 December 2007. Whether you are running the latest PHP 4 release, 4.4.7, the PHP 5.1 series, or PHP 5.2.3, the PHP project recommends that all users update to PHP 5.2.4.

Note that parts of the PHP 5.2 architecture differ from the earlier PHP 4, so refer to the PHP 5 migration documentation provided by the PHP project.

This update not only fixes as many as 120 bugs but also improves execution performance, upgrades the PCRE regular expression library to 7.2, and brings the time zone data up to the June 2007 version; the memory leak that appeared on the Windows platform with the PHP 5.2 series is also resolved. 優格網 ran on a Windows host for about two weeks and would periodically hit error messages of this kind, which could only be cleared by restarting Apache; moving to a Linux host resolved the problem. Users still running PHP on Windows are advised to update to PHP 5.2.4 to avoid this memory leak.

The changes in PHP 5.2.4 are as follows:

Security Enhancements and Fixes in PHP 5.2.4:

* Fixed a floating point exception inside wordwrap() (Reported by Mattias Bengtsson)
* Fixed several integer overflows inside the GD extension (Reported by Mattias Bengtsson)
* Fixed size calculation in chunk_split() (Reported by Gerhard Wagner)
* Fixed integer overflow in str[c]spn(). (Reported by Mattias Bengtsson)
* Fixed money_format() not to accept multiple %i or %n tokens. (Reported by Stanislav Malyshev)
* Fixed zend_alter_ini_entry() memory_limit interruption vulnerability. (Reported by Stefan Esser)
* Fixed INFILE LOCAL option handling with MySQL extensions not to be allowed when open_basedir or safe_mode is active. (Reported by Mattias Bengtsson)
* Fixed session.save_path and error_log values to be checked against open_basedir and safe_mode (CVE-2007-3378) (Reported by Maksymilian Arciemowicz)
* Fixed a possible invalid read in glob() win32 implementation (CVE-2007-3806) (Reported by shinnai)
* Fixed a possible buffer overflow in php_openssl_make_REQ (Reported by zatanzlatan at hotbrev dot com)
* Fixed an open_basedir bypass inside glob() function (Reported by dr at peytz dot dk)
* Fixed a possible open_basedir bypass inside session extension when the session file is a symlink (Reported by c dot i dot morris at durham dot ac dot uk)
* Improved fix for MOPB-03-2007.
* Corrected fix for CVE-2007-2872.

Key enhancements in PHP 5.2.4 include:

* Upgraded PCRE to version 7.2
* Added persistent connection status checker to pdo_pgsql.
* Fixed oci8 and PDO_OCI extensions to allow configuring with Oracle 11g client libraries.
* Fixed bug #41831 (pdo_sqlite prepared statements convert resources to strings).
* Fixed bug #41770 (SSL: fatal protocol error due to buffer issues)
* Fixed bug #41713 (Persistent memory consumption on win32 since 5.2)
* Over 120 bug fixes.

Detailed PHP 5.2.4 changelog
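A defender-side audit of the settings these fixes concern, added here as an example (it is not code from the post or from the PHP project): it reports whether the running interpreter predates 5.2.4, whether session.save_path and error_log lie outside open_basedir (the condition CVE-2007-3378 concerns), and whether memory_limit is unlimited. It assumes the interpreter's own `ini_get()` values, treats a nonexistent path as outside open_basedir, and is written in PHP 5.2-compatible syntax so it can run on the hosts it is meant to check.

```php
<?php
// Returns true when $version already carries the 5.2.4 fixes.
function php_is_patched($version) {
    return version_compare($version, '5.2.4', '>=');
}

// Returns true when $path resolves to a location under one of the
// open_basedir prefixes (':'-separated on Unix, ';' on Windows), or when
// open_basedir is not configured at all. Nonexistent paths count as outside.
function path_within_basedir($path, $basedir) {
    if ($basedir === '') {
        return true;
    }
    // session.save_path may carry an "N;/dir" depth prefix; drop it.
    if (preg_match('/^\d+;(.*)$/', $path, $m)) {
        $path = $m[1];
    }
    $real = realpath($path);
    if ($real === false) {
        return false;
    }
    foreach (explode(PATH_SEPARATOR, $basedir) as $prefix) {
        $prefix = realpath($prefix);
        if ($prefix === false) {
            continue;
        }
        $prefix = rtrim($prefix, DIRECTORY_SEPARATOR);
        if ($real === $prefix || strpos($real, $prefix . DIRECTORY_SEPARATOR) === 0) {
            return true;
        }
    }
    return false;
}

$findings = array();
if (!php_is_patched(PHP_VERSION)) {
    $findings[] = 'PHP ' . PHP_VERSION . ' predates 5.2.4; the fixes listed above are missing';
}
$basedir = (string) ini_get('open_basedir');
foreach (array('session.save_path', 'error_log') as $directive) {
    $value = (string) ini_get($directive);
    if ($value !== '' && !path_within_basedir($value, $basedir)) {
        $findings[] = "$directive ($value) is outside open_basedir ($basedir)";
    }
}
if (ini_get('memory_limit') === '-1') {
    $findings[] = 'memory_limit is unlimited; a per-request ceiling bounds the impact of leaks';
}
foreach (count($findings) ? $findings : array('no findings') as $f) {
    echo $f, PHP_EOL;
}
```

Run it once from the CLI and once through the web server, since the two SAPIs often load different php.ini files and therefore different open_basedir and memory_limit values.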

September 2007