The official announcement
A few days ago, the PHP Group released PHP 5.3.1:
The PHP development team would like to announce the immediate availability of PHP 5.3.1. This release focuses on improving the stability of the PHP 5.3.x branch with over 100 bug fixes, some of which are security related. All users of PHP are encouraged to upgrade to this release.
Security Enhancements and Fixes in PHP 5.3.1:
- Added “max_file_uploads” INI directive, which can be set to limit the number of file uploads per-request to 20 by default, to prevent possible DOS via temporary file exhaustion.
- Added missing sanity checks around exif processing.
- Fixed a safe_mode bypass in tempnam().
- Fixed an open_basedir bypass in posix_mkfifo().
- Fixed failing safe_mode_include_dir.
The Dotdeb changes
On the Debian side, some changes were made:
- the packages are now patched with the official Suhosin patch.
- besides the apache2, apache2filter, CGI and CLI flavours, the FPM one now has its own dedicated package, named “php5-fpm”. It will give you better performance and many more features on a CGI-style installation (FYI, an init script, a config file and an nginx config sample are provided).
How to install?
Because migrating from PHP 5.2 to PHP 5.3 can break some applications, here is the Dotdeb release policy:
- PHP 5.2 is still the default branch for Debian Lenny for some weeks/months. PHP 5.3 packages are kept on a separate repository.
- PHP 5.3 will be the default branch for the upcoming Debian Squeeze (mid-2010).
Then, to install PHP 5.3 on your Debian “Lenny” box, just add these two entries in your /etc/apt/sources.list:
deb http://php53.dotdeb.org stable all
deb-src http://php53.dotdeb.org stable all
Now launch your favorite commands (apt-get update && apt-get upgrade) to upgrade your box.