On january 10th 2012, the PHP group has released PHP 5.3.9, that brings over 90 bug fixes, some of which are security related :
Security Enhancements and Fixes in PHP 5.3.9:
- Added max_input_vars directive to prevent attacks based on hash collisions. (CVE-2011-4885)
- Fixed bug #60150 (Integer overflow during the parsing of invalid exif header). (CVE-2011-4566)
Key enhancements in PHP 5.3.9 include:
- Fixed bug #55475 (is_a() triggers autoloader, new optional 3rd argument to is_a and is_subclass_of).
- Fixed bug #55609 (mysqlnd cannot be built shared)
- Many changes to the FPM SAPI module
PHP 5.3.9 is now available on Dotdeb for :
- both Debian 6.0 “Squeeze” and Debian 5.0 “Lenny”
- both amd64 and i386 architectures
As usual, please read the ChangeLog before upgrading and be sure to use to the latest packages before reporting any issue.
[edit] the packages have been updated to fix some Suhosin- and strtotime()-related issues. You really should upgrade at least :
- to 5.3.9-0~dotdeb.3 if you’re running Squeeze
- to 5.3.9-0~dotdeb.2 if you’re running Lenny