PHP Security Announcements
20 Dec 2004
I've been asked about the "security issues" that prompted the release of PHP versions 4.3.0 and 5.0.3 enough times to warrant blogging about it. I understand the concern - you visit php.net and see:
The PHP Development Team would like to announce the immediate release of PHP 4.3.10 and PHP 5.0.3. These are maintenance releases that in addition to non-critical bug fixes address several very serious security issues.
Very serious security issues? That sounds "very serious." You read the PHP 5 ChangeLog (or maybe the PHP 4 one) and see a big list of changes. At most, you can identify two changes that might be security fixes:
- Fixed potential problems with unserializing invalid serialize data.
- Fixed a bug in addslashes() handling of the '\0' character.
Luckily, better information is available:
Update: Ilia points out the 4.3.10 release notes, which have more information.