|
On 24 Oct 2013 06:15:39 +0000 Google started saying www.php.net was hosting malware. The Google Webmaster Tools were initially quite delayed in showing the reason why and when they did it looked a lot like a false positive because we had some minified/obfuscated JavaScript being dynamically injected into userprefs.js. This looked suspicious to us as well, but it was actually written to do exactly that so we were quite certain it was a false positive, but we kept digging.

It turned out that by combing through the access logs for static.php.net it was periodically serving up userprefs.js with the wrong content length and then reverting back to the right size after a few minutes. This is due to an rsync cron job. So the file was being modified locally and reverted. Google's crawler caught one of these small windows where the wrong file was being served, but of course, when we looked at it manually it looked fine. So more confusion.

We are still investigating how someone caused that file to be changed, but in the meantime we have migrated www/static to new clean servers. The highest priority is obviously the source code integrity and after a quick: git fsck --no-reflog --full --strict on all our repos plus manually checking the md5sums of the PHP distribution files we see no evidence that the PHP code has been compromised. We have a mirror of our git repos on github.com and we will manually check git commits as well and have a full post-mortem on the intrusion when we have a clearer picture of what happened.
|
|
Full View / NID: 46046 / Submitted by: The Zilla of Zuron
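The access-log check described in the post above, as an added example (not php.net's own tooling): it looks for a static file whose full-body response size briefly deviates from its usual size and then reverts. The log lines, the /userprefs.js path and the byte counts are constructed, and the function name is hypothetical.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample in "combined" log format; not real static.php.net data.
SAMPLE_LOG = """\
203.0.113.5 - - [23/Oct/2013:10:00:01 +0000] "GET /userprefs.js HTTP/1.1" 200 1024 "-" "ua"
203.0.113.6 - - [23/Oct/2013:10:01:12 +0000] "GET /userprefs.js HTTP/1.1" 304 - "-" "ua"
203.0.113.7 - - [23/Oct/2013:10:02:30 +0000] "GET /userprefs.js HTTP/1.1" 200 3877 "-" "ua"
203.0.113.8 - - [23/Oct/2013:10:04:05 +0000] "GET /userprefs.js?v=2 HTTP/1.1" 200 3877 "-" "ua"
203.0.113.9 - - [23/Oct/2013:10:06:40 +0000] "GET /userprefs.js HTTP/1.1" 200 1024 "-" "ua"
203.0.113.5 - - [23/Oct/2013:10:07:00 +0000] "HEAD /userprefs.js HTTP/1.1" 200 0 "-" "ua"
203.0.113.5 - - [23/Oct/2013:10:08:00 +0000] "GET /userprefs.js HTTP/1.1" 200 1024 "-" "ua"
203.0.113.5 - - [23/Oct/2013:10:09:00 +0000] "GET /images/logo.png HTTP/1.1" 200 2048 "-" "ua"
"""

LINE_RE = re.compile(
    r'\[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+|-)')

def size_anomalies(log_text):
    """Return {path: [(size, first_seen, last_seen, hits, reverted), ...]}."""
    seen = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        # Only full-body responses have comparable sizes: skip HEAD, 304, 206, errors.
        if not m or m["method"] != "GET" or m["status"] != "200" or m["size"] == "-":
            continue
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        seen[m["path"].split("?", 1)[0]].append((ts, int(m["size"])))
    report = {}
    for path, hits in seen.items():
        # Assumption: the legitimate file accounts for most responses in the window.
        baseline = Counter(size for _, size in hits).most_common(1)[0][0]
        odd = defaultdict(list)
        for ts, size in hits:
            if size != baseline:
                odd[size].append(ts)
        # "reverted" = baseline size served again later, i.e. not a normal deploy.
        rows = [(s, min(t), max(t), len(t),
                 any(ts > max(t) and sz == baseline for ts, sz in hits))
                for s, t in sorted(odd.items())]
        if rows:
            report[path] = rows
    return report

if __name__ == "__main__":
    for path, rows in size_anomalies(SAMPLE_LOG).items():
        for size, first, last, hits, reverted in rows:
            print(f"{path}: {hits} x {size} bytes, {first} .. {last}, reverted={reverted}")
```

A size that appears for a few minutes and then reverts is the pattern worth alerting on; a permanent change is more likely a release, and compressed or range responses need their own baselines.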
|
|
We are continuing to work through the repercussions of the php.net malware issue described in a news post earlier today. As part of this, the php.net systems team have audited every server operated by php.net, and have found that two servers were compromised: the server which hosted the www.php.net, static.php.net and git.php.net domains, and was previously suspected based on the JavaScript malware, and the server hosting bugs.php.net. The method by which these servers were compromised is unknown at this time.

All affected services have been migrated off those servers. We have verified that our Git repository was not compromised, and it remains in read only mode as services are brought back up in full.

As it's possible that the attackers may have accessed the private key of the php.net SSL certificate, we have revoked it immediately. We are in the process of getting a new certificate, and expect to restore access to php.net sites that require SSL (including bugs.php.net and wiki.php.net) in the next few hours.

To summarise, the situation right now is that:
- JavaScript malware was served to a small percentage of php.net users from the 22nd to the 24th of October 2013.
- Neither the source tarball downloads nor the Git repository were modified or compromised.
- Two php.net servers were compromised, and have been removed from service. All services have been migrated to new, secure servers.
- SSL access to php.net Web sites is temporarily unavailable until a new SSL certificate is issued and installed on the servers that need it.

Over the next few days, we will be taking further action:
- php.net users will have their passwords reset. Note that users of PHP are unaffected by this: this is solely for people committing code to projects hosted on svn.php.net or git.php.net.

We will provide a full post mortem in due course, most likely next week. You can also get updates from the official php.net Twitter: @official_php.
|
|
Full View / NID: 46045 / Submitted by: The Zilla of Zuron
|
|
The PHP development team announces the immediate availability of PHP 5.4.21. About 10 bugs were fixed. All PHP 5.4 users are encouraged to upgrade to this version. For source downloads of PHP 5.4.21 please visit our downloads page, Windows binaries can be found on windows.php.net/download/. The list of changes is recorded in the ChangeLog.
|
|
Full View / NID: 45994 / Submitted by: The Zilla of Zuron
|
|
The PHP development team announces the immediate availability of PHP 5.5.5. This release fixes about twenty bugs against PHP 5.5.4, some of them regarding the build system. All PHP users are encouraged to upgrade to this new version. For source downloads of PHP 5.5.5 please visit our downloads page, Windows binaries can be found on windows.php.net/download/. The list of changes is recorded in the ChangeLog.
|
|
Full View / NID: 48053 / Submitted by: The Zilla of Zuron
|
|
The PHP development team announces the immediate availability of PHP 5.5.4. This release fixes several bugs against PHP 5.5.3. All PHP users are encouraged to upgrade to this new version. For source downloads of PHP 5.5.4 please visit our downloads page, Windows binaries can be found on windows.php.net/download/. The list of changes is recorded in the ChangeLog.
|
|
Full View / NID: 45864 / Submitted by: The Zilla of Zuron
|
|
The PHP development team announces the immediate availability of PHP 5.4.20. About 30 bugs were fixed. All PHP 5.4 users are encouraged to upgrade to this version. For source downloads of PHP 5.4.20 please visit our downloads page, Windows binaries can be found on windows.php.net/download/. The list of changes is recorded in the ChangeLog.
|
|
Full View / NID: 45863 / Submitted by: The Zilla of Zuron
|
|
The PHP development team announces the immediate availability of PHP 5.4.19 and PHP 5.5.3. These releases fix a bug in the patch for CVE-2013-4248 in OpenSSL module and compile failure with ZTS enabled in PHP 5.4. All PHP users are encouraged to upgrade to either PHP 5.5.3 or PHP 5.4.19. For source downloads of PHP 5.4.19 and PHP 5.5.3 please visit our downloads page, Windows binaries can be found on windows.php.net/download/. The list of changes is recorded in the ChangeLog.
|
|
Full View / NID: 45700 / Submitted by: The Zilla of Zuron
|
|
The PHP development team announces the immediate availability of PHP 5.5.2. About 20 bugs were fixed, including security issue in OpenSSL module (CVE-2013-4248) and session fixation problem (CVE-2011-4718). All users of PHP are encouraged to upgrade to this release. For source downloads of PHP 5.5.2 please visit our downloads page, Windows binaries can be found on windows.php.net/download/. The list of changes is recorded in the ChangeLog.
|
|
Full View / NID: 48054 / Submitted by: The Zilla of Zuron
|
|
The PHP development team announces the immediate availability of PHP 5.5.2. About 20 bugs were fixed, including security issue in OpenSSL module (CVE-2013-4248). All users of PHP are encouraged to upgrade to this release. For source downloads of PHP 5.5.2 please visit our downloads page, Windows binaries can be found on windows.php.net/download/. The list of changes is recorded in the ChangeLog.
|
|
Full View / NID: 45683 / Submitted by: The Zilla of Zuron
|
|
The PHP development team announces the immediate availability of PHP 5.4.18. About 30 bugs were fixed, including security issues CVE-2013-4113 and CVE-2013-4248. All users of PHP are encouraged to upgrade to this release. For source downloads of PHP 5.4.18 please visit our downloads page, Windows binaries can be found on windows.php.net/download/. The list of changes is recorded in the ChangeLog.
|
|
Full View / NID: 48055 / Submitted by: The Zilla of Zuron
|
|
The PHP development team announces the immediate availability of PHP 5.4.18. About 30 bugs were fixed, including security issues CVE-2013-4113 and CVE-2013-4073. All users of PHP are encouraged to upgrade to this release. For source downloads of PHP 5.4.18 please visit our downloads page, Windows binaries can be found on windows.php.net/download/. The list of changes is recorded in the ChangeLog.
|
|
Full View / NID: 45681 / Submitted by: The Zilla of Zuron
|
|
The PHP development team announces the immediate availability of PHP 5.5.1. About 20 bugs were fixed including a security fix in the XML parser (Bug #65236). For source downloads of PHP 5.5.1 please visit our downloads page, Windows binaries can be found on windows.php.net/download/. The list of changes is recorded in the ChangeLog.
|
|
Full View / NID: 45556 / Submitted by: The Zilla of Zuron
|
|
The PHP development team announces the immediate availability of PHP 5.3.27. About 10 bugs were fixed, including a security fix in the XML parser (Bug #65236).

Please Note: This will be the last regular release of the PHP 5.3 series. All users of PHP are encouraged to upgrade to PHP 5.4 or PHP 5.5. The PHP 5.3 series will receive only security fixes for the next year.

For source downloads of PHP 5.3.27 please visit our downloads page, Windows binaries can be found on windows.php.net/download/. The list of changes is recorded in the ChangeLog.
|
|
Full View / NID: 45520 / Submitted by: The Zilla of Zuron
|
|
The PHP development team announces the immediate availability of PHP 5.4.17. About 20 bugs were fixed. All users of PHP are encouraged to upgrade to this release. For source downloads of PHP 5.4.17 please visit our downloads page, Windows binaries can be found on windows.php.net/download/. The list of changes is recorded in the ChangeLog.
|
|
Full View / NID: 48056 / Submitted by: The Zilla of Zuron
|
|
The PHP development team is proud to announce the immediate availability of PHP 5.5.0. This release includes a large number of new features and bug fixes.

The key features of PHP 5.5.0 include:
- Added generators and coroutines.
- Added the finally keyword.
- Added a simplified password hashing API.
- Added support for constant array/string dereferencing.
- Added scalar class name resolution via ::class.
- Added support for using empty() on the result of function calls and other expressions.
- Added support for non-scalar Iterator keys in foreach.
- Added support for list() constructs in foreach statements.
- Added the Zend OPcache extension for opcode caching.
- The GD library has been upgraded to version 2.1 adding new functions and improving existing functionality.
- A lot more improvements and fixes.

Changes that affect compatibility:
- PHP logo GUIDs have been removed.
- Windows XP and 2003 support dropped.
- Case insensitivity is no longer locale specific. All case insensitive matching for function, class and constant names is now performed in a locale independent manner according to ASCII rules.

For users upgrading from PHP 5.4, a migration guide is available detailing the changes between 5.4 and 5.5.0. For a full list of changes in PHP 5.5.0, see the ChangeLog.
|
|
Full View / NID: 48057 / Submitted by: The Zilla of Zuron
|
|
The PHP development team announces the availability of PHP 5.5 RC3. This release fixes some bugs against RC2. THIS IS A DEVELOPMENT PREVIEW - DO NOT USE IT IN PRODUCTION!

You can find an incomplete changelog of PHP 5.5.0RC3 here:
- Fixed bug causing segfault in gc_zval_possible_root
- Fixed bug about a heap based buffer overflow in quoted_printable_encode
- hash_pbkdf2() truncates data when using default length and hex output

To get the full changelog, please check the NEWS file attached to the archive. For source downloads of PHP 5.5.0RC3 please visit the download page, Windows binaries can be found on windows.php.net/qa/. We would be pleased if you could test this release candidate against your code base and report any problems that you encounter to the QA mailing list and/or the PHP bug tracker. Thank you for helping us make PHP better.
|
|
Full View / NID: 48058 / Submitted by: The Zilla of Zuron
|