PHP 5.3.9 release was mostly meant to fix a security bug, but it introduced a new more serious bug. PHP 5.3.10 was just released to fix this issue. [...] This time it is a bug that allows arbitrary remote code execution. This means that it allows to run arbitrary code on the server, injected by an eventual attacker, so it can be used to cause many types of damage inside a server.

The upgrade to PHP 5.3.10 is highly recommended to prevent this issue from effecting your applications. The post also mentions the dropping of Suhosin support (a security plugin for PHP) on the Debian linux distribution's default installation and how the PHP community has reacted to the decision.

That was a pretty annoying bug. I never did find out what the problem was as I moved onto other problems and chalked that error up to some undiagnosed weirdness on that particular server. From time to time I would get asked on Twitter if I had ever solved the problem. My answer was always "no, and if you do solve it please let met know how you fixed it." Today, my friends, was the day.

Based on a response from Demian Katz, he was able to get around the issue with flag set on the PHPUnit command line - "-dzend.enable_gc=0". Apparently the issue has to do with garbage collection and has been a known issue since the beginning of 2011.

Since the first beta of the next major release of PHP was released a few days ago, I thought we could provide packages for people who'd like to test it and see if there software is still running. And make adjustments or report bugs, if it doesn't. Complaining after the official stable release was made is usually too late, so testing your software against beta releases is very important. For your project and for PHP.

The install involves grabbing their package from the Liip server and calling the "packager.py" executable to make the version swap. You can go back to the pre-installed PHP5 version anytime by updating the symlink back. If you want more information on the package (or to report bugs) you can find the project over in github.

The key issue was that 5.3.7 accidentally broke is_a() for a reasonably large number of users. Unfortunately the fixup release 5.3.8 did not address this 'mistake', and after a rather fruitless exchange I gave up trying to persuade the group (most people on mailing list), that reverting the change was rather critical (at least pierre supported reverting it in the 5.3.* series).

This new issue was causing some strange errors to pop up in his code because of a parameter type change in the is_a call, updating the first parameter to be an object instead of a class name. The is_a() call sends its requests to __autoload in some cases and the string->object mismatch of those parameters causes errors to be thrown. His workaround is, in your checking, just be sure to call an is_object first before passing things off to be is_a() checked and autoloaded.

Another PHP 5.3 version was released. Manuel Lemos and Ernani Joppert discuss whether you should upgrade to this new version of PHP, as well if you should try the new PHP 5.4 beta version. They also talk about the repercussion of the article about the Wrong PHP Ideas You Should Get Right and why it is important to clarify PHP haters and lovers about these PHP misconceptions.

You can either listen to this latest episode through the in-page player, by downloading the mp3 (25MB) or by subscribing to their feed and getting the latest right in your reader of choice (even iTunes).

For those who haven't put the recurring event in their calendar, the Zend Framework Monthly Bug-hunt is here again! This Thursday, Friday and Saturday (the 25th, 26th and 27th of August), we'll be hosting our monthly bug hunt. For those of you unfamiliar with the event, each month, we organize the community to help reduce the number of open issues reported against the framework

Ralph reminds everyone of the change in tracking methods in their Jira setup and how to find some issues to tackle when you start your debugging. You can also just visit this page to get the full list of unresolved issues. Additional instructions are included in the post on "getting started" resources, how your fixes help the framework and a guide you can follow to get the ball rolling.

The PHP development team would like to announce the immediate availability of PHP 5.3.8. This release fixes two issues introduced in the PHP 5.3.7 release: Fixed bug #55439 (crypt() returns only the salt for MD5), reverted a change in timeout handling restoring PHP 5.3.6 behavior, which caused mysqlnd SSL connections to hang (Bug #55283). All PHP users should note that the PHP 5.2 series is NOT supported anymore. All users are strongly encouraged to upgrade to PHP 5.3.8.

As always you can download this latest release from the downloads page (Windows binaries here). This upgrade is highly recommended if you were running 5.3.7.

I read not too long ago that the mysql library in PHP is being deprecated as of v6.0 in favor of mysqli or PDO, so of course I had to update all of my database code keep on top of things. I spent about 5 or 6 hours over the course of 2 days familiarizing myself with the new syntax and updating my code offline. Without any testing, I decided I could go ahead and push the code "live" because I'm just that over-confident sometimes, although I did make a backup in case anything went wrong (or so I thought).

Two problems jumped out immediately - a SQL error caused by this bug and the other being a problem with preparing his statement inside of a session handling method.

For those who haven't put the recurring event in their calendar, the Zend Framework Monthly Bug-hunt is here again! This Thursday, Friday and Saturday (the 28th, 29th and 30th of July), we'll be hosting our monthly bug hunt. For those of you unfamiliar with the event, each month, we organize the community to help reduce the number of open issues reported against the framework.

He reminds those wanting to participate of a few pieces of information - that they'll need a CLA on file, where to find unresolved issues, getting help on the zftalk.dev IRC channel and a getting started guide for those first-timers.

Since the thing went public before new PHP version has been released, I present full details of the latest PHP vulnerability I reported - together with some sweet demo exploit. The issue was found with fuzzing being part of my recent file upload research. And I still have some more to show in the future :)

The issue, described in more detail here on bugs.php.net (as of the time of this post, unfortunately unavailable) and his code to reproduce the issue is here. Due to a bug in the code that should strip down the upload to just the filename, certain kinds of file paths can make it through. The real problem comes in when an application blindly uses this filename to write to, possibly overwriting important files. You can see a screenshot of it in action here.