
Matthew Turland's Blog:
Watch Your Include Path
0 comments :: posted Thursday March 27, 2008 @ 10:24:38

Matthew Turland is looking to "save you some grief" by pointing out an issue he recently had trouble with and eventually found out was a bug in PHP.

It's pretty rare that I encounter a bug in the software I run that hampers my ability to work or my server environment's ability to function normally. However, I encountered one last week that has taken me and several Rackspace support technicians nearly a week to figure out, namely PHP bug #43677.

The issue was that PHP seemed to be "forgetting" the include_path set in the current script (not the one set in the Apache configuration). The bug was found in PHP 5.2.5 (and possibly affects all of the 5.2.x releases). The problem has been fixed in the latest CVS version, and a patch has been created for those who want to correct it right away.

tagged with: include path apache bug setincludepath patch fix


Demian Turner's Blog:
Seagull 0.6.4 Release (fixes Security Issue from 0.6.3)
0 comments :: posted Friday January 25, 2008 @ 10:32:00

Demian Turner has posted about the latest version of the Seagull framework (0.6.3) and a follow-up release, 0.6.4, that corrects a remote file disclosure issue.

Well it took a bit of time but after quite a few months a new release of Seagull is finally out, 0.6.3 (0.6.4). Things have been keeping pretty busy with the startup I'm working on, but it's been a great opportunity to refine some features of the framework and optimize the performance. The early indications are good, after less than 10 weeks of going live Kindo users are creating up to 20k profiles/day and the server load is staying comfortably below 0.5.

The update is a separate download that corrects an issue where the framework used user-supplied values from the GET string without validation, which could lead to remote file disclosure. Be sure to update your installation to close this security issue.
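The class of bug described above, as an added example (not Seagull's code): an application that picks a page module by a GET parameter. The vulnerable builder concatenates the raw value into an include path, so a traversal string leaves the module directory and, with allow_url_include enabled, an http:// value pulls in a remote file. The hardened builder checks the name against an allow-list and then confirms the resolved path still lies inside the module directory. The module directory, module names and probe values are constructed for the demo.

```php
<?php
// Added example, not Seagull's code. Models page-module loading driven by a
// GET parameter; directory layout and module names are made up for the demo.

// VULNERABLE: user input goes straight into the path. "../../etc/passwd"
// escapes the module directory; with allow_url_include on, an http:// value
// becomes a remote include.
function module_path_vulnerable($moduleDir, array $get)
{
    $page = isset($get['page']) ? $get['page'] : 'home';
    return $moduleDir . '/' . $page . '.php';
}

// HARDENED: accept only names from a fixed allow-list, then confirm the
// resolved path is still under $moduleDir before it reaches include().
function module_path_safe($moduleDir, array $get, array $allowed)
{
    $page = isset($get['page']) ? (string) $get['page'] : 'home';
    if (!in_array($page, $allowed, true)) {
        return null;                                  // unknown name: refuse
    }
    $base = realpath($moduleDir);
    $path = realpath($moduleDir . '/' . $page . '.php');
    if ($base === false || $path === false
        || strpos($path, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;                                  // missing, or outside base
    }
    return $path;
}

// Constructed fixture: a temporary module directory holding one real module.
$moduleDir = sys_get_temp_dir() . '/modules_' . getmypid();
mkdir($moduleDir);
file_put_contents($moduleDir . '/profile.php', "<?php echo 'profile';\n");
$allowed = array('home', 'profile', 'search');

// Constructed probes: one legitimate name, one traversal, one remote URL.
$probes = array('profile', '../../../../etc/passwd', 'http://attacker.example/shell');
foreach ($probes as $page) {
    $get = array('page' => $page);
    printf("%s\n  vulnerable: %s\n  safe:       %s\n", $page,
        module_path_vulnerable($moduleDir, $get),
        var_export(module_path_safe($moduleDir, $get, $allowed), true));
}

unlink($moduleDir . '/profile.php');
rmdir($moduleDir);
```

The allow-list is the real control; the realpath check is a second line of defence that also catches symlinks pointing out of the module directory. Note that the check compares against `$base . DIRECTORY_SEPARATOR` so that a sibling directory whose name merely starts with the module directory's name is rejected too.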

tagged with: seagull framework release fix security issue remote file disclosure

Dave Dash's Blog:
Fixing Broken PATH_INFO
0 comments :: posted Thursday January 24, 2008 @ 10:21:00

Dave Dash has posted about a method he developed, using a custom prepend file, to correctly obtain the PATH_INFO information for his server.

symfony and other applications rely on the server's PATH_INFO being set properly. Unfortunately, I use a nonstandard server that doesn't natively support CGI [...] but I can't figure out how to do a urldecode in my configuration.

To get around the issue, he created a file that is prepended to each request (via auto_prepend_file), which takes the raw value, urldecodes it, and stores the result in a separate $_SERVER entry.
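A prepend file of the kind described above, as an added example (not Dave Dash's file). It rebuilds the path-info part of the request from REQUEST_URI and SCRIPT_NAME when the server does not supply PATH_INFO, decodes it, and stores the decoded form under a separate key, `$_SERVER['DECODED_PATH_INFO']` (a name chosen for this example). Decoding is where a practitioner should be careful: a percent-encoded `..` or NUL that was harmless as an opaque string becomes a real path component once decoded, so the example refuses those. The sample requests at the bottom are constructed.

```php
<?php
// Added example, not Dave Dash's prepend file. Intended for use via
// auto_prepend_file; the key name DECODED_PATH_INFO is an assumption.

// Derive the decoded path info from REQUEST_URI and SCRIPT_NAME.
// Returns '' when the request maps directly onto the script or is unsafe.
function derive_path_info(array $server)
{
    $uri    = isset($server['REQUEST_URI']) ? $server['REQUEST_URI'] : '';
    $script = isset($server['SCRIPT_NAME']) ? $server['SCRIPT_NAME'] : '';

    $path = parse_url($uri, PHP_URL_PATH);           // drop the query string
    if ($path === false || $path === null) {
        return '';
    }
    // Strip the script prefix only when it is followed by '/' or ends the path,
    // so "/index.php" does not match "/index.phpfoo".
    $len = strlen($script);
    if ($script !== '' && strncmp($path, $script, $len) === 0
        && (strlen($path) === $len || $path[$len] === '/')) {
        $path = substr($path, $len);
    }
    // rawurldecode, not urldecode: this is a path, so '+' must stay '+'.
    $decoded = rawurldecode($path);

    // Decoding can surface NUL bytes or ".." that the encoded form hid.
    // Refuse them rather than let a framework router treat them as a file path.
    if (strpos($decoded, "\0") !== false) {
        return '';
    }
    foreach (explode('/', $decoded) as $segment) {
        if ($segment === '..') {
            return '';
        }
    }
    return $decoded;
}

// Prepend-file behaviour: leave the server's own PATH_INFO untouched and
// expose the decoded value under a separate key.
function add_decoded_path_info(array $server)
{
    $server['DECODED_PATH_INFO'] = derive_path_info($server);
    return $server;
}

$_SERVER = add_decoded_path_info($_SERVER);

if (PHP_SAPI === 'cli') {
    // Constructed requests: an ordinary route, an encoded traversal attempt,
    // and a request for the script itself.
    $samples = array(
        '/index.php/user/show/Matthew%20Turland?tab=posts',
        '/index.php/%2e%2e/%2e%2e/etc/passwd',
        '/index.php',
    );
    foreach ($samples as $uri) {
        $srv = array('SCRIPT_NAME' => '/index.php', 'REQUEST_URI' => $uri);
        printf("%-45s -> %s\n", $uri, var_export(derive_path_info($srv), true));
    }
}
```

Expected results for the three constructed requests are `/user/show/Matthew Turland`, `''` (rejected traversal) and `''` (no path info). Because the decoded value lives in its own key, the application has to be pointed at it explicitly; the server's original PATH_INFO, if any, is left as the server set it.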

tagged with: pathinfo broken fix autoprependfile urldecode

Stefan Esser's Blog:
PHP 4 - Reference Counter Overflow Fix
0 comments :: posted Monday May 21, 2007 @ 08:47:00

Stefan Esser has a new post about a patch he has created for PHP 4's ZVAL reference counter: the counter is only 16 bits wide, so it can be overflowed, which leads to a double destruction of the variable (a double free) that can be turned into arbitrary code execution.

When a PHP application is run in PHP 4 it can overflow the variable reference counter because it is only 16 bit wide. Whenever this happens it will result in a double destruction of the underlying variable. A local attacker can easily create PHP code that uses such a double destruction to execute arbitrary code within the process executing PHP (e.g. webserver process). This allows bypassing restrictions enforced by disable_functions, open_basedir, SAFE_MODE or to launch direct local root exploits against the target system.

The patch [tar.gz] fixes the issue while preserving backwards compatibility. You can either grab it now and apply it to your distribution (the sooner the better) or wait until it is merged into the PHP CVS tree and released with the next bug fix release.

tagged with: reference counter overflow patch fix php4



All content copyright, 2008 PHPDeveloper.org :: info@phpdeveloper.org - Powered by the Solar PHP Framework