On the PHPClasses.org blog there's a new post detailing an issue that came up in the PHP 5.3.9 release that caused a large security issue (PHP 5.3.10 has, however, already been released to correct the issue).

PHP 5.3.9 release was mostly meant to fix a security bug, but it introduced a new more serious bug. PHP 5.3.10 was just released to fix this issue. [...] This time it is a bug that allows arbitrary remote code execution. This means that it allows to run arbitrary code on the server, injected by an eventual attacker, so it can be used to cause many types of damage inside a server.

The upgrade to PHP 5.3.10 is highly recommended to prevent this issue from effecting your applications. The post also mentions the dropping of Suhosin support (a security plugin for PHP) on the Debian linux distribution's default installation and how the PHP community has reacted to the decision.

The PHP development team has officially announced the release of the latest version of PHP in the 5.3.x series - PHP 5.3.10:

The PHP development team would like to announce the immediate availability of PHP 5.3.10. This release delivers a critical security fix. [...] Fixed arbitrary remote code execution vulnerability reported by Stefan Esser, CVE-2012-0830.

It is highly recommended that users upgrade to this latest version to avoid falling victim to this recently introduced bug relating to the new "max_input_vars" setting added to protect from the overflow issue recently brought up in the PHP community.

Over on the PHPClasses.org blog today there's a new post looking at the next major upcoming PHP version (5.4), what it comes with and why you might want to make the upgrade.

PHP 5.4.0 is planned to be released on February, 2 2012. By the time you are reading this, it may already been out. It is a result of many months of development. Many features were proposed for this release. Some made into this version, others did not make it at least for now. So, now you may be wondering which interesting features really made it. Let me tell you more about some of the more interesting features present in this release.

The article mentions some of the usual major features that can be found in just about every "in PHP 5.4" list - traits, the built-in web server, binary notation for integers - but it also includes some of the features that didn't make the cut this time (like annotations and the inclusion of the APC caching extension). Also included are questions to ask to see if the upgrade is for you like:

• Do you need the new features?
• Do you need the updates now?
• Try it and test it in dev first - does it meet your needs or cause other bugs?

The planned release for PHP 5.4 is during the first week of February (2012). Additionally, if you'd like to give the PHP development group some help testing out the latest Release Candidate, you can find instructions here.

In this new post to his blog Nikita Popov looks at an update that might have gotten lost in the shuffle of new features coming in PHP 5.4 - some updates to htmlspecialchars.

One set of changes that I think is particularly important was largely overlooked: For PHP 5.4 cataphract (Artefacto on StackOverflow) heroically rewrote large parts of htmlspecialchars thus fixing various quirks and adding some really nice new features. Here a quick summary of the most important changes: UTF-8 as the default charset, improved error handling (ENT_SUBSTITUTE) and Doctype handling (ENT_HTML401,...).

He goes into each of these three main features in a bit more detail, providing code to illustrate the improved error handling and the new flags for Doctype handling (covering HTML 4.01, HTML 5, XML 1 and XHTML).

The PHP.net has announced the availability of the latest Release Candidate in the PHP 5.4.0 series - PHP 5.4.0 RC6:

The PHP development team announces the 6th release candidate of PHP 5.4. PHP 5.4 includes new language features and removes several legacy (deprecated) behaviours. Windows binaries can be downloaded from the Windows QA site. [...] The 6th release candidate focused on improving traits. Please test them carefully and help us to identify bugs in order to ensure that the release is solid and all things behave as expected.

You can download this latest release from the PHP QA site (Windows binaries) and test it on your local instance/applications. Any and all feedback about issues should be reported to either the QA mailing list or on the bug tracker. A complete list of updates is available in the NEWS file.

The PHP development group has officially announced the release of PHP 5.3.9, the latest in the 5.3.x series.

The PHP development team would like to announce the immediate availability of PHP 5.3.9. This release focuses on improving the stability of the PHP 5.3.x branch with over 90 bug fixes, some of which are security related.

Bugfixes and updates in this release include the max_input_vars directive, an autoloading issue with is_a and changes to the FPM SAPI module. You can see the full list of changes here or just go over and download this latest release and get to installing - source, Windows binaries.

The PHP development team has officially released PHP 5.4.0 RC5, the latest (and the second to last) release candidate for the next major version of the language.

The PHP development team announces the 5th release candidate of PHP 5.4. PHP 5.4 includes new language features and removes several legacy (deprecated) behaviours. Windows binaries can be downloaded from the Windows QA site.

Bugs fixed in this version include a few to the Core, SAPI/CLI SAPI, PHP-FPM support and improvements to the session extension. Download and test out this latest version on your systems - the more feedback they receive the better! You can report issues you might find on the PHP bug tracker.

As Paul Jones mentions in this new post to his blog the Aura project, a PHP framework, originally targeted at PHP 5.3 has changed its direction a bit - they've shifted from a focus on PHP 5.3 to the upcoming PHP 5.4 release.

When I initially announced the Aura project, it was targeted at PHP 5.3. With a stable release of PHP 5.4 impending, we have moved the target to PHP 5.4. In addition, we have made 1.0.0-beta1 releases of almost all the component packages. (See an earlier announcement from Hari KT.)

The components include: a dependency injection container, an autoloader and a view system that are all self-contained with no other dependencies. You can find the complete code for these containers (and one for combining them all into a single system) on the project's github page.

The latest version of PHP in the 5.4.0 release candidate series has been posted - PHP 5.4.0 RC4, complete with new features and lots of bugfixes.

The PHP development team is proud to announce the 4th release candidate of PHP 5.4. PHP 5.4 includes new language features and removes several legacy (deprecated) behaviours. Windows binaries can be downloaded from the Windows QA site. THIS IS A RELEASE CANDIDATE - DO NOT USE IT IN PRODUCTION! This is the 4th release candidate. The release candidate phase is intended as a period of bug fixing prior to the stable release. No new features should be included before the final version of PHP 5.4.0.

Updates in this release candidate include an update to the max_input_vars directive and a fix for a segfault in the traits code. You can find the full notes for the release in the NEWS file and can download the latest from the PHP.net site - source downloads, Windows binaries.

As mentioned on the main PHP.net site, the latest Release Candidate in the PHP 5.4.x series has been released - PHP 5.4.0RC3:

The PHP development team is proud to announce the third release candidate of PHP 5.4. PHP 5.4 includes new language features and removes several legacy (deprecated) behaviours. Windows binaries can be downloaded from the Windows QA site. THIS IS A RELEASE CANDIDATE - DO NOT USE IT IN PRODUCTION!. This is the third release candidate. The release candidate phase is intended as a period of bug fixing prior to the stable release. No new features should be included before the final version of PHP 5.4.0.

Major changes include the introduction of UTS #46 mapping support in the intl extension and the inclusion of SERVER_NAME and SERVER_PORT into the $_SERVER superglobal for CLI. You can find more changes listed in the NEWS file and can download the latest from the PHP.net site (or your favorite mirror): source, Windows binaries.