On the PHPClasses.org blog there's a new post detailing an issue that came up in the PHP 5.3.9 release that caused a large security issue (PHP 5.3.10 has, however, already been released to correct the issue).

PHP 5.3.9 release was mostly meant to fix a security bug, but it introduced a new more serious bug. PHP 5.3.10 was just released to fix this issue. [...] This time it is a bug that allows arbitrary remote code execution. This means that it allows to run arbitrary code on the server, injected by an eventual attacker, so it can be used to cause many types of damage inside a server.

The upgrade to PHP 5.3.10 is highly recommended to prevent this issue from effecting your applications. The post also mentions the dropping of Suhosin support (a security plugin for PHP) on the Debian linux distribution's default installation and how the PHP community has reacted to the decision.

On the PEAR blog today there's an update about the migration over to github that 5 million lines of code has already made:

Since October 2011, 5 million lines of the PEAR codebase has shifted to github. Hand in hand with this shift has been the tireless work of Daniel C - someone who brazenly said "I will fix the failing packages!" in the tail end of last year.

As a result of his efforts a list has been created of known good packages to use with PHP 5.4. Other results include:

• All test infrastructure upgrading to PHP 5.4 release candidates
• All database driven test suites executing properly, catching a variety of simple bugs
• Hitting a point of "near zero" patches to be applied to unmaintained packages
• Increasingly, the PEAR QA team is delivering PHP 5.3+ friendly forks of existing packages

As Paul Jones mentions in this new post to his blog the Aura project, a PHP framework, originally targeted at PHP 5.3 has changed its direction a bit - they've shifted from a focus on PHP 5.3 to the upcoming PHP 5.4 release.

When I initially announced the Aura project, it was targeted at PHP 5.3. With a stable release of PHP 5.4 impending, we have moved the target to PHP 5.4. In addition, we have made 1.0.0-beta1 releases of almost all the component packages. (See an earlier announcement from Hari KT.)

The components include: a dependency injection container, an autoloader and a view system that are all self-contained with no other dependencies. You can find the complete code for these containers (and one for combining them all into a single system) on the project's github page.

In this quick new post to his blog Mark Story talks about two new errors he ran across when upgrading his installation to PHP 5.4, both showing up under E_ALL.

I've been running the PHP5.4 RC builds for the last few months, and there are some interesting changes in the upcoming PHP release. On top of all the great new features coming in PHP5.4. After updating to PHP5.4-RC4, a few things that used to not trigger errors and silently do the wrong thing, now trigger notices or warnings.

The two he mentions deal with a new warning on illegal string offsets and the other about string offsets ("Notice: String offset cast occurred"). You can find out about more changes in the PHP 5.4 series in the various Changelogs for each Release Candidate and beta release.

Lineke Kerckhoffs-Willems has a new post to her blog today with an update about their in-progress site that wants to share tech knowledge through video, ProTalk:

A lot has happened since my October post announcing ProTalk, the secret project I am working on with my friend, Kim Rowan. So much in fact that now seems the ideal time to update you on our progress! Now, down to business! Since announcing the project in early October we have achieved the [several] project milestones.

The milestones include hosting by Combell (who also host Joind.in), a new domain, a commitment from Ibuildings for a design/logo/wireframe set and a new twitter account.

ProTalk is a "community resource aiming to provide a central point of access to video and audio content with a PHP focus." For more information and to sign up for details when they launch, check out their new site.

On the Symfony Blog today they have an update on their latest community offering, SensioLabs Connect, a service connecting Symfony developers all around the world. It's been one week since the release and there's already some changes happening.

To celebrate our 1000th user on SensioLabs Connect in a week, we have just rolled out a new version that takes into account some of the feedback we had from the community after the launch.

Changes include updates to use Gravatar images if you choose not to upload a photo, fixes for a bug with email confirmations and a few new badges added to the system - "first 100 users", "attendees of SymfonyLive" and ones based on seniority in the community. A public API is in the works, but you can grab a profile in json by adding ".json" to the end of a profile URL (like Fabien's).

The PEAR blog has a recommendation for those that might not have updated their package udage in a while - there's been major changes in many packages, but two in particular.

We've had 60 releases since July. While most are often minor improvements or bug fixes; a number of packages really stand out. Net_DNS2, and HTTP_Request2. Each of these packages represents the second edition of their respective APIs; each having been honed over time to a point of stability.

Net_DNS2 gives you the ability to communicate and resolve host names/domain names inside of a PHP application. HTTP_Request2 gives you a simple way to perform HTTP requests.

Tom Jowitt has posted his third part in his "streamlined PHP development" series today focusing on working with databases and setting it up with your automated deployment system (parts one and two).

In the first two parts of this series we covered setting up the server and an introduction to Phing. This post will cover managing our database code with dbdeploy and Phing.

He points out that there's no "silver bullet" when it comes to automated database management but he's found dbdeploy as a good tool for his needs. He includes the configuration changes to get the database login information into Phing and a few new targets/tasks to add to the Phing configuration for initializing the database and applying patches.

On McGlockenshire.com there's a recent post looking at some of the features of the upcoming PHP 5.4 release and how they'll be glad to get rid of the "prehistoric cruft" that's accumulated around the language over the years.

It's incredibly rare for the Internals crew to ever consider breaking backwards compatibility, but some of the most important changes in PHP 5.4 do just that by removing old "features." None of these changes should impact modern PHP code. If somehow you get bitten by any of these changes, chances are that your code dates from the PHP 4 era.

Included in his list of updates/removals/improvements are things like the full removal of safe_mode, dropping register_globals, pulling out call time pass by reference and the removal of the session registration methods.

On the PEAR blog there's a new post talking about some of the things coming up in July that you might want to take note of.

There's nothing quite like having your blogging system go MIA for a while to give your community an overwhelming impression that no one is home. Thankfully; despite the radio silence between updates there's quite a lot to talk about!

The updates include mentions of several new PEPr proposals for packages related to Mercurial support, Twitter and holiday date validation. There's also a mention of the large amount of PEAR channels that are popping up and the future of PEAR in PHP 5.3+ with Pyrus.