The PHP-QA team would like to announce the TestFest for the month of May 2008. The TestFest is an event that aims at improving the code coverage of the test suite for the PHP language itself. As part of this event, local User Groups (UG) are invited to join the TestFest. These UGs can meet physically or come together virtually. The point however is that people network to learn together. Aside from being an opportunity for all of you to make friends with like minded people in your (virtual) community, it also will hopefully reduce the work load for the PHP.net mentors.All it takes is someone to organize a UG to spearhead the event and to get others involved in writing phpt tests. The submissions will then be reviewed by members of php.net before getting included in the official test suite. Please visit the TestFest homepage to get additional details on the TestFest on how to get involved, either as a UG or by setting up the necessary infrastructure.

PHP.NET

The PHP development team would like to announce the immediate availability of PHP 4.4.8. It continues to improve the security and the stability of the 4.4 branch and all users are strongly encouraged to upgrade to it as soon as possible. This release wraps up all the outstanding patches for the PHP 4.4 series, and is therefore the last normal PHP 4.4 release. If necessary, releases to address security issues could be made until 2008-08-08. Security Enhancements and Fixes in PHP 4.4.8:Improved fix for MOPB-02-2007.Fixed an integer overflow inside chunk_split(). Identified by Gerhard Wagner.Fixed integer overlow in str[c]spn().Fixed regression in glob when open_basedir is on introduced by #41655 fix.Fixed money_format() not to accept multiple %i or %n tokens.Addded "max_input_nesting_level" php.ini option to limit nesting level of input variables. Fix for MOPB-03-2007.Fixed INFILE LOCAL option handling with MySQL - now not allowed when open_basedir or safe_mode is active.Fixed session.save_path and error_log values to be checked against open_basedir and safe_mode (CVE-2007-3378). For a full list of changes in PHP 4.4.8, see the ChangeLog.

PHP.NET

The PHP development team would like to announce the immediate availability of PHP 5.2.5. This release focuses on improving the stability of the PHP 5.2.x branch with over 60 bug fixes, several of which are security related. All users of PHP are encouraged to upgrade to this release. Further details about the PHP 5.2.5 release can be found in the release announcement for 5.2.5, the full list of changes is available in the ChangeLog for PHP 5.Security Enhancements and Fixes in PHP 5.2.5:Fixed dl() to only accept filenames. Reported by Laurent Gaffie.Fixed dl() to limit argument size to MAXPATHLEN (CVE-2007-4887). Reported by Laurent Gaffie.Fixed htmlentities/htmlspecialchars not to accept partial multibyte sequences. Reported by Rasmus LerdorfFixed possible triggering of buffer overflows inside glibc implementations of the fnmatch(), setlocale() and glob() functions. Reported by Laurent Gaffie.Fixed "mail.force_extra_parameters" php.ini directive not to be modifiable in .htaccess due to the security implications. Reported by SecurityReason.Fixed bug #42869 (automatic session id insertion adds sessions id to non-local forms).Fixed bug #41561 (Values set with php_admin_* in httpd.conf can be overwritten with ini_set()).For users upgrading to PHP 5.2 from PHP 5.0 and PHP 5.1, an upgrade guide is available here, detailing the changes between those releases and PHP 5.2.5.

PHP.NET

The PHP documentation team is pleased to announce the initial release of the new build system that generates the PHP Manual. Written in PHP, PhD ([PH]P based [D]ocBook renderer) builds are now available for viewing at docs.php.net. Everyone is encouraged to test and use this system so that bugs will be found and squashed. Once the new build system is stable, expect additional changes to the PHP manual that will include an improved navigation system and styling for OOP documentation. Feel free to set this developmental mirror as your default by using my.php.

PHP.NET

The PHP development team would like to announce the immediate availability of PHP 5.2.4. This release focuses on improving the stability of the PHP 5.2.X branch with over 120 various bug fixes in addition to resolving several low priority security bugs. All users of PHP are encouraged to upgrade to this release. Further details about the PHP 5.2.4 release can be found in the release announcement for 5.2.4, the full list of changes is available in the ChangeLog for PHP 5. Security Enhancements and Fixes in PHP 5.2.4:Fixed a floating point exception inside wordwrap() (Reported by Mattias Bengtsson)Fixed several integer overflows inside the GD extension (Reported by Mattias Bengtsson)Fixed size calculation in chunk_split() (Reported by Gerhard Wagner)Fixed integer overflow in str[c]spn(). (Reported by Stanislav Malyshev)Fixed money_format() not to accept multiple %i or %n tokens. (Reported by Stanislav Malyshev)Fixed zend_alter_ini_entry() memory_limit interruption vulnerability. (Reported by Stefan Esser)Fixed INFILE LOCAL option handling with MySQL extensions not to be allowed when open_basedir or safe_mode is active. (Reported by Stanislav Malyshev)Fixed session.save_path and error_log values to be checked against open_basedir and safe_mode (CVE-2007-3378) (Reported by Maksymilian Arciemowicz)Fixed a possible invalid read in glob() win32 implementation (CVE-2007-3806) (Reported by shinnai)Fixed a possible buffer overflow in php_openssl_make_REQ (Reported by zatanzlatan at hotbrev dot com)Fixed an open_basedir bypass inside glob() function (Reported by dr at peytz dot dk)Fixed a possible open_basedir bypass inside session extension when the session file is a symlink (Reported by c dot i dot morris at durham dot ac dot uk)Improved fix for MOPB-03-2007.Corrected fix for CVE-2007-2872. For users upgrading to PHP 5.2 from PHP 5.0 and PHP 5.1, an upgrade guide is available here, detailing the changes between those releases and PHP 5.2.4.

PHP.NET