Today it is exactly three years ago since PHP 5 has been released. In those three years it has seen many improvements over PHP 4. PHP 5 is fast, stable & production-ready and as PHP 6 is on the way, PHP 4 will be discontinued. The PHP development team hereby announces that support for PHP 4 will continue until the end of this year only. After 2007-12-31 there will be no more releases of PHP 4.4. We will continue to make critical security fixes available on a case-by-case basis until 2008-08-08. Please use the rest of this year to make your application suitable to run on PHP 5. For documentation on migration for PHP 4 to PHP 5, we would like to point you to our migration guide. There is additional information available in the PHP 5.0 to PHP 5.1 and PHP 5.1 to PHP 5.2 migration guides as well.

PHP.NET

The PHP development team would like to announce the immediate availability of PHP 5.2.3. This release continues to improve the security and the stability of the 5.X branch as well as addressing two regressions introduced by the previous 5.2 releases. These regressions relate to the timeout handling over non-blocking SSL connections and the lack of HTTP_RAW_POST_DATA in certain conditions. All users are encouraged to upgrade to this release. Further details about the PHP 5.2.3 release can be found in the release announcement for 5.2.3, the full list of changes is available in the ChangeLog for PHP 5. Security Enhancements and Fixes in PHP 5.2.3: Fixed an integer overflow inside chunk_split() (by Gerhard Wagner, CVE-2007-2872) Fixed possible infinite loop in imagecreatefrompng. (by Xavier Roche, CVE-2007-2756) Fixed ext/filter Email Validation Vulnerability (MOPB-45 by Stefan Esser, CVE-2007-1900) Fixed bug #41492 (open_basedir/safe_mode bypass inside realpath()) (by bugs dot php dot net at chsc dot dk) Improved fix for CVE-2007-1887 to work with non-bundled sqlite2 lib. Added mysql_set_charset() to allow runtime altering of connection encoding. For users upgrading to PHP 5.2 from PHP 5.0 and PHP 5.1, an upgrade guide is available here, detailing the changes between those releases and PHP 5.2.3.

PHP.NET

The PHP development team would like to announce the immediate availability of PHP 5.2.2 and availability of PHP 4.4.7. These releases are major stability and security enhancements of the 5.x and 4.4.x branches, and all users are strongly encouraged to upgrade to it as soon as possible. Further details about the PHP 5.2.2 release can be found in the release announcement for 5.2.2, the full list of changes is available in the ChangeLog for PHP 5. Details about the PHP 4.4.7 release can be found in the release announcement for 4.4.7, the full list of changes is available in the ChangeLog for PHP 4. Security Enhancements and Fixes in PHP 5.2.2 and PHP 4.4.7: Fixed CVE-2007-1001, GD wbmp used with invalid image size (by Ivan Fratric) Fixed asciiz byte truncation inside mail() (MOPB-33 by Stefan Esser) Fixed a bug in mb_parse_str() that can be used to activate register_globals (MOPB-26 by Stefan Esser) Fixed unallocated memory access/double free in in array_user_key_compare() (MOPB-24 by Stefan Esser) Fixed a double free inside session_regenerate_id() (MOPB-22 by Stefan Esser) Added missing open_basedir & safe_mode checks to zip:// and bzip:// wrappers. (MOPB-21 by Stefan Esser). Limit nesting level of input variables with max_input_nesting_level as fix for (MOPB-03 by Stefan Esser) Fixed CRLF injection inside ftp_putcmd(). (by loveshell[at]Bug.Center.Team) Fixed a possible super-global overwrite inside import_request_variables(). (by Stefano Di Paola, Stefan Esser) Fixed a remotely trigger-able buffer overflow inside bundled libxmlrpc library. (by Stanislav Malyshev) Security Enhancements and Fixes in PHP 5.2.2 only: Fixed a header injection via Subject and To parameters to the mail() function (MOPB-34 by Stefan Esser) Fixed wrong length calculation in unserialize S type (MOPB-29 by Stefan Esser) Fixed substr_compare and substr_count information leak (MOPB-14 by Stefan Esser) (Stas, Ilia) Fixed a remotely trigger-able buffer overflow inside make_http_soap_request(). (by Ilia Alshanetsky) Fixed a buffer overflow inside user_filter_factory_create(). (by Ilia Alshanetsky) Security Enhancements and Fixes in PHP 4.4.7 only: XSS in phpinfo() (MOPB-8 by Stefan Esser) While majority of the issues outlined above are local, in some circumstances given specific code paths they can be triggered externally. Therefor, we strongly recommend that if you use code utilizing the functions and extensions identified as having had vulnerabilities in them, you consider upgrading your PHP. For users upgrading to PHP 5.2 from PHP 5.0 and PHP 5.1, an upgrade guide is available here, detailing the changes between those releases and PHP 5.2.2.

PHP.NET

The PHP team is once again proud to participate in the Google Summer of Code, and we are still looking for project ideas from interested students. In case you want to spend the summer with your favorite Open Source project, PHP, and get some money for adding an interesting project to it, you should contact us at The deadline for submitting ideas is the 24th of March, 2007. Also, the current list of ideas includes suggested topics still looking for student participants.

PHP.NET

The PHP team is proud to once again participate in the Google Summer of Code. We are still looking for project ideas of interested students. In case you want to spend your summer with your favorite open source project, PHP, and get some money for adding an interesting project to it, you should contact us at The deadline for submitting ideas is the 24th of March 2007. The current list of ideas can be seen here http://php.net/ideas, which includes suggested topics still looking for student participants. If you have not heard of the Google Summer of Code, then have a look here http://code.google.com/soc.

PHP.NET