The Artima Developer Community

PHP Buzz Forum
PHP Security Announcements

Chris Shiflett

Posts: 124
Nickname: shiflett
Registered: Sep, 2004

Chris Shiflett is a PHP security specialist and creative thinker.
PHP Security Announcements Posted: Dec 20, 2004 10:12 AM

This post originated from an RSS feed registered with PHP Buzz by Chris Shiflett.
Original Post: PHP Security Announcements
Feed Title: Chris Shiflett's Blog
Feed URL: http://www.feedburner.com/fb/static/error.html
Feed Description: Author, Consultant, Programmer, Speaker, Trainer

I've been asked about the "security issues" that prompted the release of PHP versions 4.3.0 and 5.0.3 enough times to warrant blogging about it. I understand the concern - you visit php.net and see:

The PHP Development Team would like to announce the immediate release of PHP 4.3.10 and PHP 5.0.3. These are maintenance releases that in addition to non-critical bug fixes address several very serious security issues.

Very serious security issues? That sounds "very serious." You read the PHP 5 ChangeLog (or maybe the PHP 4 one) and see a big list of changes. At most, you can identify two changes that might be security fixes:

  • Fixed potential problems with unserializing invalid serialize data.
  • Fixed a bug in addslashes() handling of the '\0' character.

Luckily, better information is available:

Update: Ilia points out the 4.3.10 release notes, which have more information.

Read: PHP Security Announcements
