Zend releases PHP 5.3.9 - Fixes DoS issues

as demonstrated at the 28th Chaos Communication Congress

Posted by on January 14, 2012

The developers of PHP have released PHP 5.3.9. It adds the ability to limit the number of parameters in a HTTP request. This will fix a denial of service attack which was demonstrated at the 28th Chaos Communication Congress. This flaw made hash collisions possible and could force a system to spend much more CPU time reordering hashed data structures. With the new max_input_vars directive, administrators can set this to a suitable low value and prevent the triggering of this exploit. This update also fixes an interger overflow when processing EXIF headers in JPEG files preventing this DoS exploit.

Also, there are several non-security related fixes to areas including memory management, SOAP, PHP-FPM SAPI, and garbage collection. A full list of changes can be found here.

The next Release Candidate of PHP 5.4.0 has been released. This marks the fifth release candidate, the first of which was released in November 2011. The developers are projecting one more release candidate before a final release.

PHP is distributed unders the terms of PHP License 3.01, a certified Open Source license.

← Return