PHP 5.2.7 Released
The PHP development team would like to
announce the immediate availability of PHP 5.2.7.
This release focuses on improving the stability of the PHP 5.2.x branch with over
120 bug fixes, several of which are security related. All users of PHP are
encouraged to upgrade to this release.
Security Enhancements and Fixes in PHP 5.2.7:
Upgraded PCRE to version 7.8 (Fixes CVE-2008-2371)
Fixed missing initialization of BG(page_uid) and BG(page_gid), reported by Maksymilian Arciemowicz.
Fixed incorrect php_value order for Apache configuration, reported by Maksymilian Arciemowicz.
Fixed a crash inside gd with invalid fonts (Fixes CVE-2008-3658).
Fixed a possible overflow inside memnstr (Fixes CVE-2008-3659).
Fixed security issues detailed in CVE-2008-2665 and CVE-2008-2666.
Fixed bug #45151 (Crash with URI/file..php (filename contains 2 dots)).(Fixes CVE-2008-3660)
Fixed bug #42862 (IMAP toolkit crash: rfc822.c legacy routine buffer overflow). (Fixes CVE-2008-2829)
Fixed extraction of zip files and directories with crafted entries, reported by Stefan Esser.
Further details about the PHP 5.2.7 release can be found in the release announcement for 5.2.7, the full list of changes is available in the ChangeLog for PHP 5.
Update (December 6th):
Added missing zip security fix