[atomic] PHP 5.2.12

scott
Atomicorp Staff - Site Admin

This is a release announcement for PHP 5.2.12. This is primarily a bugfix release, and a highly recommended update due to the nature of the security issues posed by 5.2.11 and below.

Changelog:
* Security Fixes
  o Fixed a safe_mode bypass in tempnam() identified by Grzegorz Stachowiak. (Rasmus)
  o Fixed an open_basedir bypass in posix_mkfifo() identified by Grzegorz Stachowiak. (Rasmus)
  o Added "max_file_uploads" INI directive, which can be set to limit the number of file uploads per-request to 20 by default, to prevent possible DOS via temporary file exhaustion. (Ilia)
  o Added protection for $_SESSION from interrupt corruption and improved "session.save_path" check, identified by Stefan Esser. (Stas)
  o Fixed bug #49785 (insufficient input string validation of htmlspecialchars()). (Moriyoshi, hello at iwamot dot com)
* Updated timezone database to version 2009.19 (2009s). (Derick)
* Added LIBXML_PARSEHUGE constant to override the maximum text size of a single text node when using libxml2.7.3+. (Kalle)
* Changed "post_max_size" php.ini directive to allow unlimited post size by setting it to 0. (Rasmus)
* Fixed error_log() to be binary safe when using message_type 3. (Jani)
* Fixed unnecessary invocation of setitimer when timeouts have been disabled. (Arvind Srinivasan)
* Fixed crash in com_print_typeinfo when an invalid typelib is given. (Pierre)
* Fixed crash in SQLiteDatabase::ArrayQuery() and SQLiteDatabase::SingleQuery() when calling using Reflection. (Felipe)
* Fixed crash when instantiating PDORow and PDOStatement through Reflection. (Felipe)
* Fixed memory leak in openssl_pkcs12_export_to_file(). (Felipe)
* Fixed bug #50445 (PDO-ODBC stored procedure call from Solaris 64-bit causes seg fault). (davbrown4 at yahoo dot com, Felipe)
* Fixed bug #50345 (nanosleep not detected properly on some solaris versions). (Jani)
* Fixed bug #50323 (Allow use of ; in values via ;; in PDO DSN). (Ilia, Pierrick)
* Fixed bug #50285 (xmlrpc does not preserve keys in encoded indexed arrays). (Felipe)
* Fixed bug #50282 (xmlrpc_encode_request() changes object into array in calling function). (Felipe)
* Fixed bug #50266 (conflicting types for llabs). (Jani)
* Fixed bug #50255 (isset() and empty() silently casts array to object). (Felipe)
* Fixed bug #50219 (soap call Segmentation fault on a redirected url). (Pierrick)
* Fixed bug #50209 (Compiling with libedit cannot find readline.h). (tcallawa at redhat dot com)
* Fixed bug #50207 (segmentation fault when concatenating very large strings on 64bit linux). (Ilia)
* Fixed bug #50195 (pg_copy_to() fails when table name contains schema). (Ilia)
* Fixed bug #50185 (ldap_get_entries() return false instead of an empty array when there is no error). (Jani)
* Fixed bug #50174 (Incorrectly matched docComment). (Felipe)
* Fixed bug #50168 (FastCGI fails with wrong error on HEAD request to non-existent file). (Dmitry)
* Fixed bug #50162 (Memory leak when fetching timestamp column from Oracle database). (Felipe)
* Fixed bug #50158 (FILTER_VALIDATE_EMAIL fails with valid addresses containing = or ?). (Pierrick)
* Fixed bug #50073 (parse_url() incorrect when ? in fragment). (Ilia)
* Fixed bug #50006 (Segfault caused by uksort()). (Felipe)
* Fixed bug #50005 (Throwing through Reflection modified Exception object makes segmentation fault). (Felipe)
* Fixed bug #49990 (SNMP3 warning message about security level printed twice). (Jani)
* Fixed bug #49985 (pdo_pgsql prepare() re-use previous aborted transaction). (ben dot pineau at gmail dot com, Ilia, Matteo)
* Fixed bug #49972 (AppendIterator undefined function crash). (Johannes)
* Fixed bug #49921 (Curl post upload functions changed). (Ilia)
* Fixed bug #49855 (import_request_variables() always returns NULL). (Ilia, sjoerd at php dot net)
* Fixed bug #49847 (exec() fails to return data inside 2nd parameter, given output lines >4095 bytes). (Ilia)
* Fixed bug #49809 (time_sleep_until() is not available on OpenSolaris). (Jani)
* Fixed bug #49757 (long2ip() can return wrong value in multi-threaded applications). (Ilia, Florian Anderiasch)
* Fixed bug #49738 (calling mcrypt() after mcrypt_generic_deinit() crashes). (Sriram Natarajan)
* Fixed bug #49719 (ReflectionClass::hasProperty returns true for a private property in base class). (Felipe)
* Fixed bug #49698 (Unexpected change in strnatcasecmp()). (Rasmus)
* Fixed bug #49677 (ini parser crashes with apache2 and using ${something} ini variables). (Jani)
* Fixed bug #49660 (libxml 2.7.3+ limits text nodes to 10MB). (Felipe)
* Fixed bug #49647 (DOMUserData does not exist). (Rob)
* Fixed bug #49630 (imap_listscan() function missing). (Felipe)
* Fixed bug #49627 (error_log to specified file does not log time according to date.timezone). (Dmitry)
* Fixed bug #49578 (make install-pear fails). (Hannes)
* Fixed bug #49536 (mb_detect_encoding() returns incorrect results when mbstring.strict_mode is turned on). (Moriyoshi)
* Fixed bug #49531 (CURLOPT_INFILESIZE sometimes causes warning "CURLPROTO_FILE cannot be set"). (Felipe)
* Fixed bug #49528 (UTF-16 strings prefixed by BOMs wrongly converted). (Moriyoshi)
* Fixed bug #49521 (PDO fetchObject sets values before calling constructor). (Pierrick)
* Fixed bug #49517 (cURL's CURLOPT_FILE prevents file from being deleted after fclose()). (Ilia)
* Fixed bug #49472 (Constants defined in Interfaces can be overridden). (Felipe)
* Fixed bug #49354 (mb_strcut() cuts wrong length when offset is in the middle of a multibyte character). (Moriyoshi)
* Fixed bug #49332 (Build error with Snow Leopard). (Scott)
* Fixed bug #49244 (Floating point NaN cause garbage characters). (Sjoerd)
* Fixed bug #49174 (crash when extending PDOStatement and trying to set queryString property). (Felipe)
* Fixed bug #49098 (mysqli segfault on error). (Rasmus)
* Fixed bug #48805 (IPv6 socket transport is not working). (Ilia)
* Fixed bug #48764 (PDO_pgsql::query() always uses implicit prepared statements if v3 proto available). (Matteo, Mark Kirkwood)
* Fixed bug #47848 (importNode doesn't preserve attribute namespaces). (Rob)
* Fixed bug #45120 (PDOStatement->execute() returns true then false for same statement). (Pierrick)
* Fixed bug #34852 (Failure in odbc_exec() using oracle-supplied odbc driver). (tim dot tassonis at trivadis dot com)

To upgrade:
yum upgrade php
mneese
Forum Regular

I have updated, but I wonder if there are any adjustments that need to be made in the php.ini file due to

Added "max_file_uploads" INI directive

Does this rewrite the php.ini file...?... and if it does, are we then required to re-enter changes we have made in the past?

Do the ASL rewrites stick?
scott
Atomicorp Staff - Site Admin

The php.ini will not be overwritten on a package upgrade. This is a standard design component of most rpm-based upgrades: if there is a newer config file, it will be named <original file name>.rpmnew. If a package ever overrides an existing config, that config will be renamed to <original file name>.rpmsave
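
Added example, not part of the original posts and not Atomicorp tooling: because the existing php.ini is kept on upgrade, a directive introduced by the new release (such as max_file_uploads) appears only in a packaged .rpmnew copy, if one was written. The shell functions below list directives that are set in the .rpmnew but missing from the live file; the function names and the sample file contents are constructed for illustration.

```shell
#!/bin/sh
# Added example: compare a live php.ini with the packaged php.ini.rpmnew
# and report directives the live file does not set.

# Print the active (uncommented) directive names of an ini file, sorted.
# Section headers like [PHP] and ';' comment lines do not match.
ini_keys() {
    sed -n 's/^[[:space:]]*\([A-Za-z_][A-Za-z0-9_.]*\)[[:space:]]*=.*/\1/p' "$1" \
        | LC_ALL=C sort -u
}

# missing_directives LIVE NEW
# Prints directive names that NEW sets and LIVE does not.
missing_directives() {
    live_keys=$(mktemp)
    new_keys=$(mktemp)
    ini_keys "$1" > "$live_keys"
    ini_keys "$2" > "$new_keys"
    # comm -13 keeps only the lines unique to the second (new) list.
    LC_ALL=C comm -13 "$live_keys" "$new_keys"
    rm -f "$live_keys" "$new_keys"
}

# Constructed sample files standing in for a locally edited php.ini and
# the .rpmnew written beside it (contents are illustrative, not the package's).
demo() {
    dir=$(mktemp -d)
    cat > "$dir/php.ini" <<'EOF'
[PHP]
; locally edited config kept by rpm
file_uploads = On
upload_max_filesize = 8M
post_max_size = 8M
EOF
    cat > "$dir/php.ini.rpmnew" <<'EOF'
[PHP]
file_uploads = On
upload_max_filesize = 2M
max_file_uploads = 20
post_max_size = 8M
EOF
    missing_directives "$dir/php.ini" "$dir/php.ini.rpmnew"
    rm -rf "$dir"
}

demo
```

A directive that is absent from the live php.ini falls back to PHP's built-in default, so the listing shows which limits are implicit rather than set by the administrator.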
Highland
Forum Regular

Does this include the 5.3 backports you were doing to 11-3?
"Its not a mac. I run linux... I'm actually cool." - scott
scott
Atomicorp Staff - Site Admin

Not yet; this was primarily a security and bugfix update.