patches/packages/php-5.3.8-i486-1_slack12.1.tgz
Security fixes vs. 5.3.6 (5.3.7 was not usable):
Updated crypt_blowfish to 1.2. (CVE-2011-2483)
Fixed crash in error_log(). Reported by Mateusz Kocielski
Fixed buffer overflow on overlog salt in crypt().
Fixed bug #54939 (File path injection vulnerability in RFC1867
File upload filename). Reported by Krzysztof Kotowicz. (CVE-2011-2202)
Fixed stack buffer overflow in socket_connect(). (CVE-2011-1938)
Fixed bug #54238 (use-after-free in substr_replace()). (CVE-2011-1148)
For more information, see:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1148
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1938
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2202
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2483
For those upgrading from PHP 5.2.x, be aware that quite a bit has
changed, and it will very likely not 'drop in', but PHP 5.2.x is not
supported by php.net any longer, so there wasn't a lot of choice
in the matter. We're not able to support a security fork of
PHP 5.2.x here either, so you'll have to just bite the bullet on
this. You'll be better off in the long run. :)
(* Security fix *)