The PHP development team would like to announce the immediate availability of PHP 5.4.5 and PHP 5.3.15. This release fixes over 30 bugs and includes a fix for a security-related overflow issue in the stream implementation. All users of PHP are encouraged to upgrade to PHP 5.4.5 or PHP 5.3.15.


Version 5.4.5
19-July-2012

Core
Fixed bug #62443 (Crypt SHA256/512 Segfaults With Malformed Salt)
Fixed bug #62432 (ReflectionMethod random corrupt memory on high concurrent)
Fixed bug #62373 (serialize() generates wrong reference to the object).
Fixed bug #62357 (compile failure: (S) Arguments missing for built-in function __memcmp)
Fixed bug #61998 (Using traits with method aliases appears to result in crash during execution)
Fixed bug #51094 (parse_ini_file() with INI_SCANNER_RAW cuts a value that includes a semi-colon)
Fixed potential overflow in _php_stream_scandir (CVE-2012-2688)

EXIF
Fixed information leak in ext exif

FPM
Fixed bug #62205 (php-fpm segfaults (null passed to strstr))
Fixed bug #62160 (Add process.priority to set nice(2) priorities)
Fixed bug #62153 (when using unix sockets, multiples FPM instances can be launched without errors)
Fixed bug #62033 (php-fpm exits with status 0 on some failures to start)
Fixed bug #61839 (Unable to cross-compile PHP with --enable-fpm)
Fixed bug #61835 (php-fpm is not allowed to run as root)
Fixed bug #61295 (php-fpm should not fail with commented 'user' for non-root start)
Fixed bug #61218 (FPM drops connection while receiving some binary values in FastCGI requests)
Fixed bug #61045 (fpm don't send error log to fastcgi clients). (fat)
Fixed bug #61026 (FPM pools can listen on the same address). (fat)

Iconv
Fixed bug #55042 (Erealloc in iconv.c unsafe)

Intl
Fixed bug #62083 (grapheme_extract() memory leaks)
Fixed bug #62081 (IntlDateFormatter constructor leaks memory when called twice)
Fixed bug #62070 (Collator::getSortKey() returns garbage)
Fixed bug #62017 (datefmt_create with incorrectly encoded timezone leaks pattern)
Fixed bug #60785 (memory leak in IntlDateFormatter constructor)
ResourceBundle constructor now accepts NULL for the first two arguments

JSON
Fixed bug #61359 (json_encode() calls too many reallocs)

libxml
Fixed bug #62266 (Custom extension segfaults during xmlParseFile with FPM SAPI)

Phar
Fixed bug #62227 (Invalid phar stream path causes crash)

Readline
Fixed bug #62186 (readline fails to compile - void function should not return a value)

Reflection
Fixed bug #62384 (Attempting to invoke a Closure more than once causes segfault)
Fixed bug #62202 (ReflectionParameter::getDefaultValue() memory leaks with constant)

Sockets
Fixed bug #62025 (__ss_family was changed on AIX 5.3)

SPL
Fixed bug #62433 (Inconsistent behavior of RecursiveDirectoryIterator to dot files)
Fixed bug #62262 (RecursiveArrayIterator does not implement Countable)

XML Writer
Fixed bug #62064 (memory leak in the XML Writer module)

Zip
Upgraded libzip to 0.10.

Version 5.3.15
19-July-2012

Zend Engine
Fixed bug #51094 (parse_ini_file() with INI_SCANNER_RAW cuts a value that includes a semi-colon)

COM
Fixed bug #62146 (com_dotnet cannot be built shared)

Core
Fixed potential overflow in _php_stream_scandir, CVE-2012-2688
Fixed bug #62432 (ReflectionMethod random corrupt memory on high concurrent)
Fixed bug #62443 (Crypt SHA256/512 Segfaults With Malformed Salt)

Fileinfo
Fixed magic file regex support

FPM
Fixed bug #61045 (fpm don't send error log to fastcgi clients)
Fixed bug #61835 (php-fpm is not allowed to run as root)
Fixed bug #61295 (php-fpm should not fail with commented 'user' for non-root start)
Fixed bug #61026 (FPM pools can listen on the same address)
Fixed bug #62033 (php-fpm exits with status 0 on some failures to start)
Fixed bug #62153 (when using unix sockets, multiples FPM instances can be launched without errors)
Fixed bug #62160 (Add process.priority to set nice(2) priorities)
Fixed bug #61218 (FPM drops connection while receiving some binary values in FastCGI requests)
Fixed bug #62205 (php-fpm segfaults (null passed to strstr))

Intl
Fixed bug #62083 (grapheme_extract() memory leaks)
Fixed bug #62081 (IntlDateFormatter constructor leaks memory when called twice)
Fixed bug #62070 (Collator::getSortKey() returns garbage)
Fixed bug #62017 (datefmt_create with incorrectly encoded timezone leaks pattern)
Fixed bug #60785 (memory leak in IntlDateFormatter constructor)

JSON
Reverted fix for bug #61537

Phar
Fixed bug #62227 (Invalid phar stream path causes crash)

Reflection
Fixed bug #62384 (Attempting to invoke a Closure more than once causes segfault)
Fixed bug #62202 (ReflectionParameter::getDefaultValue() memory leaks with constant)

SPL
Fixed bug #62262 (RecursiveArrayIterator does not implement Countable)

SQLite
Fixed open_basedir bypass, CVE-2012-3365

XML Writer
Fixed bug #62064 (memory leak in the XML Writer module)

Zip
Upgraded libzip to 0.10