Sunday, July 15. 2007
I've been so busy the last few weeks I didn't get a chance to blog about the acceptance of my talk for ZendCon. So, here it is now, better late than never. This year has been quite busy in terms of PHP security, and many changes were made to make the language more secure.
The talk will try to summarize the many happenings in the PHP security world in a quick one hour talk, so it should be quite an interesting challenge.
Thursday, May 31. 2007
A little less than a month has passed and we have a new PHP 5 release, 5.2.3, which can be downloaded here. As with the prior patch level releases in the 5.2 branch, the work continued on improving stability (over 40 bug fixes) and security, with 6 additional security fixes and improvements added. Also, this version contains a few optimizations that hopefully will make this the fastest 5.2 release yet, with improvements in string processing, md5()/sha1() generation and a few fewer syscalls per request.
The official release announcement can be found here and the nitty gritty details can be seen in the ChangeLog.
I am also happy to say that two regressions introduced by prior releases were addressed, relating to timeouts on non-blocking SSL connections as well as the lack of HTTP_RAW_POST_DATA under certain conditions.
Thursday, May 17. 2007
Thanks to the surprisingly well-working wifi, the slides from the PHP Security Pitfalls talk are now available and can be downloaded here.
I hope everyone who was present at the talk found something interesting that will help them improve the security of their code.
Wednesday, May 16. 2007
The two tutorials at php|tek went rather well, I am still surprised my voice held up for 6 hours of talking. The slides in PDF form can be found below:
Securing PHP Applications
PHP & Performance
Thursday, May 3. 2007
PHP 5.2.2 is finally out and can be downloaded at the following URL:
http://www.php.net/downloads.php#v5
The release fixes over 120 different bugs in PHP and resolves the majority of the MOPB issues identified by Stefan Esser, as well as some security bugs that were identified by other security researchers and by PHP's own developers. You can find out the full details of the changes made via the release announcement as well as the line-by-line changelog.
I recommend that all users consider upgrading to this release regardless of the version that they are currently running. However, if you must stay on PHP 4, Derick released PHP 4.4.7 today as well, which contains the relevant security fixes.
Thursday, April 26. 2007
The 2nd release candidate of PHP 5.2.2 was just released and can be downloaded here:
Source Code:
http://downloads.php.net/ilia/php-5.2.2RC2.tar.bz2 (md5sum: 4752195cc5418686914ee1db08774763)
Win32 Binaries:
http://downloads.php.net/edink/php-5.2.2RC2-Win32.zip (md5sum: afa59d4219d83b7281f0101c9dae947e)
Since there were no major regressions in RC1 and RC2 only resolved pre-existing issues, the goal is to proceed with the final release next Thursday. To make sure that the release is solid and does not break any existing code I would like to ask everyone to test it against their code to see if everything still works as expected. If you identify any new issues since 5.2.1, please let me know.
Tuesday, April 10. 2007
The first release candidate of PHP 5.2.2 is now available for download here:
http://downloads.php.net/ilia/php-5.2.2RC1.tar.bz2 (262e36555c083d103259fea165faabaf)
http://downloads.php.net/ilia/php-5.2.2RC1.tar.gz (04e979787670d3d5e1c3e289104b65fa)
The focus of this release is twofold. Number one, we are continuing to stabilize the language, with over 60 bug fixes. The second goal was to improve the security of the language through an internal audit as well as by addressing previously unknown bugs identified by MOPB. As you can imagine, both these goals result in a rather extensive set of changes, so testing to make sure no new bugs or regressions were introduced is critical. Therefore I would like to ask everyone, over the next few weeks, to give this RC a shot with your code base to ensure there are no problems. I want to make 5.2.2 go out as soon as possible given the security improvements that it brings, with the next RC slated at just over 2 weeks from today (April 26th) and the final in early May.
If you come across any problems feel free to identify them by replying to this blog entry or by creating a bug report on http://bugs.php.net.
Saturday, March 17. 2007
Took a bit longer than I thought, but the slides from my Security Tutorial and the Migrating to PHP 5.2.1 talk are finally up and can be found on the talks page (scroll to the bottom).
I hope the people who attended the talks found them interesting, and I'd like to thank all the people who took the time to leave feedback, which was relayed to me amazingly fast by the organizers.
A big thanks should go to the organizers as well, who have done an amazing job in organizing the conference and the after-conference activities. Having a 5 star hotel for the conference was a very nice perk as well.
Tuesday, February 13. 2007
The slides for the Migrating to 5.2.1 from the Vancouver conference are now available, they can be found here:
http://ilia.ws/files/vancouver_php52.pdf
Monday, February 12. 2007
The slides from the caching talk in Vancouver are now available online and can be downloaded here:
http://ilia.ws/files/vancouver_cache.pdf
Thursday, February 8. 2007
It took a bit longer than originally anticipated, but PHP 5.2.1 was finally released today. Big thanks to all the people who have helped make this release possible by reporting bugs, identifying security issues and, of course, helping to resolve those issues and improving the language in general.
The focus of this release was making PHP 5.2 more stable and more secure. The complete shopping list of changes can be found here. The official release announcement can be found at http://www.php.net/releases/5_2_1.php, it details the major changes and all of the security fixes that have been made in this release.
Given the significant number of security issues that were resolved, my recommendation is that all users of PHP, especially those running really old versions (you know who you are), consider upgrading to this release as soon as possible. Not only will the security of your setup increase, but the stability and the performance of your PHP will improve as well.
The tarballs and the binaries that comprise this release can be found here: http://www.php.net/downloads.php
Tuesday, February 6. 2007
Through an interview on SecurityFocus Stefan Esser has just announced his plans for the "Month of PHP Bugs" (MOPB?) during March 2007.
It would be interesting to see what issues he discovers; hopefully most of them have already been reported to the PHP Security Team, in which case the upcoming 5.2.1 release will provide a resolution path for affected users. Hopefully, unlike the MOAB and MOKB, the reported issues are not going to be infamous 0-day vulnerabilities. If they are, however, which would be unfortunate, I think we'd be looking at a security-fix-only release in April, while releasing patches to address individual issues on a daily basis.
Either way, I have to look at this as a free security audit of PHP by someone with a clue about security, and ultimately, in the long run, it will only make PHP better, even if March is going to be rather busy.
Thursday, January 25. 2007
I've packaged what looks to be the final RC for the 5.2.1 release, RC4. This release fixes another dozen or so bugs since the last release and, from the feedback given, looks to be regression free. That said, I'd like to ask everyone to take a few minutes and try this RC with their code to make sure it really is as good as it seems and to ensure no new issues are introduced.
If you come across any issue please let me know via http://bugs.php.net, this blog, or the internals mailing list.
The tarballs for this release can be found here:
http://downloads.php.net/ilia/php-5.2.1RC4.tar.bz2 (md5sum: f50578276f653b1f523150e3ff987f03)
http://downloads.php.net/ilia/php-5.2.1RC4.tar.gz (md5sum: 361197eb2b21b36e2e20cb132da2cf16)
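Each RC announcement on this page publishes an md5sum next to its tarball, which is the check a tester should run before unpacking and building. The script below is an added example (not part of the original posts or of the php.net release tooling) that verifies a file on disk against a published digest and fails closed on mismatch. It assumes a POSIX shell with coreutils md5sum, BSD md5 or openssl available, and the demonstration runs on a constructed temporary file rather than a real tarball; the digest values used in the demo are the RFC 1321 test vectors for "abc" and the empty string, not the tarball digests above.

```shell
#!/bin/sh
# Added example: verify a downloaded release tarball against the md5sum
# published in the release announcement. Not code from the original post.
# Assumes: file already downloaded; md5sum, md5 (BSD) or openssl on PATH.

# md5_of FILE -> print only the lowercase hex digest of FILE
md5_of() {
    if command -v md5sum >/dev/null 2>&1; then
        md5sum "$1" | awk '{print $1}'
    elif command -v md5 >/dev/null 2>&1; then        # macOS / BSD
        md5 -q "$1"
    else
        openssl dgst -md5 "$1" | awk '{print $NF}'
    fi
}

# verify_md5 FILE EXPECTED -> 0 when the digest matches (case-insensitive),
# 1 when the file is missing or the digest differs. Never unpacks the file.
verify_md5() {
    file=$1
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    [ -f "$file" ] || { echo "missing: $file" >&2; return 1; }
    actual=$(md5_of "$file")
    if [ "$actual" = "$expected" ]; then
        echo "OK   $file"
        return 0
    fi
    echo "FAIL $file: expected $expected, got $actual" >&2
    return 1
}

# Demonstration on a constructed file (not a real tarball). The digests are
# the RFC 1321 test vectors: md5("abc") and md5("") respectively.
demo_file=$(mktemp)
printf 'abc' > "$demo_file"
if verify_md5 "$demo_file" 900150983cd24fb0d6963f7d28e17f72; then
    echo "intact file accepted"
fi
# A wrong digest (here, the digest of the empty string) must be rejected.
if verify_md5 "$demo_file" d41d8cd98f00b204e9800998ecf8427e 2>/dev/null; then
    echo "BUG: tampered file accepted"
else
    echo "mismatch rejected as expected"
fi
rm -f "$demo_file"
```

Run it as `verify_md5 php-5.2.1RC4.tar.bz2 f50578276f653b1f523150e3ff987f03` and only proceed to `tar xjf` when it prints OK. Keep in mind what the check does and does not give you: an md5sum copied from the same page that serves the tarball detects a truncated or corrupted download and a casual swap of the file, but an attacker who can alter the download can usually alter the listed digest too, and MD5 collisions had already been demonstrated by 2007. Where a signature or a digest published over a separate channel is available, prefer that.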
Thursday, January 18. 2007
The 3rd release candidate for PHP 5.2.1 is now available for download. The tarballs can be found here:
http://downloads.php.net/ilia/php-5.2.1RC3.tar.bz2 (d3889eda8c3471ce7cf2adb35a4de736)
http://downloads.php.net/ilia/php-5.2.1RC3.tar.gz (c5b3e5540d1951d4c4b976b8a39c09ab)
and the Win32 binaries will be available in short order.
Since the last release, there are over 20 different bug fixes resolving some annoying engine issues such as the tempval leak inside foreach(). We do not anticipate any regressions to be introduced by this RC, but I would still like to ask everyone to take a few minutes and test it against their code base. If you come across any issues please report them at http://bugs.php.net/.
Depending on the stability of this release it may either be followed by a final release or another RC; therefore your feedback is critical to determining whether or not the code is stable enough to warrant the 5.2.1 final.
Wednesday, January 17. 2007
Thanks to Steph's hard work, the last few months of weeklies are now available for reading. If you don't have the time to keep an eye on what's going on in the PHP community, especially on the developer mailing lists, the weeklies are a quick shortcut to getting yourself up to date.