PHP 5.4.15 / 5.5.0 RC 1 - Changelog

What's new in PHP 5.4.15:

May 9th, 2013

Core:
· Fixed bug #64578 (debug_backtrace in set_error_handler corrupts zend heap: segfault).
· Fixed bug #64458 (dns_get_record result with string of length -1).
· Fixed bug #64433 (follow_location parameter of context is ignored for most response codes).
· Fixed bug #47675 (fd leak on Solaris).
· Fixed bug #64577 (fd leak on Solaris).

Fileinfo:
· Upgraded libmagic to 5.14.

Streams:
· Fixed Windows x64 version of stream_socket_pair() and improved error handling.

Zip:
· Fixed bug #64342 (ZipArchive::addFile() has to check for file existence).

What's new in PHP 5.4.14:

April 11th, 2013

Core:
· Fixed bug #64529 (Ran out of opcode space).
· Fixed bug #64515 (Memoryleak when using the same variablename two times in function declaration).
· Fixed bug #64432 (more empty delimiter warning in strX methods).
· Fixed bug #64417 (ArrayAccess::&offsetGet() in a trait causes fatal error).
· Fixed bug #64370 (microtime(true) less than $_SERVER['REQUEST_TIME_FLOAT']).
· Fixed bug #64239 (Debug backtrace changed behavior since 5.4.10 or 5.4.11).
· Fixed bug #63976 (Parent class incorrectly using child constant in class property).
· Fixed bug #63914 (zend_do_fcall_common_helper_SPEC does not handle exceptions properly).
· Fixed bug #62343 (Show class_alias In get_declared_classes()).

PCRE:
· Merged PCRE 8.32.

SNMP:
· Fixed bug #61981 (OO API, walk: $suffix_as_key is not working correctly).

Zip:
· Fixed bug #64452 (Zip crash intermittently).

What's new in PHP 5.5.0 Alpha 6:

March 15th, 2013

Core:
· Fixed bug #49348 (Uninitialized ++$foo->bar; does not cause a notice).

Sockets:
· Fixed bug #64287 (sendmsg/recvmsg shutdown handler causes segfault).

PCRE:
· Merged PCRE 8.32.

DateTime:
· Fixed bug #64359 (strftime crash with VS2012).

What's new in PHP 5.4.12:

February 22nd, 2013

Core:
· Fixed bug #64099 (Wrong TSRM usage in zend_register_class alias).
· Fixed bug #64011 (get_html_translation_table() output incomplete with HTML_ENTITIES and ISO-8859-1).
· Fixed bug #63982 (isset() inconsistently produces a fatal error on protected property).
· Fixed bug #63943 (Bad warning text from strpos() on empty needle).
· Fixed bug #63899 (Use after scope error in zend_compile).
· Fixed bug #63893 (Poor efficiency of strtr() using array with keys of very different length).
· Fixed bug #63882 (zend_std_compare_objects crash on recursion).
· Fixed bug #63462 (Magic methods called twice for unset protected properties).
· Fixed bug #62524 (fopen follows redirects for non-3xx statuses).
· Support BITMAPV5HEADER in getimagesize().

Date:
· Fixed bug #63699 (Performance improvements for various ext/date functions).
· Fixed bug #55397 Comparsion of incomplete DateTime causes SIGSEGV.

FPM:
· Fixed bug #63999 (php with fpm fails to build on Solaris 10 or 11).

Litespeed:
· Fixed bug #63228 (-Werror=format-security error in lsapi code).

sqlite3:
· Fixed bug #63921 (sqlite3::bindvalue and relative PHP functions aren't using sqlite3_*_int64 API).

· PDO_OCI
· Fixed bug #57702 (Multi-row BLOB fetches).
· Fixed bug #52958 (Segfault in PDO_OCI on cleanup after running a long testsuite).

PDO_sqlite:
· Fixed bug #63916 (PDO::PARAM_INT casts to 32bit int internally even on 64bit builds in pdo_sqlite).

What's new in PHP 5.4.10:

December 20th, 2012

Core:
· Fixed bug #63635 (Segfault in gc_collect_cycles).
· Fixed bug #63512 (parse_ini_file() with INI_SCANNER_RAW removes quotes from value).
· Fixed bug #63468 (wrong called method as callback with inheritance).
· Fixed bug #63451 (config.guess file does not have AIX 7 defined, shared objects are not created).
· Fixed bug #61557 (Crasher in tt-rss backend.php).
· Fixed bug #61272 (ob_start callback gets passed empty string).

Date:
· bug #63666 (Poor date() performance).
· Fixed bug #63435 (Datetime::format('u') sometimes wrong by 1 microsecond).

Imap:
· Fixed bug #63126 (DISABLE_AUTHENTICATOR ignores array).

Json:
· Fixed bug #63588 (use php_next_utf8_char and remove duplicate implementation).

MySQLi:
· Fixed bug #63361 (missing header).

MySQLnd:
· Fixed bug #63398 (Segfault when polling closed link).

Fileinfo:
· Fixed bug #63590 (Different results in TS and NTS under Windows).

FPM:
· Fixed bug #63581 Possible null dereference and buffer overflow.

Pdo_sqlite:
· Fixed bug #63149 getColumnMeta should return the table name when system SQLite used.

Apache2 Handler SAPI:
· Enabled Apache 2.4 configure option for Windows.

Reflection:
· Fixed bug #63614 (Fatal error on Reflection).

SOAP:
· Fixed bug #63271 (SOAP wsdl cache is not enabled after initial requests).

Sockets:
· Fixed bug #49341 (Add SO_REUSEPORT support for socket_set_option()).

What's new in PHP 5.4.9:

November 23rd, 2012

Core:
· Fixed bug #63305 (zend_mm_heap corrupted with traits).
· Fixed bug #63369 ((un)serialize() leaves dangling pointers, causes crashes).
· Fixed bug #63241 (PHP fails to open Windows deduplicated files).
· daniel dot stelter-gliese at innogames dot de)
· Fixed bug #62444 (Handle leak in is_readable on windows).

Curl:
· Fixed bug #63363 (Curl silently accepts boolean true for SSL_VERIFYHOST).
· Patch by John Jawed GitHub PR #221

Fileinfo:
· Fixed bug #63248 (Load multiple magic files from a directory under Windows).

Libxml:
· Fixed bug #63389 (Missing context check on libxml_set_streams_context()
· causes memleak).

Mbstring:
· Fixed bug #63447 (max_input_vars doesn't filter variables when
· mbstring.encoding_translation = On).

OCI8:
· Fixed bug #63265 (Add ORA-00028 to the PHP_OCI_HANDLE_ERROR macro)

PCRE:
· Fixed bug #63180 (Corruption of hash tables).
· Fixed bug #63055 (Segfault in zend_gc with SF2 testsuite).
· Fixed bug #63284 (Upgrade PCRE to 8.31).

PDO:
· Fixed bug #63235 (buffer overflow in use of SQLGetDiagRec).

PDO_pgsql:
· Fixed bug #62593 (Emulate prepares behave strangely with PARAM_BOOL).

Phar:
· Fixed bug #63297 (Phar fails to write an openssl based signature).

Streams:
· Fixed bug #63240 (stream_get_line() return contains delimiter string).

Reflection:
· Fixed bug #63399 (ReflectionClass::getTraitAliases() incorrectly resolves
· traitnames).

What's new in PHP 5.4.7:

September 13th, 2012

Core:
· Fixed bug (segfault while build with zts and GOTO vm-kind). (Laruence)
· Fixed bug #62955 (Only one directive is loaded from "Per Directory Values"
· Windows registry).
· Fixed bug #62844 (parse_url() does not recognize //). (Andrew Faulds).
· Fixed bug #62829 (stdint.h included on platform where HAVE_STDINT_H is not
· set).
· Fixed bug #62763 (register_shutdown_function and extending class).
· Fixed bug #62725 (Calling exit() in a shutdown function does not return
· the exit value).
· Fixed bug #62744 (dangling pointers made by zend_disable_class).
· Fixed bug #62716 (munmap() is called with the incorrect length).
· Fixed bug #62358 (Segfault when using traits a lot).
· Fixed bug #62328 (implementing __toString and a cast to string fails)
· Fixed bug #51363 (Fatal error raised by var_export() not caught by error
· handler).
· Fixed bug #40459 (Stat and Dir stream wrapper methods do not call
· constructor).

CURL:
· Fixed bug #62912 (CURLINFO_PRIMARY_* AND CURLINFO_LOCAL_* not exposed).
· Fixed bug #62839 (curl_copy_handle segfault with CURLOPT_FILE).

DateTime:
· Fixed bug #62852 (Unserialize invalid DateTime causes crash).

Intl:
· Fixed Spoofchecker not being registered on ICU 49.1.
· Fix bug #62933 (ext/intl compilation error on icu 3.4.1).
· Fix bug #62915 (defective cloning in several intl classes).
Installation:
· Fixed bug #62460 (php binaries installed as binary.dSYM).

PCRE:
· Fixed bug #55856 (preg_replace should fail on trailing garbage).
· reg dot php at alf dot nu)
PDO:
· Fixed bug #62685 (Wrong return datatype in PDO::inTransaction()).

Reflection:
· Fixed bug #62892 (ReflectionClass::getTraitAliases crashes on importing
· trait methods as private). (Felipe)
· Fixed bug #62715 (ReflectionParameter::isDefaultValueAvailable() wrong
· result). (Laruence)

Session:
· Fixed bug (segfault due to retval is not initialized).
· Fixed bug (segfault due to PS(mod_user_implemented) not be reseted
· when close handler call exit).

SPL:
· Fixed bug #62904 (Crash when cloning an object which inherits SplFixedArray)
· Laruence)
· Implemented FR #62840 (Add sort flag to ArrayObject::ksort).

Standard:
· Fixed bug #62836 (Seg fault or broken object references on unserialize()).

FPM:
· Merged PR 121 by minitux to add support for slow request counting on PHP
· FPM status page. (Lars)

What's new in PHP 5.3.16:

September 13th, 2012

Core:
· Fixed bug #62763 (register_shutdown_function and extending class).
· Fixed bug #62744 (dangling pointers made by zend_disable_class).
· Fixed bug #62716 (munmap() is called with the incorrect length).
· Fixed bug #62460 (php binaries installed as binary.dSYM).
· Fixed bug #60194 (--with-zend-multibyte and --enable-debug reports LEAK with run-test.php).

CURL:
· Fixed bug #62839 (curl_copy_handle segfault with CURLOPT_FILE).
· Fixed bug #62499 (curl_setopt($ch, CURLOPT_COOKIEFILE, "") returns false).
· DateTime
· Fixed bug #62500 (Segfault in DateInterval class when extended).
· Enchant
· Fixed bug #62838 (enchant_dict_quick_check() destroys zval, but fails to initialize it).

PDO:
· Fixed bug #62685 (Wrong return datatype in PDO::inTransaction()).

Reflection:
· Fixed bug #62715 (ReflectionParameter::isDefaultValueAvailable() wrong result).

Session:
· Fixed bug (segfault due to retval is not initialized).

SPL:
· Fixed bug #62616 (ArrayIterator::count() from IteratorIterator instance gives Segmentation fault).

What's new in PHP 5.4.6:

August 16th, 2012

CLI Server:
· Implemented FR #62700 (have the console output 'Listening on http://localhost:8000').

Core:
· Fixed bug #62661 (Interactive php-cli crashes if include() is used in auto_prepend_file).
· Fixed bug #62653: (unset($array[$float]) causes a crash).
· Fixed bug #62565 (Crashes due non-initialized internal properties_table).
· Fixed bug #60194 (--with-zend-multibyte and --enable-debug reports LEAK with run-test.php).

CURL:
· Fixed bug #62499 (curl_setopt($ch, CURLOPT_COOKIEFILE, "") returns false).

DateTime:
· Fixed Bug #62500 (Segfault in DateInterval class when extended).

Fileinfo:
· Fixed bug #61964 (finfo_open with directory causes invalid free).

Intl:
· Fixed bug #62564 (Extending MessageFormatter and adding property causes crash).

MySQLnd:
· Fixed bug #62594 (segfault in mysqlnd_res_meta::set_mode).

readline:
· Fixed bug #62612 (readline extension compilation fails with sapi / cli / cli.h: No such file).

Reflection:
· Implemented FR #61602 (Allow access to name of constant used as default value).

SimpleXML:
· Implemented FR #55218 Get namespaces from current node.

SPL:
· Fixed bug #62616 (ArrayIterator::count() from IteratorIterator instance gives Segmentation fault).
· Fixed bug #61527 (ArrayIterator gives misleading notice on next() when moved to the end).

Streams:
· Fixed bug #62597 (segfault in php_stream_wrapper_log_error with ZTS build).

Zlib:
· Fixed bug #55544 (ob_gzhandler always conflicts with zlib.output_compression).

What's new in PHP 5.4.5:

July 19th, 2012

Core:
· Fixed bug #62443 (Crypt SHA256/512 Segfaults With Malformed
· Salt).
· Fixed bug #62432 (ReflectionMethod random corrupt memory on high
· concurrent).
· Fixed bug #62373 (serialize() generates wrong reference to the object).
· Fixed bug #62357 (compile failure: (S) Arguments missing for built-in
· function __memcmp).
· Fixed bug #61998 (Using traits with method aliases appears to result in
· crash during execution).
· Fixed bug #51094 (parse_ini_file() with INI_SCANNER_RAW cuts a value that
· includes a semi-colon).
· Fixed potential overflow in _php_stream_scandir (CVE-2012-2688).

EXIF:
· Fixed information leak in ext exif

FPM:
· Fixed bug #62205 (php-fpm segfaults (null passed to strstr)).
· Fixed bug #62160 (Add process.priority to set nice(2) priorities).
· Fixed bug #62153 (when using unix sockets, multiples FPM instances
· Fixed bug #62033 (php-fpm exits with status 0 on some failures to start).
· (fat)
· Fixed bug #61839 (Unable to cross-compile PHP with --enable-fpm).
· Fixed bug #61835 (php-fpm is not allowed to run as root).
· Fixed bug #61295 (php-fpm should not fail with commented 'user'
· Fixed bug #61218 (FPM drops connection while receiving some binary values
· in FastCGI requests).
· Fixed bug #61045 (fpm don't send error log to fastcgi clients).
· for non-root start). (fat)
· Fixed bug #61026 (FPM pools can listen on the same address).
· can be launched without errors).

Iconv:
· Fix bug #55042 (Erealloc in iconv.c unsafe).

Intl:
· Fixed bug #62083 (grapheme_extract() memory leaks).
· ResourceBundle constructor now accepts NULL for the first two arguments.
· Fixed bug #62081 (IntlDateFormatter constructor leaks memory when called
· twice).
· Fixed bug #62070 (Collator::getSortKey() returns garbage).
· Fixed bug #62017 (datefmt_create with incorrectly encoded timezone leaks
· pattern).
· Fixed bug #60785 (memory leak in IntlDateFormatter constructor).

JSON:
· Fixed bug #61359 (json_encode() calls too many reallocs).

libxml:
· Fixed bug #62266 (Custom extension segfaults during xmlParseFile with FPM
· SAPI).

Phar:
· Fixed bug #62227 (Invalid phar stream path causes crash).

Readline:
· Fixed bug #62186 (readline fails to compile - void function should not
· return a value).

Reflection:
· Fixed bug #62384 (Attempting to invoke a Closure more than once causes
· segfault).
· Fixed bug #62202 (ReflectionParameter::getDefaultValue() memory leaks
· with constant).

Sockets:
· Fixed bug #62025 (__ss_family was changed on AIX 5.3).

SPL:
· Fixed bug #62433 (Inconsistent behavior of RecursiveDirectoryIterator to
· dot files).
· Fixed bug #62262 (RecursiveArrayIterator does not implement Countable).


XML Writer:
· Fixed bug #62064 (memory leak in the XML Writer module).

Zip:
· Upgraded libzip to 0.10.1

What's new in PHP 5.4.4:

June 14th, 2012

· The release fixes multiple security issues: A weakness in the DES implementation of crypt and a heap overflow issue in the phar extension
· PHP 5.4.4 and PHP 5.3.14 fixes over 30 bugs. Please note that the use of php://fd streams is now restricted to the CLI SAPI

What's new in PHP 5.4.3:

May 9th, 2012

· PHP 5.4.3 fixes a buffer overflow vulnerability in the apache_request_headers() (CVE-2012-2329).

What's new in PHP 5.4.2:

May 4th, 2012

· There is a vulnerability in certain CGI-based setups (Apache+mod_php and nginx+php-fpm are not affected) that has gone unnoticed for at least 8 years. If you are using Apache mod_cgi to run PHP you may be vulnerable. To see if you are, just add ?-s to the end of any of your URLs. If you see your source code, you are vulnerable. If your site renders normally, you are not.

· To fix this, update to PHP 5.3.12 or PHP 5.4.2.

What's new in PHP 5.4.1:

April 27th, 2012

CLI Server:
· Fixed bug #61461 (missing checks around malloc() calls).
· Implemented #60850 (Built in web server does not set $_SERVER['SCRIPT_FILENAME'] when using router).

Core:
· Fixed crash in ZTS using same class in many threads.
· Fixed bug #61374 (html_entity_decode tries to decode code points that don't exist in ISO-8859-1).
· Fixed bug #61225 (Incorrect lexing of 0b00*+).
· Fixed bug #61106 (Segfault when using header_register_callback).
· Fixed bug #61052 (Missing error check in trait 'insteadof' clause).
· Fixed bug #61011 (Crash when an exception is thrown by __autoload accessing a static property).
· Fixed bug #60978 (exit code incorrect).
· Fixed bug #60911 (Confusing error message when extending traits).
· Fixed bug #60717 (Order of traits in use statement can cause a fatal error).
· Fixed bug #60573 (type hinting with "self" keyword causes weird errors).
· Fileinfo
· Fix fileinfo test problems.

Intl:
· Fixed bug #61487 (Incorrent bounds checking in grapheme_strpos).

mbstring:
· MFH mb_ereg_replace_callback() for security enhancements.

mysqlnd:
· Fixed bug #60948 (mysqlnd FTBFS when -Wformat-security is enabled).

Standard:
· Fixed memory leak in substr_replace.
· Make max_file_uploads ini directive settable outside of php.
· Fixed bug #61409 (Bad formatting on phpinfo()).
· Fixed bug #60222 (time_nanosleep() does validate input params).
· Fixed bug #60106 (stream_socket_server silently truncates long unix socket paths).

What's new in PHP 5.3.11:

April 27th, 2012

Core:
· Fixed bug #61650 (ini parser crashes when using ${xxxx} ini variables (without apache2)).
· Fixed bug #61273 (call_user_func_array with more than 16333 arguments leaks / crashes).
· Fixed bug #61165 (Segfault - strip_tags()).
· Fixed bug #61095 (Incorect lexing of 0x00*+).
· Fixed bug #61087 (Memory leak in parse_ini_file when specifying invalid scanner mode).
· Fixed bug #61072 (Memory leak when restoring an exception handler).
· Fixed bug #61058 (array_fill leaks if start index is PHP_INT_MAX).
· Fixed bug #61000 (Exceeding max nesting level doesn't delete numerical vars).
· Fixed bug #60895 (Possible invalid handler usage in windows random functions).
· Fixed bug #60825 (Segfault when running symfony 2 tests).
· Fixed bug #60801 (strpbrk() mishandles NUL byte).
· Fixed bug #60569 (Nullbyte truncates Exception $message).
· Fixed bug #60227 (header() cannot detect the multi-line header with CR).
· Fixed bug #60222 (time_nanosleep() does validate input params).
· Fixed bug #54374 (Insufficient validating of upload name leading to corrupted $_FILES indices). (CVE-2012-1172).
· Fixed bug #52719 (array_walk_recursive crashes if third param of the function is by reference).
· Improve performance of set_exception_handler while doing reset.
· Fixed bug #51860 (Include fails with toplevel symlink to /).

DOM:
· Added debug info handler to DOM objects.

FPM:
· Fixed bug #61430 (Transposed memset() params in sapi/fpm/fpm/fpm_shm.)
· Fixed bug #60811 (php-fpm compilation problem).

Fileinfo:
· Upgraded libmagic to 5.
· Fixed bug #61565 where php_stream_open_wrapper_ex tries to open a directory descriptor under windows.
· Fixed bug #61566 failure caused by the posix lseek and read versions under windows in cdf_read().
· Fixed bug #61173 (Unable to detect error from finfo constructor).
· Firebird Database extension (ibase)
· Fixed bug #60802 (ibase_trans() gives segfault when passing params).
· Ibase
· Fixed bug #60947 (Segmentation fault while executing ibase_db_info).

Installation:
· Fixed bug #61172 (Add Apache 2.4 support).

mysqli:
· Fixed bug #61003 (mysql_stat() require a valid connection).

PDO_mysql:
· Fixed bug #61207 (PDO::nextRowset() after a multi-statement query doesn't always work).
· Fixed bug #61194 (PDO should export compression flag with myslqnd).

PDO_odbc:
· Fixed bug #61212 (PDO ODBC Segfaults on SQL_SUCESS_WITH_INFO).

PDO_pgsql:
· Fixed bug #61267 (pdo_pgsql's PDO::exec() returns the number of SELECTed rows on postgresql >= 9).
· PDO_Sqlite extension
· Add createCollation support.

pgsql:
· Fixed bug #60718 (Compile problem with libpq (PostgreSQL 7.3 or less).

Phar:
· Fixed bug #61184 (Phar::webPhar() generates headers with trailing NUL bytes).

Readline:
· Fixed bug #61088 (Memory leak in readline_callback_handler_install).
· Add open_basedir checks to readline_write_history and readline_read_history.

· Reflection"
· Fixed bug #61388 (ReflectionObject:getProperties() issues invalid reads when get_properties returns a hash table with (inaccessible) dynamic numeric properties).
· Fixed bug #60968 (Late static binding doesn't work with ReflectionMethod::invokeArgs()).

Session:
· Fixed bug #60860 (session.save_handler=user without defined function core dumps).
· Fixed bug #60634 (Segmentation fault when trying to die() in SessionHandler::write()).

SOAP:
· Fixed bug #61423 (gzip compression fails).
· Fixed bug #60887 (SoapClient ignores user_agent option and sends no User-Agent header).
· Fixed bug #60842, Fixed bug #51775 (Chunked response parsing error when chunksize length line is > 10 bytes).
· Fixed bug #49853 (Soap Client stream context header option ignored).

SPL:
· Fixed memory leak when calling SplFileInfo's constructor twice.
· Fixed bug #61418 (Segmentation fault when DirectoryIterator's or FilesystemIterator's iterators are requested more than once without having had its dtor callback called in between).
· Fixed bug #61347 (inconsistent isset behavior of Arrayobject).
· Fixed bug #61326 (ArrayObject comparison).
· SQLite3 extension
· Add createCollation() method.

Streams:
· Fixed bug #61371 (stream_context_create() causes memory leaks on use streams_socket_create).
· Fixed bug #61253 (Wrappers opened with errors concurrency problem on ZTS).
· Fixed bug #61115 (stream related segfault on fatal error in php_stream_context_link).
· Fixed bug #60817 (stream_get_line() reads from stream even when there is already sufficient data buffered). stream_get_line() now behaves more like fgets(), as is documented.
· Further fix for bug Fixed bug #60455 (stream_get_line misbehaves if EOF is not detected together with the last read).
· Fixed bug #60106 (stream_socket_server silently truncates long unix socket paths).

Tidy:
· Fixed bug #54682 (tidy null pointer dereference).

XMLRPC:
· Fixed bug #61264 (xmlrpc_parse_method_descriptions leaks temporary variable).
· Fixed bug #61097 (Memory leak in xmlrpc functions copying zvals).

Zlib:
· Fixed bug #61306 (initialization of global inappropriate for ZTS).
· Fixed bug #61287 (A particular string fails to decompress).
· Fixed bug #61139 (gzopen leaks when specifying invalid mode).

What's new in PHP 5.4.0:

March 3rd, 2012

· autoconf 2.59+ is now supported (and required) for generating the configure script with ./buildconf. Autoconf 2.60+ is desirable otherwise the configure help order may be incorrect.

Removed legacy features:
· break/continue $var syntax.
· Safe mode and all related ini options.
· register_globals and register_long_arrays ini options.
· import_request_variables().
· allow_call_time_pass_reference.
· define_syslog_variables ini option and its associated function.
· highlight.bg ini option.
· Session bug compatibility mode (session.bug_compat_42 and session.bug_compat_warn ini options).
· session_is_registered(), session_register() and session_unregister() functions.
· y2k_compliance ini option.
· magic_quotes_gpc, magic_quotes_runtime and magic_quotes_sybase ini options. get_magic_quotes_gpc, get_magic_quotes_runtime are kept but always return false, set_magic_quotes_runtime raises an E_CORE_ERROR.
· Removed support for putenv("TZ=..") for setting the timezone.
· Removed the timezone guessing algorithm in case the timezone isn't set with date.timezone or date_default_timezone_set(). Instead of a guessed timezone, "UTC" is now used instead.

Moved extensions to PECL:
· ext/sqlite. (Note: the ext/sqlite3 and ext/pdo_sqlite extensions are not affected)

General improvements:
· Added short array syntax support ([1,2,3]), see UPGRADING guide for full details.
· Added binary numbers format (0b001010).
· Added support for Class::{expr}() syntax.
· Added multibyte support by default. Previously php had to be compiled with enable-zend-multibyte. Now it can be enabled or disabled through zend.multibyte directive in php.ini.
· Removed compile time dependency from ext/mbstring.
· Added support for Traits.
· Added closure $this support back.
· Added array dereferencing support.
· Added callable typehint.
· Added indirect method call through array. #47160.
· Added DTrace support.
· Added class member access on instantiation (e.g. (new foo)->bar()) support.
· is now always available regardless of the short_open_tag setting.
Implemented Zend Signal Handling (configurable option enable-zend-signals, off by default):
· Improved output layer, see README.NEW-OUTPUT-API for internals.
· Improved unix build system to allow building multiple PHP binary SAPIs and one SAPI module the same time. #53271, #52419.
· Implemented closure rebinding as parameter to bindTo.
· Improved the warning message of incompatible arguments.
· Improved ternary operator performance when returning arrays.
· Changed error handlers to only generate docref links when the docref_root INI setting is not empty.
· Changed silent conversion of array to string to produce a notice.
· Changed default value of "default_charset" php.ini option from ISO-8859-1 to UTF-8.
· Changed silent casting of null/''/false into an Object when adding a property into a warning.
· Changed E_ALL to include E_STRICT.
· Disabled windows CRT warning by default, can be enabled again using the ini directive windows_show_crt_warnings.
· Fixed bug #55378: Binary number literal returns float number though its value is small enough.

Improved Zend Engine memory usage:
· Improved parse error messages.
· Replaced zend_function.pass_rest_by_reference by ZEND_ACC_PASS_REST_BY_REFERENCE in zend_function.fn_flags.
· Replaced zend_function.return_reference by ZEND_ACC_RETURN_REFERENCE in zend_function.fn_flags.
· Removed zend_arg_info.required_num_args as it was only needed for internal functions. Now the first arg_info for internal functions (which has special meaning) is represented by zend_internal_function_info structure.
· Moved zend_op_array.size, size_var, size_literal, current_brk_cont, backpatch_count into CG(context) as they are used only during compilation.
· Moved zend_op_array.start_op into EG(start_op) as it's used only for 'interactive' execution of single top-level op-array.
· Replaced zend_op_array.done_pass_two by ZEND_ACC_DONE_PASS_TWO in zend_op_array.fn_flags.
· op_array.vars array is trimmed (reallocated) during pass_two.
· Replaced zend_class_entry.constants_updated by ZEND_ACC_CONSTANTS_UPDATED in zend_class_entry.ce_flags.
· Reduced the size of zend_class_entry by sharing the same memory space by different information for internal and user classes. See zend_class_entry.info union.
· Reduced size of temp_variable.

Improved Zend Engine, performance tweaks and optimizations:
· Inlined most probable code-paths for arithmetic operations directly into executor.
· Eliminated unnecessary iterations during request startup/shutdown.
· Changed $GLOBALS into a JIT autoglobal, so it's initialized only if used. (this may affect opcode caches!)
· Improved performance of @ (silence) operator.
· Simplified string offset reading. $str[1][0] is now a legal construct.
· Added caches to eliminate repeatable run-time bindings of functions, classes, constants, methods and properties.
· Added concept of interned strings. All strings constants known at compile time are allocated in a single copy and never changed.
· ZEND_RECV now always has IS_CV as its result.
· ZEND_CATCH now has to be used only with constant class names.
· ZEND_FETCH_DIM_? may fetch array and dimension operands in different order.
· Simplified ZEND_FETCH_*_R operations. They can't be used with the EXT_TYPE_UNUSED flag any more. This is a very rare and useless case. ZEND_FREE might be required after them instead.
· Split ZEND_RETURN into two new instructions ZEND_RETURN and ZEND_RETURN_BY_REF.
· Optimized access to global constants using values with pre-calculated hash_values from the literals table.
· Optimized access to static properties using executor specialization. A constant class name may be used as a direct operand of ZEND_FETCH_* instruction without previous ZEND_FETCH_CLASS.
· zend_stack and zend_ptr_stack allocation is delayed until actual usage.

Other improvements to Zend Engine:
· Added an optimization which saves memory and emalloc/efree calls for empty HashTables.
· Added ability to reset user opcode handlers.
· Changed the structure of op_array.opcodes. The constant values are moved from opcode operands into a separate literal table.
· Fixed (disabled) inline-caching for ZEND_OVERLOADED_FUNCTION methods.
· Fixed bug #43200 (Interface implementation / inheritence not possible in abstract classes).

Improved core functions:
· Added optional argument to debug_backtrace() and debug_print_backtrace() to limit the amount of stack frames returned.
· Added hex2bin() function.
· number_format() no longer truncates multibyte decimal points and thousand separators to the first byte. #53457.
· Added support for object references in recursive serialize() calls. #36424.
· Added support for SORT_NATURAL and SORT_FLAG_CASE in array sort functions (sort, rsort, ksort, krsort, asort, arsort and array_multisort). #55158.
· Added stream metadata API support and stream_metadata() stream class handler.
· User wrappers can now define a stream_truncate() method that responds to truncation, e.g. through ftruncate(). #53888.
· Improved unserialize() performance.
· Changed array_combine() to return empty array instead of FALSE when both parameter arrays are empty. #34857.
· Fixed invalid free in call_user_method() function.
· Fixed crypt_blowfish handling of 8-bit characters. (CVE-2011-2483).
· Fixed bug #61095 (Incorect lexing of 0x00*+).
· Fixed bug #60965 (Buffer overflow on htmlspecialchars/entities with $double=false).
· Fixed bug #60895 (Possible invalid handler usage in windows random functions).
· Fixed bug #60879 (unserialize() Does not invoke __wakeup() on object).
· Fixed bug #60825 (Segfault when running symfony 2 tests).
· Fixed bug #60809 (TRAITS - PHPDoc Comment Style Bug).
· Fixed bug #60627 (httpd.worker segfault on startup with php_value).
· Fixed bug #60613 (Segmentation fault with $cls->{expr}() syntax).
· Fixed bug #60611 (Segmentation fault with Cls::{expr}() syntax).
· Fixed bug #60558 (Invalid read and writes).
· Fixed bug #60536 (Traits Segfault).
· Fixed bug #60444 (Segmentation fault with include & class extending).
· Fixed bug #60362 (non-existent sub-sub keys should not have values).
· Fixed bug #60350 (No string escape code for ESC (ascii 27), normally \e).
· Fixed bug #60321 (ob_get_status(true) no longer returns an array when buffer is empty).
· Fixed bug #60282 (Segfault when using ob_gzhandler() with open buffers).
· Fixed bug #60240 (invalid read/writes when unserializing specially crafted strings).
· Fixed bug #60227 (header() cannot detect the multi-line header with CR(0x0D)).
· Fixed bug #60174 (Notice when array in method prototype error).
· Fixed bug #60169 (Conjunction of ternary and list crashes PHP).
· Fixed bug #60120 (proc_open's streams may hang with stdin/out/err when
· the data exceeds or is equal to 2048 bytes).
· Fixed bug #60099 (__halt_compiler() works in braced namespaces).
· Fixed bug #60038 (SIGALRM cause segfault in php_error_cb).
· Fixed bug #55874 (GCC does not provide __sync_fetch_and_add on some archs).
· Fixed bug #55871 (Interruption in substr_replace()).
· Fixed bug #55825 (Missing initial value of static locals in trait methods).
· Fixed bug #55801 (Behavior of unserialize has changed).
· Fixed bug #55622 (memory corruption in parse_ini_string).
· Fixed bug #55758 (Digest Authenticate missed in 5.4) .
· Fixed bug #55748 (multiple NULL Pointer Dereference with zend_strndup()) (CVE-2011-4153).
· Fixed bug #55749 (TOCTOU issue in getenv() on Windows builds).
· Fixed bug #55705 (Omitting a callable typehinted argument causes a segfault).
· Fixed bug #55475 (is_a() triggers autoloader, new optional 3rd argument to is_a and is_subclass_of).
· Fixed bug #55471 (ZTS build broken with dtrace).
· Fixed bug #55124 (recursive mkdir fails with current (dot) directory in path).
· Fixed bug #55084 (Function registered by header_register_callback is called only once per process).
· Implement #54514 (Get php binary path during script execution).
· Fixed bug #52624 (tempnam() by-pass open_basedir with nonexistent directory).
· Fixed bug #52211 (iconv() returns part of string on error).
· Fixed bug #51860 (Include fails with toplevel symlink to /).

Improved generic SAPI support:
· Added $_SERVER['REQUEST_TIME_FLOAT'] to include microsecond precision.
· Added max_input_vars directive to prevent attacks based on hash collisions.
· Added header_register_callback() which is invoked immediately prior to the sending of headers and after default headers have been added.
· Added http_response_code() function. #52555.
· Fixed bug #55500 (Corrupted $_FILES indices lead to security concern).
· Fixed bug #54374 (Insufficient validating of upload name leading to corrupted $_FILES indices).

Improved Apache SAPI:
· Fixed bug #60205 (possible integer overflow in content_length).

Improved CLI SAPI:
· Added friendly log messages. #55109.
· Added built-in web server that is intended for testing purpose.
· Added command line option --rz which shows information of the named Zend extension.
· Interactive readline shell improvements
· Added "cli.pager" php.ini setting to set a pager for output.
· Added "cli.prompt" php.ini setting to configure the shell prompt.
· Added shortcut #inisetting=value to change ini settings at run-time.
· Changed shell not to terminate on fatal errors.
· Interactive shell works with shared readline extension. #53878.
· Fixed bug #60591 (Memory leak when access a non-exists file).
· Fixed bug #60523 (PHP Errors are not reported in browsers using built-in SAPI).
· Fixed bug #60477 (Segfault after two multipart/form-data POST requests, one 200 RQ and one 404).
· Implement #60390 (Missing $_SERVER['SERVER_PORT']).
· Fixed bug #60180 ($_SERVER["PHP_SELF"] incorrect).
· Fixed bug #60159 (Router returns false, but POST is not passed to requested resource).
· Fixed bug #60146 (Last 2 lines of page not being output).
· Fixed bug #60115 (memory definitely lost in cli server).
· Fixed bug #60112 (If URI does not contain a file, index.php is not served).
· Fixed bug #55759 (memory leak when using built-in server).
· Fixed bug #55755 (SegFault when outputting header WWW-Authenticate).
· Fixed bug #55747 (request headers missed in $_SERVER).
· Fixed bug #55726 (Changing the working directory makes router script inaccessible).
· Fixed bug #55463 (cli-server missing _SERVER[REMOTE_ADDR]).
· Fixed bug #55450 (Built in web server not accepting file uploads).
· Fixed bug #55423 (cli-server could not output correctly in some case).

Improved CGI/FastCGI SAPI:
· Added apache compatible functions: apache_child_terminate(), getallheaders(), apache_request_headers() and apache_response_headers().
· Improved performance of FastCGI request parsing.
· Fixed reinitialization of SAPI callbacks after php_module_startup().

Improved PHP-FPM SAPI:
· Added partial syslog support (on error_log only). #52052.
· Added .phar to default authorized extensions.
· Added process.max to control the number of process FPM can fork. #55166.
· Dropped restriction of not setting the same value multiple times, the last one holds.
· Lowered default value for Process Manager. #54098.
· Enhanced security by limiting access to user defined extensions. #55181.
· Enhanced error log when the primary script can't be open. #60199.
· Removed EXPERIMENTAL flag.
· Fixed bug #60659 (FPM does not clear auth_user on request accept).
· Fixed bug #60629 (memory corruption when web server closed the fcgi fd).

Improved Litespeed SAPI:
· Fixed bug #55769 (Make Fails with "Missing Separator" error).
· Improved BCmath extension
· Fixed bug #60377 (bcscale related crashes on 64bits platforms).

Improved CURL extension:
· Added support for CURLOPT_MAX_RECV_SPEED_LARGE and CURLOPT_MAX_SEND_SPEED_LARGE. #51815.
· Fixed bug #60439 (curl_copy_handle segfault when used with CURLOPT_PROGRESSFUNCTION).

Improved Date extension:
· Added the + modifier to parseFromFormat to allow trailing text in the string to parse without throwing an error.
· Improved DBA extension
· Added Tokyo Cabinet abstract DB support.
· Added Berkeley DB 5 support.

Improved DOM extension:
· Added the ability to pass options to loadHTML.
· Improved filesystem functions
· scandir() now accepts SCANDIR_SORT_NONE as a possible sorting_order value. #53407.

Improved fileinfo extension:
· Fixed possible memory leak in finfo_open().
· Fixed memory leak when calling the Finfo constructor twice.
· Fixed bug #60094 (C++ comment fails in c89).

Improved HASH extension:
· Added Jenkins's one-at-a-time hash support.
· Added FNV-1 hash support.
· Made Adler32 algorithm faster. #53213.
· Removed Salsa10/Salsa20, which are actually stream ciphers.
· Fixed bug #60221 (Tiger hash output byte order).

Improved intl extension:
· Added Spoofchecker class, allows checking for visibly confusable characters and other security issues.
· Added Transliterator class, allowing transliteration of strings.
· Added support for UTS #46.
· Fixed memory leak in several Intl locale functions.
· Fixed build on Fedora 15 / Ubuntu 11.
· Fixed bug #55562 (grapheme_substr() returns false on big length).

Improved JSON extension:
· Added new json_encode() option JSON_UNESCAPED_UNICODE. #53946.
· Added JsonSerializable interface.
· Added JSON_BIGINT_AS_STRING, extended json_decode() sig with $options.
· Added support for JSON_NUMERIC_CHECK option in json_encode() that converts numeric strings to integers.
· Added new json_encode() option JSON_UNESCAPED_SLASHES. #49366.
· Added new json_encode() option JSON_PRETTY_PRINT. #44331.

Improved LDAP extension:
· Added paged results support. #42060.

Improved mbstring extension:
· Added Shift_JIS/UTF-8 Emoji (pictograms) support.
· Added JIS X0213:2004 (Shift_JIS-2004, EUC-JP-2004, ISO-2022-JP-2004) support.
· Ill-formed UTF-8 check for security enhancements.
· Added MacJapanese (Shift_JIS) and gb18030 encoding support.
· Added encode/decode in hex format to mb_[en|de]code_numericentity().
· Added user JIS X0213:2004 (Shift_JIS-2004, EUC-JP-2004, ISO-2022-JP-2004) support.
· Added the user defined area for CP936 and CP950.
· Fixed possible crash in mb_ereg_search_init() using empty pattern.
· Fixed bug #60306 (Characters lost while converting from cp936 to utf8).

Improved MS SQL extension:
· Fixed bug #60267 (Compile failure with freetds 0.91).
· Improved MySQL extensions
· MySQL: Deprecated mysql_list_dbs(). #50667.
· mysqlnd: Added named pipes support. #48082.
· MySQLi: Added iterator support in MySQLi. mysqli_result implements Traversable.
· PDO_mysql: Removed support for linking with MySQL client libraries older than 4.1.
· ext/mysql, mysqli and pdo_mysql now use mysqlnd by default.
· Fixed bug #55473 (mysql_pconnect leaks file descriptors on reconnect).
· Fixed bug #55653 (PS crash with libmysql when binding same variable as param and out).

Improved OpenSSL extension:
· Added AES support. #48632.
· Added a "no_ticket" SSL context option to disable the SessionTicket TLS extension. #53447.
· Added no padding option to openssl_encrypt()/openssl_decrypt().
· Use php's implementation for Windows Crypto API in openssl_random_pseudo_bytes.
· On error in openssl_random_pseudo_bytes() made sure we set strong result to false.
· Fixed segfault with older versions of OpenSSL.
· Fixed possible attack in SSL sockets with SSL 3.0 / TLS 1.0. CVE-2011-3389.
· Fixed bug #61124 (Crash when decoding an invalid base64 encoded string).
· Fixed bug #60279 (Fixed NULL pointer dereference in stream_socket_enable_crypto, case when ssl_handle of session_stream is not initialized.

Improved Oracle Database extension (OCI8):
· Increased maximum Oracle error message buffer length for new 11.2.0.3 size.
· Improved internal initalization failure error messages.
· Fixed bug #59985 (show normal warning text for OCI_NO_DATA).
· Improved PDO
· Fixed PDO objects binary incompatibility.
· PDO DBlib driver
· Added nextRowset support.
· Fixed bug #60033 (Incorrectly merged PDO dblib patches break uniqueidentifier column type).
· Fixed bug #50755 (PDO DBLIB Fails with OOM).
· Improved Pdo Firebird driver
· Fixed bug #53280 (segfaults if query column count less than param count).
· Fixed bug #48877 ("bindValue" and "bindParam" do not work for PDO Firebird).
· Fixed bug #47415 (segfaults when passing lowercased column name to bindColumn).

Improved PostgreSQL extension:
· Added support for "extra" parameter for PGNotify().

Improved preg extension:
· Changed third parameter of preg_match_all() to optional. #53238.

Improved readline extension:
· Fixed bug #54450 (Enable callback support when built against libedit).

Improved Reflection extension:
· Added ReflectionClass::newInstanceWithoutConstructor() to create a new instance of a class without invoking its constructor. #55490.
· Added ReflectionExtension::isTemporary() and ReflectionExtension::isPersistent() methods.
· Added ReflectionZendExtension class.
· Added ReflectionClass::isCloneable().
· Fixed bug #60367 (Reflection and Late Static Binding).
· Fixed bug #60357 (__toString() method triggers E_NOTICE "Array to string conversion").

Improved Session extension:
· Expose session status via new function, session_status. #52982.
· Added support for object-oriented session handlers.
· Added support for storing upload progress feedback in session data.
· Changed session.entropy_file to default to /dev/urandom or /dev/arandom if either is present at compile time.
· Fixed bug #60860 (session.save_handler=user without defined function core dumps).
· Implement #60551 (session_set_save_handler should support a core's session handler interface).
· Fixed bug #60640 (invalid return values).
· Improved SNMP extension
· Added OO API. #53594 (php-snmp rewrite).
· Sanitized return values of existing functions. Now it returns FALSE on failure.
· Allow ~infinite OIDs in GET/GETNEXT/SET queries. Autochunk them to max_oids upon request.
· Introducing unit tests for extension with ~full coverage. IPv6 support. (#42918)
· Way of representing OID value can now be changed when SNMP_VALUE_OBJECT is used for value output mode. Use or'ed SNMP_VALUE_LIBRARY(default if not specified) or SNMP_VALUE_PLAIN. (#54502)
· Fixed bug #60749 (SNMP module should not strip non-standard SNMP port from hostname).
· Fixed bug #60585 (php build fails with USE flag snmp when IPv6 support is disabled).
· Fixed bug #53862 (snmp_set_oid_output_format does not allow returning to default).
· Fixed bug #51336 (snmprealwalk (snmp v1) does not handle end of OID tree correctly).
· Fixed bug #46065 (snmp_set_quick_print() persists between requests).
· Fixed bug #45893 (Snmp buffer limited to 2048 char).
· Fixed bug #44193 (snmp v3 noAuthNoPriv doesn't work).
· Improved SOAP extension
· Added new SoapClient option "keep_alive". #60329.
· Fixed basic HTTP authentication for WSDL sub requests.

Improved SPL extension:
· Added RegexIterator::getRegex() method.
· Added SplObjectStorage::getHash() hook.
· Added CallbackFilterIterator and RecursiveCallbackFilterIterator.
· Added missing class_uses(..) as pointed out by #55266.
· Immediately reject wrong usages of directories under Spl(Temp)FileObject and friends.
· FilesystemIterator, GlobIterator and (Recursive)DirectoryIterator now use the default stream context.
· Fixed bug #60201 (SplFileObject::setCsvControl does not expose third argument via Reflection).
· Fixed bug #55807 (Wrong value for splFileObject::SKIP_EMPTY).
· Fixed bug #55287 (spl_classes() not includes CallbackFilter classes)

Improved Sysvshm extension:
· Fixed bug #55750 (memory copy issue in sysvshm extension).

Improved Tidy extension:
· Fixed bug #54682 (Tidy::diagnose() NULL pointer dereference).

Improved Tokenizer extension:
· Fixed bug #54089 (token_get_all with regards to __halt_compiler is not binary safe).

Improved XSL extension:
· Added XsltProcessor::setSecurityPrefs($options) and getSecurityPrefs() to define forbidden operations within XSLT stylesheets, default is not to enable write operations from XSLT. Fixed bug #54446.
· XSL doesn't stop transformation anymore, if a PHP function can't be called

Improved ZLIB extension:
· Re-implemented non-file related functionality.
· Fixed bug #55544 (ob_gzhandler always conflicts with zlib.output_compression).

What's new in PHP 5.3.10:

February 3rd, 2012

· Fixed arbitrary remote code execution vulnerability reported by Stefan Esser, CVE-2012-0830.

What's new in PHP 5.3.9:

January 11th, 2012

Core:
· Added max_input_vars directive to prevent attacks based on hash collisions (Dmitry).
· Fixed bug #60205 (possible integer overflow in content_length). (Laruence)
· Fixed bug #60139 (Anonymous functions create cycles not detected by the GC). (Dmitry)
· Fixed bug #60138 (GC crash with referenced array in RecursiveArrayIterator) (Dmitry).
· Fixed bug #60120 (proc_open's streams may hang with stdin/out/err when the data exceeds or is equal to 2048 bytes). (Pierre, Pascal Borreli)
· Fixed bug #60099 (__halt_compiler() works in braced namespaces). (Felipe)
· Fixed bug #60019 (Function time_nanosleep() is undefined on OS X). (Ilia)
· Fixed bug #55874 (GCC does not provide __sync_fetch_and_add on some archs). (klightspeed at netspace dot net dot au)
· Fixed bug #55798 (serialize followed by unserialize with numeric object prop. gives integer prop). (Gustavo)
· Fixed bug #55749 (TOCTOU issue in getenv() on Windows builds). (Pierre)
· Fixed bug #55707 (undefined reference to `__sync_fetch_and_add_4' on Linux parisc). (Felipe)
· Fixed bug #55674 (fgetcsv & str_getcsv skip empty fields in some tab-separated records). (Laruence)
· Fixed bug #55649 (Undefined function Bug()). (Laruence)
· Fixed bug #55622 (memory corruption in parse_ini_string). (Pierre)
· Fixed bug #55576 (Cannot conditionally move uploaded file without race condition). (Gustavo)
· Fixed bug #55510: $_FILES 'name' missing first character after upload. (Arpad)
· Fixed bug #55509 (segfault on x86_64 using more than 2G memory). (Laruence)
· Fixed bug #55504 (Content-Type header is not parsed correctly on HTTP POST request). (Hannes)
· Fixed bug #55475 (is_a() triggers autoloader, new optional 3rd argument to is_a and is_subclass_of). (alan_k)
· Fixed bug #52461 (Incomplete doctype and missing xmlns). (virsacer at web dot de, Pierre)
· Fixed bug #55366 (keys lost when using substr_replace an array). (Arpad)
· Fixed bug #55273 (base64_decode() with strict rejects whitespace after pad). (Ilia)
· Fixed bug #52624 (tempnam() by-pass open_basedir with nonnexistent directory). (Felipe)
· Fixed bug #50982 (incorrect assumption of PAGE_SIZE size). (Dmitry)
· Fixed invalid free in call_user_method() function. (Felipe)
· Fixed bug #43200 (Interface implementation / inheritence not possible in abstract classes). (Felipe)

BCmath:
· Fixed bug #60377 (bcscale related crashes on 64bits platforms). (shm)

Calendar:
· Fixed bug #55797 (Integer overflow in SdnToGregorian leads to segfault (in optimized builds). (Gustavo)

cURL:
· Fixed bug #60439 (curl_copy_handle segfault when used with CURLOPT_PROGRESSFUNCTION). (Pierrick)
· Fixed bug #54798 (Segfault when CURLOPT_STDERR file pointer is closed before calling curl_exec). (Hannes)
· Fixed issues were curl_copy_handle() would sometimes lose copied preferences. (Hannes)

DateTime:
· Fixed bug #60373 (Startup errors with log_errors on cause segfault). (Derick)
· Fixed bug #60236 (TLA timezone dates are not converted properly from timestamp). (Derick)
· Fixed bug #55253 (DateTime::add() and sub() result -1 hour on objects with time zone type 2). (Derick)
· Fixed bug #54851 (DateTime::createFromFormat() doesn't interpret "D"). (Derick)
· Fixed bug #53502 (strtotime with timezone memory leak). (Derick)
· Fixed bug #52062 (large timestamps with DateTime::getTimestamp and DateTime::setTimestamp). (Derick)
· Fixed bug #51994 (date_parse_from_format is parsing invalid date using 'yz' format). (Derick)
· Fixed bug #52113 (Seg fault while creating (by unserialization) DatePeriod). (Derick)
· Fixed bug #48476 (cloning extended DateTime class without calling parent::__constr crashed PHP). (Hannes)

EXIF:
· Fixed bug #60150 (Integer overflow during the parsing of invalid exif header). (Stas, flolechaud at gmail dot com)

Fileinfo:
· Fixed bug #60094 (C++ comment fails in c89). (Laruence)
· Fixed possible memory leak in finfo_open(). (Felipe)
· Fixed memory leak when calling the Finfo constructor twice. (Felipe)

Filter:
· Fixed Bug #55478 (FILTER_VALIDATE_EMAIL fails with internationalized domain name addresses containing >1 -). (Ilia)

FTP:
· Fixed bug #60183 (out of sync ftp responses). (bram at ebskamp dot me, rasmus)

Gd:
· Fixed bug #60160 (imagefill() doesn't work correctly for small images). (Florian)

Intl:
· Fixed bug #60192 (SegFault when Collator not constructed properly). (Florian)
· Fixed memory leak in several Intl locale functions. (Felipe)

JSON:
· Fixed bug #55543 (json_encode() with JSON_NUMERIC_CHECK fails on objects with numeric string properties). (Ilia, dchurch at sciencelogic dot com)

mbstring:
· Fixed possible crash in mb_ereg_search_init() using empty pattern. (Felipe)

MS SQL:
· Fixed bug #60267 (Compile failure with freetds 0.91). (Felipe)

MySQL:
· Fixed bug #55550 (mysql.trace_mode miscounts result sets). (Johannes)

MySQLi extension:
· Fixed bug #55859 (mysqli->stat property access gives error). (Andrey)
· Fixed bug #55582 (mysqli_num_rows() returns always 0 for unbuffered, when mysqlnd is used). (Andrey)
· Fixed bug #55703 (PHP crash when calling mysqli_fetch_fields). (eran at zend dot com, Laruence)

mysqlnd:
· Fixed bug #55609 (mysqlnd cannot be built shared). (Johannes)
· Fixed bug #55067 (MySQL doesn't support compression - wrong config option). (Andrey)

NSAPI SAPI:
· Don't set $_SERVER['HTTPS'] on unsecure connection (bug #55403). (Uwe Schindler)

OpenSSL:
· Fixed bug #60279 (Fixed NULL pointer dereference in stream_socket_enable_crypto, case when ssl_handle of session_stream is not initialized.) (shm)
· Fix segfault with older versions of OpenSSL. (Scott)

Oracle Database extension (OCI8):
· Fixed bug #59985 (show normal warning text for OCI_NO_DATA). (Chris Jones)
· Increased maximum Oracle error message buffer length for new 11.2.0.3 size. (Chris Jones)
· Improve internal initalization failure error messages. (Chris Jones)

PDO:
· Fixed bug #55776 (PDORow to session bug). (Johannes)

PDO Firebird:
· Fixed bug #48877 ("bindValue" and "bindParam" do not work for PDO Firebird). (Mariuz)
· Fixed bug #47415 (PDO_Firebird segfaults when passing lowercased column name to bindColumn).
· Fixed bug #53280 (PDO_Firebird segfaults if query column count less than param count). (Mariuz)

PDO MySQL driver:
· Fixed bug #60155 (pdo_mysql.default_socket ignored). (Johannes)
· Fixed bug #55870 (PDO ignores all SSL parameters when used with mysql native driver). (Pierre)
· Fixed bug #54158 (MYSQLND+PDO MySQL requires #define MYSQL_OPT_LOCAL_INFILE). (Andrey)

PDO OCI driver:
· Fixed bug #55768 (PDO_OCI can't resume Oracle session after it's been killed). (mikhail dot v dot gavrilov at gmail dot com, Chris Jones, Tony)

Phar:
· Fixed bug #60261 (NULL pointer dereference in phar). (Felipe)
· Fixed bug #60164 (Stubs of a specific length break phar_open_from_fp scanning for __HALT_COMPILER). (Ralph Schindler)
· Fixed bug #53872 (internal corruption of phar). (Hannes)
· Fixed bug #52013 (Unable to decompress files in a compressed phar). (Hannes)

PHP-FPM SAPI:
· Fixed bug #60659 (FPM does not clear auth_user on request accept). (bonbons at linux-vserver dot org)
· Fixed bug #60629 (memory corruption when web server closed the fcgi fd). (fat)
· Fixed bug #60179 (php_flag and php_value does not work properly). (fat)
· Fixed bug #55526 (Heartbeat causes a lot of unnecessary events). (fat)
· Fixed bug #55533 (The -d parameter doesn't work). (fat)
· Implemented FR #52569 (Add the "ondemand" process-manager to allow zero children). (fat)
· Fixed bug #55486 (status show BIG processes number). (fat)
· Fixed bug #55577 (status.html does not install). (fat)
· Backported from 5.4 branch (Dropped restriction of not setting the same value multiple times, the last one holds). (giovanni at giacobbi dot net, fat)
· Backported FR #55166 from 5.4 branch (Added process.max to control the number of process FPM can fork). (fat)
· Backported FR #55181 from 5.4 branch (Enhance security by limiting access to user defined extensions). (fat)
· Backported FR #54098 from 5.4 branch (Lowered process manager default value). (fat)
· Backported FR #52052 from 5.4 branch (Added partial syslog support). (fat)
· Implemented FR #54577 (Enhanced status page with full status and details about each processes. Also provide a web page (status.html) for real-time FPM status. (fat)
· Enhance error log when the primary script can't be open. FR #60199. (fat)
· Added .phar to default authorized extensions. (fat)

Postgres:
· Fixed bug #60244 (pg_fetch_* functions do not validate that row param is >0). (Ilia)

Reflection:
· Fixed bug #60367 (Reflection and Late Static Binding). (Laruence)

Session:
· Fixed bug #55267 (session_regenerate_id fails after header sent). (Hannes)

SimpleXML:
· Reverted the SimpleXML->query() behaviour to returning empty arrays instead of false when no nodes are found as it was since 5.3.3 (bug #48601). (chregu, rrichards)

SOAP:
· Fixed bug #54911 (Access to a undefined member in inherit SoapClient may cause Segmentation Fault). (Dmitry)
· Fixed bug #48216 (PHP Fatal error: SOAP-ERROR: Parsing WSDL: Extra content at the end of the doc, when server uses chunked transfer encoding with spaces after chunk size). (Dmitry)
· Fixed bug #44686 (SOAP-ERROR: Parsing WSDL with references). (Dmitry)

Sockets:
· Fixed bug #60048 (sa_len a #define on IRIX). (china at thewrittenword dot com)

SPL:
· Fixed bug #60082 (Crash in ArrayObject() when using recursive references). (Tony)
· Fixed bug #55807 (Wrong value for splFileObject::SKIP_EMPTY). (jgotti at modedemploi dot fr, Hannes)
· Fixed bug #54304 (RegexIterator::accept() doesn't work with scalar values). (Hannes)

Streams:
· Fixed bug #60455 (stream_get_line misbehaves if EOF is not detected together with the last read). (Gustavo)

Tidy:
· Fixed bug #54682 (Tidy::diagnose() NULL pointer dereference). (Maksymilian Arciemowicz, Felipe)

· XSL:Added xsl.security_prefs ini option to define forbidden operations within XSLT stylesheets, default is not to enable write operations. This option won't be in 5.4, since there's a new method. Fixes Bug #54446. (Chregu, Nicolas Gregoire)

What's new in PHP 5.4.0 RC 2:

December 9th, 2011

Core:
· Fixed bug #60227 (header() cannot detect the multi-line header with CR(0x0D)). (rui)
· Fixed bug #60099 (__halt_compiler() works in braced namespaces). (Felipe)
· Fixed bug #55874 (GCC does not provide __sync_fetch_and_add on some archs). (klightspeed at netspace dot net dot au)
· Fixed bug #52624 (tempnam() by-pass open_basedir with nonexistent directory). (Felipe)
· Fixed bug #55748 (multiple NULL Pointer Dereference with zend_strndup()) (CVE-2011-4153). (Stas)
· Fixed invalid free in call_user_method() function. (Felipe)

Zend Engine:
· Fixed bug #43200 (Interface implementation / inheritence not possible in abstract classes). (Felipe)

CLI SAPI:
· Fixed bug #60159 (Router returns false, but POST is not passed to requested resource). (Laruence)
· Fixed bug #55759 (memory leak when using built-in server). (Laruence)

Improved PHP-FPM SAPI:
· Enhance error log when the primary script can't be open. FR #60199. (fat)
· Remove EXPERIMENTAL flag. (fat)
· Added .phar to default authorized extensions. (fat)

BCmath:
· Fixed bug #60377 (bcscale related crashes on 64bits platforms) (shm)

Fileinfo:
· Fixed possible memory leak in finfo_open(). (Felipe)
· Fixed memory leak when calling the Finfo constructor twice. (Felipe)

Intl:
· Fixed memory leak in several Intl locale functions. (Felipe)

Mbstring:
· Fixed bug #60306 (Characters lost while converting from cp936 to utf8). (Laruence)
· Fixed possible crash in mb_ereg_search_init() using empty pattern. (Felipe)

MS SQL:
· Fixed bug #60267 (Compile failure with freetds 0.91). (Felipe)

OpenSSL:
· Fixed bug #60279 (Fixed NULL pointer dereference in stream_socket_enable_crypto, case when ssl_handle of session_stream is not initialized.) (shm)

Oracle Database extension (OCI8):
· Fixed bug #59985 (show normal warning text for OCI_NO_DATA) (Chris Jones)

Output:
· Fixed bug #60321 (ob_get_status(true) no longer returns an array when buffer is empty). (Pierrick)
· Fixed bug #60282 (Segfault when using ob_gzhandler() with open buffers).(Laruence)

Reflection:
· Fixed bug #60357 (__toString() method triggers E_NOTICE "Array to string conversion"). (Laruence)

SOAP extension:
· Added new SoapClient option "keep_alive". FR #60329. (Pierrick)

Tidy:
· Fixed bug #54682 (Tidy::diagnose() NULL pointer dereference). (Maksymilian Arciemowicz, Felipe)

What's new in PHP 5.4.0 Alpha 3:

August 12th, 2011

Added features:
· Short array syntax, see UPGRADING guide for full details
· Binary numbers format (0b001010).
· Support for Class::{expr}() syntax

Removed features:
· Removed magic_quotes_gpc, magic_quotes_runtime and magic_quotes_sybase ini options.
· get_magic_quotes_gpc, get_magic_quotes_runtime are kept but always return false, set_magic_quotes_runtime raises an E_CORE_ERROR.

· Changed E_ALL to include E_STRICT. (Stas)
· Improved core functions
· Fixed bug #55124 (recursive mkdir fails with current (dot) directory in path).

Improved PHP-FPM SAPI:
· Added process.max to control the number of process FPM can fork. FR #55166.
· Dropped restriction of not setting the same value multiple times, the last
· one holds. (

SPL extension:
· Added missing class_uses(..) as pointed out by #55266
· Fixed bug #55287 (spl_classes() not includes CallbackFilter classes)

What's new in PHP 5.4.0 Alpha 2:

August 12th, 2011

General improvements:
· Zend Signal Handling.
· Improved Zend Engine
· Improved parse error messages.

Improved CLI SAPI:
· Added built-in web server that is intended for testing purpose.

Improved PHP-FPM SAPI:
· Added partial syslog support (on error_log only). FR #52052.
· Lowered default value for Process Manager. FR #54098.
· Enhance security by limiting access to user defined extensions.
· FR #55181.

Improved core functions:
· Changed http_response_code() to be able to set a response code.
· Fixed crypt_blowfish handling of 8-bit characters. (CVE-2011-2483)
· Fixed bug#55084 (Function registered by header_register_callback is
· called only once per process).

Improved DOM extension:
· Added the ability to pass options to loadHTML (Chregu, fxmulder at gmail dot com)

OpenSSL extension:
· Use php's implementation for Windows Crypto API in openssl_random_pseudo_bytes

What's new in PHP 5.4.0 Alpha 1:

July 1st, 2011

· autoconf 2.59+ is now supported (and required) for generating the
· configure script with ./buildconf. Autoconf 2.60+ is desirable otherwise the configure help order may be incorrect.

Removed legacy features:
· break/continue $var syntax.
· Safe mode and all related ini options.
· register_globals and register_long_arrays ini options.
· import_request_variables().
· allow_call_time_pass_reference.
· define_syslog_variables ini option and its associated function.
· highlight.bg ini option.
· Session bug compatibility mode (session.bug_compat42 and
· session.bug_compat_warn ini options).
· session_is_registered(), session_register() and session_unregister()
· functions.
· y2k_compliance ini option.

Moved extensions to PECL:
· .ext/sqlite.

· Changed $_SERVER['REQUEST_TIME'] to include microsecond precision.
· Changed default value of "default_charset" php.ini option from ISO-8859-1 to
· UTF-8.
· Changed array_combine() to return empty array instead of FALSE when both
· parameter arrays are empty. FR #34857.
· Changed third parameter of preg_match_all() to optional. FR #53238.)
· Changed silent casting of null/''/false into an Object when adding
· a property into a warning.

What's new in PHP 5.3.6:

March 18th, 2011

· Upgraded bundled Sqlite3 to version 3.7.4. (Ilia)
· Upgraded bundled PCRE to version 8.11. (Ilia)

Zend Engine:
· Indirect reference to $this fails to resolve if direct $this is never used in method.
· Added options to debug backtrace functions. (Stas)
· Fixed bug numerous crashes due to setlocale (crash on error, pcre, mysql etc.) on Windows in thread safe mode. (Pierre)
· Fixed Bug #53971 (isset() and empty() produce apparently spurious runtime error). (Dmitry)
· Fixed Bug #53958 (Closures can't 'use' shared variables by value and by reference). (Dmitry)
· Fixed Bug #53629 (memory leak inside highlight_string()). (Hannes, Ilia)
· Fixed Bug #51458 (Lack of error context with nested exceptions). (Stas)
· Fixed Bug #47143 (Throwing an exception in a destructor causes a fatal error). (Stas)
· Fixed bug #43512 (same parameter name can be used multiple times in
· method/function definition). (Felipe)

Core:
· Added ability to connect to HTTPS sites through proxy with basic authentication using stream_context/http/header/Proxy-Authorization (Dmitry)
· Changed default value of ini directive serialize_precision from 100 to 17.
· Fixed bug #54055 (buffer overrun with high values for precision ini setting).
· Fixed bug #53959 (reflection data for fgetcsv out-of-date). (Richard)
· Fixed bug #53577 (Regression introduced in 5.3.4 in open_basedir with a trailing forward slash). (lekensteyn at gmail dot com, Pierre)
· Fixed bug #53682 (Fix compile on the VAX). (Rasmus, jklos)
· Fixed bug #48484 (array_product() always returns 0 for an empty array).
· Fixed bug #48607 (fwrite() doesn't check reply from ftp server before exiting).

Calendar extension:
· Fixed bug #53574 (Integer overflow in SdnToJulian, sometimes leading to segfault).

DOM extension:
· Implemented FR #39771 (Made DOMDocument::saveHTML accept an optional DOMNode like DOMDocument::saveXML).

DateTime extension:
· Fixed a bug in DateTime->modify() where absolute date/time statements had no effect. (Derick)
· Fixed bug #53729 (DatePeriod fails to initialize recurrences on 64bit big-endian systems).
· Fixed bug #52808 (Segfault when specifying interval as two dates). (Stas)
· Fixed bug #52738 (Can't use new properties in class extended from DateInterval).
· Fixed bug #52290 (setDate, setISODate, setTime works wrong when DateTime created from timestamp).
· Fixed bug #52063 (DateTime constructor's second argument doesn't have a null default value). (Gustavo, Stas)

Exif extension:
· Fixed bug #54002

Filter extension:
· Fixed bug #53924 (FILTER_VALIDATE_URL doesn't validate port number).
· Fixed bug #53150 (FILTER_FLAG_NO_RES_RANGE is missing some IP ranges).
· Fixed bug #52209 (INPUT_ENV returns NULL for set variables (CLI)). (Ilia)
· Fixed bug #47435 (FILTER_FLAG_NO_RES_RANGE don't work with ipv6).

Fileinfo extension:
· Fixed bug #54016 (finfo_file() Cannot determine filetype in archives).

Gettext:
· Fixed bug #53837 (_() crashes on Windows when no LANG or LANGUAGE environment variable are set).

IMAP extension:
· Implemented FR #53812 (get MIME headers of the part of the email). (Stas)
· Fixed bug #53377 (imap_mime_header_decode() doesn't ignore \t during long MIME header unfolding). (Adam)

Intl extension:
· Fixed bug #53612 (Segmentation fault when using cloned several intl
· objects).
· Fixed bug #53512 (NumberFormatter::setSymbol crash on bogus $attr values).
· Implemented clone functionality for number, date & message formatters.

JSON extension:
· Fixed bug #53963 (Ensure error_code is always set during some failed
· decodings).

mysqlnd:
· Fixed problem with always returning 0 as num_rows for unbuffered sets.

MySQL Improved extension:
· Added 'db' and 'catalog' keys to the field fetching functions (FR #39847).
· Fixed buggy counting of affected rows when using the text protocol. The
· collected statistics were wrong when multi_query was used with mysqlnd
· Fixed bug #53795 (Connect Error from MySqli (mysqlnd) when using SSL).
· Fixed bug #53503 (mysqli::query returns false after successful LOAD DATA
· query).
· Fixed bug #53425 (mysqli_real_connect() ignores client flags when built to
· call libmysql).

OpenSSL extension:
· Fixed stream_socket_enable_crypto() not honoring the socket timeout in
· server mode. (Gustavo)
· Fixed bug #54060 (Memory leaks when openssl_encrypt). (Pierre)
· Fixed bug #54061 (Memory leaks when openssl_decrypt). (Pierre)
· Fixed bug #53592 (stream_socket_enable_crypto() busy-waits in client mode).
· Implemented FR #53447 (Cannot disable SessionTicket extension for servers
· that do not support it) by adding a no_ticket SSL context option.

PDO MySQL driver:
· Fixed bug #53551 (PDOStatement execute segfaults for pdo_mysql driver).
· Implemented FR #47802 (Support for setting character sets in DSN strings).

PDO Oracle driver:
· Fixed bug #39199 (Cannot load Lob data with more than 4000 bytes on
· ORACLE 10).

PDO PostgreSQL driver:
· Fixed bug #53517 (segfault in pgsql_stmt_execute() when postgres is down).

Phar extension:
· Fixed bug #54247 (format-string vulnerability on Phar).
· (CVE-2011-1153)
· Fixed bug #53541 (format string bug in ext/phar).
· Fixed bug #53898 (PHAR reports invalid error message, when the directory
· does not exist). (Ilia)

PHP-FPM SAPI:
· Enforce security in the fastcgi protocol parsing.
· Fixed bug #53777 (php-fpm log format now match php_error log format).
· Fixed bug #53527 (php-fpm --test doesn't set a valuable return value).
· Fixed bug #53434 (php-fpm slowlog now also logs the original request).

Readline extension:
· Fixed bug #53630 (Fixed parameter handling inside readline() function).

Reflection extension:
· Fixed bug #53915 (ReflectionClass::getConstant(s) emits fatal error on
· constants with self::).

Shmop extension:
· Fixed bug #54193 (Integer overflow in shmop_read()).
· Reported by Jose Carlos Norte (CVE-2011-1092)

SNMP extension:
· Fixed bug #51336 (snmprealwalk (snmp v1) does not handle end of OID tree
· correctly).

SOAP extension:
· Fixed possible crash introduced by the NULL poisoning patch.

SPL extension:
· Fixed memory leak in DirectoryIterator::getExtension() and
· SplFileInfo::getExtension().
· Fixed bug #53914 (SPL assumes HAVE_GLOB is defined).
· Fixed bug #53515 (property_exists incorrect on ArrayObject null and 0 values).
· Fixed bug #49608 (Using CachingIterator on DirectoryIterator instance
· segfaults).
· Added SplFileInfo::getExtension(). FR #48767. (Peter Cowburn)

SQLite3 extension:
· Fixed memory leaked introduced by the NULL poisoning patch.
· Mateusz Kocielski, Pierre)
· Fixed memory leak on SQLite3Result and SQLite3Stmt when assigning to a
· reference.
· Add SQlite3_Stmt::readonly() for checking if a statement is read only.
· Implemented FR #53466 (SQLite3Result::columnType() should return false after all of the rows have been fetched). (Scott)

Streams:
· Fixed bug #54092 (Segmentation fault when using HTTP proxy with the FTP
· wrapper).
· Fixed bug #53913 (Streams functions assume HAVE_GLOB is defined).
· Fixed bug #53903 (userspace stream stat callback does not separate the
· elements of the returned array before converting them).
· Implemented FR #26158 (open arbitrary file descriptor with fopen).
· Tokenizer Extension
· Fixed bug #54089 (token_get_all() does not stop after __halt_compiler).

XSL extension:
· Fixed memory leaked introduced by the NULL poisoning patch.

Zip extension:
· Added the filename into the return value of stream_get_meta_data().
· Fixed bug #53923 (Zip functions assume HAVE_GLOB is defined). (Adam)
· Fixed bug #53893 (Wrong return value for ZipArchive::extractTo()). (Pierre)
· Fixed bug #53885 (ZipArchive segfault with FL_UNCHANGED on empty archive). (CVE-2011-0421)
· Fixed bug #53854 (Missing constants for compression type).
· Fixed bug #53603 (ZipArchive should quiet stat errors).
· Fixed bug #53579 (stream_get_contents() segfaults on ziparchive streams).
· Fixed bug #53568 (swapped memset arguments in struct initialization).
· Fixed bug #53166 (Missing parameters in docs and reflection definition).
· Fixed bug #49072 (feof never returns true for damaged file in zip).

What's new in PHP 5.3.5:

March 11th, 2011

· This release resolves a critical issue, reported as PHP bug #53632, where conversions from string to double might cause the PHP interpreter to hang on systems using x87 FPU registers.
· Fixed bug #53632 (PHP hangs on numeric value 2.2250738585072011e-308).

What's new in PHP 5.3.4:

December 10th, 2010

Security Enhancements and Fixes:
· Fixed crash in zip extract method (possible CWE-170).
· Paths with NULL in them (foo\0bar.txt) are now considered as invalid (CVE-2006-7243).
· Fixed a possible double free in imap extension (Identified by Mateusz Kocielski). (CVE-2010-4150).
· Fixed NULL pointer dereference in ZipArchive::getArchiveComment. (CVE-2010-3709).
· Fixed possible flaw in open_basedir (CVE-2010-3436).
· Fixed MOPS-2010-24, fix string validation. (CVE-2010-2950).
· Fixed symbolic resolution support when the target is a DFS share.
· Fixed bug #52929 (Segfault in filter_var with FILTER_VALIDATE_EMAIL with large amount of data) (CVE-2010-3710).

Key Bug Fixes:
· Added stat support for zip stream.
· Added follow_location (enabled by default) option for the http stream support.
· Added a 3rd parameter to get_html_translation_table. It now takes a charset hint, like htmlentities et al.
· Implemented FR #52348, added new constant ZEND_MULTIBYTE to detect zend multibyte at runtime.
· Multiple improvements to the FPM SAPI.
· Over 100 other bug fixes.

What's new in PHP 5.3.3:

August 10th, 2010

· Methods with the same name as the last element of a namespaced class name will no longer be treated as constructor. This change doesn't affect non-namespaced classes.

· There is no impact on migration from 5.2.x because namespaces were only introduced in PHP 5.3.

Security Enhancements and Fixes:
· Rewrote var_export() to use smart_str rather than output buffering, prevents data disclosure if a fatal error occurs (CVE-2010-2531).
· Fixed a possible resource destruction issues in shm_put_var().
· Fixed a possible information leak because of interruption of XOR operator.
· Fixed a possible memory corruption because of unexpected call-time pass by refernce and following memory clobbering through callbacks.
· Fixed a possible memory corruption in ArrayObject::uasort().
· Fixed a possible memory corruption in parse_str().
· Fixed a possible memory corruption in pack().
· Fixed a possible memory corruption in substr_replace().
· Fixed a possible memory corruption in addcslashes().
· Fixed a possible stack exhaustion inside fnmatch().
· Fixed a possible dechunking filter buffer overflow.
· Fixed a possible arbitrary memory access inside sqlite extension.
· Fixed string format validation inside phar extension.
· Fixed handling of session variable serialization on certain prefix characters.
· Fixed a NULL pointer dereference when processing invalid XML-RPC requests (Fixes CVE-2010-0397, bug #51288).
· Fixed SplObjectStorage unserialization problems (CVE-2010-2225).
· Fixed possible buffer overflows in mysqlnd_list_fields, mysqlnd_change_user.
· Fixed possible buffer overflows when handling error packets in mysqlnd.

Key enhancements:
· Upgraded bundled sqlite to version 3.6.23.1.
· Upgraded bundled PCRE to version 8.02.
· Added FastCGI Process Manager (FPM) SAPI.
· Added stream filter support to mcrypt extension.
· Added full_special_chars filter to ext/filter.
· Fixed a possible crash because of recursive GC invocation.
· Fixed bug #52238 (Crash when an Exception occured in iterator_to_array).
· Fixed bug #52041 (Memory leak when writing on uninitialized variable returned from function).
· Fixed bug #52060 (Memory leak when passing a closure to method_exists()).
· Fixed bug #52001 (Memory allocation problems after using variable variables).
· Fixed bug #51723 (Content-length header is limited to 32bit integer with Apache2 on Windows).
· Fixed bug #48930 (__COMPILER_HALT_OFFSET__ incorrect in PHP >= 5.3).

What's new in PHP 5.3.2:

March 4th, 2010

Security Enhancements and Fixes:
· Improved LCG entropy. (Rasmus, Samy Kamkar)
· Fixed safe_mode validation inside tempnam() when the directory path does not end with a /). (Martin Jansen)
· Fixed a possible open_basedir/safe_mode bypass in the session extension identified by Grzegorz Stachowiak. (Ilia)

Key Bug Fixes:
· Added support for SHA-256 and SHA-512 to php's crypt.
· Added protection for $_SESSION from interrupt corruption and improved "session.save_path" check.
· Fixed bug #51059 (crypt crashes when invalid salt are given).
· Fixed bug #50940 Custom content-length set incorrectly in Apache sapis.
· Fixed bug #50847 (strip_tags() removes all tags greater then 1023 bytes long).
· Fixed bug #50723 (Bug in garbage collector causes crash).
· Fixed bug #50661 (DOMDocument::loadXML does not allow UTF-16).
· Fixed bug #50632 (filter_input() does not return default value if the variable does not exist).
· Fixed bug #50540 (Crash while running ldap_next_reference test cases).
· Fixed bug #49851 (http wrapper breaks on 1024 char long headers).
· Over 60 other bug fixes.

What's new in PHP 5.3.1:

November 20th, 2009

· Security Fixes
· Added "max_file_uploads" INI directive, which can be set to limit the number of file uploads per-request to 20 by default, to prevent possible DOS via temporary file exhaustion. (Ilia)
· Added missing sanity checks around exif processing. (Ilia)
· Fixed a safe_mode bypass in tempnam(). (Rasmus)
· Fixed a open_basedir bypass in posix_mkfifo(). (Rasmus)
· Fixed bug #50063 (safe_mode_include_dir fails). (Johannes, christian at elmerot dot se)
· Added error constant when json_encode() detects an invalid UTF-8 sequence. (Scott)
· Added support for ACL on Windows for thread safe SAPI (Apache2 for example) and fix its support on NTS. (Pierre)
· Upgraded bundled sqlite to version 3.6.19. (Scott)
· Updated timezone database to version 2009.17 (2009q). (Derick)
· Fixed crash in com_print_typeinfo when an invalid typelib is given. (Pierre)
· Fixed a safe_mode bypass in tempnam() identified by Grzegorz Stachowiak. (Rasmus)
· Fixed a open_basedir bypass in posix_mkfifo() identified by Grzegorz Stachowiak. (Rasmus)
· Fixed certificate validation inside php_openssl_apply_verification_policy (Ryan Sleevi, Ilia)
· Fixed crash in SQLiteDatabase::ArrayQuery() and SQLiteDatabase::SingleQuery() when calling using Reflection. (Felipe)
· Fixed crash when instantiating PDORow and PDOStatement through Reflection. (Felipe)
· Fixed sanity check for the color index in imagecolortransparent. (Pierre)
· Fixed scandir/readdir when used mounted points on Windows. (Pierre)
· Fixed zlib.deflate compress filter to actually accept level parameter. (Jani)
· Fixed leak on error in popen/exec (and related functions) on Windows. (Pierre)
· Fixed possible bad caching of symlinked directories in the realpath cache on Windows. (Pierre)
· Fixed atime and mtime in stat related functions on Windows. (Pierre)
· Fixed spl_autoload_unregister/spl_autoload_functions wrt. Closures and Functors. (Christian Seiler)
· Fixed open_basedir circumvention for "mail.log" ini directive. (Maksymilian Arciemowicz, Stas)
· Fixed signature generation/validation for zip archives in ext/phar. (Greg)
· Fixed memory leak in stream_is_local(). (Felipe, Tony)
· Fixed BC break in mime_content_type(), removes the content encoding. (Scott)
· Changed ini file directives [PATH=](on Win32) and [HOST=](on all) to be case insensitive (garretts)
· Restored shebang line check to CGI sapi (not checked by scanner anymore). (Jani)
· Improve symbolic, mounted volume and junctions support for realpath on Windows. (Pierre)
· Improved readlink on Windows, suppress ?? and use the drive syntax only. (Pierre)
· Improved dns_get_record() AAAA support on windows. Always available when IPv6 is support is installed, format is now the same than on unix. (Pierre)
· Improved the DNS functions on OSX to use newer APIs, also use Bind 9 API where available on other platforms. (Scott)
· Improved shared extension loading on OSX to use the standard Unix dlopen() API. (Scott)
· Fixed bug #50063 (safe_mode_include_dir fails). (Johannes, christian at elmerot dot se)
· Fixed bug #50052 (Different Hashes on Windows and Linux on wrong Salt size). (Pierre)
· Fixed bug #49910 (no support for ././@LongLink for long filenames in phar tar support). (Greg)
· Fixed bug #49908 (throwing exception in __autoload crashes when interface is not defined). (Felipe)
· Fixed bug #49847 (exec() fails to return data inside 2nd parameter, given output lines >4095 bytes). (Ilia)
· Fixed bug #49809 (time_sleep_until() is not available on OpenSolaris). (Jani)
· Fixed bug #49757 (long2ip() can return wrong value in a multi-threaded applications). (Ilia, Florian Anderiasch)
· Fixed bug #49738 (calling mcrypt after mcrypt_generic_deinit crashes). (Sriram Natarajan)
· Fixed bug #49732 (crashes when using fileinfo when timestamp conversion fails). (Pierre)
· Fixed bug #49698 (Unexpected change in strnatcasecmp()). (Rasmus)
· Fixed bug #49630 (imap_listscan function missing). (Felipe)
· Fixed bug #49572 (use of C++ style comments causes build failure). (Sriram Natarajan)
· Fixed bug #49531 (CURLOPT_INFILESIZE sometimes causes warning "CURLPROTO_FILE cannot be set"). (Felipe)
· Fixed bug #49517 (cURL's CURLOPT_FILE prevents file from being deleted after fclose). (Ilia)
· Fixed bug #49470 (FILTER_SANITIZE_EMAIL allows disallowed characters). (Ilia)
· Fixed bug #49447 (php engine need to correctly check for socket API return status on windows). (Sriram Natarajan)
· Fixed bug #49391 (ldap.c utilizing deprecated ldap_modify_s). (Ilia)
· Fixed bug #49361 (wordwrap() wraps incorrectly on end of line boundaries). (Ilia, code-it at mail dot ru)
· Fixed bug #49372 (segfault in php_curl_option_curl). (Pierre)
· Fixed bug #49306 (inside pdo_mysql default socket settings are ignored). (Ilia)
· Fixed bug #49289 (bcmath module doesn't compile with phpize configure). (Jani)
· Fixed bug #49286 (php://input (php_stream_input_read) is broken). (Jani)
· Fixed bug #49269 (Ternary operator fails on Iterator object when used inside foreach declaration). (Etienne, Dmitry)
· Fixed bug #49236 (Missing PHP_SUBST(PDO_MYSQL_SHARED_LIBADD)). (Jani)
· Fixed bug #49223 (Inconsistency using get_defined_constants). (Garrett)
· Fixed bug #49193 (gdJpegGetVersionString() inside gd_compact identifies wrong type in declaration). (Ilia)
· Fixed bug #49183 (dns_get_record does not return NAPTR records). (Pierre)
· Fixed bug #49144 (Import of schema from different host transmits original authentication details). (Dmitry)
· Fixed bug #49142 (crash when exception thrown from __tostring()). (David Soria Parra)
· Fixed bug #49986 (Missing ICU DLLs on windows package). (Pierre)
· Fixed bug #49132 (posix_times returns false without error). (phpbugs at gunnu dot us)
· Fixed bug #49125 (Error in dba_exists C code). (jdornan at stanford dot edu)
· Fixed bug #49122 (undefined reference to mysqlnd_stmt_next_result on compile with --with-mysqli and MySQL 6.0). (Jani)
· Fixed bug #49108 (2nd scan_dir produces segfault). (Felipe)
· Fixed bug #49098 (mysqli segfault on error). (Rasmus)
· Fixed bug #49095 (proc_get_status['exitcode'] fails on win32). (Felipe)
· Fixed bug #49092 (ReflectionFunction fails to work with functions in fully qualified namespaces). (Kalle, Jani)
· Fixed bug #49074 (private class static fields can be modified by using reflection). (Jani)
· Fixed bug #49072 (feof never returns true for damaged file in zip). (Pierre)
· Fixed bug #49065 ("disable_functions" php.ini option does not work on Zend extensions). (Stas)
· Fixed bug #49064 (--enable-session=shared does not work: undefined symbol: php_url_scanner_reset_vars). (Jani)
· Fixed bug #49056 (parse_ini_file() regression in 5.3.0 when using non-ASCII strings as option keys). (Jani)
· Fixed bug #49052 (context option headers freed too early when using --with-curlwrappers). (Jani)
· Fixed bug #49047 (The function touch() fails on directories on Windows). (Pierre)
· Fixed bug #49032 (SplFileObject::fscanf() variables passed by reference). (Jani)
· Fixed bug #49027 (mysqli_options() doesn't work when using mysqlnd). (Andrey)
· Fixed bug #49026 (proc_open() can bypass safe_mode_protected_env_vars restrictions). (Ilia)
· Fixed bug #49012 (phar tar signature algorithm reports as Unknown (0) in getSignature() call). (Greg)
· Fixed bug #49020 (phar misinterprets ustar long filename standard). (Greg)
· Fixed bug #49018 (phar tar stores long filenames wit prefix/name reversed). (Greg)
· Fixed bug #49014 (dechunked filter broken when serving more than 8192 bytes in a chunk). (andreas dot streichardt at globalpark dot com, Ilia)
· Fixed bug #49000 (PHP CLI in Interactive mode (php -a) crashes when including files from function). (Stas)
· Fixed bug #48994 (zlib.output_compression does not output HTTP headers when set to a string value). (Jani)
· Fixed bug #48980 (Crash when compiling with pdo_firebird). (Felipe)
· Fixed bug #48962 (cURL does not upload files with specified filename). (Ilia)
· Fixed bug #48929 (Double
· after HTTP headers when "header" context option is an array). (David Zülke)
· Fixed bug #48913 (Too long error code strings in pdo_odbc driver). (naf at altlinux dot ru, Felipe)
· Fixed bug #48912 (Namespace causes unexpected strict behaviour with extract()). (Dmitry)
· Fixed bug #48909 (Segmentation fault in mysqli_stmt_execute()). (Andrey)
· Fixed bug #48899 (is_callable returns true even if method does not exist in parent class). (Felipe)
· Fixed bug #48893 (Problems compiling with Curl). (Felipe)
· Fixed bug #48872 (string.c: errors: duplicate case values). (Kalle)
· Fixed bug #48854 (array_merge_recursive modifies arrays after first one). (Felipe)
· Fixed bug #48805 (IPv6 socket transport is not working). (Ilia)
· Fixed bug #48802 (printf() returns incorrect outputted length). (Jani)
· Fixed bug #48880 (Random Appearing open_basedir problem). (Rasmus, Gwynne)
· Fixed bug #48791 (open office files always reported as corrupted). (Greg)
· Fixed bug #48788 (RecursiveDirectoryIterator doesn't descend into symlinked directories). (Ilia)
· Fixed bug #48783 (make install will fail saying phar file exists). (Greg)
· Fixed bug #48774 (SIGSEGVs when using curl_copy_handle()). (Sriram Natarajan)
· Fixed bug #48771 (rename() between volumes fails and reports no error on Windows). (Pierre)
· Fixed bug #48768 (parse_ini_*() crash with INI_SCANNER_RAW). (Jani)
· Fixed bug #48763 (ZipArchive produces corrupt archive). (dani dot church at gmail dot com, Pierre)
· Fixed bug #48762 (IPv6 address filter still rejects valid address). (Felipe)
· Fixed bug #48757 (ReflectionFunction::invoke() parameter issues). (Kalle)
· Fixed bug #48754 (mysql_close() crash php when no handle specified). (Johannes, Andrey)
· Fixed bug #48752 (Crash during date parsing with invalid date). (Pierre)
· Fixed bug #48746 (Unable to browse directories within Junction Points). (Pierre, Kanwaljeet Singla)
· Fixed bug #48745 (mysqlnd: mysql_num_fields returns wrong column count for mysql_list_fields). (Andrey)
· Fixed bug #48740 (PHAR install fails when INSTALL_ROOT is not the final install location). (james dot cohen at digitalwindow dot com, Greg)
· Fixed bug #48733 (CURLOPT_WRITEHEADER|CURLOPT_FILE|CURLOPT_STDERR warns on files that have been opened with r+). (Ilia)
· Fixed bug #48719 (parse_ini_*(): scanner_mode parameter is not checked for sanity). (Jani)
· Fixed bug #48718 (FILTER_VALIDATE_EMAIL does not allow numbers in domain components). (Ilia)
· Fixed bug #48681 (openssl signature verification for tar archives broken). (Greg)
· Fixed bug #48660 (parse_ini_*(): dollar sign as last character of value fails). (Jani)
· Fixed bug #48645 (mb_convert_encoding() doesn't understand hexadecimal html-entities). (Moriyoshi)
· Fixed bug #48637 ("file" fopen wrapper is overwritten when using --with-curlwrappers). (Jani)
· Fixed bug #48608 (Invalid libreadline version not detected during configure). (Jani)
· Fixed bug #48400 (imap crashes when closing stream opened with OP_PROTOTYPE flag). (Jani)
· Fixed bug #48377 (error message unclear on converting phar with existing file). (Greg)
· Fixed bug #48247 (Infinite loop and possible crash during startup with errors when errors are logged). (Jani)
· Fixed bug #48198 error: 'MYSQLND_LLU_SPEC' undeclared. Cause for #48780 and #46952 - both fixed too. (Andrey)
· Fixed bug #48189 (ibase_execute error in return param). (Kalle)
· Fixed bug #48182 (ssl handshake fails during asynchronous socket connection). (Sriram Natarajan)
· Fixed bug #48116 (Fixed build with Openssl 1.0). (Pierre, Al dot Smith at aeschi dot ch dot eu dot org)
· Fixed bug #48057 (Only the date fields of the first row are fetched, others are empty). (info at programmiernutte dot net)
· Fixed bug #47481 (natcasesort() does not sort extended ASCII characters correctly). (Herman Radtke)
· Fixed bug #47351 (Memory leak in DateTime). (Derick, Tobias John)
· Fixed bug #47273 (Encoding bug in SoapServer->fault). (Dmitry)
· Fixed bug #46682 (touch() afield returns different values on windows). (Pierre)
· Fixed bug #46614 (Extended MySQLi class gives incorrect empty() result). (Andrey)
· Fixed bug #46020 (with Sun Java System Web Server 7.0 on HPUX, #define HPUX). (Uwe Schindler)
· Fixed bug #45905 (imagefilledrectangle() clipping error). (markril at hotmail dot com, Pierre)
· Fixed bug #45554 (Inconsistent behavior of the u format char). (Derick)
· Fixed bug #45141 (setcookie will output expires years of >4 digits). (Ilia)
· Fixed bug #44683 (popen crashes when an invalid mode is passed). (Pierre)
· Fixed bug #43510 (stream_get_meta_data() does not return same mode as used in fopen). (Jani)
· Fixed bug #42434 (ImageLine w/ antialias = 1px shorter). (wojjie at gmail dot com, Kalle)
· Fixed bug #40013 (php_uname() does not return nodename on Netware (Guenter Knauf)
· Fixed bug #38091 (Mail() does not use FQDN when sending SMTP helo). (Kalle, Rick Yorgason)
· Fixed bug #28038 (Sent incorrect RCPT TO commands to SMTP server) (Garrett)
· Fixed bug #27051 (Impersonation with FastCGI does not exec process as impersonated user). (Pierre)
· Fixed PECL bug #16842 (oci_error return false when NO_DATA_FOUND is raised). (Chris Jones)

What's new in PHP 5.3.0 RC2:

May 8th, 2009

· The PHP development team is proud to announce the second release candidate of PHP 5.3.0 (PHP 5.3.0RC2). This RC focuses on bug fixes and stability improvements, and we hope only minimal changes are required for the next candidate (RC3).

What's new in PHP 5.2.8:

January 30th, 2009

· The PHP Development Team would like to announce the immediate availability of PHP 5.2.8. This release addresses a regression introduced by 5.2.7 in regard to the magic_quotes functionality, which was broken by an incorrect fix to the filter extension. All users who have upgraded to 5.2.7 are encouraged to upgrade to this release. Alternatively you can apply a work-around for the bug by changing "filter.default_flags=0" in php.ini.

What's new in PHP 5.2.1:

February 27th, 2007

· Fixed possible safe_mode & open_basedir bypasses inside the session extension.
· Fixed unserialize() abuse on 64 bit systems with certain input strings.
· Fixed possible overflows and stack corruptions in the session extension.
· Fixed an underflow inside the internal sapi_header_op() function.
· Prevent search engines from indexing the phpinfo() page.
· Fixed a number of input processing bugs inside the filter extension.
· Fixed allocation bugs caused by attempts to allocate negative values in some code paths.
· Fixed possible stack/buffer overflows inside zip, imap & sqlite extensions.
· Fixed several possible buffer overflows inside the stream filters.
· Memory limit is now enabled by default.
· Added internal heap protection.
· Extended filter extension support for $_SERVER in CGI and apache2 SAPIs.
· Fixed non-validated resource destruction inside the shmop extension.
· Fixed a possible overflow in the str_replace() function.
· Fixed possible clobbering of super-globals in several code paths.
· Fixed a possible information disclosure inside the wddx extension.
· Fixed a possible string format vulnerability in *print() functions on 64 bit systems.
· Fixed a possible buffer overflow inside ibase_{delete,add,modify}_user() functions.
· Fixed a string format vulnerability inside the odbc_result_all() function.

What's new in PHP 5.1.6:

August 25th, 2006

· Fixed memory_limit on 64bit systems. (Stefan E.)
· Fixed bug #38488(Access to "php://stdin" and family crashes PHP on win32). (Dmitry)

What's new in PHP 5.1.5:

August 18th, 2006

· Added missing safe_mode/open_basedir checks inside the error_log(), file_exists(), imap_open() and imap_reopen() functions.
· Fixed overflows inside str_repeat() and wordwrap() functions on 64bit systems.
· Fixed possible open_basedir/safe_mode bypass in cURL extension and with realpath cache.
· Fixed overflow in GD extension on invalid GIF images.
· Fixed a buffer overflow inside sscanf() function.
· Fixed an out of bounds read inside stripos() function.
· Fixed memory_limit restriction on 64 bit system.