PHP 5.3.7

Arantor

  • As powerful as possible, as complex as necessary.
  • Posts: 14,278
PHP 5.3.7
« on August 23rd, 2011, 12:02 AM »
I doubt this will affect most of you but anyway.

http://www.theregister.co.uk/2011/08/22/php_security_warning/

Long story short: do not use PHP 5.3.7, it has a fairly nasty vulnerability in the internal crypt library that, well, doesn't crypt things properly.

It does have an impact on both SMF and Wedge, as it happens. Specifically, older forums that make use of the crypt function in order to hash passwords, as well as custom indexes, will be compromised by this bug.

I doubt the older forums thing is a huge deal for the vast majority of users, but potentially the custom indexes one is. If your host uses 5.3.7, get them to upgrade to a dev version or kick them to upgrade to 5.3.8 when it is released in the next few days.
When we unite against a common enemy that attacks our ethos, it nurtures group solidarity. Trolls are sensational, yes, but we keep everyone honest. | Game Memorial
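
An added example, not part of the original post and not code from SMF or Wedge: a known-answer self-test that tells you whether the crypt() on a given host is broken. In 5.3.7 the fault was that crypt() called with an MD5 (`$1$`) salt returned only the salt; the function name and the second test password are this example's own, and the test vector is the MD5 example from the PHP manual.

```php
<?php
// Added example: known-answer test for crypt() with an MD5 salt.
// Returns an array of problems found; an empty array means crypt() looks sane.
function crypt_md5_self_test()
{
    $problems = array();

    if (!defined('CRYPT_MD5') || CRYPT_MD5 != 1) {
        $problems[] = 'CRYPT_MD5 is not available on this build';
        return $problems;
    }

    // Vector from the PHP manual's crypt() examples.
    $salt     = '$1$rasmusle$';
    $expected = '$1$rasmusle$rISCgZzpwk3UhDidwXvin0';
    $actual   = crypt('rasmuslerdorf', $salt);

    if ($actual === $salt) {
        // Salt-only output: every password "hashes" to the same string.
        $problems[] = 'crypt() returned only the salt';
    } elseif ($actual !== $expected) {
        $problems[] = 'crypt() output does not match the known answer';
    }

    // Independent of the vector: two different passwords under the same
    // salt must never produce the same hash. (Second password is constructed.)
    if (crypt('constructed-password-A', $salt) === crypt('constructed-password-B', $salt)) {
        $problems[] = 'different passwords produce identical hashes';
    }

    return $problems;
}

$problems = crypt_md5_self_test();
if ($problems) {
    echo 'PHP ' . PHP_VERSION . ": crypt() FAILED self-test\n";
    foreach ($problems as $p) {
        echo "  - $p\n";
    }
    exit(1);
}
echo 'PHP ' . PHP_VERSION . ": crypt() passed self-test\n";
```

Hashes written while the broken build was in use stay wrong after the upgrade, so passwords set or changed during that window need to be reset.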

MultiformeIngegno

  • Posts: 1,337
Re: PHP 5.3.7
« Reply #1, on August 23rd, 2011, 12:19 AM »
Thanks for the info! ;)

Dr. Deejay

  • Happy new year all!
  • Posts: 118
Re: PHP 5.3.7
« Reply #2, on August 23rd, 2011, 09:26 AM »
Yeah, thanks for the information Arantor. Glad my host didn't update, I believe they are still on 5.2

Arantor

  • As powerful as possible, as complex as necessary.
  • Posts: 14,278
Re: PHP 5.3.7
« Reply #3, on August 23rd, 2011, 09:32 AM »
If they're on 5.2, they should be on 5.2.17 - it's been out over 6 months, and hosts don't really have much reason not to upgrade.

Antes

  • Stuff?
  • Posts: 52
Re: PHP 5.3.7
« Reply #4, on August 23rd, 2011, 09:55 AM »
Well, I think my host is waiting for 5.3.X (final) to upgrade; still on 2.17

Thank you for the info

Arantor

  • As powerful as possible, as complex as necessary.
  • Posts: 14,278
Re: PHP 5.3.7
« Reply #5, on August 23rd, 2011, 09:57 AM »
Quote
5.3.X (final)
Depends on your definition of 'final'. 5.3 final won't appear until 5.4 is considered stable, and given that 5.4 is not even yet in beta...

But if they can't even be bothered to upgrade to a security patch of PHP in 6 months after it came out, I'd be asking questions...
