Aug 24, 2011 14:49 GMT  ·  By

The PHP development team has released a new version of the PHP interpreter to address a recently discovered bug in the crypt() function that breaks validation of MD5-based password hashes.

The bug was accidentally introduced in PHP 5.3.7 while fixing a buffer overflow in crypt() that could be triggered with overly long salts.

Shortly after last week's security update, however, the PHP developers found that MD5 hash validation no longer worked properly.

More precisely, when crypt() is called with an MD5 salt (a string beginning with "$1$"), it returns only the salt instead of the full hash. Applications verify a password by re-running crypt() with the stored hash as the salt argument and comparing the result against the stored hash, so on 5.3.7 that comparison never matches.

This function is used by many applications for authentication, which means that their users could no longer log in to their accounts. Implementations that use crypt() with other algorithms, such as DES or Blowfish, were not affected.
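The failure mode described above can be checked directly on a given build. The script below is an added example, not code from the article or from the PHP project: it shows the crypt()-based verification idiom that breaks under the 5.3.7 regression, and a self-test that flags the bug by comparing crypt() output against the known-answer vectors published in the PHP manual's crypt() documentation (the function names, the "BROKEN" label and the constant-time comparison helper are this example's own choices).

```php
<?php
// Added example (not from the article or the PHP project): detect the PHP 5.3.7
// regression in which crypt() with an MD5 ("$1$") salt returned only the salt
// instead of the full hash. Run with the CLI: php crypt_selftest.php

// The verification idiom used by most PHP login code: re-hash the submitted
// password using the stored hash as the "salt" argument and compare. crypt()
// reads the "$1$<salt>$" prefix and ignores the rest, so the stored hash
// doubles as the salt.
function verify_password($password, $stored_hash)
{
    $computed = crypt($password, $stored_hash);
    // Constant-time comparison; hash_equals() only exists from PHP 5.6.
    // On 5.3.7 $computed is the bare salt, so the lengths differ and this
    // returns false for every password, including the correct one.
    if (strlen($computed) !== strlen($stored_hash)) {
        return false;
    }
    $diff = 0;
    for ($i = 0, $n = strlen($computed); $i < $n; $i++) {
        $diff |= ord($computed[$i]) ^ ord($stored_hash[$i]);
    }
    return $diff === 0;
}

// Known-answer self-test. The password/salt/output triples are the ones from
// the PHP manual's crypt() page; an interpreter is healthy only if it
// reproduces them exactly.
function crypt_selftest()
{
    $password = 'rasmuslerdorf';
    $vectors = array(
        'DES'      => array('rl', 'rl.3StKT.4T8M'),
        'MD5'      => array('$1$rasmusle$', '$1$rasmusle$rISCgZzpwk3UhDidwXvin0'),
        'Blowfish' => array('$2a$07$usesomesillystringforsalt$',
                            '$2a$07$usesomesillystringfore2uDLvp1Ii2e./U9C8sBjqp8I90dH6hi'),
    );
    $results = array();
    foreach ($vectors as $name => $v) {
        list($salt, $expected) = $v;
        $got = crypt($password, $salt);
        if ($got === $expected) {
            $results[$name] = 'ok';
        } elseif ($got === $salt) {
            // Exactly the 5.3.7 failure mode: the output is the bare salt.
            $results[$name] = 'BROKEN (crypt() returned only the salt)';
        } else {
            $results[$name] = 'mismatch (unexpected output ' . $got . ')';
        }
    }
    return $results;
}

// A stored MD5-crypt hash, as an application would keep it in its user table.
$stored = '$1$rasmusle$rISCgZzpwk3UhDidwXvin0';

// The correct password must verify on a healthy build; on 5.3.7 it cannot.
var_dump(verify_password('rasmuslerdorf', $stored));
// A wrong password must never verify, on any build.
var_dump(verify_password('not-the-password', $stored));

print_r(crypt_selftest());
```

The self-test reports "BROKEN" for MD5 on an affected 5.3.7 interpreter while DES and Blowfish report "ok", which matches the article's description of the bug's scope; any other mismatch points at a different problem (for example a system crypt() that lacks an algorithm) and should be investigated separately.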

The development team rushed out a patched version, which landed today as PHP 5.3.8. All users are strongly encouraged to upgrade, as 5.3.8 also contains the security fixes that shipped in 5.3.7.

In addition to fixing the crypt() bug, the new version reverts a timeout-handling change made in 5.3.7 that caused SSL connections made through the mysqlnd driver to hang.

"The MySQLi ignores SSL options set with mysqli_ssl_set() for persistent connections (works fine for non-persistent connections)," the bug report explains.

"All PHP users should note that the PHP 5.2 series is NOT supported anymore," the PHP developers warn; 5.3.8 is now the only supported stable release. PHP 5.4.0 Alpha 3 can also be downloaded for testing purposes.

The latest version of PHP can be downloaded from here.