xref: /web-php/releases/4_4_1.php (revision f1cb7e74)
<?php
$_SERVER['BASE_PAGE'] = 'releases/4_4_1.php';
include_once __DIR__ . '/../include/prepend.inc';
site_header("PHP 4.4.1 Release Announcement");
?>

<h1>PHP 4.4.1 Release Announcement</h1>
<p>
The PHP Development Team would like to announce the immediate release of
<a href="/downloads.php">PHP 4.4.1</a>.
</p>
<p>
This is a bug fix release that also addresses several security problems. The
security issues fixed by this release are:
</p>
<ul>
<li>Fixed a Cross Site Scripting (<a href='http://www.cgisecurity.com/articles/xss-faq.shtml'>XSS</a>)
	vulnerability in <a href='/phpinfo'>phpinfo</a>() that could
	lead, for example, to cookie exposure when a phpinfo() script is accidentally left
	on a production server.</li>
<li>Fixed multiple safe_mode/open_basedir bypass vulnerabilities in ext/curl
	and ext/gd that could lead to exposure of files normally not accessible due
	to safe_mode or open_basedir restrictions.</li>
<li>Fixed a possible $GLOBALS overwrite problem in file upload handling,
	extract() and import_request_variables() that could lead to unexpected
	security holes in scripts assumed to be secure. (For more information, see the
	<a href='http://www.hardened-php.net/globals-problem'>Hardened-PHP advisory</a>.)</li>
<li>Fixed a problem when a request was terminated due to memory_limit
	constraints during certain
	<a href='/parse_str'>parse_str</a>() calls. In some cases
	this could leave register_globals turned on.</li>
<li>Fixed an issue with trailing slashes in allowed basedirs. They were ignored
	by open_basedir checks, so the specified basedirs were matched as string prefixes
	rather than as full directory names.</li>
<li>Fixed an issue with calling <a href='/virtual'>virtual</a>()
	on Apache 2. This allowed bypassing of certain configuration directives
	like safe_mode or open_basedir.</li>
<li>Updated to the latest pcrelib to fix a possible integer overflow
	vulnerability announced in <a href='http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-2491'>CAN-2005-2491</a>.</li>
</ul>
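<p>
The trailing-slash item above describes a classic path-check mistake: once the
slash is dropped, an allowed directory is compared as a plain string prefix, so
an allowed <code>/var/www/</code> also admits <code>/var/www2/secret</code>. The
following C program is an added example written for this page, not PHP's own
<code>open_basedir</code> implementation; it models the flawed prefix comparison
beside the corrected directory comparison. It assumes the paths handed to it are
already canonicalised (<code>..</code> and symlinks resolved) and that the list
uses the <code>:</code> separator PHP uses on Unix.
</p>

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Length of basedir after dropping trailing slashes ("/" stays "/"). */
static size_t basedir_len(const char *basedir)
{
    size_t n = strlen(basedir);
    while (n > 1 && basedir[n - 1] == '/')
        n--;
    return n;
}

/* Models the pre-4.4.1 behaviour described in the release note: the trailing
 * slash is dropped and the remainder is matched as a plain string prefix,
 * so "/var/www/" also admits "/var/www2/secret". */
bool basedir_allows_prefix(const char *basedir, const char *path)
{
    size_t n = basedir_len(basedir);
    return strncmp(basedir, path, n) == 0;
}

/* Corrected behaviour: the basedir is a full directory name, so after the
 * matching prefix the path must either end or continue with a '/'. */
bool basedir_allows_dir(const char *basedir, const char *path)
{
    size_t n = basedir_len(basedir);
    if (strncmp(basedir, path, n) != 0)
        return false;                /* different directory entirely */
    if (n == 1 && basedir[0] == '/')
        return true;                 /* basedir "/" admits every absolute path */
    return path[n] == '\0' || path[n] == '/';
}

/* Evaluates a ':'-separated list (the open_basedir format on Unix) with the
 * corrected per-entry check; any matching entry admits the path.
 * Assumption for this example: no single entry is 4096 bytes or longer. */
bool open_basedir_allows(const char *list, const char *path)
{
    char entry[4096];
    const char *p = list;

    for (;;) {
        const char *sep = strchr(p, ':');
        size_t len = sep ? (size_t)(sep - p) : strlen(p);
        if (len >= sizeof entry)
            return false;            /* oversize entry: fail closed */
        memcpy(entry, p, len);
        entry[len] = '\0';
        if (len > 0 && basedir_allows_dir(entry, path))
            return true;
        if (!sep)
            return false;            /* no entry matched */
        p = sep + 1;
    }
}

int main(void)
{
    /* Constructed sample: one allowed tree and a sibling sharing its prefix. */
    const char *basedir = "/var/www/";
    const char *paths[] = { "/var/www/index.php", "/var/www", "/var/www2/secret" };
    for (size_t i = 0; i < sizeof paths / sizeof paths[0]; i++)
        printf("%-20s prefix-check=%d dir-check=%d\n", paths[i],
               basedir_allows_prefix(basedir, paths[i]),
               basedir_allows_dir(basedir, paths[i]));
    return 0;
}
```

<p>
Compiled with any C99 compiler, the program prints for each sample path whether
the prefix-only check and the directory-aware check admit it; only the sibling
directory differs between the two. Canonicalisation is the other half of a real
check: without it a path such as <code>/var/www/../etc/passwd</code> passes
either string comparison, so the path must be resolved before the directory
comparison is applied.
</p>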
<p>
This release also fixes 35 other defects, the most important being the fix
that removes a notice when passing the by-reference result of a function
as a by-reference argument to another function (Bug #<a href='http://bugs.php.net/33558'>33558</a>).
</p>
<p>
For a full list of changes in PHP 4.4.1, see the
<a href="/ChangeLog-4.php#4.4.1">ChangeLog</a>.
</p>

<?php site_footer(); ?>
