xref: /web-php/releases/5_1_0.php (revision f1cb7e74)
<?php
$_SERVER['BASE_PAGE'] = 'releases/5_1_0.php';
include_once __DIR__ . '/../include/prepend.inc';
site_header("PHP 5.1.0 Release Announcement");
?>

<h1>PHP 5.1.0 Release Announcement</h1>
<p>
The PHP development team is proud to announce the release of <a href="/downloads.php">PHP 5.1.0</a>.<br>
Some of the key features of <a href="/downloads.php">PHP 5.1.0</a> include:
</p>
<p>
<ul>
<li>A complete rewrite of date handling code, with improved timezone support.</li>
<li>Significant performance improvements compared to PHP 5.0.X.</li>
<li>PDO extension is now enabled by default.</li>
<li>Over 30 new functions in various extensions and built-in functionality.</li>
<li>Bundled libraries, PCRE and SQLite upgraded to latest versions.</li>
<li>Over 400 various bug fixes.</li>
<li>PEAR upgraded to version 1.4.5</li>
</ul>
</p>

<p>
 For a full list of changes in PHP 5.1.0, see the
 <a href="/ChangeLog-5.php#5.1.0">ChangeLog</a>.
</p>

<p>
In addition to new features, this release includes a number of important security fixes:
<ul>
<li>Fixed a Cross Site Scripting (<a href='http://www.cgisecurity.com/articles/xss-faq.shtml'>XSS</a>)
	vulnerability in <a href='/phpinfo'>phpinfo</a>() that could
	lead, for example, to cookie exposure when a phpinfo() script is accidentally left
	on a production server.</li>
<li>Fixed multiple safe_mode/open_basedir bypass vulnerabilities in ext/curl
	and ext/gd that could lead to exposure of files normally not accessible due
	to safe_mode or open_basedir restrictions.</li>
<li>Fixed a possible $GLOBALS overwrite problem in file upload handling,
	extract() and import_request_variables() that could lead to unexpected
	security holes in scripts assumed secure. (For more information, see <a
	href='http://www.hardened-php.net/globals-problem'>here</a>).</li>
<li>Fixed a problem when a request was terminated due to memory_limit
	constraints during certain
	<a href='/parse_str'>parse_str</a>() calls. In some cases
	this can result in register_globals being turned on.</li>
<li>Fixed an issue with trailing slashes in allowed basedirs. They were ignored
	by open_basedir checks, so that specified basedirs were handled as prefixes
	and not as full directory names.</li>
<li>Fixed an issue with calling <a href='/virtual'>virtual</a>()
	on Apache 2. This allowed bypassing of certain configuration directives
	like safe_mode or open_basedir.</li>
<li>Updated to the latest pcrelib to fix a possible integer overflow
	vulnerability announced in <a href='http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-2491'>CAN-2005-2491</a>.</li>
<li>Fixed a possible header injection in the mb_send_mail() function via the &quot;To&quot; address, the first parameter of the function.</li>
</ul>
</p>

<p>
All users of PHP 5.0 and early adopters of 5.1 betas are strongly advised to upgrade to 5.1 as soon as
possible. Furthermore, the 5.1 branch obsoletes the 5.0 PHP branch.
</p>

<p>An <a href="/migration51">Upgrading Guide</a> is available to ease the transition from prior PHP versions.</p>

<?php site_footer(); ?>

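The open_basedir trailing-slash item in the security fixes above turns on the difference between matching a basedir as a string prefix and matching it as a directory name. The following is an added example, not code from the PHP project or from this page: a simplified model of the two comparisons, assuming already-resolved absolute paths, with hypothetical function names and constructed sample paths.

```php
<?php
// Simplified model of the comparison; not PHP's internal C implementation.
// Assumes absolute, already-resolved paths. All paths are constructed samples.

// Behaviour the announcement describes as fixed: the trailing slash is
// ignored, so the basedir is matched as a plain string prefix.
function allowed_as_prefix(string $basedir, string $path): bool
{
    $prefix = rtrim($basedir, '/');
    return strncmp($path, $prefix, strlen($prefix)) === 0;
}

// Directory semantics: the path is the basedir itself or lies beneath it,
// so the match has to end on a '/' boundary.
function allowed_as_directory(string $basedir, string $path): bool
{
    $base = rtrim($basedir, '/');
    $dir = $base . '/';
    return $path === $base || strncmp($path, $dir, strlen($dir)) === 0;
}

// Paths that only the prefix interpretation lets through, checked against
// every entry of a ':'-separated open_basedir value.
function exposed_by_prefix_match(string $openBasedir, array $paths): array
{
    $exposed = [];
    foreach ($paths as $path) {
        $prefixOk = $dirOk = false;
        foreach (explode(':', $openBasedir) as $entry) {
            $prefixOk = $prefixOk || allowed_as_prefix($entry, $path);
            $dirOk = $dirOk || allowed_as_directory($entry, $path);
        }
        if ($prefixOk && !$dirOk) {
            $exposed[] = $path;
        }
    }
    return $exposed;
}

$openBasedir = '/var/www/site/:/tmp/uploads/';   // constructed configuration value
$paths = [
    '/var/www/site/index.php',         // inside a configured basedir
    '/var/www/site-backup/db.sql',     // sibling directory sharing the prefix
    '/var/www/site_admin/config.php',  // sibling directory sharing the prefix
    '/tmp/uploads2/notes.txt',         // sibling directory sharing the prefix
    '/etc/hostname',                   // unrelated path
];
print_r(exposed_by_prefix_match($openBasedir, $paths));
```

The script lists the sample paths that pass the prefix comparison but fail the directory comparison, which is the set of sibling directories an operator would want to review when a basedir was written with a trailing slash.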