Yesterday the PHP Group announced the release of PHP version 5.3.6. This new version of PHP fixes five security flaws in addition to providing some new features that can enhance the security of your web server and PHP applications.
Two of the five bugs fixed are rated high severity by the National Vulnerability Database; the others have not been analyzed at this time.
The first is a vulnerability in the phar extension that can cause a denial of service condition as well as possibly allow remote code execution. Phar is the PHP equivalent of the JAR Java archive format. It does not appear to be used widely for popular PHP applications.
Another vulnerability that was fixed is in the shared memory read functionality. If exploited it could also cause a denial of service condition and possibly allow the reading of sensitive areas of system memory.
Other security fixes addressed problems with the reading of EXIF data, ZIP archive handling and high values for precision INI settings. One security enhancement now enforces security settings related to the use of the FastCGI module that is often used to help accelerate PHP web applications.
If you use PHP to drive your website, update your PHP at your earliest convenience. For Linux administrators this package should be available RSN (Real Soon Now) from your distributions’ update repositories. Administrators of Windows systems and other platforms should download the latest version from http://www.php.net.