This event, in the heart of London's vibrant technical scene, brings together the best minds from open source enterprise software development. The newly-formed Sensio Labs UK is delighted to serve up a UK edition of the wildly successful Symfony Live events, with two days (September 13th & 14th) of excellent technical content for you to enjoy.

Day one is workshop day: we'll spend the day absorbing knowledge from industry leaders in a choice of two in-depth workshops. On workshop day we're also offering the opportunity to take the Symfony Certified Developer Exam - be sure to book your slot if you think you have what it takes!

For the main conference day on Friday we're pulling out all the stops to make this a festival of technology and inspiration that you'll remember. Whether you're new to Symfony, already using Symfony 1, or an experienced developer looking to find out more, this event will have something to make you glad you came along.

The Web Developer Conference (WDC) for web developers takes place from the 17th - 18th of September, 2012 in Hamburg, Germany. The conference is geared towards developers of web applications, content and online managers, agencies and web-masters.

The WDC will be represented by the German trade magazine web & mobile developer. More information about the conference can be found on the conference website.

The PHP development team would like to announce the immediate availability of PHP 5.4.5 and PHP 5.3.15. This release fixes over 30 bugs and includes a fix for a security related overflow issue in the stream implementation. All users of PHP are encouraged to upgrade to PHP 5.4.5 or PHP 5.3.15.

For source downloads of PHP 5.4.5 and PHP 5.3.15 please visit our downloads page; Windows binaries can be found on windows.php.net/download/. The list of changes is recorded in the ChangeLog.

The Northeast PHP conference is a two day event coordinated by three PHP user groups in the northeast region: Boston PHP, Atlantic Canada PHP, and Vermont PHP. The entire event is being organized by community volunteers and members just like you. We are completely non profit, and open source.

There will be nothing quite like it. With two fun-filled days full of great topics from over 40 experts, it's like three years of Meetups jam packed into two days!

Check out the Northeast PHP website for a listing of the talks and speakers lined up.

  • What: Northeast PHP Conference
  • When: Sat-Sun August 11-12, 2012 8am-5pm
  • Where: Microsoft NERD
  • Tickets: Tickets go on sale June 28th!

The PHP development team would like to announce the immediate availability of PHP 5.4.4 and PHP 5.3.14. All users of PHP are encouraged to upgrade to PHP 5.4.4 or PHP 5.3.14.

The release fixes multiple security issues: a weakness in the DES implementation of crypt and a heap overflow issue in the phar extension.

PHP 5.4.4 and PHP 5.3.14 fix over 30 bugs. Please note that the use of php://fd streams is now restricted to the CLI SAPI.

For source downloads of PHP 5.4.4 and PHP 5.3.14 please visit our downloads page; Windows binaries can be found on windows.php.net/download/. The list of changes is recorded in the ChangeLog.

The PHP development team would like to announce the immediate availability of PHP 5.4.3 and PHP 5.3.13. All users are encouraged to upgrade to PHP 5.4.3 or PHP 5.3.13.

The releases complete a fix for a vulnerability in CGI-based setups (CVE-2012-2311). Note: mod_php and php-fpm are not vulnerable to this attack.

PHP 5.4.3 fixes a buffer overflow vulnerability in the apache_request_headers() (CVE-2012-2329). The PHP 5.3 series is not vulnerable to this issue.

For source downloads of PHP 5.4.3 and PHP 5.3.13 please visit our downloads page; Windows binaries can be found on windows.php.net/download/. The list of changes is recorded in the ChangeLog.

PHP 5.3.12/5.4.2 do not fix all variations of the CGI issues described in CVE-2012-1823. It has also come to our attention that some sites use an insecure cgiwrapper script to run PHP. These scripts will use $* instead of "$@" to pass parameters to php-cgi which causes a number of issues. Again, people using mod_php or php-fpm are not affected.

One way to address these CGI issues is to reject the request if the query string contains a '-' and no '='. It can be done using Apache's mod_rewrite like this:

    # Reject (403) any request whose query string contains no '=' but does
    # contain a dash, either literal or URL-encoded as %2d.
    RewriteCond %{QUERY_STRING} ^[^=]*$
    RewriteCond %{QUERY_STRING} %2d|\- [NC]
    RewriteRule .? - [F,L]

Note that this will block otherwise safe requests like ?top-40 so if you have query parameters that look like that, adjust your regex accordingly.

Another set of releases is planned for Tuesday, May 8th. These releases will fix the CGI flaw and another CGI-related issue in apache_request_header (5.4 only).

We apologize for the inconvenience created with these releases and the (lack of) communication around them.

There is a vulnerability in certain CGI-based setups (Apache+mod_php and nginx+php-fpm are not affected) that has gone unnoticed for at least 8 years. Section 7 of the CGI spec states:

Some systems support a method for supplying a [sic] array of strings to the CGI script. This is only used in the case of an `indexed' query. This is identified by a "GET" or "HEAD" HTTP request with a URL search string not containing any unencoded "=" characters.

So, requests that do not have a "=" in the query string are treated differently from those that do in some CGI implementations. For PHP this means that a request containing ?-s may dump the PHP source code for the page, but a request that has ?-s&=1 is fine.

A large number of sites run PHP as either an Apache module through mod_php or using php-fpm under nginx. Neither of these setups is vulnerable to this. Straight shebang-style CGI also does not appear to be vulnerable.

If you are using Apache mod_cgi to run PHP you may be vulnerable. To see if you are, just add ?-s to the end of any of your URLs. If you see your source code, you are vulnerable. If your site renders normally, you are not.

To fix this, update to PHP 5.3.12 or PHP 5.4.2.

We recognize that since CGI is a rather outdated way to run PHP, it may not be feasible to upgrade these sites to a modern version of PHP. An alternative is to configure your web server to not let these types of requests with query strings starting with a "-" and not containing a "=" through. Adding a rule like this should not break any sites. For Apache using mod_rewrite it would look like this:

         # Strip the query string entirely when it starts with a dash (literal
         # or %2d) and contains no '=', so php-cgi never sees it as an option.
         RewriteCond %{QUERY_STRING} ^(%2d|-)[^=]+$ [NC]
         RewriteRule ^(.*) $1? [L]

If you are writing your own rule, be sure to take the urlencoded ?%2ds version into account.
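As an added illustration that is not part of this advisory or of PHP itself, the Python below mirrors the "indexed query" rule from section 7 of the CGI spec (no unencoded "=" means the query is split on "+" and URL-decoded into argv) together with the two mod_rewrite checks above, so their behaviour on ?-s, ?-s&=1, ?%2ds and ?top-40 can be verified offline. The function names `is_indexed_query`, `indexed_query_argv` and `should_block` are hypothetical helpers chosen here.

```python
import re
from urllib.parse import unquote


def is_indexed_query(query: str) -> bool:
    """CGI spec section 7: a GET/HEAD query with no unencoded '=' is an
    'indexed' query. Some CGI servers hand such a query to the script as
    command-line arguments instead of leaving it in QUERY_STRING only."""
    return "=" not in query


def indexed_query_argv(query: str) -> list:
    """Model how an indexed query becomes argv for the CGI binary:
    split on '+', URL-decode each piece. A non-indexed query yields no
    extra arguments, which is why ?-s&=1 is harmless while ?-s is not."""
    if not is_indexed_query(query):
        return []
    return [unquote(part) for part in query.split("+") if part]


# First advisory rule: no '=' anywhere AND a dash (literal or %2d) anywhere.
_ANY_DASH = re.compile(r"%2d|-", re.IGNORECASE)
# Second advisory rule: query starts with a dash and contains no '='.
_LEADING_DASH = re.compile(r"^(%2d|-)[^=]+$", re.IGNORECASE)


def should_block(query: str, strict: bool = True) -> bool:
    """strict=True mirrors the 403 rule (RewriteRule .? - [F,L]); it also
    catches otherwise-safe queries such as ?top-40, as the advisory warns.
    strict=False mirrors the query-stripping rule, which only fires when
    the first character is a dash."""
    if strict:
        return is_indexed_query(query) and bool(_ANY_DASH.search(query))
    return bool(_LEADING_DASH.match(query))


if __name__ == "__main__":
    # Constructed sample query strings taken from the cases the advisory names.
    for q in ("-s", "-s&=1", "%2ds", "top-40", "a=1"):
        print(f"?{q:<8} argv={indexed_query_argv(q)!s:<8} "
              f"block(strict)={should_block(q)} block(lenient)={should_block(q, False)}")
```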

Making a bad week worse, we had a bug in our bug system that toggled the private flag of a bug report to public on a comment to the bug report causing this issue to go public before we had time to test solutions to the level we would like. Please report any issues via bugs.php.net.

For source downloads of PHP 5.3.12 and PHP 5.4.2 please visit our downloads page; Windows binaries can be found on windows.php.net/download/. A ChangeLog exists.

DevConf 2012 in Moscow, Russia on Jun 9 - Jun 10

DevConf is the ultimate meeting place for Russian-speaking web developers, combining several language-specific conferences under one roof.

This year DevConf will include the following sections:

  • DevConf::PHP();
  • DevConf::Perl();
  • DevConf::RoR();
  • DevConf::Python();
  • DevConf::Javascript();

Each section will feature several talks from the active contributors/authors of the language. Among the invited speakers are Derick Rethans (XDebug creator), David Soria Parra (active PHP contributor), Andrey Aksyonov (author of Sphinx), Alexander Makarov (one of the main contributors to Yii), Sergey Petrunya (of MariaDB fame), Ilya Alekseev (OpenStack Nova contributor) and many others, see more details on the official website.

The PHP development team announces the immediate availability of PHP 5.3.11 and PHP 5.4.1. These releases focus on improving the stability of the current PHP branches with over 60 bug fixes, some of which are security related.

Security Enhancements for both PHP 5.3.11 and PHP 5.4.1:

  • Fixed bug #54374 (Insufficient validating of upload name leading to corrupted $_FILES indices). (CVE-2012-1172).
  • Add open_basedir checks to readline_write_history and readline_read_history.

Security Enhancement affecting PHP 5.3.11 only:

  • Fixed bug #61043 (Regression in magic_quotes_gpc fix for CVE-2012-0831).

Key enhancements in these releases include:

  • Added debug info handler to DOM objects.
  • Fixed bug #61172 (Add Apache 2.4 support).

For a full list of changes in PHP 5.3.11 and PHP 5.4.1, see the ChangeLog. For source downloads please visit our downloads page; Windows binaries can be found on windows.php.net/download/.

All users of PHP are strongly encouraged to upgrade to PHP 5.3.11 or PHP 5.4.1.