PHP 5.3.8 released to squash critical crypto bug

The PHP Group has announced the release of PHP 5.3.8, the day after releasing a security advisory warning of a critical bug in the cryptographic function of the prior version.

PHP - the PHP Hypertext Preprocessor - version 5.3.7 was a standard release put out by the open-source group on the 18th of August, but yesterday the team alerted users to avoid upgrading until a critical flaw in the crypt function could be addressed.

The flaw, which affected only the MD5 algorithm, caused crypt() to return just the salt value instead of the salted hash, breaking any system that relies on MD5 salted hashes - while other salt types continued to work correctly.
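As an added example (not code from the article or the PHP project), the following PHP script shows the two checks an administrator would want after reading the above: a crypt() self-test that detects the salt-only return described here, and an audit of stored credentials for values that are nothing but a bare MD5 salt. The known-answer pair (password "rasmuslerdorf", salt "$1$rasmusle$") is the one used in the PHP manual's crypt() documentation; the user records are constructed for the demonstration.

```php
<?php
// Added example, not code from the article or the PHP project.
// In PHP 5.3.7, crypt() with an MD5 salt ("$1$" + up to 8 chars + "$")
// returned only the salt instead of the salted hash. These two checks let
// an operator confirm the running interpreter behaves correctly and spot
// stored credentials that a buggy interpreter may have written.

// Self-test: does crypt() produce a real MD5-crypt hash for a known salt?
function crypt_md5_self_test()
{
    $salt = '$1$rasmusle$';                 // 12-character MD5-crypt salt
    $hash = crypt('rasmuslerdorf', $salt);  // known-answer pair from the PHP manual

    // A correct result is the salt followed by a 22-character hash body,
    // 34 characters in total. The buggy build returns just the 12-char salt.
    if ($hash === $salt || strlen($hash) !== 34) {
        return false;
    }
    return strncmp($hash, $salt, strlen($salt)) === 0;
}

// Audit helper: a stored value of the form "$1$<salt>$" with no hash body is
// what a 5.3.7 crypt() call would have handed back. Such a record cannot be
// verified against any password and needs a reset.
function looks_like_bare_md5_salt($stored)
{
    return preg_match('/^\$1\$[^$]{0,8}\$$/', $stored) === 1;
}

// Constructed sample records for the demonstration.
$records = array(
    'alice' => '$1$rasmusle$rISCgZzpwk3UhDidwXvin0',  // healthy hash
    'bob'   => '$1$saltsalt$',                        // bare salt: suspect
);

if (!crypt_md5_self_test()) {
    fwrite(STDERR, "crypt() MD5 self-test FAILED: do not trust password checks on this build\n");
}
foreach ($records as $user => $stored) {
    if (looks_like_bare_md5_salt($stored)) {
        echo "$user: stored value is a bare MD5 salt, force a password reset\n";
    }
}
```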

PHP is a commonly used scripting language originally designed for the creation of dynamic web pages and since extended to include command-line functionality for scripting on many operating systems. It's a handy tool which underpins much of the web - the popular blogging platform WordPress is largely powered by PHP, for example - and a bug of this magnitude is a worry to administrators around the world.

The bug has now been addressed, along with the removal of a new function added in 5.3.7 which was found to be causing some SSL sessions to freeze and crash. Users are advised to upgrade to 5.3.8 as soon as possible - especially given that 5.3.6 itself fixed a major security flaw in the Blowfish implementation.

More information about the bug, plus a download link, can be found on the PHP homepage.