Download PHP 4.4.1

The developers of The PHP Group have released a new release of PHP and assigned the version number 4.4.1. They recommend anyone using PHP 4.3 or PHP 4.4 to upgrade. This release fixes a number of bugs and a number of security vulnerabilities related to overwriting the GLOBALS array. The included announcement looks like this:

The PHP Development Team would like to announce the immediate release of PHP 4.4.1. This is a bug fix release, which addresses some security problems too. The security issues that this release fixes are:

• Fixed a Cross Site Scripting (XSS) vulnerabilities phpinfo() that could lead fe to cookie exposure, when a phpinfo() script is accidentally left on a production server.
• Fixed multiple safe_mode/open_basedir bypass vulnerabilities in ext/curl and ext/gd that could lead to exposure of files normally not accessible due to safe_mode or open_basedir restrictions.
• Fixed a possible $GLOBALS overwrite problem in file upload handling, extract() and import_request_variables() that could lead to unexpected security holes in scripts assumed secure. (For more information, see here).
• Fixed a problem when a request was terminated due to memory_limit constraints during certain parse_str() calls. In some cases this can result in register_globals being turned on.
• Fixed an issue with trailing slashes in allowed basedirs. They were ignored by open_basedir checks, so that specified basedirs were handled as prefixes and not as full directory names.
• Fixed an issue with calling virtual() on Apache 2. This allowed bypassing of certain configuration directives like safe_mode or open_basedir.
• Updated to the latest pcrelib to fix a possible integer overflow vulnerability announced in CAN-2005-2491.

This release also fixes 35 other defects, where the most important is the the fix that removes a notice when passing a by-reference result of a function as a by-reference value to another function. (Bug #33558).

changes:

• Added missing safe_mode checks for image* functions and cURL.
• Added missing safe_mode/open_basedir checks for file uploads.
• Fixed a memory corruption bug regarding included files.
• Fixed possible INI setting leak via virtual() in Apache 2 sapi.
• Fixed possible crash and/or memory corruption in import_request_variables().
• Fixed potential GLOBALS overwrite via import_request_variables().
• Fixed possible GLOBALS variable override when register_globals are ON.
• Fixed possible register_globals toggle via parse_str().
• Added “new_link” parameter to mssql_connect(). Bug #34369.
• Fixed bug #34850 (–program-suffix and –program-prefix not included in man page names).
• Fixed bug #34790 (preg_match_all(), named capturing groups, variable assignment/return => crash).
• Fixed bug #34742 (ftp wrapper failures caused from segmented command transfer).
• Fixed bug #34704 (Infinite recursion due to corrupt JPEG).
• Fixed bug #34645 (ctype corrupts memory when validating large numbers).
• Fixed bug #34565 (mb_send_mail does not fetch mail.force_extra_parameters).
• Fixed bug #34557 (php -m exits with “error” 1).
• Fixed bug #34456 (Possible crash inside pspell extension).
• Fixed bug #34311 (unserialize() crashes with chars above Dec 191).
• Fixed bug #34307 (on_modify handler not called to set the default value if setting from php.ini was invalid).
• Fixed bug #34302 (date(‘W’) do not return leading zeros for week 1 to 9).
• Fixed bug #34277 (array_filter() crashes with references and objects).
• Fixed bug #34191 (ob_gzhandler does not enforce trailing \0).
• Fixed bug #34156 (memory usage remains elevated after memory limit is reached).
• Fixed bug #34148 (+,- and . not supported as parts of scheme).
• Fixed bug #34137 (assigning array element by reference causes binary mess).
• Fixed bug #34068 (Numeric string as array key not cast to integer in wddx_deserialize()).
• Fixed bug #34064 (arr[] as param to function is allowed only if function receives argument by reference).
• Fixed bug #33989 (extract($GLOBALS,EXTR_REFS) crashes PHP).
• Fixed bug #33987 (php script as ErrorDocument causes crash in Apache 2).
• Fixed bug #33940 (array_map() fails to pass by reference when called recursively).
• Fixed bug #33690 (Crash setting some ini directives in httpd.conf).
• Fixed bug #33673 (Added detection for partially uploaded files).
• Fixed bug #33648 (Using –with-regex=system causes compile failure).
• Fixed bug #33558 (Warning with nested calls to functions returning by reference).
• Fixed bug #33383 (crash when retrieving empty LOBs).
• Fixed bug #33156 (cygwin version of settimer doesn’t accept ITIMER_PROF).
• Fixed bug #32937 (open_basedir looses trailing / in the limiter).
• Fixed bug #32589 (possible crash inside imap_mail_compose() function).
• Fixed bug #32179 (xmlrpc_encode() segfaults with recursive references).
• Fixed bug #32160 (copying a file into itself leads to data loss).
• Fixed bug #31158 (array_splice on $GLOBALS crashes).
• Fixed bug #29983 (PHP does not explicitly set mime type & charset).
• Fixed bug #29253 (array_diff with $GLOBALS argument fails).
• Fixed bug #21306 (ext/sesssion: catch bailouts of write handler during RSHUTDOWN).

[break]The following downloads are ready:
Source bz2
Source tarball
Windows installer
Windows Zipped