[TYPO3-dev] which php-version?

Steffen Kamper steffen at sk-typo3.de
Wed Sep 5 20:04:48 CEST 2007


Hi,

Today it was very frustrating trying TYPO3 with PHP 5.2.4.
5.2.0 - too many errors, not working
5.2.1 - too many errors, not working
5.2.2 - works, but has some errors and security flaws
5.2.3 - works, but has also many errors

Hoped that 5.2.4 would fix it; announcement:
* Security Enhancements and Fixes in PHP 5.2.4:
  o Fixed a floating point exception inside wordwrap() (Reported by Mattias Bengtsson)
  o Fixed several integer overflows inside the GD extension (Reported by Mattias Bengtsson)
  o Fixed size calculation in chunk_split() (Reported by Gerhard Wagner)
  o Fixed integer overflow in str[c]spn(). (Reported by Mattias Bengtsson)
  o Fixed money_format() not to accept multiple %i or %n tokens. (Reported by Stanislav Malyshev)
  o Fixed zend_alter_ini_entry() memory_limit interruption vulnerability. (Reported by Stefan Esser)
  o Fixed INFILE LOCAL option handling with MySQL extensions not to be allowed when open_basedir or safe_mode is active. (Reported by Mattias Bengtsson)
  o Fixed session.save_path and error_log values to be checked against open_basedir and safe_mode (CVE-2007-3378) (Reported by Maksymilian Arciemowicz)
  o Fixed a possible invalid read in glob() win32 implementation (CVE-2007-3806) (Reported by shinnai)
  o Fixed a possible buffer overflow in php_openssl_make_REQ (Reported by zatanzlatan at hotbrev dot com)
  o Fixed an open_basedir bypass inside glob() function (Reported by dr at peytz dot dk)
  o Fixed a possible open_basedir bypass inside session extension when the session file is a symlink (Reported by c dot i dot morris at durham dot ac dot uk)
  o Improved fix for MOPB-03-2007.
  o Corrected fix for CVE-2007-2872.
* Key enhancements in PHP 5.2.4 include:
  o Upgraded PCRE to version 7.2
  o Added persistent connection status checker to pdo_pgsql.
  o Fixed oci8 and PDO_OCI extensions to allow configuring with Oracle 11g client libraries.
  o Fixed bug #41831 (pdo_sqlite prepared statements convert resources to strings).
  o Fixed bug #41770 (SSL: fatal protocol error due to buffer issues)
  o Fixed bug #41713 (Persistent memory consumption on win32 since 5.2)
  o Over 120 bug fixes.

But I got empty pages with strange errors, e.g.
syntax error line 1: <!DOCTYPE html \n

so no way to use it.

Now the big question is: Which version is best to use and has fewer bugs/security flaws?

Best regards, Steffen