nion's blog

Stefan Esser announced a new extension for Suhosin.

There is a new suhosin.server.strip extension which will replace all < < ' " and `characters by ? in PHP_SELF, PATH_INFO and PATH_TRANSLATED and thus preventing XSS attacks.

The second new neat feature is suhosin.server.encode which scan for the above characters in REQUEST_URI and QUERY_STRING because not every browser (IE for example) will encode the characters before sending them.

Both are enabled by default in Suhosin in version 0.9.21. This is really neat!

[via Stefan Esser]

php 5.2.5 was just released.
Fefe makes fun of this release because of:
Key enhancements in PHP 5.2.5 include:
Upgraded PCRE to version 7.3

while Heise says that these vulnerabilities are fixed in pcre 7.4.

These vulnerabilities are namely CVE-2007-1659, CVE-2007-1660, CVE-2007-1661, CVE-2007-1662, CVE-2007-4766, CVE-2007-4767 and CVE-2007-4768

While I agree with him that PHP is crap, his blog post is wrong or let's say the information provided by Heise is not precise.
All those issues were fixed in the 7.3 release so there is no reason to worry about those vulnerabilities being open in the new php release, however the 7.4 release fixes some regressions introduced with 7.3 but those are (from what I see) not security relevant. So Heise is not wrong, the issues are fixed in 7.4 however they are also in 7.3