The PHP development team announces the immediate availability of PHP 5.6.6. This release fixes several bugs and addresses CVE-2015-0235 and CVE-2015-0273. All PHP 5.6 users are encouraged to upgrade to this version.
The PHP development team announces the immediate availability of PHP 5.5.22. This release fixes several bugs and addresses CVE-2015-0235 and CVE-2015-0273. All PHP 5.5 users are encouraged to upgrade to this version.
The PHP development team announces the immediate availability of PHP 5.4.38. Seven security-related bugs were fixed in this release, including CVE-2015-0273 and mitigation for CVE-2015-0235. All PHP 5.4 users are encouraged to upgrade to this version.
The PHP development team announces the immediate availability of PHP 5.4.37. Six security-related bugs were fixed in this release, including CVE-2015-0231, CVE-2014-9427 and CVE-2015-0232. All PHP 5.4 users are encouraged to upgrade to this version.
The PHP development team announces the immediate availability of PHP 5.6.5. This release fixes several bugs as well as CVE-2015-0231, CVE-2014-9427 and CVE-2015-0232. All PHP 5.6 users are encouraged to upgrade to this version.
The PHP development team announces the immediate availability of PHP 5.5.21. This release fixes several bugs as well as CVE-2015-0231, CVE-2014-9427 and CVE-2015-0232. All PHP 5.5 users are encouraged to upgrade to this version.
The PHP web team are delighted to announce the launch of the new web theme that has been in beta for many months. Lots of hard work has gone into this release and we will be continually improving things over time now that we have migrated away from the legacy theme.
From an aesthetics point of view the general color scheme of the website has been lightened from the older dark purple. Lots of borders and links use a similar purple color to attain consistency. Fonts are smoother, and colors, contrast and highlighting have significantly improved, especially on function reference pages. Code examples should now be much more readable.
The theme is marked up using HTML5 and is generally much more modern. We are using Google Fonts and Bootstrap for our theme base.
To provide valuable feedback, you can use the 'Feedback' widget on the side of the page (not visible on smartphones) and to report bugs, you can make use of the bugs.php.net tracker. Despite our extensive multi-device/multi-browser testing, we may have missed something. So, if you spot any issues please do get in touch.
Special thanks to the guys who helped make this happen, you know who you are!
All affected services have been migrated off those servers. We have verified that our Git repository was not compromised, and it remains in read-only mode as services are brought back up in full.
As it's possible that the attackers may have accessed the private key of the php.net SSL certificate, we have revoked it immediately. We are in the process of getting a new certificate, and expect to restore access to php.net sites that require SSL (including bugs.php.net and wiki.php.net) in the next few hours.
To summarise, the situation right now is that:
Over the next few days, we will be taking further action:
We will provide a full post mortem in due course, most likely next week. You can also get updates from the official php.net Twitter: @official_php.
Combing through the access logs for static.php.net showed that it was periodically serving up userprefs.js with the wrong content length and then reverting back to the right size after a few minutes. This is due to an rsync cron job: the file was being modified locally and then reverted. Google's crawler caught one of these small windows where the wrong file was being served, but of course, when we looked at it manually it looked fine. So more confusion.
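The access-log check described above, as an added example (not php.net's own tooling): it groups full 200 responses by path and reports the time windows in which a file was served with a size other than its usual one. The Apache combined log format and every sample line, timestamp, address and byte count are constructed assumptions; only the file name userprefs.js comes from the text.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample, assumed to be Apache combined log format (the page does
# not give the format); timestamps, addresses and byte counts are made up.
SAMPLE_LOG = """\
192.0.2.10 - - [01/Jan/2020:06:10:01 +0000] "GET /userprefs.js HTTP/1.1" 200 1523 "-" "-"
198.51.100.7 - - [01/Jan/2020:06:20:12 +0000] "GET /userprefs.js HTTP/1.1" 200 2871 "-" "-"
192.0.2.44 - - [01/Jan/2020:06:22:47 +0000] "GET /userprefs.js HTTP/1.1" 200 2871 "-" "-"
192.0.2.10 - - [01/Jan/2020:06:23:05 +0000] "GET /userprefs.js HTTP/1.1" 304 - "-" "-"
203.0.113.5 - - [01/Jan/2020:06:31:00 +0000] "GET /userprefs.js HTTP/1.1" 200 1523 "-" "-"
198.51.100.7 - - [01/Jan/2020:07:20:09 +0000] "GET /userprefs.js HTTP/1.1" 200 2871 "-" "-"
192.0.2.44 - - [01/Jan/2020:07:35:00 +0000] "GET /userprefs.js HTTP/1.1" 200 1523 "-" "-"
203.0.113.5 - - [01/Jan/2020:07:40:00 +0000] "GET /userprefs.js HTTP/1.1" 200 1523 "-" "-"
"""

LINE_RE = re.compile(
    r'\S+ \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)')

def size_anomalies(log_text):
    """Map path -> [(first, last, size, hits)] runs of 200s with an unusual size."""
    seen = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        # Keep complete GET bodies only: HEAD, 206 and 304 differ legitimately.
        if not m or m["method"] != "GET" or m["status"] != "200" or m["size"] == "-":
            continue
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        seen[m["path"]].append((ts, int(m["size"])))
    report = {}
    for path, rows in seen.items():
        rows.sort()
        baseline = Counter(size for _, size in rows).most_common(1)[0][0]
        windows, prev = [], baseline
        for ts, size in rows:
            if size != baseline and size == prev:   # same odd size: extend run
                first, _, _, n = windows[-1]
                windows[-1] = (first, ts, size, n + 1)
            elif size != baseline:                  # a new odd-size window opens
                windows.append((ts, ts, size, 1))
            prev = size
        if windows:
            report[path] = windows
    return report

if __name__ == "__main__":
    print(size_anomalies(SAMPLE_LOG))
```

On real logs, responses compressed on the fly can differ in size between clients, so compare like with like before reading a window as a modified file.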
We are still investigating how someone caused that file to be changed, but in the meantime we have migrated www/static to new clean servers. The highest priority is obviously the source code integrity and after a quick:
git fsck --no-reflog --full --strict
on all our repos plus manually checking the md5sums of the PHP distribution files we see no evidence that the PHP code has been compromised. We have a mirror of our git repos on github.com and we will manually check git commits as well and have a full post-mortem on the intrusion when we have a clearer picture of what happened.