What’s coming in PHP 5.3.22 and PHP 5.3 end-of-life
PHP 5.3.21 was just released on January 17th but it was relatively minor with only a few fixes.
PHP 5.3.22 will be branched on January 30th and released on February 14th. It contains twice as many fixes, and they look a bit more serious.
It should also be noted that PHP 5.2.23 in March 2013 will most likely be the FINAL release of PHP 5.3, as it goes into end-of-life with the release of PHP 5.5. This means that 5.3 will only receive security-related bug fixes for one more year and then it’s over.
The really bad thing about this is that suhosin does not exist for the current PHP 5.4 and likely never will. To a lesser extent, magic-quotes no longer exists in PHP 5.4, and while it’s the subject of some mockery because of the mess it creates, it does make life a little harder for attackers.
On the plus side, PHP 5.4 is measurably faster (10-20%) than PHP 5.3 and uses half the memory in many cases. The often-used silence operator (@) in PHP 5.3 has much better performance in PHP 5.4.
The biggest problem most people will face changing from 5.3 to 5.4 is relatively trivial – you will receive many more warnings and deprecation notices, but you can solve that for the short term by changing the error_reporting setting in php.ini to:
error_reporting = E_ALL & ~E_NOTICE & ~E_DEPRECATED & ~E_STRICT
Just don’t ignore them forever, because those things will certainly break under 5.5.
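An added example (not from the original post): one way to keep the suppressed messages from being forgotten is to run a staging copy with error_reporting = E_ALL and log_errors on, then tally the log by message and location. It assumes PHP's default error_log line format; the sample lines, paths and the priority order are constructed for illustration.

```python
import re
from collections import Counter

# Constructed sample lines in PHP's default error_log format (not from a real system).
SAMPLE_LOG = """\
[17-Jan-2013 10:00:01 UTC] PHP Deprecated:  Function split() is deprecated in /var/www/app/lib/util.php on line 42
[17-Jan-2013 10:00:01 UTC] PHP Notice:  Undefined index: page in /var/www/app/index.php on line 10
[17-Jan-2013 10:00:05 UTC] PHP Deprecated:  Function split() is deprecated in /var/www/app/lib/util.php on line 42
[17-Jan-2013 10:00:07 UTC] PHP Strict Standards:  Non-static method Util::run() should not be called statically in /var/www/app/index.php on line 15
[17-Jan-2013 10:00:09 UTC] PHP Fatal error:  Call to undefined function foo() in /var/www/app/index.php on line 20
[17-Jan-2013 10:00:11 UTC] PHP Deprecated:  Function ereg() is deprecated in /var/www/app/lib/form.php on line 7
"""

# Only the three classes the php.ini line above masks out are collected.
LINE_RE = re.compile(
    r"^\[[^\]]+\] PHP (?P<level>Deprecated|Strict Standards|Notice):\s+"
    r"(?P<msg>.*) in (?P<file>.+) on line (?P<line>\d+)$"
)

# Assumed priority: deprecations first, since those are the ones that stop working.
LEVEL_ORDER = {"Deprecated": 0, "Strict Standards": 1, "Notice": 2}


def tally(log_text):
    """Count each distinct (level, message, file, line) seen in the log."""
    counts = Counter()
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            counts[(m["level"], m["msg"], m["file"], int(m["line"]))] += 1
    return counts


def report(counts):
    """Return report lines ordered by level priority, then by frequency."""
    rows = sorted(
        counts.items(),
        key=lambda kv: (LEVEL_ORDER[kv[0][0]], -kv[1], kv[0][2], kv[0][3]),
    )
    return [f"{n:>5}  {lvl}: {msg} ({path}:{line})" for (lvl, msg, path, line), n in rows]


if __name__ == "__main__":
    print("\n".join(report(tally(SAMPLE_LOG))))
```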
- Zend Engine:
  . Fixed bug #63899 (Use after scope error in zend_compile). (Laruence)
  . Fixed bug #63762 (Sigsegv when Exception::$trace is changed by user). (Johannes)
  . Fixed bug #63462 (Magic methods called twice for unset protected properties). (Stas)
- Core:
  . Fixed bug #63943 (Bad warning text from strpos() on empty needle). (Laruence)
- cURL extension:
  . Fixed bug (segfault due to libcurl connection caching). (Pierrick)
  . Fixed bug #63795 (CURL >= 7.28.0 no longer support value 1 for CURLOPT_SSL_VERIFYHOST). (Pierrick)
  . Fixed bug #63352 (Can't enable hostname validation when using curl stream wrappers). (Pierrick)
  . Fixed bug #55438 (Curlwapper is not sending http header randomly). (firstname.lastname@example.org, Pierrick)
- Date:
  . Fixed bug #55397 (comparsion of incomplete DateTime causes SIGSEGV). (Laruence, Derick)
- FPM:
  . Fixed bug #63999 (php with fpm fails to build on Solaris 10 or 11). (Adam)