A day after warning users about a serious bug in the cryptographic function in PHP 5.3.7 and telling them not to upgrade to that release, the maintainers of the scripting language pushed out version 5.3.8, which fixes the crypto problem as well as another security-related issue.
PHP 5.3.7, which was released by The PHP Group on Aug. 18, contained a serious error in the way that it handled certain inputs to the crypt() function. When it was supplied with an MD5 salt, the function would return only the salt value rather than the salted hash value as it should have. As a result, the group warned users on Monday not to upgrade to 5.3.7 and to wait until the bug could be fixed.
“If crypt() is executed with MD5 salts, the return value consists of the salt only. DES and BLOWFISH salts work as expected. I tested with php from openSUSE PHP5 repository,” the bug report said. Other PHP users were able to reproduce the problem later on other platforms, as well.
On Tuesday the group released a new version of the language, PHP 5.3.8, which fixes the crypt() problem and also rolls back a function introduced in 5.3.7 that was causing some SSL sessions to hang. The PHP Group recommended that all users upgrade to 5.3.8 as soon as possible, as the older 5.2 chain is no longer supported.
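The crypt() regression described above can be detected on a given installation with a short self-check. This is an added example, not code from the article or from The PHP Group; the function names, the salt and the sample passwords are constructed for illustration, and the script avoids newer syntax so that it also runs on the 5.3 series.

```php
<?php
// Added example: self-check for the crypt() MD5-salt regression.
// Salt and passwords below are constructed sample values.

// Classify a crypt() result that was produced with an MD5 ($1$) salt.
// (Hypothetical helper name, not part of PHP.)
function classify_md5_crypt($result)
{
    // A well-formed MD5-crypt string is "$1$", up to 8 salt characters,
    // "$", then 22 characters of encoded hash.
    if (preg_match('#^\$1\$[./0-9A-Za-z]{1,8}\$[./0-9A-Za-z]{22}$#', $result)) {
        return 'ok';
    }
    // The symptom from the bug report: the salt comes back with no hash part.
    if (preg_match('#^\$1\$[./0-9A-Za-z]{0,8}\$?$#', $result)) {
        return 'salt-only';
    }
    return 'unexpected';
}

// Run crypt() twice with the same salt and different passwords.
// (Hypothetical helper name, not part of PHP.)
function crypt_md5_self_test()
{
    $salt = '$1$examples$'; // constructed 8-character MD5 salt
    $a = crypt('first-sample-password', $salt);
    $b = crypt('second-sample-password', $salt);

    $status = classify_md5_crypt($a);
    if ($status === 'ok' && $a === $b) {
        // Well-formed output that ignores the password is still broken.
        $status = 'password-independent';
    }
    return $status;
}

$status = crypt_md5_self_test();
echo PHP_VERSION, ': crypt() with an MD5 salt is ', $status, "\n";
exit($status === 'ok' ? 0 : 1);
```

The non-zero exit status on anything other than `ok` lets the script act as a gate in a deployment or upgrade check.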