Many developers are quick to upgrade to the latest PHP releases in order to take advantage of the latest functionality, or protect themselves and their users from potential security issues. The folks who create the PHP scripting language this week, however, are urging PHP users to avoid updating to last week’s release, due to a serious but that affects cryptographic functions.
The release with the problem, version 5.3.7, contains a flaw that deals with the crypt() function that is utilized for cryptographically hashing a text string. If a developer uses the command along with the MD5 algorithm and what is called salt characters (which are typically used to aid in randomizing the resulting hash value) PHP responds by returning the salt, but not the salted hash.
Although they were aware of the issue, they released the update anyway because it fixed several other security issues. That said, they still informed users about the problem, and asked them to hold off, stating that “Due to unfortunate issues with 5.3.7 users should wait with upgrading until 5.3.8 will be released (expected in few days)”.
Read the original article here.