Be careful Upgrading PHP!

The PHP development team is advising users to avoid updating to version 5.3.7, released last week, after a serious bug was found in one of the cryptographic functions.

The issue effects the crypt function, used to encrypt and decrypt a text string – specifically when it is used in conjunction with the MD5 algorithm. Normally you would pass a string to crypt (a password, for example) and allow it to automatically generate a 12-bit salt (to help randomise the result). It would then output a hashed string – the encrypted password – if we use our previous example. The bug causes crypt to just output the salt, rather than the hashed string. It does not appear to effect the DES and Blowfish algorithms.

Users are advised to skip this update in favour of the 5.3.8 release, which was released on 23rd August.

The release notice can be found at:

The full bug report is posted at:

This entry was posted in Managed Hosting. Bookmark the permalink.

Comments are closed.