If you write your own PHP scripts that allow file uploads, we’ve discovered an unusual issue that might affect you. The “permissions” PHP gives to newly uploaded files aren’t always the same — and a recent change to our servers may have altered the permissions your script sees.
We’ve installed several security updates recently. We’ve updated PHP 4, PHP 5, the ClamAV antivirus scanner, and some XFree86 libraries. In addition, we’ve updated our own blog to use WordPress 2.2 — if you use WordPress, make sure you’ve done the same.
We’ve updated PHP 5 on our servers to cover sixteen recently identified security issues. This only affects customers who have chosen to use PHP 5 — but since this upgrade only fixes security bugs, even those customers shouldn’t notice any changes.
We’ve updated PHP 4 on our servers to cover six recently identified security issues. Users shouldn’t notice any changes.
An upgrade for PHP 5 is also in progress. After testing, we actually rolled out the update onto our servers for a short time, until a customer reported an unusual problem with vBulletin posts getting cut off when they contain an odd number of apostrophes shortly afterward. This problem appears to be related to the update, so we have rolled back to the previous version of PHP 5 while we investigate this. (This kind of thing is very rare: this is the first security update in over year that has caused a problem. We have a suite of “regression tests” that we use to test PHP upgrades, and there wasn’t a general problem with it. We’ll follow up with more details when we know more.)
By the way, if you’re unfamiliar with what we mean by a “security update”, this page will help.
