5.2.142010-07-22stableThe PHP development team would like to announce the immediate availability of PHP 5.2.14. This release focuses on improving the stability of the PHP 5.2.x branch with over 60 bug fixes, some of which are security related.
**Security Enhancements and Fixes in PHP 5.2.14:**
- Rewrote var_export() to use smart_str rather than output buffering, prevents data disclosure if a fatal error occurs.
- Fixed a possible interruption array leak in strrchr().(CVE-2010-2484)
- Fixed a possible interruption array leak in strchr(), strstr(), substr(), chunk_split(), strtok(), addcslashes(), str_repeat(), trim().
- Fixed a possible memory corruption in substr_replace().
- Fixed SplObjectStorage unserialization problems (CVE-2010-2225).
- Fixed a possible stack exaustion inside fnmatch().
- Fixed a NULL pointer dereference when processing invalid XML-RPC requests (Fixes CVE-2010-0397, bug #51288).
- Fixed handling of session variable serialization on certain prefix characters.
- Fixed a possible arbitrary memory access inside sqlite extension. Reported by Mateusz Kocielski.
**Key enhancements in PHP 5.2.14 include:**
- Upgraded bundled PCRE to version 8.02.
- Updated timezone database to version 2010.5.
- Fixed bug #52238 (Crash when an Exception occured in iterator_to_array).
- Fixed bug #52237 (Crash when passing the reference of the property of a non-object).
- Fixed bug #52041 (Memory leak when writing on uninitialized variable returned from function).
- Fixed bug #51822 (Segfault with strange __destruct() for static class variables).
- Fixed bug #51552 (debug_backtrace() causes segmentation fault and/or memory issues).
- Fixed bug #49267 (Linking fails for iconv on MacOS: "Undefined symbols: _libiconv").
To prepare for upgrading to PHP 5.3, now that PHP 5.2's support ended, a migration guide available on [http://php.net/migration53](/migration53), details the changes between PHP 5.2 and PHP 5.3.
For a full list of changes in PHP 5.2.14 see the ChangeLog at .