
PHP.net:
New Supported Versions Timeline Page
October 29, 2014 @ 11:18:40

The PHP.net website has introduced a new feature to make it clearer which versions of PHP are supported and which have reached end of life. The new Supported Versions page on the main site lists the currently supported versions and shows graphical timelines of past (and future) support milestones.

Each release branch of PHP is fully supported for two years from its initial stable release. During this period, bugs and security issues that have been reported are fixed and are released in regular point releases. After this two year period of active support, each branch is then supported for an additional year for critical security issues only. Releases during this period are made on an as-needed basis: there may be multiple point releases, or none, depending on the number of reports.

The page lists when the first release in each series was made (5.4.x, 5.5.x, and so on), when active support ended or will end, and how long security-fix support continues after that. As of this post, 5.3.x is the only listed series that has reached end of life, but 5.4.x is close behind: it is already in security-fix-only mode and reaches end of life in about ten months.

version support timeline page phpnet release bugfix security

Link: http://php.net/supported-versions.php

Fabien Potencier:
The PHP Security Advisories Database
October 27, 2014 @ 11:54:48

Fabien Potencier has made an official announcement about a move to make the PHP Security Advisories Database the Symfony project started over a year ago more widely adopted, pulling it out from under the Symfony namespace and into the FriendsOfPHP organization.

A year and a half ago, I was very proud to announce a new initiative to create a database of known security vulnerabilities for projects using Composer. It has been a great success so far; many people extended the database with their own advisories. As of today, we have vulnerabilities for Doctrine, DomPdf, Laravel, SabreDav, Swiftmailer, Twig, Yii, Zend Framework, and of course Symfony (we also have entries for some Symfony bundles like UserBundle, RestBundle, and JsTranslationBundle.)

[...] Today, I've decided to go one step further and to clarify my intent with this database: I don't want the database to be controlled by me or SensioLabs, I want to help people find libraries they must upgrade now. That's the reason why I've added a LICENSE for the database, which is now in the public domain.

The database has already been moved over to the FriendsOfPHP organization and still works with the SensioLabs security checker. You can find more on the database and its contents in the GitHub project.
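As an added illustration (not code from the announcement or from the database project), here is a minimal version of the check the SensioLabs security checker performs: the packages pinned in a composer.lock are matched against advisories written in the database's layout (one YAML file per advisory under the package's directory, with title, link, cve, branches, time, versions and reference fields). The advisory and the composer.lock excerpt below are constructed for the example, name a hypothetical package and describe no real vulnerability; the constraint syntax is assumed to be the simple ">=" / "<" pairs the database uses, and the YAML is written directly as a PHP array so the example needs no YAML extension.

```php
<?php
// Added example: match composer.lock packages against advisories in the
// FriendsOfPHP/security-advisories layout. Not code from the database project.

// Constructed advisory (hypothetical package, no real vulnerability), in the
// shape of one advisory YAML file, already parsed into an array.
$advisories = [
    'acme/mailer' => [
        [
            'title'     => 'Example: header injection in Mailer (constructed)',
            'link'      => 'https://example.com/advisory/ACME-0001',
            'cve'       => null,   // the database uses ~ (null) when no CVE exists
            'branches'  => [
                '1.x' => ['time' => '2014-10-01 00:00:00', 'versions' => ['>=1.0.0', '<1.4.2']],
                '2.x' => ['time' => '2014-10-01 00:00:00', 'versions' => ['>=2.0.0', '<2.0.5']],
            ],
            'reference' => 'composer://acme/mailer',
        ],
    ],
];

// Constructed composer.lock excerpt: only the fields the check needs.
$lockJson = <<<'JSON'
{
  "packages": [
    {"name": "acme/mailer",        "version": "v1.3.0"},
    {"name": "acme/mailer-bridge", "version": "1.3.0"},
    {"name": "monolog/monolog",    "version": "1.11.0"}
  ],
  "packages-dev": [
    {"name": "acme/mailer", "version": "2.0.5"}
  ]
}
JSON;

/** Strip Composer's "v" prefix so version_compare() sees plain numbers. */
function normalizeVersion(string $v): string
{
    return ltrim($v, 'vV');
}

/** True if $version satisfies every constraint, e.g. ['>=1.0.0', '<1.4.2']. */
function satisfiesAll(string $version, array $constraints): bool
{
    foreach ($constraints as $c) {
        if (!preg_match('/^(>=|<=|>|<|==|!=)\s*(.+)$/', trim($c), $m)) {
            throw new InvalidArgumentException("Unsupported constraint: $c");
        }
        if (!version_compare(normalizeVersion($version), normalizeVersion($m[2]), $m[1])) {
            return false;
        }
    }
    return true;
}

/** Return [package => [messages]] for every installed package hit by an advisory. */
function findVulnerable(string $lockJson, array $advisories): array
{
    $lock = json_decode($lockJson, true);
    if (!is_array($lock)) {
        throw new RuntimeException('composer.lock is not valid JSON');
    }
    $hits = [];
    foreach (['packages', 'packages-dev'] as $section) {
        foreach ($lock[$section] ?? [] as $pkg) {
            $name = $pkg['name'];
            foreach ($advisories[$name] ?? [] as $adv) {
                foreach ($adv['branches'] as $branch) {
                    if (satisfiesAll($pkg['version'], $branch['versions'])) {
                        $hits[$name][] = $adv['title'] . ' (installed ' . $pkg['version'] . ', see ' . $adv['link'] . ')';
                        break; // one matching branch per advisory is enough
                    }
                }
            }
        }
    }
    return $hits;
}

// v1.3.0 falls inside the 1.x range and is reported; 2.0.5 is the first fixed
// 2.x release and is not, because "<2.0.5" is exclusive.
foreach (findVulnerable($lockJson, $advisories) as $pkg => $messages) {
    foreach ($messages as $msg) {
        echo "$pkg: $msg\n";
    }
}
```

The exact package name is the key: "acme/mailer-bridge" is not matched by an advisory for "acme/mailer", and packages-dev is checked too, since a vulnerable dev dependency still runs on developer machines and CI.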

security advisories database public domain friendsofphp

Link: http://fabien.potencier.org/article/74/the-php-security-advisories-database

NetTuts.com:
Securing Your Server Login
October 22, 2014 @ 10:43:27

While PHP developers usually pay more attention to the code side of things, it's good to know something about managing the servers their applications live on too. In this recent tutorial, NetTuts.com introduces some of the basic things you can do to secure your server against attack, specifically around logins.

Thanks to the growing abundance of useful self-hosted apps such as WordPress and the affordable growth of cloud hosting providers, running your own server is becoming increasingly compelling to a broader audience. But securing these servers properly requires a fairly broad knowledge of Linux system administration; this task is not always suitable for newbies.

They provide a list of seven things to look at (not a comprehensive list, but a good one nonetheless) to protect your system logins:

  • Update Your System Components
  • Change Your SSH Port From the Default
  • Activate a Firewall
  • Change Your Root Login Name
  • Activate Google Two-Factor Authentication
  • Switch to Using SSH Keys for Login
  • Manage Your Application Security

Each item includes a summary of the "why" and commands or links to other resources with more information.

server login security top7 list tips hosting

Link: http://code.tutsplus.com/tutorials/securing-your-server-login--cms-22001

Joshua Thijssen:
Deepdive into the symfony2 security component part 1
October 20, 2014 @ 10:26:33

In the latest post on his site, Joshua Thijssen kicks off a series taking a deep dive into the Symfony security component, a key piece of the security of any Symfony-based application. In this first part he introduces the component and starts in on some of the features it offers.

Once in a while I like diving into code and see how things work under the hood. And as the symfony2 framework consists of many different components, bundles and bridges, there is a lot to discover. But ultimately, the code itself mostly isn't really as complex as it might seem from the outside world: just like a good magic trick, once unraveled, it all seems very simple and makes sense.

However, this is not true for one of those components: the security component. This black box full of dark magic doesn't like to give up its secrets, and after some (miserably) failed attempts, I am trying to unravel it once more in a few blog posts. Either we achieve complete victory, or fail yet again.. At this point, I will give both fair odds.

He starts with an overview of the component, pointing out the two main things it handles: authentication and authorization. He also pulls in a few other security-related pieces of Symfony to give a more complete picture: the component itself, the SecurityBundle and the security bridges. He goes into more detail on the bridges and describes what they are for.

symfony security bundle component overview deepdive series part1

Link: https://www.adayinthelifeof.nl/2014/10/19/deepdive-into-the-symfony2-security-component-part-1/

PHP.net:
PHP 5.4.34 & 5.6.2 Released
October 17, 2014 @ 10:14:07

On the main PHP.net site an announcement has been posted about the release of the two latest versions in the PHP 5.4.x and 5.6.x series: PHP 5.4.34 and 5.6.2.

These releases fix several bugs, among them the security issues tracked as CVE-2014-3668, CVE-2014-3669 and CVE-2014-3670. The 5.4.34 release also corrects a regression in the OpenSSL extension.

As both of these contain security-related fixes, it's strongly recommended that you upgrade as soon as possible. As always, you can find the latest downloads on the main downloads page or windows.php.net for the Windows users. The full list of changes in each of the versions can be found in the Changelog.

language release bugfix security update openssl

Link: http://php.net/archive/2014.php#id2014-10-16-3

Joshua Thijssen:
Symfony2 logging out
October 10, 2014 @ 10:51:03

In this new post to his site Joshua Thijssen talks about something that's usually considered a common task and might be overlooked when it comes to security: logging out (specifically in Symfony-based applications).

One of the "golden rules" of symfony2 is to never hardcode urls or paths inside your code or templates. And letting symfony deal with the generation of your urls and paths makes your life a lot easier as a developer. But one of the things I see regularly is that people are still hardcoding their logout urls like using "/logout". But logging out is actually a bit more complex than it might seem, and using a simple /logout might work for most cases, but there are better ways to deal with this.

To give some context, he starts with an overview of the Security component of the Symfony framework: how it is configured with separate "secure" areas (firewalls) and how each one handles user authentication. He includes an example YAML configuration with three firewalls, "dev", "superadminstuff" and "main", explains what each one configures and how it reacts when a user visits a matching URL, and covers what "logout: true" enables and which defaults come with it. His recommendation: instead of a hard-coded "/logout" link, use the "logout_url" and "logout_path" functions to generate it, so the link stays consistent across the application and follows the configuration whenever the path changes.
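As an added example (not the configuration from the post), here is a Symfony 2.x app/config/security.yml in the shape he describes, with the logout block written out explicitly so the defaults that a bare "logout: true" would pick are visible. The URL patterns and the choice of HTTP basic auth for the superadmin area are assumptions for illustration.

```yaml
# Added example, not the post's own configuration. Symfony 2.x security.yml.
security:
    firewalls:
        # Assumed pattern: profiler, debug toolbar and static assets need no security at all.
        dev:
            pattern:  ^/(_(profiler|wdt)|css|images|js)/
            security: false

        # Assumed: a separate area with its own authentication mechanism.
        superadminstuff:
            pattern:    ^/superadmin
            http_basic: ~

        # Everything else. Order matters: the first firewall whose pattern matches wins.
        main:
            pattern:   ^/
            anonymous: ~
            form_login:
                login_path: login
                check_path: login_check
            # Equivalent to "logout: true", spelled out. Change "path" here and every
            # logout_path('main') / logout_url('main') call picks the new value up.
            logout:
                path:               /logout
                target:             /
                invalidate_session: true
```

In a Twig template the link becomes `<a href="{{ logout_path('main') }}">Log out</a>`; the argument is the firewall key, so the helper reads that firewall's configured path and the template never repeats it. A hard-coded "/logout" also silently breaks if you later enable CSRF protection for logout (the csrf_token_generator option under logout), because the generated URL then has to carry the token parameter and the helper adds it for you.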

symfony logout security user login component link

Link: https://www.adayinthelifeof.nl/2014/10/06/symfony2-logging-out/

Matthew Weier O'Phinney:
Deployment with Zend Server (Part 4 of 8)
September 05, 2014 @ 09:22:38

Matthew Weier O'Phinney has posted the latest tip in his Zend Server deployment series. Part 4 covers securing the scripts that run your Job Queue jobs (cron-like tasks, but dispatched through Zend Server).

This is the fourth in a series of eight posts detailing tips on deploying to Zend Server. The previous post in the series detailed a trick I learned about when to execute a chmod statement during deployment. Today, I'm sharing a tip about securing your Job Queue job scripts.

He explains the security concern with job scripts: they are ordinary PHP files served by the web server, so anyone who works out their URL can trigger them directly. His fix is a few lines at the top of each script: check that it is running as a queued job (via getCurrentJobId) and return a "403 Forbidden" response otherwise.
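As an added example (my own code, not the snippet from Matthew's post), this is the guard written as a reusable function, with the job body below it standing in for whatever the script really does. ZendJobQueue::getCurrentJobId() and ZendJobQueue::setCurrentJobStatus() are Zend Server's Job Queue API; the report-writing task is an assumed placeholder.

```php
<?php
// Added example, not the post's own code: a guard at the top of a Zend Server
// Job Queue script so that it only runs when dispatched by the queue, never
// when someone opens its URL in a browser.

/**
 * True when the script is executing as a Job Queue job.
 * ZendJobQueue::getCurrentJobId() (Zend Server API) returns the job ID inside a
 * job and a falsy value otherwise. If the class is missing altogether (plain
 * PHP-FPM, a developer's laptop), treat that as "not a job" as well.
 */
function runningAsQueuedJob(): bool
{
    if (!class_exists('ZendJobQueue', false)) {
        return false;
    }
    return (bool) ZendJobQueue::getCurrentJobId();
}

/**
 * Stop the request unless it came through the queue. Answers like any other
 * forbidden page so the script's existence leaks nothing about the job.
 */
function requireJobContext(): void
{
    if (runningAsQueuedJob()) {
        return;
    }
    http_response_code(403);
    header('Content-Type: text/plain');
    echo "Forbidden\n";
    exit(1);
}

requireJobContext();

// --- real job work below this line; only reached inside the queue ---
// Assumed placeholder task: write a dated report into the temp directory.
$report = sprintf('report-%s.txt', date('Ymd'));
file_put_contents(sys_get_temp_dir() . '/' . $report, 'generated at ' . date('c') . "\n");

// Report success back to the queue (Zend Server API) so the job is not retried.
ZendJobQueue::setCurrentJobStatus(ZendJobQueue::OK);
```

The check belongs before any output or side effect, including autoloader bootstrapping that might itself do work. It is also worth pairing it with a web-server rule that allows the job script URLs only from the Zend Server host, so a future refactor that forgets the guard still does not expose the scripts.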

zendserver deployment tips series part4 security jobid

Link: https://mwop.net/blog/2014-09-04-zend-server-deployment-part-4.html

PHP.net:
PHP 5.4.32 Released
August 22, 2014 @ 12:48:52

The PHP development team has officially announced the release of the latest version in the PHP 5.4.x series that fixes several security issues: PHP 5.4.32.

The PHP development team announces the immediate availability of PHP 5.4.32. 16 bugs were fixed in this release, including the following security-related issues: CVE-2014-2497, CVE-2014-3538, CVE-2014-3587, CVE-2014-3597, CVE-2014-4670, CVE-2014-4698, CVE-2014-5120. All PHP 5.4 users are encouraged to upgrade to this version.

You can view the full list of changes and what part of the language they affect in the changelog. To download this latest version, get the source from the downloads page, or from windows.php.net for Windows users.

release language php54 security bugfix upgrade

Link: http://php.net/index.php#id2014-08-21-1

PHP.net:
PHP 5.3.29 is available, PHP 5.3 reaching end of life
August 14, 2014 @ 08:50:12

The PHP.net site has announced the release of PHP 5.3.29, the final release of the PHP 5.3.x series, which has now reached its "end of life".

The PHP development team announces the immediate availability of PHP 5.3.29. This release marks the end of life of the PHP 5.3 series. Future releases of this series are not planned. All PHP 5.3 users are encouraged to upgrade to the current stable version of PHP 5.5 or previous stable version of PHP 5.4, which are supported till at least 2016 and 2015 respectively. PHP 5.3.29 contains about 25 potentially security related fixes backported from PHP 5.4 and 5.5.

If you're running any release in the PHP 5.3.x series, update to this final version now and plan the move to the 5.4 or 5.5 series, since 5.3 will receive no further fixes. You can get this release either from the main downloads page or, for Windows users, from the windows.php.net site. The full change log can be found here.

php53 endoflife release php5329 security fixes

Link: http://php.net/archive/2014.php#id2014-08-14-1

PHPClasses.org:
Lately in PHP Podcast #48 - To TDD or Not TDD?
June 27, 2014 @ 11:38:37

On the PHPClasses.org site today Manuel Lemos has released the latest episode in their "Lately in PHP" podcast series: Episode #48 - To TDD or Not TDD?.

Lately the debate about whether you should use TDD or not in all software projects all the time has been very intense. [...] They also talked about the upcoming end of life release of PHP 5.3, getting information about parameter type hinting with reflection, using object methods on native data types, security problems of OAuth implementations, and the built-in support of Composer to access password protected repositories.

You can listen to this latest episode either through the in-page audio player, by downloading the mp3 or you can watch the live recording over on the PHPClasses YouTube playlist. A transcription of the recording is also provided as well as links to some of the topics mentioned.

phpclasses latelyinphp ep48 podcast tdd typehint oauth security composer

Link: http://www.phpclasses.org/blog/post/239-To-TDD-or-Not-TDD--Lately-in-PHP-podcast-episode-48.html



All content copyright, 2014 PHPDeveloper.org :: info@phpdeveloper.org - Powered by the Solar PHP Framework