Stefan Esser's Blog:
Suhosin Updates - Improved Randomness & LAZY Symbol Loading
August 25, 2008 @ 12:06:01

Stefan Esser has released a new update to his Suhosin patch for PHP (really two updates, the latest of which is version 0.9.27).

The previous update (0.9.26) improved the patch's randomness, fixed a few issues with an ini setting and the uploadprogress extension, added a few new settings, and updated the randomizing functions that come included with PHP.

The 0.9.27 update (the most current) changes how the patch handles lazy symbol loading so that it works correctly on systems where lazy loading is disabled by default (which caused the previous patch to fail).

You can grab this latest release, 0.9.27, from the suhosin website.

lazy loading improve random suhosin ini patch



PHPFreaks.com:
Hardening PHP with Suhosin
May 28, 2008 @ 08:47:22

PHPFreaks.com has a new tutorial posted that looks to help you protect your application with an even greater level of security by using the Suhosin patch.

Suhosin is a great and simple way of increasing your security without having a large impact on overall performance. In this tutorial I will cover the installation and configuration of Suhosin on both Debian Etch and CentOS 5. I may cover mod_security in a later tutorial.

They use apt-get (and the equivalent for CentOS) to pull in the packages needed for the patch, with examples for two different distributions: Debian (Etch) and CentOS. They also show how to set up some basic configuration to get the patch installed and working with your PHP installation.

harden patch suhosin install tutorial debian centos


Stefan Esser's Blog:
Suhosin 0.9.21 - XSS Protection
November 30, 2007 @ 11:17:00

Stefan Esser has posted about the release of the latest version of the Suhosin security patch for PHP - version 0.9.21.

It has been a very long time since the last Suhosin extension has been released, but today this has changed with the release of Suhosin 0.9.21. Among the changes are two new features that will protect applications that put too much trust into the SERVER variables from several XSS (and SQL injection) attacks. These features are suhosin.server.strip and suhosin.server.encode.

He details these two features and gives examples of what they protect against. You can find out more about the Suhosin patch on its website.

xss protection suhosin server strip encode


HowTo Forge:
How To Harden PHP5 With Suhosin On Fedora 7
July 27, 2007 @ 08:49:00

The HowTo Forge site has a new tutorial posted today for Fedora 7 users looking to keep their PHP installations a bit safer by installing the Suhosin patch from the Hardened-PHP Project.

I will install both Suhosin parts in this tutorial, the Suhosin patch (for which we need to recompile PHP5) and the Suhosin PHP extension. To see what Suhosin can do, please refer to http://www.hardened-php.net/suhosin/a_feature_list.html. The features of the Suhosin patch are listed under Engine Protection (only with patch); all the other features come with the Suhosin extension.

It's (technically) a three-step process, but there are lots of smaller steps under each one. There are also some screenshots of a phpinfo() page to show the results of each of the steps.

php5 harden suhosin patch fedora install tutorial


Stefan Esser's Blog:
Suhosin 0.9.20 and crypt() Thread Safety Vulnerability
May 22, 2007 @ 08:34:00

Stefan Esser points out the latest release of his PHP security enhancement patch, Suhosin 0.9.20, and the features it adds, one major one in particular.

The most important addition is that a mutex is placed around the call to the system's crypt() function to ensure thread safety. This mutex is necessary to close a bunch of possible attacks on the libc crypt() function on multi threaded systems.

He goes on to explain why it's so important: it corrects a possible race condition between competing threads calling the crypt() function at the same time. Because they use the same shared memory space, the calls can return invalid data. The patch changes this behavior and replaces the call with a blowfish implementation to make things more thread-safe.

suhosin patch security crypt threadsafe vulnerability


HowTo Forge:
How To Harden PHP5 With Suhosin (Debian Etch/Ubuntu)
April 04, 2007 @ 11:36:00

On the HowTo Forge website, there's a new tutorial all set to walk you through hardening your PHP5 setup on Debian Etch/Ubuntu with the help of the Suhosin patch.

This tutorial shows how to harden PHP5 with Suhosin on Debian Etch and Ubuntu servers. [...] This document comes without warranty of any kind! I want to say that this is not the only way of setting up such a system. There are many ways of achieving this goal but this is the way I take. I do not issue any guarantee that this will work for you!

They start with the initial install of Apache2 and PHP5 (via apt-get) to set the stage. Building on that is simple: another apt-get call to pull in the PHP binaries, a wget to grab the latest Suhosin patch, and you're just a few dpkg-buildpackage commands away from a working setup. Check out the project's configuration page for more details on tweaking the setup.

harden php5 installation suhosin patch aptget apache2


Stefan Esser's Blog:
Suhosin Extension 0.9.17 released
March 05, 2007 @ 12:57:00

Stefan Esser has released the latest version of his Suhosin security extension for PHP:

Yesterday I released Suhosin 0.9.17 in response to a bug report by Ilia Alshanetsky and some crash problems with PHP 4 that were reported during the last weeks.

The issue dealt with a method to "bypass the hard_memory_limit of Suhosin due to a bug in PHP" that could result in memory consumption up into the gigabyte range for a single script. The patch takes care of the issue by no longer allowing negative memory_limit settings, which prevents the problem from happening.

suhosin extension release memorylimit bug crash problem negative


Clay Loveless' Blog:
Monitor PHP Extension Releases with Y! Pipes
February 13, 2007 @ 09:49:00

Since the recent release of a new tool from Yahoo!, Yahoo! Pipes, developers have been working with it and creating their own "pipes" of functionality, already exploring the boundaries of the application. Clay Loveless is one PHP developer who has already created his own pipe to monitor release feeds from several PHP extensions.

The first pipe I've created and published is the PHP Extension Monitor. It's an aggregated feed that pulls in release information on several cool extensions that aren't announced in the PECL feed, such as Suhosin, XCache and DBXML.

Check out his pipe, or go create your own by logging in with a Yahoo! ID.

pipes yahoo extension monitor release suhosin xcache dbxml


SecurityFocus.com:
PHP Security From The Inside (Interview with Stefan Esser)
February 07, 2007 @ 11:36:00

Over on the SecurityFocus website, there's an interview posted with Stefan Esser of the Hardened-PHP Project (as interviewed by Federico Biancuzzi).

Federico Biancuzzi discussed with him how the PHP Security Response Team works, why he resigned from it, what features he plans to add to his own hardening patch, the interaction between Apache and PHP, the upcoming "Month of PHP bugs" initiative, and common mistakes in the design of well-known applications such as WordPress.

Some of the topics discussed include:

  • the Hardened-PHP Project
  • Suhosin
  • the PHP Security Response Team (his role in it and why he left)
  • PHP5's security focus versus PHP4's
  • and more...

Check out the full interview to have all of your questions answered.

stefanesser interview securityfocus security bug hardenedphp suhosin


PHP Security Blog:
The Suhosin Patch, File Uploads, and Stealth Mode
December 05, 2006 @ 10:02:00

On the PHP Security Blog, there are two new posts concerning their Suhosin patch for PHP: one talking about a remote code execution vulnerability found in the uploadprogressmeter extension (which has already been corrected) and the other dealing with the "stealth mode" of the patch, which helps find compatibility problems.

As mentioned, the issue with the uploadprogress extension has been fixed and the fix has been introduced into the PECL repository. The other post mentions what the patch does to try to keep compatibility problems from happening due to bad extensions and/or modules being loaded in an application.

More details about the Suhosin patch can be found here.

stealth mode suhosin patch fileupload pecl extension module

All content copyright, 2008 PHPDeveloper.org :: info@phpdeveloper.org - Powered by the Solar PHP Framework