http://www.php.net/ChangeLog-5.php#5.1.2
We know that these new versions of PHP have been released and are working on getting them into portage. Thank you for your patience.
When will 5.1.2 probably arrive in portage? I just want to avoid that it happens to appear a few minutes after I try to modify (rename + trial & error) the 5.1.1 ebuild myself. :-/
An ebuild for PHP 5.1.2 is already available in the PHP Overlay (http://svn.gnqs.org/projects/gentoo-php-overlay/).
Upstream bug to see re PHP5.1.2 potentially breaking existing code: http://bugs.php.net/bug.php?id=35995

Code in the following form
===
function test(&$text) {
    $text = "Prefix " . $text;
}
test($x="A");
echo $x;
===
Note the assignment in the function call. Pre-5.1.2 code of this form worked.
But it's quite necessary to get this version quickly into portage because of the hardened fix for header()-splitting attacks.

Example: In former versions it was possible to do something like this:

<?php header("Foobar: barfoo \nBazfoo: foobaz"); ?>

Some projects are using code like

<?php header("Location: http://example.com/{$_GET['location']}"); ?>

This could be attacked by specially crafted URLs like http://example.com/test.php?location="index.php\n\n<script>alert('test');</script>"

Hardened PHP strips out newlines to prevent attacks like this.
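
An application-side check for the Location pattern in the comment above, as an added example that is not part of the original thread or of PHP itself. The helper names `is_single_header_value()` and `build_redirect()`, the allowlist, and the sample inputs are assumptions made for illustration; the type declarations need PHP 7.1 or later.

```php
<?php
// Added example: validate request data before it reaches header().
// Helper names and the allowlist below are hypothetical.

/** True only if $value cannot start a new header line (no CR, LF or NUL). */
function is_single_header_value(string $value): bool
{
    return preg_match('/[\r\n\x00]/', $value) !== 1;
}

/**
 * Build the Location header line for a same-site redirect.
 * Returns null when the target is rejected, so the caller can
 * fall back to a fixed default page instead of echoing user input.
 */
function build_redirect(string $target, array $allowed,
                        string $base = 'http://example.com/'): ?string
{
    if (!is_single_header_value($target)) {
        return null;                      // header-splitting attempt
    }
    if (!in_array($target, $allowed, true)) {
        return null;                      // not a page we redirect to
    }
    return 'Location: ' . $base . $target;
}

// Constructed sample inputs, standing in for $_GET['location'].
$samples = [
    'index.php',
    "index.php\n\n<script>alert('test');</script>",
    "index.php\r\nBazfoo: foobaz",
    'unknown.php',
];
$allowed = ['index.php', 'news.php'];

foreach ($samples as $sample) {
    $line = build_redirect($sample, $allowed);
    // In a real script: header($line ?? 'Location: http://example.com/index.php');
    printf("%-6s %s\n", $line === null ? 'REJECT' : 'SEND', json_encode($sample));
}
```

Only the first sample is sent; the two containing line breaks and the one outside the allowlist are rejected before header() is ever called.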
Now, PHP 5.1.2 will get into Portage soon, don't worry, and anyway that header() security fix is not, in any way I can see, critical; it was kinda like a "feature" before that you could send more headers, now it's seen as a security issue and changed to only send one header... Wrt the BC break, as I can see in the bug there, upstream has no intention of fixing it, as how it "breaks" now is correct following language specifications, so we'll not change 5.1.2 around for this. We may keep 5.1.1 and 4.4.1 for a week more in dev-lang/php to give users time to fix their code if it really breaks that often, but I then plan on removing 5.1.1 soon and using 5.1.2 as candidate for stabling in the 5.1 series, 5.0.5 for the 5.0 series and 4.3.11 and 4.4.1 for the 4.X series; 4.4.2 will be stabled at a later point within the normal 30 days timeframe.
I'm using the ebuild from the overlay on http://schokokeks.org. There is a lot of commonly used software like WordPress, MediaWiki, Mantis, Serendipity, Gallery, etc. and nothing breaks. So I think you can update without any fear. And yes you're right, in the past, the header-thingy has been issued as a feature but: bad enough.
Update: ebuilds for both 5.1.2 and 4.4.2 are available now at the PHP Overlay [1], they still need some very minor work and will then officially enter Portage during the next week. Best regards, CHTEKK. [1] http://svn.gnqs.org/projects/gentoo-php-overlay/
dev-lang/php-4.4.2 and dev-lang/php-5.1.2 were just added to the tree, emerge --sync in a couple of hours to get them. Best regards, CHTEKK.