• Fixed typo in replacement rand() / mt_rand() that was hidden by LAZY symbol loading

• Fixed problem with suhosin.perdir
  Thanks to Hosteurope for tracking this down
• Fixed problems with ext/uploadprogress
  Reported by: Christian Stocker
• Added suhosin.srand.ignore and suhosin.mt_srand.ignore (default: on)
• Modified rand()/srand() to use the Mersenne Twister algorithm with separate state
• Added better internal seeding of rand() and mt_rand()

• Fixed PHP 4 compilation problem introduced in 0.9.24
• Fixed PHP 5.3 compilation problem
• Changed PHP default POST handler to PHP's current handler

• Added support for method-calls to function handling
• This fixes white- and blacklist affecting methods with the same name

• Fixed suhosin extension now compiles with snapshots of PHP 5.3
• Fixed crypt() behaves like normal again when there is no salt supplied

• Removed LFS warning message because it crashed on several systems

• Fixed function_exists() now checks the Suhosin permissions
• Fixed crypt() salt no longer uses Blowfish by default
• Fixed .htaccess/perdir support
• Fixed compilation problem on OS/X
• Added protection against some attacks through _SERVER variables
• Added suhosin.server.strip and suhosin.server.encode
• Added error message that warns about the LFS binary incompatibility

• Added protection flags against whitespace at variable start
• Added mutex around crypt() to close the PHP crypt() thread safety vulnerability class
• Improved HTTP Response Splitting Protection
• Changed default maximum array depth to 50 for GPCR
• Fixed possible endless loop in file logging
• Fixed file locking in file logging

• Fixed typo in HTTP header protection (only during simulation mode) - Reported by: Ilia Alshanetsky
• Fixed wrong \0 termination in cookie decryptor
• Fixed possible crash in SERVER variables protection when SAPI=embedded - Fix provided by: Olivier Blin/Mandriva Linux
• Added possibility to en-/disable INI_PERDIR - Reported by: Ilia Alshanetsky
• Added PHP Warning when disabled function is called
• Added examples for new configuration option in suhosin.ini

• Fixed session double hooking in edge case
• Added additional crash protection for PHP‘s session module

• Added a suhosin.ini example configuration. Thanks to Mandriva Linux for supplying us with one
• Added new logging device: file
• Fixed that suhosin.filter.action did not affect POST limits
• Fixed behaviour of request variable limit to be an upper limit
• for the other settings instead of being additive limit
• Fixed hard_memory_limit bypass due to casting bug in PHP. Problem was found by: Ilia Alshanetsky
• Fixed some sql prefix/postfix problems
• Added experimental SQL injection heuristic

• Added suhosin.stealth which controls if suhosin loads in stealth mode when it is not the only zend_extension (Required for full compatibility with certain encoders that consider open source untrusted. e.g. ionCube, Zend)
• Activate suhosin.stealth by default
• Fixed that Suhosin tries handling functions disabled by disable_function. In v0.9.15 it was impossible to disable phpinfo() with disable_function. Problem was found by: Thorsten Schifferdecker

• Added a transparent protection for open phpinfo() pages by adding an HTML META ROBOTS tag to the output that forbids indexing and archiving

• Drop wrongly decrypted cookies instead of leaving them empty
• Fix another problem with urlencoded cookie names
• Fix compilation problem with PHP4
• Added better regression to the release process to stop compilation and missing symbol problems

• More compatible ap_php_snprintf() support for old PHP versions
• Changed phpinfo() output to put the suhosin logo into a data: URL when

Opera or a Gecko based browser is used and expose_php=off

• Adding ap_php_snprintf() when compiling against PHP 4.3.9
• Added suhosin.protectkey to remove cryptkeys from phpinfo() output
• Disabled suhosin.cookie.encrypt in default install
• Fixed static compilation against PHP 5.2.0

• Fixed input filter in simulation mode

• Fixed ZTS compile problem in new code
• Fixed PHP4 compile problem in new code

• Fixed mail() protection that failed to detect some injected headers
• Fixed cookie decryption to not potentially trash apache memory
• Fixed cookie enctyption to handle url encoded names correctly
• Added suhosin.cookie/session.checkraddr
• Added suhosin.cookie.cryptlist
• Added suhosin.cookie.plainlist
• Added suhosin_encrypt_cookie function for JS
• Added suhosin_get_raw_cookies function
• Changed dropped variable error messages

• Fixed the PHP4 compile problem in ZTS mode correctly

• Moved input handler hooking to a later place to ensure better compatibility with 3rd party extensions
• Fixed a problem with overlong mail headers in mail protection
• Fixed a problem with empty log/verification script names
• Fixed a PHP4 compile problem with old gcc/in ZTS mode
• Added mbregex.h from PHP4 to solve compile problems on systesm with broken header installations

• Added fixes for various platform compilation problems
• Disables symlink() when open_basedir is used

• Added missing logo file
• Added suhosin.apc_bug_workaround flag to work around a bug in APC 3.0.12x

• Added version number and logo to phpinfo() output
• Fixed that all uploaded files are dropped after a single one was disallowed
• Added undocumented suhosin.coredump flag to tell suhosin to dump core instead of logging S_MEMORY events
• Disable handling of rfc1867 mbstring decoding

• Added protection against directory traversal include attacks
• Added protection against endless recursion to phpscript logging
• Added possibility to disable safe_mode, open_basedir for phpscript logging

• Fixed the fileupload hook (binary data now excludes whitespace)
• Added phpscript as logdevice

• A bunch of changes to compile and work on Windows
• First stable release

• Added decryption of HTTP_COOKIE
• Fixed a last problem in suhosin_strcasestr() helper function

• Fixed a problem within suhosin_strcasestr() because it broke URL checks

• CVS version of PHP 5.2.0 was changed to support incasesensitive URLs, support for this in suhosin added
• Fixed a problem when preg_replace() was called with more than 4 parameters

• Added a little bit more realpath() hardening. However PHP's realpath() handling still needs more fixes.

• Fixed non aligned memory access in memory manager canary protection. Affects architectures like sparc or arm

• Fixed another problem with new PHP 5.2.0 memory manager

• Removed forgetten debug code in zend_alloc.c for PHP 5.2.0
• Fixed problem with zend_alloc.c in debug compiled PHP 5.2.0

• Fixed changes in PHP5 header files that caused problems with C++ extensions

• phpinfo(): be more verbose about presence of Suhosin-Patch
• Fixes the Win32 compile failure

• Changes to be compatible with Win32
• Added phpscript as logdevice