Suhosin 0.9.6 released




02. October 2006

                          _               _       
                ___ _   _| |__   ___  ___(_)_ __  
               / __| | | | '_ \ / _ \/ __| | '_ \ 
               \__ \ |_| | | | | (_) \__ \ | | | |
               |___/\__,_|_| |_|\___/|___/_|_| |_|
                                          v0.9.6                                   

                Suhosin v0.9.6 - October 2, 2006
                ================================

  Announcement
  ============
  
  The Hardened-PHP Project is proud to announce the immediate
  availability of the first stable releases of Suhosin-Patch
  and Suhosin-Extension.
  
  Suhosin is our advanced PHP protection system installations.
  It was designed to and has already proved to be successful in
  protecting servers and users from known and unknown flaws in 
  PHP applications and the PHP core.
  
  Suhosin consists of two independent parts that can be used
  separately or in combination. The first part is a small patch
  against the PHP core that implements a few low-level protections
  against buffer-overflows or format string vulnerabilities and the
  second part is a feature-rich PHP extension that implements
  a lot of security safeguards for your PHP installations.
  
  Unlike our Hardening-Patch Suhosin is binary compatible to
  normal PHP installations, which means it is compatible to 3rd
  party binary extensions like ZendOptimizer or ZendPlatform.
  
  With this first official stable release of Suhosin the 
  Hardening-Patch is declared deprecated and replaced by Suhosin.
  
  
  Availability
  ============
  
  This extension is available under the PHP License.
  
  You can get the newest version at http://www.suhosin.org
  
  Additionally Suhosin is available in the FreeBSD ports system
  and soon in the Gentoo portage. The upcoming OpenSuSE version
  most probably contains binary packages of Suhosin, too.
  
  
  Support and Documentation
  =========================
  
  The installation how-to, the documentation and the FAQ for 
  Suhosin are available on the website:
  
    http://www.suhosin.org
    
  A users support forum is available under:
  
    http://forum.hardened-php.net
  

  Featurelist
  ===========

  Engine Protection (only with patch)
  -----------------------------------
  * Protects the internal memory manager against buffer-overflows 
    with Canary and Safe-Unlink Protection
  * Protects Destructors of Zend Hashtables
  * Protects Destructors of Zend Linked-Lists
  * Protects the PHP core and extensions against 
    format string vulnerabilities
  * Protects against errors in certain libc realpath() 
    implementations

  Misc Features
  -------------
  * Protection Simulation mode
  * Adds the functions sha256() and sha256_file() to the PHP core
  * Adds support for CRYPT_BLOWFISH to crypt() on all platforms
  *	EXPERIMENTAL SQL database user protection

  Runtime Protection
  ------------------
  * Transparent Cookie Encryption
  * Protects against different (Remote-)Include Vulnerabilities
    - disallows Remote URL inclusion (optional: black-/whitelisting)
    - disallows inclusiong of uploaded files
    - optionally stops directory traversal attacks
  * Allows disabling the preg_replace() /e modifier
  * Allows disabling eval()
  * Protects against infinite recursion through a configurable
    maximum execution depth
  * Supports per Virtual Host / Directory configurable function 
    black- and whitelists
  * Supports a separated function black- and whitelist for 
    evaluated code
  * Protects against HTTP Response Splitting Vulnerabilities
  * Protects against scripts manipulating the memory_limit
  * Protects PHP's superglobals against extract() 
    and import_request_vars()
  * Adds protection against newline attacks to mail()
  * Adds protection against \0 attack on preg_replace()

  Session Protection
  ------------------
  * Transparent encryption of session data
  * Transparent session hijacking protection
  * Protection against overlong session identifiers
  * Protection against malicious chars in session identifiers
 
  Filtering Features
  ------------------
  * Filters ASCIIZ characters from user input
  * Ignores GET, POST, COOKIE variables with the following names:
    - GLOBALS, _COOKIE, _ENV, _FILES, _GET, _POST, _REQUEST
    - _SERVER, _SESSION, HTTP_COOKIE_VARS, HTTP_ENV_VARS
    - HTTP_GET_VARS, HTTP_POST_VARS, HTTP_POST_FILES
    - HTTP_RAW_POST_DATA, HTTP_SERVER_VARS, HTTP_SESSION_VARS
  * Allows enforcing limits on REQUEST variables or separated by 
    type (GET, POST, COOKIE)
  * Supports a number of variables per request limit
  * Supports a maximum length of variable names 
    [with and without indicies]
  * Supports a maximum length of array indicies
  * Supports a maximum length of variable values
  * Supports a maximum depth of arrays
  * Allows only a configurable number of uploaded files
  * Supports verification of uploaded files through an external script
  * Supports automatic banning of uploaded ELF executables
  * Supports automatic banning of uploaded binary files
  * Supports automatic stripping of binary content in uploaded files
  * Configurable action on violation
    - just block violating variables
    - send HTTP response code
    - redirect the browser
    - execute another PHP script
  
  Logging Features
  ----------------
  * Supports multiple log devices 
    (syslog, SAPI module error log, external logging script)
  * Supports freely configurable syslog facility and priority
  * Supports log device separated selection of alert types to log
  * Alerts contain filename and linenumber that triggered it
  * Alerts contain the IP address of the user triggering it
  * The IP Address can also be extracted from X-Forwarded-For 
    HTTP headers (f.e. for reverse proxy setups)


  Copyright
  =========
  
  (C) Copyright 2006 Hardened-PHP Project
  
  
  Stefan Esser / 2006-10-02
© Hardened PHP Project