Though I forgot to write about it because I was hooked on WOFF, I updated to PHP5.5.10 on Mar. 10.
According to ChangeLog, this includes the fixes for CVE-2014-1943, CVE-2014-2270 and CVE-2013-7327.
The php.ini-production loses the following 31 lines. Nothing on my server was affected by them, though.
———————————————
; session.bug_compat_42
; Default Value: On
; Development Value: On
; Production Value: Off
———————————————
; session.bug_compat_warn
; Default Value: On
; Development Value: On
; Production Value: Off
———————————————
; PHP 4.2 and less have an undocumented feature/bug that allows you to
; to initialize a session variable in the global scope.
; PHP 4.3 and later will warn you, if this feature is used.
; You can disable the feature and the warning separately. At this time,
; the warning is only displayed, if bug_compat_42 is enabled. This feature
; introduces some serious security problems if not handled correctly. It’s
; recommended that you do not use this feature on production servers. But you
; should enable this on development servers and enable the warning as well. If you
; do not enable the feature on development servers, you won’t be warned when it’s
; used and debugging errors caused by this can be difficult to track down.
; Default Value: On
; Development Value: On
; Production Value: Off
; http://php.net/session.bug-compat-42
session.bug_compat_42 = Off
———————————————
; This setting controls whether or not you are warned by PHP when initializing a
; session value into the global space. session.bug_compat_42 must be enabled before
; these warnings can be issued by PHP. See the directive above for more information.
; Default Value: On
; Development Value: On
; Production Value: Off
; http://php.net/session.bug-compat-warn
session.bug_compat_warn = Off
———————————————
As the official PHP binary includes php5apache2_4.dll, I extract the zip archive and replace all the PHP5.5.9 files with the PHP5.5.10 files, except my php.ini. Then I restart Apache. That’s it.
If you need to know how to configure PHP5.5, please see the post. It is for an mbstring user, but the information should be of some help to you.
I took this opportunity to update to phpMyAdmin 4.1.9. If you need its configuration, see “phpMyAdmin 4.1.0 is released”.
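Since the existing php.ini is kept while the other files are replaced, it can still carry active settings that the shipped php.ini-production no longer lists. The following check is an added example, not part of the original post or of PHP itself: it scans php.ini text for uncommented settings of the two directives listed above. The function name and the sample ini content are constructed for illustration.

```python
import re

# Directives the post lists as dropped from php.ini-production.
REMOVED = ("session.bug_compat_42", "session.bug_compat_warn")

# An active setting looks like "name = value"; lines starting with ';' are comments.
SETTING = re.compile(r"^([A-Za-z0-9_.]+)\s*=\s*(.*)$")

# Constructed sample: a kept php.ini with one commented and two active stale lines.
SAMPLE_INI = """\
[PHP]
expose_php = Off

[Session]
session.save_handler = files
; session.bug_compat_42 = On
session.bug_compat_42 = Off
  session.bug_compat_warn = Off ; kept from an older php.ini
session.use_cookies = 1
"""

def find_stale_directives(ini_text, names=REMOVED):
    """Return [(line_no, section, name, value)] for active settings of `names`."""
    hits = []
    section = None
    for line_no, raw in enumerate(ini_text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith(";"):
            continue  # blank line or comment: not an active setting
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
            continue
        match = SETTING.match(line)
        if not match:
            continue
        name, value = match.group(1), match.group(2)
        if not value.startswith('"'):
            value = value.split(";", 1)[0]  # drop a trailing inline comment
        if name in names:  # php.ini directive names are case sensitive
            hits.append((line_no, section, name, value.strip()))
    return hits

if __name__ == "__main__":
    for line_no, section, name, value in find_stale_directives(SAMPLE_INI):
        print(f"line {line_no} [{section}]: {name} = {value}")
```

To check a real file, pass its contents, for example `find_stale_directives(open(path).read())` with `path` pointing at your own php.ini.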