Last Month in PHP
September 2016
Kansas City PHP User Group
PHP Patch Releases
PHP 7.0.11 - Upgrade!
● Security fixes
● php.net/ChangeLog-7.php#7.0.11
PHP 5.6.26 - Upgrade!
● Security fixes
● php.net/ChangeLog-5.php#5.6.26
Security Bulletin...
ImageMagick
● Remote Code Execution
● Mitigation recommendation:
○ Sandbox ImageMagick
■ If you find a good way to do this, it might make a good KCPUG talk!
○ Update your policy.xml file.
■ imagetragick.com
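A way to check the policy.xml mitigation above, as an added example that is not part of the original slides: it parses a policy file and reports which of the coders named in the ImageTragick advisory are still not denied. The function name and the sample policy are constructed for illustration; parsing the XML rather than grepping it avoids counting the commented-out examples that stock policy files ship with.

```php
<?php
// Added example, not from the slides. The coder names are the ones the
// ImageTragick advisory recommends denying in policy.xml.
const RISKY_CODERS = ['EPHEMERAL', 'URL', 'HTTPS', 'MVG', 'MSL'];

/** Return the advisory coders that $policyXml does not deny (hypothetical helper). */
function missingCoderDenials(string $policyXml): array
{
    $doc = new DOMDocument();
    // LIBXML_NONET: do not fetch anything over the network while parsing.
    if (!@$doc->loadXML($policyXml, LIBXML_NONET)) {
        throw new InvalidArgumentException('policy.xml is not well-formed XML');
    }

    $denied = [];
    foreach ($doc->getElementsByTagName('policy') as $policy) {
        $isCoderDeny = strcasecmp($policy->getAttribute('domain'), 'coder') === 0
            && strcasecmp($policy->getAttribute('rights'), 'none') === 0;
        if ($isCoderDeny) {
            $denied[] = strtoupper($policy->getAttribute('pattern'));
        }
    }

    // A pattern of "*" denies every coder. Other glob patterns are not
    // expanded here, so a coder covered only by such a pattern is reported
    // as missing and needs a manual look.
    if (in_array('*', $denied, true)) {
        return [];
    }
    return array_values(array_diff(RISKY_CODERS, $denied));
}

// Constructed sample: a policy.xml that was only partially updated.
$samplePolicy = <<<'XML'
<policymap>
  <!-- <policy domain="coder" rights="none" pattern="URL" /> -->
  <policy domain="coder" rights="none" pattern="MVG" />
  <policy domain="coder" rights="none" pattern="MSL" />
  <policy domain="coder" rights="none" pattern="EPHEMERAL" />
  <policy domain="resource" name="memory" value="256MiB" />
</policymap>
XML;

$missing = missingCoderDenials($samplePolicy);
echo $missing
    ? 'Not denied: ' . implode(', ', $missing) . PHP_EOL
    : 'All advisory coders are denied' . PHP_EOL;
```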
Upcoming Features via PHP RFC
Argon2i Password Hash
● Target: PHP 7.2
● tl;dr: Introduces Argon2i password hashing algorithm, PASSWORD_ARGON2I, which has 3 cost factors, to password_* functions
● Note: PASSWORD_DEFAULT will still be an alias for PASSWORD_BCRYPT for now.
● See: wiki.php.net/rfc/argon2_password_hash
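How the RFC's pieces fit together at login time, as an added example that is not part of the original slides: because PASSWORD_DEFAULT stays on bcrypt, Argon2i has to be requested by name, and existing bcrypt hashes can be upgraded when the user next logs in. The cost values and the `verifyAndUpgrade` helper are assumptions for illustration; it needs PHP 7.2+ built with Argon2 support.

```php
<?php
// Added example, not from the slides. Requires PHP 7.2+ with Argon2 support.
if (!defined('PASSWORD_ARGON2I')) {
    fwrite(STDERR, "This PHP build has no Argon2i support\n");
    exit(1);
}

// The three Argon2i cost factors. The values are illustrative assumptions;
// tune them against the login latency you can afford on your own hardware.
const ARGON2I_OPTIONS = [
    'memory_cost' => 1 << 16, // in KiB (64 MiB)
    'time_cost'   => 4,       // number of passes over memory
    'threads'     => 2,       // degree of parallelism
];

/**
 * Verify a login and, if the stored hash is not Argon2i with the current
 * cost factors, return a replacement hash to persist (hypothetical helper).
 *
 * @return array{0: bool, 1: string} [password is valid, hash to store]
 */
function verifyAndUpgrade(string $password, string $storedHash): array
{
    // password_verify() reads the algorithm from the hash itself, so the
    // same call handles both legacy bcrypt and new Argon2i hashes.
    if (!password_verify($password, $storedHash)) {
        return [false, $storedHash];
    }

    // PASSWORD_DEFAULT is still bcrypt, so Argon2i is named explicitly.
    if (password_needs_rehash($storedHash, PASSWORD_ARGON2I, ARGON2I_OPTIONS)) {
        $storedHash = password_hash($password, PASSWORD_ARGON2I, ARGON2I_OPTIONS);
    }
    return [true, $storedHash];
}

// Constructed sample: an account whose hash was created with bcrypt.
$password   = 'constructed sample passphrase';
$legacyHash = password_hash($password, PASSWORD_BCRYPT, ['cost' => 10]);

[$valid, $newHash] = verifyAndUpgrade($password, $legacyHash);

echo 'login valid: ', var_export($valid, true), PHP_EOL;
echo 'before:      ', password_get_info($legacyHash)['algoName'], PHP_EOL;
echo 'after:       ', password_get_info($newHash)['algoName'], PHP_EOL;
```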
CMSes: Drupal
Drupal 8.1.[9,10]
● Drupal 8: Security & Patch Releases - Upgrade!
○ Users without "Administer comments" can set comment visibility on nodes they can edit: CVE-2016-7570
○ Cross-site Scripting in http exceptions: CVE-2016-7571
○ Full config export can be downloaded without administrative permissions: CVE-2016-7572
○ drupal.org/SA-CORE-2016-004
CMSes: WordPress
WordPress 4.6.1 - “Pepper”
● Security Release - Upgrade!
○ XSS via image filename
○ Path traversal vulnerability in image uploader
● wordpress.org/news/2016/09/wordpress-4-6-1-security-and-maintenance-release
Frameworks - CakePHP
CakePHP 3.3.[4,5], 2.9.0, & 2.8.[7,9]
● 3.3.x - bugfixes
○ bakery.cakephp.org/2016/09/24/cakephp_334_released.html
○ bakery.cakephp.org/2016/09/29/cakephp_335_released.html
● 2.9.0 - Feature release
○ Backwards-compatible feature release with 2.8.x
○ bakery.cakephp.org/2016/09/18/cakephp_290_289_released.html
● 2.8.x - bugfixes:
○ The last bugfix release of 2.8
○ bakery.cakephp.org/2016/09/09/cakephp_287_released.html
○ bakery.cakephp.org/2016/09/18/cakephp_290_289_released.html
Frameworks - Laravel
Laravel 5.3.[6,7,8,9,10,11,(12,13,14,15)]
● Laravel 5.3
○ A lot of queue work
○ Final release of the month reverted the prior 3’s DaemonCommand updates
○ github.com/laravel/framework/blob/5.3/CHANGELOG-5.3.md
● Vue 2.0 Released
○ Laravel 5.3 uses Vue on the front-end
○ medium.com/the-vue-point/vue-2-0-is-here-ef1f26acf4b8
Frameworks - Symfony
Symfony 3.1.4, 2.8.[10,11], 2.7.[17, 18]
● Maintenance Releases
○ symfony.com/blog/symfony-2-7-17-released
○ symfony.com/blog/symfony-2-7-18-released
○ symfony.com/blog/symfony-2-8-10-released
○ symfony.com/blog/symfony-2-8-11-released
○ symfony.com/blog/symfony-3-1-4-released
● SymfonyLive Chicago - Moved to php[world] :)
○ world.phparch.com/symfonylive-at-phpworld
Frameworks - Zend
ZF 1.12.20
● Security patch - Upgrade!
○ framework.zend.com/blog/2016-09-08-ZF-1.12.20-Released.html
● ZF1 End Of Life was 28 September
○ framework.zend.com/blog/2016-06-28-zf1-eol.html
PHP: The Right Way
● Code Style Guide
○ Under FIG heading, changed wording and added Laravel as a project
● Current Stable Version
○ Added EOL to PHP 5.6
● Mac Setup
○ Updated currently installed version of PHP with Sierra
● Namespaces
○ Simplified wording
● Date and Time
○ Added info about Carbon
● Note: Every open-source project can use your help with documentation. What are you waiting for?
Hacktoberfest 2016
Submit Pull Requests to Open Source Projects this month
● Help out the dev community!
● Submit 4 PRs and earn a t-shirt
● Must sign up first
● Cosponsored by DigitalOcean and GitHub
● Hacktoberfest.digitalocean.com
○ Check your status via 3rd-party: hacktoberfestchecker.herokuapp.com
PHP Conferences
Bulgaria PHP 2016
● Oct 7-9 - Sofia, Bulgaria
● bgphp.org
True North PHP
● Nov 3-5 - Toronto, Canada
● truenorthphp.ca
PHP[WORLD] 2016
● Nov 14-18 - Washington, D.C.
● 10% KCPUG Discount: REDACTED
● world.phparch.com/
ZendCon
● Nov 18-21 - Las Vegas, NV
● zendcon.com
PHP Conferences - Continued
SunshinePHP 2017
● Feb 2-4 - Miami, FL
● 2017.sunshinephp.com
PHP UK 2017
● Feb 16-17 - London, UK
● phpconference.co.uk
● Call For Papers due Oct 17
○ phpconference.co.uk/speakers
Confoo.CA 2017
● Mar 8-10 - Montreal, CAN
● confoo.ca/en/yul2017
Lonestar PHP 2017
● Apr 20-22 - Dallas, TX
● lonestarphp.com
Nomad PHP (Online) - October 13
Nomad PHP EU - 01:00 PM CDT
“New” is Not Your Enemy!
● Stephan Hochdörfer (@shochdoerfer)
● nomadphp.com/new-not-enemy
Nomad PHP US - 08:00 PM CDT
How the 3rd Normal Form Destroyed a Family
● Chuck Reeves (@manchuck)
● nomadphp.com/3rd-normal-form-destroyed-family
Next Month in KCPHPUG
● Eric Poe: “Iterating Strings -- Iterating Things”
