After months of testing, PHP 5.3.7 was released last week. While PHP 5.3.7 fixed over 60 bugs, it introduced a new one. The new bug was a crypto flaw.
That crypto flaw led to a warning that I have never before seen from PHP.
“Due to unfortunate issues with 5.3.7 (see bug#55439) users should wait with upgrading until 5.3.8 will be released,” PHP.net warned.
Well, it has only been a few days, and 5.3.8 is now available, fixing the crypto flaw.
There is a lesson in all of this, both for PHP users and for software in general. For developers, no matter how well you think something has been tested during beta and release cycles, it’s never perfect. There is always a use case and a user that won’t try a release until it’s generally available.
For users, if you’re risk averse, wait a day (or two) after a new release when you can, especially with infrastructure software like PHP. It might save you some grief. Then again, I know full well that plenty of users (myself included) often upgrade to the latest and greatest as soon as it’s available, just to get the latest security fixes.
No, there isn’t an easy answer to this paradox. But just be cautious when you can; bugs have a way of creeping up in the first hours or days after a release, time and again.