diff --git a/reference/strings/functions/crypt.xml b/reference/strings/functions/crypt.xml
index 2de7be4b81..9f517d62d8 100644
--- a/reference/strings/functions/crypt.xml
+++ b/reference/strings/functions/crypt.xml
@@ -66,12 +66,19 @@
- CRYPT_BLOWFISH - Blowfish hashing with a salt as follows:
- "$2a$", a two digit cost parameter, "$", and 22 digits from the alphabet
- "./0-9A-Za-z". Using characters outside of this range in the salt will cause crypt() to
- return a zero-length string. The two digit cost parameter is the base-2 logarithm of the
- iteration count for the underlying Blowfish-based hashing algorithmeter and must be in
- range 04-31, values outside this range will cause crypt() to fail.
+ CRYPT_BLOWFISH - Blowfish hashing with a salt as
+ follows: "$2a$", "$2x$" or "$2y$", a two digit cost parameter, "$", and
+ 22 digits from the alphabet "./0-9A-Za-z". Using characters outside of
+ this range in the salt will cause crypt() to return a zero-length string.
+ The two digit cost parameter is the base-2 logarithm of the iteration
+ count for the underlying Blowfish-based hashing algorithmeter and must be
+ in range 04-31, values outside this range will cause crypt() to fail.
+ Versions of PHP before 5.3.7 only support "$2a$" as the salt prefix: PHP
+ 5.3.7 introduced the new prefixes to fix a security weakness in the
+ Blowfish implementation. Please refer to
+ this document for full
+ details of the security fix, but to summarise, developers targeting only
+ PHP 5.3.7 and later should use "$2y$" in preference to "$2a$".
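Review bot: The new CRYPT_BLOWFISH paragraph lists "$2x$" as an accepted prefix but never says what it is for. The closing advice only covers "$2y$" in preference to "$2a$", so a reader cannot tell from this page whether "$2x$" is something to choose for new hashes or something to avoid. Please add a sentence stating the intended use of "$2x$", and say what developers should do when the code must also run on versions before 5.3.7, since the recommendation is limited to "developers targeting only PHP 5.3.7 and later". Two smaller points in the same paragraph: the typo "algorithmeter" is carried over unchanged from the removed text and could be fixed while the sentence is being rewritten, and the link text "this document" does not tell the reader where the link leads; naming the target in the link text would help.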
@@ -149,6 +156,13 @@
+
+ 5.3.7
+
+ Added $2x$ and $2y$ Blowfish
+ modes to deal with potential high-bit attacks.
+
+ 5.3.2
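Review bot: The 5.3.7 changelog entry describes the reason as "potential high-bit attacks", while the description hunk above calls it "a security weakness in the Blowfish implementation" and never uses the term "high-bit". A reader landing on the changelog first has nothing to connect the two. Suggest using the same wording in both places, or briefly defining what "high-bit" refers to in the description, and pointing the changelog entry at the same reference the description links to.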