Posted by & filed under PHP.

A few days after releasing PHP 5.3.4 and PHP 5.2.16, the PHP group announced an important security update with PHP 5.3.5 and PHP 5.2.17:

This release resolves a critical issue, reported as PHP bug #53632 and CVE-2010-4645, where conversions from string to double might cause the PHP interpreter to hang on systems using x87 FPU registers.

The problem is known to only affect x86 32-bit PHP processes, regardless of whether the system hosting PHP is 32-bit or 64-bit. You can test whether your system is affected by running this script from the command line.

All users of PHP are strongly advised to update to these versions immediately.

The Dotdeb packages for Debian “Lenny” 5.0 are now available. You really should upgrade.
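Two local checks for the issue described above, as an added example that is not part of the original post and not Dotdeb's or the PHP project's own test script. The first function decides from a version string whether a 5.2.x or 5.3.x build is older than the fixed releases named in the announcement; the second runs the string-to-double conversion reported in bug #53632 through the local interpreter under a timeout so that a vulnerable 32-bit x87 build is caught as a hang rather than hanging your shell. It assumes `php` is on `PATH` and that coreutils `timeout` is available.

```shell
#!/bin/sh
# Added example (not from the original post, Dotdeb or the PHP project).
# php_version_affected VERSION -> exit 0 if VERSION is 5.2.x older than 5.2.17
#   or 5.3.x older than 5.3.5 (the fixed releases named in the announcement),
#   exit 1 otherwise. Debian suffixes such as "-1~dotdeb.0" are ignored.
php_version_affected() {
    ver=$1
    major=${ver%%.*}; rest=${ver#*.}
    minor=${rest%%.*}
    case "$rest" in
        *.*) rest=${rest#*.}; patch=${rest%%[!0-9]*} ;;   # strip "-1~dotdeb.0"
        *)   patch=0 ;;                                   # "5.3" -> patch 0
    esac
    [ "$major" = 5 ] || return 1                           # only 5.2/5.3 covered
    case "$minor" in
        2) [ "${patch:-0}" -lt 17 ] ;;
        3) [ "${patch:-0}" -lt 5 ] ;;
        *) return 1 ;;
    esac
}

# php_fpu_hang_check [PHP_BINARY] -> prints "ok", "affected" or "missing".
# 2.2250738585072011e-308 is the value reported in PHP bug #53632; a patched
# interpreter converts it instantly, a vulnerable 32-bit x87 build never returns,
# so the 5-second timeout is what turns the hang into a detectable result.
php_fpu_hang_check() {
    bin=${1:-php}
    command -v "$bin" >/dev/null 2>&1 || { echo missing; return 2; }
    if timeout 5 "$bin" -r '$d = (double) "2.2250738585072011e-308"; echo "done";' \
        >/dev/null 2>&1; then
        echo ok
    else
        echo affected
    fi
}

# Stand-alone usage: report the installed version and the conversion result.
if [ "${0##*/}" != sh ] && command -v php >/dev/null 2>&1; then
    v=$(php -r 'echo PHP_VERSION;')
    if php_version_affected "$v"; then
        echo "php $v predates the fixed release"
    else
        echo "php $v is at or beyond the fixed release"
    fi
    echo "conversion check: $(php_fpu_hang_check php)"
fi
```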

30 Responses to “You really should upgrade to PHP 5.3.5 or 5.2.17”

  1. eugene

    Hi

    The package contains an error: it probably updated /etc/init.d/php-fpm, and then I could not restart/kill/start php-fpm because it did not see the pid file.
    Having dug a bit, I found out that the 24th line in /etc/init.d/php-fpm should be changed from

    php_fpm_PID=/var/$php_fpm_PID

    to

    php_fpm_PID=$php_fpm_PID

    Issue was replicated on several boxes.

    Thanks

  2. Robert

    Thank you eugene for the quick fix to this. That init script being broken extended my boot time by 20 seconds on top of the obvious problems associated with this script not working.

  3. andras

    Hi Guillaume,

    Thank you for your quick reactivity! You show that the whole PHP community reacts quickly when vulnerabilities are discovered.

    Jean-Michel (andras)

  4. Frank Van Damme

    I have one server where I would need 5.3.2 specifically, since php introduced changes in language semantics between two micro versions. Does dotdeb archive packages? I’d like to download the source packages and patch them myself with the fix to the security problem described above.

  5. Faith

    Hi
    After an apt-get dist-upgrade, the following packages were removed: libapache2-mod-php5 mysql-client-5.1 mysql-server-5.1 mysql-server-core-5.1 php-pear php5 php5-cgi php5-cli php5-common php5-curl php5-dbg php5-dev
    php5-gd php5-geoip php5-imagick php5-imap php5-mcrypt php5-mysql php5-suhosin php5-xcache.
    The following packages were kept back: mysql-client-5.1 php5-dev.
    The following packages were upgraded: mysql-server-core-5.1 php5-common php5-suhosin php5-xcache.
    As you can imagine, my server is now unstable (can’t start php etc.). How can I restore the removed packages without losing database content/config?
    Regards

  6. Guillaume Plessis

    @Faith: use a real package manager (such as dselect, aptitude or synaptic) to resolve the conflicts that prevent php5, mysql-server-5.1 and so on from being installed.

    Debian Squeeze was released last night. Don’t forget to update your sources.list:
    – Lenny is now known as “oldstable”
    – Squeeze is now known as “stable”

  7. Faith

    Thanks for your reply.
    The problem came from not updating sources.list.

  8. andy

    Hi.

    If I try apt-get install php5-curl I get:


    Reading package lists… Done
    Building dependency tree
    Reading state information… Done
    Some packages could not be installed. This may mean that you have
    requested an impossible situation or if you are using the unstable
    distribution that some required packages have not yet been created
    or been moved out of Incoming.
    The following information may help to resolve the situation:

    The following packages have unmet dependencies:
    php5-curl: Depends: phpapi-20090626
    E: Broken packages

    In my /etc/apt/sources.list I have added:


    deb http://packages.dotdeb.org stable all
    deb-src http://packages.dotdeb.org stable all

    deb http://php53.dotdeb.org stable all
    deb-src http://php53.dotdeb.org stable all

    apt-get upgrade (after apt-get update) tells me:


    Reading package lists… Done
    Building dependency tree
    Reading state information… Done
    The following packages have been kept back:
    libapache2-mod-php5 mysql-client-5.1 mysql-server-5.1 mysql-server-core-5.1 php-pear php5 php5-cgi php5-cli php5-common php5-gd php5-imagick php5-imap php5-mcrypt
    php5-mysql php5-suhosin
    0 upgraded, 0 newly installed, 0 to remove and 15 not upgraded.

    Why can’t I install php5-curl?

    regards,
    andy

  9. Guillaume Plessis

    @andy: are you sure that php5-curl comes from Dotdeb? Dotdeb’s php5-curl depends on phpapi-20090626+lfs

    My advice:

    1/ Squeeze is now stable and Lenny is oldstable. Check your sources.list as described in this note: http://www.dotdeb.org/2011/02/06/debian-6-0-squeeze-has-been-released/
    2/ run “apt-get update”
    3/ be sure to install one of php5-cli, php5-cgi, php5-fpm or libapache2-mod-php5 that brings “phpapi-20090626+lfs” (not “phpapi-20090626”)

  10. Matt Sawyer

    Man, this post saved my life — literally. The same problem that happened to @Faith happened on our shared hosting server. I simply removed all those packages, switched the dotdeb source from stable to oldstable, did an apt-get update, and re-installed the packages. Back up now.

  11. Eric Gillette

    I wonder, does the same apply for 5.3.x versions of PHP, or will apt-get realize this once I switch the sources list file to squeeze/stable?

  12. vincent

    The libapache2-mod-php5 package requires apache2-mpm-prefork or apache2-mpm-itk.

    Other MPM modules use mod-php5 too, such as mpm-peruser (http://www.peruser.org/trac/peruser).

    Can you add apache2-mpm-peruser and other MPM modules to the requirements of the libapache2-mod-php5 package?

    Thanks

  13. adminko

    Thank you very much!
    I have downloaded and upgraded php to 5.2.17

    I have been searching in Google for a full day :)
    Thanks again!

  14. Maxim.Efremov

    Hello Guillaume Plessis, is there a person ready to undertake and adjust a VDS? I give beer money :) There is an ISPManager Lite license which will need to be made to work on it… I have been trying to install the necessary packages all evening, but nothing comes of it. Sorry for my bad English, I’m from Russia!!
    Apache 2.2.22;
    PHP 5.2.17 (with integrated MSSQL module);
    Zend Optimizer;
    IonCube;
    MySQL;
    ICQ: 444420005. Big thanks for you!