
On January 10th 2012, the PHP Group released PHP 5.3.9, which brings over 90 bug fixes, some of which are security related:

Security Enhancements and Fixes in PHP 5.3.9:

  • Added max_input_vars directive to prevent attacks based on hash collisions. (CVE-2011-4885)
  • Fixed bug #60150 (Integer overflow during the parsing of invalid exif header). (CVE-2011-4566)
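The max_input_vars directive listed above caps how many key=value pairs PHP registers per request, which is what stops the hash-collision CPU exhaustion of CVE-2011-4885. PHP enforces the cap by silently dropping every pair after the limit and running the script on the partial input, with only a startup warning in the error log. The following script is an added example (not from this post or the PHP project) of how an application can detect that truncation itself, so that a form is refused rather than processed half-filled; the request values, the limit of 4 and the helper names are constructed for the illustration.

```php
<?php
// Added example, not from the Dotdeb post or the PHP project: a guard that
// notices when PHP has dropped request variables because max_input_vars was
// hit. PHP 5.3.9 registers only the first max_input_vars key=value pairs of a
// query string or urlencoded body, logs a startup warning ("Input variables
// exceeded ...") and then runs the script on the partial input, so an
// application that needs every field has to detect the truncation itself.

// Effective limit; PHP's built-in default is 1000 when the directive is unset.
function effective_max_input_vars() {
    $v = ini_get('max_input_vars');
    return ($v === false || $v === '') ? 1000 : (int) $v;
}

// Number of key=value pairs in a raw urlencoded string. This is what PHP's
// counter counts: every pair, array syntax (c[x]=3) included, before any
// de-duplication of repeated keys.
function count_raw_pairs($raw) {
    $n = 0;
    foreach (explode('&', (string) $raw) as $pair) {
        if ($pair !== '') {
            $n++;
        }
    }
    return $n;
}

// Leaves of a parsed array such as $_POST: the variables the script got.
function count_parsed_vars(array $vars) {
    $n = 0;
    foreach ($vars as $value) {
        $n += is_array($value) ? count_parsed_vars($value) : 1;
    }
    return $n;
}

// Exact check when the raw request is available: PHP drops every pair after
// the limit, so more raw pairs than the limit means data was lost.
function raw_input_truncated($raw, $limit) {
    return count_raw_pairs($raw) > $limit;
}

// Fallback when only the parsed array is at hand (e.g. multipart/form-data,
// where php://input is not available in PHP 5.3): sitting exactly at the
// limit means the (limit+1)th pair may have been dropped. Repeated keys make
// this conservative, so treat it as a "possibly truncated" signal only.
function parsed_input_possibly_truncated(array $vars, $limit) {
    return count_parsed_vars($vars) >= $limit;
}

// Self-check on constructed data (no real request involved).
$limit  = 4;                                 // pretend max_input_vars = 4
$raw    = 'a=1&b=2&c[x]=3&c[y]=4&d=5&e=6';   // six pairs sent by the client
$parsed = array('a' => '1', 'b' => '2', 'c' => array('x' => '3', 'y' => '4')); // what PHP kept

if (count_raw_pairs($raw) !== 6 || count_parsed_vars($parsed) !== 4) {
    throw new RuntimeException('counting helpers are broken');
}
if (!raw_input_truncated($raw, $limit) || !parsed_input_possibly_truncated($parsed, $limit)) {
    throw new RuntimeException('truncation not detected');
}
if (raw_input_truncated('a=1&b=2', $limit)) {
    throw new RuntimeException('false positive on a small request');
}

// In a real handler for an application/x-www-form-urlencoded request. The
// query string and the body are checked on their own, each against the limit.
if (PHP_SAPI !== 'cli') {
    $limit = effective_max_input_vars();
    $query = isset($_SERVER['QUERY_STRING']) ? $_SERVER['QUERY_STRING'] : '';
    $body  = ($_SERVER['REQUEST_METHOD'] === 'POST') ? file_get_contents('php://input') : '';
    if (raw_input_truncated($query, $limit) || raw_input_truncated($body, $limit)) {
        header('HTTP/1.1 413 Request Entity Too Large');
        exit('Too many input variables for this server');
    }
}
```

Run it from the CLI to exercise the self-check; under PHP-FPM or Apache the last block rejects oversized requests with a 413 before any form logic runs. Keeping the raw-pair count as the primary signal matters because the parsed array alone cannot distinguish "exactly at the limit" from "truncated at the limit".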

Key enhancements in PHP 5.3.9 include:

  • Fixed bug #55475 (is_a() triggers autoloader, new optional 3rd argument to is_a and is_subclass_of).
  • Fixed bug #55609 (mysqlnd cannot be built shared)
  • Many changes to the FPM SAPI module

PHP 5.3.9 is now available on Dotdeb for:

  • both Debian 6.0 “Squeeze” and Debian 5.0 “Lenny”
  • both amd64 and i386 architectures

As usual, please read the ChangeLog before upgrading and be sure to use the latest packages before reporting any issue.

[edit] The packages have been updated to fix some Suhosin- and strtotime()-related issues. You really should upgrade at least:

  • to 5.3.9-0~dotdeb.3 if you’re running Squeeze
  • to 5.3.9-0~dotdeb.2 if you’re running Lenny

71 Responses to “PHP 5.3.9”

  1. Matic

    I also have one application that is crashing since the upgrade to 5.3.9 and my friend reproduced it on another VM, but same software.

    Reply
  2. Matic

    @Dave
    Replicated on my crashing system.

    Interactive shell
    php > strtotime('2012-01-12 21:13:28 UTC');
    Crashes with: Segmentation fault

    Reply
  3. mptsnj

    I know this doesn’t help the people running this service but just stating here for the users:

    I also have problems with this specific version and I didn’t yet find anything useful in the logs.. rolled back to 5.3.8-1~dotdeb.2 until I have some time to look into this

    Reply
  4. Guillaume Plessis

    @mptsnj : an update (5.3.9-0~dotdeb.3 for Squeeze and 5.3.9-0~dotdeb.2 for Lenny) is coming. Please upgrade as soon as it’s available, the problem will be fixed.

    Reply
  5. Matic

    The update solved the problem. My application is working now.

    @Guillaume Plessis, what was the cause of the segmentation fault? What can we learn from this?

    On a related note, my suhosin.ini file still gets overwritten every time I update PHP packages. Could the file be added to the list of config files in the php5-suhosin Debian package so it asks before overwriting?

    Reply
  6. mptsnj

    @Guillaume Plessis yep, everything works as desired now … thanks for the ultra-fast response/update :)

    Reply
  7. Scott

    Uhh I got a question about these packages and the mirrors.

    At least for my mirror I host for dotdeb the lenny packages don’t seem to be there. All I see is 5.2.17-0.dotdeb.0 still. And yes I made sure the rsync ran.

    Reply
  8. Scott

    Actually I think you did this by design.

    I do have some clients that can’t use 5.3 yet and my accounting/billing software can’t use 5.3 just yet. So better to not put it in the main repo just yet.

    Reply
  9. Guillaume Plessis

    @Scott : packages.dotdeb.org contains :
    * PHP 5.3.9 packages for Squeeze
    * PHP 5.2.17 packages for Lenny

    Packages of PHP 5.3.9 for Lenny are on php53.dotdeb.org (that has its own "php53" module on rsync.dotdeb.org)

    Reply
  10. Jools

    Any chance you could put 5.3.8 back online please? Thought it would be on your repository but it doesn't seem to be :/

    Reply
  11. Laph

    Hint:
    If you're using php5-fpm and a file extension other than .php, add "security.limit_extensions = no" to all your fpm pool (!) definitions, or files with extensions other than .php will not be parsed and you'll see just an "Access Denied" as output.

    I really dislike changes of this kind in a minor release – and the lack of documentation also!

    *grrrr*

    Reply
  12. jools

    I thought I had posted this but now I can't see it, so in case I didn't: apc.ini is still being overwritten with new updates. When making pecl packages locally, it doesn't happen, so I assume your perl helper needs an upgrade or something.

    Reply
  13. Vasiliy Toporov

    Is it ok? I see 5.3.9-1~dotdeb.2 in phpinfo, but the repo is for Squeeze (stable). Upgraded packages just right now. My system is Ubuntu 11.10 64-bit.

    Reply
  14. Guillaume Plessis

    @jools : this behavior will be fixed in future release.

    @Vasiliy Toporov : run “apt-get update && apt-get dist-upgrade”, then be sure to restart Apache or PHP-FPM.

    Reply
  15. Joe Siegrist

    It appears that php5-fpm has lost all warnings from 5.3.8 to 5.3.9 in the dotdeb build.

    Verified that the warnings are not sent over the network on the fpm port. Example script that spits warnings in 5.3.8 and won’t in 5.3.9 (with E_ALL | E_STRICT ):

    <?php
    // undefined variable $a and undefined constant 'a': both emit notices under E_ALL
    $a[a];

    Thanks for maintaining this!

    Reply
  16. Anthony Somerset

    Hi Guillaume

    I've noticed this bug on quite a few upgrades of PHP now.

    Whenever I update PHP and its plugins (like APC etc.)

    all my configs in my plugins' ini files get reset back to default.

    E.g. I have custom APC settings and every update I have to manually back up and recopy the config settings back into place.

    The upgrader asks what I want to do about the fpm and cli php.ini files but not the plugins. Any chance of rectifying this?

    Reply
  17. Anthony Somerset

    @jools, thanks, I missed that. It's not strictly isolated to APC; I think a few of the plugins have issues, but because APC is the only one I really tweak it's the only one I noticed.

    Reply
  18. Scott

    Same thing with suhosin.ini — so what I did was chattr +i all my ini files, that will stop the over writing.

    Reply
  19. Kevin

    php5-curl and several others are having dependency issues:

    php5-curl : Depends: php5-common (= 5.3.3-7+squeeze3) but 5.3.9-1~dotdeb.3 is going to be installed.
    E: Broken Packages

    On the other hand, installing libmysqlclient15-dev (required to build the Sphinx search engine) is also broken.

    Any hints on this one? I have to install everything prior to enabling the dotdeb repos, but that way I lose updates on one of the two repos..

    Reply
  20. Pierre-Henry

    Hello Guillaume,

    For my part, I came back to this post looking for why some WordPress sites were serving blank pages with a 200 status code.

    It seems that all the WordPress sites configured with php_admin_value[memory_limit]=32M randomly crash with out-of-memory errors. Strangely, everything was fine on 5.3.8; I wonder whether version 9 has memory consumption problems.
    I tried removing APC, without success.

    Another, more important point: at least one variable from the config files is no longer taken into account. In my FPM configs each vhost has its own log files, and I was surprised to see nothing in them about any possible error.

    I realised that since the update, the php_admin_value[error_log] value in the vhost's config file no longer overrides the value declared in php5-fpm.conf.

    I can't see what causes this; I tried declaring it as php_value, without success.
    Currently it's the error_log = /var/log/php5-fpm.conf entry in /etc/php5/fpm/php5-fpm.conf that is used by all vhosts.

    Any idea?

    Reply
  21. Scott

    @Kevin I'm not having that issue on any server. It sounds like something didn't upgrade like it should have. Have you tried reinstalling the 5.3 packages again?

    Reply
  22. Rémi SAUVAT

    There is still a bug with your package.
    This is related only to the /etc/init.d/php5-fpm file.

    On the reload command the script sends a SIGHUP instead of SIGUSR2 as documented in php-fpm. The current behavior kills the master process. This has been corrected in the latest releases of php-fpm for Debian sid and unstable as stated here http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=645934

    It would be nice to have it corrected in dotdeb packages too.

    Reply
  23. Rémi SAUVAT

    @Guillaume Plessis : Thanks for the quick reply. I am waiting for the next update.

    Reply
  24. Pierre-Henry

    Yes I have php5-suhosin 5.3.9-1~dotdeb.3 installed and enabled with default config :

    ; configuration for php suhosin module
    extension=suhosin.so
    suhosin.executor.include.whitelist="phar"

    Reply
  25. Joe

    Hi,

    Thanks for the update!
    Just wondering: what is the preferred approach for handling php.ini changes when one has customisations in the existing php.ini?

    Is it a case of using diff/merge? Or is there a better way?

    Thanks!

    Reply
  26. Scott

    You can’t even guess how pissed off I am about all the ini’s getting written over.

    33 servers I have to fix because of this.

    Reply
  27. Jools

    I still get crashes with php-fpm on this version. Am using 5.4.8 for now. Crashes occur regularly/constantly with a small APC cache and, with a large APC cache, less often but enough to make it an issue.

    Couldn't see any major issues on the PHP bugtracker though, which is strange. Also I am not using the php5-suhosin module.

    Appreciate the efforts here though. I wonder if it might be a useful idea to have a dotdeb stable and testing or so, and push packages to testing first, and to stable later. might help upgrade woes. cheers

    Reply
  28. Guillaume Plessis

    @Scott & Jools : I’d really like to spend as much time as needed to make everyone’s good ideas real (such as yours). Dotdeb is getting more and more popular, I’m proud of that. But people always have more and more expectations and support requests, and no one is planning any major donation or sponsor.

    I’d just like people to keep in mind that Dotdeb is a one-person project. As a freelance worker, my time is getting precious. I’ll keep on focusing on the existing packages, on fixing them and so on, but I can’t afford spending too much time on it.

    I’ll do my best. I know you’ll understand.

    Reply
  29. Jools

    guillaume – I totally understand your point. I have similar problems with “wants” on some of my projects.

    I am of course happy to contribute a small amount financially, but might be more useful if I could contribute patches etc. Maybe some sort of github style repo?

    we do understand and thanks.

    Funnily enough before you were managing nginx, I was maintaining my own packages and there must be others, so perhaps some “pooling” of skills could help?

    Reply
  30. Jools

    Donation made. To add: I already have some changes I could commit to the nginx packages if on a public repo, such as more types for the default mime types, and scripts to enable/disable sites like a2dissite etc. (which I believe has been in older Debian builds).

    If it already is somewhere, apologies, and I'll go and submit some diffs.

    Reply
  31. JD

    Quoting Guillaume Plessis (Jan 13, 2012):

    @Joe Siegrist : partial syslog support has been implemented in FPM. It may have led to the warnings loss.

    Can you please tell me what config setting controls this? I have lost all warnings like simple syntax errors in my lightttpd error.log
    btw i kept the old config from 5.3.8

    Reply
  32. Guillaume Plessis

    @JD : as mentioned in the new configuration file the error logging directives are : error_log, syslog.facility, syslog.ident and log_level.

    Be also sure to set the appropriate error_reporting level in your scripts and that your worker has the permissions to write into your log files if you’ve overwritten the error_log directive for each of your process pools.

    Reply
  33. Gator

    Thanks for the up to date packages! As mentioned, a public repository on Github would be the next great step.

    Reply
  34. Free

    Hello guys.

    Could you please disable posix in your builds?

    # php -m | grep posix
    posix
    #
    # php --version
    PHP 5.3.8-1~dotdeb.2 with Suhosin-Patch (cli) (built: Aug 25 2011 13:30:46)
    Copyright (c) 1997-2011 The PHP Group
    Zend Engine v2.3.0, Copyright (c) 1998-2011 Zend Technologies
    with the ionCube PHP Loader v4.0.7, Copyright (c) 2002-2011, by ionCube Ltd.
    with Suhosin v0.9.32.1, Copyright (c) 2007-2010, by SektionEins GmbH

    Reply
  35. Free

    http://php.net/manual/en/intro.posix.php

    "Sensitive data can be retrieved with the POSIX functions, e.g. posix_getpwnam() and friends. None of the POSIX functions perform any kind of access checking when safe mode is enabled. It's therefore strongly advised to disable the POSIX extension at all (use --disable-posix in your configure line) if you're operating in such an environment."

    Reply
  36. Jools

    @Free: surely you can just disable the functions you don't want with suhosin, for example?

    Removing the posix functions would remove functionality from those who need them. Debian, for example, also ships with them enabled.

    Reply
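Comments 35 and 36 leave an administrator with two ways of dealing with the POSIX extension: rebuild without it (--disable-posix) or blacklist the individual functions (disable_functions in php.ini, or Suhosin's executor blacklist). Either way, what matters for the risk described in the manual quote is which posix_* functions remain callable afterwards. The script below is an added example, not from this thread or from the Dotdeb packages, that audits exactly that on a running build; the function names in its self-check are constructed, and the Suhosin directive it reads is only consulted when Suhosin is loaded.

```php
<?php
// Added example (not from the Dotdeb post or its commenters): list which
// posix_* functions are still callable in this PHP build, after applying the
// blacklists an administrator may have configured instead of rebuilding with
// --disable-posix.

// Both php.ini's disable_functions and Suhosin's suhosin.executor.func.blacklist
// are lists of function names; accept commas and whitespace as separators.
function parse_function_list($value) {
    $out = array();
    foreach (preg_split('/[\s,]+/', (string) $value) as $name) {
        $name = strtolower(trim($name));
        if ($name !== '') {
            $out[$name] = true;
        }
    }
    return $out;
}

// Returns the functions from $posix_funcs that no blacklist covers.
function exposed_posix_functions(array $posix_funcs, array $blacklists) {
    $blocked = array();
    foreach ($blacklists as $list) {
        $blocked += parse_function_list($list);   // array union keeps all names
    }
    $exposed = array();
    foreach ($posix_funcs as $fn) {
        if (!isset($blocked[strtolower($fn)])) {
            $exposed[] = $fn;
        }
    }
    return $exposed;
}

// Self-check on constructed data: two functions blacklisted, one forgotten.
$sample = exposed_posix_functions(
    array('posix_getpwnam', 'posix_getpwuid', 'posix_kill'),
    array('posix_getpwnam, posix_kill', '')
);
if ($sample !== array('posix_getpwuid')) {
    throw new RuntimeException('audit logic is broken');
}

// Live audit of the interpreter this script runs under.
$funcs = extension_loaded('posix') ? get_extension_funcs('posix') : array();
if (!$funcs) {
    echo "posix extension not loaded (built with --disable-posix?)\n";
} else {
    $exposed = exposed_posix_functions($funcs, array(
        ini_get('disable_functions'),
        // ini_get() returns false when Suhosin is absent; parsed as an empty list.
        ini_get('suhosin.executor.func.blacklist'),
    ));
    printf("%d of %d posix_* functions remain callable\n", count($exposed), count($funcs));
    foreach ($exposed as $fn) {
        echo "  $fn\n";
    }
}
```

Run it once with the CLI binary and once through the FPM or Apache SAPI: each SAPI reads its own php.ini, so a blacklist added only to /etc/php5/cli/php.ini does nothing for web requests, which is the case this audit is meant to catch.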
  37. Stéphane Cottin

    Hi,

    https://bugs.php.net/bug.php?id=55475 breaks a LOT of websites

    plz apply the following workaround in php-pear package:

    — /usr/share/php/PEAR.old.php 2012-01-31 21:15:00.000000000 +0000
    +++ /usr/share/php/PEAR.php 2012-01-31 20:53:13.000000000 +0000
    @@ -249,7 +249,7 @@
    */
    function isError($data, $code = null)
    {
    - if (!is_a($data, ‘PEAR_Error’)) {
    + if (!is_object($data) || !is_a($data, ‘PEAR_Error’)) {
    return false;
    }
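    Review bot: the added `!is_object($data) ||` guard in isError() is sufficient on its own, because `||` short-circuits and is_a() is therefore never reached for a string or other non-object, which is what kept the autoloader out of the picture; a `$data instanceof PEAR_Error` test would achieve the same without a function call, but PEAR keeps is_a() for PHP 4 compatibility, so the one-line guard is the right minimal change. Since the edited file is /usr/share/php/PEAR.php, a hand-applied copy will be reverted by the next php-pear upgrade, which is why it has to land in the package as the comment requests.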

    thx

    Reply
  38. Scott

    @Stéphane That should be reported upstream to Debian instead of here, so that the Debian team can send out an update.

    Reply
  39. Stéphane Cottin

    @Scott official Debian php5 versions are 5.2 for lenny and 5.3.3 for squeeze; these versions do not have this bug.

    @Guillaume hope the next package update will include the upstream fix, thx.

    Reply

Trackbacks/Pingbacks

  1.  Actualizar PHP, repositorios | El Blog de Juan José Boyano
