A few hours ago, PHP 5.3.10 was released by the PHP Group. It’s an important security update for PHP 5.3.9 users: Stefan Esser discovered a remotely exploitable bug introduced with PHP 5.3.9's max_input_vars directive (CVE-2012-0830). You really should upgrade as soon as possible.
Packages of PHP 5.3.10 are now available for :
- both Debian 6.0 “Squeeze” and Debian 5.0 “Lenny”,
- both amd64 and i386 architectures.
(Lenny packages will be available on php53.dotdeb.org for two weeks before being migrated to archives.dotdeb.org, because Lenny’s security support is ending)
Stef
Thanks for the quick turnaround on this update, Guillaume!
thomas
that was quick, thanks a lot for your efforts!
Chris
Thanks for this quick update!
David Goodwin
Hi – ditto the above – thanks for the quick turnaround! Much appreciated.
Marco
Thanks for the instant update
Debianroot
Thanks for the fast update. Much appreciated!
RichieB
An interesting fact is that this bug was reported on January 11th, 1 day after the release of php 5.3.9, see http://bugs.php.net/60708
Matt
Really impressed – I only discovered dotdeb yesterday, and just rebuilt some machines using it… then spotted this new release expecting to be out of luck for a few days at least. Thanks!
Patrick
Thanks for your quick response. Are the lenny packages ready? So far I can’t see them on php53/oldstable (http://php53.dotdeb.org/dists/oldstable/php5/binary-amd64/)
Guillaume Plessis
@Patrick : packages for Lenny are available on http://php53.dotdeb.org/
Guillaume Plessis
@Patrick : they’ll be ready this week, as soon as I get back a decent internet connection. But if you’re really concerned about security, you should upgrade to Squeeze. Its security support ends today
Piotr Stolc
Hi,
Guillaume, I can’t find any contact on this site so I post this report here. There is a bug in the php5-fpm init script. The reload function is broken. It sends SIGHUP to the master process instead of SIGUSR2. Instead of a graceful reload, the master process dies, leaving children working and not even removing the pidfile (at least on 5.3.6).
Also IMO the stop function should do a graceful shutdown and send SIGQUIT instead of the default SIGTERM.
The solution is simple – just change the --signal parameter of start-stop-daemon from “1” to “USR2” in the reload function and add a “--signal QUIT” parameter in the stop function.
It would be nice to see this bug corrected in dotdeb repo
From the php5-fpm manual:
Once started, php-fpm then responds to several POSIX signals:
SIGINT,SIGTERM immediate termination
SIGQUIT graceful stop
SIGUSR1 re-open log file
SIGUSR2 graceful reload of all workers + reload of fpm conf/binary
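The reload bug described in this report, reproduced as an added example that is neither Dotdeb's init script nor the commenter's code: a throwaway "master" process follows the signal table quoted above (USR2 reloads, the stop signal exits and removes the pidfile, HUP is not handled), so the effect of sending signal 1 instead of USR2 can be observed without a real php-fpm. The directory names and the use of plain kill(1) in place of "start-stop-daemon --signal" are assumptions of the demo; SIGTERM stands in for the stop signal because a background job of a non-interactive shell cannot trap SIGQUIT.

```sh
#!/bin/sh
# Added example, not Dotdeb's /etc/init.d/php5-fpm. A fake "master" mimics
# the signal handling from the php-fpm manual (USR2 = graceful reload,
# TERM = stop, HUP untrapped) to show why reloading with signal 1 (SIGHUP)
# kills the master and leaves a stale pidfile, while SIGUSR2 keeps it alive.
# Assumptions: a POSIX sh with kill(1), and a writable $TMPDIR or /tmp.

DEMO_DIR="${TMPDIR:-/tmp}/fpm-signal-demo.$$"
PIDFILE="$DEMO_DIR/php-fpm.pid"
EVENTS="$DEMO_DIR/events.log"

# Start the fake master in the background and write its pidfile.
# SIGHUP is deliberately left untrapped: as in the report, the default
# action terminates the process without any cleanup.
start_fake_master() {
    mkdir -p "$DEMO_DIR"
    : > "$EVENTS"
    (
        set +e
        trap 'echo reload >> "$EVENTS"' USR2
        trap 'echo stop >> "$EVENTS"; rm -f "$PIDFILE"; exit 0' TERM
        echo started >> "$EVENTS"
        while :; do
            sleep 1 & wait $! || :   # interruptible sleep so traps run at once
        done
    ) &
    echo $! > "$PIDFILE"
    # Do not return before the traps are installed.
    _tries=0
    until grep -q '^started$' "$EVENTS" 2>/dev/null; do
        _tries=$((_tries + 1))
        [ "$_tries" -lt 10 ] || return 1
        sleep 1
    done
}

# Deliver a signal to the pid in the pidfile and give the master a second
# to act: the equivalent of "start-stop-daemon --signal <sig>" in the init
# script, with plain kill(1) so no Debian-specific tool is needed.
signal_master() {
    _pid=$(cat "$PIDFILE") || return 1
    kill -"$1" "$_pid" 2>/dev/null || return 1
    sleep 1
}

# Probe: does the master still react to a reload request? kill(1) may still
# accept a pid that belongs to a zombie, so count "reload" entries written
# by the trap instead of trusting "kill -0".
master_responds() {
    _before=$(grep -c '^reload$' "$EVENTS" || :)
    signal_master USR2 || return 1
    _after=$(grep -c '^reload$' "$EVENTS" || :)
    [ "$_after" -gt "$_before" ]
}

# The reported bug: do_reload() sends signal 1, i.e. SIGHUP. Returns 0 when
# the symptom is reproduced: pidfile still present, master no longer answering.
demo_broken_reload() {
    start_fake_master || return 1
    _pid=$(cat "$PIDFILE")
    signal_master 1 || return 1
    _stale=0
    if [ -f "$PIDFILE" ] && ! master_responds; then
        _stale=1
    fi
    wait "$_pid" 2>/dev/null || :      # reap the killed master
    rm -rf "$DEMO_DIR"
    [ "$_stale" -eq 1 ]
}

# The documented behaviour: SIGUSR2 reloads in place and the master keeps
# answering; the stop signal ends it and the pidfile disappears.
demo_fixed_reload() {
    start_fake_master || return 1
    _pid=$(cat "$PIDFILE")
    _ok=0
    if master_responds && [ -f "$PIDFILE" ]; then
        signal_master TERM || :
        [ -f "$PIDFILE" ] || _ok=1
    fi
    wait "$_pid" 2>/dev/null || :
    rm -rf "$DEMO_DIR"
    [ "$_ok" -eq 1 ]
}

# Stand-alone run: report what each variant does.
if demo_broken_reload; then
    echo "signal 1 (SIGHUP): master gone, stale pidfile left behind"
fi
if demo_fixed_reload; then
    echo "SIGUSR2: reload in place; stop signal: clean shutdown, pidfile removed"
fi
```

On a real system the same check is "reload, then confirm the pid in the pidfile still answers": the stale pidfile after a SIGHUP reload is why a later "stop" or "restart" can report success while orphaned workers keep serving requests. The fix in the init script is exactly the one proposed above: pass USR2 rather than 1 to start-stop-daemon's --signal option in the reload function.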
Guillaume Plessis
@Piotr Stolc : I filed a bug report here : https://github.com/gplessis/dotdeb-php5/issues/2
It will be fixed with the next PHP5 releases.
Nicholas Robinson
Bug filed concerning SAPI error log functionality from php5-fpm_5.3.10-1~dotdeb.1
https://github.com/gplessis/dotdeb-php5/issues/3
Patrick
@Guillaume : Thank you very much! Working great. I will update to Squeeze in the next months
Piotr Stolc
@Guillaume – thank you very much
aa
did anyone notice that X-PHP-Script is not added anymore?
steven
Hello,
are there packages without suhosin? I'm getting a lot of trouble. It seems that suhosin cannot be deactivated, even in simulation mode.
thanks
Guillaume Plessis
@steven : the PHP packages from Dotdeb are patched with the suhosin *patch*, which changes a few portions of code. The best you can do is to make sure to uninstall the php5-suhosin package to get rid of the Suhosin *extension*.
aa
@Guillaume Plessis : what about SMTP header X-PHP-Script? Was it removed from 5.3?
Guillaume Plessis
@aa : are you sure that your “mail.add_x_header” setting is set to “On”?
http://www.php.net/manual/fr/mail.configuration.php#ini.mail.add-x-header
aa
@Guillaume Plessis : sorry, it was off
thank you very much!
Denis
@Guillaume Plessis: how can I remove Suhosin from PHP?
I did ‘aptitude remove php5-suhosin’ and restarted Apache.
But output of php -v is ‘PHP 5.3.3-7+squeeze3 with Suhosin Path (cli)’
How can I remove Suhosin from PHP?
Thanks
Guillaume Plessis
@Denis : Uninstalling php5-suhosin will remove the Suhosin *extension*.
To get rid of the Suhosin *patch*, you’ll have to rebuild php without this patch.
More info : http://www.suhosin.org/
Denis
@Guillaume Plessis:
Thanks for answer.
Is it right that if I rebuild php I lose the possibility to update php by ‘aptitude upgrade’ in the future?
Guillaume Plessis
@Denis : yes, unless you rebuild PHP by yourself at each release
Dave
I’ve noticed a large increase in “Unable to allocate memory for pool.” errors since I upgraded to
PHP 5.3.10-1~dotdeb.1 with Suhosin-Patch (cli) (built: Feb 2 2012 23:28:08)
Has anyone else experienced something similar ?
loadaverage
@Nicholas Robinson: this is a very annoying bug indeed :[
please upvote it
https://bugs.php.net/bug.php?id=61045
Guillaume Plessis
Just thinking : did you try to play with the catch_workers_output setting of each pool and set it explicitly to yes?
; Redirect worker stdout and stderr into main error log. If not set, stdout and
; stderr will be redirected to /dev/null according to FastCGI specs.
; Note: on a high-loaded environment, this can cause some delay in the page
; process time (several ms).
; Default Value: no
catch_workers_output = yes
Eric
Does this include any patches like suPHP, Suhosin or Hardened PHP? I’ve not used these installs before but I’m wondering if there’s a pre-made package for Debian out there, for example from dotdeb.
Guillaume Plessis
@Eric : PHP packages from Dotdeb include the Suhosin patch.
Simon
I seem to be too stupid to install php5.3 on lenny. Can anyone give me some advice?
I added this to my sources.list:
deb http://packages.dotdeb.org oldstable all
deb http://php53.dotdeb.org/ oldstable all
and did an aptitude update (which successfully gets all new updates)
but when doing an aptitude show php5 it still shows php 5.2 from the Debian PHP Maintainers list.
It’s a fresh system, PHP hasn’t been installed so far.
Guillaume Plessis
@Simon : Lenny’s security support has ended and the php53.dotdeb.org repository has been redirected to the regular packages.dotdeb.org.
Lenny’s packages have been moved to http://archives.dotdeb.org/dists/lenny/php5/5.3.10/ . You can fetch them and install them manually.
Please consider upgrading to Squeeze for security reasons.
Simon
@Guillaume: thanks – I need to use lenny for testing purposes. I’ll try installing them manually.
Sameer
Hi,
We have installed php 5.3.10 on squeeze and since this morning have been receiving this error in messages.log
kernel: [2333582.323706] php5[18808]: segfault at 29 ip 00000000006e5272 sp 00007fffa71b4448 error 4 in php5[400000+78e000]
The site seems to be running fine and no errors in apache logs, but was curious as to what this means and how can this be fixed?
Cheers
Guillaume Plessis
@Sameer : could you please try to isolate the guilty portion of code?
Do you use a stock Debian Squeeze with just Dotdeb as third party repository? Which php5 extensions did you install? All of these come from Dotdeb? If you’ve installed php5-suhosin, try to uninstall it and retry.
^Rooker
It looks like the PHP 5.3.x packages are missing/broken for Lenny:
“http://php53.dotdeb.org/dists/lenny/” looks quite empty
The packages do exist on “http://archives.dotdeb.org/dists/lenny/php5/”.
Is that on purpose, or is something broken?
Thanks!
Guillaume Plessis
@Rooker : Since Lenny’s security support ended on Feb 6th, Lenny packages are not present on packages.dotdeb.org anymore, and php53.dotdeb.org redirects to packages.dotdeb.org.
If you want Lenny packages, you can fetch them and install them manually from http://archives.dotdeb.org/dists/lenny/
colamensch
Thanks, everything works fine on vserver with debian 6.0
root@lola:~# php -v
PHP 5.3.10-1~dotdeb.1 with Suhosin-Patch (cli) (built: Feb 2 2012 23:28:08)
Copyright (c) 1997-2012 The PHP Group
Zend Engine v2.3.0, Copyright (c) 1998-2012 Zend Technologies
with Suhosin v0.9.33, Copyright (c) 2007-2012, by SektionEins GmbH
Tom
Does dotdeb work for 10.04 LTS? I have LAMP installed from Ubuntu repo.
When I tried your repo and then tried to upgrade my PHP (apt-get upgrade), it asked if I wanted to keep the current mysql config files. I typed Y and then nothing happened.
Guillaume Plessis
@Tom : Dotdeb is built for Debian stable (Squeeze). It should work on Ubuntu (package dependency problems may occur), but no additional support will be provided.
It’s strange that apt-get asks about your mysql config file if you upgrade PHP
Be sure to restart all the upgraded services (apache, php-fpm, MySQL…), check your log files.
Tom Haupt
I subscribe to a VPS with Debian 5.0. Apparently my hosting service does not have plans to update their VPS products to Debian 6.0 anytime soon but I have need to install at least PHP 5.3. I read your comment above: “If you want Lenny packages, you can fetch them and install them manually from http://archives.dotdeb.org/dists/lenny/“. I have some limited experience with ‘apt-get install’ but it sounds like that option is gone now for PHP5.3.10. Could you please point me in the right direction for learning how to properly do such a manual install?
Guillaume Plessis
@Tom Haupt : download all the packages that you need from http://archives.dotdeb.org/dists/lenny/php5/5.3.10/ and http://archives.dotdeb.org/dists/lenny/php5-pecl/5.3.10/
Then, install them using “dpkg -i *.deb”
Patrick Li
I’m not sure where to do bug report so I’ll do it here.
In /etc/init.d/php5-fpm script, the do_reload() function sends signal 1(?) to php to order a reload. But the signal should really be USR2 according to the man page.
Guillaume Plessis
@Patrick Li : thanks for this feedback. The issue has already been reported and will be fixed in future releases :
https://github.com/gplessis/dotdeb-php5/issues/2
Brian Mercer
Hi Guillaume. Why no source for php5-pecl? I was hoping to recompile your phpredis work for Ubuntu. Thanks.
Guillaume Plessis
@Brian Mercer : php5-pecl packages are a bit special, they’re built from the upstream sources using this script : https://github.com/gplessis/dotdeb-php5-pecl
buliyo
Hi! Is this method safe?
I have installed:
ii libapache2-mod-php5 5.2.6.dfsg.1-1+lenny8 server-side, HTML-embedded scripting languag
ii php5 5.2.6.dfsg.1-1+lenny8 server-side, HTML-embedded scripting languag
ii php5-cli 5.2.6.dfsg.1-1+lenny8 command-line interpreter for the php5 script
ii php5-common 5.2.6.dfsg.1-1+lenny8 Common files for packages built from the php
ii php5-gd 5.2.6.dfsg.1-1+lenny8 GD module for php5
ii php5-imap 5.2.6.dfsg.1-1+lenny8 IMAP module for php5
ii php5-mcrypt 5.2.6.dfsg.1-1+lenny8 MCrypt module for php5
ii php5-mysql 5.2.6.dfsg.1-1+lenny8 MySQL module for php5
ii php5-sqlite 5.2.6.dfsg.1-1+lenny8 SQLite module for php5
ii php5-xsl 5.2.6.dfsg.1-1+lenny8 XSL module for php5
Guillaume Plessis
@buliyo : what’s the point? You’re using PHP packages from Debian, not from Dotdeb
buliyo
I tried dpkg -i *.deb
http://pastebin.com/ZFn0ZSFZ
What should I add too?
What should be installed first?
Guillaume Plessis
@buliyo : the dpkg error messages say that libonig2 is missing.
Try to run “apt-get -f install”, see what APT will install/uninstall, then relaunch “dpkg -i *.deb”.
buliyo
And what about:
Package libapache2-mod-php5filter is not installed.
Package php5-cgi is not installed.
Package php5-fpm is not installed.
Package libonig2 is not installed.
Package phpapi-20090626+lfs is not installed.
How do I add these manually?
Where can I find these in a good version?
I restored 5.2.6:
dpkg -i *.deb
libapache2-mod-php5_5.2.6.dfsg.1-1+lenny16_i386.deb
php5-gd_5.2.6.dfsg.1-1+lenny16_i386.deb
php5-sqlite_5.2.6.dfsg.1-1+lenny16_i386.deb
php5_5.2.6.dfsg.1-1+lenny16_all.deb
php5-imap_5.2.6.dfsg.1-1+lenny16_i386.deb
php5-xsl_5.2.6.dfsg.1-1+lenny16_i386.deb
php5-cli_5.2.6.dfsg.1-1+lenny16_i386.deb
php5-mcrypt_5.2.6.dfsg.1-1+lenny16_i386.deb
php5-common_5.2.6.dfsg.1-1+lenny16_i386.deb
php5-mysql_5.2.6.dfsg.1-1+lenny16_i386.deb
Guillaume Plessis
@buliyo : once you have installed libapache2-mod-php5, there will be no more error message about libapache2-mod-php5filter, php5-cgi or php5-fpm “is not installed”. Relaunch your dpkg -i *.deb
And what about upgrading to a security-maintained distribution, such as Squeeze?
buliyo
What sources should I have before running:
apt-get -f install?
cat /etc/debian_version
5.0.4
Guillaume Plessis
@buliyo : This line should fit :
deb http://archive.debian.org/debian/ lenny contrib main non-free
But, once again, upgrading to Squeeze should be a better idea.
buliyo
My old lenny sources are unavailable.. :<
I should try install only:
dpkg -i libapache2-mod-php5_5.3.10-1~dotdeb.0_i386.deb
and after this:
dpkg -i *.deb ?
buliyo
I can’t upgrade Linux to stable today because this is a working machine with 40 webpages..
If I do something bad…. Oughhhhhhh..
Guillaume Plessis
Update your sources.list with only the above line! Then “apt-get update && apt-get -f install”. Then dpkg -i *5.3.10*deb
Read the error messages, read the man pages. The comments here are not a support forum. And please consider using an actual distribution!
Guillaume Plessis
If it has to work “as is”, don’t upgrade to PHP 5.3 either.
buliyo
I need 5.3.6
Guillaume Plessis
Then, why are you trying to install 5.3.10?
buliyo
I think that this is better..
André
Hi Guillaume,
thank you for your work.
I noticed that upon installing 5310 on Oneiric, session.save_path has no value (/tmp is commented out in both the apache and cli ini files). Unless I set it explicitly in either ini file, session support is off.
On the other hand if I setup php 536 from Ubuntu’s repo I get session support by default in /var/lib/php5 ALTHOUGH it is commented out in ini files.
If I run php -n -i, 5310@dotdeb shows no value for session.save_path while 536@ubunturepo shows /var/lib/php5.
It is not a big deal but I was wondering if any compile options used in dotdeb might be responsible for the difference? Is it --disable-session?
Thank you for any feedback.
Guillaume Plessis
@André : take a look at a phpinfo() or play with ini_get to know the current value of a configuration directive or to know if an extension is enabled : even if a directive has been commented in php.ini, it could have a default value.
About the sessions, they’re enabled (a phpinfo() will tell you so) and can be stored in any existing and writable directory (/tmp and /var/lib/php5 should work). Please check that.
André
@Guillaume.
Thank you for your answer. I believe I was not clear about my question : I’ve looked everywhere and couldn’t find why Ubuntu’s repo has a session directory set while dotdeb doesn’t.
That is what led me to think it had to do with compile-time setup, since no ini or conf file had anything pointing at session.save_path.
Bah anyway…thanks.
Andreas
Hi Guillaume,
I’m using php-fpm with dotdeb’s 5.3 packages and I’m trying to log the error_log to syslog. It works basically but there are two caveats:
1) pool name “pool mypool:” is inserted but the first character is cut off, so only “ool mypool:” is written to syslog.
2) How do I define the syslog facility to use? Right now I have log entries in 3 files: /var/log/syslog|user.log|messages.
Thank you
Guillaume Plessis
@Andreas : syslog.facility should do the trick.
http://git.php.net/?p=php-src.git;a=blob_plain;f=sapi/fpm/php-fpm.conf.in;hb=HEAD
Andreas
Oh, thanks, I thought that the setting in php-fpm.conf is only related to FPM itself and not the error_log command for its children. This works now!
Is there any way to fix the truncated “p” of “pool” in the programname logged to syslog?
I know, it’s just cosmetics but
gavin
I am getting the following errors
Operating System – ubuntu 12.04 64 bit
Issue: Certain php packages like php5-xdebug, when installed from the dotdeb repository, throw the errors below.
root@m4500ubuntu:/home/gavin# apt-get install php5-xdebug php5-dbg php5-dev
Reading package lists… Done
Building dependency tree
Reading state information… Done
php5-dev is already the newest version.
php5-dev set to manually installed.
Some packages could not be installed. This may mean that you have
requested an impossible situation or if you are using the unstable
distribution that some required packages have not yet been created
or been moved out of Incoming.
The following information may help to resolve the situation:
The following packages have unmet dependencies:
php5-xdebug : Depends: php5-common (= 5.3.10-1~dotdeb.1) but 5.3.10-1ubuntu3 is to be installed
E: Unable to correct problems, you have held broken packages.
Guillaume Plessis
@gavin : Dotdeb is made for Debian, not for Ubuntu. Such dependency problems can occur, especially with the latest 12.04 release.
My advice : stick to the PHP 5.3.10 Ubuntu packages. Remove Dotdeb from your sources.list.
Bapxido
I am a newbie to PHP. I’m trying to go through a Zend framework tutorial and every time I try to execute a php script, the content of the script is printed on the terminal. I’m using Debian with PHP 5.3.13-1~dotdeb.0 with Suhosin-Patch (cli) (built: May 8 2012 21:47:56)
Copyright (c) 1997-2012 The PHP Group
Zend Engine v2.3.0, Copyright (c) 1998-2012 Zend Technologies with Suhosin v0.9.33, Copyright (c) 2007-2012, by SektionEins GmbH
Bapxido
I have short_open_tags set to “Off” in php.ini, and changed it to “On” and now works thanks.