Posted by & filed under PHP.

A few hours ago, PHP 5.3.10 was released by the PHP Group. It's an important security update for PHP 5.3.9 users: Stefan Esser discovered a remotely exploitable bug, introduced with PHP 5.3.9's max_input_vars directive (CVE-2012-0830). You really should upgrade as soon as possible.

Packages of PHP 5.3.10 are now available for:

  • both Debian 6.0 “Squeeze” and Debian 5.0 “Lenny”,
  • both amd64 and i386 architectures.

(Lenny packages will be available on php53.dotdeb.org for two weeks before being migrated to archives.dotdeb.org because of the end of Lenny's security support.)

72 Responses to “Security update : PHP 5.3.10”

  1. Matt

    Really impressed – I only discovered dotdeb yesterday, and just rebuilt some machines using it… then spotted this new release expecting to be out of luck for a few days at least. Thanks!

    Reply
  2. Guillaume Plessis

    @Patrick: they'll be ready this week, as soon as I get back a decent internet connection. But if you're really concerned about security, you should upgrade to Squeeze. Its security support ends today.

    Reply
  3. Piotr Stolc

    Hi,

    Guillaume, I can't find any contact on this site so I post this report here. There is a bug in the php5-fpm init script. The reload function is broken. It sends SIGHUP to the master process instead of SIGUSR2. Instead of a graceful reload the master process dies, leaving the children working and not even removing the pidfile (at least on 5.3.6).

    Also IMO the stop function should do graceful shutdown and send SIGQUIT instead of the default SIGTERM.

    The solution is simple: just change the --signal parameter of start-stop-daemon from "1" to "USR2" in the reload function and add a "--signal QUIT" parameter in the stop function.

    It would be nice to see this bug corrected in dotdeb repo :)

    From the php5-fpm manual:
    Once started, php-fpm then responds to several POSIX signals:

    SIGINT,SIGTERM immediate termination
    SIGQUIT graceful stop
    SIGUSR1 re-open log file
    SIGUSR2 graceful reload of all workers + reload of fpm conf/binary

    Reply
  4. steven

    Hello,

    Are there packages without suhosin? I'm getting much trouble. It seems that suhosin cannot be deactivated, even in simulation mode.

    thanks

    Reply
  5. Guillaume Plessis

    @steven: the PHP packages from Dotdeb are patched with the suhosin *patch*, which changes a few portions of code. The best you can do is to make sure to uninstall the php5-suhosin package to get rid of the Suhosin *extension*.

    Reply
  6. Denis

    @Guillaume Plessis: how can I remove Suhosin from PHP?

    I did 'aptitude remove php5-suhosin' and restarted Apache.

    But the output of php -v is 'PHP 5.3.3-7+squeeze3 with Suhosin Path (cli)'

    How can I remove Suhosin from PHP?

    Thanks

    Reply
  7. Denis

    @Guillaume Plessis:
    Thanks for answer.

    Is it right that if I rebuild PHP I lose the possibility of updating PHP with 'aptitude upgrade' in the future?

    Reply
  8. Dave

    I’ve noticed a large increase in “Unable to allocate memory for pool.” errors since I upgraded to

    PHP 5.3.10-1~dotdeb.1 with Suhosin-Patch (cli) (built: Feb 2 2012 23:28:08)

    Has anyone else experienced something similar ?

    Reply
  9. Guillaume Plessis

    Just thinking : did you try to play with the catch_workers_output setting of each pool and set it explicitly to yes?

    ; Redirect worker stdout and stderr into main error log. If not set, stdout and
    ; stderr will be redirected to /dev/null according to FastCGI specs.
    ; Note: on highloaded environement, this can cause some delay in the page
    ; process time (several ms).
    ; Default Value: no
    catch_workers_output = yes

    Reply
  10. Eric

    Does this include any patches like suPHP, Suhosin or Hardened PHP? I've not used these installs before but I'm wondering if there's a pre-made package for Debian out there, for example from dotdeb.

    Reply
  11. Simon

    I seem to be too stupid to install php5.3 on lenny. Can anyone give me some advice?

    I added this to my sources.list:
    deb http://packages.dotdeb.org oldstable all
    deb http://php53.dotdeb.org/ oldstable all

    and did an aptitude update (which successfully gets all new updates)

    but when doing an aptitude show php5 it still shows php 5.2 from the Debian PHP Maintainers list.

    It’s a fresh system, PHP hasn’t been installed so far.

    Reply
  12. Simon

    @Guillaume: thanks – I need to use lenny for testing purposes. I’ll try installing them manually.

    Reply
  13. Sameer

    Hi,

    We have installed php 5.3.10 on squeeze and since this morning have been receiving this error in messages.log

    kernel: [2333582.323706] php5[18808]: segfault at 29 ip 00000000006e5272 sp 00007fffa71b4448 error 4 in php5[400000+78e000]

    The site seems to be running fine and no errors in apache logs, but was curious as to what this means and how can this be fixed?

    Cheers

    Reply
  14. Guillaume Plessis

    @Sameer : could you please try to isolate the guilty portion of code?
    Do you use a stock Debian Squeeze with just Dotdeb as third party repository? Which php5 extensions did you install? All of these come from Dotdeb? If you’ve installed php5-suhosin, try to uninstall it and retry.

    Reply
  15. ^Rooker

    It looks like the PHP 5.3.x packages are missing/broken for Lenny:

    “http://php53.dotdeb.org/dists/lenny/” looks quite empty :(

    The packages do exist on “http://archives.dotdeb.org/dists/lenny/php5/”.

    Is that on purpose, or is something broken?
    Thanks!

    Reply
  16. colamensch

    Thanks, everything works fine on vserver with debian 6.0

    root@lola:~# php -v
    PHP 5.3.10-1~dotdeb.1 with Suhosin-Patch (cli) (built: Feb 2 2012 23:28:08)
    Copyright (c) 1997-2012 The PHP Group
    Zend Engine v2.3.0, Copyright (c) 1998-2012 Zend Technologies
    with Suhosin v0.9.33, Copyright (c) 2007-2012, by SektionEins GmbH

    Reply
  17. Tom

    Does dotdeb work for 10.04 LTS? I have LAMP installed from Ubuntu repo.

    When I tried your repo and then tried to upgrade my PHP (apt-get upgrade), it asked if I wanted to keep the current mysql config files. I typed Y and then nothing happened.

    Reply
  18. Guillaume Plessis

    @Tom: Dotdeb is built for Debian stable (Squeeze). It should work on Ubuntu (package dependency problems may occur), but no additional support will be provided.

    It's strange that apt-get asks about your mysql config file if you upgrade PHP :) Be sure to restart all the upgraded services (apache, php-fpm, MySQL…), check your log files.

    Reply
  19. Tom Haupt

    I subscribe to a VPS with Debian 5.0. Apparently my hosting service does not have plans to update their VPS products to Debian 6.0 anytime soon but I need to install at least PHP 5.3. I read your comment above: "If you want Lenny packages, you can fetch them and install them manually from http://archives.dotdeb.org/dists/lenny/". I have some limited experience with 'apt-get install' but it sounds like that option is gone now for PHP 5.3.10. Could you please point me in the right direction for learning how to properly do such a manual install?

    Reply
  20. Patrick Li

    I’m not sure where to do bug report so I’ll do it here.

    In /etc/init.d/php5-fpm script, the do_reload() function sends signal 1(?) to php to order a reload. But the signal should really be USR2 according to the man page.

    Reply
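    The init-script fix reported in comments 3 and 20, written out as an added example (not Dotdeb's own /etc/init.d/php5-fpm): the corrected reload and stop actions use the signals from the php-fpm manual quoted above, and a check confirms the master is still alive after the reload. The pidfile path, the --name value, the --retry fallback and the SSD dry-run variable are assumptions for a Debian layout.

```shell
#!/bin/sh
# Illustrative php5-fpm init-script helpers (added example, not Dotdeb's
# /etc/init.d/php5-fpm). Signal names come from the php-fpm manual quoted in
# the thread: USR2 = graceful reload, QUIT = graceful stop. The reported bug
# was "--signal 1" (SIGHUP), whose default disposition terminates the master
# while its workers keep running and the pidfile is left behind.
# PIDFILE, NAME and the --name/--retry options are assumptions.
PIDFILE=${PIDFILE:-/var/run/php5-fpm.pid}
NAME=${NAME:-php5-fpm}
# SSD lets a dry run substitute "echo" for start-stop-daemon.
SSD=${SSD:-start-stop-daemon}

do_reload() {
    # Graceful reload of all workers plus re-read of the FPM config/binary.
    $SSD --stop --signal USR2 --quiet --pidfile "$PIDFILE" --name "$NAME"
}

do_stop() {
    # Graceful stop: in-flight requests finish, then the master exits and
    # removes its pidfile. --retry 30 escalates to KILL after 30 s if the
    # master ignores QUIT.
    $SSD --stop --signal QUIT --retry 30 --quiet --pidfile "$PIDFILE" --name "$NAME"
}

# Returns 0 if the pid recorded in PIDFILE is still running (kill -0 needs
# permission to signal the process, so run this as root or the FPM user).
master_alive() {
    [ -r "$PIDFILE" ] && kill -0 "$(cat "$PIDFILE")" 2>/dev/null
}

# Reload, then verify that the master survived, which is exactly what the
# SIGHUP variant failed to do on 5.3.6.
reload_and_check() {
    do_reload || return 1
    sleep 1
    if master_alive; then
        echo "php5-fpm master reloaded and still running"
    else
        echo "php5-fpm master is gone after reload; check the init script signal" >&2
        return 1
    fi
}
```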
  21. Brian Mercer

    Hi Guillaume. Why no source for php5-pecl? I was hoping to recompile your phpredis work for Ubuntu. Thanks.

    Reply
  22. buliyo

    Hi! Is this method safe?
    I have installed:
    ii libapache2-mod-php5 5.2.6.dfsg.1-1+lenny8 server-side, HTML-embedded scripting languag
    ii php5 5.2.6.dfsg.1-1+lenny8 server-side, HTML-embedded scripting languag
    ii php5-cli 5.2.6.dfsg.1-1+lenny8 command-line interpreter for the php5 script
    ii php5-common 5.2.6.dfsg.1-1+lenny8 Common files for packages built from the php
    ii php5-gd 5.2.6.dfsg.1-1+lenny8 GD module for php5
    ii php5-imap 5.2.6.dfsg.1-1+lenny8 IMAP module for php5
    ii php5-mcrypt 5.2.6.dfsg.1-1+lenny8 MCrypt module for php5
    ii php5-mysql 5.2.6.dfsg.1-1+lenny8 MySQL module for php5
    ii php5-sqlite 5.2.6.dfsg.1-1+lenny8 SQLite module for php5
    ii php5-xsl 5.2.6.dfsg.1-1+lenny8 XSL module for php5

    Reply
  23. Guillaume Plessis

    @buliyo : the dpkg error messages say that libonig2 is missing.

    Try to run “apt-get -f install”, see what APT will install/uninstall, then relaunch “dpkg -i *.deb”.

    Reply
  24. buliyo

    and what about:
    Package libapache2-mod-php5filter is not installed.
    Package php5-cgi is not installed.
    Package php5-fpm is not installed.
    Package libonig2 is not installed.
    Package phpapi-20090626+lfs is not installed.
    How do I add these manually?
    Where can I find these in a good version?
    I restored 5.2.6:
    dpkg -i *.deb
    libapache2-mod-php5_5.2.6.dfsg.1-1+lenny16_i386.deb
    php5-gd_5.2.6.dfsg.1-1+lenny16_i386.deb
    php5-sqlite_5.2.6.dfsg.1-1+lenny16_i386.deb
    php5_5.2.6.dfsg.1-1+lenny16_all.deb
    php5-imap_5.2.6.dfsg.1-1+lenny16_i386.deb
    php5-xsl_5.2.6.dfsg.1-1+lenny16_i386.deb
    php5-cli_5.2.6.dfsg.1-1+lenny16_i386.deb
    php5-mcrypt_5.2.6.dfsg.1-1+lenny16_i386.deb
    php5-common_5.2.6.dfsg.1-1+lenny16_i386.deb
    php5-mysql_5.2.6.dfsg.1-1+lenny16_i386.deb

    Reply
  25. Guillaume Plessis

    @buliyo: once you have installed libapache2-mod-php5, there will be no more error messages about libapache2-mod-php5filter, php5-cgi or php5-fpm "is not installed". Relaunch your dpkg -i *.deb

    And what about upgrading to a security-maintained distribution, such as Squeeze?

    Reply
  26. buliyo

    What sources should I have before running:
    apt-get -f install?
    cat /etc/debian_version
    5.0.4

    Reply
  27. buliyo

    My old lenny sources are unavailable.. :<
    I should try to install only:
    dpkg -i libapache2-mod-php5_5.3.10-1~dotdeb.0_i386.deb

    and after this:
    dpkg -i *.deb ?

    Reply
  28. buliyo

    I can't upgrade Linux to stable today because this is a working machine with 40 webpages..
    If I do something bad…. Oughhhhhhh..

    Reply
  29. Guillaume Plessis

    Update your sources.list with only the above line! Then “apt-get update && apt-get -f install”. Then dpkg -i *5.3.10*deb

    Read the error messages, read the man pages. The comments here are not a support forum. And please consider using an actual distribution!

    Reply
  30. André

    Hi Guillaume,
    thank you for your work.
    I noticed that upon installing 5310 on Oneiric, session.save_path has no value (/tmp is commented out in both apache and cli). Unless I set it explicitly in either ini file, session support is off.
    On the other hand, if I set up php 536 from Ubuntu's repo I get session support by default in /var/lib/php5 ALTHOUGH it is commented out in the ini files.
    If I run php -n -i, 5310@dotdeb shows no value for session.save_path while 536@ubunturepo shows /var/lib/php5.
    It is not a big deal but I was wondering if any compile options used in dotdeb might be responsible for the difference? Is it --disable-session?
    Thank you for any feedback.

    Reply
  31. Guillaume Plessis

    @André: take a look at a phpinfo() or play with ini_get to know the current value of a configuration directive or whether an extension is enabled: even if a directive has been commented out in php.ini, it could have a default value.
    About the sessions, they’re enabled (a phpinfo() will tell you so) and can be stored in any existing and writable directory (/tmp and /var/lib/php5 should work). Please check that.

    Reply
  32. André

    @Guillaume.
    Thank you for your answer. I believe I was not clear about my question: I've looked everywhere and couldn't find why Ubuntu's repo has the session directory set while dotdeb doesn't.
    That is what led me to think it had to do with the compile-time setup, since no ini or conf file had anything pointing at session.save_path.
    Bah anyway…thanks.

    Reply
  33. Andreas

    Hi Guillaume,

    I'm using php-fpm with dotdeb's 5.3 packages and I'm trying to log the error_log to syslog. It basically works, but there are two caveats:

    1) pool name “pool mypool:” is inserted but the first character is cut off, so only “ool mypool:” is written to syslog.

    2) How do I define the syslog facility to use? Right now I have log entries in 3 files: /var/log/syslog|user.log|messages.

    Thank you

    Reply
  34. Andreas

    Oh, thanks, I thought that the setting in php-fpm.conf was only related to FPM itself and not to the error_log command for its children. This works now!

    Is there any way to fix the truncated “p” of “pool” in the programname logged to syslog?

    I know, it’s just cosmetics but :-)

    Reply
  35. gavin

    I am getting the following errors.
    Operating System: ubuntu 12.04 64 bit
    Issue: installing certain PHP packages like php5-xdebug from the dotdeb repository throws the errors below.

    root@m4500ubuntu:/home/gavin# apt-get install php5-xdebug php5-dbg php5-dev
    Reading package lists… Done
    Building dependency tree
    Reading state information… Done
    php5-dev is already the newest version.
    php5-dev set to manually installed.
    Some packages could not be installed. This may mean that you have
    requested an impossible situation or if you are using the unstable
    distribution that some required packages have not yet been created
    or been moved out of Incoming.
    The following information may help to resolve the situation:

    The following packages have unmet dependencies:
    php5-xdebug : Depends: php5-common (= 5.3.10-1~dotdeb.1) but 5.3.10-1ubuntu3 is to be installed
    E: Unable to correct problems, you have held broken packages.

    Reply
  36. Guillaume Plessis

    @gavin: Dotdeb is made for Debian, not for Ubuntu. Such dependency problems can occur, especially with the latest 12.04 release.

    My advice : stick to the PHP 5.3.10 Ubuntu packages. Remove Dotdeb from your sources.list.

    Reply
  37. Bapxido

    I am a newbie to PHP, I'm trying to go through a Zend framework tutorial and every time I try to execute a php script, the content of the script is printed on the terminal. I'm using Debian with PHP 5.3.13-1~dotdeb.0 with Suhosin-Patch (cli) (built: May 8 2012 21:47:56)
    Copyright (c) 1997-2012 The PHP Group
    Zend Engine v2.3.0, Copyright (c) 1998-2012 Zend Technologies with Suhosin v0.9.33, Copyright (c) 2007-2012, by SektionEins GmbH

    Reply
  38. Bapxido

    I had short_open_tags set to "Off" in php.ini, changed it to "On" and now it works, thanks.

    Reply
