
Security update : PHP 5.3.10

A few hours ago, PHP 5.3.10 was released by the PHP Group. It’s an important security update for PHP 5.3.9 users: Stefan Esser discovered a remotely exploitable bug, introduced with PHP 5.3.9’s max_input_vars directive (CVE-2012-0830). You really should upgrade as soon as possible.

Packages of PHP 5.3.10 are now available for:

  • both Debian 6.0 “Squeeze” and Debian 5.0 “Lenny”,
  • both amd64 and i386 architectures.

(Lenny packages will be available on php53.dotdeb.org for two weeks before being migrated to archives.dotdeb.org, because of the end of Lenny’s security support.)

72 replies on “Security update : PHP 5.3.10”

Really impressed – I only discovered dotdeb yesterday, and just rebuilt some machines using it… then spotted this new release expecting to be out of luck for a few days at least. Thanks!

@Patrick: they’ll be ready this week, as soon as I get back a decent internet connection. But if you’re really concerned about security, you should upgrade to Squeeze. Its security support ends today.

Hi,

Guillaume, I can’t find any contact on this site, so I post this report here. There is a bug in the php5-fpm init script. The reload function is broken. It sends SIGHUP to the master process instead of SIGUSR2. Instead of a graceful reload, the master process dies, leaving the children working and not even removing the pidfile (at least on 5.3.6).

Also IMO the stop function should do graceful shutdown and send SIGQUIT instead of the default SIGTERM.

The solution is simple – just change the --signal parameter of start-stop-daemon from “1” to “USR2” in the reload function and add a “--signal QUIT” parameter in the stop function.

It would be nice to see this bug corrected in dotdeb repo 🙂

From the php5-fpm manual:
Once started, php-fpm then responds to several POSIX signals:

SIGINT,SIGTERM immediate termination
SIGQUIT graceful stop
SIGUSR1 re-open log file
SIGUSR2 graceful reload of all workers + reload of fpm conf/binary

Hello,

are there packages without suhosin? I’m getting a lot of trouble. It seems that suhosin cannot be deactivated, even in simulation mode.

thanks

@steven: the PHP packages from Dotdeb are patched with the suhosin *patch*, which changes a few portions of code. The best you can do is to make sure to uninstall the php5-suhosin package to get rid of the Suhosin *extension*.

@Guillaume Plessis: how can I remove Suhosin from PHP?

I did ‘aptitude remove php5-suhosin’. Restart Apache

But output of php -v is ‘PHP 5.3.3-7+squeeze3 with Suhosin Path (cli)’

How can I remove Suhosin from PHP?

Thanks

@Guillaume Plessis:
Thanks for answer.

Is it right that if I rebuild PHP, I lose the possibility to update PHP with ‘aptitude upgrade’ in the future?

I’ve noticed a large increase in “Unable to allocate memory for pool.” errors since I upgraded to

PHP 5.3.10-1~dotdeb.1 with Suhosin-Patch (cli) (built: Feb 2 2012 23:28:08)

Has anyone else experienced something similar?

Just thinking: did you try to play with the catch_workers_output setting of each pool and set it explicitly to yes?

; Redirect worker stdout and stderr into main error log. If not set, stdout and
; stderr will be redirected to /dev/null according to FastCGI specs.
; Note: on highloaded environement, this can cause some delay in the page
; process time (several ms).
; Default Value: no
catch_workers_output = yes

Does this include any patches like suPHP, Suhosin or Hardened PHP? I’ve not used these installs before, but I’m wondering if there’s a pre-made package for Debian out there, for example from dotdeb.

I seem to be too stupid to install php5.3 on lenny. Can anyone give me advice?

I added this to my sources.list:
deb http://packages.dotdeb.org oldstable all
deb http://php53.dotdeb.org/ oldstable all

and did an aptitude update (which successfully gets all new updates),

but when doing an aptitude show php5 it still shows php 5.2 from the Debian PHP Maintainers list.

It’s a fresh system, PHP hasn’t been installed so far.

Hi,

We have installed php 5.3.10 on squeeze and since this morning have been receiving this error in messages.log

kernel: [2333582.323706] php5[18808]: segfault at 29 ip 00000000006e5272 sp 00007fffa71b4448 error 4 in php5[400000+78e000]

The site seems to be running fine and no errors in apache logs, but was curious as to what this means and how can this be fixed?

Cheers

@Sameer: could you please try to isolate the guilty portion of code?
Do you use a stock Debian Squeeze with just Dotdeb as a third-party repository? Which php5 extensions did you install? Do all of these come from Dotdeb? If you’ve installed php5-suhosin, try to uninstall it and retry.

It looks like the PHP 5.3.x packages are missing/broken for Lenny:

“http://php53.dotdeb.org/dists/lenny/” looks quite empty 🙁

The packages do exist on “http://archives.dotdeb.org/dists/lenny/php5/”.

Is that on purpose, or is something broken?
Thanks!

Thanks, everything works fine on a vserver with Debian 6.0

root@lola:~# php -v
PHP 5.3.10-1~dotdeb.1 with Suhosin-Patch (cli) (built: Feb 2 2012 23:28:08)
Copyright (c) 1997-2012 The PHP Group
Zend Engine v2.3.0, Copyright (c) 1998-2012 Zend Technologies
with Suhosin v0.9.33, Copyright (c) 2007-2012, by SektionEins GmbH

Does dotdeb work for 10.04 LTS? I have LAMP installed from Ubuntu repo.

When I tried your repo and then tried to upgrade my PHP (apt-get upgrade), it asked if I wanted to keep the current mysql config files. I typed Y and then nothing happened.

@Tom: Dotdeb is built for Debian stable (Squeeze). It should work on Ubuntu (package dependency issues may occur), but no additional support will be provided.

It’s strange that apt-get asks about your mysql config file if you upgrade PHP 🙂 Be sure to restart all the upgraded services (apache, php-fpm, MySQL…) and check your log files.

I subscribe to a VPS with Debian 5.0. Apparently my hosting service does not have plans to update their VPS products to Debian 6.0 anytime soon, but I need to install at least PHP 5.3. I read your comment above: “If you want Lenny packages, you can fetch them and install them manually from http://archives.dotdeb.org/dists/lenny/“. I have some limited experience with ‘apt-get install’, but it sounds like that option is gone now for PHP 5.3.10. Could you please point me in the right direction for learning how to properly do such a manual install?

I’m not sure where to do bug report so I’ll do it here.

In the /etc/init.d/php5-fpm script, the do_reload() function sends signal 1(?) to php to order a reload. But the signal should really be USR2 according to the man page.
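The init-script bug reported twice in this thread (reload sending SIGHUP instead of SIGUSR2, and stop defaulting to SIGTERM instead of SIGQUIT) comes down to mapping each init action to the signal the php-fpm manual lists and delivering it to the master process. The following sh functions are an added example, not the dotdeb init script or php-fpm’s own code; the pidfile path, the action names and the `fpm_send` function are assumptions, and it uses plain `kill` instead of start-stop-daemon so it runs anywhere.

```shell
#!/bin/sh
# Added example: map init-script actions to the POSIX signals php-fpm
# documents, then deliver the signal to the master pid from the pidfile.
# Refuses to signal anything when the pidfile is missing, malformed or
# stale, so a bad reload never hits an unrelated process.

# Signal php-fpm expects for each action (names as in the php-fpm manual).
fpm_signal_for() {
    case "$1" in
        reload) echo USR2 ;;   # graceful reload of workers + conf/binary
        stop)   echo QUIT ;;   # graceful stop (workers finish requests)
        kill)   echo TERM ;;   # immediate termination
        reopen) echo USR1 ;;   # re-open log file
        *)      return 1 ;;    # unknown action
    esac
}

# fpm_send ACTION PIDFILE
# exit 0: signal sent; 1: pidfile unreadable, non-numeric or stale; 2: bad action
fpm_send() {
    action=$1
    pidfile=$2
    sig=$(fpm_signal_for "$action") || return 2
    [ -r "$pidfile" ] || return 1
    pid=$(head -n 1 "$pidfile" | tr -d '[:space:]')
    case "$pid" in
        ''|*[!0-9]*) return 1 ;;            # never run "kill -s USR2 ''"
    esac
    kill -0 "$pid" 2>/dev/null || return 1   # process gone: stale pidfile
    kill -s "$sig" "$pid"
}

# Assumed pidfile location; adjust to the one in your php-fpm.conf.
# Usage: fpm_send reload /var/run/php5-fpm.pid
```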

Hi Guillaume. Why no source for php5-pecl? I was hoping to recompile your phpredis work for Ubuntu. Thanks.

Hi! Is this method safe?
I have installed:
ii libapache2-mod-php5 5.2.6.dfsg.1-1+lenny8 server-side, HTML-embedded scripting languag
ii php5 5.2.6.dfsg.1-1+lenny8 server-side, HTML-embedded scripting languag
ii php5-cli 5.2.6.dfsg.1-1+lenny8 command-line interpreter for the php5 script
ii php5-common 5.2.6.dfsg.1-1+lenny8 Common files for packages built from the php
ii php5-gd 5.2.6.dfsg.1-1+lenny8 GD module for php5
ii php5-imap 5.2.6.dfsg.1-1+lenny8 IMAP module for php5
ii php5-mcrypt 5.2.6.dfsg.1-1+lenny8 MCrypt module for php5
ii php5-mysql 5.2.6.dfsg.1-1+lenny8 MySQL module for php5
ii php5-sqlite 5.2.6.dfsg.1-1+lenny8 SQLite module for php5
ii php5-xsl 5.2.6.dfsg.1-1+lenny8 XSL module for php5

@buliyo : the dpkg error messages say that libonig2 is missing.

Try to run “apt-get -f install”, see what APT will install/uninstall, then relaunch “dpkg -i *.deb”.

and what about:
Package libapache2-mod-php5filter is not installed.
Package php5-cgi is not installed.
Package php5-fpm is not installed.
Package libonig2 is not installed.
Package phpapi-20090626+lfs is not installed.
how do I add these manually?
where can I find these in a good version?
I restored 5.2.6:
dpkg -i *.deb
libapache2-mod-php5_5.2.6.dfsg.1-1+lenny16_i386.deb
php5-gd_5.2.6.dfsg.1-1+lenny16_i386.deb
php5-sqlite_5.2.6.dfsg.1-1+lenny16_i386.deb
php5_5.2.6.dfsg.1-1+lenny16_all.deb
php5-imap_5.2.6.dfsg.1-1+lenny16_i386.deb
php5-xsl_5.2.6.dfsg.1-1+lenny16_i386.deb
php5-cli_5.2.6.dfsg.1-1+lenny16_i386.deb
php5-mcrypt_5.2.6.dfsg.1-1+lenny16_i386.deb
php5-common_5.2.6.dfsg.1-1+lenny16_i386.deb
php5-mysql_5.2.6.dfsg.1-1+lenny16_i386.deb

@buliyo: once you have installed libapache2-mod-php5, there will be no more error messages about libapache2-mod-php5filter, php5-cgi or php5-fpm “is not installed”. Relaunch your dpkg -i *.deb

And what about upgrading to a security-maintained distribution, such as Squeeze?

What sources should I have before running:
apt-get -f install?
cat /etc/debian_version
5.0.4

My old lenny sources are unavailable.. :<
Should I try installing only:
dpkg -i libapache2-mod-php5_5.3.10-1~dotdeb.0_i386.deb

and after this:
dpkg -i *.deb ?

I can’t upgrade Linux to stable today because this is a working machine with 40 webpages..
If I do something bad…. Oughhhhhhh..

Update your sources.list with only the above line! Then “apt-get update && apt-get -f install”. Then dpkg -i *5.3.10*deb

Read the error messages, read the man pages. The comments here are not a support forum. And please consider using an actual distribution!

Hi Guillaume,
thank you for your work.
I noticed that upon installing 5310 on Oneiric, session.save_path has no value (/tmp is commented out in both apache and cli). Unless I set it explicitly in either ini file, session support is off.
On the other hand, if I set up php 536 from Ubuntu’s repo, I get session support by default in /var/lib/php5 ALTHOUGH it is commented out in the ini files.
If I run php -n -i, 5310@dotdeb shows no value for session.save_path while 536@ubunturepo shows /var/lib/php5.
It is not a big deal, but I was wondering if any compile options used in dotdeb might be responsible for the difference? Is it --disable-session?
Thank you for any feedback.

@André: take a look at a phpinfo() or play with ini_get to know the current value of a configuration directive or to know if an extension is enabled: even if a directive has been commented out in php.ini, it could have a default value.
About the sessions, they’re enabled (a phpinfo() will tell you so) and can be stored in any existing and writable directory (/tmp and /var/lib/php5 should work). Please check that.

@Guillaume.
Thank you for your answer. I believe I was not clear about my question: I’ve looked everywhere and couldn’t find why Ubuntu’s repo has the session directory set while dotdeb doesn’t.
That is what led me to think it had to do with the compile-time setup, since no ini or conf file had anything pointing at session.save_path.
Bah anyway…thanks.

Hi Guillaume,

I’m using php-fpm with dotdeb’s 5.3 packages and I’m trying to log the error_log to syslog. It works basically, but there are two caveats:

1) pool name “pool mypool:” is inserted but the first character is cut off, so only “ool mypool:” is written to syslog.

2) how to define the syslog facility to use? Right now I have log entries in 3 files: /var/log/syslog|user.log|messages.

Thank you

Oh, thanks, I thought that the setting in php-fpm.conf was only related to FPM itself and not to the error_log command for its children. This works now!

Is there any way to fix the truncated “p” of “pool” in the programname logged to syslog?

I know, it’s just cosmetics but 🙂

I am getting the following errors
Operating System – ubuntu 12.04 64 bit
Issue: Certain php packages like php5-xdebug, when installed from the dotdeb repository, throw the errors below.

root@m4500ubuntu:/home/gavin# apt-get install php5-xdebug php5-dbg php5-dev
Reading package lists… Done
Building dependency tree
Reading state information… Done
php5-dev is already the newest version.
php5-dev set to manually installed.
Some packages could not be installed. This may mean that you have
requested an impossible situation or if you are using the unstable
distribution that some required packages have not yet been created
or been moved out of Incoming.
The following information may help to resolve the situation:

The following packages have unmet dependencies:
php5-xdebug : Depends: php5-common (= 5.3.10-1~dotdeb.1) but 5.3.10-1ubuntu3 is to be installed
E: Unable to correct problems, you have held broken packages.

@gavin: Dotdeb is made for Debian, not for Ubuntu. Such dependency problems can occur, especially with the latest 12.04 release.

My advice: stick to the PHP 5.3.10 Ubuntu packages. Remove Dotdeb from your sources.list.

I am a newbie to PHP. I’m trying to go through a Zend framework tutorial, and every time I try to execute a php script, the content of the script is printed on the terminal. I’m using Debian with PHP 5.3.13-1~dotdeb.0 with Suhosin-Patch (cli) (built: May 8 2012 21:47:56)
Copyright (c) 1997-2012 The PHP Group
Zend Engine v2.3.0, Copyright (c) 1998-2012 Zend Technologies with Suhosin v0.9.33, Copyright (c) 2007-2012, by SektionEins GmbH

I had short_open_tags set to “Off” in php.ini, changed it to “On” and now it works, thanks.
