Posted by & filed under PHP.

PHP 5.4.3 and PHP 5.3.13 have been released by the PHP development team to fix some critical security issues :

  • Source code disclosure with a trivial request (CVE-2012-1823 and CVE-2012-2311) –  PHP 5.4 and 5.3 are vulnerable
  • buffer overflow in apache_request_headers() (CVE-2012-2329) – only PHP 5.4 is vulnerable.

If you’re using the CGI flavor of PHP, upgrading is highly recommended. You can see more info on PHP’s website and on this useful blog post.

Packages of PHP 5.4.3 and PHP 5.3.13 are available for Debian 6.0 “Squeeze” on both amd64 and i386 architectures. Please also note that they fix the error logging features of PHP-FPM.

As usual, please read the ChangeLog before upgrading and be sure to use to the latest packages before reporting any issue.

40 Responses to “Security : PHP 5.4.3 and PHP 5.3.13”

  1. Myst

    L’affichage du code source fonctionne avec le patch Suhosin activé ? Car sur mon site ça ne fonctionne pas, pourtant je suis bien en php cgi.

    Reply
    • Guillaume Plessis

      @Myst : Suhosin (inclus uniquement dans les paquets PHP 5.3) empêche l’exploitation d’une partie des attaques. Mettre à jour est cependant fortement conseillé.

      Reply
  2. Vivien Pouchard

    Merci Guillaume !

    A propos d’apache2, pourquoi ne pas essayer de proposer la version 2.4 sur dotdeb ? PHP 5.4 + Apache 2.4 seraient fantastiques pour les performances et la sécurité.

    Reply
    • Guillaume Plessis

      @Vivien : je n’ai pas l’usage de Apache 2.4, le backporter me demandera un effort supplémentaire et pas forcément de retour d’utilisation apte à garantir une qualité correcte. Nginx peut être une bonne alternative (d’autant que mod_php ne marche correctement qu’en prefork). Sinon Apache 2.2 worker + FPM marche bien également).

      Reply
  3. Roger

    Hey Guys, thanks for the great work.

    Suhosin still isn’t installable btw.

    Depends: php5-common (= 5.3.13-1~dotdeb.0) but 5.4.3-1~dotdeb.0 is to be installed

    Reply
  4. Myst

    @Guillaume : Ce que je demandais, c’était de savoir si cette attaque était déjà sécurisé de base par Suhosin. Mon serveur est déjà a jour, mais c’est pour savoir si des personnes ont pu accéder à mes sources pendant le laps de temps. :)

    Reply
  5. Myst

    @Guillaume : Merci beaucoup pour ces infos. Une dernière petite question, j’ai essayé d’utiliser le bug (?-s) sur différente pages de mon site, mais ça n’a jamais fonctionné. Je ne sait pas si tu as eu l’occasion de le tester, mais est-ce que tu sait si le bug fonctionnait à coup sur, ou si il fallait des conditions particulières (à part le faite d’utiliser php cgi) ?

    Reply
  6. Guillaume Plessis

    @Myst : aucune idée, je n’utilise pas PHP en CGI avec Apache. Les articles cités plus haut t’aideront certainement à trouver les conditions exactes d’exploitation de la faille. Un exploit metasploit est sorti, notamment.

    Reply
  7. Myst

    @Guillaume : Merci, mais le problème c’est que j’ai déjà mis à jour mon serveur :) difficile de faire des tests maintenant. Merci quand même, je vais continuer a chercher de mon côté, tout en croisant les doigts.

    Reply
  8. ghantoos

    It seems the source packages of php-pecl aren’t available. Is there a legal (or other) reason for this?

    Thanks for the great work you guys do!

    Reply
  9. Jockl

    Thank you very much Guillaume for updating. Your work is very much appreciated!

    Reply
  10. webmaster eddie

    Thank you for the update.

    A heads up for anyone using APC – you’ll need to upgrade to 3.1.10 – otherwise apache2 will crash php when re-starting.

    Reply
  11. webmaster eddie

    After upgrading to the latest dotdeb php 5.4, I encountered some debian squeeze server errors, which I have addressed in a post at:
    http://drupal.org/node/1578840

    I wish I would have read this BEFORE upgrading, but it is still very helpful info after the upgrade to PHP 5.4, and should save many people lots of time.

    Thanks for the upgrade, it’s great to be on the right path to PHP 6.

    Reply
  12. Guillaume Plessis

    @webmaster eddie : thanks for this useful report.

    Once again, upgrading to a new major version of PHP should b done with great care, after reading the change logs and after ensuring that all the applications are fully compatible.

    That’s also why I’ve published PHP 5.4 in squeeze-php54 instead of squeeze.

    Reply
  13. Nico

    What’s up for mod_APC ? he work now whith PHP 5.4.x ?

    Pour ce qui est d’Apache, la version mpm event avec PHP-FPM chargé par mod_proxy_fcgi semble quand même super intéressante.

    Reply
    • Guillaume Plessis

      @Nico : APC 3.1.10 is compatible with PHP 5.4 (see its changelog). The package is available on Dotdeb squeeze-php54. Just note that its version number has not been incremented in the source, it’s still displayed as 3.1.9 in phpinfo().

      I have no plan for Apache 2.4 without a major sponsor. If you’re looking for an event-driven web server, Nginx should do the trick.

      Reply
  14. midal

    I am running dotdebs php 5.3.13 packages with APC, but it comes with APC 3.1.3p.

    What would be the best method to upgrade APC to 3.1.9 or 3.1.10?

    Reply
    • Guillaume Plessis

      @midal : apt-get install php5-apc

      PHP 3.1.9 will be displayed in phpinfo() but in fact it’s 3.1.10 (version number hasn’t been raised in the source code)

      Reply
  15. midal

    Thx for the fast reply, Guillaume! I already tried this before, but get this:

    error processing /var/cache/apt/archives/php5-apc_5.3.13-1~dotdeb.0_amd64.deb (–unpack):
    trying to overwrite ‘/etc/php5/conf.d/apc.ini’, which is also in package php-apc 3.1.3p1-2
    configured to not write apport reports
    Errors were encountered while processing:
    /var/cache/apt/archives/php5-apc_5.3.13-1~dotdeb.0_amd64.deb
    E: Sub-process /usr/bin/dpkg returned an error code (1)

    we use these sources:

    deb http://packages.dotdeb.org stable all
    deb-src http://packages.dotdeb.org stable all

    (its a debian squeeze)

    Could you give me some hints about that? Thanks a lot in advance!

    Reply
  16. Friendbg

    Hello guys, I’m using debian wheezy and I’m having problems with update on php5-memcache and php5-xcache. It’s says that they will be removed because the the latest relese on dotdeb is php5-memcache_5.4.3-1~dotdeb.0_amd64.deb but it need 5.4.4. Can u help me? Thanks

    Reply

Leave a Reply

  • (will not be published)


− 3 = one