
On April 30th 2014, the PHP group released PHP 5.5.12:

This release fixes several bugs against PHP 5.5.11, as well as CVE-2014-0185 regarding PHP-FPM. All PHP users are encouraged to upgrade to this new version.

As a consequence, PHP 5.5.12 packages are now available on Dotdeb for Debian 7.4 “Wheezy”, on both amd64 and i386 architectures.

Please read the Changelog and the migration guide (be aware of the backward incompatible changes) before upgrading.

Please note that if you’re using a Unix socket to make PHP-FPM talk to your web server, you’ll have to set the listen.owner and listen.group directives to the right user/group (usually www-data) for each of your pools. Don’t change the permissions on the socket from 0660 to 0666 (too permissive): that would defeat the CVE-2014-0185 fix.
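To check your pools before restarting PHP-FPM, here is a small audit script. It is an added example, not part of the Dotdeb packages or of PHP itself: the audit_pool function name and the two sample pool files are made up for the illustration, and listen.mode is the PHP-FPM directive that sets the socket permissions.

```shell
# Audit a PHP-FPM pool file for the Unix-socket settings described above.
# Prints one finding per line; exit status is 1 if anything was found.
audit_pool() {
    awk '
    function check(   mode) {
        if (cfg["listen"] !~ /^\//) return       # TCP listener: socket perms do not apply
        if (cfg["listen.owner"] == "") { print pool ": listen.owner not set"; bad = 1 }
        if (cfg["listen.group"] == "") { print pool ": listen.group not set"; bad = 1 }
        mode = cfg["listen.mode"]
        # A non-zero last octal digit means "other" users can reach the socket.
        if (mode != "" && substr(mode, length(mode)) + 0 != 0) {
            print pool ": listen.mode " mode " is open to other users"; bad = 1
        }
    }
    /^[ \t]*;/ { next }                          # commented-out directive
    /^[ \t]*\[/ {                                # a new [pool] section starts
        check(); split("", cfg)
        pool = $0; sub(/^[ \t]*\[/, "", pool); sub(/\].*$/, "", pool); next
    }
    /^[ \t]*listen(\.[a-z]+)?[ \t]*=/ {
        eq = index($0, "=")
        key = substr($0, 1, eq - 1); gsub(/[ \t]/, "", key)
        val = substr($0, eq + 1);    sub(/[ \t]*;.*$/, "", val)
        gsub(/^[ \t]+|[ \t]+$/, "", val)
        cfg[key] = val
    }
    END { check(); exit bad + 0 }
    ' "$1"
}
# Constructed sample pools (not taken from a real system).
SAMPLES=$(mktemp -d)
cat > "$SAMPLES/weak.conf" <<'EOF'
[www]
listen = /var/run/php5-fpm.sock
;listen.owner = www-data
;listen.group = www-data
listen.mode = 0666
EOF
cat > "$SAMPLES/fixed.conf" <<'EOF'
[www]
listen = /var/run/php5-fpm.sock
listen.owner = www-data
listen.group = www-data
listen.mode = 0660
EOF
for f in "$SAMPLES"/*.conf; do
    if audit_pool "$f"; then echo "OK   $f"; else echo "FAIL $f"; fi
done
```

On a real server, point it at each file in /etc/php5/fpm/pool.d/ instead of the samples.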

And don’t forget: if you find Dotdeb useful, you may want to show your support.

17 Responses to “PHP 5.5.12 for Debian Wheezy”

  1. r3b3l

    After upgrade I have a problem with permissions on the sock file. In earlier versions /var/run/php5-fpm.sock had permission srw-rw-rw-, after upgrade srw-rw----. This causes errors in nginx (502) if you use the sock file.

  2. XAD

    temporary solution:
    - chmod o+rw /var/run/php5-fpm.sock
    - or use port

  3. XAD

    nginx + php5-fpm
    Uncomment the listen.owner and listen.group
    /etc/php5/fpm/pool.d/www.conf

    listen.group = www-data

    and restart.

  4. JCG

    Thanks a lot for the new PHP version!

    Same problem with socket permissions here, too.

    As an emergency measure, I had to switch to address php-fpm via TCP/IP instead of unix socket.

  5. JCG

    Guillaume, please don’t get me wrong: I appreciate Dotdeb and all your work a lot.

    I am using your repo with any of my Debian systems, and I love it.

    But the packages should be tested thoroughly before releasing them. Otherwise, they easily destroy Debian’s concept of an extraordinarily stable server system.

    Recently, a redis update did not work: apt suggested to remove (!) redis-server.

    You immediately compiled again, and within minutes, everything was fine again. I appreciate that a lot, Guillaume!

    But we need very stable solutions, please. :-)

    I would be ready to pay on a regular basis for a plus of testing before releasing.

  6. rraptorr

    The FPM listening socket permission change was introduced by the PHP team in the PHP code itself as a part of the CVE-2014-0185 mitigation. Don’t blame Guillaume for any problems you have due to this. You should have read the PHP changelog and tested the new version in your environment anyway, before blindly installing it on any production servers ;)

  7. JCG

    I did not blame anybody. I think this is obvious when reading my comment.

    I just wanted to line out that a certain testing would be appreciated in general.

    As stated above, Guillaume is doing a great job.

    Only sometimes, there are certain risks which are, of course, higher compared to “original” Debian repositories.

    I’m sure these risks could be minimized with a certain amount of testing. I can only speak for myself, but at least I would be willing to pay for extra testing.

    • Guillaume Plessis

      @JCG : I totally get your point. I usually do my best to backport most of the changes from Sid to Wheezy/Squeeze. But sometimes my tests are not enough. I’ll make some more in the future.

      About this PHP release, I added a note about permissions/owner/group to help people upgrading without avoiding the CVE fix.

  8. JCG

    Thank you very much, Guillaume!

    My postings were NOT meant as a criticism. On the contrary, I love and appreciate your work a lot.

    After reading the changelogs and after testing myself, everything would have gone smoothly in case one would have overwritten his conf files.

    But I always deny that, since it would overwrite all my custom tweaks and modifications.

    Amicalement,
    JCG

  9. Nuno

    Hi,

    I already had listen.owner and listen.group set to www-data but I can’t get it to work.
    Changed to port 9000 until I get some time to solve this!

    Thanks

  10. Sairahcaz

    After upgrading I get the following error on logrotate:

    ----
    Cron test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.daily )

    /etc/cron.daily/logrotate:
    initctl: invalid command: reopen-logs
    Try `initctl --help' for more information.
    invoke-rc.d: initscript php5-fpm, action "reopen-logs" failed.
    error: error running non-shared postrotate script for /var/log/php5-fpm.log of '/var/log/php5-fpm.log '
    run-parts: /etc/cron.daily/logrotate exited with return code 1
    ----

    Will there be a hotfix?

  11. Milo

    Hi,
    PHP 5.5.10 switched to PCRE 8.34 which brings one high-priority bug (http://bugs.exim.org/show_bug.cgi?id=1451) already fixed in 8.35.

    Actually, I don’t know dotdeb policy but would be nice to compile PHP against the newer PCRE lib.

    Thank you and thank you for dotdeb at all, Milo

  12. JuanDN

    Hi,
    I’m using your packages in Debian 7 to install PHP 5.5.12 and the memcached mod.
    All is OK, thanks for your work, but I need to know what version the memcached mod is: in the Wheezy standard package it is 2.0.1 but in Jessie it is 2.2.0.

    Thx :)
