Dotdeb

Security : PHP 5.4.3 and PHP 5.3.13

Guillaume Plessis — Tue, 08 May 2012 22:52:22 +0000

PHP 5.4.3 and PHP 5.3.13 have been released by the PHP development team to fix some critical security issues :

Source code disclosure with a trivial request (CVE-2012-1823 and CVE-2012-2311) – PHP 5.4 and 5.3 are vulnerable
buffer overflow in apache_request_headers() (CVE-2012-2329) – only PHP 5.4 is vulnerable.

If you’re using the CGI flavor of PHP, upgrading is highly recommended. You can see more info on PHP’s website and on this useful blog post.

Packages of PHP 5.4.3 and PHP 5.3.13 are available for Debian 6.0 “Squeeze” on both amd64 and i386 architectures. Please also note that they fix the error logging features of PHP-FPM.

As usual, please read the ChangeLog before upgrading and be sure to use to the latest packages before reporting any issue.

MySQL 5.5.24

Guillaume Plessis — Tue, 08 May 2012 15:09:50 +0000

The packages of MySQL 5.5.24 are now available for Debian 6.0 “Squeeze” on both amd64 and i386 architectures. It fixes an undisclosed security issue (thanks Oracle) and some other bugs as well.

As usual, please read carefully the full Changelog before upgrading.

Note : the packages have been updated to include a missing init script. Sorry for the mess.

Security update : MySQL 5.1.62

Guillaume Plessis — Sat, 05 May 2012 11:03:05 +0000

MySQL 5.1.62 packages are now available for Debian 6.0 “Squeeze” on amd64 and i386 architectures.

This is a important security update that fixes unspecified vulnerabilities identified by Oracle in all versions of MySQL 5.1 earlier than 5.1.62. If you did not upgrade to MySQL 5.5, please consider upgrading your MySQL server (at least) to 5.1.62.

FYI, CVE list is as follows :

The corresponding Pinba storage engine has also been rebuilt.

And, as usual, please read the Changelog before upgrading.

Redis 2.4.13

Guillaume Plessis — Wed, 02 May 2012 10:54:23 +0000

Redis 2.4.13 has been released to fix a critical bug in KEYS command :

[BUGFIX] Fix for KEYS command: if the DB contains keys with expires the KEYS command may return the wrong output, having duplicated or missing keys. See issue #487 and #488 on github for details.

The packages are now available for Debian 6.0 “Squeeze” on both amd64 and i386 architectures. Upgrading is strongly advised.

PHP 5.4.1

Guillaume Plessis — Mon, 30 Apr 2012 21:17:38 +0000

On april 26th 2012, the PHP group has released PHP 5.4.1 too, that brings over 60 bug fixes, some of which are security related :

Security Enhancements and Fixes in PHP 5.4.1:

Fixed bug #54374 (Insufficient validating of upload name leading to corrupted $_FILES indices). (CVE-2012-1172).

Add open_basedir checks to readline_write_history and readline_read_history.

Key enhancements in PHP 5.4.1 include:

Added debug info handler to DOM objects.

Fixed bug #61172 (Add Apache 2.4 support).

Packages of PHP 5.4.1 and of all its related extensions are now available on Dotdeb for Debian 6.0 “Squeeze” on both amd64 and i386 architectures. Please note that :

php5-xcache is now available in its 2.0 version,
the Suhosin patch is still absent from this build.

As usual, please read the ChangeLog before upgrading and be sure to use to the latest packages before reporting any issue.

PHP 5.3.11

Guillaume Plessis — Mon, 30 Apr 2012 11:57:34 +0000

On april 26th 2012, the PHP group has released PHP 5.3.11, that brings over 60 bug fixes, some of which are security related :

Security Enhancements and Fixes in PHP 5.3.11:

Fixed bug #54374 (Insufficient validating of upload name leading to corrupted $_FILES indices). (CVE-2012-1172).

Add open_basedir checks to readline_write_history and readline_read_history.

Fixed bug #61043 (Regression in magic_quotes_gpc fix for CVE-2012-0831).

Key enhancements in PHP 5.3.11 include:

Added debug info handler to DOM objects.

Fixed bug #61172 (Add Apache 2.4 support).

Packages of PHP 5.3.11 are now available on Dotdeb for Debian 6.0 “Squeeze” on both amd64 and i386 architectures.

As usual, please read the ChangeLog before upgrading and be sure to use to the latest packages before reporting any issue.

Redis 2.4.12

Guillaume Plessis — Mon, 30 Apr 2012 10:51:07 +0000

Redis 2.4.12 has been released with these changes :

[BUGFIX] Limit the amount of memory consumed by the slow log.
[BUGFIX] --test-memory option fixes.
[BUGFIX] Less false positives in tests.

The upgrade urgency is low if you don’t experience any of the fixed problems.

The packages of Redis 2.4.12 are now available for Debian 6.0 “Squeeze” on both amd64 and i386 architectures.

Nginx 1.2.0 with Naxsi 0.45 and Passenger 3.0.12

Guillaume Plessis — Sun, 29 Apr 2012 16:59:10 +0000

Dotdeb’s packages of the long-awaited Nginx 1.2.0 are now available for Debian 6.0 “Squeeze” (amd64/i386) in five flavors : nginx-light, nginx-naxsi, nginx-full, nginx-passenger and nginx-extras.

This is a major release with a lot of improvements since the former 1.0 branch. Please take a look at Nginx’ official Changelog before upgrading.

On the Dotdeb side :

Naxsi, a high performance, low rules maintenance, Web Application Firewall module, has been upgraded to its 0.45 version. Please read its documentation fore more info.
Passenger has been upgraded to its 3.0.12 version.
Because nginx-passenger is now dedicated to Passenger, nginx-extras does not contain it anymore. Don’t forget to backup your configuration files when switching from nginx-extras to nginx-passenger.

If you want to know which module has been included in each Nginx flavor, you just have to look at this useful document.

Passenger 3.0.12

Guillaume Plessis — Sun, 29 Apr 2012 16:38:07 +0000

Packages of Passenger 3.0.12 are now available for Debian 6.0 “Squeeze” on both amd64 and i386 architectures.

Here is the announcement from Phusion’s blog :

Phusion Passenger is an Apache and Nginx module for deploying Ruby web applications. It has a strong focus on ease of use, stability and performance. Phusion Passenger is built on top of tried-and-true, battle-hardened Unix technologies, yet at the same time introduces innovations not found in most traditional Unix servers. Since version 3.0 it can also run standalone without an external web server, making it not only easier for first-time users but also ideal on development environments.

Recent changes

Phusion Passenger is under constant maintenance and development. We are pleased to announce Phusion Passenger version 3.0.12. This is a bug fix release.

[Apache] Support Apache 2.4. The event MPM is now also supported.
[Nginx] Preferred Nginx version upgraded to 1.0.15.
[Nginx] Preferred PCRE version upgraded to 8.30.
[Nginx] Fixed compatibility with Nginx < 1.0.10.
[Nginx] Nginx is now installed with http_gzip_static_module by default.
[Nginx] Fixed a memory disclosure security problem.
The issue is documented at http://www.nginx.org/en/security_advisories.html and affects more modules than just Phusion Passenger. Users are advised to upgrade as soon as possible. Patch submitted by Gregory Potamianos.
[Nginx] passenger_show_version_in_header now hides the Phusion Passenger version number from the ‘Server:’ header too.Patch submitted by Gregory Potamianos.
Fixed a /proc deprecation warning on Linux kernel >= 3.0.

Redis 2.4.11

Guillaume Plessis — Thu, 19 Apr 2012 14:27:48 +0000

Redis 2.4.11 has been released with these changes :

[BUGFIX] Fixed a problem with aeWait() implementation. May cause a crash under non easy to replicate condiitons. See issue #267 on github.
[BUGFIX] SORT with GET/BY option fetching expiring keys fixed. Issue #460.
[BUGFIX] INFO field master_link_down_since_seconds initialized correctly.
[FEATURE] redis-cli back ported from Redis unstable. Now has support for --bigkeys (to sample the DB for very large keys), --slave to simulate a slave instance.

The upgrade urgency is moderate if you don’t experience any of the fixed problems.

The packages of Redis 2.4.11 are now available for Debian 6.0 “Squeeze” on both amd64 and i386 architectures.