Posted by & filed under PHP.

On December 17th 2009, the PHP Group released PHP 5.2.12:

The PHP development team would like to announce the immediate availability of PHP 5.2.12. This release focuses on improving the stability of the PHP 5.2.x branch with over 60 bug fixes, some of which are security related. All users of PHP 5.2 are encouraged to upgrade to this release.

Security Enhancements and Fixes in PHP 5.2.12:

  • Fixed a safe_mode bypass in tempnam() identified by Grzegorz Stachowiak. (CVE-2009-3557, Rasmus)
  • Fixed an open_basedir bypass in posix_mkfifo() identified by Grzegorz Stachowiak. (CVE-2009-3558, Rasmus)
  • Added “max_file_uploads” INI directive, which can be set to limit the number of file uploads per-request to 20 by default, to prevent possible DOS via temporary file exhaustion, identified by Bogdan Calin. (CVE-2009-4017, Ilia)
  • Added protection for $_SESSION from interrupt corruption and improved “session.save_path” check, identified by Stefan Esser. (CVE-2009-4143, Stas)
  • Fixed bug #49785 (insufficient input string validation of htmlspecialchars()). (CVE-2009-4142, Moriyoshi, hello at iwamot dot com)

(Please read the full announcement for more details)

Dotdeb packages of PHP 5.2.12 are now (finally) available for Debian “Lenny” and “Etch”, amd64 and i386.

Upgrading your servers is strongly encouraged because of several security issues, especially a multipart/form-data DoS (CVE-2009-4017). Please set the max_file_uploads parameter carefully.
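As an added example (not code from this post, from dotdeb or from PHP itself), here is a small audit that reads php.ini-style text and checks whether max_file_uploads, the directive that mitigates CVE-2009-4017, is set explicitly and kept at or below the 5.2.12 default; the WEAK_INI and HARDENED_INI fragments are constructed samples.

```python
"""Audit php.ini for the max_file_uploads cap added in PHP 5.2.12.

Added example, not code from the dotdeb post or from PHP: it parses
php.ini-style text and reports whether max_file_uploads is explicit
and sane. The ini fragments below are constructed samples.
"""
DEFAULT_LIMIT = 20  # built-in default introduced in PHP 5.2.12

# Constructed sample: the directive exists only as a comment, so it is not applied.
WEAK_INI = """
[PHP]
file_uploads = On
; max_file_uploads = 20
upload_max_filesize = "2M"
"""

# Constructed sample: the per-request cap is set explicitly.
HARDENED_INI = """
[PHP]
file_uploads = On
max_file_uploads = 20   ; per-request cap on multipart file parts
upload_max_filesize = "2M"
"""


def parse_php_ini(text):
    """Return {directive: value} for php.ini-style text.
    Strips ';' comments and [sections]; unquotes "..." values."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split(';', 1)[0].strip()
        if not line or line.startswith('[') or '=' not in line:
            continue
        key, _, value = line.partition('=')
        settings[key.strip()] = value.strip().strip('"')
    return settings


def audit_uploads(settings, ceiling=DEFAULT_LIMIT):
    """Return a list of (code, detail) findings; [] means nothing to fix.
    With file_uploads switched off, upload-driven temp-file exhaustion is moot."""
    if settings.get('file_uploads', 'On').lower() in ('0', 'off', 'false', 'no', ''):
        return []
    raw = settings.get('max_file_uploads')
    if raw is None:
        return [('missing', 'relies on the built-in default; PHP before 5.2.12 has no cap')]
    try:
        limit = int(raw)
    except ValueError:
        return [('not_numeric', raw)]
    if limit <= 0:
        return [('non_positive', raw)]
    if limit > ceiling:
        return [('above_ceiling', '%d > %d' % (limit, ceiling))]
    return []
```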

19 Responses to “PHP 5.2.12 packages are here!”

  1. canyonbreeze

    I installed your PHP 5.3.1 packages. Unfortunately many scripts don’t work well with 5.3 (Drupal, Gallery2, etc).

    How to downgrade to 5.2.12?

  2. The BLION Corp.

    Hello,

    serveur:/var/log# unset LANG ; apt-get install php5-http ; dpkg --list libevent1
    Reading package lists... Done
    Building dependency tree
    Reading state information... Done
    Some packages could not be installed. This may mean that you have
    requested an impossible situation or if you are using the unstable
    distribution that some required packages have not yet been created
    or been moved out of Incoming.
    The following information may help to resolve the situation:

    The following packages have unmet dependencies:
    php5-http: Depends: libevent-1.4-2 (>= 1.4.13-stable) but it is not installable
    E: Broken packages
    Desired=Unknown/Install/Remove/Purge/Hold
    | Status=Not/Inst/Cfg-files/Unpacked/Failed-cfg/Half-inst/trig-aWait/Trig-pend
    |/ Err?=(none)/Hold/Reinst-required/X=both-problems (Status,Err: uppercase=bad)
    ||/ Name Version Description
    +++-================================-================================-================================================================================
    ii libevent1 1.3e-3 An asynchronous event notification library

  3. Laurent Chardin

    Any chance to get a fix for this issue:
    https://bugs.launchpad.net/ubuntu/+source/php5/+bug/359062

    Or at least a little explanation so somebody could handle it? I don't actually quite get what is going wrong.

    Example of what I got:

    $pecl install uploadprogress
    downloading uploadprogress-1.0.1.tgz …
    Starting to download uploadprogress-1.0.1.tgz (8,536 bytes)
    …..done: 8,536 bytes
    4 source files, building
    running: phpize
    Configuring for:
    PHP Api Version: 20041225
    Zend Module Api No: 20060613
    Zend Extension Api No: 220060519
    cp: ne peut évaluer `libtool.m4': Aucun fichier ou dossier de ce type
    cp: ne peut évaluer `ltmain.sh': Aucun fichier ou dossier de ce type
    cat: ./build/libtool.m4: Aucun fichier ou dossier de ce type
    configure.in:8: warning: LT_AC_PROG_SED is m4_require'd but not m4_defun'd
    aclocal.m4:2631: PHP_CONFIG_NICE is expanded from…
    configure.in:8: the top level
    configure.in:151: error: possibly undefined macro: AC_PROG_LIBTOOL
    If this token and others are legitimate, please use m4_pattern_allow.
    See the Autoconf documentation.
    configure:2291: error: possibly undefined macro: LT_AC_PROG_SED
    ERROR: `phpize' failed

    Otherwise everything works fine, I just can't compile any new extensions.

  4. Guillaume Plessis

    @Laurent Chardin: The problem is that libtool.m4 and ltmain.sh are not in the same location between libtool from Debian Lenny and libtool from Ubuntu:

    Debian:
    /usr/share/libtool/ltmain.sh
    /usr/share/libtool/libtool.m4 or /usr/share/aclocal/libtool.m4

    Ubuntu:
    /usr/share/libtool/config/ltmain.sh
    /usr/share/aclocal/libtool.m4

    Perhaps you can solve this issue with symlinks.

  5. Laurent Chardin

    Thanks Guillaume,

    Got it fixed with:
    > adding symlinks
    > concatenating some more files into libtool.m4

    (cd /usr/share/aclocal && cat lt~obsolete.m4 ltoptions.m4 ltsugar.m4 ltversion.m4 >> libtool.m4)

    (https://bugs.launchpad.net/ubuntu/+bug/262251)

    Now it compiles without a glitch. Thanks.

  6. Chris Gooding

    Hi,

    Having trouble updating php5-imap on php5.2.12. Getting the following message:

    apt-get install php5=5.2.12-0.dotdeb.1 php5-imap
    Reading package lists... Done
    Building dependency tree
    Reading state information... Done
    php5 is already the newest version.
    Some packages could not be installed. This may mean that you have
    requested an impossible situation or if you are using the unstable
    distribution that some required packages have not yet been created
    or been moved out of Incoming.
    The following information may help to resolve the situation:

    The following packages have unmet dependencies.
    php5-imap: Depends: libc-client2007b but it is not installable
    E: Broken packages

  7. Mr.Dros

    Is there somewhere an archive of dotdeb? I need php 5.2.6 for Etch and can't find it. I have 5.2.0, which is too low, and 5.2.12 seems to be too advanced (got a lot of errors in the code). The programmer says I need 5.2.6, any chance to get it here?

    thx
    Dros

  8. Neo

    Hello 🙂

    I have been using dotdeb (on Debian) for quite some time: the indispensable repository 🙂

    But since version 5.2.12, I am running into this particular case: http://bugs.php.net/bug.php?id=49521

    A patch exists, but unfortunately it is not in the repository...

    Is it possible to add it there, or at least which solution would you recommend to fix this problem as easily as possible?

    Thanks in advance 🙂

  9. Erik

    I tried to run pecl install pecl_http and received
    phpize libtool.m4 problems on Ubuntu 9.04

    cannot stat `libtool.m4' ....

    libtool.m4 is a broken link under /usr/lib/php5/build . Therefore, I edited /usr/bin/phpize and made these 2 simple changes:

    Change line:

    FILES_BUILD="mkdep.awk scan_makefile_in.awk shtool libtool.m4"

    To:

    FILES_BUILD="mkdep.awk scan_makefile_in.awk shtool libtool.m4 lt~obsolete.m4 ltoptions.m4 ltsugar.m4 ltversion.m4"

    and

    Change line:

    (cd "$builddir" && cat acinclude.m4 ./build/libtool.m4 > aclocal.m4)

    To:

    (cd "$builddir" && cat acinclude.m4 ./build/{libtool,lt~obsolete,ltoptions,ltsugar,ltversion}.m4 > aclocal.m4)

    then I ran

    pecl install pecl_http

    It works! Hallelujah!

  10. Erik

    Wait, I also changed the shell in /usr/bin/phpize

    from
    #!/bin/sh

    to

    #!/bin/bash

  11. mdhuset

    Generally I don't read articles on blogs; however, I wish to say that
    this write-up very much pressured me to try and do so!
    Your writing taste has amazed me. Thanks, very nice post.