On April 30th 2014, the PHP group released PHP 5.5.12:
This release fixes several bugs against PHP 5.5.11, as well as CVE-2014-0185 regarding PHP-FPM. All PHP users are encouraged to upgrade to this new version.
As a consequence, PHP 5.5.12 packages are now available on Dotdeb for Debian 7.4 “Wheezy”, on both amd64 and i386 architectures.
Please read the Changelog and the migration guide (be aware of the backward incompatible changes) before upgrading.
Please note that if you’re using a Unix socket to make PHP-FPM talk to your web server, you’ll have to set the listen.owner and listen.group directives to the right user/group (usually www-data) for each of your pools. Don’t change the permissions on the socket from 0660 to 0666 (too permissive): doing so would undo the CVE-2014-0185 fix.
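As an added example (not part of the original post, nor of the PHP or Dotdeb packages), the shell functions below check one pool file for the settings described above: a Unix socket whose mode gives no access to other users, and a listen.owner or listen.group that matches the web server user. The function names, the file argument and the 0660 default for an unset listen.mode are assumptions of the example.

```shell
#!/bin/sh
# Added example (not Dotdeb or PHP code): audit one PHP-FPM pool file for the
# Unix-socket settings discussed above. Expected user/group defaults to www-data.

# get_directive FILE KEY_REGEX: print the last uncommented value of a directive.
# ';' starts a comment in pool files, so commented-out directives are ignored.
get_directive() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*\([^;[:space:]]*\).*/\1/p" "$1" | tail -n 1
}

# audit_pool FILE [WEB_USER]: return 0 if the socket is restricted and reachable.
audit_pool() {
    file=$1
    want=${2:-www-data}
    listen=$(get_directive "$file" 'listen')
    case $listen in
        /*) ;;  # absolute path means a Unix socket: keep checking
        *)  echo "OK: TCP listener ($listen), socket permissions do not apply"
            return 0 ;;
    esac
    owner=$(get_directive "$file" 'listen\.owner')
    group=$(get_directive "$file" 'listen\.group')
    mode=$(get_directive "$file" 'listen\.mode')
    mode=${mode:-0660}  # assumption: an unset mode means the 0660 named in the post
    rc=0
    # The last octal digit holds the permission bits for "other" users.
    case $mode in
        *0) ;;
        *)  echo "FAIL: listen.mode = $mode opens the socket to other users"
            rc=1 ;;
    esac
    # With mode 0660 the web server must be the socket owner or in its group.
    if [ "$owner" != "$want" ] && [ "$group" != "$want" ]; then
        echo "FAIL: listen.owner='$owner' listen.group='$group', expected $want"
        rc=1
    fi
    if [ "$rc" -eq 0 ]; then
        echo "OK: $listen mode=$mode owner=$owner group=$group"
    fi
    return "$rc"
}
```

Source the file and call `audit_pool` on each pool file, passing the web server user as a second argument when it is not www-data.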
And don’t forget: if you find Dotdeb useful, you may want to show your support.
17 replies on “PHP 5.5.12 for Debian Wheezy”
After upgrade I have a problem with permissions to sock file. In earlier versions /var/run/php5-fpm.sock has permission srw-rw-rw-, after upgrade srw-rw----. This makes errors in nginx (502) if you use sock file.
– chmod o+rw /var/run/php5-fpm.sock
– or use port
nginx + php5-fpm
Uncomment the listen.owner and listen.group
listen.group = www-data
Thanks a lot for the new PHP version!
Same problem with socket permissions here, too.
As an emergency measure, I had to switch to address php-fpm via TCP/IP instead of unix socket.
Guillaume, please don’t get me wrong: I appreciate Dotdeb and all your work a lot.
I am using your repo with any of my Debian systems, and I love it.
But the packages should be tested thoroughly before releasing them. Otherwise, they easily destroy Debian’s concept of an extraordinary stable server system.
Recently, a redis update did not work: apt suggested to remove (!) redis-server.
You immediately compiled again, and within minutes, everything was fine again. I appreciate that a lot, Guillaume!
But we need very stable solutions, please. 🙂
I would be ready to pay on a regular basis for a plus of testing before releasing.
The FPM listening socket permission change was introduced by PHP team in the PHP code itself as a part of CVE-2014-0185 mitigation. Don’t blame Guillaume on any problems you have due to this. You should have read the PHP changelog and tested the new version in your environment anyway, before blindly installing it on any production servers;)
I did not blame anybody. I think this is obvious when reading my comment.
I just wanted to line out that a certain testing would be appreciated in general.
As stated above, Guillaume is doing a great job.
Only sometimes, there are certain risks which are, of course, higher compared to “original” Debian repositories.
I’m sure these risks could be minimized with a certain amount of testing. I can only speak for myself, but at least I would be willing to pay for extra testing.
@JCG : I totally get your point. I usually do my best to backport most of the changes from Sid to Wheezy/Squeeze. But sometimes my tests are not enough. I’ll make some more in the future.
About this PHP release, I added a note about permissions/owner/group to help people upgrading without avoiding the CVE fix.
Keep up the good work. I’m a big Debian fan when it comes to servers and your packages have been helping me convert others for some time now. Love all that you do. Thank you.
Thank you very much, Guillaume!
My postings were NOT meant as a criticism. On the contrary, I love and appreciate your work a lot.
After reading the changelogs and after testing myself, everything would have gone smoothly in case one would have overwritten his conf files.
But I always deny that, since it would overwrite all my custom tweaks and modifications.
I already had listen.owner and listen.group set to www-data but I can’t get it to work.
Changed to port 9000 until I get some time to solve this!
After upgrading I get the following error on logrotate:
Cron test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.daily )
initctl: invalid command: reopen-logs
Try `initctl --help' for more information.
invoke-rc.d: initscript php5-fpm, action "reopen-logs" failed.
error: error running non-shared postrotate script for /var/log/php5-fpm.log of '/var/log/php5-fpm.log '
run-parts: /etc/cron.daily/logrotate exited with return code 1
Will there be a hotfix?
Or does somebody know a version where this is not happening?
PHP 5.5.10 switched to PCRE 8.34 which brings one high-priority bug (http://bugs.exim.org/show_bug.cgi?id=1451) already fixed in 8.35.
Actually, I don’t know dotdeb policy but would be nice to compile PHP against the newer PCRE lib.
Thank you and thank you for dotdeb at all, Milo
I’m using your packages in Debian 7, to install PHP 5.5.12 and the memcached mod.
All is OK, thanks for your work, but I need to know what version the memcached mod is: in the Wheezy standard package it is 2.0.1 but in Jessie it is 2.2.0.
@JuanDN : php5-memcached from Dotdeb is the 2.2.0 version
Thanks!! 🙂 And for feedback, the phpversion() function accepts an extension as parameter, and it returns the extension’s version: http://es1.php.net/manual/en/function.phpversion.php