On May 1st 2014, the PHP group has released PHP 5.4.28. 9 bugs were fixed in this release, including CVE-2014-0185. All PHP 5.4 users are encouraged to upgrade to this version.
The corresponding packages are now available on Dotdeb :
- for Debian 7.0 “Wheezy” and Debian 6.0 “Squeeze”,
- on both amd64 and i386 architectures.
As usual, please read the ChangeLog before upgrading and be sure to use to the latest packages before reporting any issue.
Please note that if you’re using an Unix socket to make PHP-FPM talk to your web server, you’ll have to set the listen.owner and listen.group directive to the right user/group (usually www-data), for each of your pool. Don’t change the permissions on the socket from 0660 to 0666 (too permissive), it would avoid the CVE-2014-0185 fix.
And if you find Dotdeb useful, feel free to show your support.
6 replies on “PHP 5.4.28, for Wheezy and Squeeze”
[…] vais donc consulter le site qui gère les repositories et effectivement […]
with PHP 5.4.28 there is an important change in the session file handling:
Fixed bug #66171 (Symlinks and session handler allow open_basedir bypass).
What you cannot see in the headline you will see in the Bugreport. The author also claims to “prevent opening other users’ sessions”.
So now the file owner of the session has to be always the user, that tries to use it or root.
Some of my websites broke after the Upgrade with the following error message:
“PHP Warning: Unknown: Failed to write session data (files). Please verify that the current setting of session.save_path is correct (/xxxxxxxxxxxx) in Unknown on line 0”
Because of project reasons a Cronjob changed regulary the owner of the sessions to another user, but the group was still the Webserver user with write access right.
If anyone gets into the same trouble just do not change the file owner of the sessions anymore.
In my opinion this patch was not wise. It will effect a lot of websites, that will get unaccessible.
If a sysadmin wants, that a session file shall be readable/writable by the webserver through group permissions and not owner permissions PHP should not restrict that.
Only my few thoughts on that topic…
I’ve had major problem with php5-curl in this release. I was experiencing multiple GnuTLS recv errors. I’ve tracked the reason down to php5-curl being complied to use GnuTLS rather than OpenSSL. Is this a recent change with the Dotdeb package?
I’ve changed php5-curl back to a release than uses OpenSSL and everything is working correctly.
@Ben : actually, it’s a problem with the latest i386 build. I’ll fix it in the next release. Sorry
I still miss apache_request_headers() running as php5-fpm 🙁
Unfortunately, there is no workaround available so far, i have testet many of them, but it seems they all don’t pass authentication headers…
I just had a look at your github repository, especially the script for the pecl extensions. Is there any record of which versions of the respective pecl extension source was used to build the package?