Categories
PHP

PHP 5.4.1

On April 26th 2012, the PHP group also released PHP 5.4.1, which brings over 60 bug fixes, some of which are security related:

Security Enhancements and Fixes in PHP 5.4.1:

  • Fixed bug #54374 (Insufficient validating of upload name leading to corrupted $_FILES indices). (CVE-2012-1172).
  • Add open_basedir checks to readline_write_history and readline_read_history.

Key enhancements in PHP 5.4.1 include:

  • Added debug info handler to DOM objects.
  • Fixed bug #61172 (Add Apache 2.4 support).

Packages of PHP 5.4.1 and of all its related extensions are now available on Dotdeb for Debian 6.0 “Squeeze” on both amd64 and i386 architectures. Please note that:

  • php5-xcache is now available in its 2.0 version,
  • the Suhosin patch is still absent from this build.

As usual, please read the ChangeLog before upgrading and be sure to be running the latest packages before reporting any issue.

PHP 5.3.11

On April 26th 2012, the PHP group released PHP 5.3.11, which brings over 60 bug fixes, some of which are security related:

Security Enhancements and Fixes in PHP 5.3.11:

  • Fixed bug #54374 (Insufficient validating of upload name leading to corrupted $_FILES indices). (CVE-2012-1172).
  • Add open_basedir checks to readline_write_history and readline_read_history.
  • Fixed bug #61043 (Regression in magic_quotes_gpc fix for CVE-2012-0831).

Key enhancements in PHP 5.3.11 include:

  • Added debug info handler to DOM objects.
  • Fixed bug #61172 (Add Apache 2.4 support).

Packages of PHP 5.3.11 are now available on Dotdeb for Debian 6.0 “Squeeze” on both amd64 and i386 architectures.

As usual, please read the ChangeLog before upgrading and be sure to be running the latest packages before reporting any issue.

Packages of PHP 5.4.0 have been updated

Now that the PHP 5.4.0 packages have been published as a preview, the reported issues have to be fixed. That’s why these packages have been updated with the following changes:

  • gzopen64() had wrongly been introduced on the i386 architecture instead of the regular gzopen(). This is now fixed.
  • PCRE functions did not support Unicode. They do now.
  • APC has been packaged as php5-apc against its svn/trunk version. It should now work well. We are still waiting for an official release.
  • Xdebug is now available in its 2.2.0RC1 version.

Thanks for your useful reports.

PHP 5.4.0 preview packages

After many months of active development, PHP 5.4.0 is now generally available:

The PHP development team is proud to announce the immediate release of PHP 5.4.0. This release is a major improvement in the 5.x series, which includes a large number of new features and bug fixes.
Some of the key new features include: traits, a shortened array syntax, a built-in webserver for testing purposes and more. PHP 5.4.0 significantly improves performance, memory footprint and fixes over 100 bugs.
For users upgrading from PHP 5.3 there is a migration guide available here, detailing the changes between those releases and PHP 5.4.0.
Further details about the PHP 5.4.0 release can be found in the release announcement, and the full list of changes is available in the ChangeLog.

On the Dotdeb side (thanks to Debian developers’ preliminary work), I’m proud to announce that preview packages of PHP 5.4.0 are now available for Debian 6.0 “Squeeze” on amd64 and i386 architectures. You are invited to test them on development servers, but please don’t install them on production servers yet: the Suhosin patch has not been applied, some extensions are not fully compatible and the following ones are missing:

  • php5-ffmpeg
  • php5-pinba
  • php5-suhosin
  • php5-xcache
  • php5-xdebug
  • php5-xhprof

Don’t worry, production-ready PHP 5.4 packages will be available in a few weeks, once the Suhosin patch and the missing extensions are published.

To prevent your servers from being accidentally upgraded from PHP 5.3 to PHP 5.4 without compatibility validation, the PHP 5.4 packages are available on a separate path. To install them, you’ll first have to add this line to your /etc/apt/sources.list (you can also use any Dotdeb mirror once they’re synchronized):

deb http://packages.dotdeb.org/ squeeze-php54 all

The main changes in the packages:

  • if you need MySQL-related functions, you can now choose between the php5-mysql package (linked against libmysqlclient) and the php5-mysqlnd package (linked against the native, and better, MySQL driver)
  • PHP extension config files have been migrated to /etc/php5/mods-available/. Files in /etc/php5/conf.d/ are now just symlinks to them. Therefore, you can activate or deactivate PHP extensions with php5enmod/php5dismod.

I hope you’ll enjoy these new packages. Any feedback or donation is highly appreciated.

Security update: PHP 5.3.10

A few hours ago, PHP 5.3.10 was released by the PHP Group. It’s an important security update for PHP 5.3.9 users: Stefan Esser discovered a remotely exploitable bug introduced with PHP 5.3.9’s max_input_vars directive (CVE-2012-0830). You really should upgrade as soon as possible.

Packages of PHP 5.3.10 are now available for:

  • both Debian 6.0 “Squeeze” and Debian 5.0 “Lenny”,
  • both amd64 and i386 architectures.

(Lenny packages will be available on php53.dotdeb.org for two weeks before being migrated to archives.dotdeb.org, because of the end of Lenny’s security support.)

Advisory: buffer overflow in php5-suhosin

A few days ago, Stefan Esser discovered a buffer overflow in the “transparent cookie encryption stack” of the Suhosin extension. Here is the full advisory.

If you previously installed the php5-suhosin package, you should upgrade to its fixed new version (0.9.33) by running:

apt-get update
apt-get install --reinstall php5-suhosin

PHP 5.3.9

On January 10th 2012, the PHP group released PHP 5.3.9, which brings over 90 bug fixes, some of which are security related:

Security Enhancements and Fixes in PHP 5.3.9:

  • Added max_input_vars directive to prevent attacks based on hash collisions. (CVE-2011-4885)
  • Fixed bug #60150 (Integer overflow during the parsing of invalid exif header). (CVE-2011-4566)

Key enhancements in PHP 5.3.9 include:

  • Fixed bug #55475 (is_a() triggers autoloader, new optional 3rd argument to is_a and is_subclass_of).
  • Fixed bug #55609 (mysqlnd cannot be built shared)
  • Many changes to the FPM SAPI module

PHP 5.3.9 is now available on Dotdeb for:

  • both Debian 6.0 “Squeeze” and Debian 5.0 “Lenny”
  • both amd64 and i386 architectures

As usual, please read the ChangeLog before upgrading and be sure to be running the latest packages before reporting any issue.

[edit] The packages have been updated to fix some Suhosin- and strtotime()-related issues. You really should upgrade at least:

  • to 5.3.9-0~dotdeb.3 if you’re running Squeeze
  • to 5.3.9-0~dotdeb.2 if you’re running Lenny

PHP 5.3.8 is available

On August 18th, the PHP Group released PHP 5.3.7 with many security enhancements and many bugfixes. Sadly, it suffered from an issue with the crypt() function, forcing the PHP Group to publish PHP 5.3.8 (which also fixes a mysqlnd issue with SSL connections).

I’m glad to announce that PHP 5.3.8 packages are now available on Dotdeb for both amd64 and i386 architectures:

  • for Debian 6.0 “Squeeze”: on the main Dotdeb repository
  • for Debian 5.0 “Lenny”: on php53.dotdeb.org

Upgrading to PHP 5.3.8 is strongly recommended, but please read the Changelog before doing so.

PHP 5.3.6 is available

On March 17th, the PHP Group released PHP 5.3.6. This maintenance release, which focuses on security, is now available on Dotdeb for Debian 6.0 “Squeeze” in amd64 and i386 flavours.

Compatibility with the official Debian packages has been improved, and you (especially FPM users) should really pay attention to some important changes I made:

  • the intl extension is now built in a separate package : php5-intl
  • the FPM binary is now /usr/sbin/php5-fpm (previously /usr/bin/php5-fpm)
  • the FPM configuration file is now /etc/php5/fpm/php-fpm.conf (previously /etc/php5/fpm/php5-fpm.conf)
  • the FPM pools have to be moved to /etc/php5/fpm/pool.d/ (previously /etc/php5/fpm/pools/)

As usual, please read the Changelog before upgrading.

Note: The PHP 5.3.6 packages for Debian 5.0 “Lenny” should be released soon.
Update: the PHP 5.3.6 packages for Debian 5.0 “Lenny” are now available on http://php53.dotdeb.org/

Let’s monitor your PHP applications with Pinba

Do you know Pinba? It’s a great tool and you really should use it on your LAMP platform.

Pinba is a realtime monitoring/statistics server for PHP using MySQL as a read-only interface.

It accumulates and processes data sent over UDP by multiple PHP processes and displays statistics in a nice human-readable form of simple “reports”, also providing a read-only interface to the raw data so that more sophisticated reports and stats can be generated.

With the Pinba extension, users can also measure particular parts of their code using timers with arbitrary tags.

Pinba is not a debugging tool in the common sense, since you’re not supposed to debug on production servers; its main goal is to help developers monitor the performance of PHP scripts, locate bottlenecks in realtime and direct developers’ attention to the code that really needs it.

Here is a sample graph:

Pinba graphs

I’m proud to announce that Pinba is now available on Dotdeb for Debian 6.0 “Squeeze”. Once you have read about Pinba’s features and usage, you’ll want to install these two packages:

  • pinba-mysql-engine : a custom MySQL engine to store all the gathered data efficiently. It has to be installed with the latest mysql-server packages.
  • php5-pinba : the PHP extension you’ll use to accumulate data and timers directly from your PHP scripts.
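The timers-with-tags idea described above, as an added example that is not part of the post or of the Pinba project: it wraps units of work in Pinba timers and stays a no-op where php5-pinba is not loaded. The functions used (pinba_script_name_set, pinba_timer_start, pinba_timer_stop, pinba_get_info) are the Pinba extension’s own; the script name and the group/server/op tag scheme are this example’s choices, and the “queries” are constructed stand-ins.

```php
<?php
// Added example, not from the Dotdeb post or the Pinba project.
// Written for the PHP 5.3 era: closures, no callable type hint, no finally.

// Pinba aggregates by script name. Set a stable logical name so the same
// entry point does not fragment into one report row per request path.
if (function_exists('pinba_script_name_set')) {
    pinba_script_name_set('checkout/submit');
}

/**
 * Run $work inside a Pinba timer tagged with $tags.
 * Degrades to plain execution when the extension is absent, and stops the
 * timer even when $work throws so the collected timings stay accurate.
 */
function pinba_timed(array $tags, $work)
{
    $timer = function_exists('pinba_timer_start') ? pinba_timer_start($tags) : null;
    try {
        $result = call_user_func($work);
    } catch (Exception $e) {
        if ($timer !== null) { pinba_timer_stop($timer); }
        throw $e;
    }
    if ($timer !== null) { pinba_timer_stop($timer); }
    return $result;
}

// Tags are free-form, but keep their cardinality low (no user ids, no raw
// SQL text) or the per-tag reports become unusable. Tag scheme is ours.
$rows = pinba_timed(
    array('group' => 'mysql', 'server' => 'db1', 'op' => 'select_cart'),
    function () {
        usleep(2000);                                 // constructed stand-in for a query
        return array(array('sku' => 'A1', 'qty' => 2));
    }
);

$stored = pinba_timed(
    array('group' => 'memcache', 'server' => 'cache1', 'op' => 'set_session'),
    function () { usleep(500); return true; }         // constructed stand-in
);

// What will be sent over UDP to the Pinba server at request shutdown:
// request totals plus every timer with its tags and accumulated value.
if (function_exists('pinba_get_info')) {
    $info = pinba_get_info();
    printf("%s: %d timers, %.4fs elapsed\n",
        $info['script_name'], count($info['timers']), $info['req_time']);
}
```

On a box without php5-pinba the script simply runs the closures and prints nothing, which is the behaviour you want when the same code is deployed to development and production.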

I hope you enjoy it.