Categories
PHP

PHP 5.2.13 is available

A few days ago, the PHP Group released PHP 5.2.13. It fixes severe security issues and some other bugs:

The PHP development team would like to announce the immediate availability of PHP 5.2.13. This release focuses on improving the stability of the PHP 5.2.x branch with over 40 bug fixes, some of which are security related. All users of PHP 5.2 are encouraged to upgrade to this release.

Security Enhancements and Fixes in PHP 5.2.13:

  • Fixed safe_mode validation inside tempnam() when the directory path does not end with a /. (Martin Jansen)
  • Fixed a possible open_basedir/safe_mode bypass in the session extension identified by Grzegorz Stachowiak. (Ilia)
  • Improved LCG entropy. (Rasmus, Samy Kamkar)

(…)

On the Dotdeb side

As usual, please read the release announcement and the full Changelog before upgrading.

PHP 5.2.12 packages are here!

On December 17th 2009, the PHP Group released PHP 5.2.12:

The PHP development team would like to announce the immediate availability of PHP 5.2.12. This release focuses on improving the stability of the PHP 5.2.x branch with over 60 bug fixes, some of which are security related. All users of PHP 5.2 are encouraged to upgrade to this release.

Security Enhancements and Fixes in PHP 5.2.12:

  • Fixed a safe_mode bypass in tempnam() identified by Grzegorz Stachowiak. (CVE-2009-3557, Rasmus)
  • Fixed an open_basedir bypass in posix_mkfifo() identified by Grzegorz Stachowiak. (CVE-2009-3558, Rasmus)
  • Added “max_file_uploads” INI directive, which can be set to limit the number of file uploads per-request to 20 by default, to prevent possible DOS via temporary file exhaustion, identified by Bogdan Calin. (CVE-2009-4017, Ilia)
  • Added protection for $_SESSION from interrupt corruption and improved “session.save_path” check, identified by Stefan Esser. (CVE-2009-4143, Stas)
  • Fixed bug #49785 (insufficient input string validation of htmlspecialchars()). (CVE-2009-4142, Moriyoshi, hello at iwamot dot com)

(Please read the full announcement for more details)

Dotdeb packages of PHP 5.2.12 are now (finally) available for Debian “Lenny” and “Etch”, amd64 and i386.

Upgrading your servers is strongly encouraged because of several security issues, especially a multipart/form-data DoS (CVE-2009-4017). Please set the max_file_uploads parameter carefully.

The PHP 5.3.1 packages have been updated

The PHP 5.3.1 packages for Debian “Lenny” have been updated to fix:

  • the php5-fpm binary
  • the /etc/init.d/php5-fpm script

All should work fine now.

PHP 5.3.1 packages for Debian “Lenny”: they’re here!

The official announcement

A few days ago, the PHP Group released PHP 5.3.1:

The PHP development team would like to announce the immediate availability of PHP 5.3.1. This release focuses on improving the stability of the PHP 5.3.x branch with over 100 bug fixes, some of which are security related. All users of PHP are encouraged to upgrade to this release.

Security Enhancements and Fixes in PHP 5.3.1:

  • Added “max_file_uploads” INI directive, which can be set to limit the number of file uploads per-request to 20 by default, to prevent possible DOS via temporary file exhaustion.
  • Added missing sanity checks around exif processing.
  • Fixed a safe_mode bypass in tempnam().
  • Fixed an open_basedir bypass in posix_mkfifo().
  • Fixed failing safe_mode_include_dir.

Further details about the PHP 5.3.1 release can be found in the release announcement, and the full list of changes is available in the ChangeLog.

The Dotdeb changes

On the Debian side, some changes were made:

  • the packages are now patched with the official Suhosin patch.
  • besides the apache2, apache2filter, CGI and CLI flavours, the FPM one now has its own dedicated package, named “php5-fpm”. It gives you better performance and many more features on a CGI-style installation (FYI, an init script, a config file and an nginx config sample are provided).

How to install?

Because migrating from PHP 5.2 to PHP 5.3 can break some applications, here is the Dotdeb release policy:

  • PHP 5.2 is still the default branch for Debian Lenny for some weeks/months. PHP 5.3 packages are kept on a separate repository.
  • PHP 5.3 will be the default branch for the upcoming Debian Squeeze (mid-2010)

Then, to install PHP 5.3 on your Debian “Lenny” box, just add these two entries to your /etc/apt/sources.list:

deb http://php53.dotdeb.org stable all
deb-src http://php53.dotdeb.org stable all

Now launch your favorite commands (apt-get update && apt-get upgrade) to upgrade your box.

In case you enjoy this new release, feel free to donate or to take a look at my wishlist… Xmas is coming 😉

PHP 5.2.11 packages are available for Etch and Lenny

PHP 5.2.11 was published a few days ago by the PHP Group and its packages are now available for Debian Etch and Lenny, amd64 and i386. It fixes a lot of bugs and some security issues:

  • Fixed certificate validation inside php_openssl_apply_verification_policy. (Ryan Sleevi, Ilia)
  • Fixed sanity check for the color index in imagecolortransparent(). (Pierre)
  • Added missing sanity checks around exif processing. (Ilia)
  • Fixed bug #44683 (popen crashes when an invalid mode is passed). (Pierre)

To avoid the same negative feedback as with PHP 5.2.10, a lot of debugging and changes have been made:

  • The embedded_timezone patch has been disabled. You now have to set date.timezone manually in your /etc/php5/*/php.ini files, depending on your machine.
  • If you encounter problems with some applications and the CGI flavour, remember to set cgi.fix_pathinfo=1 in your php.ini (thanks Scott for reporting this)
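The PHP 5.2.12 post above asks you to set max_file_uploads carefully, and this post asks you to set date.timezone by hand and cgi.fix_pathinfo=1 for the CGI flavour. The script below is an added example, not part of Dotdeb's packages: it audits every php.ini under a config root (the Debian layout /etc/php5/<flavour>/php.ini is assumed) for those three directives. The helper names, the sample php.ini contents and the choice to flag only values above the 20-upload default are assumptions of this example; the default itself and CVE-2009-4017 come from the posts.

```shell
#!/bin/sh
# Added example, not part of Dotdeb's packages: audit the php.ini of every
# PHP flavour under a config root (Debian layout: /etc/php5/<flavour>/php.ini)
# for the directives the posts ask you to set by hand.

# ini_value FILE KEY -> effective value of KEY (last uncommented assignment
# wins), with trailing ";" comments and surrounding quotes stripped.
# KEY is a sed BRE, so escape dots: 'date\.timezone'.
ini_value() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | tail -n 1 \
        | sed 's/[[:space:]]*;.*$//; s/[[:space:]]*$//; s/^"\(.*\)"$/\1/'
}

# audit_php_ini ROOT -> one finding per line; returns 0 only when clean.
audit_php_ini() {
    root=$1; rc=0
    for ini in "$root"/*/php.ini; do
        [ -f "$ini" ] || continue
        flavour=$(basename "$(dirname "$ini")")
        # date.timezone: required since the embedded_timezone patch was dropped
        if [ -z "$(ini_value "$ini" 'date\.timezone')" ]; then
            echo "$flavour: date.timezone is not set"; rc=1
        fi
        # max_file_uploads: PHP defaults to 20; anything higher widens the
        # temporary-file exhaustion DoS (CVE-2009-4017) the directive limits
        uploads=$(ini_value "$ini" 'max_file_uploads')
        if [ -n "$uploads" ] && [ "$uploads" -gt 20 ] 2>/dev/null; then
            echo "$flavour: max_file_uploads=$uploads exceeds the default of 20"; rc=1
        fi
        # cgi.fix_pathinfo=1 is the setting the post recommends for the CGI flavour
        if [ "$flavour" = cgi ] && [ "$(ini_value "$ini" 'cgi\.fix_pathinfo')" != 1 ]; then
            echo "cgi: cgi.fix_pathinfo is not 1"; rc=1
        fi
    done
    return $rc
}

# make_sample_tree DIR -> constructed php.ini files (not real Dotdeb files):
# the apache2 flavour is sane, the cgi flavour has all three problems.
make_sample_tree() {
    mkdir -p "$1/apache2" "$1/cgi"
    printf '%s\n' '[Date]' 'date.timezone = "Europe/Paris"' \
        'max_file_uploads = 20' > "$1/apache2/php.ini"
    printf '%s\n' ';date.timezone =' 'max_file_uploads = 500 ; too generous' \
        'cgi.fix_pathinfo=0' > "$1/cgi/php.ini"
}

# Usage: ./audit.sh --demo   (runs on the constructed tree)
#        ./audit.sh /etc/php5
case "${1:-}" in
    --demo) tmp=$(mktemp -d); make_sample_tree "$tmp"
            audit_php_ini "$tmp"; echo "exit status: $?"; rm -rf "$tmp" ;;
    "")     : ;;
    *)      audit_php_ini "$1" ;;
esac
```

On the constructed tree the audit reports the three cgi findings and exits non-zero; on a clean tree it prints nothing and exits 0, so it can be chained into a post-upgrade check before the web server is restarted.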

As usual, read the full Changelog before upgrading.

PHP 5.3.0-final preview packages available for Debian Lenny

The official announcement of PHP 5.3.0

Read this announcement from PHP.net and its links carefully:

The PHP development team is proud to announce the immediate release of PHP 5.3.0. This release is a major improvement in the 5.X series, which includes a large number of new features and bug fixes.

Some of the key new features include: namespaces, late static binding, closures, optional garbage collection for cyclic references, new extensions (like ext/phar, ext/intl and ext/fileinfo), over 140 bug fixes and much more.

For users upgrading from PHP 5.2 there is a migration guide available here, detailing the changes between those releases and PHP 5.3.0.

Further details about the PHP 5.3.0 release can be found in the release announcement, and the full list of changes is available in the ChangeLog.

This is great news and a big step for PHP, which gets cleaner and faster (for example, read this benchmark of the ezPublish performance boost with PHP 5.3.0).

In my (sysadmin) opinion, the best features are:

  • ext/phar, to bundle a complete application in an archive
  • the MySQL native driver, which avoids the libmysqlclient dependency, increases overall performance and adds great features (real persistence, asynchronous queries)
  • the removal of dirty and unsafe features (register_globals, safe_mode, magic_quotes*)

The elePHPants march (credit: DragonBe)

Be careful!

Depending on your applications, PHP 5.3 may not be fully compatible with 5.2 out of the box:

  • many functions and features are deprecated or changed
  • some extensions (ming, ncurses…) moved to PECL, others (mime_magic, mhash) are just emulated
  • some bugs still exist and should be fixed in PHP 5.3.1

For example, I experienced some strange behaviour with WordPress, Sweetcron or Roundcube and I had to patch them.

Please read the migration guide very carefully before going further!

What are the changes from Dotdeb?

OK, now that you have read the Changelog and the migration guide, and you know how to modify your scripts for PHP 5.3, you have to be aware of some changes introduced by Dotdeb and their consequences:

  • The migration from libmysqlclient to the MySQL native driver is great in terms of performance and memory but has one restriction: it requires the newer 41-byte password format introduced in MySQL 4.1. Continued use of the old 16-byte passwords will cause mysql_connect() and similar functions to emit the error “mysqlnd cannot connect to MySQL 4.1+ using old authentication.” Please check your MySQL passwords in mysql.user before upgrading!
  • The mail_extra_headers feature, which allowed inserting the script’s name into sent mails, has been included in the core of PHP, and the ini variable is now mail.x_header
  • php5-mhash has disappeared: its functions are emulated by ext/hash, which is now included in the core of PHP.
  • php5-ming moved to PECL and is not packaged anymore
  • The Suhosin patch and the associated extension are not available yet (that’s what justifies the preview status)
  • Not all the PECL extensions are built yet. They will be as soon as the preview phase is over.
  • Enchant support has been included as a bonus feature 🙂
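The first point above, checking mysql.user for old 16-byte password hashes before switching to mysqlnd, is the one that silently breaks sites after the upgrade. Here is an added example of that check, not Dotdeb's own tooling: a shell filter that classifies each account's stored hash by format and exits non-zero when any pre-4.1 hash remains. The constructed sample rows, the helper names and the use of awk length checks (so the filter also runs on Debian's mawk) are assumptions of this example; the 16-byte versus 41-byte distinction comes from the post.

```shell
#!/bin/sh
# Added example, not Dotdeb's own tooling: find MySQL accounts still using the
# pre-4.1 16-hex-digit password hash, which mysqlnd (the driver these 5.3
# packages switch to) refuses to authenticate against.
#
# On a real server feed it the live table (assumed invocation):
#   mysql -B -N -e 'SELECT User, Host, Password FROM mysql.user' | classify_mysql_hashes

# classify_mysql_hashes < TSV(user, host, password)
#   -> prints "<user>@<host> <old|new|empty|unknown>" per row,
#      returns 1 when any account still has an old-format hash.
# Length checks are used instead of {n} quantifiers so it also runs on mawk.
classify_mysql_hashes() {
    awk -F '\t' '
        {
            p = $3
            if (p == "")                                      kind = "empty"
            else if (length(p) == 41 && p ~ /^\*[0-9A-F]+$/)  kind = "new"   # 4.1+ format
            else if (length(p) == 16 && p ~ /^[0-9a-f]+$/)    kind = "old"   # pre-4.1 format
            else                                              kind = "unknown"
            if (kind == "old") bad = 1
            print $1 "@" $2 " " kind
        }
        END { exit bad ? 1 : 0 }'
}

# sample_users -> constructed rows mimicking "mysql -B -N" output (tab-separated);
# the hashes are illustrative and not taken from any real server.
sample_users() {
    printf 'root\tlocalhost\t*94BDCEBE19083CE2A1F959FD02F964C7AF4CFC29\n'
    printf 'legacy\t%%\t5d2e19393cc5ef67\n'
    printf 'anon\tlocalhost\t\n'
}

# old_accounts < TSV -> just the user@host values that would break after the upgrade
old_accounts() {
    classify_mysql_hashes | awk '$2 == "old" { print $1 }'
}

# Usage: ./check.sh --demo   (runs on the constructed rows)
if [ "${1:-}" = "--demo" ]; then
    sample_users | old_accounts
fi
```

Accounts listed by old_accounts need their password reset with SET PASSWORD while old_passwords is disabled in the MySQL server, so the 41-byte hash is stored; anonymous accounts with an empty hash are reported separately because they are not a mysqlnd problem but are worth removing on their own.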

How to install?

As they’re just preview packages, the PHP 5.3.0-final ones are still on a separate repository. To install them, just add these temporary entries to your /etc/apt/sources.list:

deb http://php53.dotdeb.org stable all
deb-src http://php53.dotdeb.org stable all

Now launch your favorite commands (apt-get update && apt-get upgrade) to upgrade your box and enjoy!

For your information, I do NOT intend to publish PHP>=5.3.0 packages for Debian Etch; it would mean too much work to get clean packages… PHP 5.2.10 (once fixed) will be the last version available for Etch from Dotdeb. So you’re strongly encouraged to migrate to Debian Lenny if you want to benefit from 5.3.0.

Last but not least : thank you!

Thanks for using Dotdeb, for your useful reports and for your suggestions. Although I’m doing my best to bring you the best new features of PHP in a stable way, my work is not perfect and your help is really appreciated when things go bad.

PHP 5.2.10 packages for Lenny/Etch are now available!

A few days ago, the PHP development team announced the availability of PHP 5.2.10 with many improvements and 100+ bug fixes. Here is the Changelog.

Now that the corresponding Suhosin patch is available, the PHP 5.2.10 packages are available on Dotdeb:

  • for Debian Lenny and Etch
  • for the amd64 and i386 architectures

Upgrading your servers is highly recommended.

Update: The PHP 5.2.10 packages seem to be buggy under (un)certain conditions: (f)CGI + Suhosin.
Then I decided to roll back to 5.2.9 to avoid a flood of users’ requests and to give me time to investigate. If your PHP 5.2.10 does not encounter problems, keep it, you’re lucky :)

PHP 5.3.0 RC4 available

From PHP.net :

The PHP development team is proud to announce the fourth release candidate of PHP 5.3.0 (PHP 5.3.0RC4). This RC focuses on bug fixes and stability improvements, and we hope only minimal changes are required for the next candidate or final stable releases. PHP 5.3.0 is a newly developed version of PHP featuring long-awaited features like namespaces, late static binding, closures and much more.

Please download and test these release candidates, and report any issues found. A stable release is expected next week. In case of critical issues we will continue producing weekly RCs. Downloads and further information are available at qa.php.net. See also the work in progress 5.3 upgrade guide.

The preview packages for Debian GNU/Linux 5.0 “Lenny” on amd64 and i386 have been updated. Just apt-get upgrade.

PHP 5.3.0 RC3 packages for Lenny

The third (and probably the last) release candidate of PHP 5.3.0 has been published by the PHP Group a few days ago. Then I updated the preview packages for Debian GNU/Linux 5.0 “Lenny” on amd64 and i386.

To fetch them, just add these temporary entries to your /etc/apt/sources.list and upgrade your boxes:

deb http://php53.dotdeb.org stable all
deb-src http://php53.dotdeb.org stable all

Please note that an upgrade guide is being written. You may also want to visit this page.

PHP 5.3.0 RC2 packages for Lenny

A few days ago, the second release candidate of PHP 5.3.0 was published by the PHP Group.

I just updated the preview packages for Debian GNU/Linux 5.0 “Lenny” on amd64 and i386. Have fun!