PHP 5.3.11

On april 26th 2012, the PHP group has released PHP 5.3.11, that brings over 60 bug fixes, some of which are security related :

Security Enhancements and Fixes in PHP 5.3.11:

  • Fixed bug #54374 (Insufficient validating of upload name leading to corrupted $_FILES indices). (CVE-2012-1172).
  • Add open_basedir checks to readline_write_history and readline_read_history.
  • Fixed bug #61043 (Regression in magic_quotes_gpc fix for CVE-2012-0831).

Key enhancements in PHP 5.3.11 include:

  • Added debug info handler to DOM objects.
  • Fixed bug #61172 (Add Apache 2.4 support).

Packages of PHP 5.3.11 are now available on Dotdeb for Debian 6.0 “Squeeze” on both amd64 and i386 architectures.

As usual, please read the ChangeLog before upgrading and be sure to use to the latest packages before reporting any issue.


Packages of PHP 5.4.0 have been updated

Now that PHP 5.4.0 packages have been published as preview, issues have to be fixed. That’s why these packages have been updated with the following changes :

  • gzopen64() has been wrongly introduced on the i386 architecture, instead of the regular gzopen(). It is now fixed.
  • PCRE functions did not support Unicode. That’s ok now.
  • APC has been packaged as php5-apc against its svn/trunk version. It should now work well. Still waiting for an official release.
  • Xdebug should appear very soon is now available in 2.2.0RC1 version.
Thanks for your useful reports.

PHP 5.4.0 preview packages

After many months of active development, PHP 5.4.0 is now generally available :

The PHP development team is proud to announce the immediate release of PHP 5.4.0. This release is a major improvement in the 5.x series, which includes a large number of new features and bug fixes.
Some of the key new features include: traitsa shortened array syntaxa built-in webserver for testing purposes and more. PHP 5.4.0 significantly improves performance, memory footprint and fixes over 100 bugs.
For users upgrading from PHP 5.3 there is a migration guide available here, detailing the changes between those releases and PHP 5.4.0.
Further details about the PHP 5.4.0 release can be found in the release announcement, and the full list of changes are available in the ChangeLog.

On the Dotdeb side (thanks to Debian developers’ preliminary work), I’m proud to announce that preview packages of PHP 5.4.0 are now available for Debian 6.0 “Squeeze” on amd64 and i386 architectures. You are invited to test them on development servers, but please don’t install them on production servers yet : the Suhosin patch has not been applied, some extensions are not fully compatible and the following ones are missing…

  • php5-ffmpeg
  • php5-pinba
  • php5-suhosin
  • php5-xcache
  • php5-xdebug
  • php5-xhprof

Don’t worry, production-ready PHP 5.4 packages will be available in some few weeks, after the Suhosin patch and the missing extensions are published.

To avoid your servers to be accidentally upgraded from PHP 5.3 to PHP 5.4 without compatibility validation, the PHP 5.4 packages are available on a separate path. To install them, you’ll have to add this line to your /etc/apt/sources.list first (you can also use any Dotdeb mirror once they’re synchronized) :

deb squeeze-php54 all

The main changes in the packages :

  • if you need MySQL-related functions, you can now choose between the (libmysqlclient-linked) php5-mysql package and the (MySQL native – and better – driver-linked) php5-mysqlnd one
  • PHP extensions config files are now migrated to /etc/php5/mods-available/. Files in /etc/php5/conf.d/ are now just symlinks to them. Therefore, you can activate PHP extensions by using php5enmod/php5dismod.

I hope you’ll enjoy this new packages. Any feedback or donation is highly appreciated.


Security update : PHP 5.3.10

A few hours ago, PHP 5.3.10 has been released by the PHP Group. It’s an important security update for PHP 5.3.9 users : Stefan Esser discovered a remotely exploitable bug, introduced with PHP 5.3.9’s max_input_vars directive (CVE-2012-0830). You really should upgrade as soon as possible.

Packages of PHP 5.3.10 are now available for :

  • both Debian 6.0 “Squeeze” and Debian 5.0 “Lenny”,
  • both amd64 and i386 architectures.

(Lenny packages will be available on during two weeks before being migrated to because of the end of Lenny’s security support)


Advisory : buffer overflow in php5-suhosin

A few days ago, Stefan Esser discovered a buffer overflow in the “transparent cookie encryption stack” of the Suhosin extension. Here is the full advisory.

If you previously installed the php5-suhosin package, you should upgrade to its fixed new version (0.9.33) by running :

apt-get update
apt-get install --reinstall php5-suhosin

PHP 5.3.9

On january 10th 2012, the PHP group has released PHP 5.3.9, that brings over 90 bug fixes, some of which are security related :

Security Enhancements and Fixes in PHP 5.3.9:

  • Added max_input_vars directive to prevent attacks based on hash collisions. (CVE-2011-4885)
  • Fixed bug #60150 (Integer overflow during the parsing of invalid exif header). (CVE-2011-4566)

Key enhancements in PHP 5.3.9 include:

  • Fixed bug #55475 (is_a() triggers autoloader, new optional 3rd argument to is_a and is_subclass_of).
  • Fixed bug #55609 (mysqlnd cannot be built shared)
  • Many changes to the FPM SAPI module

PHP 5.3.9 is now available on Dotdeb for :

  • both Debian 6.0 “Squeeze” and Debian 5.0 “Lenny”
  • both amd64 and i386 architectures

As usual, please read the ChangeLog before upgrading and be sure to use to the latest packages before reporting any issue.

[edit] the packages have been updated to fix some Suhosin- and strtotime()-related issues. You really should upgrade at least :

  • to 5.3.9-0~dotdeb.3 if you’re running Squeeze
  • to 5.3.9-0~dotdeb.2 if you’re running Lenny

PHP 5.3.8 is available

On August 18th, the PHP Group released PHP 5.3.7 with many security enhancements and many bugfixes. Sadly, it suffered from an issue with the crypt() function , forcing the PHP Group to publish PHP 5.3.8 (that fixes a mysqlnd issue with SSL connections too).

I’m glad too announce that PHP 5.3.8 packages are now available on Dotdeb for both amd64 and i386 architectures :

  • for Debian 6.0 Squeeze : on the main Dotdeb repository
  • for Debian 5.0 “Lenny” : on

Ugrading to PHP 5.3.8 is strongly recommended, but please read the Changelog before.


PHP 5.3.6 is available

On March 17th, the PHP Group released PHP 5.3.6. This maintainance release, that focuses on security, is now available on Dotdeb for Debian 6.0 “Squeeze” in amd64 and i386 flavours.
The compatibility with the official Debian packages has been improved and you (especially the FPM users) should really take care of some important changes that I made :
  • the intl extension is now built in a separate package : php5-intl
  • the FPM binary is now /usr/sbin/php5-fpm (previously /usr/bin/php5-fpm)
  • the FPM configuration file is now /etc/php5/fpm/php-fpm.conf (previously /etc/php5/fpm/php5-fpm.conf)
  • the FPM pools have to be moved to /etc/php5/fpm/pool.d/ (previously /etc/php5/fpm/pools/)

As usual, please read the Changelog before upgrading.

Note : The PHP 5.3.6 packages for Debian 5.0 “Lenny” should be released soon.
Update : the PHP 5.3.6 packages for Debian 5.0 “Lenny” are now available on


PHP 5.3.5, now for Squeeze

I just released PHP 5.3.5 packages for Debian 6.0 (a.k.a “Squeeze”), with some changes against the Lenny’s ones :

  • the packaging process has been improved : dependencies were cleaned up, PHP tests are now displayed, libtool 2.2 is now supported (thanks to the Debian team for their precious work)
  • 3 new useful extensions have been packaged : gearman, phpredis and xhprof (without its interface files)

With these new packages, Dotdeb’s support for Squeeze is still experimental, but almost complete. Some more packages could be added in a near future :

  • MySQL (or Percona) Server 5.5 will replace MySQL Server 5.1. More info here and here.
  • a Nginx backport

The installation instructions did not change : just add Dotdeb’s GnuPG key to your keyring, pick a mirror near you and add squeeze-related lines to your sources.list. For example :

deb squeeze all
deb-src squeeze all

And, of course, feel free to donate if you find Dotdeb useful.


You really should upgrade to PHP 5.3.5 or 5.2.17

A few days after releasing PHP 5.3.4 and PHP 5.2.16, the PHP group announced an important security update with PHP 5.3.5 and PHP 5.2.17 :

This release resolves a critical issue, reported as PHP bug #53632 and CVE-2010-4645, where conversions from string to double might cause the PHP interpreter to hang on systems using x87 FPU registers.

The problem is known to only affect x86 32-bit PHP processes, regardless of whether the system hosting PHP is 32-bit or 64-bit. You can test whether your system is affected by running this script from the command line.

All users of PHP are strongly advised to update to these versions immediately.

The Dotdeb packages for Debian “Lenny” 5.0 are now available. You really should upgrade.