Categories
Miscellaneous

No more Debian 5.0 “Lenny” support after February 2012

The Debian project has announced in a security advisory (DSA-2360-1) that the security support for Debian GNU/Linux 5.0 “Lenny” will be terminated in February 2012:

This is an advance notice that security support for Debian GNU/Linux 5.0 
(code name "lenny") will be terminated in two months.

The Debian project released Debian GNU/Linux 6.0 alias "squeeze" on the 
6th of February 2011. Users and distributors have been given a one-year 
timeframe to upgrade their old installations to the current stable 
release. Hence, the security support for the old release of 5.0 is going 
to end on the 6th of February 2012 as previously announced.

Previously announced security updates for the old release will continue 
to be available on security.debian.org.

FYI, Dotdeb will follow this decision and no new packages will be available for Debian 5.0 after February 2012. Don’t be sad, this will give me some free time to focus on PHP 5.4 packages and some more cool tools.

It’s now time to upgrade your last Lenny boxes…

Categories
PHP

PHP 5.3.6 is available

On March 17th, the PHP Group released PHP 5.3.6. This maintenance release, which focuses on security, is now available on Dotdeb for Debian 6.0 “Squeeze” in amd64 and i386 flavours.
The compatibility with the official Debian packages has been improved, and you (especially the FPM users) should pay close attention to some important changes that I made:
  • the intl extension is now built in a separate package: php5-intl
  • the FPM binary is now /usr/sbin/php5-fpm (previously /usr/bin/php5-fpm)
  • the FPM configuration file is now /etc/php5/fpm/php-fpm.conf (previously /etc/php5/fpm/php5-fpm.conf)
  • the FPM pools have to be moved to /etc/php5/fpm/pool.d/ (previously /etc/php5/fpm/pools/)
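The following helper is an added example, not part of the Dotdeb packages: it checks a box for the old php5-fpm layout described above and moves leftover pool files into pool.d. It takes a root prefix as its argument so it can be tried against a scratch directory first; the paths are the ones listed in the post, and the function prints the number of pool files it moved.

```shell
#!/bin/sh
# Added example (not Dotdeb's own code): migrate the pre-5.3.6 php5-fpm
# layout to the new one. Argument: filesystem root ("/" on a real host).
migrate_fpm_layout() {
    root="${1%/}"
    old_conf="$root/etc/php5/fpm/php5-fpm.conf"
    new_conf="$root/etc/php5/fpm/php-fpm.conf"
    old_pools="$root/etc/php5/fpm/pools"
    new_pools="$root/etc/php5/fpm/pool.d"
    moved=0

    # The old main config is no longer read; refuse to continue if the new
    # one is missing, otherwise FPM would start with no configuration at all.
    if [ -f "$old_conf" ] && [ ! -f "$new_conf" ]; then
        echo "old config $old_conf present but $new_conf missing" >&2
        return 1
    fi

    # Move each pool definition into pool.d, never clobbering a file that is
    # already there (it may have been edited after the package upgrade).
    if [ -d "$old_pools" ]; then
        mkdir -p "$new_pools"
        for f in "$old_pools"/*.conf; do
            [ -e "$f" ] || continue
            dest="$new_pools/$(basename "$f")"
            if [ -e "$dest" ]; then
                echo "skipping $f: $dest already exists" >&2
                continue
            fi
            mv "$f" "$dest"
            moved=$((moved + 1))
        done
    fi
    echo "$moved"
}
```

On a real host, run `/usr/sbin/php5-fpm -t` afterwards so the moved pools are syntax-checked before the service is restarted.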

As usual, please read the Changelog before upgrading.

Note: The PHP 5.3.6 packages for Debian 5.0 “Lenny” should be released soon.
Update: the PHP 5.3.6 packages for Debian 5.0 “Lenny” are now available on http://php53.dotdeb.org/

Categories
PHP

You really should upgrade to PHP 5.3.5 or 5.2.17

A few days after releasing PHP 5.3.4 and PHP 5.2.16, the PHP group announced an important security update with PHP 5.3.5 and PHP 5.2.17:

This release resolves a critical issue, reported as PHP bug #53632 and CVE-2010-4645, where conversions from string to double might cause the PHP interpreter to hang on systems using x87 FPU registers.

The problem is known to only affect x86 32-bit PHP processes, regardless of whether the system hosting PHP is 32-bit or 64-bit. You can test whether your system is affected by running this script from the command line.

All users of PHP are strongly advised to update to these versions immediately.

The Dotdeb packages for Debian 5.0 “Lenny” are now available. You really should upgrade.

Categories
MySQL

Packages of MySQL 5.1.53 are available for Lenny… and Squeeze!

MySQL 5.1.53 packages for Debian 5.0 “Lenny” are now available on Dotdeb in amd64/i386 flavours. Please note that they’re available as a preview for Squeeze too.

This maintenance release fixes many bugs and security issues. Upgrading is strongly recommended after having read the Changelogs here and here.

Categories
MySQL

Upgrade to MySQL 5.1.51! It fixes a DoS vulnerability

MySQL versions prior to 5.1.51 (including 5.1.50) suffer from a vulnerability in the processing of arguments passed to the LEAST() or GREATEST() functions. This issue could be exploited by a malicious user to cause a server crash, leading to a DoS condition.

You really should upgrade your Lenny servers (amd64 or i386) with the new packages of MySQL 5.1.51 from Dotdeb. As usual, don’t forget to read the Changelog before upgrading.

Categories
Miscellaneous

Dotdeb packages are now signed!

After many requests from several users and after many months of promise, the Dotdeb repositories are GPG-signed. Yes, you can now get rid of the annoying “WARNING: The following packages cannot be authenticated!” message!

Until a dotdeb-keyring package is available, you just have to get the key and add it to your trusted keys’ keyring:

gpg --keyserver keys.gnupg.net --recv-key 89DF5277
gpg -a --export 89DF5277 | sudo apt-key add -
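As an added example (not part of the Dotdeb post), here is a small check to run between the two commands above: the short id 89DF5277 alone does not uniquely identify a key, so the full fingerprint of what the keyserver returned should be compared with one published out of band before the key is handed to apt-key. EXPECTED_FPR is a placeholder to be replaced with the fingerprint published by Dotdeb.

```shell
#!/bin/sh
# Added example, not Dotdeb's own code. EXPECTED_FPR is a placeholder.
EXPECTED_FPR="0000000000000000000000000000000000000000"

# Read "gpg --with-colons --fingerprint" output on stdin and print the
# fingerprint(s) it contains: "fpr" records carry the value in field 10.
fingerprints_from_colons() {
    awk -F: '$1 == "fpr" { print $10 }'
}

# Return 0 only if the key with the given id has the expected fingerprint
# in the local keyring (i.e. the key fetched from the keyserver is the
# one whose fingerprint was published).
key_matches() {
    keyid="$1"; expected="$2"
    gpg --with-colons --fingerprint "$keyid" 2>/dev/null \
        | fingerprints_from_colons | grep -qx "$expected"
}

# Usage on a real host (keyserver access needed, as in the post):
#   gpg --keyserver keys.gnupg.net --recv-key 89DF5277
#   key_matches 89DF5277 "$EXPECTED_FPR" \
#       && gpg -a --export 89DF5277 | sudo apt-key add -
```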

I hope you’ll enjoy it.

Categories
MySQL

MySQL 5.1.47, a security-focused release, is available

MySQL 5.1.47 is now available on Dotdeb for your Lenny servers, in amd64 and i386 flavours.

This is a security-oriented release that fixes some serious flaws. Please read the full changelog for more information.

Please also note that the InnoDB plugin has been upgraded to version 1.0.8 and is now considered of General Availability quality. Feel free to use it for a performance boost.

Categories
PHP

May is the month of PHP security

According to Stefan Esser, author of the Suhosin patch, May 2010 will be the “Month of PHP Security”:

This initiative continues the effort of Hardened-PHP’s Month of PHP Bugs in 2007 to improve the security of PHP and the PHP ecosystem by disclosing vulnerabilities in PHP and PHP applications on the one hand and on the other hand by publishing articles and tools that help PHP application developers to develop more secure PHP applications.

You’ll find more information on the MoPS website, and you can follow its Twitter account to discover each vulnerability as soon as it’s reported.

Categories
Miscellaneous

Etch security support discontinued by Debian on Feb. 15th…

The Debian security team announced that Debian 4.0 “Etch” security support will end on February 15th, 2010:

Security Support for Debian GNU/Linux 4.0 to be discontinued on
February 15th

One year after the release of Debian GNU/Linux 5.0 alias 'lenny' and
nearly three years after the release of Debian GNU/Linux 4.0 alias
'etch' the security support for the old distribution (4.0 alias
'etch') is coming to an end next month.  The Debian project is proud
to be able to support its old distribution for such a long time and
even for one year after a new version has been released.

The Debian project has released Debian GNU/Linux 5.0 alias 'lenny' on
the 14th of February 2009.  Users and Distributors have been given a
one-year timeframe to upgrade their old installations to the current
stable release.  Hence, the security support for the old release of
4.0 is going to end in February 2010 as previously announced.

Previously announced security updates for the old release will continue
to be available on security.debian.org.

Dotdeb will follow the Debian project, and all the Etch packages will be moved to http://archives.dotdeb.org/ on Feb. 15th.

It is now time for you to upgrade your last servers from Etch to Lenny…

What’s next?

I’ll have to prepare the Squeeze release (planned for August 2010). The (early) plans:

  • Focus on high quality PHP 5.3 and MySQL 5.1+ packages
  • More useful tools for your LAMP platforms: Gearman, Maatkit… MariaDB? Drizzle? Wait & see
  • No more mail-related packages (Qmail, Vpopmail, Courier, Dovecot, Vqadmin)

Categories
MySQL

MySQL 5.1.41 has been updated to fix a security issue

I just uploaded new MySQL 5.1.41 packages that fix a remote buffer overflow in MySQL servers that use the embedded YaSSL library:

Since Debian and Dotdeb are impacted, you are strongly encouraged to upgrade your servers.