[security] php 5.2.0 update (remote code execution)

mhakali · 2006-11-04 01:44:03

Hi!

I just throw together an updated PHP package for those of you who want to patch your web servers against the advisory released yesterday.

The package is available here:

http://adiza.nexticom.net/files/package … pkg.tar.gz

The advisory is available here:

http://www.frsirt.com/english/advisories/2006/4317

Note that it is without IMAP and ODBC support since i did not have these packages installed.

Greets.

Pierre · 2006-11-04 10:01:26

It would be nice if you could post the PKGBUILD here. I did not manage to build pear on Arch64.

n00b.tux · 2006-11-06 20:12:37

Somehow this release disabled session support: I do not have tested it well but when playing around with drupal I noticed I couldnt log in anymore. So checked the settings and everything looked ok until I realized that in the /tmp folder no session files were created. I switched back to 5.1.6-4 and it worked again. I am sorry for not being able to give further info but could somebody test if session data is created correctly?

mallow005 · 2006-11-07 08:44:45

Also, upgrading to php 5.2.0 will break php-cgi (needed for fcgi under lighttpd) since the latest php-cgi available in the repositories is 5.1.6! Please fix!

Pierre · 2006-11-07 16:29:25

If you use this an a webserver you should compile from abs; using old php-versions is a security-risk.

kth5 · 2006-11-07 17:29:32

Upgrading to PHP 5.2.0 is the fix already and we have that in current as you can see.

Pierre · 2006-11-07 17:35:23

No, there is still no update for php-cgi. See http://www.archlinux.org/packages/8635/

Prieto · 2006-11-07 21:16:08

php and php-cgi should always be updated at once. Currently they have different maintainers, maybe one maintainer should take care of both.

Romashka · 2006-11-07 21:44:49

Prieto wrote:

php and php-cgi should always be updated at once. Currently they have different maintainers, maybe one maintainer should take care of both.

Agree completely. There's no point in updating php and php-cgi by different maintainers at different time.
Also eaccelerator and php-apc should be updated at the same time with php.

enr1x · 2006-11-09 03:37:35

Well, just upgraded my installation and, as you can guess, my php+mysql app (gallery2) is not working. If upgrading means problems, i don't think much people which depends on such apps would be attracted to this distro. Fortunately we will get this problem solved soon...

Thank you for your help,

Enric
(http://enr1x.info http://enr1x.info/gallery (DEAD)

Pierre · 2006-11-09 07:16:32

Gallery2 works just fine with new PHP.

n00b.tux · 2006-11-09 15:49:57

did somebody test server-side session data creation (/tmp folder)?

Arch Linux

#1 2006-11-04 01:44:03

[security] php 5.2.0 update (remote code execution)

#2 2006-11-04 10:01:26

Re: [security] php 5.2.0 update (remote code execution)

#3 2006-11-06 20:12:37

Re: [security] php 5.2.0 update (remote code execution)

#4 2006-11-07 08:44:45

Re: [security] php 5.2.0 update (remote code execution)

#5 2006-11-07 16:29:25

Re: [security] php 5.2.0 update (remote code execution)

#6 2006-11-07 17:29:32

Re: [security] php 5.2.0 update (remote code execution)

#7 2006-11-07 17:35:23

Re: [security] php 5.2.0 update (remote code execution)

#8 2006-11-07 21:16:08

Re: [security] php 5.2.0 update (remote code execution)

#9 2006-11-07 21:44:49

Re: [security] php 5.2.0 update (remote code execution)

#10 2006-11-09 03:37:35

Re: [security] php 5.2.0 update (remote code execution)

#11 2006-11-09 07:16:32

Re: [security] php 5.2.0 update (remote code execution)

#12 2006-11-09 15:49:57

Re: [security] php 5.2.0 update (remote code execution)

Board footer