Month: January 2010

Categories
Miscellaneous

Etch security support discontinued by Debian on Feb. 15th…

The Debian security team announced that Debian 4.0 “Etch” security support  will be ended on February 15th, 2010 :

Security Support for Debian GNU/Linux 4.0 to be discontinued on
February 15th

One year after the release of Debian GNU/Linux 5.0 alias 'lenny' and
nearly three years after the release of Debian GNU/Linux 4.0 alias
'etch' the security support for the old distribution (4.0 alias
'etch') is coming to an end next month.  The Debian project is proud
to be able to support its old distribution for such a long time and
even for one year after a new version has been released.

The Debian project has released Debian GNU/Linux 5.0 alias 'lenny' on
the 14th of February 2009.  Users and Distributors have been given a
one-year timeframe to upgrade their old installations to the current
stable release.  Hence, the security support for the old release of
4.0 is going to end in February 2010 as previously announced.

Previously announced security updates for the old release will continue
to be available on security.debian.org.

Then, Dotdeb will follow the Debian project and all the Etch packages will be moved to http://archives.dotdeb.org/ on Feb. 15th.

It is now time for you to upgrade your last servers from Etch to Lenny…

What’s next?

I’ll have to prepare the Squeeze release (planned on August 2010). The (early) plans ?

  • Focus on high quality PHP 5.3 and MySQL 5.1+ packages
  • More useful tools for your LAMP platforms : Gearman, Maatkit… MariaDB? Drizzle? Wait & see
  • No more mail-realated packages (Qmail, Vpopmail, Courier, Dovecot, Vqadmin)
Categories
MySQL

MySQL 5.1.41 has been updated to fix a security issue

I just uploaded new MySQL 5.1.41 packages that fix a remote buffer overflow in MySQL servers that use the embedded YaSSL library :

Since Debian and Dotdeb are impacted, you are strongly encouraged to upgrade your servers.

Categories
Miscellaneous

Dotdeb interviewed by PHP TV

Just for fun : I’ve been interviewed about Dotdeb by PHP TV, a french-speaking webTV.

Categories
PHP

PHP 5.2.12 packages are here!

On December 17th 2009, the PHP Group released PHP 5.2.12 :

The PHP development team would like to announce the immediate availability of PHP 5.2.12. This release focuses on improving the stability of the PHP 5.2.x branch with over 60 bug fixes, some of which are security related. All users of PHP 5.2 are encouraged to upgrade to this release.

Security Enhancements and Fixes in PHP 5.2.12:

  • Fixed a safe_mode bypass in tempnam() identified by Grzegorz Stachowiak. (CVE-2009-3557, Rasmus)
  • Fixed a open_basedir bypass in posix_mkfifo() identified by Grzegorz Stachowiak. (CVE-2009-3558, Rasmus)
  • Added “max_file_uploads” INI directive, which can be set to limit the number of file uploads per-request to 20 by default, to prevent possible DOS via temporary file exhaustion, identified by Bogdan Calin. (CVE-2009-4017, Ilia)
  • Added protection for $_SESSION from interrupt corruption and improved “session.save_path” check, identified by Stefan Esser. (CVE-2009-4143, Stas)
  • Fixed bug #49785 (insufficient input string validation of htmlspecialchars()). (CVE-2009-4142, Moriyoshi, hello at iwamot dot com)

(Please read the full announcement for more details)

Dotdeb packages of PHP 5.2.12 are now (finally) available for Debian “Lenny” and “Etch”, amd64 and i386.

Upgrading your servers is strongly encouraged because of several security issue, especially a multipart/form-data DoS (CVE-2009-4017). Please set the max_file_uploads parameter carefully.