You really should upgrade to PHP 5.3.5 or 5.2.17

A few days after releasing PHP 5.3.4 and PHP 5.2.16, the PHP group announced an important security update with PHP 5.3.5 and PHP 5.2.17 :

This release resolves a critical issue, reported as PHP bug #53632 and CVE-2010-4645, where conversions from string to double might cause the PHP interpreter to hang on systems using x87 FPU registers.

The problem is known to only affect x86 32-bit PHP processes, regardless of whether the system hosting PHP is 32-bit or 64-bit. You can test whether your system is affected by running this script from the command line.

All users of PHP are strongly advised to update to these versions immediately.

The Dotdeb packages for Debian “Lenny” 5.0 are now available. You really should upgrade.

30 replies on “You really should upgrade to PHP 5.3.5 or 5.2.17”


package contains some error, probably it updated /etc/init.d/php-fpm then I could not restart/kill/start php-fpm coz it did not see pid file
Having dug up a bit I found out that 24th line in /etc/init.d/php-fpm should be changed from




Issue was replicated on several boxes.


Thank you eugene for the quick fix to this. That init script being broken extended by boot time by 20 seconds on top of the obvious problems associated with this script not working.

Hi Guillaume,

Thank you for your quick reactivity! You show that the whole PHP community reacts quickly when vulnerabilities are discovered.

Jean-Michel (andras)

I have one server where I would need 5.3.2 specifically, since php introduced changes in language semantics between two micro versions. Does dotdeb archive packages? I’d like to download the source packages and patch them myself with the fix to the security problem described above.

After an apt-get dist-upgrade, the following packages were removed : libapache2-mod-php5 mysql-client-5.1 mysql-server-5.1 mysql-server-core-5.1 php-pear php5 php5-cgi php5-cli php5-common php5-curl php5-dbg php5-dev
php5-gd php5-geoip php5-imagick php5-imap php5-mcrypt php5-mysql php5-suhosin php5-xcache.
The following packages were kept back : mysql-client-5.1 php5-dev.
The following packages were upgraded : mysql-server-core-5.1 php5-common php5-suhosin php5-xcache .
Like you can imagine, my server is now instable (can’t start php etc.). How can I restore the removed packages without losing databases content/config?

@Faith : use a real package manager (such as dselect, aptitude or synaptic) to resolve the conlicts that prevent php5, mysql-server-5.1 and so on… to be installed.

Debian Squeeze was released last night. Don’t forget to update your sources.list :
– Lenny is now known as “oldstable”
– Squeeze is now known as “stable”


if i try apt-get install php5-curl i get:

Reading package lists… Done
Building dependency tree
Reading state information… Done
Some packages could not be installed. This may mean that you have
requested an impossible situation or if you are using the unstable
distribution that some required packages have not yet been created
or been moved out of Incoming.
The following information may help to resolve the situation:

The following packages have unmet dependencies:
php5-curl: Depends: phpapi-20090626
E: Broken packages

in my /etc/apt/sources.list i have add:

deb stable all
deb-src stable all

deb stable all
deb-src stable all

apt-get upgrade (after apt-get update) tells me:

Reading package lists… Done
Building dependency tree
Reading state information… Done
The following packages have been kept back:
libapache2-mod-php5 mysql-client-5.1 mysql-server-5.1 mysql-server-core-5.1 php-pear php5 php5-cgi php5-cli php5-common php5-gd php5-imagick php5-imap php5-mcrypt
php5-mysql php5-suhosin
0 upgraded, 0 newly installed, 0 to remove and 15 not upgraded.

Why do i cant install php5-curl ???


@andy : are you sure that php5-curl comes from Dotdeb? Dotdeb’s php5-curl depends on phpapi-20090626+lfs

My advices :

1/ Squeeze is now stable and Lenny is oldstable. Check your sources.list as described in this note : http://localhost:8080/2011/02/06/debian-6-0-squeeze-has-been-released/
2/ run “apt-get update”
3/ be sure to install one of php5-cli, php5-cgi, php5-fpm or libapache2-mod-php5 that brings “phpapi-20090626+lfs” (not “phpapi-20090626”)

Man, this post saved my life — literally. The same problem that happened to @Faith happened on our shared hosting server. I simply removed all those packages, switch the dotdeb from stable to oldstable, did an apt-get update, and re-installed the packages. Back up now.

libapache2-mod-php5 package require apache2-mpm-prefork or apache2-mpm-itk.

Others mpm modules use mod-php5 such as mpm-peruser ( .

Can you add apache2-mpm-peruser and others mpm modules in the requirement of libapache2-mod-php5 package ?


Hello Guillaume Plessis, Whether there will be a person ready to undertake and adjust VDS? on beer of money I give: ) there is ISPManager Lite the license which on it will be necessary to force to work… I try to put already whole evening necessary packages, but leaves nothing. Sorry for my bad english, i’m from russia!!
Apache 2.2.22;
Php – 5.2.17(integrated module of MSSQL);
Zend Optimizer;
ICQ: 444420005. Big thanks for you!

Comments are closed.