A few days after releasing PHP 5.3.4 and PHP 5.2.16, the PHP group announced an important security update with PHP 5.3.5 and PHP 5.2.17:
This release resolves a critical issue, reported as PHP bug #53632 and CVE-2010-4645, where conversions from string to double might cause the PHP interpreter to hang on systems using x87 FPU registers.
The problem is known to only affect x86 32-bit PHP processes, regardless of whether the system hosting PHP is 32-bit or 64-bit. You can test whether your system is affected by running this script from the command line.
All users of PHP are strongly advised to update to these versions immediately.
The Dotdeb packages for Debian “Lenny” 5.0 are now available. You really should upgrade.
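As an added example (not from the Dotdeb post or the PHP project), a POSIX shell script that classifies a PHP build against the fixed versions named above: it assumes PHP_VERSION and PHP_INT_SIZE as reported by the php binary, treats a 32-bit build below 5.3.5 or 5.2.17 as needing the upgrade, and does not execute the hanging conversion itself.

```shell
#!/bin/sh
# Added example: classify a PHP build against the CVE-2010-4645 / bug #53632
# fix versions (5.3.5 and 5.2.17). The post states that only 32-bit x86 PHP
# processes are affected, so a 64-bit build is reported as not affected.

# Compare two dotted versions; prints -1, 0 or 1 (missing components count as 0).
vercmp() {
    a=$1; b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        ai=${a%%.*}; bi=${b%%.*}
        [ "$a" = "$ai" ] && a='' || a=${a#*.}
        [ "$b" = "$bi" ] && b='' || b=${b#*.}
        ai=${ai:-0}; bi=${bi:-0}
        if [ "$ai" -lt "$bi" ]; then echo -1; return; fi
        if [ "$ai" -gt "$bi" ]; then echo 1; return; fi
    done
    echo 0
}

# php_needs_upgrade VERSION INT_SIZE: returns 0 (true) when the build is
# 32-bit (PHP_INT_SIZE 4, a proxy for an x86 32-bit process) and its branch
# is below the fixed release. Distro suffixes such as "-7+squeeze1" are
# stripped; a distribution may have backported the fix under an older
# version number, which this version-only check cannot see.
php_needs_upgrade() {
    ver=$(printf '%s' "$1" | sed 's/[^0-9.].*//')
    [ "$2" -eq 4 ] || return 1
    case "$ver" in
        5.3.*) [ "$(vercmp "$ver" 5.3.5)" -lt 0 ] ;;
        5.2.*) [ "$(vercmp "$ver" 5.2.17)" -lt 0 ] ;;
        *) return 1 ;;
    esac
}

# Report on the php binary in PATH, if there is one (skipped otherwise).
report_local_php() {
    command -v php >/dev/null 2>&1 || { echo "no php binary in PATH"; return 0; }
    set -- $(php -r 'echo PHP_VERSION, " ", PHP_INT_SIZE;')
    if php_needs_upgrade "$1" "$2"; then
        echo "PHP $1 (32-bit build): below the CVE-2010-4645 fix, upgrade"
    else
        echo "PHP $1: not in the affected range"
    fi
}

report_local_php
```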
30 replies on “You really should upgrade to PHP 5.3.5 or 5.2.17”
Thanks for the quick release 😉
Yep, thanks for the quick update. 🙂
Thanks a lot!
Hi
The package contains an error: it probably updated /etc/init.d/php-fpm, then I could not restart/kill/start php-fpm because it did not see the pid file.
Having dug a bit, I found out that the 24th line in /etc/init.d/php-fpm should be changed from
php_fpm_PID=/var/$php_fpm_PID
to
php_fpm_PID=$php_fpm_PID
The issue was replicated on several boxes.
Thanks
Thank you eugene for the quick fix to this. That init script being broken extended my boot time by 20 seconds on top of the obvious problems associated with this script not working.
Hi Guillaume,
Thank you for your quick reactivity! You show that the whole PHP community reacts quickly when vulnerabilities are discovered.
Jean-Michel (andras)
I have one server where I would need 5.3.2 specifically, since php introduced changes in language semantics between two micro versions. Does dotdeb archive packages? I’d like to download the source packages and patch them myself with the fix to the security problem described above.
@Frank Van Damme : take a look at http://archives-php53.dotdeb.org/
Will there be a php-fpm 5.2.17 package?
@Halfi : no it won’t. Sorry
Will there be a 5.3.5 mhash package available?
@Aaron : no, mhash is deprecated. Use hash instead (bundled in the PHP core) : http://www.php.net/manual/en/intro.mhash.php
Hi
After an apt-get dist-upgrade, the following packages were removed : libapache2-mod-php5 mysql-client-5.1 mysql-server-5.1 mysql-server-core-5.1 php-pear php5 php5-cgi php5-cli php5-common php5-curl php5-dbg php5-dev
php5-gd php5-geoip php5-imagick php5-imap php5-mcrypt php5-mysql php5-suhosin php5-xcache.
The following packages were kept back : mysql-client-5.1 php5-dev.
The following packages were upgraded : mysql-server-core-5.1 php5-common php5-suhosin php5-xcache .
As you can imagine, my server is now unstable (can’t start php etc.). How can I restore the removed packages without losing database content/config?
Regards
@Faith : use a real package manager (such as dselect, aptitude or synaptic) to resolve the conflicts that prevent php5, mysql-server-5.1 and so on… from being installed.
Debian Squeeze was released last night. Don’t forget to update your sources.list :
– Lenny is now known as “oldstable”
– Squeeze is now known as “stable”
Thanks for your reply.
The problem came from not updating sources.list.
Hi.
If I try apt-get install php5-curl I get:
—
Reading package lists… Done
Building dependency tree
Reading state information… Done
Some packages could not be installed. This may mean that you have
requested an impossible situation or if you are using the unstable
distribution that some required packages have not yet been created
or been moved out of Incoming.
The following information may help to resolve the situation:
The following packages have unmet dependencies:
php5-curl: Depends: phpapi-20090626
E: Broken packages
—
In my /etc/apt/sources.list I have added:
—
deb http://packages.dotdeb.org stable all
deb-src http://packages.dotdeb.org stable all
deb http://php53.dotdeb.org stable all
deb-src http://php53.dotdeb.org stable all
—
apt-get upgrade (after apt-get update) tells me:
—
Reading package lists… Done
Building dependency tree
Reading state information… Done
The following packages have been kept back:
libapache2-mod-php5 mysql-client-5.1 mysql-server-5.1 mysql-server-core-5.1 php-pear php5 php5-cgi php5-cli php5-common php5-gd php5-imagick php5-imap php5-mcrypt
php5-mysql php5-suhosin
0 upgraded, 0 newly installed, 0 to remove and 15 not upgraded.
—
Why can’t I install php5-curl???
regards,
andy
@andy : are you sure that php5-curl comes from Dotdeb? Dotdeb’s php5-curl depends on phpapi-20090626+lfs
My advice:
1/ Squeeze is now stable and Lenny is oldstable. Check your sources.list as described in this note : http://localhost:8080/2011/02/06/debian-6-0-squeeze-has-been-released/
2/ run “apt-get update”
3/ be sure to install one of php5-cli, php5-cgi, php5-fpm or libapache2-mod-php5 that brings “phpapi-20090626+lfs” (not “phpapi-20090626”)
Man, this post saved my life — literally. The same problem that happened to @Faith happened on our shared hosting server. I simply removed all those packages, switched the dotdeb source from stable to oldstable, did an apt-get update, and re-installed the packages. Back up now.
How can I get 5.2.17 for squeeze?
@named : insert this line in your sources.list, run “apt-get update” and then the 5.2.17 packages for Lenny should be available for Squeeze :
deb http://packages.dotdeb.org lenny all
You may have to specify the wanted version : apt-get install php5=5.2.17
I wonder, does the same apply for 5.3.x versions of PHP, or will apt-get realize this once I switch the sources list file to squeeze/stable?
The libapache2-mod-php5 package requires apache2-mpm-prefork or apache2-mpm-itk.
Other MPM modules, such as mpm-peruser (http://www.peruser.org/trac/peruser), also use mod-php5.
Can you add apache2-mpm-peruser and other MPM modules to the requirements of the libapache2-mod-php5 package?
Thanks
@vincent : I’ll see what I can do in the next PHP 5.3 packages.
Hello!
Can you provide a link for the current old Lenny repo to install PHP 5.2.17 on Debian 5?
Do you have links to old versions, like http://archive.debian.org?
thank you
@adminko : as written on this page (http://localhost:8080/instructions/), old packages are kept on http://archives.dotdeb.org/
I have already found it, thanks 😉
W: Failed to fetch http://archives.dotdeb.org/dists/lenny/php5/5.2.17/binary-i386/Packages 404 Not Found
Can you help me with the link on how to install PHP 5.2.17 on Debian 5?
Why doesn’t the Packages directory exist for the old version? Is this an error?
@adminko : archives.dotdeb.org is not a repository; fetch and install the packages manually.
Thank you very much !
I have downloaded and upgraded PHP to 5.2.17.
I was searching Google for a full day )
Thanks again!
Hello Guillaume Plessis, will there be a person ready to undertake and adjust a VDS? I give beer money : ) There is an ISPManager Lite license which will need to be made to work on it… I have been trying to install the necessary packages the whole evening already, but nothing comes of it. Sorry for my bad English, I’m from Russia!!
Apache 2.2.22;
PHP 5.2.17 (integrated MSSQL module);
Zend Optimizer;
IonCube;
MySQL;
ICQ: 444420005. Big thanks to you!