
PHP 5.3.9

On January 10th 2012, the PHP group released PHP 5.3.9, which brings over 90 bug fixes, some of which are security related:

Security Enhancements and Fixes in PHP 5.3.9:

  • Added max_input_vars directive to prevent attacks based on hash collisions. (CVE-2011-4885)
  • Fixed bug #60150 (Integer overflow during the parsing of invalid exif header). (CVE-2011-4566)

Key enhancements in PHP 5.3.9 include:

  • Fixed bug #55475 (is_a() triggers autoloader, new optional 3rd argument to is_a and is_subclass_of).
  • Fixed bug #55609 (mysqlnd cannot be built shared)
  • Many changes to the FPM SAPI module

PHP 5.3.9 is now available on Dotdeb for:

  • both Debian 6.0 “Squeeze” and Debian 5.0 “Lenny”
  • both amd64 and i386 architectures

As usual, please read the ChangeLog before upgrading and be sure to use the latest packages before reporting any issue.

[edit] the packages have been updated to fix some Suhosin- and strtotime()-related issues. You really should upgrade at least:

  • to 5.3.9-0~dotdeb.3 if you’re running Squeeze
  • to 5.3.9-0~dotdeb.2 if you’re running Lenny

72 replies on “PHP 5.3.9”

I also have one application that is crashing since the upgrade to 5.3.9 and my friend reproduced it on another VM, but same software.

@Dave
Replicated on my crashing system.

Interactive shell
php > strtotime('2012-01-12 21:13:28 UTC');
Crashes with: Segmentation fault

I know this doesn’t help the people running this service but just stating here for the users:

I also have problems with this specific version and I didn't yet find anything useful in the logs. Rolled back to 5.3.8-1~dotdeb.2 until I have some time to look into this.

The update solved the problem. My application is working now.

@Guillaume Plessis, what was the cause of the segmentation fault? What can we learn from this?

On a related note, my suhosin.ini file still gets overwritten every time I update PHP packages. Could the file be added to the list of config files in the php5-suhosin Debian package so it asks before overwriting?

@Guillaume Plessis yep, everything works as desired now … thanks for the ultra-fast response/update 🙂

Uhh I got a question about these packages and the mirrors.

At least for my mirror I host for dotdeb the lenny packages don’t seem to be there. All I see is 5.2.17-0.dotdeb.0 still. And yes I made sure the rsync ran.

Actually I think you did this by design.

I do have some clients that can’t use 5.3 yet and my accounting/billing software can’t use 5.3 just yet. So better to not put it in the main repo just yet.

@Scott : packages.dotdeb.org contains :
* PHP 5.3.9 packages for Squeeze
* PHP 5.2.17 packages for Lenny

Packages of PHP 5.3.9 for Lenny are on php53.dotdeb.org (that has its own “php53” module on rsync.dotdeb.org)

Any chance you could put 5.3.8 back online please? Thought it would be on your repository but it doesn't seem to be :/

Hint:
If you're using php5-fpm and a file extension other than .php, add "security.limit_extensions = no" to all your fpm pool (!) definitions, or files with extensions other than .php will not be parsed and you'll see just an "Access Denied" as output.

I really dislike changes of this kind in a minor release – and the lack of documentation also!

*grrrr*
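A defender's check for the setting discussed in this hint, as an added example that is not code from the post or from Dotdeb: a POSIX shell audit that reports every php-fpm pool whose security.limit_extensions has been widened beyond .php or emptied (an empty value lets FPM run any file as PHP, which is exactly what the directive guards against). It assumes Debian's one-pool-per-file layout under a directory you pass in, with pool files ending in .conf.

```shell
#!/bin/sh
# Added example, not from the post or the Dotdeb packages: audit php-fpm pool
# files for a security.limit_extensions setting that is widened or emptied.
# Assumes one pool per file (the Debian layout) and that pool files end in .conf.

# Print the effective security.limit_extensions value of one pool file.
pool_limit_extensions() {
    # take the last uncommented assignment in the file (assumed to be the one in force)
    line=$(grep -E '^[[:space:]]*security\.limit_extensions[[:space:]]*=' "$1" | tail -n 1)
    if [ -z "$line" ]; then
        echo ".php"            # php-fpm default when the directive is absent
        return 0
    fi
    # keep the value only: drop the key, an inline ';' comment and surrounding blanks
    v=$(printf '%s\n' "$line" | sed 's/^[^=]*=//; s/;.*$//; s/^[[:space:]]*//; s/[[:space:]]*$//')
    if [ -z "$v" ]; then
        echo "(disabled)"      # empty value: every request path is run as PHP
    else
        echo "$v"
    fi
}

# Print one line per pool whose setting is not the default ".php".
audit_fpm_pools() {
    for f in "$1"/*.conf; do
        [ -f "$f" ] || continue
        v=$(pool_limit_extensions "$f")
        [ "$v" = ".php" ] || echo "$f: security.limit_extensions = $v"
    done
}
```

Run it as `audit_fpm_pools /etc/php5/fpm/pool.d` after an upgrade; an empty report means every pool still restricts execution to .php.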

I thought I had posted this but now I can't see it, so in case I didn't: apc.ini is being overwritten still with new updates. When making pecl packages locally, it doesn't happen, so I assume your perl helper needs an upgrade or something.

Is it ok? I see 5.3.9-1~dotdeb.2 in phpinfo, but the repo is for Squeeze (stable). Upgraded packages just right now. My system is Ubuntu 11.10 64-bit.

It appears that php5-fpm has lost all warnings from 5.3.8 to 5.3.9 in the dotdeb build.

Verified that the warnings are not sent over the network on the fpm port. Example script that spits warnings in 5.3.8 and won’t in 5.3.9 (with E_ALL | E_STRICT ):

<?php
$a[a];

Thanks for maintaining this!

Hi Guillaume

I've noticed this bug on quite a few upgrades of PHP now.

Whenever I update PHP and its plugins (like APC etc.)

all my configs in my plugins' ini files get reset back to default.

E.g. I have custom APC settings and every update I have to manually back up and recopy the config settings back into place.

The upgrader asks about the fpm and cli php.ini files what I want to do, but not the plugins. Any chance of rectifying this?

Same thing with suhosin.ini — so what I did was chattr +i all my ini files, that will stop the overwriting.

php5-curl and several others are having dependency issues:

php5-curl : Depends: php5-common (= 5.3.3-7+squeeze3) but 5.3.9-1~dotdeb.3 is going to be installed.
E: Broken Packages

On the other hand, installing libmysqlclient15-dev (required to build the sphinx search engine) is also broken.

Any hints on this one? I have to install everything prior to enabling the dotdeb repos, but that way I lose updates on one of the two repos.

Hello Guillaume,

For my part, I am coming back to this post to find out why some WordPress sites were returning blank pages with a 200 status code.

Apparently all the WordPress sites that were configured with php_admin_value[memory_limit]=32M randomly crash with out-of-memory errors. Strangely, everything was fine in 5.3.8; I wonder whether v9 might have memory consumption problems.
I tried removing APC, but without success.

Another, more important point: at least one variable from the config files is no longer taken into account. In my FPM configs each vhost has its own log files, and I was surprised to see nothing in them about any error.

I realised that since the update, the php_admin_value[error_log] value in the vhost's config file no longer overrides the value declared in php5-fpm.conf.

I can't see what causes this; I tried declaring it as php_value, without success.
Currently it is the entry error_log = /var/log/php5-fpm.conf in /etc/php5/fpm/php5-fpm.conf that is used by all vhosts.

Any idea?

@Kevin I'm not having that issue on any server. It sounds like something didn't upgrade like it should have. Have you tried reinstalling the 5.3 packages again?

There is still a bug with your package.
This is related only to the /etc/init.d/php5-fpm file.

On the reload command the script sends a SIGHUP instead of SIGUSR2 as documented in php-fpm. The current behavior kills the master process. This has been corrected in the latest releases of php-fpm for Debian sid and unstable as stated here http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=645934

It would be nice to have it corrected in dotdeb packages too.

Yes, I have php5-suhosin 5.3.9-1~dotdeb.3 installed and enabled with default config:

; configuration for php suhosin module
extension=suhosin.so
suhosin.executor.include.whitelist="phar"

Hi,

Thanks for the update!
Just wondering: what is the preferred approach for handling php.ini changes when one has customisations in the existing php.ini?

Is it a case of using diff/merge? Or is there a better way?

Thanks!

You can’t even guess how pissed off I am about all the ini’s getting written over.

33 servers I have to fix because of this.

I still get crashes with php-fpm on this version. Am using 5.4.8 for now. Crashes occur regularly/constantly with a small apc cache, and with a large apc cache less often but enough to make it an issue.

Couldn't see any major issues on the PHP bugtracker though, which is strange. Also I am not using the php5-suhosin module.

Appreciate the efforts here though. I wonder if it might be a useful idea to have a dotdeb stable and testing or so, and push packages to testing first, and to stable later. might help upgrade woes. cheers

@Scott & Jools : I’d really like to spend as much time as needed to make everyone’s good ideas real (such as yours). Dotdeb is getting more and more popular, I’m proud of that. But people always have more and more expectations and support requests, and no one is planning any major donation or sponsor.

I’d just like people to keep in mind that Dotdeb is a one-person project. As a freelance worker, my time is getting precious. I’ll keep on focusing on the existing packages, on fixing them and so on, but I can’t afford spending too much time on it.

I’ll do my best. I know you’ll understand.

Guillaume – I totally understand your point. I have similar problems with "wants" on some of my projects.

I am of course happy to contribute a small amount financially, but might be more useful if I could contribute patches etc. Maybe some sort of github style repo?

we do understand and thanks.

Funnily enough before you were managing nginx, I was maintaining my own packages and there must be others, so perhaps some “pooling” of skills could help?

Donation made. To add: I already have some changes I could commit to the nginx packages if on a public repo, such as more types for the default mime types, and scripts to enable/disable sites like a2dissite etc. (which I believe has been in older Debian builds).

If it already is somewhere, apologies, and I'll go and submit some diffs.

By Guillaume Plessis on Jan 13, 2012

@Joe Siegrist : partial syslog support has been implemented in FPM. It may have led to the warnings loss.

Can you please tell me what config setting controls this? I have lost all warnings like simple syntax errors in my lighttpd error.log.
BTW I kept the old config from 5.3.8.

@JD : as mentioned in the new configuration file, the error logging directives are: error_log, syslog.facility, syslog.ident and log_level.

Be also sure to set the appropriate error_reporting level in your scripts and that your worker has the permissions to write into your log files if you’ve overwritten the error_log directive for each of your process pools.

Thanks for the up to date packages! As mentioned, a public repository on Github would be the next great step.

Hello guys.

Could you please disable posix in your builds?

# php -m | grep posix
posix
#
# php --version
PHP 5.3.8-1~dotdeb.2 with Suhosin-Patch (cli) (built: Aug 25 2011 13:30:46)
Copyright (c) 1997-2011 The PHP Group
Zend Engine v2.3.0, Copyright (c) 1998-2011 Zend Technologies
with the ionCube PHP Loader v4.0.7, Copyright (c) 2002-2011, by ionCube Ltd.
with Suhosin v0.9.32.1, Copyright (c) 2007-2010, by SektionEins GmbH

http://php.net/manual/en/intro.posix.php

"Sensitive data can be retrieved with the POSIX functions, e.g. posix_getpwnam() and friends. None of the POSIX functions perform any kind of access checking when safe mode is enabled. It's therefore strongly advised to disable the POSIX extension at all (use --disable-posix in your configure line) if you're operating in such an environment."

@Free: surely you can just disable the functions you don't want with suhosin, for example?

Removing the posix functions would remove functionality from those who need them. Debian, for example, also ships with them enabled.

Hi,

https://bugs.php.net/bug.php?id=55475 breaks a LOT of websites

Please apply the following workaround in the php-pear package:

— /usr/share/php/PEAR.old.php 2012-01-31 21:15:00.000000000 +0000
+++ /usr/share/php/PEAR.php 2012-01-31 20:53:13.000000000 +0000
@@ -249,7 +249,7 @@
*/
function isError($data, $code = null)
{
– if (!is_a($data, ‘PEAR_Error’)) {
+ if (!is_object($data) || !is_a($data, ‘PEAR_Error’)) {
return false;
}
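Review bot: the new `!is_object($data) ||` guard in isError() deserves a one-line comment citing bug #55475, because on its own it reads as redundant (is_a() returns false for non-objects) and a later cleanup could drop it, reinstating the is_a() call on string values that this change is meant to avoid, which is what triggers the autoloader in the affected versions. Note also that, as pasted here, the patch will not apply: the `---`/`+++` file headers and the `-` marker have become typographic dashes and the quotes around 'PEAR_Error' have become curly quotes, so they need re-typing before feeding the hunk to patch.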

thx

@Stéphane That should be reported upstream to Debian instead of here so that the Debian team can send out an update.

@Scott official Debian php5 versions are 5.2 for lenny and 5.3.3 for squeeze; these versions do not have this bug.

@Guillaume hope the next package update will include the upstream fix, thx.
