A few days ago, the PHP Group released PHP 5.2.13. It fixes severe security issues and some other bugs:
The PHP development team would like to announce the immediate availability of PHP 5.2.13. This release focuses on improving the stability of the PHP 5.2.x branch with over 40 bug fixes, some of which are security related. All users of PHP 5.2 are encouraged to upgrade to this release.
Security Enhancements and Fixes in PHP 5.2.13:
Fixed safe_mode validation inside tempnam() when the directory path does not end with a /. (Martin Jansen)
Fixed a possible open_basedir/safe_mode bypass in the session extension identified by Grzegorz Stachowiak. (Ilia)
Improved LCG entropy. (Rasmus, Samy Kamkar)
(…)
On the Dotdeb side
The geoip, id3 and mailparse PECL extensions have been removed from the repository. If some of them were useful to you, please let me know. Don’t forget that there’s an easy way to package PECL extensions by yourself.
On December 17th 2009, the PHP Group released PHP 5.2.12:
The PHP development team would like to announce the immediate availability of PHP 5.2.12. This release focuses on improving the stability of the PHP 5.2.x branch with over 60 bug fixes, some of which are security related. All users of PHP 5.2 are encouraged to upgrade to this release.
Security Enhancements and Fixes in PHP 5.2.12:
Fixed a safe_mode bypass in tempnam() identified by Grzegorz Stachowiak. (CVE-2009-3557, Rasmus)
Fixed an open_basedir bypass in posix_mkfifo() identified by Grzegorz Stachowiak. (CVE-2009-3558, Rasmus)
Added the “max_file_uploads” INI directive, which can be set to limit the number of file uploads per request (20 by default), to prevent a possible DoS via temporary file exhaustion, identified by Bogdan Calin. (CVE-2009-4017, Ilia)
Added protection for $_SESSION from interrupt corruption and improved “session.save_path” check, identified by Stefan Esser. (CVE-2009-4143, Stas)
Fixed bug #49785 (insufficient input string validation of htmlspecialchars()). (CVE-2009-4142, Moriyoshi, hello at iwamot dot com)
A few days ago, the PHP Group released PHP 5.3.1:
The PHP development team would like to announce the immediate availability of PHP 5.3.1. This release focuses on improving the stability of the PHP 5.3.x branch with over 100 bug fixes, some of which are security related. All users of PHP are encouraged to upgrade to this release.
Security Enhancements and Fixes in PHP 5.3.1:
Added the “max_file_uploads” INI directive, which can be set to limit the number of file uploads per request (20 by default), to prevent a possible DoS via temporary file exhaustion.
Added missing sanity checks around exif processing.
Fixed a safe_mode bypass in tempnam().
Fixed an open_basedir bypass in posix_mkfifo().
Fixed failing safe_mode_include_dir.
Further details about the PHP 5.3.1 release can be found in the release announcement, and the full list of changes is available in the ChangeLog.
The Dotdeb changes
On the Debian side, some changes were made:
the packages are now patched with the official Suhosin patch.
besides the apache2, apache2filter, CGI and CLI flavours, the FPM one now has its own dedicated package, named “php5-fpm”. It will give you better performance and many more features on a CGI-style installation (FYI, an init script, a config file and an nginx config sample are provided).
PHP 5.2.11 was published a few days ago by the PHP Group and its packages are now available for Debian Etch and Lenny, amd64 and i386. It fixes a lot of bugs and some security issues:
Fixed sanity check for the color index in imagecolortransparent(). (Pierre)
Added missing sanity checks around exif processing. (Ilia)
Fixed bug #44683 (popen crashes when an invalid mode is passed). (Pierre)
To avoid the same negative feedback as with PHP 5.2.10, a lot of debugging and changes have been made:
The embedded_timezone patch has been disabled. You now have to set date.timezone manually in your /etc/php5/*/php.ini files, depending on your machine.
If you encounter problems with some applications and the CGI flavour, remember to set cgi.fix_pathinfo=1 in your php.ini (thanks Scott for reporting this).
As usual, read the full Changelog before upgrading.
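The php.ini points raised in these release posts (the max_file_uploads cap from the 5.2.12/5.3.1 notes, the now-mandatory date.timezone and the cgi.fix_pathinfo hint above) can be checked on each php.ini before upgrading. The script below is an added example, not part of this post and not part of the Dotdeb packages; the helper names ini_get and audit_php_ini and the sample php.ini fragment are my own constructions.

```shell
#!/bin/sh
# Added example (not Dotdeb's tooling): audit a php.ini for the directives
# discussed in the release posts. The sample file content is constructed.

# ini_get FILE KEY: print the value of KEY in FILE (last active assignment
# wins, surrounding quotes and trailing ";" comments stripped), or nothing
# when KEY is absent or only present as a ";"-commented line.
ini_get() {
    key=$(printf '%s' "$2" | sed 's/\./\\./g')   # escape dots for sed
    sed -n "s/^[[:space:]]*${key}[[:space:]]*=[[:space:]]*//p" "$1" \
        | sed 's/[[:space:]]*;.*$//; s/^"//; s/"$//; s/[[:space:]]*$//' \
        | tail -n 1
}

# audit_php_ini FILE: print one line per finding, nothing when all is well.
audit_php_ini() {
    file=$1

    # Cap on uploaded files per request (added in 5.2.12 / 5.3.1 against
    # temporary-file exhaustion); 20 is PHP's default for that directive.
    v=$(ini_get "$file" max_file_uploads)
    case "$v" in
        '')       echo "max_file_uploads: not set (5.2.12+/5.3.1+ default to 20; older builds have no cap)" ;;
        *[!0-9]*) echo "max_file_uploads: non-numeric value '$v'" ;;
        *)        [ "$v" -gt 20 ] && echo "max_file_uploads: $v is above the default cap of 20" ;;
    esac

    # The embedded_timezone patch is gone, so the timezone must be explicit.
    v=$(ini_get "$file" date.timezone)
    [ -z "$v" ] && echo "date.timezone: not set (set it explicitly in every php.ini)"

    # Only reported when explicitly set to something other than 1.
    v=$(ini_get "$file" cgi.fix_pathinfo)
    [ -n "$v" ] && [ "$v" != 1 ] && echo "cgi.fix_pathinfo: $v (set it to 1 if applications misbehave under the CGI flavour)"
    return 0
}

# Stand-alone run on a constructed php.ini fragment.
sample=$(mktemp)
printf '%s\n' '[PHP]' 'max_file_uploads = 50' ';date.timezone =' 'cgi.fix_pathinfo = 0' > "$sample"
audit_php_ini "$sample"
rm -f "$sample"
```

Run it against each flavour's file (for f in /etc/php5/*/php.ini; do audit_php_ini "$f"; done) after sourcing the functions; an empty output means the three directives are set the way the posts describe.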
Read this announcement from PHP.net and its links carefully:
The PHP development team is proud to announce the immediate release of PHP 5.3.0. This release is a major improvement in the 5.X series, which includes a large number of new features and bug fixes.
This is great news and a big step for PHP, which gets cleaner and faster (for example, read this benchmark of the ezPublish performance boost with PHP 5.3.0).
In my (sysadmin) opinion, the best features are:
ext/phar to bundle a complete application in an archive
the MySQL native driver, which avoids the libmysqlclient dependency, increases overall performance and adds great features (real persistence, asynchronous queries)
removal of dirty and unsafe features (register_globals, safe_mode, magic_quotes*)
Be careful!
Depending on your applications, PHP 5.3 may not be fully compatible with 5.2 out of the box:
many functions and features are deprecated or changed
some extensions (ming, ncurses…) moved to PECL, others (mime_magic, mhash) are just emulated
some bugs still exist and should be fixed in PHP 5.3.1
For example, I experienced some strange behaviour with WordPress, Sweetcron or Roundcube and I had to patch them.
Please read the migration guide very carefully before going further!
What are the changes from Dotdeb?
OK, now that you have read the Changelog and the migration guide and know how to modify your scripts for PHP 5.3, you have to be aware of some changes introduced by Dotdeb and their consequences:
The migration from libmysqlclient to the MySQL native driver is great in terms of performance and memory but has one restriction: it requires MySQL 4.1’s newer 41-byte password format. Continued use of the old 16-byte passwords will cause mysql_connect() and similar functions to emit the error “mysqlnd cannot connect to MySQL 4.1+ using old authentication”. Please check your MySQL passwords in mysql.user before upgrading!
The mail_extra_headers feature that allowed inserting the script’s name into sent mails has been included in the core of PHP, and the INI variable is now mail.x_header.
php5-mhash has disappeared, since its functions are emulated by ext/hash and are now included in the core of PHP.
php5-ming has moved to PECL and is no longer packaged.
The Suhosin patch and the associated extension are not available yet (that’s what justifies the preview status).
Not all of the PECL extensions are built yet. They will be as soon as the preview phase is over.
Enchant support has been included as a bonus feature 🙂
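The mysqlnd restriction above can be checked from a dump of mysql.user before the upgrade rather than discovered through failing mysql_connect() calls afterwards. The script below is an added example, not part of this post and not part of the Dotdeb packages; the helper names password_format and old_password_accounts and the sample rows are constructed. It assumes the MySQL 4.1+ format is a “*” followed by 40 hex digits and the pre-4.1 format is 16 hex digits, which is how PASSWORD() has written them in those server generations.

```shell
#!/bin/sh
# Added example (not Dotdeb's tooling): list mysql.user accounts that still
# carry the pre-4.1 16-byte password hash, which mysqlnd refuses to use.
# The sample rows below are constructed; the hash strings are not real ones.

# password_format HASH: classify a mysql.user Password column value as
# "new" (41-byte 4.1+ format: "*" + 40 hex digits), "old" (16 hex digits),
# "empty" (passwordless account) or "unknown".
password_format() {
    [ -z "$1" ] && { echo empty; return 0; }
    if printf '%s\n' "$1" | grep -Eq '^\*[0-9A-Fa-f]{40}$'; then
        echo new
    elif printf '%s\n' "$1" | grep -Eq '^[0-9A-Fa-f]{16}$'; then
        echo old
    else
        echo unknown
    fi
}

# old_password_accounts FILE: FILE holds tab-separated "User Host Password"
# rows with a header line, as produced by
#   mysql -B -e 'SELECT User, Host, Password FROM mysql.user'
# Prints user@host for every account mysqlnd would reject after the upgrade.
old_password_accounts() {
    while IFS="$(printf '\t')" read -r user host pw; do
        [ "$user" = User ] && continue       # skip the column header
        [ "$(password_format "$pw")" = old ] && echo "$user@$host"
    done < "$1"
    return 0
}

# Stand-alone run on a constructed dump.
dump=$(mktemp)
printf 'User\tHost\tPassword\n' > "$dump"
printf 'app\tlocalhost\t*ABCDEF0123456789ABCDEF0123456789ABCDEF01\n' >> "$dump"
printf 'legacy\t%%\t0123456789abcdef\n' >> "$dump"
printf 'anon\tlocalhost\t\n' >> "$dump"
old_password_accounts "$dump"      # prints: legacy@%
rm -f "$dump"
```

Every account the script prints needs its password reset on the MySQL side (so that the 41-byte hash is stored) before the php5-mysql packages built on mysqlnd go live; passwordless accounts are reported as “empty” by password_format so they can be reviewed separately.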
How to install?
As they’re just preview packages, the PHP 5.3.0-final ones are still in a separate repository. To install them, just add these temporary entries to your /etc/apt/sources.list:
deb http://php53.dotdeb.org stable all
deb-src http://php53.dotdeb.org stable all
Now launch your favorite commands (apt-get update && apt-get upgrade) to upgrade your box and enjoy!
For your information, I do NOT intend to publish PHP>=5.3.0 packages for Debian Etch; it would mean too much work to get clean packages… PHP 5.2.10 (once fixed) will be the last version available for Etch from Dotdeb. So you’re strongly encouraged to migrate to Debian Lenny if you want to benefit from 5.3.0.
Last but not least : thank you!
Thanks for using Dotdeb, for your useful reports and for your suggestions. Although I’m doing my best to bring you the best new features of PHP the stable way, my work is not perfect and your help is really appreciated when things go bad.
A few days ago, the PHP development team announced the availability of PHP 5.2.10 with many improvements and 100+ bug fixes. Here is the Changelog.
Now that the corresponding Suhosin patch is available, the PHP 5.2.10 packages are available on Dotdeb:
for Debian Lenny and Etch
for the amd64 and i386 architectures
Upgrading your servers is highly recommended.
Update: the PHP 5.2.10 packages seem to be buggy under (un)certain conditions: (f)CGI + Suhosin.
So I decided to roll back to 5.2.9 to avoid a flood of users’ requests and to give me time to investigate. If your PHP 5.2.10 does not encounter problems, keep it, you’re lucky.
The PHP development team is proud to announce the fourth release candidate of PHP 5.3.0 (PHP 5.3.0RC4). This RC focuses on bug fixes and stability improvements, and we hope only minimal changes are required for the next candidate or final stable releases. PHP 5.3.0 is a newly developed version of PHP featuring long-awaited features like namespaces, late static binding, closures and much more.
Please download and test these release candidates, and report any issues found. A stable release is expected next week. In case of critical issues we will continue producing weekly RCs. Downloads and further information are available at qa.php.net. See also the work-in-progress 5.3 upgrade guide.
The preview packages for Debian GNU/Linux 5.0 “Lenny” on amd64 and i386 have been updated. Just apt-get upgrade.
The third (and probably the last) release candidate of PHP 5.3.0 was published by the PHP Group a few days ago. So I updated the preview packages for Debian GNU/Linux 5.0 “Lenny” on amd64 and i386.
To fetch them, just add these temporary entries to your /etc/apt/sources.list and upgrade your boxes:
deb http://php53.dotdeb.org stable all
deb-src http://php53.dotdeb.org stable all
Please note that an upgrade guide is being written. You may also want to visit this page.