[atomic] php 5.3.9

Atomic repository announcements, new release notifications and other news regarding the atomic yum repository.
scott
Atomicorp Staff - Site Admin
Atomicorp Staff - Site Admin
Posts: 8330
Joined: Wed Dec 31, 1969 8:00 pm
Location: earth
Contact:

[atomic] php 5.3.9

Unread post by scott »

This is a High Impact security update to correct the recently announce hash collision vulnerability. It is highly recommended for all platforms running PHP to upgrade to this release.

This update also includes a new mysqlnd sub package. This is a native mysql client module that replaces dependencies on external mysql client libraries.

Changelog:

Core:
Added max_input_vars directive to prevent attacks based on hash collisions (Dmitry).
Fixed bug #60205 (possible integer overflow in content_length). (Laruence)
Fixed bug #60139 (Anonymous functions create cycles not detected by the GC). (Dmitry)
Fixed bug #60138 (GC crash with referenced array in RecursiveArrayIterator) (Dmitry).
Fixed bug #60120 (proc_open's streams may hang with stdin/out/err when the data exceeds or is equal to 2048 bytes). (Pierre, Pascal Borreli)
Fixed bug #60099 (__halt_compiler() works in braced namespaces). (Felipe)
Fixed bug #60019 (Function time_nanosleep() is undefined on OS X). (Ilia)
Fixed bug #55874 (GCC does not provide __sync_fetch_and_add on some archs). (klightspeed at netspace dot net dot au)
Fixed bug #55798 (serialize followed by unserialize with numeric object prop. gives integer prop). (Gustavo)
Fixed bug #55749 (TOCTOU issue in getenv() on Windows builds). (Pierre)
Fixed bug #55707 (undefined reference to `__sync_fetch_and_add_4' on Linux parisc). (Felipe)
Fixed bug #55674 (fgetcsv & str_getcsv skip empty fields in some tab-separated records). (Laruence)
Fixed bug #55649 (Undefined function Bug()). (Laruence)
Fixed bug #55622 (memory corruption in parse_ini_string). (Pierre)
Fixed bug #55576 (Cannot conditionally move uploaded file without race condition). (Gustavo)
Fixed bug #55510: $_FILES 'name' missing first character after upload. (Arpad)
Fixed bug #55509 (segfault on x86_64 using more than 2G memory). (Laruence)
Fixed bug #55504 (Content-Type header is not parsed correctly on HTTP POST request). (Hannes)
Fixed bug #55475 (is_a() triggers autoloader, new optional 3rd argument to is_a and is_subclass_of). (alan_k)
Fixed bug #52461 (Incomplete doctype and missing xmlns). (virsacer at web dot de, Pierre)
Fixed bug #55366 (keys lost when using substr_replace an array). (Arpad)
Fixed bug #55273 (base64_decode() with strict rejects whitespace after pad). (Ilia)
Fixed bug #52624 (tempnam() by-pass open_basedir with nonnexistent directory). (Felipe)
Fixed bug #50982 (incorrect assumption of PAGE_SIZE size). (Dmitry)
Fixed invalid free in call_user_method() function. (Felipe)
Fixed bug #43200 (Interface implementation / inheritence not possible in abstract classes). (Felipe)
BCmath:
Fixed bug #60377 (bcscale related crashes on 64bits platforms). (shm)
Calendar:
Fixed bug #55797 (Integer overflow in SdnToGregorian leads to segfault (in optimized builds). (Gustavo)
cURL:
Fixed bug #60439 (curl_copy_handle segfault when used with CURLOPT_PROGRESSFUNCTION). (Pierrick)
Fixed bug #54798 (Segfault when CURLOPT_STDERR file pointer is closed before calling curl_exec). (Hannes)
Fixed issues were curl_copy_handle() would sometimes lose copied preferences. (Hannes)
DateTime:
Fixed bug #60373 (Startup errors with log_errors on cause segfault). (Derick)
Fixed bug #60236 (TLA timezone dates are not converted properly from timestamp). (Derick)
Fixed bug #55253 (DateTime::add() and sub() result -1 hour on objects with time zone type 2). (Derick)
Fixed bug #54851 (DateTime::createFromFormat() doesn't interpret "D"). (Derick)
Fixed bug #53502 (strtotime with timezone memory leak). (Derick)
Fixed bug #52062 (large timestamps with DateTime::getTimestamp and DateTime::setTimestamp). (Derick)
Fixed bug #51994 (date_parse_from_format is parsing invalid date using 'yz' format). (Derick)
Fixed bug #52113 (Seg fault while creating (by unserialization) DatePeriod). (Derick)
Fixed bug #48476 (cloning extended DateTime class without calling parent::__constr crashed PHP). (Hannes)
EXIF:
Fixed bug #60150 (Integer overflow during the parsing of invalid exif header). (Stas, flolechaud at gmail dot com)
Fileinfo:
Fixed bug #60094 (C++ comment fails in c89). (Laruence)
Fixed possible memory leak in finfo_open(). (Felipe)
Fixed memory leak when calling the Finfo constructor twice. (Felipe)
Filter:
Fixed Bug #55478 (FILTER_VALIDATE_EMAIL fails with internationalized domain name addresses containing >1 -). (Ilia)
FTP:
Fixed bug #60183 (out of sync ftp responses). (bram at ebskamp dot me, rasmus)
Gd:
Fixed bug #60160 (imagefill() doesn't work correctly for small images). (Florian)
Intl:
Fixed bug #60192 (SegFault when Collator not constructed properly). (Florian)
Fixed memory leak in several Intl locale functions. (Felipe)
JSON:
Fixed bug #55543 (json_encode() with JSON_NUMERIC_CHECK fails on objects with numeric string properties). (Ilia, dchurch at sciencelogic dot com)
mbstring:
Fixed possible crash in mb_ereg_search_init() using empty pattern. (Felipe)
MS SQL:
Fixed bug #60267 (Compile failure with freetds 0.91). (Felipe)
MySQL:
Fixed bug #55550 (mysql.trace_mode miscounts result sets). (Johannes)
MySQLi extension:
Fixed bug #55859 (mysqli->stat property access gives error). (Andrey)
Fixed bug #55582 (mysqli_num_rows() returns always 0 for unbuffered, when mysqlnd is used). (Andrey)
Fixed bug #55703 (PHP crash when calling mysqli_fetch_fields). (eran at zend dot com, Laruence)
mysqlnd:
Fixed bug #55609 (mysqlnd cannot be built shared). (Johannes)
Fixed bug #55067 (MySQL doesn't support compression - wrong config option). (Andrey)
NSAPI SAPI:
Don't set $_SERVER['HTTPS'] on unsecure connection (bug #55403). (Uwe Schindler)
OpenSSL:
Fixed bug #60279 (Fixed NULL pointer dereference in stream_socket_enable_crypto, case when ssl_handle of session_stream is not initialized.) (shm)
Fix segfault with older versions of OpenSSL. (Scott)
Oracle Database extension (OCI8):
Fixed bug #59985 (show normal warning text for OCI_NO_DATA). (Chris Jones)
Increased maximum Oracle error message buffer length for new 11.2.0.3 size. (Chris Jones)
Improve internal initalization failure error messages. (Chris Jones)
PDO
Fixed bug #55776 (PDORow to session bug). (Johannes)
PDO Firebird:
Fixed bug #48877 ("bindValue" and "bindParam" do not work for PDO Firebird). (Mariuz)
Fixed bug #47415 (PDO_Firebird segfaults when passing lowercased column name to bindColumn).
Fixed bug #53280 (PDO_Firebird segfaults if query column count less than param count). (Mariuz)
PDO MySQL driver:
Fixed bug #60155 (pdo_mysql.default_socket ignored). (Johannes)
Fixed bug #55870 (PDO ignores all SSL parameters when used with mysql native driver). (Pierre)
Fixed bug #54158 (MYSQLND+PDO MySQL requires #define MYSQL_OPT_LOCAL_INFILE). (Andrey)
PDO OCI driver:
Fixed bug #55768 (PDO_OCI can't resume Oracle session after it's been killed). (mikhail dot v dot gavrilov at gmail dot com, Chris Jones, Tony)
Phar:
Fixed bug #60261 (NULL pointer dereference in phar). (Felipe)
Fixed bug #60164 (Stubs of a specific length break phar_open_from_fp scanning for __HALT_COMPILER). (Ralph Schindler)
Fixed bug #53872 (internal corruption of phar). (Hannes)
Fixed bug #52013 (Unable to decompress files in a compressed phar). (Hannes)
PHP-FPM SAPI:
Fixed bug #60659 (FPM does not clear auth_user on request accept). (bonbons at linux-vserver dot org)
Fixed bug #60629 (memory corruption when web server closed the fcgi fd). (fat)
Fixed bug #60179 (php_flag and php_value does not work properly). (fat)
Fixed bug #55526 (Heartbeat causes a lot of unnecessary events). (fat)
Fixed bug #55533 (The -d parameter doesn't work). (fat)
Implemented FR #52569 (Add the "ondemand" process-manager to allow zero children). (fat)
Fixed bug #55486 (status show BIG processes number). (fat)
Fixed bug #55577 (status.html does not install). (fat)
Backported from 5.4 branch (Dropped restriction of not setting the same value multiple times, the last one holds). (giovanni at giacobbi dot net, fat)
Backported FR #55166 from 5.4 branch (Added process.max to control the number of process FPM can fork). (fat)
Backported FR #55181 from 5.4 branch (Enhance security by limiting access to user defined extensions). (fat)
Backported FR #54098 from 5.4 branch (Lowered process manager default value). (fat)
Backported FR #52052 from 5.4 branch (Added partial syslog support). (fat)
Implemented FR #54577 (Enhanced status page with full status and details about each processes. Also provide a web page (status.html) for real-time FPM status. (fat)
Enhance error log when the primary script can't be open. FR #60199. (fat)
Added .phar to default authorized extensions. (fat)
Postgres:
Fixed bug #60244 (pg_fetch_* functions do not validate that row param is >0). (Ilia)
Reflection:
Fixed bug #60367 (Reflection and Late Static Binding). (Laruence)
Session:
Fixed bug #55267 (session_regenerate_id fails after header sent). (Hannes)
SimpleXML:
Reverted the SimpleXML->query() behaviour to returning empty arrays instead of false when no nodes are found as it was since 5.3.3 (bug #48601). (chregu, rrichards)
SOAP
Fixed bug #54911 (Access to a undefined member in inherit SoapClient may cause Segmentation Fault). (Dmitry)
Fixed bug #48216 (PHP Fatal error: SOAP-ERROR: Parsing WSDL: Extra content at the end of the doc, when server uses chunked transfer encoding with spaces after chunk size). (Dmitry)
Fixed bug #44686 (SOAP-ERROR: Parsing WSDL with references). (Dmitry)
Sockets:
Fixed bug #60048 (sa_len a #define on IRIX). (china at thewrittenword dot com)
SPL:
Fixed bug #60082 (Crash in ArrayObject() when using recursive references). (Tony)
Fixed bug #55807 (Wrong value for splFileObject::SKIP_EMPTY). (jgotti at modedemploi dot fr, Hannes)
Fixed bug #54304 (RegexIterator::accept() doesn't work with scalar values). (Hannes)
Streams:
Fixed bug #60455 (stream_get_line misbehaves if EOF is not detected together with the last read). (Gustavo)
Tidy:
Fixed bug #54682 (Tidy::diagnose() NULL pointer dereference). (Maksymilian Arciemowicz, Felipe)
XSL:
Added xsl.security_prefs ini option to define forbidden operations within XSLT stylesheets, default is not to enable write operations. This option won't be in 5.4, since there's a new method. Fixes Bug #54446. (Chregu, Nicolas Gregoire)

To Upgrade:

yum upgrade php
DarkF@der
Forum Regular
Forum Regular
Posts: 313
Joined: Thu May 07, 2009 12:46 pm

Re: [atomic] php 5.3.9

Unread post by DarkF@der »

Helle scott,

Can i upgrade to this new php version and still using mysql-5.1.59-1.el5.art?
My php version is atm:

php-5.3.8-1.el5.art


Thanx in advanced
breun
Long Time Forum Regular
Long Time Forum Regular
Posts: 2813
Joined: Sat Aug 20, 2005 9:30 am
Location: The Netherlands

Re: [atomic] php 5.3.9

Unread post by breun »

No, 5.3.8-2 and up in Atomic have dependencies on MySQL 5.5.
Lemonbit Internet Dedicated Server Management
faris
Long Time Forum Regular
Long Time Forum Regular
Posts: 2321
Joined: Thu Dec 09, 2004 11:19 am

Re: [atomic] php 5.3.9

Unread post by faris »

Is there any particular reason why you want to stick with the earlier version?

I've not noticed any incompatibilities between older scripts and 5.5.x *so far*. Plesk 8.6 is very happy with it as well, which is vital for me for the next few weeks (10.4.4 upgrade coming soon!).
--------------------------------
<advert>
If you want to rent a UK-based VPS that comes with friendly advice and support from a fellow ART fan, please get in touch.
</advert>
scott
Atomicorp Staff - Site Admin
Atomicorp Staff - Site Admin
Posts: 8330
Joined: Wed Dec 31, 1969 8:00 pm
Location: earth
Contact:

Re: [atomic] php 5.3.9

Unread post by scott »

There is a mysql 5.5 client package you can install that would let you run it with 5.0 or 5.1 environments. Its called mysqlclient18

Also there is now the mysqlnd (Native Driver) subpackage in 5.3.9 that eliminates the need for using php-mysql all together.
breun
Long Time Forum Regular
Long Time Forum Regular
Posts: 2813
Joined: Sat Aug 20, 2005 9:30 am
Location: The Netherlands

Re: [atomic] php 5.3.9

Unread post by breun »

scott wrote:There is a mysql 5.5 client package you can install that would let you run it with 5.0 or 5.1 environments. Its called mysqlclient18
Ah, that's really good to know.
Lemonbit Internet Dedicated Server Management
breun
Long Time Forum Regular
Long Time Forum Regular
Posts: 2813
Joined: Sat Aug 20, 2005 9:30 am
Location: The Netherlands

Re: [atomic] php 5.3.9

Unread post by breun »

It looks like mysqlclient18 wasn't built for EL4. Any chance you could add that one, Scott?

(Yes, I know EL4 will be EOL in a month, but some clients like to squeeze every day out of the supported lifetime of their OS.)
Lemonbit Internet Dedicated Server Management
Highland
Forum Regular
Forum Regular
Posts: 674
Joined: Mon Apr 10, 2006 12:55 pm

Re: [atomic] php 5.3.9

Unread post by Highland »

Also there is now the mysqlnd (Native Driver) subpackage in 5.3.9 that eliminates the need for using php-mysql all together.
That might be the most awesome thing about this release. To give you an idea why, take breun's post
It looks like mysqlclient18 wasn't built for EL4.
I don't think you need the whole mysqlclient mess (which contains libmysql) when using mysqlnd. Instead, mysqlnd uses code entirely written by Zend and works natively with MySQL to eliminate the need for any other libraries.
Also, in the past, you needed to build the MySQL database extensions against a copy of the MySQL Client Library. This typically meant you needed to have MySQL installed on a machine where you were building the PHP source code. Also, when your PHP application was running, the MySQL database extensions would call down to the MySQL Client library file at run time, so the file needed to be installed on your system. With MySQL Native Driver that is no longer the case as it is included as part of the standard distribution. So you do not need MySQL installed in order to build PHP or run PHP database applications.
http://www.php.net/manual/en/mysqlnd.overview.php

If you're going to install it, be sure to check out this PECL project for query caching that compliments it
http://pecl.php.net/package/mysqlnd_qc
http://blog.ulf-wendel.de/2012/php-mysq ... is-online/

The easiest way to get mysqlnd (until Scott makes one obsolete the other)

Code: Select all

yum remove php-mysql
yum install php-mysqlnd
Been monkeying with it on my local servers and it works great so far.
"Its not a mac. I run linux... I'm actually cool." - scott
breun
Long Time Forum Regular
Long Time Forum Regular
Posts: 2813
Joined: Sat Aug 20, 2005 9:30 am
Location: The Netherlands

Re: [atomic] php 5.3.9

Unread post by breun »

Please note that 'yum remove php-mysql' will also uninstall Plesk. I suggest using the following instead:

Code: Select all

rpm -e --nodeps php-mysql && yum install php-mysqlnd && service httpd reload
Just tried this on a test server and it seems to work fine so far. Cool stuff.
Lemonbit Internet Dedicated Server Management
breun
Long Time Forum Regular
Long Time Forum Regular
Posts: 2813
Joined: Sat Aug 20, 2005 9:30 am
Location: The Netherlands

Re: [atomic] php 5.3.9

Unread post by breun »

scott wrote:Added max_input_vars directive to prevent attacks based on hash collisions (Dmitry).
Does ASL protect against the PHP hash collision attacks?

A client on EL4 won't to upgrade to MySQL 5.5 yet, so upgrading PHP 5.3.8-1 to 5.3.9 using the Atomic repository is also not possible yet. A mysqlclient18 package for EL4 would make this problem easy. Could mysqlclient18 be built for EL4?

I guess the only other option for staying on MySQL 5.1 for now would be switching from php-mysql to php-mysqlnd, but I haven't found out yet if that's really 100% backwards compatible. Does anyone know?
Lemonbit Internet Dedicated Server Management
scott
Atomicorp Staff - Site Admin
Atomicorp Staff - Site Admin
Posts: 8330
Joined: Wed Dec 31, 1969 8:00 pm
Location: earth
Contact:

Re: [atomic] php 5.3.9

Unread post by scott »

Doesnt look like the 5.5 compat package wants to build for el4 environments. You're welcome to take a crack at it to see if you can sort out whats going on there. Unfortunately I wont have the time to look into it for a bit.

Blows up here:

In file included from /builddir/build/BUILD/mysql-5.5.17/sql/lex_hash.h:17,
from /builddir/build/BUILD/mysql-5.5.17/sql/sql_lex.cc:113:
/builddir/build/BUILD/mysql-5.5.17/sql/lex.h:114: error: `CLIENT_STATS_SYM' was not declared in this scope
/builddir/build/BUILD/mysql-5.5.17/sql/lex.h:261: error: `INDEX_STATS_SYM' was not declared in this scope
/builddir/build/BUILD/mysql-5.5.17/sql/lex.h:552: error: `TABLE_STATS_SYM' was not declared in this scope
/builddir/build/BUILD/mysql-5.5.17/sql/lex.h:559: error: `THREAD_STATS_SYM' was not declared in this scope
/builddir/build/BUILD/mysql-5.5.17/sql/lex.h:595: error: `USER_STATS_SYM' was not declared in this scope
make[2]: *** [sql/CMakeFiles/sql.dir/sql_lex.cc.o] Error 1
make[2]: *** Waiting for unfinished jobs....
make[2]: Leaving directory `/builddir/build/BUILD/mysql-5.5.17'
make[1]: *** [sql/CMakeFiles/sql.dir/all] Error 2
make[1]: Leaving directory `/builddir/build/BUILD/mysql-5.5.17'
User avatar
mikeshinn
Atomicorp Staff - Site Admin
Atomicorp Staff - Site Admin
Posts: 4119
Joined: Thu Feb 07, 2008 7:49 pm
Location: Chantilly, VA

Re: [atomic] php 5.3.9

Unread post by mikeshinn »

Does ASL protect against the PHP hash collision attacks?
Yes, by limiting the maximum number of arguments and/or cookies in a request to 1000 (thats the default). If your application needs to use more than 1000 for either in a request, and you disable either or both of those limits in ASL, then no it can't. You will need to upgrade PHP. If your customer isn't experiencing any issues with the default limits, then you are protected.
breun
Long Time Forum Regular
Long Time Forum Regular
Posts: 2813
Joined: Sat Aug 20, 2005 9:30 am
Location: The Netherlands

Re: [atomic] php 5.3.9

Unread post by breun »

breun wrote:I guess the only other option for staying on MySQL 5.1 for now would be switching from php-mysql to php-mysqlnd, but I haven't found out yet if that's really 100% backwards compatible. Does anyone know?
The only incompatibility I've run into so far is that mysqlnd doesn't support the old style of MySQL auth: http://stackoverflow.com/questions/1575 ... entication
Lemonbit Internet Dedicated Server Management
Post Reply