PHP 5.2.8

Kain114 · Unread post by **Kain114** » Wed Dec 17, 2008 9:42 pm

Nothing worked...

Still have three that I need to pass.

TCP Port 8443 - OpenSSL which is older than 0.9.6m or 0.9.7d
TCP Port 8443 - The remote service accepts connections encrypted using SSL 2.0

TCP Port 80 - Apache Tomcat (prior to 3.3.1a) is prone to a directory listing

Port blocking / changing didn't work, 8443 still responds as a Plesk panel.

Any suggestions?

Unread post by **scott** » Thu Dec 18, 2008 9:57 am

You're assuming that those 3 vulnerabilities are actually true, which odds are high they arent if you're up to date with the latest packages from the vendor.

Kain114 · Unread post by **Kain114** » Fri Dec 19, 2008 12:29 am

I'm using the art channel. Stat's that everything is up-to-date.

I think I'm down to one issue now, the so called tomcat one that got added when I ran the yum update using the art channel.

We believe we figured out disabling plesk and keeping everything online that is needed during the scan. (Can no longer access the control panel via 8443 / 8800, load's as page cannot be found when I issue the "service psa stop" command!!!)

Unread post by **scott** » Mon Dec 29, 2008 9:46 am

So it looks like there is still an unresolved bug in PHP 5.2.8/5.2.9-dev that results in a very bad memory leak. The first one was in strtotime(), which I was able to fix, the other one is unknown at this time. I'm still digging through the php bug list and snapshots to sort it out.

aus-city · Unread post by **aus-city** » Sun Jan 04, 2009 10:45 pm

Scott,

Checkout fedora koji as Remi just built php-5.2.8 for F10 and F9.

I took the 10 srpm and rpmbuilt a f8 version and put it on.

The intermittent segfaults are now gone completely!

Also you can make a F10 php now.

Cheers,

Unread post by **scott** » Sun Jan 04, 2009 11:38 pm

Thats the one I used, and it had at least 2 separate memory leak issues. One was resolved in the -dev (pre-5.2.9) tree. The latter takes a few days to manifest on my systems here and is not related to the strtotime() leak.

The following is some test code to show the strtotime leak.

Code: Select all

<?php

// Run with the PHP CLI on the Linux shell...
// WARNING: If this bug affects you as well, your machine
// might start swapping within just a few seconds!

while (true)
    strtotime('2008-12-16 19:48:27');

?>

octet · Unread post by **octet** » Sun Jan 11, 2009 4:02 pm

Hello,

This memory leak is killing me, once a day! Server freezes and can be resolved only by a Reboot from the serial console.

Scot, what would be the best approach until it has been eradicated? Could I downgrade to 5.2.7? Are the packages still available somewhere in your repositories for CentOS 5.2?

Regards,
Adrian

hostingguy · Unread post by **hostingguy** » Sun Jan 11, 2009 8:15 pm

This was fixed in their 5.2.8-3 build I believe - at least the strtotime part.

Kain114 · Unread post by **Kain114** » Tue Jan 13, 2009 1:06 am

I think I'm down to one issue now, the so called tomcat one that got added when I ran the yum update using the art channel.

I think I "might" have it figured out.

When I just ran the httpd -M command I noticed that it was running the module " proxy_ajp_module (shared)" so I went into the conf.d folder and found a module load file for it and commented out every line. Now when I run httpd -M it does not display this module.

I hope this is the issue, it's running a PCI compliance scan now.

Kain114 · Unread post by **Kain114** » Tue Jan 13, 2009 2:47 am

Nope, still says its using Tomcat...

SecurityMetrics support is useless, they wont even answer a general false positive request, let alone any question.

Unread post by **scott** » Tue Jan 13, 2009 9:35 am

Thanks for following up at least! I actually make more notes on the things that don't work for me when I'm debugging than the things that do. Have you looked for all the installed tomcat packages (rpm -qa) and tried removing them?

In regard to PCI compliance testers... if they're not doing local checks you're always going to have high rates of false positives like that. It has to do with the limited way they use their (otherwise fantastic) vulnerability scanners.

Highland · Unread post by **Highland** » Tue Jan 13, 2009 12:50 pm

So 5.2.8-3 is stable enough for production now?

hostingguy · Unread post by **hostingguy** » Tue Jan 13, 2009 12:50 pm

I'm using it in production, no major problems but I do see some segfaults every so often although not sure why exactly.

Kain114 · Unread post by **Kain114** » Tue Jan 13, 2009 5:36 pm

scott wrote:Thanks for following up at least! I actually make more notes on the things that don't work for me when I'm debugging than the things that do. Have you looked for all the installed tomcat packages (rpm -qa) and tried removing them?

In regard to PCI compliance testers... if they're not doing local checks you're always going to have high rates of false positives like that. It has to do with the limited way they use their (otherwise fantastic) vulnerability scanners.

-bash-3.2# locate tomc
/usr/local/psa/admin/bin/tomcatmng
/usr/local/psa/admin/plib/tomcatmng.php
/usr/local/psa/admin/plib/api-cli/tomcat.php
/usr/local/psa/admin/sbin/tomcatmng
/usr/local/psa/bin/tomcat
/usr/local/psa/bin/tomcat.sh
/usr/local/psa/etc/logrotate.d/tomcat
/usr/local/psa/etc/service/tomcat.xml
/usr/local/psa/etc/service/stdmode/tomcat.xml
/usr/local/psa/etc/service/vzmode/tomcat.xml

-bash-3.2# rpm -qa | grep tomc
-bash-3.2#