4.4.1 beware! Bug

Brent · Unread post by **Brent** » Tue Nov 08, 2005 2:16 am

If you use phpadsnew please read this http://forum.phpadsnew.com/index.php?showtopic=9493

There is a bug that prevents it from working in 4.4.1

Unread post by **scott** » Wed Nov 09, 2005 7:55 pm

cool, thanks for the report!

faris · Unread post by **faris** » Thu Nov 17, 2005 10:35 am

Could the phpadsnew problem be responsible for a problem I'm having?

Basically every day for the past day or so I've found an httpd and mysql process together using 100% cpu on my dual processor machine.

This seems to have started after I upgraded to the latest ART php and mysql two weeks go (RH9).

I was going to ask for advice on how to trace the problem - top just shows the processes and pids, and ps doesn't show anything new about the offending processes.

But I know for a fact that one of my users uses phpadsnew.

Faris.

Unread post by **scott** » Thu Nov 17, 2005 1:28 pm

Can you try disabling phpadsnew for a day? If it happens again you'd know thats not the problem.

breun · Unread post by **breun** » Sat Nov 19, 2005 8:26 am

Is this bug already fixed in the current php art packages (4.4.1-1.rhfc3)? Or is it safe/advisable to upgrade from 4.4.0-3.rhfc3 which I'm running now.

faris · Unread post by **faris** » Mon Nov 21, 2005 1:07 pm

Hmm.. Well, I asked the user to get rid of it and they did, and all seems to be well again. So I think it was very likely that it was the culprit.

It doesn't make sense for things to be so difficult to trace though. I hope to God that PSA 8 will see a change and apache will be run as the actual account user instead of just as httpd/apache.

Or is there something very complicated about doing it?

Breun - I'll be upgrading to the 4.4.1-1 shortly on my test machine. I'll let you know if I have any problems.

Faris.

Unread post by **scott** » Mon Nov 21, 2005 3:59 pm

You can do that with suphp (psa does this with cgi's now), which is handy for at least finding the user with the exploitable scripts faster.

breun · Unread post by **breun** » Mon Nov 21, 2005 4:12 pm

How can you do what exactly with suphp?

Unread post by **scott** » Tue Nov 22, 2005 8:57 am

It works just like suexec, php scripts would run as the user rather than as apache.

breun · Unread post by **breun** » Tue Nov 22, 2005 9:36 am

Ok, so if I'm not running phpAdsNew it should be safe to upgrade to 4.4.1-1 from art?

breun · Unread post by **breun** » Sun Nov 27, 2005 4:38 pm

Can anyone confirm it's ok to upgrade to 4.4.1-1?

jamster · Unread post by **jamster** » Sun Nov 27, 2005 10:57 pm

ditto. Am keen to apply latest update but if our developers have used this code anywhere and I go ahead and break it then they'll strangle me!

Do I have to wait for php 4.4.2?

tabacco · Unread post by **tabacco** » Sun Nov 27, 2005 11:51 pm

The newest version of phpadsnew is compatible with 4.4.1, so just update that and you're set.

jamster · Unread post by **jamster** » Wed Nov 30, 2005 8:07 am

tabacco wrote:The newest version of phpadsnew is compatible with 4.4.1, so just update that and you're set.

As I understand it it's not just phpadsnew but any php script that has this particular coding. We don't run phpadsnew but we do have a large amount of custom code, and I'm not keen on breaking live sites

Anyone got any ideas if the 4.4.1 from Art is still broken (not blaming scott for this by the way, I know it's a php release issue, just wondered if it's been fixed yet).

Unread post by **scott** » Wed Nov 30, 2005 3:10 pm

Yeah I always worry about that when I make a big update. Thats one reason I've been holding off on the php5 series. I just know that its going to cause all kinds of weird little tertiary apps to break. It happened with the php 4.3 package all over the place and I learned my lesson that time. Maybe its time to create an [atomic-bleeding] channel like the other maintainers do, so those bolder types can test these things out in advance.

Atomicorp

4.4.1 beware! Bug

4.4.1 beware! Bug

httpd and mysql hanging