
Suhosin

Posted: Thu Sep 17, 2015 2:01 pm
by Imaging
The Suhosin extension is up to version 0.9.38:

http://www.suhosin.org/stories/download.html

Mentioning for consideration for an update for the php-suhosin-0.9.37.1-5 package.

Thanks.

Re: Suhosin

Posted: Mon Oct 12, 2015 4:05 pm
by scott
Got it, thanks for the heads up. This is going out to the mirrors right now.

Re: Suhosin

Posted: Tue Oct 13, 2015 12:05 pm
by Imaging
Thanks!

Re: Suhosin

Posted: Tue Oct 13, 2015 1:00 pm
by Imaging
We're seeing an error:

error: rpmts_HdrFromFdno: Header V4 RSA/SHA1 signature BAD, key ID 4520afa9

Problem opening package php-suhosin-0.9.38-6.el5.art.x86_64.rpm

on our CentOS 5.x boxes.

Is header v4 versus v3 compatible with CentOS 5.x?

On our CentOS 6.x boxes, the update installs but the suhosin version is still showing 0.9.36 on the commandline and in phpinfo.

Re: Suhosin

Posted: Thu Oct 22, 2015 4:19 pm
by Imaging
Any update on the signatures?

Seeing the same error on the mysqltuner package now in the asl repo.

The update to the CentOS 6.x package shows the correct version now so the CentOS 5.x signatures appear to be the only remaining issue.

Thanks.

Re: Suhosin

Posted: Wed Oct 28, 2015 8:58 am
by Imaging
Any update?

Can you please resign the php-suhosin (and the recent mysqltuner package) with V3 sigs for the CentOS 5.x packages?

Thanks!

Re: Suhosin

Posted: Wed Nov 04, 2015 4:36 pm
by scott
How about now? I'm not seeing any problems with the suhosin packages on el5-64. I did re-export the php & mysqltuner packages earlier.

Re: Suhosin

Posted: Wed Nov 04, 2015 4:57 pm
by Imaging
Thank you. On a quick check with the mysqltuner package, all is working properly now.

Re: Suhosin

Posted: Mon Dec 21, 2015 3:48 pm
by Imaging
Scott:

Could you check the suhosin EL5 package again?

On an install attempt for:

php-suhosin-0.9.38-7.el5.art.x86_64.rpm via yum, we are again getting:

error: rpmts_HdrFromFdno: Header V4 RSA/SHA1 signature BAD, key ID 4520afa9

Thanks.

Re: Suhosin

Posted: Wed Dec 23, 2015 3:38 pm
by scott
That means you're missing the newer GPG key, which is in the atomic-release package. Another way to install it is to run the atomic installer again.

Re: Suhosin

Posted: Wed Dec 23, 2015 5:13 pm
by Imaging
Scott:

Thanks.

As best we can see we have the latest version of the atomic-release package so perhaps not the issue. It appears to be related to the V4 sig versus the V3 on other packages.

To double-check, we did a clean all and we reinstalled atomic-release from the repos which pulled down:

atomic-release-1.0-19.el5.art.noarch.rpm

After that install we tried updating and the packages are still giving the error.

Re: Suhosin

Posted: Wed Dec 30, 2015 3:32 pm
by Imaging
Per the other thread about resolving the issue, was the php-suhosin package redone? Looking through the wwwX atomic mirrors shows a mod date of October for the latest standalone php-suhosin. The only package of the ones reported that I'm seeing a new mod date is mysql.

Re: Suhosin

Posted: Fri Jan 01, 2016 6:03 pm
by Imaging
Thanks for posting updated clam packages. Once the php-suhosin packages are updated, we should be good to go.

Thanks.

Re: Suhosin

Posted: Thu Jan 07, 2016 1:34 pm
by Imaging
Can someone please update the sigs on:

php-suhosin-0.9.38-7.el5.art.i386.rpm
php-suhosin-0.9.38-7.el5.art.x86_64.rpm

for CentOS 5.x so we can hopefully put these sig related issues to bed?

Each is showing:

rpm --checksig php-suhosin-0.9.38-7.el5.art.i386.rpm
RSA sha1 MD5 PGP md5 NOT OK

rpm --checksig php-suhosin-0.9.38-7.el5.art.x86_64.rpm
RSA sha1 MD5 PGP md5 NOT OK

Thank you.
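The two diagnoses in this thread (a missing GPG key versus a signature the EL5 rpm cannot verify) can be told apart from rpm's own output: when the signing key is not in the rpm database, `rpm -K` says so explicitly (the `NOT OK` line carries a `(MISSING KEYS: GPG#<keyid>)` annotation, and `--checksig -v` reports `NOKEY`), whereas a plain `NOT OK` with the key already imported, as in the output above, means re-importing the key will not change the result and the package has to be re-signed. The triage script below is an added example written for this page; it is not code from the thread or from Atomicorp. The rpm commands that produce the real inputs are named in comments; to keep the script runnable offline, those outputs are replaced by constructed sample strings built from the error lines quoted in this thread (key ID 4520afa9 is taken from the page; the `gpg-pubkey` release string and summary are placeholders).

```shell
#!/bin/sh
# Triage helper for "signature BAD" / "NOT OK" on yum/rpm installs.
# Added example, not from the thread or Atomicorp. Real inputs come from:
#   rpm -K -v pkg.rpm                      -> verification verdict per signature
#   rpm -q gpg-pubkey --qf '%{NAME}-%{VERSION}-%{RELEASE} %{SUMMARY}\n'
#                                          -> imported keys; VERSION is the 8-hex key id
#   rpm -qp --qf '%{SIGPGP:pgpsig}\n' pkg.rpm
#                                          -> algorithm and key id used to sign pkg.rpm

# Extract the 8-hex key id from an rpm error line such as
#   error: rpmts_HdrFromFdno: Header V4 RSA/SHA1 signature BAD, key ID 4520afa9
sig_key_id() {
    printf '%s\n' "$1" | sed -n 's/.*key ID \([0-9A-Fa-f]\{8\}\).*/\1/p' | tr 'A-F' 'a-f'
}

# Classify one `rpm -K` result line. "NOT OK" contains "OK", so the
# negative cases are matched first; the missing-key annotation wins over both.
classify_checksig() {
    case "$1" in
        *"MISSING KEYS"*|*NOKEY*) echo missing-key ;;
        *"NOT OK"*)               echo bad-signature ;;
        *OK*)                     echo ok ;;
        *)                        echo unknown ;;
    esac
}

# Is key $1 present in the `rpm -q gpg-pubkey` listing passed as $2?
key_imported() {
    printf '%s\n' "$2" | grep -q "gpg-pubkey-$1-"
}

# Combine the three observations into one verdict line:
#   <classification> key=<id> <imported|absent>
# "bad-signature ... imported" means the key is already there and re-importing
# it cannot fix the install; the package needs re-signing (or a newer rpm).
triage() {
    err_line=$1; checksig_line=$2; key_list=$3
    kid=$(sig_key_id "$err_line")
    verdict=$(classify_checksig "$checksig_line")
    if key_imported "$kid" "$key_list"; then have=imported; else have=absent; fi
    echo "$verdict key=$kid $have"
}

# Constructed sample inputs (placeholders, not real command output):
SAMPLE_ERR='error: rpmts_HdrFromFdno: Header V4 RSA/SHA1 signature BAD, key ID 4520afa9'
SAMPLE_CHECKSIG='RSA sha1 MD5 PGP md5 NOT OK'
SAMPLE_KEYS='gpg-pubkey-4520afa9-00000000 gpg(constructed sample key 4520afa9)'

# Stand-alone run on the constructed sample from this thread.
triage "$SAMPLE_ERR" "$SAMPLE_CHECKSIG" "$SAMPLE_KEYS"
```

Run it against real output by substituting the three commands in the header comments for the sample strings; the interesting case is the one printed for the thread's data, `bad-signature key=4520afa9 imported`, which is the signal that reinstalling atomic-release is not the fix.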

Re: Suhosin

Posted: Mon Jan 11, 2016 4:02 pm
by scott
Re-importing along with the other PHP updates addressing the vulnerabilities in: http://securitytracker.com/id/1034608