Yum list PHP security updates?

Hi guys, I just wondered if there was an ETA on an update to the PHP libraries on the interworx Yum lists?

In light of the latest security updates we are keen to get things up to date on our Sago/Interworx combo:

http://www.hardened-php.net/advisory_202005.79.html
http://www.hardened-php.net/advisory_192005.78.html
http://www.hardened-php.net/advisory_182005.77.html
http://www.hardened-php.net/index.76.html

I’ve checked the YUM lists and there are no updates yet. I know we can download and update manually, but I prefer to keep to the Interworx sanctioned releases as per the yum lists for core software to avoid any possible compatibility issues.

I’d post this on Sago, but every time we ask about anything like this (yum/interworx) they defer to you guys :wink:

Checking the lists now all that is available is 4.3.11-100.rht90.iworx. 4.4.1 is the newest release of 4.x PHP so it’d be great to see it there in the update lists.

Ivery,

We are not going to release updates to PHP that are yum-able since the 4.4.x series will break many existing scripts on client boxes. We will put up an SRPM so you may build / install the PHP on your box if you like. We may put up binaries for a few distros as well, but they won’t be available via YUM directly.

Chris

I’ve put up the SRPM at:

http://updates.interworx.com/iworx/SRPMS/experimental/php-4.4.1-100.iworx.src.rpm

I’ve also built RPMs for CentOS 3 (32 bit) and RedHat 9 (32 bit) available (via yum :)) at the following repository locations:

http://updates.interworx.com/iworx/RPMS/rht90/experimental/i386
http://updates.interworx.com/iworx/RPMS/cos3x/experimental/i386

Let me know how the upgrade goes Ivery.

Also, I would not leave the experimental repositories in your yum.conf longer than needed as things flow in and out of there that you may not want/need etc.

Chris

Thanks I’ve just tried that on one of our servers and the upgrade looks to have worked fine. I’ll do some more tests and then run the same update on our larger system. Sadly I’ve got to locate an rpm version of php-eaccelerator that works for php 4.4.1. Chris I know you’re a really kind chap, is there any chance you could stick an rpm for that in the development/test URL you gave me? (I ask as it’d most likely take you 3mins to do/sort, and for me it’d take hours to find the right version). :slight_smile:

You mention that 4.4.x can break client scripts. I’m not aware of the compatibility issues, so can you let me know what sort of things to look for?

Also, what’s the prognosis/outlook for this issue? Naturally it makes sense to run the latest version of PHP. 5 might not be the best, but at least the best version of 4 that’s out. I haven’t seen any exploit scripts out yet that take advantage of the recently found flaws but it’s only a matter of time.

…needless to say Sago for one will most certainly be handing out clean/new servers to folks with Interworx on them updated only to the version that is on your yum lists. :wink: Surely it can’t be realistic to leave the standard yum lists frozen at php 4.3.x?

Cheers,

Ivery

Ahhhh!

Chris, any chance you can give me simple instructions to roll back? That version of php is bitching all over the place.

It’s not only throwing errors like “cannot redeclare” in relation to functions, it’s also decided that it is going to throw session errors (in login routines).

4.4.x “looks” like it works on the face of it, but when you delve a bit deeper various scripts throw wobblies that worked fine for years previously.

Gallery is one script that we’ve had working fine for ages, and the change of PHP causes problems all over the shop.

rpm -Uvh --force the 4.3.x rpms

To anyone reading this, never ever EVER ask yum to uninstall php on an interworx machine unless you want to bring upon yourself doom and destruction. (Like I did).

Yum links interworx/nodeworx as dependents and if you don’t spot it and press ‘y’ it’ll go and uninstall the core admin interface.

Chris has very kindly sorted out my screw up… but please do beware and don’t do the silly thing I did.

I shouldn’t try to do tech work at a weekend, I just make a mess of things! :frowning:
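A pre-flight check for the two pitfalls in this thread (rolling php back with rpm, and yum taking the control panel with it when php is removed), added here as an example and not a script from Interworx or anyone in the thread. It assumes the control-panel packages are named interworx and nodeworx as the post above says; the sample rpm output is constructed.

```shell
#!/bin/sh
# Before removing or downgrading php on an InterWorx box, list what depends on
# it and stop if a control-panel package is in that list. The names below are
# an assumption taken from the thread; check them against `rpm -qa` first.
CRITICAL='interworx|nodeworx'

# Take the text of `rpm -q --whatrequires php` and return 0 (unsafe) when a
# critical package appears at the start of a line, 1 (safe) otherwise.
# Passing the text in as an argument lets the check run without rpm present.
unsafe_to_remove() {
    printf '%s\n' "$1" | grep -Eq "^($CRITICAL)"
}

# Ask rpm which installed packages require the given package name.
reverse_deps() {
    rpm -q --whatrequires "$1" 2>/dev/null
}

# Build the rollback command. The thread uses `rpm -Uvh --force`; --oldpackage
# is the narrower switch that only permits the step back to an older version,
# without also forcing file and package replacement.
rollback_cmd() {
    printf 'rpm -Uvh --oldpackage %s\n' "$*"
}

# Constructed sample of what --whatrequires prints on a panel host, used only
# to demonstrate the check offline.
SAMPLE_DEPS='nodeworx-3.0.0-1.iworx
interworx-3.0.0-1.iworx'

demo() {
    if unsafe_to_remove "$SAMPLE_DEPS"; then
        echo "refusing: control-panel packages depend on php"
    else
        echo "no critical reverse dependencies found"
    fi
    rollback_cmd php-4.3.11-100.rht90.iworx.i386.rpm
}

# Run the live check only when explicitly asked, so sourcing the file is safe.
if [ "${PHPCHECK_LIVE:-}" = "1" ]; then
    deps=$(reverse_deps php)
    unsafe_to_remove "$deps" && { echo "refusing: $deps"; exit 2; }
fi
```

Set PHPCHECK_LIVE=1 to run the real rpm query on a host; without it the functions are only defined and demo() shows the behaviour on the constructed sample.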

I did the same thing with qmail when I first started almost two years ago; yeah, you need to be VERY careful what you remove. You are very lucky you didn’t need an OS reinstall like I did, a very expensive lesson I learned with the $100 reinstall fee :frowning: