Koozali.org: home of the SME Server

PHP Security Update 4.3.10

jackl
PHP Security Update 4.3.10
« on: December 19, 2004, 02:26:11 PM »
Does anyone know what effect the PHP security vulnerabilities (versions <=4.3.9) have on SME Server,
and if so, does anyone know of an RPM for PHP 4.3.10 to overcome the security issues of the current versions <=4.3.9,
or the whereabouts of a patch to fix the existing SME PHP packages?

This appears to be a serious security issue, or am I wrong and panicking about nothing?

Regards
Jackl
......

finchwizard

PHP Security Update 4.3.10
« Reply #1 on: December 20, 2004, 01:38:01 AM »
I dunno, but I noticed it as well. I'm hoping for a security update pretty soon for SME if anyone can provide it.

I'm also working on other servers to upgrade it ASAP.


jackl
PHP Security Update 4.3.10
« Reply #3 on: December 20, 2004, 08:53:49 PM »
Chris,

Thanks a million, that worked a treat; my servers are now running PHP 4.3.10. I upgraded by downloading the RPMs you indicated and used the last half of Jesper Knudsen's upgrade script for PHP 4.3.8 to install the RPMs. Looks good so far.

Chris thanks again and also to Jesper for the fantastic scripts he has created.

Kind Regards

Jack
......

girkers
PHP Security Update 4.3.10
« Reply #4 on: December 21, 2004, 03:48:52 AM »
I tried updating these rpms, but found it failed dependencies, and then I just went on a wild goose chase, chasing this rpm, then that one.

jackl, you mention a script; where do you find this?

chrisparker

PHP Security Update 4.3.10
« Reply #5 on: December 21, 2004, 04:08:54 AM »
girkers,

You most likely failed a dependency on unixODBC. This can be obtained here:

ftp://ftp.rediris.es/sites/ftp.redhat.com/pub/redhat/linux/7.3/en/os/i386/RedHat/RPMS/unixODBC-2.2.0-5.i386.rpm

The other source of dependency failure could be that you downloaded the postgres (pgsql) rpm from the site mentioned in my first post. This is not required.

The script jackl would be referring to is http://mirror.contribs.org/smeserver/contribs/ergozd/scripts/php4.3.9-3upgrade.sh (or equivalent)

Hope this helps

girkers
PHP Security Update 4.3.10
« Reply #6 on: December 21, 2004, 07:07:54 AM »
Hey Chris,

Thanks for that; it worked a treat once I got the unixODBC. I d/l'd only the files I needed and, hey, bang presto, it worked.

I only used the last part of the script you stated, but the pear thing didn't seem to work; everything else seems fine.

Now if only I could get to my phpAdmin page I will be right. :-?

jackl
PHP Security Update 4.3.10
« Reply #7 on: December 21, 2004, 09:33:48 AM »
My apologies to everyone, I forgot to mention that I had already upgraded to PHP 4.3.8 using Jesper's script at http://sme.swerts-knudsen.dk
This script loaded the unixODBC rpm for me.
I then downloaded the RPMs Chris kindly pointed out to me and ran this script from the same directory:

rpm -Uvh --nodeps php*.rpm

mkdir -p /etc/e-smith/templates-custom/etc/php.ini
touch /etc/e-smith/templates-custom/etc/php.ini/50PathsDirectories
echo 'include_path        = ".:/usr/share/pear"' > /etc/e-smith/templates-custom/etc/php.ini/50PathsDirectories
echo 'doc_root            =' >> /etc/e-smith/templates-custom/etc/php.ini/50PathsDirectories
echo 'user_dir            =' >> /etc/e-smith/templates-custom/etc/php.ini/50PathsDirectories
echo 'extension_dir       = /usr/lib/php4' >> /etc/e-smith/templates-custom/etc/php.ini/50PathsDirectories
echo 'enable_dl           = On' >> /etc/e-smith/templates-custom/etc/php.ini/50PathsDirectories

pear upgrade Log
pear upgrade Date

/sbin/e-smith/expand-template /etc/php.ini

service httpd restart

echo " DONE........"

Hope this is of help to somebody
Sorry for the confusion

regards
Jack
......

NickR
PHP Security Update 4.3.10
« Reply #8 on: December 21, 2004, 10:00:17 PM »
Just so that people don't panic unnecessarily, this page http://isc.sans.org/diary.php?date=2004-12-21 would appear to indicate that the problem lies with phpBB specifically.
There's also a good advisory available here http://www.hardened-php.net/advisories/012004.txt

That said, it's still a good idea to update PHP.  Unless you're running phpBB, it seems less urgent.
--
Nick......

SoundSailor
PHP Security Update 4.3.10
« Reply #9 on: December 21, 2004, 10:52:08 PM »
Will these updates work for SME 5.6 or are they just for 6+?

girkers
PHP Security Update 4.3.10
« Reply #10 on: December 22, 2004, 02:33:06 AM »
I did the pear upgrades by hand and they no longer went "pear" shaped.  It did the Log upgrade, but the Date one had apparently already been done.

gpin75

FYI
« Reply #11 on: December 22, 2004, 06:10:52 AM »
This worked for me running SME 6.01, previously upgraded to PHP 4.3.9 using Jesper's script.

rport

PHP and phpBB Security Precautions
« Reply #12 on: December 23, 2004, 12:32:53 AM »
Thanks for the advice

I had already upgraded to PHP 4.3.9 using the script.

So all I did was download the RPMs (listed below) to a new directory ./php4.3.10/ and then typed:

rpm -Uvh --nodeps php*.rpm

then 1 minute later...

service httpd restart

Woosh.... PHP 4.3.10

I also upgraded phpBB to 2.0.11 in order to help prevent the effect of the Santy.A worm.

More Info:

New Worm Spreads Via Google
Google Smacks Down Santy Worm


Quote from: "chrisparker"
I installed the following RPM's from http://open.rhx.it/apt/redhat/7.3/i386/RPMS.rhx/

http://open.rhx.it/apt/redhat/7.3/i386/RPMS.rhx/php-4.3.10-0.i386.rpm
http://open.rhx.it/apt/redhat/7.3/i386/RPMS.rhx/php-devel-4.3.10-0.i386.rpm
http://open.rhx.it/apt/redhat/7.3/i386/RPMS.rhx/php-imap-4.3.10-0.i386.rpm
http://open.rhx.it/apt/redhat/7.3/i386/RPMS.rhx/php-mysql-4.3.10-0.i386.rpm
http://open.rhx.it/apt/redhat/7.3/i386/RPMS.rhx/php-ldap-4.3.10-0.i386.rpm
http://open.rhx.it/apt/redhat/7.3/i386/RPMS.rhx/php-odbc-4.3.10-0.i386.rpm
http://open.rhx.it/apt/redhat/7.3/i386/RPMS.rhx/php-snmp-4.3.10-0.i386.rpm


I think these will only work IF you have previously upgraded to php 4.3.9 using the sme upgrade script.

ergozd

PHP Security Update 4.3.10
« Reply #13 on: December 23, 2004, 09:01:41 AM »
Hi there!

I've updated the php-upgrade script with RPMS from rhx as mentioned here. I've not yet tried it myself (due to lack of time to test things)...

ONLY AT YOUR OWN RISK
download and run the script... Good luck...
(Read this bug-thread if you have Zend Optimizer enabled http://bugs.php.net/bug.php?id=31116 OR the important notice from Zend http://www.zend.com/store/products/zend-optimizer.php )
- you will have to upgrade your ZO to v2.5.7 to get PEAR to work correctly...

http://ergin.dyndns.org/download/php4.3.10-upgrade_rhx.sh

Pls give feedback on how it goes for your system so I can make "necessary changes" when/if needed... Only after a few feedbacks will I upload the script to my contrib area.


PS: Make sure you don't lose any functionality based on compile options...

Best rgds, Ergin

gregswallow
PHP Security Update 4.3.10
« Reply #14 on: December 23, 2004, 07:58:57 PM »
Ergin,

I had been wondering if the script is wrong....shouldn't:
Code:
if [ $IS_ODBC -eq 0 ]
then
    wget ftp://

be changed to:
Code:
if [ $IS_ODBC -eq 0 ]
then
    rpm -Uvh ftp://

...otherwise unixODBC-2.2.0-5.i386.rpm never gets installed. Also, I think that link is dead. Maybe link to unixodbc on download.fedoralegacy.org.

I am also wondering if these are the best php rpms to use. Weren't the php 4.3.9 rpms from http://mirror.contribs.org/smeserver/contribs/ldinclaux/SME6.x/Contribs/RPMS/ compiled with more options or made specially for SME? And who is rhx? I guess if you are running a vulnerable phpbb website then you need these right away though.

egerards

PHP Security Update 4.3.10
« Reply #15 on: December 23, 2004, 10:26:58 PM »
I also tried the php upgrade script. As Greg pointed out, the unixODBC rpm will never be installed. As we like all rpm files in the temporary 'phpupgrade' subdir to be installed, 'rpm -Uvh --nodeps php*.rpm' could be changed to 'rpm -Uvh --nodeps *.rpm' and that should do the job.

Here the link to the unixODBC rpm seems to work fine...

And so far all my PHP applications seem to work fine, so thanks for the efforts!

ergozd

PHP Security Update 4.3.10
« Reply #16 on: December 24, 2004, 09:15:35 AM »
Hello Greg!

I modified the script so:
Code:
if [ $IS_ODBC -eq 0 ]
then
    rpm -Uvh http://download.fedoralegacy.org/redhat/7.3/os/i386/unixODBC-2.2.0-5.i386.rpm
else
    echo "unixODBC installed skipping download"
fi


As for if these are the best php-rpms to use, there are two options as of now, either these RHX releases or NORLUG releases.

Neither Laurent Dinclaux nor Dan Brown has compiled any newer RPMS yet, so I simply scripted the ones which exist. (I try to check their contrib areas as often as I can.)

As soon as newer RPMS are released by any of the above-mentioned contributors, I'll update the script.

I personally think there is no need to rush for an upgrade unless you have a phpbb forum running; therefore I've not announced the script.

Normando
PHP Security Update 4.3.10
« Reply #17 on: December 24, 2004, 07:39:33 PM »
Thanks Ergin, the script ran OK!!!!

Rigger
PHP Security Update 4.3.10
« Reply #18 on: December 25, 2004, 07:03:06 AM »
The script downloads all the rpm's before installing them. Either will work but it was just easier at the time cutting and pasting similar lines and editing the minor changes.

As far as "better" goes, if the 4.3.9 has a known security bug then the compile doesn't matter. Upgrade and then wait to see if the author of the 4.3.9 does another special build.


php4.3.10-upgrade.sh
Quote

#!/bin/sh
# Ergin Özdemir ergin@ergin.net
#
# 2004-12-24 Rigger
# Updated for php release 4.3.10
# There are NO builds for postgre-sql or the manual for 4.3.10 at the known download location
# so uncommenting to install packages will not work.
#
# 2004-09-29 Laurent Dinclaux released php-4.3.9
# I have released PHP 4.3.9 RPMs. In addition of Dan Brown releases:
# - Curl extension
# - Compiled with options
#     --enable-sockets --enable-pcntl --enable-sigchild
#
# Based on Rigger's (Doug Musty <doug@musty.us>) script & Dan Brown's RPMS
# 2004-07-23 Latest update from Rigger
# Recognize that the unixODBC package is already installed and skip downloading it...
# Also changed the pear install commands to pear upgrade. This will stop the failure
# notice if already installed and will still install the package if not installed already.

mkdir phpupgrade
cd phpupgrade

wget http://open.rhx.it/apt/redhat/7.3/i386/RPMS.rhx/php-4.3.10-0.i386.rpm
wget http://open.rhx.it/apt/redhat/7.3/i386/RPMS.rhx/php-devel-4.3.10-0.i386.rpm
wget http://open.rhx.it/apt/redhat/7.3/i386/RPMS.rhx/php-imap-4.3.10-0.i386.rpm
wget http://open.rhx.it/apt/redhat/7.3/i386/RPMS.rhx/php-mysql-4.3.10-0.i386.rpm
wget http://open.rhx.it/apt/redhat/7.3/i386/RPMS.rhx/php-ldap-4.3.10-0.i386.rpm
wget http://open.rhx.it/apt/redhat/7.3/i386/RPMS.rhx/php-odbc-4.3.10-0.i386.rpm
wget http://open.rhx.it/apt/redhat/7.3/i386/RPMS.rhx/php-snmp-4.3.10-0.i386.rpm


# Uncomment next line if you are using postgre sql
# wget http://www.ibiblio.org/pub/Linux/distributions/smeserver/contribs/ldinclaux/SME6.x/Contribs/RPMS/php-pgsql-4.3.9-3ld.i386.rpm

# Uncomment next line if you want to install the manual.
# wget http://www.ibiblio.org/pub/Linux/distributions/smeserver/contribs/ldinclaux/SME6.x/Contribs/RPMS/php-manual-4.3.9-3ld.i386.rpm

# Download unixODBC if not installed (it is then installed by the rpm -Uvh *.rpm below).
rpm -qa > rpmlist

# Count installed packages whose name contains unixODBC (0 = not installed)
IS_ODBC=$(grep -c unixODBC rpmlist)

if [ $IS_ODBC -eq 0 ]
then
   wget ftp://ftp.rediris.es/sites/ftp.redhat.com/pub/redhat/linux/7.3/en/os/i386/RedHat/RPMS/unixODBC-2.2.0-5.i386.rpm
else
   echo "unixODBC installed skipping download"
fi

rpm -Uvh *.rpm

mkdir -p /etc/e-smith/templates-custom/etc/php.ini
touch /etc/e-smith/templates-custom/etc/php.ini/50PathsDirectories
echo 'include_path        = ".:/usr/share/pear"' > /etc/e-smith/templates-custom/etc/php.ini/50PathsDirectories
echo 'doc_root            =' >> /etc/e-smith/templates-custom/etc/php.ini/50PathsDirectories
echo 'user_dir            =' >> /etc/e-smith/templates-custom/etc/php.ini/50PathsDirectories
echo 'extension_dir       = /usr/lib/php4' >> /etc/e-smith/templates-custom/etc/php.ini/50PathsDirectories
echo 'enable_dl           = On' >> /etc/e-smith/templates-custom/etc/php.ini/50PathsDirectories

pear upgrade Log
pear upgrade Date

/sbin/e-smith/expand-template /etc/php.ini

service httpd restart

rm * -f
cd ..
rmdir phpupgrade

echo " DONE........"



smeghead
PHP Security Update 4.3.10
« Reply #19 on: January 06, 2005, 06:06:02 PM »
Ergin, the perms on the 4.3.10 script files on your ftp site are wrong, so people can't d/l them. Could you fix this please?
..................


Snoopyski
PHP Security Update 4.3.10
« Reply #21 on: January 08, 2005, 10:37:39 PM »
That's what I get when I try to run the script...


unixODBC installed skipping download
error: failed dependencies:
        libsnmp.so.0   is needed by php-snmp-4.3.10-0


Help ...  :-o

Thanks,

Snoopyski

gregswallow
PHP Security Update 4.3.10
« Reply #22 on: January 10, 2005, 07:22:26 PM »
Quote from: "Snoopyski"
Help ...  :-o

try this:
Code:
rpm -Uvh --force http://www.ibiblio.org/pub/linux/distributions/smeserver/releases/6.0.1/os/e-smith/RPMS/ucd-snmp-4.2.5-7.73.0.i386.rpm

http://rpm.pbone.net has a search function that lets you search for what rpm contains libsnmp.so.0, for example. Maybe you deleted ucd-snmp?

Snoopyski
PHP Security Update 4.3.10
« Reply #23 on: January 10, 2005, 07:40:16 PM »
Thanks,

OK, now the script goes fine, BUT my PHP still stays at 4.3.9!!!!!!!!!!!

Snoopyski
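Two things went wrong for posters in this thread: the rpm step failing on a dependency, and the script finishing while PHP stayed at 4.3.9. The following is an added example (not from the thread or from the php4.3.10-upgrade.sh script) of POSIX sh helpers to run around the upgrade: one extracts the missing names from rpm's "failed dependencies" output so they can be looked up with `rpm -q --whatprovides`, the other checks that `php -v` reached the target version with a numeric rather than string comparison. The rpm error and `php -v` lines are constructed samples; `libexample.so.1` is made up.

```shell
#!/bin/sh
# Added example, not part of the thread or of the php4.3.10-upgrade.sh script.
# Helpers to run around the upgrade steps; all sample inputs are constructed.

# Print the names rpm reports as missing, one per line, from its
# "failed dependencies" output (stdin). Each can then be looked up with
# `rpm -q --whatprovides <name>` instead of guessing which package to fetch.
missing_deps() {
    sed -n 's/^[[:space:]]*\([^[:space:]]*\)[[:space:]]\{1,\}is needed by .*/\1/p'
}

# Return 0 if dotted version $1 >= $2, comparing each field numerically.
# A plain string compare gets this wrong: "4.3.10" sorts before "4.3.9".
version_ge() {
    v1=$1; v2=$2
    while [ -n "$v1" ] || [ -n "$v2" ]; do
        a=${v1%%.*}; b=${v2%%.*}
        [ "${a:-0}" -gt "${b:-0}" ] && return 0
        [ "${a:-0}" -lt "${b:-0}" ] && return 1
        case $v1 in *.*) v1=${v1#*.} ;; *) v1= ;; esac
        case $v2 in *.*) v2=${v2#*.} ;; *) v2= ;; esac
    done
    return 0
}

# Extract the version number from `php -v` output (stdin).
php_version() {
    sed -n 's/^PHP \([0-9][0-9.]*\).*/\1/p' | head -n 1
}

# Return 0 only if the `php -v` text in $1 shows at least version $2;
# a wrapper script would restart httpd only on success.
check_upgrade() {
    got=$(printf '%s\n' "$1" | php_version)
    [ -n "$got" ] && version_ge "$got" "$2"
}

# Constructed samples: the dependency error posted above plus a second
# made-up line, and php -v output before and after the upgrade.
RPM_ERR='error: failed dependencies:
        libsnmp.so.0   is needed by php-snmp-4.3.10-0
        libexample.so.1   is needed by php-example-4.3.10-0'
PHP_OLD='PHP 4.3.9 (cli) (built: Sep 29 2004 10:00:00)'
PHP_NEW='PHP 4.3.10 (cli) (built: Dec 15 2004 10:00:00)'

printf '%s\n' "$RPM_ERR" | missing_deps
check_upgrade "$PHP_OLD" 4.3.10 || echo "upgrade incomplete, PHP still below 4.3.10"
check_upgrade "$PHP_NEW" 4.3.10 && echo "upgrade verified"
```

On a live box the constructed strings would be replaced by `rpm -Uvh --test *.rpm 2>&1` and `php -v`, so dependency gaps surface before anything is installed and httpd is only restarted once the new version is confirmed.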

Snoopyski
PHP Security Update 4.3.10
« Reply #24 on: January 10, 2005, 08:11:45 PM »
THAT'S WHAT I GET NOW!!!

Warning: Illegal offset type in Common.php on line 91

Warning: Illegal offset type in Common.php on line 108

after I removed the snmp package and ran the script again!!!!!

Now I'm on PHP 4.3.10, BUT my Apache server doesn't work fine!

Any idea ?

Thanks

Snoopyski

Snoopyski
PHP Security Update 4.3.10
« Reply #25 on: January 10, 2005, 10:09:11 PM »
Any idea? My web site is DOWN now!!!

Thanks !

Snoopyski

Snoopyski
PHP Security Update 4.3.10
« Reply #26 on: January 11, 2005, 05:45:08 PM »
OK, now I removed the uc**-snmp-***.rpm...

AND I was able to DOWNGRADE to 4.3.9!!! with --oldpackages and --force.

My web site is UP and running now with PHP 4.3.9...

Any idea how to upgrade to the latest version?

thanks,

Snoopyski

smeghead
PHP Security Update 4.3.10
« Reply #27 on: January 11, 2005, 08:17:35 PM »
You were probably using the rpms built by Laurent Dinclaux that had some extra stuff compiled in; the standard 4.3.10 rpms do not have these extensions.

Your site may have broken with the 4.3.10 upgrade due to the loss of these extensions.

Did you read the scripts BEFORE running them to check to see what they did & to read the notes inside?
..................

ergozd

PHP Security Update 4.3.10
« Reply #28 on: January 12, 2005, 08:06:52 PM »
Hi!

smeghead is on the right track here. The latest I heard from Laurent is that he compiled a newer version, BUT he had a problem with his DSL, so he has NOT yet uploaded those RPMS.

The latest PHP RPMS used in the php-upgrade script are from RHX, and they are NOT compiled with --enable-sockets --enable-pcntl --enable-sigchild

If your applications need those option(s), either build your own RPMS or wait until Laurent can upload his files.

Best rgds, Ergin

guest22

PHP Security Update 4.3.10
« Reply #29 on: January 13, 2005, 12:55:29 AM »
FYI,

Dan Brown (long-time PHP/Horde enthusiast and contribs.org member) has put out his RPMs. You will find them in the 'dbrown' contribs area.

smeghead
PHP Security Update 4.3.10
« Reply #30 on: January 13, 2005, 03:38:02 AM »
Hi Hsing Foo

Is there any info about how Dan's rpms have been built? There are no docs in his d/l area.

His site seems to be down at the mo!

Also, for the unwary, make sure you get the rh73 ones & not the centos ones.
..................

ergozd

PHP Security Update 4.3.10
« Reply #31 on: January 15, 2005, 08:59:28 AM »
Hi smeghead!

Check thread http://forums.contribs.org/index.php?topic=25582.0

You can see the configuration options.

Best rgds, Ergin