PHP 4.4.1 has been released

**AlexAT** · 10-31-2005 11:53 AM

PHP 4.4.1 is now available for download [1]. This version is a maintenance release, that contains numerous bug fixes, including a number of security fixes related to the overwriting of the GLOBALS array. All users of PHP 4.3 and 4.4 are encouraged to upgrade to this version.

Wondering - when it will be in easyapache?

**mesranet** · 10-31-2005 11:56 PM

TITLE:
PHP Multiple Vulnerabilities

SECUNIA ADVISORY ID:
SA17371

VERIFY ADVISORY:
http://secunia.com/advisories/17371/

CRITICAL:
Moderately critical

IMPACT:
Security Bypass, Cross Site Scripting, DoS, System access

WHERE:
>From remote

SOFTWARE:
PHP 4.0.x
http://secunia.com/product/1655/
PHP 4.1.x
http://secunia.com/product/1654/
PHP 4.2.x
http://secunia.com/product/105/
PHP 4.3.x
http://secunia.com/product/922/
PHP 4.4.x
http://secunia.com/product/5768/
PHP 5.0.x
http://secunia.com/product/3919/

DESCRIPTION:
Some vulnerabilities have been reported in PHP, which can be
exploited by malicious people to conduct cross-site scripting
attacks, bypass certain security restrictions, and potentially
compromise a vulnerable system.

1) An error where the "GLOBALS" array is not properly protected, can
be exploited to define global variables by sending a
"multipart/form-data" POST request with a specially crafted file
upload field, or via a script calling the PHP function "extract()" or
"import_request_variables()".

Successful exploitation may open up for vulnerabilities in various
applications, but requires that "register_globals" is enabled.

The vulnerability has been reported in versions 4.4.0 and 5.0.5, and
prior.

2) An error in the handling of an unexpected termination in the
"parse_str()" PHP function, can be exploited to enable the
"register_globals" directive for the current execution by e.g.
triggering a memory_limit request shutdown in a script calling
"parse_str()".

The vulnerability has been reported in versions 4.4.0 and 5.0.5, and
prior.

3) Some unspecified input passed to the "phpinfo()" PHP function
isn't properly sanitised before being returned to the user. This can
be exploited via a script calling "phpinfo()" to execute arbitrary
HTML and script code in a user's browser session in context of an
affected site.

The vulnerability has been reported in versions 4.4.0 and 5.0.5, and
prior.

4) An integer overflow error in pcrelib may be exploited to cause a
memory corruption via a script calling a PHP function using the PCRE
library where the regular expression can be controlled by the
attacker.

For more information:
SA16502

Successful exploitation may allow execution of arbitrary code.

5) The problem is that it is possible to bypass the "safe_mode" and
"open_basedir" protection mechanisms via the "ext/curl" and "ext/gd"
modules.

6) An unspecified error in calling "virtual()" on Apache 2 can be
exploited to bypass certain configuration directives (e.g.
"safe_mode" and "open_basedir").

Other bugs have also been reported where some may be security
related.

SOLUTION:
Update to version 4.4.1.
http://www.php.net/downloads.php

**Olate** · 11-01-2005 02:16 AM

http://bugzilla.cpanel.net/show_bug.cgi?id=3442

**Bulent Tekcan** · 11-01-2005 03:47 AM

How do I update ?

Thanks

**dropby23** · 11-01-2005 05:11 AM

with easy apache but you must wait for the zend optimizer which will work with php 4.4.1

**Rubas** · 11-01-2005 05:14 AM

Originally Posted by dropby23

with easy apache but you must wait for the zend optimizer which will work with php 4.4.1

Edit /scripts/installzendopt and change
http://downloads.zend.com/optimizer/...imizer-2.5.10-..
to
http://downloads.zend.com/optimizer/...timizer-2.5.10a-..

**AlexAT** · 11-01-2005 05:27 AM

Originally Posted by Olate

http://bugzilla.cpanel.net/show_bug.cgi?id=3442

I'm there.
+1.

**Bulent Tekcan** · 11-01-2005 10:40 AM

Originally Posted by dropby23

with easy apache but you must wait for the zend optimizer which will work with php 4.4.1

I didn't use /scripts/easyapache include php 4.4.1 ?

**dropby23** · 11-01-2005 12:25 PM

it will include soon but as i said before you must reinstall the zend which includes your php version

**arhs** · 11-01-2005 09:55 PM

I see PHP 4.4.1 is now available... via '/scripts/easyapache' and WHM, has any one upgraded to 4.4.1 yet?

**kalnet4u** · 11-02-2005 02:50 AM

I have just upgraded via whm and have had no problems so far, also updates Zend with the info from Rubas (thanks Rubas).

**maxwell_hung** · 11-02-2005 05:02 AM

Hi

Can the update be done via Update Apache in WHM?
I see 4.4.1 in there but am concerned about the above comments re: Zend.

Thanks

**dropby23** · 11-02-2005 05:07 AM

this will work with this if u are using linux
http://downloads.zend.com/optimizer/...21-i386.tar.gz

**maxwell_hung** · 11-02-2005 05:21 AM

Thanks dropby23

What am I meant to do with it though? Do I run the install script from the archive or put it somewhere then run apache update?

Sorry for the numpty questions, I'm not used to doing stuff from within WHM.

**elix** · 11-02-2005 05:48 AM

just run /scripts/installzendopt once you make the changes and do this after you install php 4.4.1

LinkBack

Thread Tools

PHP 4.4.1 has been released

PHP 5.2.11 Released

PHP 5.2.10 Released!

PHP 4.4.9 Released

PHP 5.2.1 Released

PHP 4.3.3 Released