PHP 5.4.5 and PHP 5.3.15 released!

[Ivan A]

PHP 5.4.5 and PHP 5.3.15 released!
19-Jul-2012

The PHP development team would like to announce the immediate availability of PHP 5.4.5 and PHP 5.3.15. This release fixes over 30 bugs and includes a fix for a security related overflow issue in the stream implementation. All users of PHP are encouraged to upgrade to PHP 5.4.5 or PHP 5.3.15.

For source downloads of PHP 5.4.5 and PHP 5.3.15 please visit our downloads page, Windows binaries can be found on windows.php.net/download/. The list of changes are recorded in the ChangeLog.

PHP: News Archive - 2012

[ehudal]

Any news on this?

[Infopro]

From the Change Log:

2012-07-11
case 59995: Include experimental support for PHP 5.4.4

There is an internal case, created on the date of this announcement from php.net to add 5.4.5 and drop 5.4.4 (available now) but this will still be marked as Experimental.

There is also an internal case for 5.3.15 release which is imminent. I can't give you an exact release date when these will be available but it shouldn't be much longer.

The best way to stay on top of updates to EasyApache is by monitoring the Change Log:
EasyApache < AllDocumentation/ChangeLog < TWiki

HTH!

[nospa]

It is over 7 days after PHP published 5.3.15! And still no update for cPanel users, while there is critical hole in streams.c for 5.3 and 5.2 users and bypass of open_basedir protection:

CVE-2012-2688 : Unspecified vulnerability in the _php_stream_scandir function in the stream implementation in PHP before 5.3.15 and 5.4. (score 10/10)

CVE-2012-3365 : The SQLite functionality in PHP before 5.3.15 allows remote attackers to bypass the open_basedir protection mechanism vi (score 5/10)

This should be also backported into 5.2.

While I know cPanel leazy developers, they will be doing extra-super-hiper-mega-double-max tests to check if 5.3.15 is working. I can tell you that it is working and we compiled it on July 20 on all our cPanel servers. And we succesfuly backported those patches into PHP 5.2.

We pay for software which is unpatched! You should protect your users, and help them. I'm tired about listening about your statement for PHP 5.2. This is very simple to backport all critical/important patches from 5.3 into 5.2! And you should do this! ASAP!

[LDHosting]

It is over 7 days after PHP published 5.3.15! And still no update for cPanel users, while there is critical hole in streams.c for 5.3 and 5.2 users and bypass of open_basedir protection:

7 days is nothing. mod_security 2.6.6 was released on 14th June (1.5 months ago) to patch a flaw that allows you to bypass mod_security. We're still waiting on a patch from cPanel.

[Archmactrix]

7 days is nothing. mod_security 2.6.6 was released on 14th June (1.5 months ago) to patch a flaw that allows you to bypass mod_security. We're still waiting on a patch from cPanel.

Mod_security was updated to 2.6.6 on June 28 in easyapache.

[LDHosting]

Mod_security was updated to 2.6.6 on June 28 in easyapache.

It looks like it was upgraded in EA 3.13.5 as the changelog states, but it was silently downgraded again in EA 3.14.1 or 3.14.3

Code:

# grep "ModSecurity for Apache" /usr/local/apache/logs/error_log
[Sun Jul 01 13:17:45 2012] [notice] ModSecurity for Apache/2.6.6 (http://www.modsecurity.org/) configured.
[Fri Jul 13 16:48:24 2012] [notice] ModSecurity for Apache/2.6.5 (http://www.modsecurity.org/) configured.

There is a case open (case 60353 - ticket 2936910) but I don't believe that it's made it through QA yet.

[cpanelnick]

It looks like it was upgraded in EA 3.13.5 as the changelog states, but it was silently downgraded again in EA 3.14.1 or 3.14.3

This has been worked out.

EasyApache < AllDocumentation/ChangeLog < TWiki


3.14.5
2012-07-28
Fixed case 60279: Fix build of PHP CGI binary with PHP 5.4.
Fixed case 60278: Disable PHP Magic Quotes with PHP 5.4.
Implemented case 60345: Add PHP version 5.3.15 and remove PHP version 5.3.13.
Implemented case 58963: Update XCache PHP extension to version 2.0.1.
Implemented case 60072: Update mod_security to version 2.6.6.
Implemented case 59379: Update IonCube loader to version 4.2.2.
Fixed case 60257: EasyApache disables Xcache and Eaccelerator for all PHP versions