cPanel - Release security fixes first, enhancements later...

Why hasn't PHP 5.3.14 been released yet in an EasyApache update? It's been over 3 weeks since the update was made available on PHP.net and despite the security fixes it introduces, it's still not available!

 

It's blantently obvious to me that cPanel simply doesn't prioritise security updates over enhancements. The latest EA release is a great example:

Fixed case 59437: MPM Event and mod_perl are incompatible with non-threaded perl
Fixed case 59540: mod_qos requires non-default MaxClients in httpd.conf
Fixed case 59731: Correct ZendOpt/ZendLoader version in EasyApache UI
Fixed case 59784: Exhaustive Options page is blank when no PHP version selected (HTML interface only)
Fixed case 59952: PHP 5.3.14 released to resolve CVE-2012-2386 and CVE-2012-2143
Fixed case 59971: Patch Apache 2.x for CVE-2012-0883
Fixed case 59995: Include experimental support for PHP 5.4.4
Implemented case 57536: EasyApache: Remove PHP4 (all versions)
Implemented case 59127: Update EasyApache to mod_perl 2.0.6
Implemented case 59635: Block EA when PHP4 is configured with mod_php

There are 3 security updates and 8 enhancements. This EA release has been delayed numerous times, which in turn has delayed the release of the Apache and PHP security updates. I'm not bothered about the enhancements above - a secure server is my biggest concern.

cPanel - I really want to know why it's taken so long for these updates to be released!

 

I know - thanks, but still doesn't explain why it's taken them so long.

 

You're missing the point - you've bundled security updates and enhancements together instead of releasing the security updates first and the enhancements afterwards. No one has explained yet why this was done.

 

Please also mention in your meeting that the release of EA 3.14 is the worst release ever. Today I have been in constant contact with cPanel support pointing out bugs in EA that shouldn't have allowed it to pass QA.

For example, cPanel support suggested I used APC with PHP 5.4. APC 3.1.10 is showing as available on the PHP PECL page, but when you install it, APC 3.1.9 is installed instead. Then, at the end of the build, PHP PECL says the extension has been added to php.ini (when in fact it has not!) and then complains the APC.so file is not installed, which is correct because it's actually "apc.so" (lowercase)! When you refresh the PHP PECL page, it says APC is installed, but when you try to update it to 3.1.10, it says it's not installed!

When you re-run EA 3.14 with PHP 5.4 already installed and selected, part way through the process EA removes ALL PECL extensions because they "do not exist", but still says the build has completed successfully, instead of rolling back to the backup. So this leaves me with a broken installation. By remove, I mean the PHP PECL page says no extensions are installed!

I have requested to be rolled back to EA 3.13 so I can restore my server environment to a stable state as I don't believe EA 3.14 is doing anything good to my servers. It is not production-ready and should never have been released.

 

Found another EA 3.14 bug. Magic Quotes has been removed as of PHP 5.4, but you have not removed the option if PHP 5.4 is selected. In my test case, I selected PHP 5.4 but not Magic Quotes. After the build, I ran "php -v" and the following happened:

root@web3 [~]# php -v

Fatal error: Directive 'magic_quotes_gpc' is no longer available in PHP in Unknown on line 0
root@web3 [~]#