EasyApache 3.9.1 problem with suhosin

chrismfz

Except for the PCRE issue with vBulletin and the curlSSL issue,
is there a case about this:

Code:
PHP Startup: Suhosin Extension does not officially support PHP 5.2
and below anymore, because it is discontinued. Use it at your own
risk.

Every error_log in every single site is filling up with this if I compile php 5.2 with suhosin.

Shouldn't suhosin somehow "vanish/disappear" from the exhaustive option list if I choose PHP 5.2.17?

mtindor

In the Suhosin changelog it talks about support for crypt() being removed. What that will break or cause problems with is for you to determine.

Suhosin 0.9.33 also addresses CVE-2012-0807

So running 0.9.33 on PHP 5.2.x may be problematic, and reverting back to 0.9.31 (manually fetching / compiling / installing) carries some level of risk.

With that said, you could try this:

  • run /scripts/phpextensionmgr install PHPSuHosin
  • cd /home/cpeasyapache/phpextensions/suhosin/suhosin-0.9.33
  • edit suhosin.c to comment out the warning:

    before:
    Code:
    #endif
    #if PHP_MAJOR_VERSION == 5 && PHP_MINOR_VERSION <= 2
            php_error_docref(NULL TSRMLS_CC, E_WARNING, "Suhosin Extension does not officially support PHP 5.2 and below anymore, becau$
    #endif
    
            return SUCCESS;

    after:
    Code:
    #endif
    /*
    #if PHP_MAJOR_VERSION == 5 && PHP_MINOR_VERSION <= 2
            php_error_docref(NULL TSRMLS_CC, E_WARNING, "Suhosin Extension does not officially support PHP 5.2 and below anymore, becau$
    #endif
    */
    
            return SUCCESS;
  • run make install
  • make sure Suhosin is installed

    [email protected] [/home/cpeasyapache/phpextensions/suhosin/suhosin-0.9.33]# php -v
    PHP 5.2.17 (cli) (built: Feb 11 2012 14:59:57)
    Copyright (c) 1997-2010 The PHP Group
    Zend Engine v2.2.0, Copyright (c) 1998-2010 Zend Technologies
    with the ionCube PHP Loader v4.0.12, Copyright (c) 2002-2011, by ionCube Ltd., and
    with Zend Optimizer v3.3.9, Copyright (c) 1998-2009, by Zend Technologies
    with Suhosin v0.9.33, Copyright (c) 2007-2012, by SektionEins GmbH

Then test some sites and hope for the best. I'd really have to question the viability of this solution (using Suhosin 0.9.33 on PHP 5.2.17).

Another option would be to uninstall Suhosin 0.9.33 and then install Suhosin 0.9.31 from source (if you can find it) with the understanding that if Suhosin 0.9.31 is configured in a certain way, it is vulnerable. You'd want to make sure that your Suhosin 0.9.31 installation isn't prone to the vulnerability -- more info on that here:

http://archives.neohapsis.com/archives/fulldisclosure/2012-01/0296.html

Good luck
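As an added example (not code from either poster or from cPanel), the trade-off discussed in this thread can be turned into a check that classifies a build from its `php -v` text plus two Suhosin ini values. The function names and verdict strings are hypothetical, and the rule that CVE-2012-0807 needs both `suhosin.cookie.encrypt` and `suhosin.multiheader` enabled comes from the public CVE description, not from this page.

```shell
#!/bin/sh
# Added example: verdict strings and function names are hypothetical.

# ver_lt A B: succeeds when dotted version A is strictly lower than B.
ver_lt() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        n = split(a, x, "."); m = split(b, y, ".")
        for (i = 1; i <= (n > m ? n : m); i++) {
            if (x[i] + 0 < y[i] + 0) exit 0
            if (x[i] + 0 > y[i] + 0) exit 1
        }
        exit 1
    }'
}

# is_on VALUE: succeeds for the spellings PHP accepts as a true ini boolean.
is_on() {
    case $(printf '%s' "$1" | tr 'A-Z' 'a-z') in
        1|on|yes|true) return 0 ;;
        *) return 1 ;;
    esac
}

# suhosin_verdict PHP_V_TEXT COOKIE_ENCRYPT MULTIHEADER
# Prints one verdict word; always returns 0 so it is safe under `set -e`.
suhosin_verdict() {
    php_ver=$(printf '%s\n' "$1" | sed -n 's/^PHP \([0-9][0-9.]*\).*/\1/p' | head -n 1)
    suh_ver=$(printf '%s\n' "$1" | sed -n 's/.*with Suhosin v\([0-9][0-9.]*\),.*/\1/p' | head -n 1)
    if [ -z "$php_ver" ]; then echo "unparsed"
    elif [ -z "$suh_ver" ]; then echo "suhosin-not-loaded"
    elif ver_lt "$suh_ver" 0.9.33; then
        # Pre-0.9.33: CVE-2012-0807 is reachable only with both settings on.
        if is_on "$2" && is_on "$3"; then echo "cve-2012-0807-exposed"
        else echo "old-suhosin-mitigated-by-config"; fi
    elif ver_lt "$php_ver" 5.3; then
        # 0.9.33 on PHP <= 5.2: fixed, but the startup warning applies.
        echo "fixed-unsupported-php"
    else echo "ok"
    fi
}

# Constructed sample input (two lines in the shape of the `php -v` output above).
SAMPLE='PHP 5.2.17 (cli) (built: Feb 11 2012 14:59:57)
    with Suhosin v0.9.33, Copyright (c) 2007-2012, by SektionEins GmbH'
suhosin_verdict "$SAMPLE" On Off
```

On a live server the three arguments would come from `php -v` and from `php -r 'echo ini_get("suhosin.cookie.encrypt");'` (likewise for `suhosin.multiheader`).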