PEAR 1.3.X serious security holes

Discussion in 'Security' started by speckados, Aug 4, 2006.

  1. speckados

    PEAR 1.4.6 was just released at pear.php.net (http://pear.php.net/PEAR). This is a minor bugfix release and complete details are available at pear.php.net, but I must stress two points with extreme seriousness:

    1. PEAR 1.4.6 fixes make install-pear INSTALL_ROOT=/rpm/packaging and introduces the --packagingroot option to install, which works like --installroot worked in PEAR 1.3.x
    2. PEAR 1.3.x has several serious bugs and at least 2 serious security vulnerabilities. Using PEAR 1.3.x on a production machine is EXTREMELY dangerous

    The second point applies to all people who think that the latest vulnerability in PEAR can be fixed in 1.3.5 with a simple patch. There are several unpublished serious bugs. A few days back, I was contacted by a diligent developer of a linux distribution who was wondering how serious the vulnerability in PEAR 1.4.2 and earlier is, and whether it would be possible to get a patch for PEAR 1.3.5. After reflection on the serious bugs in PEAR 1.3.x that were fixed in PEAR 1.4.x with unit testing, I came to realize that there is yet another serious security vulnerability in PEAR 1.3.x. I will publish the details shortly.

    Don't hesitate, upgrade to PEAR 1.4.6 at your earliest convenience.

    From http://greg.chiaraquartet.net/archives/107-Why-it-is-very-important-to-upgrade-to-PEAR-1.4.6-from-PEAR-1.3.x.html

    Also, several errors from /scripts/easyapache & PHP 4.4.2.

    Error and PEAR broken.

    Trying to update PEAR manually fails.

    Code:
    pear list-upgrades
    pear.php.net Available Upgrades (stable):
    =========================================
    Channel      Package              Local          Remote          Size
    pear.php.net Mail                 1.1.3 (stable) 1.1.10 (stable) 16.5kB
    pear.php.net Net_SMTP             1.2.6 (stable) 1.2.8 (stable)  11.1kB
    pear.php.net Net_Socket           1.0.1 (stable) 1.0.6 (stable)  4.5kB
    pear.php.net Net_UserAgent_Detect 2.0.1 (stable) 2.2.0 (stable)  9.8kB
    pear.php.net XML_Parser           1.0.1 (stable) 1.2.7 (stable)  12.7kB
    
    /scripts/easyapache
    ......
    pear/PEAR dependency package "pear/Archive_Tar" installed version 1.1 is not the recommended version 1.3.1, but may be compatible, use --force to install
    
    Notice: Only variables should be assigned by reference in /home/cpapachebuild/buildapache/php-4.4.2/pear/PEAR/Installer.php on line 982
    [PEAR] PEAR: Installation failed: invalid package file
    
    Ufff. Very broken panel and security issues. All users that use PEAR have their service broken.

    A bad day.
     
  2. speckados

    To update PEAR manually before the cPanel team updates the backend scripts:

    Code:
    root#pear list-upgrades
    
    // Example of screen
    Available Upgrades (stable):
    ============================
    Package              Local          Remote          Size
    Archive_Tar          1.1 (stable)   1.3.1 (stable)  14.8kB
    HTML_Template_IT     1.1 (stable)   1.1.4 (stable)  19.7kB
    Net_UserAgent_Detect 2.0.1 (stable) 2.2.0 (stable)  9.8kB
    PEAR                 1.3.5 (stable) 1.4.10 (stable) 279kB
    XML_RPC              1.4.8 (stable) 1.5.0 (stable)  31kB
    
    root#pear upgrade -f PEAR 
    root#pear upgrade -f Archive_Tar HTML_Template_IT Net_UserAgent_Detect  XML_RPC
    
    Run root#pear list-upgrades several times to verify all is correct.
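
A check an operator could run before and after the manual upgrade above, as an added example that is not part of the original posts: it reads `pear list-upgrades` output and flags an installed PEAR older than 1.4.6, the release the quoted post says to upgrade to. The function names and the sample rows (modelled on the screen output in this thread) are assumptions of the example.

```shell
#!/bin/sh
# Added example: flag a PEAR installer older than MIN_SAFE from the text
# output of `pear list-upgrades`. Names and sample rows are constructed.
MIN_SAFE="1.4.6"   # release the quoted post says to upgrade to

# Print the Local version of package PEAR from list-upgrades output on stdin.
# Handles both layouts in the thread: without and with a Channel column.
pear_local_version() {
    awk '
        $1 == "PEAR" { print $2; exit }
        $1 == "pear.php.net" && $2 == "PEAR" { print $3; exit }
    '
}

# Succeed (status 0) when dotted version $1 is numerically lower than $2.
version_lt() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, x, "."); nb = split(b, y, ".")
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            p = x[i] + 0; q = y[i] + 0   # numeric, so 1.4.10 > 1.4.6
            if (p < q) exit 0
            if (p > q) exit 1
        }
        exit 1                           # equal versions are not lower
    }'
}

# Read list-upgrades output on stdin and print one verdict line.
check_pear() {
    ver=$(pear_local_version)
    if [ -z "$ver" ]; then
        echo "not-listed"                # no PEAR row: check the version separately
    elif version_lt "$ver" "$MIN_SAFE"; then
        echo "upgrade $ver"
    else
        echo "ok $ver"
    fi
}

# Constructed sample, modelled on the second post's screen output.
check_pear <<'EOF'
Package              Local          Remote          Size
Archive_Tar          1.1 (stable)   1.3.1 (stable)  14.8kB
PEAR                 1.3.5 (stable) 1.4.10 (stable) 279kB
EOF
```

On a live host the input would be `pear list-upgrades | check_pear`; a `not-listed` result only means no upgrade row was reported for PEAR itself.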
    
     