
PEAR 1.3.X serious security holes

Discussion in 'Security' started by speckados, Aug 4, 2006.

  1. speckados

    PEAR 1.4.6 was just released at pear.php.net (http://pear.php.net/PEAR). This is a minor bugfix release and complete details are available at pear.php.net, but I must stress two points with extreme seriousness:

    1. PEAR 1.4.6 fixes make install-pear INSTALL_ROOT=/rpm/packaging and introduces the --packagingroot option to install, which works like --installroot worked in PEAR 1.3.x
    2. PEAR 1.3.x has several serious bugs and at least 2 serious security vulnerabilities. Using PEAR 1.3.x on a production machine is EXTREMELY dangerous

    The second point applies to all people who think that the latest vulnerability in PEAR can be fixed in 1.3.5 with a simple patch. There are several unpublished serious bugs. A few days back, I was contacted by a diligent developer of a Linux distribution who was wondering how serious the vulnerability in PEAR 1.4.2 and earlier is, and whether it would be possible to get a patch for PEAR 1.3.5. After reflection on the serious bugs in PEAR 1.3.x that were fixed in PEAR 1.4.x with unit testing, I came to realize that there is yet another serious security vulnerability in PEAR 1.3.x. I will publish the details shortly.

    Don't hesitate, upgrade to PEAR 1.4.6 at your earliest convenience.

    From http://greg.chiaraquartet.net/archi...to-upgrade-to-PEAR-1.4.6-from-PEAR-1.3.x.html

    Also, there are several errors from /scripts/easyapache with PHP 4.4.2.

    Errors, and PEAR is broken.

    Trying to update PEAR manually fails.

    Code:
    pear list-upgrades
    pear.php.net Available Upgrades (stable):
    =========================================
    Channel      Package              Local          Remote          Size
    pear.php.net Mail                 1.1.3 (stable) 1.1.10 (stable) 16.5kB
    pear.php.net Net_SMTP             1.2.6 (stable) 1.2.8 (stable)  11.1kB
    pear.php.net Net_Socket           1.0.1 (stable) 1.0.6 (stable)  4.5kB
    pear.php.net Net_UserAgent_Detect 2.0.1 (stable) 2.2.0 (stable)  9.8kB
    pear.php.net XML_Parser           1.0.1 (stable) 1.2.7 (stable)  12.7kB
    
    /scripts/easyapache
    ......
    pear/PEAR dependency package "pear/Archive_Tar" installed version 1.1 is not the recommended version 1.3.1, but may be compatible, use --force to install
    
    Notice: Only variables should be assigned by reference in /home/cpapachebuild/buildapache/php-4.4.2/pear/PEAR/Installer.php on line 982
    [PEAR] PEAR: Installation failed: invalid package file
    
    Ufff. Very broken panel and security issues. All users that use PEAR have had their service broken.

    A bad day.
     
  2. speckados

    To update PEAR manually before the cPanel team updates the backend scripts:

    Code:
    root#pear list-upgrades
    
    // Example of screen
    Available Upgrades (stable):
    ============================
    Package              Local          Remote          Size
    Archive_Tar          1.1 (stable)   1.3.1 (stable)  14.8kB
    HTML_Template_IT     1.1 (stable)   1.1.4 (stable)  19.7kB
    Net_UserAgent_Detect 2.0.1 (stable) 2.2.0 (stable)  9.8kB
    PEAR                 1.3.5 (stable) 1.4.10 (stable) 279kB
    XML_RPC              1.4.8 (stable) 1.5.0 (stable)  31kB
    
    root#pear upgrade -f PEAR 
    root#pear upgrade -f Archive_Tar HTML_Template_IT Net_UserAgent_Detect  XML_RPC
    
    // Run root#pear list-upgrades several times to verify that everything is correct.
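
As an added example (not part of the thread, and not cPanel's or PEAR's own tooling), this script reads `pear list-upgrades` output in either layout shown above and reports whether the installed PEAR is older than 1.4.6, the release the quoted announcement says to upgrade to. The function names and exit codes are assumptions made for the illustration.

```shell
#!/bin/sh
# Added example (not from the thread): flag a PEAR installer older than 1.4.6.
MIN_SAFE="1.4.6"   # release the quoted announcement says to upgrade to

# version_lt A B: succeed when dotted version A is numerically lower than B.
# Fields are compared as numbers, so 1.4.10 is correctly newer than 1.4.6.
version_lt() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, x, "."); nb = split(b, y, ".")
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            xi = (i <= na) ? x[i] + 0 : 0
            yi = (i <= nb) ? y[i] + 0 : 0
            if (xi < yi) exit 0
            if (xi > yi) exit 1
        }
        exit 1
    }'
}

# Print the Local version of the PEAR package from list-upgrades output on stdin.
# Accepts both layouts shown in the thread: with and without a Channel column.
pear_local_version() {
    awk '
        $1 == "PEAR" && $2 ~ /^[0-9]+(\.[0-9]+)+/ { print $2; exit }
        $2 == "PEAR" && $3 ~ /^[0-9]+(\.[0-9]+)+/ { print $3; exit }
    '
}

# Exit status (assumed convention): 0 = current enough, 1 = older than MIN_SAFE,
# 2 = no PEAR row in the listing.
check_pear() {
    v=$(pear_local_version)
    if [ -z "$v" ]; then
        echo "PEAR not listed; confirm the installed version another way"; return 2
    fi
    if version_lt "$v" "$MIN_SAFE"; then
        echo "PEAR $v is older than $MIN_SAFE: upgrade"; return 1
    fi
    echo "PEAR $v is $MIN_SAFE or newer"; return 0
}

# Sample input: rows copied from the listing in the post above.
sample_listing() {
    cat <<'EOF'
Package              Local          Remote          Size
Archive_Tar          1.1 (stable)   1.3.1 (stable)  14.8kB
PEAR                 1.3.5 (stable) 1.4.10 (stable) 279kB
EOF
}

sample_listing | check_pear || true
```

On a live host, `pear list-upgrades | check_pear` replaces the sample pipeline; a status of 2 only means PEAR has no pending upgrade row, so it does not prove the installed version is current.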
    
     