PHP 4.4.1 has been released

Discussion in 'General Discussion' started by AlexAT, Oct 31, 2005.

  1. AlexAT

    PHP 4.4.1 is now available for download [1]. This version is a maintenance release, that contains numerous bug fixes, including a number of security fixes related to the overwriting of the GLOBALS array. All users of PHP 4.3 and 4.4 are encouraged to upgrade to this version.


    Wondering - when it will be in easyapache?
     
  2. mesranet

    TITLE:
    PHP Multiple Vulnerabilities

    SECUNIA ADVISORY ID:
    SA17371

    VERIFY ADVISORY:
    http://secunia.com/advisories/17371/

    CRITICAL:
    Moderately critical

    IMPACT:
    Security Bypass, Cross Site Scripting, DoS, System access

    WHERE:
    From remote

    SOFTWARE:
    PHP 4.0.x
    http://secunia.com/product/1655/
    PHP 4.1.x
    http://secunia.com/product/1654/
    PHP 4.2.x
    http://secunia.com/product/105/
    PHP 4.3.x
    http://secunia.com/product/922/
    PHP 4.4.x
    http://secunia.com/product/5768/
    PHP 5.0.x
    http://secunia.com/product/3919/

    DESCRIPTION:
    Some vulnerabilities have been reported in PHP, which can be
    exploited by malicious people to conduct cross-site scripting
    attacks, bypass certain security restrictions, and potentially
    compromise a vulnerable system.

    1) An error where the "GLOBALS" array is not properly protected, can
    be exploited to define global variables by sending a
    "multipart/form-data" POST request with a specially crafted file
    upload field, or via a script calling the PHP function "extract()" or
    "import_request_variables()".

    Successful exploitation may open up for vulnerabilities in various
    applications, but requires that "register_globals" is enabled.

    The vulnerability has been reported in versions 4.4.0 and 5.0.5, and
    prior.

    2) An error in the handling of an unexpected termination in the
    "parse_str()" PHP function, can be exploited to enable the
    "register_globals" directive for the current execution by e.g.
    triggering a memory_limit request shutdown in a script calling
    "parse_str()".

    The vulnerability has been reported in versions 4.4.0 and 5.0.5, and
    prior.

    3) Some unspecified input passed to the "phpinfo()" PHP function
    isn't properly sanitised before being returned to the user. This can
    be exploited via a script calling "phpinfo()" to execute arbitrary
    HTML and script code in a user's browser session in context of an
    affected site.

    The vulnerability has been reported in versions 4.4.0 and 5.0.5, and
    prior.

    4) An integer overflow error in pcrelib may be exploited to cause a
    memory corruption via a script calling a PHP function using the PCRE
    library where the regular expression can be controlled by the
    attacker.

    For more information:
    SA16502

    Successful exploitation may allow execution of arbitrary code.

    5) The problem is that it is possible to bypass the "safe_mode" and
    "open_basedir" protection mechanisms via the "ext/curl" and "ext/gd"
    modules.

    6) An unspecified error in calling "virtual()" on Apache 2 can be
    exploited to bypass certain configuration directives (e.g.
    "safe_mode" and "open_basedir").

    Other bugs have also been reported where some may be security
    related.

    SOLUTION:
    Update to version 4.4.1.
    http://www.php.net/downloads.php
     
  3. Bulent Tekcan

    How do I update?

    Thanks
     
  4. dropby23

    with easy apache but you must wait for the zend optimizer which will work with php 4.4.1
     
  5. Rubas

  6. AlexAT

  7. Bulent Tekcan

    I didn't use /scripts/easyapache include php 4.4.1 ?
     
  8. dropby23

    it will include soon but as i said before you must reinstall the zend which includes your php version
     
  9. arhs

    I see PHP 4.4.1 is now available... via '/scripts/easyapache' and WHM, has any one upgraded to 4.4.1 yet?
     
  10. kalnet4u

    I have just upgraded via whm and have had no problems so far, also updates Zend with the info from Rubas (thanks Rubas).
     
  11. maxwell_hung

    Hi

    Can the update be done via Update Apache in WHM?
    I see 4.4.1 in there but am concerned about the above comments re: Zend.

    Thanks
     
  12. dropby23

  13. maxwell_hung

    Thanks dropby23

    What am I meant to do with it though? Do I run the install script from the archive or put it somewhere then run apache update?

    Sorry for the numpty questions, I'm not used to doing stuff from within WHM.
     
  14. elix

    just run /scripts/installzendopt once you make the changes and do this after you install php 4.4.1
     
  15. flash7

    Updated apache to 1.3.4 and php to 4.4.1 and Zend to v2.5.10a

    but

    phpinfo(); // apache version 1.3.3

    and

    # php -v
    PHP 4.4.0 (cli) (built: Jul 13 2005 01:31:05)
    Copyright (c) 1997-2004 The PHP Group
    Zend Engine v1.3.0, Copyright (c) 1998-2004 Zend Technologies
    with Zend Extension Manager v1.0.8, Copyright (c) 2003-2005, by Zend Technologies
    with Zend Optimizer v2.5.10, Copyright (c) 1998-2005, by Zend Technologies


    :D
     
  16. ezztro

    http://bugs.php.net/search.php?sear...&phpver=4.4.1&assign=&author_email=&bug_age=0
     
  17. fleksi

    update zend 2.5.10a & php 4.4.1 via /scripts/easyapache

    # php -v
    PHP 4.4.0 (cli) (built: Sep 17 2005 14:33:20)
    Copyright (c) 1997-2004 The PHP Group
    Zend Engine v1.3.0, Copyright (c) 1998-2004 Zend Technologies
    with Zend Extension Manager v1.0.8, Copyright (c) 2003-2005, by Zend Technologies
    with Zend Optimizer v2.5.10, Copyright (c) 1998-2005, by Zend Technologies


    # /usr/bin/php -v
    PHP 4.4.1 (cgi) (built: Nov 2 2005 10:42:45)
    Copyright (c) 1997-2004 The PHP Group
    Zend Engine v1.3.0, Copyright (c) 1998-2004 Zend Technologies
    with Zend Extension Manager v1.0.8, Copyright (c) 2003-2005, by Zend Technologies
    with Zend Optimizer v2.5.10, Copyright (c) 1998-2005, by Zend Technologies

    what's wrong?
     
  18. nisse

    Probably because there are three different copies of PHP; at least there are on my server:

    /usr/bin/php
    /usr/local/bin/php
    /usr/local/cpanel/3rdparty/bin/php
     
  19. netlook

    Yes, this is a clue. But how to correct this? Copy over new version of PHP to the old ones?
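
Added example, not part of any post in this thread: a small audit for the situation posts 15 to 18 describe, where `php -v` still reports 4.4.0 after the upgrade because several PHP binaries exist. The function names are hypothetical; the three paths are the ones listed in post 18, and the fixed version is the one named in the advisory's SOLUTION.

```shell
#!/bin/sh
# Added example (not from the thread): list every PHP binary's version and
# flag copies older than the release named in the advisory's SOLUTION.
FIXED="4.4.1"

# version_lt A B: succeed when dotted version A sorts strictly before B.
version_lt() {
    [ "$1" = "$2" ] && return 1
    first=$(printf '%s\n%s\n' "$1" "$2" |
        sort -t. -k1,1n -k2,2n -k3,3n | head -n 1)
    [ "$first" = "$1" ]
}

# php_version BIN: print "x.y.z sapi" parsed from the first line of `BIN -v`,
# e.g. "PHP 4.4.0 (cli) (built: ...)" becomes "4.4.0 cli".
php_version() {
    "$1" -v 2>/dev/null |
        sed -n '1s/^PHP \([0-9][0-9.]*\)[^(]*(\([a-z-]*\)).*/\1 \2/p'
}

# audit_php BIN...: print "STATUS VERSION SAPI PATH" for each executable BIN.
#   OUTDATED  4.x build older than FIXED
#   OK        4.x build at or above FIXED
#   REVIEW    other branch (the advisory also lists 5.0.x; the page names
#             no fixed 5.x release, so no verdict is given)
#   UNKNOWN   banner could not be parsed
audit_php() {
    for bin in "$@"; do
        [ -x "$bin" ] || continue
        info=$(php_version "$bin")
        ver=${info%% *}
        sapi=${info#* }
        if [ -z "$ver" ]; then status=UNKNOWN
        elif [ "${ver%%.*}" != 4 ]; then status=REVIEW
        elif version_lt "$ver" "$FIXED"; then status=OUTDATED
        else status=OK
        fi
        printf '%s %s %s %s\n' "$status" "${ver:--}" "${sapi:--}" "$bin"
    done
}

# The three locations reported in the thread; paths missing on this host are
# skipped. The Apache module is a separate build and is not covered here.
audit_php /usr/bin/php /usr/local/bin/php /usr/local/cpanel/3rdparty/bin/php
```

Any line marked OUTDATED is a binary that was not replaced by the upgrade; compare its path with `command -v php` to see which copy the shell actually runs.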
     