Bulent Tekcan

PHP 4.4.3 Released

[03-Aug-2006] The PHP development team is proud to announce the release of PHP 4.4.3. This release combines small number of bug fixes and resolves a number of security issues. Some of the key changes of PHP 4.4.3 include:

Disallow certain characters in session names.
Fixed a buffer overflow inside the wordwrap() function.
Prevent jumps to parent directory via the 2nd parameter of the tempnam() function.
Improved safe_mode check for the error_log() function.
Fixed cross-site scripting inside the phpinfo() function.
Fixed offset/length parameter validation inside the substr_compare() function.
Upgraded bundled PCRE library to version 6.6
Over 20 various bug fixes.
Further details about this release can be found in the release announcement and the full list of changes is available in the PHP 4 ChangeLog.
 

aww

I take it that "easy apache" is how cpanel auto-updates on a server?
My host always responds that cpanel will update itself as soon as "so and so" is available when I ask about a security upgrade to "so and so".

Currently waiting for apache 1.3.37 and now php 4.4.3

Is there somewhere I can view what the latest auto-updates are available for cpanel to make sure my host is not slacking (or the auto-update failed)? (I realize I won't be able to download, just want to see the most recent numbers)

If my server auto-updates why is it still running php 4.4.1? Is that all cpanel is up to and not 4.4.2?

Here's what's on there now:
Apache 1.3.36
PHP 4.4.1
mysql API 4.1.19

Thanks for any ideas/help/etc.
 

chirpy

The cPanel update does not auto-update apache or PHP, you have to do that yourself by initiating a rebuild through easyapache. Apache v1.3.37 has been available for some days now. PHP v4.4.3 isn't available at time of writing. You can only see what is available through WHM.
 

reggie

PHP 4.4.3 Released ?

Bulent Tekcan said:
PHP 4.4.3 Released

[03-Aug-2006] The PHP development team is proud to announce the release of PHP 4.4.3. This release combines small number of bug fixes and resolves a number of security issues. Some of the key changes of PHP 4.4.3 include:

Disallow certain characters in session names.
Fixed a buffer overflow inside the wordwrap() function.
Prevent jumps to parent directory via the 2nd parameter of the tempnam() function.
Improved safe_mode check for the error_log() function.
Fixed cross-site scripting inside the phpinfo() function.
Fixed offset/length parameter validation inside the substr_compare() function.
Upgraded bundled PCRE library to version 6.6
Over 20 various bug fixes.
Further details about this release can be found in the release announcement and the full list of changes is available in the PHP 4 ChangeLog.
I just did a cpanel update, but I still do not get an option to build apache with php 4.4.3; the latest version of php 4 still shows 4.4.2.
So when will this update get out into the field?

Regards, Reg.
 

SageBrian

aww said:
Is there somewhere I can view what the latest auto-updates are available for cpanel to make sure my host is not slacking (or the auto-update failed)?
Just note that some hosts don't jump at the very first minute the update is available. That might not be 'slacking'. They could be 'cautious' of bugs, and they might wait a couple days/weeks to see what happens with the guinea pigs.

Of course, security patches should be installed as quickly as possible. But sequential upgrades might require some review to ensure they won't break important scripts. Note how many servers don't have Apache 2.0 or mySQL 5.

Patient Vigilance is required.
 

lorio

SageBrian said:
Of course, security patches should be installed as quickly as possible. But sequential upgrades might require some review to ensure they won't break important scripts. Note how many servers don't have Apache 2.0 or mySQL 5.
The branches concept of Cpanel is just made for that. To balance between security and stability. But as long as you compare an update from PHP 4.4.2 to 4.4.3 with an upgrade to MySQL5 and Apache2 we won't find a common sense.
 

SageBrian

Sorry about that. Wasn't comparing 4.4.3 to 5.0.
And, writing it quickly, mixed up PHP with mySQL and my thumb with my butt, and my foot with my mouth.

Instead was addressing not upgrading right away just because "the number is higher".

Your "balance between security and stability" was exactly the words I was looking for.
 

aww

The security issues are fairly serious, so a minor update like this should not be postponed. Not upgrading could cause FAR more work (and loss) than not doing the patch. I would bet there are bots out there now just trolling for unpatched servers and there are thousands of cpanel servers just waiting.

(and yes, comparing this kind of update to apache2 and mysql5 is silly)

My host gave the excuse that they run the "release branch" so updates may take longer to be available? I would hope these updates are flagged "release" and not beta, etc.
 

sparek-3

Maybe I'm wrong, but didn't some vulnerabilities in PHP 4.4.2 come out back in April or May? Granted, the new undisclosed vulnerabilities may be more serious, but if 4.4.2 was vulnerable back in April or May and you are still running 4.4.2, then you have been vulnerable since then. And I may be wrong completely in that regard, I thought there were some vulnerabilities back in the spring regarding the PHP4 tree.

Of course, this isn't really a knock against CPanel, it's more of a knock against the PHP developers. If vulnerabilities were found in April or May and they are just now releasing a new version.
 

pjman

Right on- sparek-3

I did read about those weaknesses that were found and fixed in PHP 5, present in PHP 4, but never fixed until now.

Pretty bad job by the PHP Devs.
 

aww

This kinda brings me back full circle to an original question I had.

Since I am not a host (just a reseller) is there somewhere where I can at least read what the most current versions are in the "release" for cpanel updates? I don't expect to be able to download them but I would like to stay on top of it since my host doesn't seem to care. Is there a (semi)public status page of some kind?

Thanks for any advice.
 

chirpy

No, there isn't - there's the changelog and that's it. You need access to WHM and the root functions to delve deeper into cPanel.
 

dropby23

There is no zend optimiser version. Anyone having problems with zend, or 3.0.1 is working fine with php 4.4.3?
 

fleksi

php4.4.3 works fine with zendopt 3.0.1
Code:
#php -v
PHP 4.4.3 (cli) (built: Aug  8 2006 08:54:07)
Copyright (c) 1997-2006 The PHP Group
Zend Engine v1.3.0, Copyright (c) 1998-2004 Zend Technologies
    with Zend Extension Manager v1.0.10, Copyright (c) 2003-2006, by Zend Technologies
    with Zend Optimizer v3.0.1, Copyright (c) 1998-2006, by Zend Technologies
 

ffeingol

My guess is dropby23 is asking because a bunch of us got burnt with the 3.0.0 Zend. It installed and ran fine initially, then crashed and brought down Apache during the 4:00 am cron jobs. Not a pleasant thing.

Anyone know if there is eAccelerator support for 4.4.3 yet?

Frank
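
An added example, not posted by anyone in this thread: a shell check that reads a `php -v` banner like the one fleksi posted and flags a PHP older than 4.4.3 or the Zend Optimizer 3.0.0 build that ffeingol reports crashed Apache. The function names and the `SAMPLE_OLD` banner are constructed for illustration, and GNU `sort -V` is assumed to be available.

```shell
#!/bin/sh
# Added example: audit a `php -v` banner against the versions named in this thread.
MIN_PHP="4.4.3"    # release carrying the security fixes announced at the top
BAD_ZEND="3.0.0"   # Zend Optimizer build reported above as crashing Apache

# version_ge A B: succeeds when dotted version A >= B (assumes GNU sort -V)
version_ge() {
    [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n1)" = "$2" ]
}

# audit_banner: reads a `php -v` banner on stdin, prints one finding per line.
# Returns 0 = nothing flagged, 1 = at least one finding, 2 = banner not parsed.
audit_banner() {
    banner="$(cat)"
    php="$(printf '%s\n' "$banner" | sed -n 's/^PHP \([0-9][0-9.]*\).*/\1/p' | head -n1)"
    zend="$(printf '%s\n' "$banner" | sed -n 's/.*Zend Optimizer v\([0-9][0-9.]*\).*/\1/p' | head -n1)"
    found=0
    if [ -z "$php" ]; then
        echo "UNKNOWN: no PHP version line found"
        return 2
    fi
    if ! version_ge "$php" "$MIN_PHP"; then
        echo "OUTDATED: PHP $php is older than $MIN_PHP"
        found=1
    fi
    if [ "$zend" = "$BAD_ZEND" ]; then
        echo "RISKY: Zend Optimizer $zend"
        found=1
    fi
    if [ "$found" -eq 0 ]; then
        echo "OK: PHP $php${zend:+, Zend Optimizer $zend}"
    fi
    return "$found"
}

# Constructed sample: the PHP 4.4.1 aww reports, paired with the 3.0.0 optimizer.
SAMPLE_OLD='PHP 4.4.1 (cli) (built: Jan  1 2006 00:00:00)
    with Zend Optimizer v3.0.0, Copyright (c) 1998-2006, by Zend Technologies'

# Banner lines taken from fleksi's post above.
SAMPLE_NEW='PHP 4.4.3 (cli) (built: Aug  8 2006 08:54:07)
Zend Engine v1.3.0, Copyright (c) 1998-2004 Zend Technologies
    with Zend Extension Manager v1.0.10, Copyright (c) 2003-2006, by Zend Technologies
    with Zend Optimizer v3.0.1, Copyright (c) 1998-2006, by Zend Technologies'

# Live use on a server with shell access: php -v | audit_banner
```

Running it needs shell access to the server; as chirpy notes, a reseller without WHM or root cannot see what easyapache offers.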
 

rikgarner

ffeingol said:
Anyone know if there is eAccelerator support for 4.4.3 yet?
Another good reason not to jump straight in - dependencies.

We run a "development" server, which is running the Current tree, and our other servers run the Stable tree. Any updates like this always get pushed onto the devel box way before they are run across to the production systems.

Rich