Koozali.org: home of the SME Server

PHP Security Update 4.3.10

jackl
PHP Security Update 4.3.10
« on: December 19, 2004, 02:26:11 PM »
Does anyone know what effect the PHP security vulnerabilities (versions <=4.3.9) have on SME Server,
and if so, does anyone know of an RPM for PHP 4.3.10 to overcome the security issues of the current versions <=4.3.9,
or the whereabouts of a patch to fix the existing SME PHP packages?

This appears to be a serious security issue, or am I wrong and panicking about nothing?

Regards
Jackl
......

finchwizard

PHP Security Update 4.3.10
« Reply #1 on: December 20, 2004, 01:38:01 AM »
I dunno, but I noticed it as well; I'm hoping for a security update for SME pretty soon, if anyone can provide it.

I'm also working on other servers to upgrade it ASAP.


jackl
PHP Security Update 4.3.10
« Reply #3 on: December 20, 2004, 08:53:49 PM »
Chris,

Thanks a million, that worked a treat; my servers are now running PHP 4.3.10. I upgraded by downloading the RPMs you indicated and used the last half of Jesper Knudsen's upgrade script for PHP 4.3.8 to install the RPMs. Looks good so far.

Chris thanks again and also to Jesper for the fantastic scripts he has created.

Kind Regards

Jack
......

girkers
PHP Security Update 4.3.10
« Reply #4 on: December 21, 2004, 03:48:52 AM »
I tried updating these RPMs, but found it failed dependencies, and then I just got on a wild goose chase, chasing this RPM, then that one.

jackl, you mention a script; where do you find this?

chrisparker

PHP Security Update 4.3.10
« Reply #5 on: December 21, 2004, 04:08:54 AM »
girkers,

You most likely failed a dependency on unixODBC. This can be obtained here:

ftp://ftp.rediris.es/sites/ftp.redhat.com/pub/redhat/linux/7.3/en/os/i386/RedHat/RPMS/unixODBC-2.2.0-5.i386.rpm

The other source of dependency failure could be if you downloaded the postgres (pgsql) RPM from the site mentioned in my first post. This is not required.

The script jackl would be referring to is http://mirror.contribs.org/smeserver/contribs/ergozd/scripts/php4.3.9-3upgrade.sh (or equivalent).

Hope this helps

girkers
PHP Security Update 4.3.10
« Reply #6 on: December 21, 2004, 07:07:54 AM »
Hey Chris,

Thanks for that, worked a treat once I got the unixODBC; I downloaded only the files I needed and hey bang presto, it worked.

I only used the last part of the script you stated, but the PEAR thing didn't seem to work; everything else seems fine.

Now if only I could get to my phpAdmin page I will be right. :-?

jackl
PHP Security Update 4.3.10
« Reply #7 on: December 21, 2004, 09:33:48 AM »
My apologies to everyone, I forgot to mention that I had already upgraded to PHP 4.3.8 using Jesper's script at http://sme.swerts-knudsen.dk
This script loaded the unixODBC RPM for me.
I then downloaded the RPMs Chris kindly pointed out to me and ran this script from the same directory:

#!/bin/sh
# Install the downloaded PHP 4.3.10 RPMs from the current directory.
# --nodeps skips RPM's dependency check, so make sure unixODBC is already
# installed (the earlier 4.3.8 upgrade script took care of that).
rpm -Uvh --nodeps php*.rpm

# Drop a custom e-smith template fragment so the regenerated php.ini
# points at the PEAR include path and the 4.3.10 extension directory.
mkdir -p /etc/e-smith/templates-custom/etc/php.ini
cat > /etc/e-smith/templates-custom/etc/php.ini/50PathsDirectories <<'EOF'
include_path        = ".:/usr/share/pear"
doc_root            =
user_dir            =
extension_dir       = /usr/lib/php4
enable_dl           = On
EOF

# Bring the PEAR packages in line with the new PHP.
pear upgrade Log
pear upgrade Date

# Regenerate php.ini from the templates and pick it up in Apache.
/sbin/e-smith/expand-template /etc/php.ini

service httpd restart

echo " DONE........"

Hope this is of help to somebody
Sorry for the confusion

regards
Jack
......

NickR
PHP Security Update 4.3.10
« Reply #8 on: December 21, 2004, 10:00:17 PM »
Just so that people don't panic unnecessarily, this page http://isc.sans.org/diary.php?date=2004-12-21 would appear to indicate that the problem lies with phpBB specifically.
There's also a good advisory available here http://www.hardened-php.net/advisories/012004.txt

That said, it's still a good idea to update PHP. Unless you're running phpBB, it seems less urgent.
--
Nick......

SoundSailor
PHP Security Update 4.3.10
« Reply #9 on: December 21, 2004, 10:52:08 PM »
Will these updates work for SME 5.6 or are they just for 6+?

girkers
PHP Security Update 4.3.10
« Reply #10 on: December 22, 2004, 02:33:06 AM »
I did the PEAR upgrades by hand and they no longer went "pear" shaped. It did the Log upgrade, but the Date one had apparently already been done.

gpin75

FYI
« Reply #11 on: December 22, 2004, 06:10:52 AM »
This worked for me running SME 6.01, previously upgraded to PHP 4.3.9 using Jesper's script.

rport

PHP and phpBB Security Precautions
« Reply #12 on: December 23, 2004, 12:32:53 AM »
Thanks for the advice

I had already upgraded to PHP 4.3.9 using the script.

So all I did was download the RPMs (listed below) to a new directory ./php4.3.10/ and then typed:

rpm -Uvh --nodeps php*.rpm

then 1 minute later...

service httpd restart

Whoosh.... PHP 4.3.10

I also upgraded phpBB to 2.0.11 in order to help prevent the effects of the Santy.A worm.

More Info:

New Worm Spreads Via Google
Google Smacks Down Santy Worm


Quote from: "chrisparker"
I installed the following RPMs from http://open.rhx.it/apt/redhat/7.3/i386/RPMS.rhx/

http://open.rhx.it/apt/redhat/7.3/i386/RPMS.rhx/php-4.3.10-0.i386.rpm
http://open.rhx.it/apt/redhat/7.3/i386/RPMS.rhx/php-devel-4.3.10-0.i386.rpm
http://open.rhx.it/apt/redhat/7.3/i386/RPMS.rhx/php-imap-4.3.10-0.i386.rpm
http://open.rhx.it/apt/redhat/7.3/i386/RPMS.rhx/php-mysql-4.3.10-0.i386.rpm
http://open.rhx.it/apt/redhat/7.3/i386/RPMS.rhx/php-ldap-4.3.10-0.i386.rpm
http://open.rhx.it/apt/redhat/7.3/i386/RPMS.rhx/php-odbc-4.3.10-0.i386.rpm
http://open.rhx.it/apt/redhat/7.3/i386/RPMS.rhx/php-snmp-4.3.10-0.i386.rpm


I think these will only work IF you have previously upgraded to PHP 4.3.9 using the SME upgrade script.

ergozd

PHP Security Update 4.3.10
« Reply #13 on: December 23, 2004, 09:01:41 AM »
Hi there!

I've updated the php-upgrade script with RPMs from rhx as mentioned here. I've not yet tried it myself (due to lack of time to test things)...

ONLY AT YOUR OWN RISK
download and run the script... Good luck...
(Read this bug thread if you have Zend Optimizer enabled http://bugs.php.net/bug.php?id=31116 OR the important notice from Zend http://www.zend.com/store/products/zend-optimizer.php )
- you will have to upgrade your ZO to v2.5.7 to get PEAR to work correctly...

http://ergin.dyndns.org/download/php4.3.10-upgrade_rhx.sh

Please give feedback on how it goes for your system so I can make "necessary changes" when/if needed... Only after a few feedbacks will I upload the script to my contrib area.


PS: Make sure you don't lose any functionality based on compile options...

Best rgds, Ergin

gregswallow
PHP Security Update 4.3.10
« Reply #14 on: December 23, 2004, 07:58:57 PM »
Ergin,

I had been wondering if the script is wrong... shouldn't:
Code:
if [ $IS_ODBC -eq 0 ]
then
    wget ftp://

be changed to:
Code:
if [ $IS_ODBC -eq 0 ]
then
    rpm -Uvh ftp://

...otherwise unixODBC-2.2.0-5.i386.rpm never gets installed. Also I think that link is dead. Maybe link to unixODBC on download.fedoralegacy.org

I am also wondering if these are the best PHP RPMs to use. Weren't the PHP 4.3.9 RPMs from http://mirror.contribs.org/smeserver/contribs/ldinclaux/SME6.x/Contribs/RPMS/ compiled with more options or made specially for SME? And who is rhx? I guess if you are running a vulnerable phpBB website then you need these right away though.
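Two concrete failure modes come up in this thread: an installed PHP that is still older than the fixed 4.3.10 release, and an upgrade script that fetches the unixODBC RPM but never installs it (gregswallow's wget-versus-rpm point), which is also what makes `rpm -Uvh --nodeps` in Jack's script risky. The following POSIX shell script is an added example written for this page, not code from the thread or from any of the scripts linked here. It compares dotted version numbers field by field (so 4.3.9 sorts below 4.3.10, which a plain string comparison gets wrong) and checks a list of expected package names against `rpm -qa` output. The package list in the check, the `--check` flag and the `rpm --queryformat` call are this example's own choices; the functions themselves take their input as arguments so they can be run against a pasted version string or constructed package list without touching the RPM database.

```shell
#!/bin/sh
# Added example (not from the thread): is the installed PHP older than the
# fixed release, and did every expected RPM actually get installed?
# Plain POSIX sh so it runs on a 2004-era SME box without sort -V.

FIXED_VERSION="4.3.10"

# vercmp A B: prints "lt", "eq" or "gt" as A is older than, equal to, or
# newer than B. Missing trailing fields count as 0, so 4.3 equals 4.3.0.
vercmp() {
    va="$1"; vb="$2"
    while [ -n "$va" ] || [ -n "$vb" ]; do
        fa="${va%%.*}"; fb="${vb%%.*}"
        [ -z "$fa" ] && fa=0
        [ -z "$fb" ] && fb=0
        if [ "$fa" -lt "$fb" ]; then echo lt; return; fi
        if [ "$fa" -gt "$fb" ]; then echo gt; return; fi
        # Drop the leading field; an undotted remainder is the last one.
        case "$va" in *.*) va="${va#*.}" ;; *) va="" ;; esac
        case "$vb" in *.*) vb="${vb#*.}" ;; *) vb="" ;; esac
    done
    echo eq
}

# php_needs_upgrade VER: succeeds (exit 0) when VER is older than 4.3.10.
# Accepts a bare version ("4.3.9") or an rpm VERSION-RELEASE ("4.3.10-0").
php_needs_upgrade() {
    v="${1%%-*}"    # strip the RPM release suffix
    [ "$(vercmp "$v" "$FIXED_VERSION")" = "lt" ]
}

# missing_packages "NAMES" "RPM_QA_OUTPUT": prints each name in NAMES that
# has no NAME-VERSION-RELEASE line in RPM_QA_OUTPUT. Run it on `rpm -qa`
# after the upgrade to catch an RPM that was downloaded but never installed.
missing_packages() {
    names="$1"; installed="$2"
    for n in $names; do
        # rpm -qa prints name-version-release; anchoring on "name-<digit>"
        # keeps "php" from matching "php-mysql-4.3.10-0".
        if ! printf '%s\n' "$installed" | grep -q "^$n-[0-9]"; then
            echo "$n"
        fi
    done
}

# installed_php_version: VERSION-RELEASE of the php package from the RPM db.
installed_php_version() {
    rpm -q --queryformat '%{VERSION}-%{RELEASE}' php 2>/dev/null
}

# Live check, only when invoked as "sh thisscript --check" on a box with rpm.
# The package list mirrors the RPMs named in this thread (example's choice).
if [ "${1:-}" = "--check" ] && command -v rpm >/dev/null 2>&1; then
    cur="$(installed_php_version)"
    if php_needs_upgrade "$cur"; then
        echo "php $cur is older than $FIXED_VERSION: upgrade needed"
    else
        echo "php $cur is at or above $FIXED_VERSION"
    fi
    for m in $(missing_packages \
        "php php-mysql php-imap php-ldap php-odbc php-snmp unixODBC" \
        "$(rpm -qa)"); do
        echo "expected package not installed: $m"
    done
fi
```

Running it with `--check` right after `rpm -Uvh --nodeps php*.rpm` reports both conditions at once; a `unixODBC` line in the output is exactly the symptom of the `wget` line in the upgrade script that never got followed by an install.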