Bug 297399 - dev-lang/php-5.2.12 version bump request
Summary: dev-lang/php-5.2.12 version bump request
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: [OLD] Development
Hardware: All Linux
Importance: High normal
Assignee: PHP Bugs
URL:
Whiteboard:
Keywords:
Depends on:
Blocks: 293888
Reported: 2009-12-18 09:30 UTC by Janos Pasztor
Modified: 2009-12-30 15:43 UTC

See Also:
Package list:
Runtime testing required: ---

Description Janos Pasztor 2009-12-18 09:30:29 UTC
Requestion version bump for dev-lang/php to version 5.2.12 ASAP since it fixes several vulnerabilities.

Reproducible: Always
Comment 1 Janos Pasztor 2009-12-18 09:30:49 UTC
Sorry for the typo.
Comment 2 Janos Pasztor 2009-12-21 09:20:26 UTC
Is someone working on this? PHP 5.2.12 works perfectly with the old ebuild, just bump the version and upload the new patchset.
Comment 3 Christian Hoffmann (RETIRED) gentoo-dev 2009-12-21 14:41:50 UTC
(In reply to comment #2)
> Is someone working on this?
Yes, I am.

> PHP 5.2.12 works perfectly with the old ebuild, just
> bump the version and upload the new patchset.
No, it does not, at least not on ~amd64. I'm getting ld errors related to the tag PHP_5, most likely related to concurrentmodphp. I'll have to investigate.
If it was working without problems, it would already be in the tree.

Comment 4 Janos Pasztor 2009-12-21 14:50:50 UTC
(In reply to comment #3)
> No, it does not, at least not on ~amd64. I'm getting ld errors related to the
> tag PHP_5, most likely related to concurrentmodphp. I'll have to investigate.
> If it was working without problems, it would already be in the tree.

I'm truly sorry, I didn't mean to be impatient. If you need any help testing, please say so.

(Anyway, I was wondering why concurrentmodphp is still being kept around while FastCGI has evolved a lot and is in fact the only upstream-supported way of running multiple PHP versions, but I guess that belongs in another thread.)
Comment 5 Tobias Heinlein (RETIRED) gentoo-dev 2009-12-21 15:34:32 UTC
CVE-2008-7002 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-7002):
  PHP 5.2.5 does not enforce (a) open_basedir and (b)
  safe_mode_exec_dir restrictions for certain functions, which might
  allow local users to bypass intended access restrictions and call
  programs outside of the intended directory via the (1) exec, (2)
  system, (3) shell_exec, (4) passthru, or (5) popen functions,
  possibly involving pathnames such as "C:" drive notation.

Comment 7 Christian Hoffmann (RETIRED) gentoo-dev 2009-12-30 13:35:01 UTC
In the tree, but USE=concurrentmodphp is broken (compile failure), see bug 298969. It's not a big problem per se, because it should not be needed at the moment (no one should be using php-4 and php-6 isn't there yet).

If you want you can go for stable. I will work on fixing the problem, but I cannot promise when. Certainly not this year ;)
Comment 8 Tobias Heinlein (RETIRED) gentoo-dev 2009-12-30 15:43:28 UTC
Thank you, Christian.

The bump is done, so this bug can be closed. Stabilization due to security issues is handled on the appropriate security bug (bug #293888).