I'm filing this bug mainly just to keep track of things while I'm busy (3 weeks of university left, so I'm too occupied to deal with it more myself), but I also want the opinion of the security team. PHP-4.3.11 is out now, and upstream claims it fixes some security issues. From looking at the detailed changelog, it seems that they are very minor, or are already dealt with (eg CURL will now respect open_basedir, which we print a warning about because upstream refused to fix it in the past). I'm also concerned at some of the other bugfixes in this release, as to how they will affect the current state of PHP (it's not great, I know that). With the agreement of the security team, I'd basically like to hold off on this update for 4 weeks (when I have more time) or until at least one of the other PHP maintainers has a lot more time on their hands (I believe Stuart is busy at the moment as well). This would enable more thorough checking of the changes. Security: additionally, are you aware of any advisories for PHP?
It's still your decision, but I think quite a few people are looking forward to 4.3.11 because it fixes the unserialize() slowdown which was introduced in 4.3.10. In some cases unserialize() is said to be 20x slower in 4.3.10 than in other versions and some bulletin boards seem to heavily rely upon that function. References: http://bugs.php.net/bug.php?id=31332 http://www.vbulletin.com/forum/showthread.php?t=127027
"... addresses several security issues inside the exif and fbsql extensions as well as the unserialize(), swf_definepoly() and getimagesize() functions." Not many details. Without more (or a PHP advisory) I guess you can take your time. But I suspect the nature of the security fixes will surface soon, in which case 4 weeks will probably be a little too long a delay.
Relevant security advisory: http://www.idefense.com/application/poi/display?id=222&type=vulnerabilities&flashstatus=true
*** Bug 87574 has been marked as a duplicate of this bug. ***
*** Bug 88217 has been marked as a duplicate of this bug. ***
Anyone else from PHP herd feel like taking this one while Robin is not available ?
Stuart said he'd have a look at it.
*** Bug 88625 has been marked as a duplicate of this bug. ***
These fixes have also been applied to 5.0.4
All php5 packages are masked, so upgrading those isn't an urgent issue for us. I've bumped the following packages, and marked them stable on x86:
- dev-php/php-4.3.11
- dev-php/mod_php-4.3.11
- dev-php/php-cgi-4.3.11
Best regards, Stu
Thx super-Stu Arches: please test and mark stable. Security: please look if a GLSA is needed. This is essentially denial of service things coupled with a (better) curl basedir enforcement.
stable on ppc64
mod_php pukes on a patch;

Calculating dependencies ...done!
>>> emerge (1 of 2) dev-php/mod_php-4.3.11 to /
>>> md5 src_uri ;-) php-4.3.11.tar.bz2
>>> md5 src_uri ;-) php-4.3.2-fopen-url-secure.patch
>>> md5 src_uri ;-) php-4.3.6-includepath.diff
>>> Unpacking source...
 * Due to some previous bloopers with PHP and slotting, you may have
 * multiple instances of mod_php installed. Please look at the autoclean
 * output at the end of the emerge and unmerge all but relevant
 * instances.
 * Apache2 only detected
 * If you have both freetds and mssql in your USE flags, parts of PHP
 * may not behave correctly, or may give strange warnings. You have
 * been warned! It's recommended that you pick ONE of them. For sybase
 * support, chose 'freetds'. For mssql support choose 'mssql'.
>>> Unpacking php-4.3.11.tar.bz2 to /var/tmp/portage/mod_php-4.3.11/work
 * Applying stdint.diff ...
 * Failed Patch: stdint.diff !
 * ( /usr/portage/dev-php/mod_php/files/stdint.diff )
 *
 * Include in your bugreport the contents of:
 *
 * /var/tmp/portage/mod_php-4.3.11/temp/stdint.diff-11430.out

!!! ERROR: dev-php/mod_php-4.3.11 failed.
!!! Function epatch, Line 401, Exitcode 0
!!! Failed Patch: stdint.diff!
!!! If you need support, post the topmost build error, NOT this status message.
Stable on ppc.
sparc looks good, though I'd rather hold this a bit until the PEAR-* problems (like on bug #88683) are solved. Note that this also affects other ARCHs, like on x86 on a server I have now horde/imp/others are b0rked because of this. This is because the php 4.3.11 ebuild doesn't include PEAR-DB and the ebuild for PEAR-DB doesn't work with php 4.3.11 correctly.
Stable on sparc since you're basically waiting on us. I'm not too happy about PEAR* stuff being broken, it should have been solved before going all stable with this. But since x86 is already stable I'll just pile up user complaints in the currently existing bugs for this.
mod_php and php-cgi should also be marked stable:
dev-php/php-4.3.11 still misses: alpha hppa ia64 mips s390
>=dev-php/mod_php-4.3.11 still misses: alpha amd64 hppa ia64 mips s390
dev-php/php-cgi-4.3.11 still misses: alpha amd64 hppa ia64 mips
Alpha stable.
amd64 stable
Stable on ia64.
Security: Please vote on GLSA need. I tend to vote YES.
I vote YES.
GLSA 200504-15
hppa, mips, s390: please mark stable to benefit from GLSA
Already stable on hppa
Stable on mips.