A newer version of php and apache-mod_php is available in 2010.2/main/updates due to security advisories:
http://lists.mandriva.com/security-announce/2011-11/msg00003.php
http://lists.mandriva.com/security-announce/2011-11/msg00004.php
These packages need to be updated for Mageia 1 so that they will be upgraded when upgrading from MDV 2010.2.
Hi, thanks for reporting this bug. Assigned to the package maintainer. (Please set the status to 'assigned' if you are working on it)
Keywords: (none) => Triaged
Assignee: bugsquad => thomas
CC: (none) => dmorganec
Status: NEW => ASSIGNED
Just in case you didn't see it, this is related to the 5.3.8 update: http://lists.mandriva.com/security-announce/2011-11/msg00006.php
php-suhosin is also missing a security update. The mail to the MDV security list on November 28th is missing from their web archives. The patch is here: http://svn.mandriva.com/svn/packages/cooker/php-suhosin/current/SOURCES/suhosin-0.9.32.1-CVE-2011-2483.diff The CVE: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2483 The MDV advisory: A vulnerability was discovered and fixed in php-suhosin: crypt_blowfish before 1.1, as used in suhosin does not properly handle 8-bit characters, which makes it easier for context-dependent attackers to determine a cleartext password by leveraging knowledge of a password hash (CVE-2011-2483). The updated packages have been patched to correct this issue.
OK, the mail for the php-suhosin advisory is in the archives after all, just out of order: http://lists.mandriva.com/security-announce/2011-12/msg00017.php
php-pear has also been updated in MDV 2010.2 updates to 1.9.4 and we have 1.9.2 in Mageia 1, so this will need an update: http://lists.mandriva.com/security-announce/2011-12/msg00012.php
Two more CVEs were just added for PHP: http://lists.mandriva.com/security-announce/2011-12/msg00030.php
The package is now in core/updates_testing. The pear package has to be done too, but I believe php needs to go into updates first?
CC: (none) => thomas
I can't answer your question, sorry :/ but I get:
A requested package cannot be installed:
php-cgi-5.3.8-0.1.mga1.x86_64 (due to unsatisfied php-ini[>= 5.3.8])
php-ini needs to be upgraded (the change is only the name). It's now in testing and so is php-pear-1.9.4. I guess I need to assign it to QA?
What about php-apc, php-suhosin, and apache-mod_php? I think those come from different SRPMS. Also, does your PHP update include the fixes for CVE-2011-4566 and CVE-2011-4885, I couldn't tell from the changelog? (always a good idea to put the CVEs in the changelog)
Just to give some references, apache-mod_php was included in the first advisory in the original bug description here. php-apc is Comment 2. php-suhosin is Comment 3 and Comment 4.
These patches have been applied: php-5.3.8-CVE-2011-3379.diff php-5.3.8-CVE-2011-4566.diff php-5.3.8-CVE-2011-4885.diff php-apc php-suhosin I am working on it. dmorgan is the maintainer for apache-mod
dmorgan is the maintainer for apache-mod_php
php-suhosin is in updates-testing.
php-apc: We have 3.1.7 and the regression is for 3.1.9. Our policy is not to upgrade released versions if not needed. I don't see any bugs filed for this in mga 1.
php-apc has to be updated, because if someone upgrades from MDV 2010.2, that package won't be updated. Our policy is to upgrade things if MDV 2010.2 does in updates.
can you pls provide a link to that policy?
Thomas, this is part of the fact that upgrading from MDV 2010.2 is officially supported.
http://www.mageia.org/en/1/migrate/
OK it's in upgrades_testing. It needs another version bump, but let's get it through testing first.
dmorgan has informed me that apache-mod_php has also been pushed to updates_testing. I'll let you know when I'm able to test these. Thanks dmorgan and Thomas.
i just pushed apache-mod_php
Ok thanks guys, so we have to test:
apache-mod_php-5.3.8-0.1.mga1.src.rpm
php-5.3.8-0.1.mga1.src.rpm
php-apc-3.1.9-0.1.mga1.src.rpm
php-ini-5.3.8-0.1.mga1.src.rpm
php-memcache-3.0.6-1.1.mga1.src.rpm
php-pear-1.9.4-0.1.mga1.src.rpm
php-suhosin-0.9.32.1-5.1.mga1.src.rpm
Assignee: thomas => qa-bugs
Note to QA: as Thomas alluded to in Comment 19, php-apc will need to be rebuilt to increase the release to at least 0.2 before this is pushed to updates (MDV version is php-apc-3.1.9-0.2mdv2010.2).
I ran successful tests on i586, specifically for apache-mod_php, php (php-cgi, php-dba, and php-gd), php-ini, and php-suhosin. I did not test php-memcache or php-pear. Installing php-apc broke my test cases and I got error logs:
[Sat Dec 31 19:47:44 2011] [error] [client 127.0.0.1] PHP Fatal error: PHP Startup: apc_mmap: mkstemp on /var/lib/php-apc/apc.PPz22o failed: in Unknown on line 0, referer: http://localhost/~david/survey.html
[Sat Dec 31 19:47:44 2011] [error] [client 127.0.0.1] PHP Fatal error: PHP Startup: apc_fcntl_create: open(/var/lib/php-apc/.apc.BqnBiD, O_RDWR|O_CREAT, 0666) failed: in Unknown on line 0, referer: http://localhost/~david/survey.html
[Sat Dec 31 19:47:44 2011] [error] [client 127.0.0.1] Premature end of script headers: mail, referer: http://localhost/~david/survey.html
[Sat Dec 31 19:48:23 2011] [error] [client 127.0.0.1] PHP Fatal error: PHP Startup: apc_mmap: mkstemp on /var/lib/php-apc/apc.yghJYO failed: in Unknown on line 0, referer: http://localhost/~david/test2.php
[Sat Dec 31 19:48:23 2011] [error] [client 127.0.0.1] PHP Fatal error: PHP Startup: apc_fcntl_create: open(/var/lib/php-apc/.apc.cdWeg5, O_RDWR|O_CREAT, 0666) failed: in Unknown on line 0, referer: http://localhost/~david/test2.php
[Sat Dec 31 19:48:23 2011] [error] [client 127.0.0.1] Premature end of script headers: counter, referer: http://localhost/~david/test2.php
Note that I get similar errors with php-apc from mga1/release, so this is not a regression.
Could somebody please provide an advisory so we know what we should be testing for, it is not clear. Some of the earlier mentioned CVEs don't appear to be relevant to this version. Thank you :)
This update for php and apache-mod_php fixes CVEs from these advisories:
http://lists.mandriva.com/security-announce/2011-11/msg00003.php (2202 and 1148 were fixed in a previous mga update)
http://lists.mandriva.com/security-announce/2011-11/msg00004.php
http://lists.mandriva.com/security-announce/2011-12/msg00030.php
This update for php-apc fixes this:
http://lists.mandriva.com/security-announce/2011-11/msg00006.php (just a reminder of Comment 23 that this one will need to be rebuilt before this update is issued)
This update for php-suhosin fixes this:
http://lists.mandriva.com/security-announce/2011-12/msg00017.php
This update for php-pear fixes this:
http://lists.mandriva.com/security-announce/2011-12/msg00012.php
Basically just test that these things still work. I directly tested apache-mod_php, php-cgi, php-dba, and php-gd with example PHPs I wrote years ago and verified that they all work. I don't use Pear and don't know how to use apc correctly so I couldn't test those.
Thomas, I looked more carefully and found that there are two more SRPMS that need to be rebuilt in association with this PHP update. They are php-timezonedb and php-xdebug, and here are their mdv and mga versions.
php-timezonedb:
php-timezonedb-2011.14-0.1mdv2010.2.i586.rpm
php-timezonedb-2011.5-1.mga1.i586.rpm
php-xdebug:
php-xdebug-2.1.2-0.1mdv2010.2.i586.rpm
php-xdebug-2.1.0-5.mga1.i586.rpm
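The upgrade-path concern raised in this comment and in the earlier note to QA (a Mageia 1 build only replaces the MDV 2010.2 package when its version-release sorts higher) can be checked mechanically. The following is an added example, not part of the original thread or of Mageia's tooling: a simplified Python rendering of RPM's segment-by-segment version comparison, run over package strings quoted in this thread. It assumes equal epochs on both sides and does not handle `~` or `^`; the function names are illustrative.

```python
import re

# Architecture suffixes that appear in the package strings quoted in this thread.
ARCH_SUFFIXES = (".src", ".noarch", ".i586", ".x86_64")


def _segments(text):
    """Split a version or release string into digit runs and letter runs."""
    return re.findall(r"[0-9]+|[A-Za-z]+", text)


def rpmvercmp(a, b):
    """Compare two version (or release) strings; return -1, 0 or 1.

    Simplified segment rules: separators are ignored, numeric segments
    compare as integers, alphabetic segments compare as byte strings, a
    numeric segment is newer than an alphabetic one, and when all shared
    segments are equal the string with more segments is newer.
    """
    sa, sb = _segments(a), _segments(b)
    for x, y in zip(sa, sb):
        x_num, y_num = x.isdigit(), y.isdigit()
        if x_num and y_num:
            x, y = int(x), int(y)
        elif x_num != y_num:
            return 1 if x_num else -1
        if x != y:
            return 1 if x > y else -1
    return (len(sa) > len(sb)) - (len(sa) < len(sb))


def parse_nvr(label):
    """Split 'name-version-release[.arch][.rpm]' into (name, version, release)."""
    if label.endswith(".rpm"):
        label = label[:-4]
    for arch in ARCH_SUFFIXES:
        if label.endswith(arch):
            label = label[: -len(arch)]
            break
    name, version, release = label.rsplit("-", 2)
    return name, version, release


def compare_packages(a, b):
    """Compare two package labels by version, then release (epoch assumed equal)."""
    _, ver_a, rel_a = parse_nvr(a)
    _, ver_b, rel_b = parse_nvr(b)
    return rpmvercmp(ver_a, ver_b) or rpmvercmp(rel_a, rel_b)


def upgrade_gaps(old_distro, new_distro):
    """Names whose new-distro build would NOT replace the old-distro build."""
    new_by_name = {parse_nvr(p)[0]: p for p in new_distro}
    gaps = []
    for old in old_distro:
        name = parse_nvr(old)[0]
        new = new_by_name.get(name)
        if new is not None and compare_packages(new, old) <= 0:
            gaps.append(name)
    return sorted(gaps)


# Package strings as quoted in this thread.
MDV_2010_2 = [
    "php-apc-3.1.9-0.2mdv2010.2",
    "php-timezonedb-2011.14-0.1mdv2010.2.i586.rpm",
    "php-xdebug-2.1.2-0.1mdv2010.2.i586.rpm",
]
MGA1_AT_THIS_POINT = [
    "php-apc-3.1.9-0.1.mga1.src.rpm",
    "php-timezonedb-2011.5-1.mga1.i586.rpm",
    "php-xdebug-2.1.0-5.mga1.i586.rpm",
]
# Builds listed in the advisory draft later in the thread.
MGA1_FINAL = [
    "php-apc-3.1.9-0.5.mga1",
    "php-timezonedb-2011.14-1.1.mga1",
    "php-xdebug-2.1.2-1.1.mga1",
]

if __name__ == "__main__":
    print("not superseded now:  ", upgrade_gaps(MDV_2010_2, MGA1_AT_THIS_POINT))
    print("not superseded later:", upgrade_gaps(MDV_2010_2, MGA1_FINAL))
```

A package reported as a gap keeps its MDV 2010.2 build after migration, so any fix shipped only in the Mageia build would not be installed.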
These are now in updates_testing
Is php-eaccelerator included with this? Running maintenance scripts from a mediawiki installation told me it was built against php 5.3.6 and needs to be rebuilt.
David, do you care to share your test scripts please. Thanks.
(In reply to comment #30)
> Is php-eaccelerator included with this?
>
> Running maintenance scripts from a mediawiki installation told me it was built
> against php 5.3.6 and needs to be rebuilt.

No. Does it need to be rebuilt? It doesn't need to be updated. Is there anything else that needs a rebuild just because PHP is being updated?
Yes it needs rebuild. I already did before : #2780
CC: (none) => lists.jjorge
Created attachment 1344 [details]
PHP test files

OK here are my test cases. They assume they will be installed in /home/david/public_html, so if you test them somewhere else you will have to edit some hard-coded things in them, including the username david and some paths.

You can visit http://localhost/~david/survey.html in your browser and fill out the form, and it should e-mail david locally and redirect you to a page with a page counter on it (test.html). If you visit test.html manually and keep reloading it, the counter should increase. Also, viewing the test.php page should show its own counter.

It assumes that php-cgi, apache_mod-php, php-gd, php-dba, and apache-mod_userdir are installed. I also have apache-mod_suexec installed, so it may not work without that. If needed, you can rebuild it from Cauldron (you might have to change the version number in the SPEC file to match apache).
(In reply to comment #34)
> Created attachment 1344 [details]
> PHP test files
>
> OK here are my test cases. They assume they will be installed in
> /home/david/public_html, so if you test them somewhere else you will have to
> edit some hard-coded things in them, including the username david and some
> paths.
>
> You can visit http://localhost/~david/survey.html in your browser and fill out
> the form, and it should e-mail david locally and redirect you to a page with a
> page counter on it (test.html). If you visit test.html manually and keep
> reloading it, the counter should increase. Also, viewing the test.php page
> should show its own counter.
>
> It assumes that php-cgi, apache_mod-php, php-gd, php-dba, and
> apache-mod_userdir are installed. I also have apache-mod_suexec installed, so
> it may not work without that. If needed, you can rebuild it from Cauldron (you
> might have to change the version number in the SPEC file to match apache).

You also need to change /etc/php.ini to have cgi.force_redirect = 0, and restart apache.
Thanks David, they will help with testing. I will see about putting them onto the wiki.
php-eaccelerator is now in updates_testing
We currently have the following ten php srpms in updates testing
php-5.3.8-0.1.mga1.src.rpm
php-apc-3.1.9-0.1.mga1.src.rpm
php-eaccelerator-0.9.6.1-5.2.mga1.src.rpm
php-ini-5.3.8-0.1.mga1.src.rpm
php-memcache-3.0.6-1.1.mga1.src.rpm
php-pear-1.9.4-0.1.mga1.src.rpm
php-suhosin-0.9.32.1-5.1.mga1.src.rpm
php-timezonedb-2011.14-1.1.mga1.src.rpm
php-xdebug-2.1.2-1.1.mga1.src.rpm
phpmyadmin-3.3.10.5-1.mga1.src.rpm

Should they all be pushed together for this update?
CC: (none) => davidwhodgins
(In reply to comment #38)
> We currently have the following ten php srpms in updates testing
> php-5.3.8-0.1.mga1.src.rpm
> php-apc-3.1.9-0.1.mga1.src.rpm
> php-eaccelerator-0.9.6.1-5.2.mga1.src.rpm
> php-ini-5.3.8-0.1.mga1.src.rpm
> php-memcache-3.0.6-1.1.mga1.src.rpm
> php-pear-1.9.4-0.1.mga1.src.rpm
> php-suhosin-0.9.32.1-5.1.mga1.src.rpm
> php-timezonedb-2011.14-1.1.mga1.src.rpm
> php-xdebug-2.1.2-1.1.mga1.src.rpm
> phpmyadmin-3.3.10.5-1.mga1.src.rpm
>
> Should they all be pushed together for this update?

phpmyadmin is part of Bug 4063, not this bug. The rest of those, as well as the following, are part of this bug:
apache-mod_php-5.3.8-0.1.mga1.src.rpm

php-apc needs to be rebuilt to tag it as 0.2 before this is pushed.
yes, please push together

php-apc needs to be rebuilt to tag it as 0.2 before this is pushed
Just pushed to updates_Testing
(In reply to comment #40)
> yes, please push together
>
> php-apc needs to be rebuilt to tag it as 0.2 before this is pushed
> Just pushed to updates_Testing

urpmi php-apc
A requested package cannot be installed:
php-eaccelerator-admin-0.9.6.1-5.1.mga1.i586 (in order to keep php-eaccelerator-admin-0.9.6.1-5.2.mga1.i586)
Ping. php-apc needs to have its requires fixed.
I am not sure if it is needed, but I did it anyway.
Created attachment 1361 [details]
Output of urpmi php-apc --debug

Something is still wrong that is blocking the install of php-apc.
(In reply to comment #44)
> Created attachment 1361 [details]
> Output of urpmi php-apc --debug
>
> Something is still wrong that is blocking the install of php-apc.

Dave, you're not supposed to install both of them at the same time (php-apc and php-eaccelerator). They basically both serve the same purpose. Try them each on their own.
I had no problem upgrading. I added updates_testing to the source and did urpmi --auto-updates and it upgraded 87 packages, including php-apc and php-apc-admin.
As Thomas noted on the mageia-dev list, this all now needs to be upgraded again to PHP 5.3.9: https://www.zarb.org/pipermail/mageia-dev/2012-January/011193.html Mandriva has issued this advisory today (January 15) to address this: http://www.mandriva.com/en/support/security/advisories/?dis=2010.1&name=MDVA-2012:004 On the Mandriva side this included a rebuild of all of the same SRPMS as are on this bug except for two. Included: (apache-mod_php, php, php-apc, php-eaccelerator, php-ini, php-suhosin, php-timezonedb, php-xdebug). Not included: (php-memcache, php-pear). Also, other SRPMS were included in Mandriva's update that haven't been rebuilt (yet) here: (libmbfl, php-gearman, php-mcal, php-sasl, php-ssh2, php-xattr), as well as ones we don't have in Mageia 1: (php-mailparse, php-optimizer, php-pinba, php-sphinx, php-tclink, php-translit, php-vld).
Summary: PHP needs to be updated to 5.3.8 (as it was in MDV 2010.2) => PHP needs to be updated to 5.3.9 (as it was in MDV 2010.2)
why not push this update. Waiting for the 5.39 and the testing will just delay what we already have and then go through another update. I still have about 30 php-pear packages to update in cauldron, that are pretty outdated.
(In reply to comment #48)
> why not push this update. Waiting for the 5.39 and the testing will just delay
> what we already have and then go through another update.
> I still have about 30 php-pear packages to update in cauldron, that are pretty
> outdated.

We're three months behind on the 5.3.8 update, a little while longer won't kill us. Anyway, nobody has even tested this on x86_64 yet, so it's not like this update is ready to push anyway. Might as well just build the 5.3.9 update and do the (x86_64) testing once. It won't take us long to re-test i586. Also, I think getting this update done should be a priority over pear packages in Cauldron.
(In reply to comment #48)
> why not push this update. Waiting for the 5.39 and the testing will just delay
> what we already have and then go through another update.

Because we should aim to minimize the amount of updates we do if possible.

> I still have about 30 php-pear packages to update in cauldron, that are pretty
> outdated.

Security updates are more important.
CC: (none) => tmb
(In reply to comment #45)
> (In reply to comment #44)
> > Created attachment 1361 [details]
> > Output of urpmi php-apc --debug
> >
> > Something is still wrong that is blocking the install of php-apc.
>
> Dave, you're not supposed to install both of them at the same time (php-apc and
> php-eaccelerator). They basically both serve the same purpose. Try them each
> on their own.

Ok. Thanks for the explanation. I consider i586 testing complete then.
I am working on the 3.5.9 I am going to do it in cauldron first.
This may be because it isn't ready yet but there is currently a problem, so I thought it worth mentioning.
Sorry, the following packages cannot be selected:
- apache-mod_php-5.3.9-1.mga1.x86_64 (due to unsatisfied php-ini[>= 5.3.9])
- php-cgi-5.3.9-1.mga1.x86_64 (due to unsatisfied php-ini[>= 5.3.9])
- php-cli-5.3.9-1.mga1.x86_64 (due to unsatisfied php-ini[>= 5.3.9])
php-5.3.9 is now in updates_testing. There are still a few more that need to be rebuilt.
Thomas, could you let us know when everything is ready to QA please. This bug has become a bit disorganised which can easily lead to mistakes being made. Could you also provide an advisory saying what has been included in the various updates. There is an example linked to from our updates policy here: https://wiki.mageia.org/en/Updates_policy#Maintainer_.28or_any_interested_packager.29 Thank you :)
CC: (none) => kristoffer.grundstrom1983
the php-ini is now in upgrades_testing. I did install the update on my VB and used kolab-webmin to make changes to the kolab settings. I know this is a very basic test, but I have nothing else. This concludes to fix all the security advisories and we should be at the same state as Mandriva. fwang fixed some spelling errors in the mageia logo patch as far as I could see. He usually does these things very quietly. Please do the same testing as you have already done on i586 (comment 49). Please complete this before we need another security update, otherwise it will really become messy.
Thomas, for future updates could you create separate bugs please. It is much easier to keep track of exactly what has been updated and needing testing and why it is being updated. It is going to be difficult to write an advisory for you. It is usually something done by the packager as per the updates policy. If QA creates one now will you please check it is correct? Also please check that the list of SRPM's is complete. Please see the link in the updates policy on the wiki for a template you can use for providing advisories. This bug is a good example of the reasons it is important to follow the policy.
apache-mod_php-5.3.8-0.1.mga1.src.rpm
php-5.3.9-1.3.mga1.src.rpm
php-apc-3.1.9-0.4.mga1.src.rpm
php-eaccelerator-0.9.6.1-5.2.mga1.src.rpm
php-ini-5.3.9-1.1.mga1.src.rpm
php-memcache-3.0.6-1.1.mga1.src.rpm
php-pear-1.9.4-0.1.mga1.src.rpm
php-suhosin-0.9.32.1-5.1.mga1.src.rpm
php-timezonedb-2011.14-1.1.mga1.src.rpm
php-xdebug-2.1.2-1.1.mga1.src.rpm

These are the php SRPM's in updates_testing, is this the correct list?

There is also phpmyadmin-3.3.10.5-1.mga1.src.rpm which was built around the same time, is it included?
(In reply to comment #57)
> Thomas, for future updates could you create separate bugs please. It is much
> easier to keep track of exactly what has been updated and needing testing and
> why it is being updated.
>
> It is going to be difficult to write an advisory for you. It is usually
> something done by the packager as per the updates policy. If QA creates one now
> will you please check it is correct? Also please check that the list of SRPM's
> is complete.
>
> Please see the link in the updates policy on the wiki for a template you can
> use for providing advisories. This bug is a good example of the reasons it is
> important to follow the policy.

I think it's ok to keep everything in one bug report : PHP + dependent packages, or if we create several bug reports, they must not be pushed independently. I agree about the advisory being hard to write without comprehensive information about what changed and without a list of updated SRPMs.
(In reply to comment #58)
> There is also phpmyadmin-3.3.10.5-1.mga1.src.rpm which was built around the
> same time, is it included?

Hmm, no, phpmyadmin must have its own bug report, it's not a php core package or extension.
CC: (none) => stormi
Created attachment 1393 [details]
basic test script for php-memcache

x86_64
33 Packages updated
php-memcache tested with the attached script.
General testing with mediawiki, zoneminder and phpmyadmin
Ok so far
php-apc tested with php-apc-admin by visiting localhost/php-apc and watching cache entries while browsing mediawiki
removed php-apc and admin and installed php-eaccelerator and php-eaccelerator-admin. Tested by browsing to localhost/php-eaccelerator and logging in with admin/eAccelerator. There is nothing shown under build information and none of the buttons seem to do anything. It is shown as being not enabled. /etc/php.d/Z99_eaccelerator.ini shows eaccelerator.enable = "1". I don't know how to show it is actually running or not or whether the problem is with the admin.
you can install php-cli and issue php -m or php -i

or create a /var/www/html/test.php file containing :

<?php
phpinfo();
(In reply to comment #64)
> you can install php-cli and issue php -m or php -i
>
> or create a /var/www/html/test.php file containing :
>
> <?php
> phpinfo();

And access it at http://localhost/test.php
So far on i586 no problem with phpmyadmin nor mageia-app-db
/var/log/httpd/error.log shows problems
[Thu Jan 19 16:43:45 2012] [error] [client 127.0.0.1] PHP Warning: Division by zero in /var/www/php-eaccelerator/index.php on line 117, referer: http://localhost/php-eaccelerator/
The line number alters anywhere between 111 and 117
Actually there are pages of warnings for php-apc-admin too..
[Thu Jan 19 16:38:03 2012] [error] [client 127.0.0.1] PHP Warning: date(): It is not safe to rely on the system's timezone settings. You are *required* to use the date.timezone setting or the date_default_timezone_set() function. In case you used any of those methods and you are still getting this warning, you most likely misspelled the timezone identifier. We selected 'UTC' for 'GMT/0.0/no DST' instead in /var/www/php-apc/index.php on line 1124, referer: http://localhost/php-apc/index.
Removed php-eaccelerator and admin and removed /var/cache/httpd/php-eaccelerator and reinstalled but the problem is still there.
# php -m
[eAccelerator] This build of "eAccelerator" was compiled for PHP version 5.3.8. Rebuild it for your PHP version (5.3.9) or download precompiled binaries.
# php -i
eAccelerator
eAccelerator support => enabled
Version => 0.9.6.1
Caching Enabled => false
Optimizer Enabled => false
Check mtime Enabled => false
Installed php-xdebug from testing and now /var/log/httpd/error.log shows a backtrace from localhost/php-eaccelerator so php-xdebug tested OK :)
[Thu Jan 19 17:36:10 2012] [error] [client 127.0.0.1] PHP Warning: Division by zero in /var/www/php-eaccelerator/index.php on line 116
[Thu Jan 19 17:36:10 2012] [error] [client 127.0.0.1] PHP Stack trace:
[Thu Jan 19 17:36:10 2012] [error] [client 127.0.0.1] PHP 1. {main}() /var/www/php-eaccelerator/index.php:0
[Thu Jan 19 17:36:10 2012] [error] [client 127.0.0.1] PHP 2. space_graph() /var/www/php-eaccelerator/index.php:330
[Thu Jan 19 17:36:10 2012] [error] [client 127.0.0.1] PHP Warning: Division by zero in /var/www/php-eaccelerator/index.php on line 117
[Thu Jan 19 17:36:10 2012] [error] [client 127.0.0.1] PHP Stack trace:
[Thu Jan 19 17:36:10 2012] [error] [client 127.0.0.1] PHP 1. {main}() /var/www/php-eaccelerator/index.php:0
[Thu Jan 19 17:36:10 2012] [error] [client 127.0.0.1] PHP 2. space_graph() /var/www/php-eaccelerator/index.php:330
(In reply to comment #58)
> apache-mod_php-5.3.8-0.1.mga1.src.rpm
> php-5.3.9-1.3.mga1.src.rpm
> php-apc-3.1.9-0.4.mga1.src.rpm
> php-eaccelerator-0.9.6.1-5.2.mga1.src.rpm
> php-ini-5.3.9-1.1.mga1.src.rpm
> php-memcache-3.0.6-1.1.mga1.src.rpm
> php-pear-1.9.4-0.1.mga1.src.rpm
> php-suhosin-0.9.32.1-5.1.mga1.src.rpm
> php-timezonedb-2011.14-1.1.mga1.src.rpm
> php-xdebug-2.1.2-1.1.mga1.src.rpm
>
> These are the php SRPM's in updates_testing, is this the correct list?
>
> There is also phpmyadmin-3.3.10.5-1.mga1.src.rpm which was built around the
> same time, is it included?

As I mentioned earlier, phpmyadmin is Bug 4063. According to claire's recent comments, it appears php-eaccelerator needs to be rebuilt against 5.3.9. Hopefully nothing else needs rebuilt against it.

apache-mod_php needs updated again to 5.3.9. I'll ping D Morgan about it when I get home if it hasn't happened by then.
apache-mod_php-5.3.9-1.3.mga1 is already available
> As I mentioned earlier, phpmyadmin is Bug 4063. According to claire's recent
> comments, it appears php-eaccelerator needs to be rebuilt against 5.3.9.
> Hopefully nothing else needs rebuilt against it.

As I mentioned earlier, yes.

x86_64
------
So far all appears OK, apart from php-apc and php-eaccelerator
Not specifically tested yet, php-pear or php-timezonedb
php-pear is required by horde, kolab and bacula-gui-web so will test with one of those tomorrow.
php-timezonedb is required by php-cli & php-cgi so may have been tested already.
I am not convinced php-eaccelerator and php-apc need a rebuild as they have been rebuilt against the RC4, but I did it anyway. They are now in updates_testing
Created attachment 1397 [details]
Basic test script for php-pear

Tested php-pear with the attached script and also installed bacula-gui-web and browsed to localhost/bacula/bacula-web/test.php which showed Pear as being OK. I then updated php-eaccelerator and php-eaccelerator-admin and reloaded the bacula page and it caused an apache segfault. This is causing segfaults on every page I try to access. I'll try reinstalling eaccelerator and clean out the cache directory again.
Segfaults cured by using '# service httpd restart' instead of '# apachectl restart'. I'm not sure what the difference is or whether that is a bug with apache. php-eaccelerator and php-eaccelerator-admin tested OK, showing correctly on the admin page now too and version nags in /var/log/httpd/error.log are gone.
There is still a problem with php-apc or perhaps just php-apc-admin. It is working and the admin works properly too. After changing the password in /var/www/php-apc/index.php I can login with those credentials too. The apache error log is full of errors like this as before.
[Fri Jan 20 14:28:30 2012] [error] [client 127.0.0.1] PHP Warning: date(): It is not safe to rely on the system's timezone settings. You are *required* to use the date.timezone setting or the date_default_timezone_set() function. In case you used any of those methods and you are still getting this warning, you most likely misspelled the timezone identifier. We selected 'UTC' for 'GMT/0.0/no DST' instead in /var/www/php-apc/index.php on line 807, referer: http://localhost/php-apc/index.php?SCOPE=A&SORT1=H&SORT2=D&COUNT=20&OB=9
[Fri Jan 20 14:28:30 2012] [error] [client 127.0.0.1] PHP Stack trace:, referer: http://localhost/php-apc/index.php?SCOPE=A&SORT1=H&SORT2=D&COUNT=20&OB=9
[Fri Jan 20 14:28:30 2012] [error] [client 127.0.0.1] PHP 1. {main}() /var/www/php-apc/index.php:0, referer: http://localhost/php-apc/index.php?SCOPE=A&SORT1=H&SORT2=D&COUNT=20&OB=9
[Fri Jan 20 14:28:30 2012] [error] [client 127.0.0.1] PHP 2. date() /var/www/php-apc/index.php:807, referer: http://localhost/php-apc/index.php?SCOPE=A&SORT1=H&SORT2=D&COUNT=20&OB=9
php-xdebug is currently still installed.
Google suggests this is likely a php configuration issue, should the timezone be set automatically?
I'm satisfied with the i586 testing. The timezone error message is not a regression. Claire, I think we should go ahead and validate this update once we have an advisory. I think the phpmyadmin is ready to validate as well, but should be pushed at the same time as this update, since we are using this version for the testing of phpmyadmin. What do you think?
As it currently prevents a successful upgrade from MDV2010 Dave, yes I agree. Especially with Mandriva's future being uncertain, there are bound to be people migrating. It is an issue which should be addressed though as it floods the log files. Bug 4214 created for the timezone problem. phpmyadmin is not a part of this update (bug 4063) and Jose hasn't assigned QA yet so I think we need to hold off with that one for the time being, it is another upgrade blocker though. Thomas could you provide the update advisory please, then we can validate. Thank you!
PHP 5.3.9 update passes my tests (from Comment 34) on i586. phpmyadmin hasn't been updated to a version as new as MDV 2010.2 has, so it's not ready for QA yet.
Thomas: libmbfl still needs to be updated or rebuilt because the MDV version is now newer (1.1.0-5.1) than ours (1.1.0-3) as it was included in MDV's PHP 5.3.9 update ("The libmbfl packages has been upgraded to reflect the changes as of php-5.3.9.") php-ssh2 also was upgraded in MDV's update to 0.11.3, so we need to match that (we have 0.11.2). Also, MDV has rebuilt the php-mcal, php-sasl php-gearman, and php-xattr packages in their PHP updates. Did you determine that ours do not require a rebuild?
I've organized the information on this bug to help with the advisory.

PHP has been updated to version 5.3.9 to fix several bugs and security vulnerabilities.

Additionally:
- php-apc has been patched to fix a regression with the PHP update.
- php-timezonedb has been upgraded to the latest version.
- php-suhosin and php-pear have been updated to fix security vulnerabilities.
- php-eaccelerator, php-memcache, and php-xdebug have been rebuilt against 5.3.9

References:
PHP:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1657
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1938
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2483
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3182
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3267
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3268
http://www.mandriva.com/en/support/security/advisories/?dis=2010.1&name=MDVSA-2011:165
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3379
http://www.mandriva.com/en/support/security/advisories/?dis=2010.1&name=MDVSA-2011:166
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-4566
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-4885
http://www.mandriva.com/en/support/security/advisories/?dis=2010.1&name=MDVSA-2011:197
http://www.php.net/ChangeLog-5.php#5.3.9
https://qa.mandriva.com/64711
http://www.mandriva.com/en/support/security/advisories/?dis=2010.1&name=MDVA-2012:004
php-apc:
https://qa.mandriva.com/64683
http://www.mandriva.com/en/support/security/advisories/?dis=2010.1&name=MDVA-2011:068
php-suhosin:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2483
http://www.mandriva.com/en/support/security/advisories/?dis=2010.1&name=MDVSA-2011:180
php-pear:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1072
http://www.mandriva.com/en/support/security/advisories/?dis=2010.1&name=MDVSA-2011:187
========================
Notes:
- CVE-2011-2202 and CVE-2011-1148 from the first MDV PHP 5.3.8 update were fixed in a previous Mageia update.
- apache-mod_php is now built from the php SRPM instead of its own SRPM.
- libmbfl and php-ssh2 need to be updated before this update can be pushed.
- php-mcal, php-sasl, php-gearman, and php-xattr may need rebuilt as well.
========================
Updated packages in core/updates_testing:
========================
SRPMS:
php-5.3.9-1.3.mga1.src.rpm
php-apc-3.1.9-0.5.mga1.src.rpm
php-eaccelerator-0.9.6.1-5.3.mga1.src.rpm
php-ini-5.3.9-1.1.mga1.src.rpm
php-memcache-3.0.6-1.1.mga1.src.rpm
php-pear-1.9.4-0.1.mga1.src.rpm
php-suhosin-0.9.32.1-5.1.mga1.src.rpm
php-timezonedb-2011.14-1.1.mga1.src.rpm
php-xdebug-2.1.2-1.1.mga1.src.rpm
RPMS:
apache-mod_php-5.3.9-1.3.mga1
libphp5_common5-5.3.9-1.3.mga1
php-apc-3.1.9-0.5.mga1
php-apc-admin-3.1.9-0.5.mga1
php-bcmath-5.3.9-1.3.mga1
php-bz2-5.3.9-1.3.mga1
php-calendar-5.3.9-1.3.mga1
php-cgi-5.3.9-1.3.mga1
php-cli-5.3.9-1.3.mga1
php-ctype-5.3.9-1.3.mga1
php-curl-5.3.9-1.3.mga1
php-dba-5.3.9-1.3.mga1
php-devel-5.3.9-1.3.mga1
php-doc-5.3.9-1.3.mga1
php-dom-5.3.9-1.3.mga1
php-eaccelerator-0.9.6.1-5.3.mga1
php-eaccelerator-admin-0.9.6.1-5.3.mga1
php-enchant-5.3.9-1.3.mga1
php-exif-5.3.9-1.3.mga1
php-fileinfo-5.3.9-1.3.mga1
php-filter-5.3.9-1.3.mga1
php-fpm-5.3.9-1.3.mga1
php-ftp-5.3.9-1.3.mga1
php-gd-5.3.9-1.3.mga1
php-gettext-5.3.9-1.3.mga1
php-gmp-5.3.9-1.3.mga1
php-hash-5.3.9-1.3.mga1
php-iconv-5.3.9-1.3.mga1
php-imap-5.3.9-1.3.mga1
php-ini-5.3.9-1.1.mga1
php-intl-5.3.9-1.3.mga1
php-json-5.3.9-1.3.mga1
php-ldap-5.3.9-1.3.mga1
php-mbstring-5.3.9-1.3.mga1
php-mcrypt-5.3.9-1.3.mga1
php-memcache-3.0.6-1.1.mga1
php-mssql-5.3.9-1.3.mga1
php-mysql-5.3.9-1.3.mga1
php-mysqli-5.3.9-1.3.mga1
php-mysqlnd-5.3.9-1.3.mga1
php-odbc-5.3.9-1.3.mga1
php-openssl-5.3.9-1.3.mga1
php-pcntl-5.3.9-1.3.mga1
php-pdo-5.3.9-1.3.mga1
php-pdo_dblib-5.3.9-1.3.mga1
php-pdo_mysql-5.3.9-1.3.mga1
php-pdo_odbc-5.3.9-1.3.mga1
php-pdo_pgsql-5.3.9-1.3.mga1
php-pdo_sqlite-5.3.9-1.3.mga1
php-pear-1.9.4-0.1.mga1
php-pgsql-5.3.9-1.3.mga1
php-phar-5.3.9-1.3.mga1
php-posix-5.3.9-1.3.mga1
php-pspell-5.3.9-1.3.mga1
php-readline-5.3.9-1.3.mga1
php-recode-5.3.9-1.3.mga1
php-session-5.3.9-1.3.mga1
php-shmop-5.3.9-1.3.mga1
php-snmp-5.3.9-1.3.mga1
php-soap-5.3.9-1.3.mga1
php-sockets-5.3.9-1.3.mga1
php-sqlite3-5.3.9-1.3.mga1
php-suhosin-0.9.32.1-5.1.mga1
php-sybase_ct-5.3.9-1.3.mga1
php-sysvmsg-5.3.9-1.3.mga1
php-sysvsem-5.3.9-1.3.mga1
php-sysvshm-5.3.9-1.3.mga1
php-tidy-5.3.9-1.3.mga1
php-timezonedb-2011.14-1.1.mga1
php-tokenizer-5.3.9-1.3.mga1
php-wddx-5.3.9-1.3.mga1
php-xdebug-2.1.2-1.1.mga1
php-xml-5.3.9-1.3.mga1
php-xmlreader-5.3.9-1.3.mga1
php-xmlrpc-5.3.9-1.3.mga1
php-xmlwriter-5.3.9-1.3.mga1
php-xsl-5.3.9-1.3.mga1
php-zip-5.3.9-1.3.mga1
php-zlib-5.3.9-1.3.mga1
php-ssh2, php-mcal, php-sasl, php-gearman, and php-xattr have been updated. libmbfl: I do not see why this has to be updated for PHP-5.3.9, but it needs to be updated for updates from MDV. I'm having problems building this one, so be patient.
libmbfl is now in updates_testing.
(In reply to comment #84)
> libmbfl is now in updates_testing.
It looks like you just increased the release number and didn't actually apply the update. See here for the SPEC diff: http://svn.mandriva.com/cgi-bin/viewvc.cgi/packages/updates/2010.1/libmbfl/current/SPECS/libmbfl.spec?r1=595561&r2=760944
Here is a direct link to the updated patch: http://svn.mandriva.com/svn/packages/updates/2010.1/libmbfl/current/SOURCES/libmbfl-php539RC1.diff
I think once that is fixed, this can be validated, but I'll wait for confirmation from QA. I'll post an updated version of the advisory once that is fixed though.
patch libmbfl-php539RC1.diff applied and in testing as libmbfl-5.3
Thanks Thomas! QA, I think this can be validated, please confirm.
Advisory:
PHP has been updated to version 5.3.9 to fix several bugs and security vulnerabilities.
Additionally:
- php-apc has been patched to fix a regression with the PHP update.
- php-timezonedb and php-ssh2 have been upgraded to the latest versions.
- php-suhosin and php-pear have been updated to fix security vulnerabilities.
- libmbfl has been updated to work with PHP 5.3.9.
- php-eaccelerator, php-gearman, php-memcache, php-mcal, php-sasl, php-xattr, and php-xdebug have been rebuilt against PHP 5.3.9
References:
PHP:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1657
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1938
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2483
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3182
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3267
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3268
http://www.mandriva.com/en/support/security/advisories/?dis=2010.1&name=MDVSA-2011:165
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3379
http://www.mandriva.com/en/support/security/advisories/?dis=2010.1&name=MDVSA-2011:166
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-4566
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-4885
http://www.mandriva.com/en/support/security/advisories/?dis=2010.1&name=MDVSA-2011:197
http://www.php.net/ChangeLog-5.php#5.3.9
https://qa.mandriva.com/64711
http://www.mandriva.com/en/support/security/advisories/?dis=2010.1&name=MDVA-2012:004
php-apc:
https://qa.mandriva.com/64683
http://www.mandriva.com/en/support/security/advisories/?dis=2010.1&name=MDVA-2011:068
php-suhosin:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2483
http://www.mandriva.com/en/support/security/advisories/?dis=2010.1&name=MDVSA-2011:180
php-pear:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1072
http://www.mandriva.com/en/support/security/advisories/?dis=2010.1&name=MDVSA-2011:187
========================
Notes:
- CVE-2011-2202 and CVE-2011-1148 from the first MDV PHP 5.3.8 update were fixed in a previous Mageia update.
- apache-mod_php is now built from the php SRPM instead of its own SRPM.
========================
Updated packages in core/updates_testing:
========================
SRPMS:
libmbfl-1.1.0-5.3.mga1.src.rpm
php-5.3.9-1.3.mga1.src.rpm
php-apc-3.1.9-0.5.mga1.src.rpm
php-eaccelerator-0.9.6.1-5.3.mga1.src.rpm
php-gearman-0.7.0-5.1.mga1.src.rpm
php-ini-5.3.9-1.1.mga1.src.rpm
php-mcal-0.6-39.1.mga1.src.rpm
php-memcache-3.0.6-1.1.mga1.src.rpm
php-pear-1.9.4-0.1.mga1.src.rpm
php-sasl-0.1.0-34.1.mga1.src.rpm
php-ssh2-0.11.3-1.1.mga1.src.rpm
php-suhosin-0.9.32.1-5.1.mga1.src.rpm
php-timezonedb-2011.14-1.1.mga1.src.rpm
php-xattr-1.1.0-17.1.mga1.src.rpm
php-xdebug-2.1.2-1.1.mga1.src.rpm
RPMS:
apache-mod_php-5.3.9-1.3.mga1
libmbfl-devel-1.1.0-5.3.mga1
libmbfl1-1.1.0-5.3.mga1
libphp5_common5-5.3.9-1.3.mga1
php-apc-3.1.9-0.5.mga1
php-apc-admin-3.1.9-0.5.mga1
php-bcmath-5.3.9-1.3.mga1
php-bz2-5.3.9-1.3.mga1
php-calendar-5.3.9-1.3.mga1
php-cgi-5.3.9-1.3.mga1
php-cli-5.3.9-1.3.mga1
php-ctype-5.3.9-1.3.mga1
php-curl-5.3.9-1.3.mga1
php-dba-5.3.9-1.3.mga1
php-devel-5.3.9-1.3.mga1
php-doc-5.3.9-1.3.mga1
php-dom-5.3.9-1.3.mga1
php-eaccelerator-0.9.6.1-5.3.mga1
php-eaccelerator-admin-0.9.6.1-5.3.mga1
php-enchant-5.3.9-1.3.mga1
php-exif-5.3.9-1.3.mga1
php-fileinfo-5.3.9-1.3.mga1
php-filter-5.3.9-1.3.mga1
php-fpm-5.3.9-1.3.mga1
php-ftp-5.3.9-1.3.mga1
php-gd-5.3.9-1.3.mga1
php-gearman-0.7.0-5.1.mga1
php-gettext-5.3.9-1.3.mga1
php-gmp-5.3.9-1.3.mga1
php-hash-5.3.9-1.3.mga1
php-iconv-5.3.9-1.3.mga1
php-imap-5.3.9-1.3.mga1
php-ini-5.3.9-1.1.mga1
php-intl-5.3.9-1.3.mga1
php-json-5.3.9-1.3.mga1
php-ldap-5.3.9-1.3.mga1
php-mbstring-5.3.9-1.3.mga1
php-mcal-0.6-39.1.mga1
php-mcrypt-5.3.9-1.3.mga1
php-memcache-3.0.6-1.1.mga1
php-mssql-5.3.9-1.3.mga1
php-mysql-5.3.9-1.3.mga1
php-mysqli-5.3.9-1.3.mga1
php-mysqlnd-5.3.9-1.3.mga1
php-odbc-5.3.9-1.3.mga1
php-openssl-5.3.9-1.3.mga1
php-pcntl-5.3.9-1.3.mga1
php-pdo-5.3.9-1.3.mga1
php-pdo_dblib-5.3.9-1.3.mga1
php-pdo_mysql-5.3.9-1.3.mga1
php-pdo_odbc-5.3.9-1.3.mga1
php-pdo_pgsql-5.3.9-1.3.mga1
php-pdo_sqlite-5.3.9-1.3.mga1
php-pear-1.9.4-0.1.mga1
php-pgsql-5.3.9-1.3.mga1
php-phar-5.3.9-1.3.mga1
php-posix-5.3.9-1.3.mga1
php-pspell-5.3.9-1.3.mga1
php-readline-5.3.9-1.3.mga1
php-recode-5.3.9-1.3.mga1
php-sasl-0.1.0-34.1.mga1
php-session-5.3.9-1.3.mga1
php-shmop-5.3.9-1.3.mga1
php-snmp-5.3.9-1.3.mga1
php-soap-5.3.9-1.3.mga1
php-sockets-5.3.9-1.3.mga1
php-sqlite3-5.3.9-1.3.mga1
php-ssh2-0.11.3-1.1.mga1
php-suhosin-0.9.32.1-5.1.mga1
php-sybase_ct-5.3.9-1.3.mga1
php-sysvmsg-5.3.9-1.3.mga1
php-sysvsem-5.3.9-1.3.mga1
php-sysvshm-5.3.9-1.3.mga1
php-tidy-5.3.9-1.3.mga1
php-timezonedb-2011.14-1.1.mga1
php-tokenizer-5.3.9-1.3.mga1
php-wddx-5.3.9-1.3.mga1
php-xattr-1.1.0-17.1.mga1
php-xdebug-2.1.2-1.1.mga1
php-xml-5.3.9-1.3.mga1
php-xmlreader-5.3.9-1.3.mga1
php-xmlrpc-5.3.9-1.3.mga1
php-xmlwriter-5.3.9-1.3.mga1
php-xsl-5.3.9-1.3.mga1
php-zip-5.3.9-1.3.mga1
php-zlib-5.3.9-1.3.mga1
Created attachment 1417: basic script to test a few php-mbstring functions
lib64mbstring1 tested OK on x86_64 with the above script and phpmyadmin, which has it as a recursive require. Once it's tested on i586 too, these updates can be validated \o/
I should say php-mbstring which has lib64mbfl1 as a recursive require and phpmyadmin which has php-mbstring as one.
I've completed testing on i586 with the script from comment 88. I'll go ahead and validate this update. Could someone from the sysadmin team push this php update using the list of srpms and advisory from comment 87?
Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs
Hardware: i586 => All
update pushed
Status: ASSIGNED => RESOLVED
Resolution: (none) => FIXED
So I just noticed a libmcal0 in updates_testing (from mcal SRPM) built by Thomas Spuhler around the same time as some of the other pieces rebuilt for this update. Thomas, was that supposed to be included in this update?
Unfortunately, php-5.3.9 introduces a new security problem: CVE-2012-0830: Arbitrary remote code execution vulnerability reported by Stefan Esser. Upstream suggested upgrading to 5.3.10, which has landed in Mageia 1 core/updates_testing.
Status: RESOLVED => REOPENED
CC: (none) => fundawang
Resolution: FIXED => (none)
Summary: PHP needs to be updated to 5.3.9 (as it was in MDV 2010.2) => PHP needs to be updated to 5.3.10
There will be packages needing to be rebuilt for this new version. Funda, could you create a new bug for this update please and include the packages which need rebuilding. This bug was a bit of a mess and it will only add to the confusion to continue it. Thanks!
Closing this bug report, the new update will need a new bug report.
Status: REOPENED => RESOLVED
Resolution: (none) => FIXED
Summary: PHP needs to be updated to 5.3.10 => PHP needs to be updated to 5.3.9