November 2009


Upgrading PHP with GD on OS X Server 10.5.x

This is a small write-up of the installation I was asked to do for a client on his mini with OS X Server (Leopard). It took me a while to get this working because of the various issiues that I encountered and while googling for a sollution found that there are many people looking for an answer, hence the write-up. Please note that these instructions are not part of the normal documentation set, these instructions only work on OS X Server Leopard and not on the regular OS X Workstation.

First make a copy of the original php module for safekeeping:

sudo cp /usr/libexec/apache2/libphp5.so /usr/libexec/apache2/libphp5.so.apple

Then we need to make some preparations. First of them is get the MySQL include source files and the client libraries as documented in this knowledge base article. Remeber this is only tested on 10.5.x of OS X Server.

Please download http://www.opensource.apple.com/darwinsource/other/MySQL-49.binaries.tar.gz

Unpack and copy the following directories using the following commands:

tar -zxvf MySQL-49.binaries.tar.gz
cd usr/include/
sudo cp -R usr/include/mysql /usr/include/
sudo cp -R usr/lib/mysql /usr/lib/

Next we need to get the iconv library and compile it to get it properly working with PHP. The default iconv library on OS X gives linking errors. You can download it from: http://ftp.gnu.org/pub/gnu/libiconv/libiconv-1.13.1.tar.gz and unpack it.

Use the following commands to compile and install it:

export MACOSX_DEPLOYMENT_TARGET=10.6 \
CFLAGS=”-arch x86_64″ \
CXXFLAGS=”-arch x86_64″
./configure –prefix=/usr/local
 
make
 
sudo make install

Next download the source code for the JPEG library from the Freshmeat libjpeg project. I’ve used the source file jpegsrc.v7.tar.gz.

First unpack the source code and then go into the folder “jpeg-7″ for the source and execute the following commands:

cp /usr/share/libtool/config.sub .
cp /usr/share/libtool/config.guess .

Which will copy these files to the current directory. They are required for the configuration fase of this installation.

export MACOSX_DEPLOYMENT_TARGET=10.6
CFLAGS="-arch x86_64" \
CXXFLAGS="-arch x86_64" \
LDFLAGS="-arch x86_64" \
./configure --enable-shared
 
make
 
sudo make install

Next download PHP version 5.2.11 (this is the version installed on OS X Server 10.5.x) unpack it and use the following commands to configure, compile and install it:

export MACOSX_DEPLOYMENT_TARGET=10.6 \
CFLAGS=”-arch x86_64″ \
CXXFLAGS=”-arch x86_64″
./configure –prefix=/usr \
  --mandir=/usr/share/man \
  --infodir=/usr/share/info \
  --disable-dependency-tracking \
  --with-apxs2=/usr/sbin/apxs \
  --with-ldap=/usr \
  --with-kerberos=/usr \
  --enable-cli \
  --with-zlib-dir=/usr \
  --enable-trans-sid \
  --with-xml \
  --enable-exif \
  --enable-ftp \
  --enable-mbstring \
  --enable-mbregex \
  --enable-dbx \
  --enable-sockets \
  --with-iodbc=/usr \
  --with-curl=/usr \
  --with-config-file-path=/etc \
  --sysconfdir=/private/etc \
  --with-openssl \
  --with-xmlrpc \
  --with-xsl=/usr \
  --with-mysql-sock=/var/mysql \
  --with-mysqli=/usr/bin/mysql_config \
  --with-mysql=/usr \
  --with-gd \
  --with-jpeg-dir=/usr/local/lib \
  --with-png-dir=/usr/X11R6 \
  --with-freetype-dir=/usr/X11R6 \
  --with-xpm-dir=/usr/X11R6 \
  --with-iconv=/usr/local \
  --without-pear

Next do not start compiling but we need to edit the Makefile.

Find the line that starts with:

GDLIB_CFLAGS =

and add at the end of the line:

-arch x86_64

The nfind the line that starts with:

EXTRA_LIBS =

and add at the end of this multiline:

-lresolv

Next replace the line:

$(CC) $(MH_BUNDLE_FLAGS) $(CFLAGS_CLEAN) $(EXTRA_CFLAGS) $(LDFLAGS) $(EXTRA_LDFLAGS) $(PHP_GLOBAL_OBJS:.lo=.o) $(PHP_SAPI_OBJS:.lo=.o) $(PHP_FRAMEWORKS) $(EXTRA_LIBS) $(ZEND_EXTRA_LIBS) -o $@ && cp $@ libs/libphp$(PHP_MAJOR_VERSION).so

with:

$(CC) $(CFLAGS_CLEAN) $(EXTRA_CFLAGS) $(LDFLAGS) $(EXTRA_LDFLAGS) $(PHP_GLOBAL_OBJS:.lo=.o) $(PHP_SAPI_OBJS:.lo=.o) $(PHP_FRAMEWORKS) $(EXTRA_LIBS) $(ZEND_EXTRA_LIBS) $(MH_BUNDLE_FLAGS) -o $@ && cp $@ libs/libphp$(PHP_MAJOR_VERSION).so

Save the file and when your done you can start compiling and installing with:

make
 
sudo make install

This means it’s ready.

Now restart apache and check your site. Now you have a new PHP version with GD on your server.

Dovecot updated to 1.2.8

A new version of Dovecot has been released. It’s just a minor bug fix and not a real security fix. I think that if you are not affected (like running on a server with no other local users) then you are not required to upgrade and can skip this one.

This is mainly to fix the 0777 base_dir creation issue, which could be considered a security hole, exploitable by local users. An attacker could for example replace Dovecot’s auth socket and log in as other users. Gaining root privileges isn’t possible though.

This affects only v1.2 users, v1.1 and older versions were creating the directory with 0755 permission.

If your Dovecot’s base_dir isn’t in /var/run/dovecot/, you should also make sure that the $prefix/var/ and $prefix/var/run/ (i.e. /usr/local/var/, /usr/local/var/run/ by default) aren’t 0777.

The fixes include:

  • Dovecot v1.2.x had been creating base_dir (and its parents if necessary) with 0777 permissions. The base_dir’s permissions get changed to 0755 automatically at startup, but you may need to chmod the parent directories manually.
  • acl: If user has rights from more than one group, merge them instead of choosing one group’s rights and ignoring others.
  • virtual: When using a lot of mailboxes, the virtual mailbox’s header could have grown over 32 kB and caused “out of memory” crashes. Also over 64 kB headers couldn’t even be updated with existing transaction log records. Added a new record type that gets used with >=64 kB headers. Older Dovecot versions don’t understand this header and will log errors if they see it.
  • FETCH BODYSTRUCTURE didn’t return RFC 2231 “key*” fields correctly

PHP updated to 5.3.1

The PHP development team released a new version of the 5.3.x release. Before you upgrade to a 5.3.x release on a production machine, please check if all PHP based apps are supporting 5.3.x as there are some compatibility problems and you might get some strange results. This release focuses on improving the stability of the PHP 5.3.x branch with over 100 bug fixes, some of which are security related. I’ve tested it on a test server with Snow Leopard without any problems.

Security Enhancements and Fixes in PHP 5.3.1:

  • Added “max_file_uploads” INI directive, which can be set to limit the number of file uploads per-request to 20 by default, to prevent possible DOS via temporary file exhaustion. (Ilia)
  • Added missing sanity checks around exif processing. (CVE-2009-3292, Ilia)
  • Fixed a safe_mode bypass in tempnam() identified by Grzegorz Stachowiak. (CVE-2009-3557, Rasmus)
  • Fixed a open_basedir bypass in posix_mkfifo() identified by Grzegorz Stachowiak. (CVE-2009-3558, Rasmus)
  • Fixed bug #50063 (safe_mode_include_dir fails). (CVE-2009-3559, Johannes, christian at elmerot dot se)
  • Fixed bug #44683 (popen crashes when an invalid mode is passed). (CVE-2009-3294, Pierre)

Key Enhancements in PHP 5.3.1 include:

  • Fixed crash in com_print_typeinfo when an invalid typelib is given. (Pierre)
  • Fixed crash in SQLiteDatabase::ArrayQuery() and SQLiteDatabase::SingleQuery() when calling using Reflection. (Felipe)
  • Fixed crash when instantiating PDORow and PDOStatement through Reflection. (Felipe)
  • Fixed bug #49910 (no support for ././@LongLink for long filenames in phar tar support). (Greg)
  • Fixed bug #49908 (throwing exception in __autoload crashes when interface is not defined). (Felipe)
  • Around 100 other bug fixes

For instructions on how to upgrade PHP please read: Upgrading PHP.

MySQL released 5.1.41 and 5.0.88

MySQL released new versions of the 5.1.x and 5.0.x community versions of their database server. There is a security issue releated to them so if you are affected I would advise you to upgrade. I’ve upgraded all my servers without any issue following the normal upgrade path as documented.

Read more about the specifics for each release here:

Mac OS X Update 10.6.2 and Security Update 2009-006

Warning, be careful when updating your server. I noticed a few hick-ups on my machine. I will update this post with my findings through the day when I find out more.

Leopard Issues:

  • Resolved: My remote desktop isn’t working anymore, still looking into this one. Solution: It somehow works again after some time waiting, probably I was trying to fast

Working: Everything else does not look to be affected, even Postfix is as is (in contrast to Snow Leopard)

Snow Leopard issues:

  • Postfix binary get’s replaced, you’ll have to do a ‘sudo make install’ from the last install direcory to get it working again.

For the rest on Snow Leopard everything seems to be working as intended. Will do some more test during the day.

Read more about the update to 10.6.2 here and the security update 2009-006 here.

If you find anything please let us know in the comments and I will try to verify.

Update: No more problems found, I guess it was just a postfix problem and as Joe has commented I need to change the location to prevent future issues.

Next Page »