Lighttpd

Some more updates happened

During my absence (having a summer holiday in Italy is something I can suggest as a well-spent two weeks) there were again many updates. I’ll briefly name them here and will let you know later on if there were any problems with them.

PHP got upgraded to version 5.2.4, which covers several bug fixes and some minor security bugs. A detailed changelog can be found here.

Apache was updated to version 2.2.6; this version is principally a bug and security fix release. Read the changelog for more info.

Lighttpd was updated to version 1.4.18 which contains a fix for a buffer-overrun in the fastcgi protocol.

PHP updated to 5.2.3

The PHP development team released a new version of PHP called 5.2.3. Sorry it took some time to blog about it but I had a problem testing it. There was a problem getting it compiled for Lighttpd (the new webserver in the documentation set). It took me a while as it wasn’t quite clear why it didn’t work properly but I found out that the ‘make install’ script has changed to rename the fastcgi version of php to php-cgi and have a cli version of the php binary. This wasn’t the case when using the previous version where the php binary was also usable as a fastcgi. So I had to change the documentation as well.
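A quick way to tell the two binaries apart before pointing Lighttpd at one of them, as an added example that is not part of the original post: the first line of `php -v` names the SAPI the binary was built as. The function names are hypothetical, the banners are constructed samples, and the config check assumes the binary is set through the `"bin-path"` key of a `fastcgi.server` block.

```shell
#!/bin/sh
# Added example (not the author's script). Function names are hypothetical.

# sapi_of_banner "<first line of 'php -v'>" -> cli, cgi-fcgi, cgi or unknown
sapi_of_banner() {
    case "$1" in
        "PHP "*"(cgi-fcgi)"*) echo cgi-fcgi ;;  # CGI binary built with FastCGI
        "PHP "*"(cgi)"*)      echo cgi ;;       # plain CGI, no FastCGI support
        "PHP "*"(cli)"*)      echo cli ;;       # command-line binary
        *)                    echo unknown ;;
    esac
}

# bin_path_of_conf <file> -> first uncommented "bin-path" value in the config
bin_path_of_conf() {
    sed -n 's/^[[:space:]]*"bin-path"[[:space:]]*=>[[:space:]]*"\([^"]*\)".*/\1/p' "$1" |
        head -n 1
}

# check_fastcgi_binary <lighttpd.conf>
# returns 0: FastCGI build, 1: wrong SAPI, 2: bin-path missing or not executable
check_fastcgi_binary() {
    bin=$(bin_path_of_conf "$1")
    [ -n "$bin" ] || { echo "no bin-path found in $1" >&2; return 2; }
    [ -x "$bin" ] || { echo "$bin is missing or not executable" >&2; return 2; }
    banner=$("$bin" -v 2>/dev/null | head -n 1)
    sapi=$(sapi_of_banner "$banner")
    if [ "$sapi" = cgi-fcgi ]; then
        echo "$bin: $sapi, usable as a FastCGI backend"
    else
        echo "$bin: $sapi, not a FastCGI build; use the installed php-cgi" >&2
        return 1
    fi
}

# Constructed banners in the shape 'php -v' prints for each SAPI.
for b in 'PHP 5.2.3 (cli) (built: constructed)' \
         'PHP 5.2.3 (cgi-fcgi) (built: constructed)'; do
    echo "$b -> $(sapi_of_banner "$b")"
done
```

Run `check_fastcgi_binary /path/to/lighttpd.conf` after an upgrade; a non-zero exit means the configured binary is not the FastCGI build.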

Here are the major changes, bugfixes, improvements and new features:

Security Enhancements and Fixes in PHP 5.2.3:

  • Fixed an integer overflow inside chunk_split() (by Gerhard Wagner, CVE-2007-2872)
  • Fixed possible infinite loop in imagecreatefrompng. (by Xavier Roche, CVE-2007-2756)
  • Fixed ext/filter Email Validation Vulnerability (MOPB-45 by Stefan Esser, CVE-2007-1900)
  • Fixed bug #41492 (open_basedir/safe_mode bypass inside realpath()) (by bugs dot php dot net at chsc dot dk)
  • Improved fix for CVE-2007-1887 to work with non-bundled sqlite2 lib.
  • Added mysql_set_charset() to allow runtime altering of connection encoding.

The key improvements of PHP 5.2.3 include:

  • Improved compilation of heredocs and interpolated strings.
  • Optimized out a couple of per-request syscalls.
  • Optimized digest generation in md5() and sha1() functions.
  • Fixed bug #41236 (Regression in timeout handling of non-blocking SSL connections during reads and writes)
  • Fixed bug #39542 (Behavior of require/include different to < 5.2.0)
  • Fixed bug #41293 (Fixed creation of HTTP_RAW_POST_DATA when there is no default post handler)
  • Fixed bug #41347 (checkdnsrr() segfaults on empty hostname)
  • Fixed bug #41353 (crash in openssl_pkcs12_read() on invalid input)
  • Fixed bug #41403 (json_decode cannot decode floats if localeconv decimal_point is not ‘.’)
  • Fixed bug #41421 (Uncaught exception from a stream wrapper segfaults)
  • Fixed bug #41504 (json_decode() incorrectly decodes JSON arrays with empty string keys).
  • Over 40 bug fixes.

For users upgrading from PHP 5.0 and PHP 5.1, an upgrade guide is available here, detailing the changes between those releases and PHP 5.2.3.

For a full list of changes in PHP 5.2.3, see the ChangeLog.

Included a Lighttpd installation to the documentation

I’ve been looking at Lighttpd for some time now and finally found some time to get it set up and to document the process. I’m not going to replace Apache on my production systems just yet but I thought it would be nice to have a choice. You can find the Lighttpd install instructions here and I also added a page on how to compile PHP5 for Lighttpd as it needs to be compiled differently.

Virtual servers and an SSL/HTTPS setup are planned to follow soon…

If you would like other software included in the documentation project let me know, try to convince me to include it. Donations usually help ;-)