PHP

I got an email from the PHP announcement list that version 5.2.6 is released. I have tested it today on Tiger and Leopard and I can tell you everything works as far as I can tell.

Security Enhancements in PHP 5.2.6:

  • Fixed possible stack buffer overflow in the FastCGI SAPI identified by Andrei Nigmatulin.
  • Fixed integer overflow in printf() identified by Maksymilian Arciemowicz.
  • Fixed security issue detailed in CVE-2008-0599 identified by Ryan Permeh.
  • Fixed a safe_mode bypass in cURL identified by Maksymilian Arciemowicz.
  • Properly address incomplete multibyte chars inside escapeshellcmd() identified by Stefan Esser.
  • Upgraded bundled PCRE to version 7.6

For all the changes in 5.2.6 read the ChangeLog.

Somehow the PHP.net guys forget they have an announcement mailing list to tell everyone a new version is released. I had a kind and very thoughtful reminder in my mail from a happy DIYMacServer user telling me that a new version has been released.

So gentlemen, start your download program and warm up your compiler. The PHP installation documentation has been updated and also has a Leopard configuration for all you early adopters.

The new release boasts the following fixes:

  • Fixed dl() to only accept filenames. Reported by Laurent Gaffie.
  • Fixed dl() to limit argument size to MAXPATHLEN (CVE-2007-4887). Reported by Laurent Gaffie.
  • Fixed htmlentities/htmlspecialchars not to accept partial multibyte sequences. Reported by Rasmus Lerdorf
  • Fixed possible triggering of buffer overflows inside glibc implementations of the fnmatch(), setlocale() and glob() functions. Reported by Laurent Gaffie.
  • Fixed “mail.force_extra_parameters” php.ini directive not to be modifiable in .htaccess due to the security implications. Reported by SecurityReason.
  • Fixed bug #42869 (automatic session id insertion adds sessions id to non-local forms).
  • Fixed bug #41561 (Values set with php_admin_* in httpd.conf can be overwritten with ini_set()).

and the following enhancements:

  • Upgraded PCRE to version 7.3
  • Updated timezone database to version 2007.9
  • Added ability to control memory consumption between request using ZEND_MM_COMPACT environment variable.
  • Improved speed of array_intersect_key(), array_intersect_assoc(), array_uintersect_assoc(), array_diff_key(), array_diff_assoc() and array_udiff_assoc() functions
  • Fixed bug #43139 (PDO ignores ATTR_DEFAULT_FETCH_MODE in some cases with fetchAll())
  • Fixed bug #42785 (json_encode() formats doubles according to locale rather than following standard syntax)
  • Fixed bug #42549 (ext/mysql failed to compile with libmysql 3.23)
  • Over 60 bug fixes.

Tiger shipped with the heavily outdated Apache 1.3.x and PHP 4.x. While both of these versions were working and helped people to get started, most of us liked working on the newer releases of that software. Besides, the Apache Software Foundation has moved into security update and critical bug fix only mode for the 1.3.x series of the web server, and as we all know the PHP project has announced end of life for PHP 4. It’s a good time to move on, as I showed you how to do on my blog.

To my surprise, however, I found when playing around with my Leopard install that it has the latest versions of Apache and PHP installed by default. You still need to activate the PHP module yourself by uncommenting it in the httpd.conf configuration file, which is in a new location by the way.

The new location of the configuration and the modules is in ‘/etc/apache2/’ instead of the default ‘/etc/httpd/’ you would expect. I’m sticking to the last one by the way for my installation.

The modules are installed in ‘/usr/libexec/apache2/’ and there are some remarkable module names in there. What would you think of a module called mod_bonjour? I wonder what that one does. Another one is mod_auth_svn, which would indicate a default installation, and it surprises me that it’s installed. Mod_perl and mod_fast-cgi are there as well. I will try to mimic the availability of these modules in my install scripts.

PHP is another question. With phpinfo() you can retrieve the configure command line; it looks like:

./configure '--prefix=/usr' '--mandir=/usr/share/man' '--infodir=/usr/share/info' '--disable-dependency-tracking' '--with-apxs2=/usr/sbin/apxs' '--with-ldap=/usr' '--with-kerberos=/usr' '--enable-cli' '--with-zlib-dir=/usr' '--enable-trans-sid' '--with-xml' '--enable-exif' '--enable-ftp' '--enable-mbstring' '--enable-mbregex' '--enable-dbx' '--enable-sockets' '--with-iodbc=/usr' '--with-curl=/usr' '--with-config-file-path=/etc' '--sysconfdir=/private/etc' '--with-mysql-sock=/var/mysql' '--with-mysqli=/usr/bin/mysql_config' '--with-mysql=/usr' '--with-openssl' '--with-xmlrpc' '--with-xsl=/usr' '--without-pear'

Which looks a lot like what I had, with some extras; I’m looking into which ones I will add.
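Added example (not from the original post): one way to list which features the Leopard build has that a self-compiled build lacks, by parsing both configure command lines. LEOPARD is the line quoted above; CUSTOM and the helper names parse and diff are constructed for illustration.

```python
import shlex

# Configure command shown by phpinfo() on Leopard, as quoted in the post.
LEOPARD = (
    "./configure '--prefix=/usr' '--mandir=/usr/share/man' "
    "'--infodir=/usr/share/info' '--disable-dependency-tracking' "
    "'--with-apxs2=/usr/sbin/apxs' '--with-ldap=/usr' '--with-kerberos=/usr' "
    "'--enable-cli' '--with-zlib-dir=/usr' '--enable-trans-sid' '--with-xml' "
    "'--enable-exif' '--enable-ftp' '--enable-mbstring' '--enable-mbregex' "
    "'--enable-dbx' '--enable-sockets' '--with-iodbc=/usr' '--with-curl=/usr' "
    "'--with-config-file-path=/etc' '--sysconfdir=/private/etc' "
    "'--with-mysql-sock=/var/mysql' '--with-mysqli=/usr/bin/mysql_config' "
    "'--with-mysql=/usr' '--with-openssl' '--with-xmlrpc' '--with-xsl=/usr' "
    "'--without-pear'"
)
# Constructed sample of a self-compiled build (assumption, not the author's).
CUSTOM = (
    "./configure '--prefix=/usr/local/php5' '--with-zlib-dir=/usr' "
    "'--with-apxs2=/usr/local/apache2/bin/apxs' '--enable-mbstring' "
    "'--enable-sockets' '--with-curl=/usr' '--with-mysql=/usr/local/mysql' "
    "'--with-openssl' '--with-xsl=/usr' '--with-gd'"
)
# Options that only place files or tune the build; they add no feature.
LAYOUT = {"prefix", "mandir", "infodir", "sysconfdir",
          "with-config-file-path", "disable-dependency-tracking"}

def parse(cmd):
    """Map each feature to (enabled, value), e.g. 'curl' -> (True, '/usr')."""
    features = {}
    for arg in shlex.split(cmd)[1:]:            # skip ./configure itself
        name, _, value = arg.lstrip("-").partition("=")
        if name in LAYOUT:
            continue
        kind, _, feature = name.partition("-")  # enable/disable/with/without
        features[feature] = (kind in ("enable", "with"), value)
    return features

def diff(reference, mine):
    """Return (missing, extra, changed) feature names relative to reference."""
    ref, own = parse(reference), parse(mine)
    missing = sorted(f for f, (on, _) in ref.items() if on and f not in own)
    extra = sorted(f for f, (on, _) in own.items() if on and f not in ref)
    changed = sorted(f for f in ref.keys() & own.keys() if ref[f] != own[f])
    return missing, extra, changed

if __name__ == "__main__":
    for label, names in zip(("missing", "extra", "changed"), diff(LEOPARD, CUSTOM)):
        print(f"{label:8}: {', '.join(names) or '-'}")
```

Every feature in the resulting lists is compiled-in code that has to be kept patched, so the diff doubles as a list of which extension fixes in the release notes apply to each build.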

During my absence (having a summer holiday in Italy is something I can suggest as a well spent two weeks) there were again many updates. I’ll briefly name them here and will let you know later on if there were any problems with them.

PHP got upgraded to version 5.2.4 which covers several bug fixes and some minor security bugs. A detailed changelog can be found here.

Apache was updated to version 2.2.6, this version is principally a bug and security fix release. Read the changelog for more info.

Lighttpd was updated to version 1.4.18 which contains a fix for a buffer-overrun in the fastcgi protocol.

The PHP development team released a new version of PHP called 5.2.3. Sorry it took some time to blog about it but I had a problem testing it. There was a problem getting it compiled for Lighttpd (the new webserver in the documentation set). It took me a while as it wasn’t quite clear why it didn’t work properly but I found out that the ‘make install’ script has changed to rename the fastcgi version of php to php-cgi and have a cli version of the php binary. This wasn’t the case when using the previous version where the php binary was also usable as a fastcgi. So I had to change the documentation as well.

Here are the major changes, bugfixes, improvements and new features:

Security Enhancements and Fixes in PHP 5.2.3:

  • Fixed an integer overflow inside chunk_split() (by Gerhard Wagner, CVE-2007-2872)
  • Fixed possible infinite loop in imagecreatefrompng. (by Xavier Roche, CVE-2007-2756)
  • Fixed ext/filter Email Validation Vulnerability (MOPB-45 by Stefan Esser, CVE-2007-1900)
  • Fixed bug #41492 (open_basedir/safe_mode bypass inside realpath()) (by bugs dot php dot net at chsc dot dk)
  • Improved fix for CVE-2007-1887 to work with non-bundled sqlite2 lib.
  • Added mysql_set_charset() to allow runtime altering of connection encoding.

The key improvements of PHP 5.2.3 include:

  • Improved compilation of heredocs and interpolated strings.
  • Optimized out a couple of per-request syscalls.
  • Optimized digest generation in md5() and sha1() functions.
  • Fixed bug #41236 (Regression in timeout handling of non-blocking SSL connections during reads and writes)
  • Fixed bug #39542 (Behavior of require/include different to < 5.2.0)
  • Fixed bug #41293 (Fixed creation of HTTP_RAW_POST_DATA when there is no default post handler)
  • Fixed bug #41347 (checkdnsrr() segfaults on empty hostname)
  • Fixed bug #41353 (crash in openssl_pkcs12_read() on invalid input)
  • Fixed bug #41403 (json_decode cannot decode floats if localeconv decimal_point is not ‘.’)
  • Fixed bug #41421 (Uncaught exception from a stream wrapper segfaults)
  • Fixed bug #41504 (json_decode() incorrectly decodes JSON arrays with empty string keys).
  • Over 40 bug fixes.

For users upgrading from PHP 5.0 and PHP 5.1, an upgrade guide is available here, detailing the changes between those releases and PHP 5.2.3.

For a full list of changes in PHP 5.2.3, see the ChangeLog.

I’ve been looking at Lighttpd for some time now and finally found some time to get it setup and to document the process. I’m not going to replace Apache on my production systems just yet but I thought it would be nice to have a choice. You can find the Lighttpd install instructions here and I also added a page on how to compile PHP5 for Lighttpd as it needs to be compiled differently.

Virtual servers and an SSL/HTTPS setup are planned to follow soon…

If you would like other software included in the documentation project let me know, try to convince me to include it. Donations usually help ;-)

Yes it’s finally there, the version that includes shared libraries in the binary distribution package which would mean we never have to recompile MySQL ourselves. I’ve downloaded the package and installed it on my test server. The installation went without a problem as usual, but trying to compile PHP brought a new issue, some linking issue with zlib libraries.

/usr/bin/ld: warning multiple definitions of symbol _inflateInit_
/usr/local/mysql/lib/libmysqlclient.dylib(inflate.o) definition of _inflateInit_
/Developer/SDKs/MacOSX10.4u.sdk/usr/lib/gcc/i686-apple-darwin8/4.0.1/../../../libz.dylib(inflate.o) definition of _inflateInit_
etc...

I guess we still need to recompile. I hope it is not due to some leftover trial I did earlier; could someone confirm my findings?

The PHP development team released an update to the core PHP system. It’s a major stability and security enhancement to the 5.2.1 release. Everybody is strongly encouraged to upgrade to this release as soon as possible. Release notes can be found here and the changelog here.

Quoted from the announcement:

Security Enhancements and Fixes in PHP 5.2.2:

  • Fixed CVE-2007-1001, GD wbmp used with invalid image size (by Ivan Fratric)
  • Fixed asciiz byte truncation inside mail() (MOPB-33 by Stefan Esser)
  • Fixed a bug in mb_parse_str() that can be used to activate register_globals (MOPB-26 by Stefan Esser)
  • Fixed unallocated memory access/double free in array_user_key_compare() (MOPB-24 by Stefan Esser)
  • Fixed a double free inside session_regenerate_id() (MOPB-22 by Stefan Esser)
  • Added missing open_basedir & safe_mode checks to zip:// and bzip:// wrappers. (MOPB-21 by Stefan Esser).
  • Limit nesting level of input variables with max_input_nesting_level as fix for (MOPB-03 by Stefan Esser)
  • Fixed CRLF injection inside ftp_putcmd(). (by loveshell[at]Bug.Center.Team)
  • Fixed a possible super-global overwrite inside import_request_variables(). (by Stefano Di Paola, Stefan Esser)
  • Fixed a remotely trigger-able buffer overflow inside bundled libxmlrpc library. (by Stanislav Malyshev)
  • Fixed a header injection via Subject and To parameters to the mail() function (MOPB-34 by Stefan Esser)
  • Fixed wrong length calculation in unserialize S type (MOPB-29 by Stefan Esser)
  • Fixed substr_compare and substr_count information leak (MOPB-14 by Stefan Esser) (Stas, Ilia)
  • Fixed a remotely trigger-able buffer overflow inside make_http_soap_request(). (by Ilia Alshanetsky)
  • Fixed a buffer overflow inside user_filter_factory_create(). (by Ilia Alshanetsky)

I still have the same issue on the PPC platform as with 5.2.1, which I’m still working to solve. But it takes some time before I can move everything from my production server to a temporary one.

I’ve had some issues myself and got some reports from people who are trying to compile PHP 5.1.2. The error we get is about multiple definitions of several PCRE lib related symbols and ends with the error that _xmlTextReaderSchemaValidate is undefined.

/usr/bin/ld: warning multiple definitions of symbol _pcre_callout
ext/pcre/pcrelib/pcre_globals.o definition of _pcre_callout in section (__DATA,__data)
/usr/local/apache2/bin/httpd definition of _pcre_callout
/usr/bin/ld: warning multiple definitions of symbol _pcre_stack_free
ext/pcre/pcrelib/pcre_globals.o definition of _pcre_stack_free in section (__DATA,__data)
/usr/local/apache2/bin/httpd definition of _pcre_stack_free
/usr/bin/ld: warning multiple definitions of symbol _pcre_stack_malloc
ext/pcre/pcrelib/pcre_globals.o definition of _pcre_stack_malloc in section (__DATA,__data)
/usr/local/apache2/bin/httpd definition of _pcre_stack_malloc
/usr/bin/ld: Undefined symbols:
_xmlTextReaderSchemaValidate
collect2: ld returned 1 exit status
make: *** [libs/libphp5.bundle] Error 1

It all works on an Intel based Mac without any problem. If anyone has any idea what causes this problem please let me know !

The PHP development team just released an update to the core PHP system. It’s a major stability and security enhancement to the 5.2.0 release. Everybody is strongly encouraged to upgrade to this release as soon as possible.

Quoted from the announcement:

Security Enhancements and Fixes in PHP 5.2.1:

  • Fixed possible safe_mode & open_basedir bypasses inside the session extension.
  • Prevent search engines from indexing the phpinfo() page.
  • Fixed a number of input processing bugs inside the filter extension.
  • Fixed unserialize() abuse on 64 bit systems with certain input strings.
  • Fixed possible overflows and stack corruptions in the session extension.
  • Fixed an underflow inside the internal sapi_header_op() function.
  • Fixed allocation bugs caused by attempts to allocate negative values in some code paths.
  • Fixed possible stack overflows inside zip, imap & sqlite extensions.
  • Fixed several possible buffer overflows inside the stream filters.
  • Fixed non-validated resource destruction inside the shmop extension.
  • Fixed a possible overflow in the str_replace() function.
  • Fixed possible clobbering of super-globals in several code paths.
  • Fixed a possible information disclosure inside the wddx extension.
  • Fixed a possible string format vulnerability in *print() functions on 64 bit systems.
  • Fixed a possible buffer overflow inside mail() and ibase_{delete,add,modify}_user() functions.
  • Fixed a string format vulnerability inside the odbc_result_all() function.
  • Memory limit is now enabled by default.
  • Added internal heap protection.
  • Extended filter extension support for $_SERVER in CGI and apache2 SAPIs.

The majority of the security vulnerabilities discovered and resolved can in most cases be only abused by local users and cannot be triggered remotely. However, some of the above issues can be triggered remotely in certain situations, or exploited by malicious local users on shared hosting setups utilizing PHP as an Apache module. Therefore, we strongly advise all users of PHP, regardless of the version to upgrade to 5.2.1 release as soon as possible. PHP 4.4.5 with equivalent security corrections will be available shortly.

The key improvements of PHP 5.2.1 include:

  • Several performance improvements in the engine, streams API and some Windows specific optimizations.
  • PDO_MySQL now uses buffered queries by default and emulates prepared statements to bypass limitations of MySQL’s prepared statement API.
  • Many improvements and enhancements to the filter and zip extensions.
  • Memory limit is now always enabled, this includes Windows builds, with a default limit of 128 megabytes.
  • Added several performance optimizations using faster Win32 APIs (this change means that PHP no longer supports Windows 98).
  • FastCGI speed optimized build of PHP for Windows made available for downloading.
  • Over 180 bug fixes.

For users upgrading from PHP 5.0 and PHP 5.1, an upgrade guide is available at http://www.php.net/UPDATE_5_2.txt, detailing the changes between those releases and PHP 5.2.1.

For a full list of changes in PHP 5.2.1, see the ChangeLog (http://www.php.net/ChangeLog-5.php).

The new version compiled without any issue on my Intel Mac and worked like a charm. I did encounter some issues (I’m still working on it) on my production PPC Mac, but most of these occur because of stuff and libraries I’ve used in earlier setups. I wish I still had a second PPC Mac just to be able to clean up my production machine!
