February 2007

Issue compiling PHP 5.2.1 on PPC

I’ve had some issues myself and got some reports of people who are trying to compile PHP 5.1.2. There error we get is about mulitple definitions of several PCRE lib related symbols and ends with the error that the _xmlTextReaderSchemaValidate is undefined.

/usr/bin/ld: warning multiple definitions of symbol _pcre_callout
ext/pcre/pcrelib/pcre_globals.o definition of _pcre_callout in section (__DATA,__data)
/usr/local/apache2/bin/httpd definition of _pcre_callout
/usr/bin/ld: warning multiple definitions of symbol _pcre_stack_free
ext/pcre/pcrelib/pcre_globals.o definition of _pcre_stack_free in section (__DATA,__data)
/usr/local/apache2/bin/httpd definition of _pcre_stack_free
/usr/bin/ld: warning multiple definitions of symbol _pcre_stack_malloc
ext/pcre/pcrelib/pcre_globals.o definition of _pcre_stack_malloc in section (__DATA,__data)
/usr/local/apache2/bin/httpd definition of _pcre_stack_malloc
/usr/bin/ld: Undefined symbols:
collect2: ld returned 1 exit status
make: *** [libs/libphp5.bundle] Error 1

It all works on an Intel based Mac without any problem. If anyone has any idea what causes this problem please let me know !

Security Update 2007-002

It’s time again for a security update. This time it’s a pure security patch and not really DIYMacServer related. It fixes a security hole in iChat, Java and Finder. I’ve installed it on my servers and didn’t run into any issues as expected because of the affected components. Read more about the update here.

PHP Upgraded to 5.2.1

The PHP development team just released an update to the core PHP system. It’s a major stability and security enhancement to the 5.2.0 release. Everybody is strongly encouraged to upgrade to this release as soon as possible.

Quoted from the announcement:

Security Enhancements and Fixes in PHP 5.2.1:

  • Fixed possible safe_mode & open_basedir bypasses inside the session extension.
  • Prevent searchs engine from indexing the phpinfo() page.
  • Fixed a number of input processing bugs inside the filter extension.
  • Fixed unserialize() abuse on 64 bit systems with certain input strings.
  • Fixed possible overflows and stack corruptions in the session extension.
  • Fixed an underflow inside the internal sapi_header_op() function.
  • Fixed allocation bugs caused by attempts to allocate negative values in some code paths.
  • Fixed possible stack overflows inside zip, imap & sqlite extensions.
  • Fixed several possible buffer overflows inside the stream filters.
  • Fixed non-validated resource destruction inside the shmop extension.
  • Fixed a possible overflow in the str_replace() function.
  • Fixed possible clobbering of super-globals in several code paths.
  • Fixed a possible information disclosure inside the wddx extension.
  • Fixed a possible string format vulnerability in *print() functions on 64 bit systems.
  • Fixed a possible buffer overflow inside mail() and ibase_{delete,add,modify}_user() functions.
  • Fixed a string format vulnerability inside the odbc_result_all() function.
  • Memory limit is now enabled by default.
  • Added internal heap protection.
  • Extended filter extension support for $_SERVER in CGI and apache2 SAPIs.

The majority of the security vulnerabilities discovered and resolved can in most cases be only abused by local users and cannot be triggered remotely. However, some of the above issues can be triggered remotely in certain situations, or exploited by malicious local users on shared hosting setups utilizing PHP as an Apache module. Therefore, we strongly advise all users of PHP, regardless of the version to upgrade to 5.2.1 release as soon as possible. PHP 4.4.5 with equivalent security corrections will be available shortly.

The key improvements of PHP 5.2.1 include:

  • Several performance improvements in the engine, streams API and some Windows specific optimizations.
  • PDO_MySQL now uses buffered queries by default and emulates prepared statements to bypass limitations of MySQL’s prepared statement API.
  • Many improvements and enhancements to the filter and zip extensions.
  • Memory limit is now always enabled, this includes Windows builds, with a default limit of 128 megabytes.
  • Added several performance optimizations using faster Win32 APIs (this change means that PHP no longer supports Windows 98).
  • FastCGI speed optimized build of PHP for Windows made available for downloading.
  • Over 180 bug fixes.

For users upgrading from PHP 5.0 and PHP 5.1, an upgrade guide is available at http://www.php.net/UPDATE_5_2.txt, detailing the changes between those releases and PHP 5.2.1.

For a full list of changes in PHP 5.2.1, see the ChangeLog (http://www.php.net/ChangeLog-5.php).

The new version compiled without any issue on my Intel Mac and worked like a charm. I do encountered some issues (I’m still working on it) on my production PPC Mac, but most of these occur because of stuff and libraries I’ve used in earlier setups. I wish I still had a second PPC Mac just to be able to clean up my production machine !

Apache documentation updated and migrated

After the first steps on migrating the MySQL documentation and opening up this site I haven’t been sitting idle and waiting for all those new visitors. I’ve been rewriting the Apache2 install and configure documentation that I’ve had on the old site. I just finished it and it’s ready for you to use. I hope you’ll enjoy this version as much as you all did the last one. Just click on over to the Docs section to see it all. When all the documentation has migrated I will enhance the documentation a bit further and I think I’ll show you how to compile and install individual Apache2 modules.

Postfix updated to 2.3.7

Just got an email from the Postfix announcement mailinglist telling me that Wietse has released another update. It fixes minor problems and introduces one incompatibility.

  • postmap support for NIS maps was broken with Postfix 2.3.
  • Workaround to avoid breaking digital signatures for malformed MIME attachments.
  • Incorrect handling of ![address] forms in match lists. such as mynetworks, inet_interfaces etc.

from the announcement:

Incompatible changes with Postfix 2.3.7:
Postfix no longer inserts an empty-line header/body separator into malformed MIME attachments, to avoid breaking digital signatures.

This change introduces ambiguity. Postfix still treats the remainder of the attachment as body content; header_checks rules will therefore not detect forbidden MIME types inside a message/rfc822 attachment.

With the empty-line header/body separator no longer inserted by Postfix, other software may process the malformed attachment differently, and thus may become exposed to forbidden MIME types.

I see no problems in our setup for Postfix as we don’t do any header_checks inside Postfix, we only do that in DSpam and that is not affected as far as I can tell.