As I have not received any feedback on this I am going to assume that I have taken the correct approach and I will be uploading php5 later today, followed by a clean build then upload of php-pecl-http tomorrow (utilizing the new php5 once it is available in the archive).
Regards,

-Roberto

On Sun, Sep 15, 2019 at 07:29:24AM -0400, Roberto C. Sánchez wrote:
> Hello all,
>
> I wanted to follow-up on the issue of building PHP extensions in jessie.
>
> On Sat, Sep 07, 2019 at 11:34:46AM -0400, Roberto C. Sánchez wrote:
> > Hello all,
> >
> > In working on an update for php-pecl-http I discovered that (all? nearly
> > all?) PHP extensions fail to build in jessie because of a bug in php5.
> > Specifically, the bug is #805222.
> >
> > It appears that jessie was originally released with PHP 5.6.7 and the
> > bug in question became known when PHP 5.6.16 was in unstable. A fix was
> > made to php5 and the separate php-pear package in unstable, but fixes
> > were never made to jessie while it was stable or oldstable.
> >
> > It seems that this update of php-pecl-http is the first PECL extension
> > security update in jessie, which is why this problem has not previously
> > appeared. Though, the last comment on #805222 indicates that at least
> > one user attempted to rebuild a PECL extension in jessie/stable and
> > encountered the failure. No action was taken on his follow-up to the
> > bug.
> >
> In exploring the history of php5 in unstable, version 5.6.16+dfsg-3
> contained this changelog entry:
>
>   * Revert PEAR version to last working version from PHP 5.6.14
>     (Closes: #805222)
>
> Based on that I downloaded the 5.6.14 release archive from upstream and
> used that to replace the PEAR in the jessie version in the same way that
> Ondřej did in that version.
>
> > I have added php5 to dla-needed.txt and, unless there are objections, it
> > is my intention to begin working on an update that addresses this bug in
> > jessie. I would then test it in an environment where I could attempt to
> > build php-pecl-http to 1) verify that php5 is actually fixed with regard
> > to #805222, and 2) that php-pecl-http can be made to build from source.
> >
> After replacing PEAR as described above, I built php5, installed it in a
> jessie chroot and then was able to successfully build php-pecl-http.
>
> My proposed course of action is:
>
> - Upload a php5 update with this change:
>
> php5 (5.6.40+dfsg-0+deb8u6) jessie-security; urgency=high
>
>   * Non-maintainer upload by the LTS Team.
>   * Revert PEAR version to last working version from PHP 5.6.14
>     (Closes: #805222)
>
>  -- Roberto C. Sanchez <[email protected]> Sun, 15 Sep 2019 07:02:48 -0400
>
> - Release a DLA describing the reason for the update/change
> - In addition to the CVE-2016-7398 patch to php-pecl-http, include this
> change:
>
> diff --git a/debian/control b/debian/control
> index 9e1da87..db7b4b3 100644
> --- a/debian/control
> +++ b/debian/control
> @@ -3,8 +3,9 @@ Section: web
> Priority: optional
> Maintainer: Facundo Guerrero <[email protected]>
> Uploaders: Ulises Vitulli <[email protected]>
> -Build-Depends: debhelper (>= 9), po-debconf, xsltproc, php5-dev, dh-php5,
> - pkg-php-tools (>= 1.6), php5-raphf-dev, php5-propro-dev, libpcre3-dev,
> chrpath
> +Build-Depends: debhelper (>= 9), po-debconf, xsltproc, php5-dev (>=
> 5.6.40+dfsg-0+deb8u6), dh-php5,
> + pkg-php-tools (>= 1.6), php5-raphf-dev, php5-propro-dev, libpcre3-dev,
> chrpath,
> + php-pear (>= 5.6.40+dfsg-0+deb8u6)
> Standards-Version: 3.9.5
> Homepage: http://pecl.php.net/package/pecl_http
>
> - Proceed with the normal upload/advisory process for php-pecl-http
>
> The main items where I would like to make sure I have not overlooked
> something important are:
>
> - Does updating php5 in this way make sense/seem appropriate?
> - Does the change to Build-Depends in php-pecl-http seem
> correct/necessary?
>
> Unless I hear any objections or suggested alternatives I intend to go
> ahead with the steps outlined above late this week.
>
> Regards,
>
> -Roberto
>
> --
> Roberto C. Sánchez

--
Roberto C. Sánchez
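
Review bot: In the added Build-Depends lines, the two new floors `php5-dev (>= 5.6.40+dfsg-0+deb8u6)` and `php-pear (>= 5.6.40+dfsg-0+deb8u6)` carry no explanation in debian/control, so a later reader cannot tell from the package why they exist or when they can be dropped. A debian/changelog entry for php-pecl-http that names #805222 as the reason for both constraints would cover that. Separately, the hunk as pasted has been wrapped by the mail client: `chrpath`, `5.6.40+dfsg-0+deb8u6), dh-php5,` and `chrpath,` sit on lines with no `+` or `-` prefix, so it will not apply as quoted and is better sent as an attachment.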
