Re: [PHP] Re: PHP Security Advisory: Vulnerability in PHP versions 4.2.0
At 10:22 AM 7/24/02 -0400, Scott Fletcher wrote:
> It works very nicely. The whole process takes 30 to 45 minutes for just
> one server. I wonder how someone did 12 computers in 10 minutes.
> Cool!

For me the key to upgrading many servers is to compile once, then copy the resulting files to all my other servers. I also compile Apache + mod_ssl + PHP static into one file, so usually all I have to do is copy the httpd file to the other machines. The machines need similar CPUs and identical library versions, but that isn't too hard to do. With Linux it is legal to copy in the new httpd file, then apachectl restart to update the server.

Rick

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] Re: PHP Security Advisory: Vulnerability in PHP versions 4.2.0
On Wednesday 24 July 2002 22:22, Scott Fletcher wrote:
> It works very nicely. The whole process takes 30 to 45 minutes for just
> one server.

You've got a slow computer and/or you type too slow ;-)

> I wonder how someone did 12 computers in 10 minutes.
> Cool!

For me it was a case of 'typing' in 6 commands:

1) download php
2) untar it
3) cd
4) configure
5) make
6) make install

Actually I just copied and pasted those commands, which took me all of 5 seconds to do. So unless you count the download and compilation time, 12 systems in 10 minutes is in the ballpark.

--
Jason Wong -> Gremlins Associates -> www.gremlins.com.hk
Open Source Software Systems Integrators
* Web Design & Hosting * Internet & Intranet Applications Development *

/* Yow! I just went below the poverty line! */
Re: [PHP] Re: PHP Security Advisory: Vulnerability in PHP versions 4.2.0
It works very nicely. The whole process takes 30 to 45 minutes for just one server. I wonder how someone did 12 computers in 10 minutes. Cool!

"Matt Schroebel" <[EMAIL PROTECTED]> wrote in message news:4B08FD7DB3CBD4119F560002A508C453015B38DA@hsus3...
> > From: Scott Fletcher [mailto:[EMAIL PROTECTED]]
> > Sent: Tuesday, July 23, 2002 12:43 PM
> > To: [EMAIL PROTECTED]
> > Subject: Re: [PHP] Re: PHP Security Advisory: Vulnerability
> > in PHP versions 4.2.0
> >
> > I don't know how to apply patches to the PHP software. I just finished
> > upgrading the website to work with PHP 4.2.1 from PHP 4.0.6. And now
> > this. So, just patch it, then configure openssl, mcrypt, curl, modssl,
> > then do the usual stuff for PHP then apache, right??
>
> Rebuilding from source:
> 1. download the new php source, extract it to wherever you do.
> 2. cd to php-4.2.2; copy config.nice from your existing php compile dir (this has your previous compile's configure command).
> 3. Run it:
>    ./config.nice
> 4. make
> 5. apachectl stop
> 6. make install
> 7a. i. If php is a DSO:
>     ii. apachectl start (you're done)
> 7b. i. If php is compiled into apache:
>     ii. cd to apache compile dir
>     iii. make clean
>     iv. ./config.status
>     v. make
>     vi. make install
>     vii. apachectl start (you're done)
Re: [PHP] Re: PHP Security Advisory: Vulnerability in PHP versions 4.2.0
Doing that right now! Just like a basic upgrade.

Thanks,
FletchSOD

"Matt Schroebel" <[EMAIL PROTECTED]> wrote in message news:4B08FD7DB3CBD4119F560002A508C453015B38DA@hsus3...
> > From: Scott Fletcher [mailto:[EMAIL PROTECTED]]
> > Sent: Tuesday, July 23, 2002 12:43 PM
> > To: [EMAIL PROTECTED]
> > Subject: Re: [PHP] Re: PHP Security Advisory: Vulnerability
> > in PHP versions 4.2.0
> >
> > I don't know how to apply patches to the PHP software. I just finished
> > upgrading the website to work with PHP 4.2.1 from PHP 4.0.6. And now
> > this. So, just patch it, then configure openssl, mcrypt, curl, modssl,
> > then do the usual stuff for PHP then apache, right??
>
> Rebuilding from source:
> 1. download the new php source, extract it to wherever you do.
> 2. cd to php-4.2.2; copy config.nice from your existing php compile dir (this has your previous compile's configure command).
> 3. Run it:
>    ./config.nice
> 4. make
> 5. apachectl stop
> 6. make install
> 7a. i. If php is a DSO:
>     ii. apachectl start (you're done)
> 7b. i. If php is compiled into apache:
>     ii. cd to apache compile dir
>     iii. make clean
>     iv. ./config.status
>     v. make
>     vi. make install
>     vii. apachectl start (you're done)
[PHP] Re: PHP Security Advisory: Vulnerability in PHP versions 4.2.0
Hmmm, interesting. I didn't know about this and didn't see it in the docs. So now I know for my next upgrade.

Anyway, my upgrade is in, and through the mails it should be clear to those who thought how terribly difficult and time consuming it is/was to do the upgrades that it was in fact not difficult at all, and seemingly even easier than the way I did it.

Ian

On Wednesday 24 July 2002 01:03, Andrew Chase wrote:
> If all you're doing is applying the patch (not adding/removing any
> extensions), you should be able to use
>
> ./config.nice
>
> which will use all of the configuration commands from your last compile
> (This is an extremely handy thing if your GD/Freetype setup was
> particularly ornery the first time around! ;) )
>
> -Andy
>
> > -----Original Message-----
> > From: Ricky Dhatt [mailto:[EMAIL PROTECTED]]
> >
> > > ./configure --with-mysql --with-apxs=/usr/local/apache/bin/apxs
> > > --with-ldap
> > > make
> > > make install
> > > /usr/local/apache/bin/apachectl restart
> >
> > Hmm...is the configure step really necessary?
RE: [PHP] Re: PHP Security Advisory: Vulnerability in PHP versions 4.2.0
If all you're doing is applying the patch (not adding/removing any extensions), you should be able to use

./config.nice

which will use all of the configuration commands from your last compile (This is an extremely handy thing if your GD/Freetype setup was particularly ornery the first time around! ;) )

-Andy

> -----Original Message-----
> From: Ricky Dhatt [mailto:[EMAIL PROTECTED]]
>
> > ./configure --with-mysql --with-apxs=/usr/local/apache/bin/apxs
> > --with-ldap
> > make
> > make install
> > /usr/local/apache/bin/apachectl restart
>
> Hmm...is the configure step really necessary?
[PHP] Re: PHP Security Advisory: Vulnerability in PHP versions 4.2.0
"Ian Ball" <[EMAIL PROTECTED]> wrote in message news:[EMAIL PROTECTED]...
> patch -p0 < php-4.2.1-to-4.2.2.patch
> cd php-4.2.1
> ./configure --with-mysql --with-apxs=/usr/local/apache/bin/apxs --with-ldap
> make
> make install
> /usr/local/apache/bin/apachectl restart

Hmm...is the configure step really necessary?

--Ricky
RE: [PHP] Re: PHP Security Advisory: Vulnerability in PHP versions 4.2.0
> From: Scott Fletcher [mailto:[EMAIL PROTECTED]]
> Sent: Tuesday, July 23, 2002 12:43 PM
> To: [EMAIL PROTECTED]
> Subject: Re: [PHP] Re: PHP Security Advisory: Vulnerability
> in PHP versions 4.2.0
>
> I don't know how to apply patches to the PHP software. I just finished
> upgrading the website to work with PHP 4.2.1 from PHP 4.0.6. And now
> this. So, just patch it, then configure openssl, mcrypt, curl, modssl,
> then do the usual stuff for PHP then apache, right??

Rebuilding from source:
1. download the new php source, extract it to wherever you do.
2. cd to php-4.2.2; copy config.nice from your existing php compile dir (this has your previous compile's configure command).
3. Run it:
   ./config.nice
4. make
5. apachectl stop
6. make install
7a. i. If php is a DSO:
    ii. apachectl start (you're done)
7b. i. If php is compiled into apache:
    ii. cd to apache compile dir
    iii. make clean
    iv. ./config.status
    v. make
    vi. make install
    vii. apachectl start (you're done)
Re: [PHP] Re: PHP Security Advisory: Vulnerability in PHP versions 4.2.0
Amended to this recent posting. Already started a new posting from scratch.

"Scott Fletcher" <[EMAIL PROTECTED]> wrote in message news:[EMAIL PROTECTED]...
> I don't know how to apply patches to the PHP software. I just finished
> upgrading the website to work with PHP 4.2.1 from PHP 4.0.6. And now
> this. So, just patch it, then configure openssl, mcrypt, curl, modssl,
> then do the usual stuff for PHP then apache, right??
>
> "Adam Alkins" <[EMAIL PROTECTED]> wrote in message
> news:050a01c231c2$d483f770$aa9303c4@alkins...
> > Any real programmer should know that almost nothing is bug free, even if
> > you test it beyond your imagination. Something is always going to elude
> > you and be found by someone experimenting down the road.
> >
> > For the widespread use of PHP, I'm rather impressed by the small amount of
> > vulnerabilities discovered in PHP so far.
> >
> > Some humans are just never ever satisfied...
> >
> > --
> > Adam Alkins
> > http://www.rasadam.com
Re: [PHP] Re: PHP Security Advisory: Vulnerability in PHP versions 4.2.0
I don't know how to apply patches to the PHP software. I just finished upgrading the website to work with PHP 4.2.1 from PHP 4.0.6. And now this. So, just patch it, then configure openssl, mcrypt, curl, modssl, then do the usual stuff for PHP then apache, right??

"Adam Alkins" <[EMAIL PROTECTED]> wrote in message news:050a01c231c2$d483f770$aa9303c4@alkins...
> Any real programmer should know that almost nothing is bug free, even if you
> test it beyond your imagination. Something is always going to elude you and
> be found by someone experimenting down the road.
>
> For the widespread use of PHP, I'm rather impressed by the small amount of
> vulnerabilities discovered in PHP so far.
>
> Some humans are just never ever satisfied...
>
> --
> Adam Alkins
> http://www.rasadam.com
Re: [PHP] Re: PHP Security Advisory: Vulnerability in PHP versions 4.2.0
Any real programmer should know that almost nothing is bug free, even if you test it beyond your imagination. Something is always going to elude you and be found by someone experimenting down the road.

For the widespread use of PHP, I'm rather impressed by the small amount of vulnerabilities discovered in PHP so far.

Some humans are just never ever satisfied...

--
Adam Alkins
http://www.rasadam.com
[PHP] Re: PHP Security Advisory: Vulnerability in PHP versions 4.2.0
[delete some flaming]

Hehe, and I thought I had to go to USENET to see a flamewar. This is great, a flamewar delivered directly to my mailbox, it doesn't get better...

Let me put my $0.02 in. Security holes happen, no matter what software you use. PHP and open source in general, unlike M$, does not have a new virus of the week, or security hole of the month. Their recent couple of announcements is bad luck, not bad design/development, and I still happily stand by the PHP guys. I think PHP users should also be grateful that the PHP guys have said there is a need to upgrade to fix this hole, rather than just put out a new release and hope most people see it and think "great, a new version, I will upgrade".

As for the implied terrible difficulty of upgrading, on my Linux systems it was tragically complicated - I chose to patch my 4.2.1 source, then recompile, install and restart apache:

patch -p0 < php-4.2.1-to-4.2.2.patch
cd php-4.2.1
./configure --with-mysql --with-apxs=/usr/local/apache/bin/apxs --with-ldap
make
make install
/usr/local/apache/bin/apachectl restart

Yes, with a script like this, it is terribly complicated. This whole process took less than 5 minutes. I had to do it on three machines, and there were no problems to be seen. If you are going to whine about having to upgrade software because of security holes, get off the net, it would be easier and take much less precious time.

That's my $0.02 (or in my case 0.02 Euro).

Now I will go back to trying to work out my ldap problems.

Ian
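Ian's script above and Matt Schroebel's "Rebuilding from source" steps earlier in the thread describe the same job; the difference that matters is whether PHP is an Apache DSO or compiled into httpd. The helper below is an added example written for this page, not code from either poster: it reads a saved config.nice to decide which of Matt's paths (7a or 7b) applies, prints the matching command sequence, and checks a `php -v` line against the advisory's affected versions afterwards. The function names and the source-tree paths passed to them are hypothetical.

```shell
#!/bin/sh
# Added example, not from the thread. Helper names and paths are hypothetical.
set -e

# php_link_mode CONFIG_NICE
# --with-apxs / --with-apxs2 in the saved configure line means PHP is an
# Apache DSO (Matt's path 7a); anything else is treated as a static build
# into httpd (path 7b), which needs the Apache tree rebuilt as well.
php_link_mode() {
    if grep -Eq -- '--with-apxs2?([= ]|$)' "$1"; then
        echo dso
    else
        echo static
    fi
}

# rebuild_steps MODE PHP_SRC_DIR APACHE_SRC_DIR
# Print the command sequence for MODE, one command per line, in the order
# Matt gave it: configure and build first, stop Apache only for the install.
rebuild_steps() {
    mode=$1; phpsrc=$2; apsrc=$3
    echo "cd $phpsrc && ./config.nice && make"
    echo "apachectl stop"
    echo "make install"
    if [ "$mode" = static ]; then
        echo "cd $apsrc && make clean && ./config.status && make && make install"
    fi
    echo "apachectl start"
}

# php_version_fixed "PHP x.y.z ..."
# Takes the first line of 'php -v' output; succeeds unless the version is one
# of the two the advisory names (4.2.0, 4.2.1) or cannot be parsed at all.
php_version_fixed() {
    ver=$(echo "$1" | sed -n 's/^PHP \([0-9][0-9.]*\).*/\1/p')
    case "$ver" in
        4.2.0|4.2.1) return 1 ;;
        '')          return 1 ;;
        *)           return 0 ;;
    esac
}
```

Run `rebuild_steps "$(php_link_mode /path/to/php-4.2.1/config.nice)" /path/to/php-4.2.2 /path/to/apache` to see the plan before executing it.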
[PHP] Re: PHP Security Advisory: Vulnerability in PHP versions 4.2.0 and 4.2.1
Yes. Please post something to php.announce! Nothing ever gets announced in there anymore.

"Steve Meyers" <[EMAIL PROTECTED]> wrote in message news:[EMAIL PROTECTED]...
> Can you post this to php.announce as well?
>
> Marko Karppinen wrote:
> > PHP Security Advisory: Vulnerability in PHP versions 4.2.0 and 4.2.1
> >
> > Issued on: July 22, 2002
> > Software: PHP versions 4.2.0 and 4.2.1
> > Platforms: All
> >
> > The PHP Group has learned of a serious security vulnerability in PHP
> > versions 4.2.0 and 4.2.1. An intruder may be able to execute arbitrary
> > code with the privileges of the web server. This vulnerability may be
> > exploited to compromise the web server and, under certain conditions,
> > to gain privileged access.
> >
> > Description
> >
> > PHP contains code for intelligently parsing the headers of HTTP POST
> > requests. The code is used to differentiate between variables and files
> > sent by the user agent in a "multipart/form-data" request. This parser
> > has insufficient input checking, leading to the vulnerability.
> >
> > The vulnerability is exploitable by anyone who can send HTTP POST
> > requests to an affected web server. Both local and remote users, even
> > from behind firewalls, may be able to gain privileged access.
> >
> > Impact
> >
> > Both local and remote users may exploit this vulnerability to
> > compromise the web server and, under certain conditions, to gain
> > privileged access. So far only the IA32 platform has been verified to
> > be safe from the execution of arbitrary code. The vulnerability can
> > still be used on IA32 to crash PHP and, in most cases, the web server.
> >
> > Solution
> >
> > The PHP Group has released a new PHP version, 4.2.2, which incorporates
> > a fix for the vulnerability. All users of affected PHP versions are
> > encouraged to upgrade to this latest version. The downloads web site at
> >
> > http://www.php.net/downloads.php
> >
> > has the new 4.2.2 source tarballs, Windows binaries and source patches
> > from 4.2.0 and 4.2.1 available for download.
> >
> > Workaround
> >
> > If the PHP applications on an affected web server do not rely on HTTP
> > POST input from user agents, it is often possible to deny POST requests
> > on the web server.
> >
> > In the Apache web server, for example, this is possible with the
> > following code included in the main configuration file or a top-level
> > .htaccess file:
> >
> > <Limit POST>
> > Order deny,allow
> > Deny from all
> > </Limit>
> >
> > Note that an existing configuration and/or .htaccess file may have
> > parameters contradicting the example given above.
> >
> > Credits
> >
> > The PHP Group would like to thank Stefan Esser of e-matters GmbH for
> > discovering this vulnerability.
> >
> > Copyright (c) 2002 The PHP Group.
Re: [PHP] Re: PHP Security Advisory: Vulnerability in PHP versions 4.2.0 and 4.2.1
Hi all,

Just wanting to notify everyone that the link for the PHP 4.2.2 download is broken.

-Stathis.

--
Rouvas Stathis
[EMAIL PROTECTED]
http://www.di.uoa.gr/~rouvas
[PHP] Re: PHP Security Advisory: Vulnerability in PHP versions 4.2.0 and 4.2.1
Can you post this to php.announce as well?

Marko Karppinen wrote:
> PHP Security Advisory: Vulnerability in PHP versions 4.2.0 and 4.2.1
>
> Issued on: July 22, 2002
> Software: PHP versions 4.2.0 and 4.2.1
> Platforms: All
>
> The PHP Group has learned of a serious security vulnerability in PHP
> versions 4.2.0 and 4.2.1. An intruder may be able to execute arbitrary
> code with the privileges of the web server. This vulnerability may be
> exploited to compromise the web server and, under certain conditions,
> to gain privileged access.
>
> Description
>
> PHP contains code for intelligently parsing the headers of HTTP POST
> requests. The code is used to differentiate between variables and files
> sent by the user agent in a "multipart/form-data" request. This parser
> has insufficient input checking, leading to the vulnerability.
>
> The vulnerability is exploitable by anyone who can send HTTP POST
> requests to an affected web server. Both local and remote users, even
> from behind firewalls, may be able to gain privileged access.
>
> Impact
>
> Both local and remote users may exploit this vulnerability to
> compromise the web server and, under certain conditions, to gain
> privileged access. So far only the IA32 platform has been verified to
> be safe from the execution of arbitrary code. The vulnerability can
> still be used on IA32 to crash PHP and, in most cases, the web server.
>
> Solution
>
> The PHP Group has released a new PHP version, 4.2.2, which incorporates
> a fix for the vulnerability. All users of affected PHP versions are
> encouraged to upgrade to this latest version. The downloads web site at
>
> http://www.php.net/downloads.php
>
> has the new 4.2.2 source tarballs, Windows binaries and source patches
> from 4.2.0 and 4.2.1 available for download.
>
> Workaround
>
> If the PHP applications on an affected web server do not rely on HTTP
> POST input from user agents, it is often possible to deny POST requests
> on the web server.
>
> In the Apache web server, for example, this is possible with the
> following code included in the main configuration file or a top-level
> .htaccess file:
>
> <Limit POST>
> Order deny,allow
> Deny from all
> </Limit>
>
> Note that an existing configuration and/or .htaccess file may have
> parameters contradicting the example given above.
>
> Credits
>
> The PHP Group would like to thank Stefan Esser of e-matters GmbH for
> discovering this vulnerability.
>
> Copyright (c) 2002 The PHP Group.
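The advisory's workaround only helps if nothing in the same block re-opens POST, which is the contradiction its closing note warns about: under Apache's default Order deny,allow, a later "Allow from" line wins over "Deny from all". The check below is an added example, not part of the advisory or of PHP; `post_limit_state` is a hypothetical helper name. It scans an httpd.conf or .htaccess file for a Limit block covering POST and reports whether POST is actually denied.

```shell
#!/bin/sh
# Added example, not part of the advisory. Helper name is hypothetical.

# post_limit_state FILE
# Prints one of:
#   denied     - a <Limit ... POST ...> block denies from all and nothing re-opens it
#   overridden - the block exists, but an "Allow from" line wins under Order deny,allow
#   missing    - no <Limit> block covering POST was found
post_limit_state() {
    awk '
        { line = tolower($0); sub(/^[ \t]+/, "", line) }
        # Opening tag: <Limit POST>, <Limit POST PUT>, ... (not <LimitExcept>)
        line ~ /^<limit[ \t]/ && line ~ /post/ {
            inblk = 1; order = ""; deny = 0; allow = 0; next
        }
        inblk && line ~ /^<\/limit>/ {
            inblk = 0
            # Default Order is deny,allow, so an Allow line beats Deny from all
            # unless the block explicitly says Order allow,deny.
            if (deny && (order == "ad" || !allow)) denied = 1
            else if (deny && allow) overridden = 1
            next
        }
        inblk && line ~ /^order[ \t]+deny[ \t]*,[ \t]*allow/ { order = "da" }
        inblk && line ~ /^order[ \t]+allow[ \t]*,[ \t]*deny/ { order = "ad" }
        inblk && line ~ /^deny[ \t]+from[ \t]+all/          { deny = 1 }
        inblk && line ~ /^allow[ \t]+from/                   { allow = 1 }
        END {
            if (denied) print "denied"
            else if (overridden) print "overridden"
            else print "missing"
        }
    ' "$1"
}
```

Run it against every .htaccess in the document root as well as httpd.conf, since the advisory notes that either file may carry the block.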