From owner-freebsd-stable@FreeBSD.ORG Sat Dec 26 12:39:56 2009
Date: Sat, 26 Dec 2009 04:39:53 -0800
From: Jeremy Chadwick
To: freebsd-stable@freebsd.org
Message-ID: <20091226123953.GA8864@icarus.home.lan>
References: <4B344459.4020202@ellicit.org> <4B35FC4C.7050100@unsane.co.uk>
In-Reply-To: <4B35FC4C.7050100@unsane.co.uk>
Subject: Re: php5-5.2.11_1 Vulnerabilities

On Sat, Dec 26, 2009 at 12:06:36PM +0000, Vincent Hoffman wrote:
> Xin LI wrote:
> > I think ale@ has posted a patch to update it to PHP 5.3.1 which is not
> > vulnerable. Is it an option for you?
> >
> > http://www.alexdupre.com/php53.diff
> >
> We've found 5.3 is different enough from 5.2 at work that a number of
> customers have needed downgrading again after upgrading. (We're a Linux
> shop but the same theory applies.) A particular gotcha was the removal of
> the mhash module, which is used by plenty of shopping cart code (it's now
> emulated by the built-in hash stuff, but php configure needs the
> --with-mhash flag, and because it's emulated it can't be built as a
> module). Test thoroughly if you're thinking of moving to PHP 5.3.
> However, as yet various stuff that's in the php5.2.11 port isn't
> available or has changed a bit for 5.2.12. For example, the Suhosin
> hardening patch isn't available for 5.2.12 yet (people taking time off
> for the holidays, I'd guess ;)

People said the exact same thing about PHP 4 --> PHP 5. "Oh crap, don't
upgrade, it'll break all kinds of stuff!" In that case, it was the
migration to $_GET, $_POST, and $_COOKIE with register_globals being
disabled by default. There were other changes which stomped on people as
well.

Then there was an OO change between minor versions of PHP 5 where code
that was previously allowed now started throwing "Cannot access empty
property" errors. This was because $this->$var (where $var is a variable
defined within the class itself) should have been $this->var, but PHP let
people get away with it... until that update.

Have you taken the time to investigate the major changes in PHP 6[1]? The
major ones which are going to bite you are below. The latter two probably
won't hurt that many, but the first two will.

- Removal of magic_quotes
- Removal of ereg(), eregi(), ereg_replace(), and ereg_replacei()
- Removal of register_long_arrays
- Removal of register_globals

Let's not forget the huge battle that ensued amongst PHP devteam folks, as
well as between devs and users, when it came to what the namespace
separator string should be. They ultimately agreed upon "::", which is
what every other language uses, but did you know that the initial
implementation, which is what sparked the argument, was to use "\"? Check
out some of the other proposals[2], including ":)" (yes, really).

PHP is a horrible language. You're screwed no matter which way you go with
it -- if you stay with an old version you're likely susceptible to
security holes, while if you upgrade to a new version you're susceptible
to breakage because the core language was never truly engineered -- just
a bunch of monkeys banging on pots. I say this as both someone who does
web hosting and codes in PHP.

I often wonder what the point of PHP is given Markup::Perl[3]'s existence.

[1]: http://www.ibm.com/developerworks/opensource/library/os-php-future/
[2]: http://wiki.php.net/rfc/namespaceseparator
[3]: http://search.cpan.org/~mmathews/Markup-Perl-0.5/lib/Markup/Perl.pm

-- 
| Jeremy Chadwick                                   jdc@parodius.com |
| Parodius Networking                       http://www.parodius.com/ |
| UNIX Systems Administrator                  Mountain View, CA, USA |
| Making life hard for others since 1977.              PGP: 4BD6C0CB |
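The migration points raised in the thread (register_globals, the $this->$var property bug, the ereg() family, and the mhash module that PHP 5.3 only emulates via the hash extension) are collected below as an added example; it is not code from the thread, the FreeBSD port, or PHP itself. Each item shows the pre-5.3 pattern beside a form that does not depend on the removed or deprecated behaviour. All function and class names (is_admin_legacy, Counter, valid_username, digest, and so on) and the sample inputs are constructed for the illustration; it assumes PHP 5.3 or later with the hash extension, and the legacy functions are defined but never called, since ereg() warns on 5.3 and mhash() only exists when built with --with-mhash.

```php
<?php
// Added example (not from the mailing-list thread). PHP 5.2 -> 5.3
// migration points, old pattern beside the form that survives the upgrade.
// Assumptions: PHP >= 5.3, hash extension available, all names hypothetical.

// 1. register_globals. Code that read request variables as plain globals
//    only worked with register_globals=On, and with it on a request could
//    preset a variable such as $admin before the check ran; that is why the
//    default flipped to Off and the superglobals ($_GET/$_POST/$_COOKIE/
//    $_SESSION) became the supported way to reach request data.
function is_admin_legacy()
{
    global $admin;              // silently undefined once register_globals is off
    if (!isset($admin)) {
        $admin = false;         // intended default; never reached if the request set it
    }
    return (bool) $admin;
}

// Explicit form: the flag is read from a named array the application
// controls and compared strictly, so request parameters cannot preset it.
function is_admin(array $session)
{
    return isset($session['admin']) && $session['admin'] === true;
}

// 2. $this->$var vs $this->var. The first reads a property whose *name* is
//    the value of $var; when $var is empty PHP reports "Cannot access empty
//    property". The second accesses the property directly, as intended.
class Counter
{
    private $count = 0;

    public function incrementBuggy()
    {
        $var = 'count';          // works only while $var happens to hold the name
        return ++$this->$var;    // dynamic property lookup by value of $var
    }

    public function increment()
    {
        return ++$this->count;   // direct access, what was meant all along
    }
}

// 3. ereg()/eregi() family. Port to PCRE, adding delimiters and keeping the
//    anchors so the validation stays as strict as before.
function valid_username_legacy($name)
{
    return (bool) ereg('^[a-z][a-z0-9_]{2,15}$', $name); // deprecated in 5.3, gone later
}

function valid_username($name)
{
    return (bool) preg_match('/^[a-z][a-z0-9_]{2,15}$/', $name);
}

// 4. mhash module. In 5.3 it is emulated by the hash extension behind
//    --with-mhash; calling hash() directly removes that build-time dependency.
function digest_legacy($data)
{
    return bin2hex(mhash(MHASH_SHA256, $data)); // needs the --with-mhash emulation
}

function digest($data)
{
    return hash('sha256', $data);
}

// Constructed demo input; only the migrated forms are exercised.
$session = array('admin' => false);
var_dump(is_admin($session));
$c = new Counter();
var_dump($c->increment());
var_dump(valid_username('jdc_01'));
var_dump(valid_username('1bad'));
var_dump(digest('example') === hash('sha256', 'example'));
```

Running a build of the port with each of the legacy functions actually invoked is the quickest way to see which of these a 5.2 codebase still relies on: ereg() raises E_DEPRECATED on 5.3, mhash() is undefined without --with-mhash, and the $this->$var form fails only when $var is empty, which is why it tends to surface in production rather than in tests.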