Please upgrade php5 to new upstream version 5.2.9

Bug #305393 reported by Micah Gersten on 2008-12-05
This bug affects 5 people
Affects: php5 (Ubuntu)
Importance: Wishlist
Assigned to: Unassigned
Declined for Jaunty by Steve Langasek

Bug Description

Binary package hint: php5

Can this go into Jaunty?

Changed in php5:
importance: Undecided → Wishlist
status: New → Triaged

Looks reasonable to me according to the changelog.

chuck

Micah Gersten (micahg) wrote :

Received Blog notification of potential bug:
http://www.macvicar.net/blog/2008/12/critical-bug-in-php-527.html

Here's the text:
Critical Bug in PHP 5.2.7

PHP 5.2.7 was released on Thursday but unfortunately a critical bug was introduced during the release candidate process that essentially fully disables magic_quotes_gpc even when it’s marked as enabled. The end result being that if you relied on magic_quotes_gpc being enabled it’s now not, potentially a security issue.

The other problem is that even if you don’t rely on it being enabled but have an application which attempts to undo the work of magic_quotes_gpc you may end up with some data loss. Such code is present within most applications that want to work with it disabled.

This has been fixed in CVS so you can grab a snapshot if you've already upgraded to PHP 5.2.7, if not then hold out for PHP 5.2.8 which should appear early next week.

If magic_quotes_gpc doesn’t matter to you and you normally run with it disabled then this doesn’t really matter.
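
Added example, not part of the original thread or the quoted blog post: a Python model of PHP's addslashes()/stripslashes() that reproduces both effects described above, unescaped input reaching an application that relied on magic_quotes_gpc, and data loss in "undo" code. The function names `receive` and `build_query`, the sample inputs, and the assumption that the setting is still reported as on while no escaping happens are constructed for illustration.

```python
# Added illustration: a Python model of PHP string escaping, not PHP source.
# Assumption: under the 5.2.7 regression the ini setting still reads "on"
# while the engine applies no escaping to request data.

def addslashes(s):
    """Model of PHP addslashes(): what magic_quotes_gpc applies to input."""
    out = []
    for ch in s:
        if ch in ("'", '"', "\\"):
            out.append("\\" + ch)
        elif ch == "\0":
            out.append("\\0")
        else:
            out.append(ch)
    return "".join(out)

def stripslashes(s):
    """Model of PHP stripslashes(): the usual 'undo magic quotes' step."""
    out, i = [], 0
    while i < len(s):
        if s[i] == "\\":
            i += 1                                  # drop the backslash
            if i < len(s):
                out.append("\0" if s[i] == "0" else s[i])
                i += 1
        else:
            out.append(s[i])
            i += 1
    return "".join(out)

def receive(raw, ini_on, engine_escapes):
    """Return (value the app sees, value after the app's undo code).
    ini_on: the setting the undo code checks before stripping slashes.
    engine_escapes: whether the engine really escaped the input."""
    seen = addslashes(raw) if engine_escapes else raw
    undone = stripslashes(seen) if ini_on else seen
    return seen, undone

def build_query(value):
    # Legacy pattern at risk: escaping is left entirely to magic quotes.
    return "SELECT * FROM users WHERE name = '" + value + "'"

if __name__ == "__main__":
    for label, escapes in (("working", True), ("5.2.7 regression", False)):
        seen, _ = receive("O'Brien", True, escapes)          # constructed input
        _, undone = receive(r"C:\temp\new", True, escapes)   # constructed input
        print(label, "| query:", build_query(seen), "| after undo:", undone)
```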

Micah Gersten (micahg) wrote :

It's been officially removed from php.net, here's the announcement:

PHP 5.2.7 has been removed from distribution
[07-Dec-2008]

Due to a security bug found in the PHP 5.2.7 release, it has been removed from distribution. The bug affects configurations where magic_quotes_gpc is enabled, because it remains off even when set to on. In the meantime, use PHP 5.2.6 until PHP 5.2.8 is later released.

Not sure what to do with this request.

Thanks.

Chris Coulson (chrisccoulson) wrote :

We can just wait until 5.2.8 is released

Micah Gersten (micahg) wrote :

PHP 5.2.8 Released!
[08-Dec-2008]

The PHP development team would like to announce the immediate availability of PHP 5.2.8. This release addresses a regression introduced by 5.2.7 in regard to the magic_quotes functionality, that was broken by an incorrect fix to the filter extension. All users who have upgraded to 5.2.7 are encouraged to upgrade to this release, alternatively you can apply a work-around for the bug by changing "filter.default_flags=0" in php.ini.

I am using a PPA for PHP 5.2.8. If anybody wants to update to 5.2.8, please put this into sources.list:

deb http://ppa.launchpad.net/tarkus/ubuntu intrepid main
deb-src http://ppa.launchpad.net/tarkus/ubuntu intrepid main

PPA: https://launchpad.net/~tarkus/+archive

ep (ep-exvere) wrote :

My apologies if this is not the appropriate place to ask, but how can I upgrade to php 5.2.8 with apt-get if I have 5.2.6 installed? I am new to the deb package system and am being impacted by a bug in 5.2.6. I have added Ari's two URLs to my sources.list, but I have been unsuccessful figuring out the upgrade procedure. Any help would be appreciated. Thanks!

Artur Rona (ari-tczew) wrote :

If you have correctly added ~tarkus's repos, type this in the console:

sudo apt-get update
sudo apt-get upgrade

If php isn't updated, type this:

sudo apt-get dist-upgrade

Artur Rona (ari-tczew) wrote :

Will php 5.2.8 be added into jaunty?

On Tue, Mar 3, 2009 at 11:42 AM, Ari <email address hidden> wrote:
> Will php 5.2.8 be added into jaunty?

Sorry, no. We are past Feature Freeze for Jaunty, so it will have
php5_5.2.6 + patches.

--
:-Dustin

Dustin Kirkland  (kirkland) wrote :

Of course, it will be upgraded for Karmic...

:-Dustin

Micah Gersten (micahg) wrote :

This should be closed if 5.2.9 makes it into debian unstable.

Phil Bayfield (philio) wrote :

PHP 5.2.8 release was 8th December 2008
Jaunty feature freeze was February 19th 2009

Yet Jaunty ships with 5.2.6, bit of a let down for people running server edition and wanting useful updates...

Hmm, interestingly, it seems that the appendage of ".dfsg.1-3ubuntu2"
onto Ubuntu's php5 versioning seems to break the merge analysis and
the grab-merge.sh script.

It seems that php5 slipped through the cracks for Jaunty.

Unfortunately, that means it's probably too late at this point. Sorry.

:-Dustin

Dustin Kirkland  (kirkland) wrote :

Sorry, disregard my last comment.

The trouble is that Debian is still on php 5.2.6.dfsg.1-3, and we draw
from Debian for this package.

See:
 * http://packages.qa.debian.org/p/php5.html

:-Dustin

Ragimiri (ragimiri) wrote :

I have a problem with this bug:

http://bugs.php.net/bug.php?id=42862

Will this be fixed in Ubuntu Server 8.10?

dmuir (dmuir) wrote :

5.2.9 has recently been merged into Debian testing from Debian unstable:
http://packages.qa.debian.org/p/php5/news/20090512T163920Z.html

Can we please have 5.2.9 in Karmic?

papukaija (papukaija) wrote :

PHP 5.2.9 has some security fixes. Can we have it in Jaunty too?
http://www.php.net/ChangeLog-5.php#5.2.9

papukaija (papukaija) on 2009-05-20
security vulnerability: no → yes
Artur Rona (ari-tczew) on 2009-06-07
Changed in php5 (Ubuntu):
status: Triaged → Fix Released