[arch-dev-public] Warning on php-apc update
Dear PHP user,
the update from php-apc to version 3.0.17 includes a security fix: http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-1488
But it seems that the other changes of that new version are introducing several problems which will cause PHP to crash. It seems to be quite random but I have seen phpMyAdmin triggering those crashes a lot.
I would recommend disabling APC until this is fixed. My current plan is to downgrade APC to 3.0.16 again and try to backport the security patch only.
Greetings,
Pierre
PS: this bug report seems to be related: http://pecl.php.net/bugs/bug.php?id=13505
-- archlinux.de
On Wednesday, 26 March 2008 22:11:31, Pierre Schmitz wrote:
Dear PHP user,
the update from php-apc to version 3.0.17 includes a security fix: http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-1488
But it seems that the other changes of that new version are introducing several problems which will cause PHP to crash. It seems to be quite random but I have seen phpMyAdmin triggering those crashes a lot.
I would recommend disabling APC until this is fixed. My current plan is to downgrade APC to 3.0.16 again and try to backport the security patch only.
Greetings,
Pierre
PS: this bug report seems to be related: http://pecl.php.net/bugs/bug.php?id=13505
I have downgraded APC and added a backport of the CVE-2008-1488 patch. Please make sure to use php-apc-3.0.16-4.
-- archlinux.de
On Wed, Mar 26, 2008 at 5:00 PM, Pierre Schmitz <pierre@archlinux.de> wrote:
I have downgraded APC and added a backport of the CVE-2008-1488 patch. Please make sure to use php-apc-3.0.16-4.
Weird, this isn't fixed/patchable in 3.0.17? Or is it too recent to tell?
On Wednesday, 26 March 2008 23:17:30, Aaron Griffin wrote:
On Wed, Mar 26, 2008 at 5:00 PM, Pierre Schmitz <pierre@archlinux.de> wrote:
I have downgraded APC and added a backport of the CVE-2008-1488 patch. Please make sure to use php-apc-3.0.16-4.
Weird, this isn't fixed/patchable in 3.0.17? Or is it too recent to tell?
3.0.17 is not fixed yet; it was released on 25.3. I know that going back and forth is not ideal, but this was the best and fastest way to fix the problem. We'll have to wait for an upstream update. (might take a while because the crash is not that easy to reproduce)
-- archlinux.de
On Wed, Mar 26, 2008 at 6:09 PM, Pierre Schmitz <pierre@archlinux.de> wrote:
On Wednesday, 26 March 2008 23:17:30, Aaron Griffin wrote:
On Wed, Mar 26, 2008 at 5:00 PM, Pierre Schmitz <pierre@archlinux.de> wrote:
I have downgraded APC and added a backport of the CVE-2008-1488 patch. Please make sure to use php-apc-3.0.16-4.
Weird, this isn't fixed/patchable in 3.0.17? Or is it too recent to tell?
3.0.17 is not fixed yet; it was released on 25.3. I know that going back and forth is not ideal, but this was the best and fastest way to fix the problem. We'll have to wait for an upstream update. (might take a while because the crash is not that easy to reproduce)
Right. I was more just laughing at upstream here 8)