Publish PHP 5.1.4 security fixes for dapper

Bug #42562 reported by Laurent CHARTRAIN
Affects: php5 (Ubuntu)
Status: Fix Released
Importance: Medium
Assigned to: Adam Conrad
Milestone: (none)

Bug Description

Hello,

PHP 5.1.3 is out
http://www.php.net/release_5_1_3.php

A lot of security issues have been resolved:
    * Disallow certain characters in session names.
    * Fixed a buffer overflow inside the wordwrap() function.
    * Prevent jumps to parent directory via the 2nd parameter of the tempnam() function.
    * Enforce safe_mode for the source parameter of the copy() function.
    * Fixed cross-site scripting inside the phpinfo() function.
    * Fixed offset/length parameter validation inside the substr_compare() function.
    * Fixed a heap corruption inside the session extension.
    * Fixed a bug that would allow variable to survive unset().

Also some minor improvements and bug fixes.

I think it should be in Dapper: because it will be an LTS release, it must have at least the latest version by default.

Thanks.

Gaëtan Petit (gaetanp) wrote :

I assign this to the security team.
I hope this was not for the motu-uvf ...

Changed in php5:
assignee: nobody → ubuntu-security
status: Unconfirmed → Needs Info
Laurent CHARTRAIN (darksilver) wrote :

PHP 5.1.4 is out
http://www.php.net/ChangeLog-5.php#5.1.4

Fixes some important bugs (and security fixes since 5.1.3).

I think dapper MUST have the latest version of PHP, which has a lot of improvements compared to PHP 5.1.2 (the dapper version as I'm writing this), because for an LTS distro it's better to start with the latest available version.

Having an obsolete version for a 5-year support distro sounds very strange to me.

As the PHP.net website says: "All PHP users are encouraged to upgrade to this release as soon as possible."

Matt Zimmerman (mdz)
Changed in php5:
assignee: ubuntu-security → pitti
Martin Pitt (pitti) wrote : Re: Upgrade to PHP 5.1.4 for dapper (security fixes)

I talked with Adam, he will prepare the new version soon.

Changed in php5:
assignee: pitti → adconrad
status: Needs Info → Confirmed
Nick Jenkins (nickpj) wrote :

CVE entries for some of the above security issues that are resolved in PHP 5.1.4, but which are present in PHP 5.1.2:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-1990
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-1991
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-0996
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-1494

PHP 5.1.4 also contains the "Removed the E_STRICT deprecation notice from 'var'" change, which is a small but useful alteration that makes 'var' use in classes in PHP5 backwards-compatible to the PHP 4 releases, and forwards-compatible to PHP 6.

All the best,
Nick.

omni-vi (catcher) wrote :

Hi

What happens to bugs like this one now that Dapper is out?
Will they still be fixed?

All the best,
Omni-vi

Martin Pitt (pitti) wrote : Re: [Bug 42562] Re: Upgrade to PHP 5.1.4 for dapper (security fixes)

Hi,

omni-vi [2006-06-06 17:00 -0000]:
> Hi
>
> What happens to bugs like this one now that Dapper is out?
> Will they still be fixed?

We'll fix at least the security vulnerabilities, of course.

Martin

--
Martin Pitt http://www.piware.de
Ubuntu Developer http://www.ubuntu.com
Debian Developer http://www.debian.org

In a world without walls and fences, who needs Windows and Gates?

Mike (mail-mbaierl) wrote : Re: Upgrade to PHP 5.1.4 for dapper (security fixes)

Will your new release also fix http://bugs.php.net/bug.php?id=37790 ?
It's very annoying that web services cannot be used together with Ubuntu 6.06.

Martin Pitt (pitti) wrote :

Mike, we will not upgrade dapper to 5.1.4, we will just apply the security fixes. According to the upstream bug 37790, this was not yet broken with 5.1.2; can you confirm this, please?

Martin Pitt (pitti) wrote :

http://www.ubuntu.com/usn/usn-320-1 fixed stables, edgy has 5.1.4.

Changed in php5:
status: Confirmed → Fix Released
Dave Lane (lightweight) wrote :

We have experienced a number of show-stopper problems with PHP 5.1.2 as distributed with Dapper. These manifest themselves as segmentation faults in the Apache2 log (with no further information), e.g.
"[notice] child pid XXXXX exit signal Segmentation fault (11)"
and affect all manner of complex applications. For instance, the code embedding Gallery2 in Drupal is affected (and this is a key component of many of our commercial offerings) - resulting in blank screens and no other useful debug info, see: http://www.galleryembedded.com/forums/viewtopic.php?p=20500#20500

Note that based on the large number of views of this issue on the galleryembedded site, we're not alone in being affected by this problem.

As a possible workaround, we have installed "DotDeb"'s PHP 5.1.4 packages on a test machine, and although there are rather tricky dependency issues, we found that our application worked flawlessly following the upgrade, indicating that one of the bug fixes in 5.1.3 or 5.1.4 has addressed the problem.

We not only maintain an Ubuntu Dapper-based hosting infrastructure, but also roll out and maintain a significant number of Dapper boxes for clients (all of whom have PHP apps) and would be thrilled to see 5.1.4 backported to Dapper (particularly if it included built-in tidy support!!). If the Ubuntu team doesn't feel it's worthwhile doing it, we will attempt to do it ourselves. Is there anything we can do to help the Ubuntu team tackle this problem?
Kind regards,

Dave

Martin Pitt (pitti) wrote :

davelane, Adam, mdz: the 5.1.3->5.1.4 upstream changes look just fine (see http://www.php.net/ChangeLog-5.php#5.1.4), but 5.1.3 has not only bug fixes, but also new features and intrusive changes. Things like 'FastCGI interface was completely reimplemented.' make me nervous and are not exactly the things we would like to introduce into a stable release.

On the other hand I do see that 5.1.3 fixed heaps of bugs (over 120 according to upstream) and that large-scale users like davelane need the new version. A backport would be ideal here, but we cannot do them right now (at least not the way we want to).

Adam, Matt, do you have an opinion about this? I do not see any bug reports about edgy's PHP which weren't present in dapper, too, so it does not seem too bad. OTOH edgy will be used on very few servers at the moment. My feeling is to manually backport the edgy version to dapper-proposed, let it mature a bit in there, and put it into dapper-updates in a month or two.

hsteckylf (jon-jncissler) wrote :

I know this is an older thread, but was a backport for a PHP release > 5.1.2 ever created/released for Dapper?

Johannes Hessellund (osos) wrote :

Will Dapper ever have php > 5.1.2 ?

Bug is marked as "Fix released", but I still only see php version 5.1.2.

Please put PHP 5.1.3 or 5.1.4 in backports.

Martin Pitt (pitti) wrote :

We backported the security fixes to 5.1.2. We do not put new upstream releases into stable Ubuntu releases.

Johannes Hessellund (osos) wrote :

Too bad... I will have to make the upgrade myself then.

Maybe the topic of this bug should be changed to reflect what has been fixed!?
Or the status changed to "Won't fix"?

Kees Cook (kees) wrote :

Unless you need new features, there should be no reason to need newer versions of PHP. As mentioned, the security vulnerabilities are back-ported to the stable release. If you need a newer PHP, I would recommend upgrading from Dapper (6.06 LTS) to Hardy (8.04 LTS).
