php 5.3.5

Hi,

I read today that there is a bug affecting php where it could cause the system to go into an infinite loop if trying to convert certain strings to floating point values.

I also heard that there was a fix for it, php 5.3.5.

I tried running phpinfo() on my server, and it returned I was running php 5.3.31 ubuntu 9.

I would like to upgrade to php 5.3.5, but not sure if it's in the repositories for ubuntu 10.10 yet, or if it will be soon.

Thanks for any help,

-Michael.

13 Replies

@lilmike:

Hi,

I read today that there is a bug affecting php where it could cause the system to go into an infinite loop if trying to convert certain strings to floating point values.

I also heard that there was a fix for it, php 5.3.5.

I tried running phpinfo() on my server, and it returned I was running php 5.3.31 ubuntu 9.

I would like to upgrade to php 5.3.5, but not sure if it's in the repositories for ubuntu 10.10 yet, or if it will be soon.

Thanks for any help,

-Michael.

I believe you mean "5.3.3-1ubuntu9"? (essentially some patched version of 5.3.3)

5.3.5 is not in the ubuntu repositories and it seems unlikely that 5.3.5 specifically ever will be there for 10.10.

However, I think it's pretty safe to assume that an update with the fix for that issue will arrive shortly.

(If things are done the usual way that would probably be known as "5.3.3-1ubuntu10" or something along those lines.)

You can follow the changelog at packages.ubuntu here: http://packages.ubuntu.com/maverick/php5

(there's a link 'Ubuntu Changelog' on the RHS)

I don't see any bug entry for this item in launchpad though. I have no idea if anything is working on this.

@sirpengi:

You can follow the changelog at packages.ubuntu here: http://packages.ubuntu.com/maverick/php5

(there's a link 'Ubuntu Changelog' on the RHS)

I don't see any bug entry for this item in launchpad though. I have no idea if anything is working on this.

https://bugs.launchpad.net/ubuntu/+source/php5/+bug/697181

for the bug entry

It usually takes a few days for these bug fixes to reach Debian, and then another day or two for Ubuntu. The version numbers will be different though. Run apt-get update && apt-get upgrade once in a while, and you'll get the bugfix sooner or later.

To test if your Linode is vulnerable, rename this script to test.php, upload this script and execute via CLI:

php test.php

If it errors, you're vulnerable.

more info:

http://bugs.php.net/bug.php?id=53632

PS: there's a fix available.

Just to follow this up, please see http://www.ubuntu.com/usn/usn-1042-1 for info on the recently released update for Ubuntu

Today APT updated all my PHP packages (I'm running Ubuntu 10.10)… I guess that was the fix!

Confirmed fixed:

Ubuntu 10.04 -- 5.3.2-1ubuntu4.6

Ubuntu 10.10 -- 5.3.3-1ubuntu9.2

Oddly, Debian doesn't seem to have released a fixed version for Lenny (5.0) yet. Squeeze (6.0) has fixed it, though. I know Squeeze is going to be baptized stable any day now, but it's odd.

Is Lenny running PHP 5.2? I noticed my PHP 5.2 installation wasn't vulnerable but 5.3 was.

@obs:

Is Lenny running PHP 5.2? I noticed my PHP 5.2 installation wasn't vulnerable but 5.3 was.

Lenny has PHP 5.2.

But according to the PHP website, 5.2.16 was vulnerable so they had to release 5.2.17. This is the third time the PHP devs had to break their own word that 5.2 would receive no further updates.

Maybe one of the patches Debian made to PHP 5.2 makes it immune to the "2.2250738585072011e-308" bug? I don't have a Lenny box so I can't tell.

http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=609315

That says that the problem could never be reproduced with the php version in Lenny, for whatever reason.

FYI, today my PHP has been updated (again) to 5.3.3-1ubuntu9.3.
