php 5.3.5
I read today that there is a bug affecting php where it could cause the system to go into an infinite loop if trying to convert certain strings to floating point values.
I also heard that there was a fix for it, php 5.3.5.
I tried running phpinfo() on my server, and it returned I was running php 5.3.31 ubuntu 9.
I would like to upgrade to php 5.3.5, but not sure if it's in the repositories for ubuntu 10.10 yet, or if it will be soon.
Thanks for any help,
-Michael.
13 Replies
@lilmike:
Hi,
I read today that there is a bug affecting php where it could cause the system to go into an infinite loop if trying to convert certain strings to floating point values.
I also heard that there was a fix for it, php 5.3.5.
I tried running phpinfo() on my server, and it returned I was running php 5.3.31 ubuntu 9.
I would like to upgrade to php 5.3.5, but not sure if it's in the repositories for ubuntu 10.10 yet, or if it will be soon.
Thanks for any help,
-Michael.
I believe you mean "5.3.3-1ubuntu9"? (essentially some patched version of 5.3.3)
5.3.5 is not in the ubuntu repositories and it seems unlikely that 5.3.5 specifically ever will be there for 10.10.
However, I think it's pretty safe to assume that an update with the fix for that issue will arrive shortly.
(If things are done the usual way that would probably be known as "5.3.3-1ubuntu10" or something along those lines.)
(there's a link 'Ubuntu Changelog' on the RHS)
I don't see any bug entry for this item in launchpad though. I have no idea if anything is working on this.
@sirpengi:
You can follow the changelog at packages.ubuntu here:
http://packages.ubuntu.com/maverick/php5 (there's a link 'Ubuntu Changelog' on the RHS)
I don't see any bug entry for this item in launchpad though. I have no idea if anything is working on this.
for the bug entry
-Michael.
this script
php test.php.
if it errors you're vulnerable
more info:
ps there's a fix available
Ubuntu 10.04 – 5.3.2-1ubuntu4.6
Ubuntu 10.10 – 5.3.3-1ubuntu9.2
Oddly, Debian doesn't seem to have released a fixed version for Lenny (5.0) yet. Squeeze (6.0) has fixed it, though. I know Squeeze is going to be baptized stable any day now, but it's odd.
@obs:
Is lenny running php 5.2? I noticed my php 5.2 installation wasn't vulnerable but 5.3 was.
Lenny has PHP 5.2.
But according to the PHP website, 5.2.16 was vulnerable so they had to release 5.2.17. This is the third time the PHP devs had to break their own word that 5.2 would receive no further updates.
Maybe one of the patches Debian made to PHP 5.2 makes it immune to the "2.2250738585072011e-308" bug? I don't have a Lenny box so I can't tell.
That says that the problem could never be reproduced with the php version in Lenny, for whatever reason.