Security Update: PHP-PEAR

 

Currently I’m working on installing and implementing the Kayako support ticketing system for my company. As my LAMP stack seems to be quite an old version, I decided to upgrade Apache + PHP + MySQL on one of my web servers before I install Kayako.

Configuring PHP with the --with-curl option requires upgrading PEAR XML_RPC. The current version has a security issue in the PEAR XML_RPC class that allows a remote attacker to run arbitrary PHP code.

Running make install in the PHP source produces the error below:
[root@webserver php-4.4.7]# make install
Installing PHP SAPI module: apache
Installing PHP CLI binary: /usr/local/bin/
Installing PHP CLI man page: /usr/local/man/man1/
Installing PEAR environment: /usr/local/lib/php/
[PEAR] Archive_Tar - already installed: 1.3.2
[PEAR] Console_Getopt - already installed: 1.2.1
[PEAR] HTML_Template_IT- already installed: 1.1
[PEAR] Net_UserAgent_Detect- already installed: 2.0.1
pear/PEAR requires package "pear/XML_RPC" (version >= 1.4.0), installed version is 1.3.1
Notice: Only variables should be assigned by reference in /usr/local/src/php-4.4.7/pear/PEAR/Installer.php on line 990
[PEAR] PEAR: Installation failed: invalid package file
[PEAR] Structures_Graph- already installed: 1.0.2
……………..

To upgrade XML_RPC, I issue this command:

[root@webserver src]# pear upgrade XML_RPC
downloading XML_RPC-1.5.1.tgz …
Starting to download XML_RPC-1.5.1.tgz (32,215 bytes)
………done: 32,215 bytes
upgrade ok: XML_RPC 1.5.1

Then I reissue the make install command in the PHP source:

[root@webserver php-4.4.7]# make install
Installing PHP SAPI module: apache
Installing PHP CLI binary: /usr/local/bin/
Installing PHP CLI man page: /usr/local/man/man1/
Installing PEAR environment: /usr/local/lib/php/
[PEAR] Archive_Tar - upgraded: 1.3.2
[PEAR] Console_Getopt - upgraded: 1.2.1
[PEAR] HTML_Template_IT- already installed: 1.1
[PEAR] Net_UserAgent_Detect- already installed: 2.0.1
[PEAR] PEAR - upgraded: 1.5.0
Wrote PEAR system config file at: /usr/local/etc/pear.conf
You may want to add: /usr/local/lib/php to your php.ini include_path
[PEAR] Structures_Graph- already installed: 1.0.2
Installing build environment: /usr/local/lib/php/build/
Installing header files: /usr/local/include/php/
Installing helper programs: /usr/local/bin/
program: phpize
program: php-config
Installing man pages: /usr/local/man/man1/
page: phpize.1
page: php-config.1
[root@webserver php-4.4.7]#
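
To confirm on other hosts that XML_RPC is at or above the minimum named in the make install error (1.4.0), the check below compares the installed version against that threshold. It is an added example, not part of the original post; the function names are hypothetical and the column layout of `pear list` (package name, then version) is an assumption, with constructed sample input.

```shell
#!/bin/sh
# Added example. Minimum taken from the make install error on this page.
MIN_XML_RPC="1.4.0"

# version_lt A B: succeeds when dotted version A is strictly lower than B.
# Numeric fields are compared left to right; missing fields count as 0.
version_lt() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, x, "."); nb = split(b, y, ".")
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            p = (i <= na) ? x[i] + 0 : 0
            q = (i <= nb) ? y[i] + 0 : 0
            if (p < q) exit 0
            if (p > q) exit 1
        }
        exit 1
    }'
}

# installed_version PKG: reads `pear list` output on stdin, prints PKG's version.
installed_version() {
    awk -v pkg="$1" '$1 == pkg { print $2; exit }'
}

# check_xml_rpc: reads `pear list` output on stdin.
# Returns 0 if XML_RPC meets the minimum, 1 if older, 2 if not listed.
check_xml_rpc() {
    ver=$(installed_version XML_RPC)
    if [ -z "$ver" ]; then
        echo "XML_RPC: not installed"; return 2
    fi
    if version_lt "$ver" "$MIN_XML_RPC"; then
        echo "XML_RPC $ver is older than $MIN_XML_RPC: run 'pear upgrade XML_RPC'"
        return 1
    fi
    echo "XML_RPC $ver meets minimum $MIN_XML_RPC"
}

# Constructed sample in the assumed `pear list` layout (versions from the log above).
sample_pear_list() {
    cat <<'EOF'
Installed packages, channel pear.php.net:
Package        Version State
Archive_Tar    1.3.2   stable
XML_RPC        1.3.1   stable
EOF
}

# Demo on the sample; on a real host use: pear list | check_xml_rpc
sample_pear_list | check_xml_rpc || true
```

The comparison only looks at numeric fields, so a suffix such as RC1 is ignored.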