Need to upgrade apache2 and php5 for security reasons

Daniel Hahler ubuntu+lists at
Wed Jul 2 19:10:40 UTC 2008

Christian Desrochers wrote:

> Our web servers have been checked recently by an external security firm.
> We have been told that our web servers need to be upgraded to the latest
> version in order to fix some security issues.

The changelog for PHP 5.2.6 lists:
    *  Fixed possible stack buffer overflow in the FastCGI SAPI
identified by Andrei Nigmatulin.
    * Fixed integer overflow in printf() identified by Maksymilian
    * Fixed security issue detailed in CVE-2008-0599 identified by Ryan
    * Fixed a safe_mode bypass in cURL identified by Maksymilian
    * Properly address incomplete multibyte chars inside
escapeshellcmd() identified by Stefan Esser.
    * Upgraded bundled PCRE to version 7.6

..and there hasn't been any upload to *-security for this (AFAICS).

Previously I was using PHP from CVS (branch PHP_5_2) and updated that
from time to time, following the CVS commits.

On a new server I'm using the official packages, but have backported the
package from Debian unstable (and/or Intrepid) to include all the fixes.

I think it would make a lot of sense to request a backport for PHP (for
Dapper, Gutsy and Hardy; see

Still, it looks like a security update would be required, too.

> I know that I can download and compile these programs myself, but for
> future updates, it becomes complicated since we have lots of servers...

You can use a PPA for this (on or a local repository
(using e.g. mini-dinstall). The latter works great for me and packages
where I have made modifications: just add the local repository (or PPA)
to your sources.list file(s).
Make sure to use version numbers so that you get notified about new
official package versions.

All the above applies to PHP only - I'm using the provided Apache
packages (or rather nginx and Lighttpd).



More information about the Ubuntu-devel-discuss mailing list