Need to upgrade apache2 and php5 for security reasons

Daniel Hahler ubuntu+lists at thequod.de
Wed Jul 2 19:10:40 UTC 2008


Christian Desrochers wrote:

> Our web servers have been checked recently by an external security firm.
> We have been told that our web servers need to be upgraded to the latest
> version in order to fix some security issues.

The changelog for PHP 5.2.6 lists:
    * Fixed possible stack buffer overflow in the FastCGI SAPI identified by Andrei Nigmatulin.
    * Fixed integer overflow in printf() identified by Maksymilian Arciemowicz.
    * Fixed security issue detailed in CVE-2008-0599 identified by Ryan Permeh.
    * Fixed a safe_mode bypass in cURL identified by Maksymilian Arciemowicz.
    * Properly address incomplete multibyte chars inside escapeshellcmd() identified by Stefan Esser.
    * Upgraded bundled PCRE to version 7.6

...and there hasn't been any upload to *-security for this (AFAICS).

Previously I was using PHP from CVS (branch PHP_5_2) and updated that
from time to time, following the CVS commits.

On a new server I'm using the official packages, but have backported the
package from Debian unstable (and/or Intrepid) to include all the fixes.

I think it would make a lot of sense to request a backport for PHP (for
Dapper, Gutsy and Hardy; see
https://help.ubuntu.com/community/UbuntuBackports).

Still, it looks like a security update would be required, too.

> I know that I can download and compile these programs myself, but for
> future updates, it becomes complicated since we have lots of servers...

You can use a PPA for this (on launchpad.net) or a local repository
(using e.g. mini-dinstall). The latter works great for me and packages
where I have made modifications: just add the local repository (or PPA)
to your sources.list file(s).
Make sure to use version numbers so that you get notified about new
official package versions.

All the above applies to PHP only - I'm using the provided Apache
packages (or rather nginx and Lighttpd).


Cheers,
Daniel.

-- 
http://daniel.hahler.de/
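The advice above about choosing version numbers for locally built packages hinges on how dpkg/apt order version strings: a backport is only "upgraded away" when an official package later sorts higher. The following Python is an added example for this thread, not code from Daniel or from Ubuntu; it reimplements the Debian version-comparison algorithm (epoch, upstream, revision, with "~" sorting before everything) and uses constructed version strings to check whether a local build such as "5.2.6-1~hardy1" would still be replaced by official uploads.

```python
"""Check local package version numbers against dpkg's ordering rules.

Added example: reimplements the dpkg version comparison so the check can be
run without dpkg installed.  All version strings used below are constructed
illustrations in the Debian/Ubuntu style, not actual archive contents.
"""
from functools import cmp_to_key


def _order(c):
    """Weight of a non-digit character, as dpkg's order(): '~' sorts before
    end-of-string, letters before punctuation, digits/end count as 0."""
    if c is None or c.isdigit():
        return 0
    if c.isalpha():
        return ord(c)
    if c == "~":
        return -1
    return ord(c) + 256


def _verrevcmp(a, b):
    """Compare two upstream or revision strings in alternating non-digit /
    numeric runs.  Returns -1, 0 or 1."""
    i = j = 0
    while i < len(a) or j < len(b):
        # Non-digit run: compare character weights until one side differs.
        while (i < len(a) and not a[i].isdigit()) or (j < len(b) and not b[j].isdigit()):
            ac = _order(a[i]) if i < len(a) else 0
            bc = _order(b[j]) if j < len(b) else 0
            if ac != bc:
                return -1 if ac < bc else 1
            i += 1
            j += 1
        # Numeric run: ignore leading zeros, longer run wins, else first digit difference.
        while i < len(a) and a[i] == "0":
            i += 1
        while j < len(b) and b[j] == "0":
            j += 1
        first_diff = 0
        while i < len(a) and a[i].isdigit() and j < len(b) and b[j].isdigit():
            if first_diff == 0:
                first_diff = ord(a[i]) - ord(b[j])
            i += 1
            j += 1
        if i < len(a) and a[i].isdigit():
            return 1
        if j < len(b) and b[j].isdigit():
            return -1
        if first_diff:
            return -1 if first_diff < 0 else 1
    return 0


def _split(version):
    """Split '[epoch:]upstream[-revision]' into its three parts."""
    epoch = 0
    if ":" in version:
        e, version = version.split(":", 1)
        epoch = int(e)
    upstream, sep, revision = version.rpartition("-")
    if not sep:
        upstream, revision = version, ""
    return epoch, upstream, revision


def compare_versions(a, b):
    """Return -1, 0 or 1 like dpkg --compare-versions would order a and b."""
    ea, ua, ra = _split(a)
    eb, ub, rb = _split(b)
    if ea != eb:
        return -1 if ea < eb else 1
    c = _verrevcmp(ua, ub)
    if c:
        return c
    return _verrevcmp(ra, rb)


def highest_version(candidates):
    """The version apt would pick among candidates when no pinning applies."""
    return max(candidates, key=cmp_to_key(compare_versions))


def superseded_by(local, official):
    """True if an official upload with version `official` replaces `local`."""
    return compare_versions(local, official) < 0


if __name__ == "__main__":
    local = "5.2.6-1~hardy1"           # constructed: Debian 5.2.6-1 rebuilt for Hardy
    print(local, "replaced by 5.2.6-1:", superseded_by(local, "5.2.6-1"))
    # A distro security update to the older 5.2.4 base does NOT replace it:
    print(local, "replaced by 5.2.4-2ubuntu5.1:", superseded_by(local, "5.2.4-2ubuntu5.1"))
    print("apt picks:", highest_version(["5.2.4-2ubuntu5", local, "5.2.4-2ubuntu5.1"]))
```

The "~" suffix is what makes the backport sort below the same upstream release from the official archive, so a later official 5.2.6-1 upload takes over; the second check shows the flip side of running a newer backport: a security update issued against the distribution's older 5.2.4 base will not install over it, which is why the fixes have to be tracked by hand until an official package with a higher version exists. On a Debian-based system the same questions can be asked of the real tool with `dpkg --compare-versions 5.2.6-1~hardy1 lt 5.2.6-1`.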