php

This is part of The Pile, a partial archive of some open source mailing lists and newsgroups.



Subject: [RHEA-1999:010-01] Update to PHP 3.0.9 (mod_php3)
From: Preston Brown <pbrown@redhat.com>
Date: Tue, 22 Jun 1999 10:59:08 -0400 (EDT)

---------------------------------------------------------------------
		   Red Hat, Inc. Security Advisory

Synopsis:		Update to PHP 3.0.9 (mod_php3)
Advisory ID:		RHEA-1999:010-01
Issue date:		1999-06-21
Keywords:		mod_php3 php fclose postgresql imap pgsql 
---------------------------------------------------------------------

1. Topic:

New PHP 3.0.9 (mod_php3) RPMs are available for Red Hat Linux 6.0.
These RPMs replace a previous errata release which fixed some, but not
all, of the problems with the original PHP3 RPMs included in Red Hat
Linux 6.0.

2. BugIDs fixed:

3273

3. Relevant releases/architectures:

Red Hat Linux 6.0, all architectures

4. Obsoleted by:

5. Conflicts with:

6. RPMs required:

Intel: ftp://updates.redhat.com/6.0/i386/

mod_php3-3.0.9-1.i386.rpm
mod_php3-imap-3.0.9-1.i386.rpm
mod_php3-manual-3.0.9-1.i386.rpm
mod_php3-pgsql-3.0.9-1.i386.rpm

Alpha: ftp://updates.redhat.com/6.0/alpha/

mod_php3-3.0.9-1.alpha.rpm
mod_php3-imap-3.0.9-1.alpha.rpm
mod_php3-manual-3.0.9-1.alpha.rpm
mod_php3-pgsql-3.0.9-1.alpha.rpm

Sparc: ftp://updates.redhat.com/6.0/sparc

mod_php3-3.0.9-1.sparc.rpm
mod_php3-imap-3.0.9-1.sparc.rpm
mod_php3-manual-3.0.9-1.sparc.rpm
mod_php3-pgsql-3.0.9-1.sparc.rpm

7. Problem description:

Red Hat Linux 6.0 shipped with PHP 3.0.7.  This release of PHP had
some problems with glibc 2.1.  A later errata release corrected those
problems, but it had problems with postgresql, which it intended to
support.

8. Solution:

This release corrects all known problems with PHP3, as well as adding
modular postgresql and imap support. Upgrade to the new PHP 3.0.9 RPMs.

For each RPM for your particular architecture, run:

rpm -Uvh <filename>

where filename is the name of the RPM.

You will need to install at least the base mod_php3 RPM, and
optionally the imap and pgsql subpackages for IMAP and PostgreSQL
support.  You may wish to install the manual subpackage as well to
have the HTML-formatted PHP documentation available.

9. Verification:

These packages are PGP signed by Red Hat Inc. for security.  Our key
is available at:

http://www.redhat.com/corp/contact.html

You can verify each package with the following command:

rpm --checksig  <filename>

If you only wish to verify that each package has not been corrupted or
tampered with, examine only the md5sum with the following command:

rpm --checksig --nopgp <filename>

10. References:
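
Added example, not part of the Red Hat advisory: a shell wrapper that combines sections 8 and 9 by checking every package with rpm --checksig before any rpm -Uvh runs, and by rejecting a package whose check passes on digests alone with no signature reported. The function names, the RPM override variable, and the assumed output wording (lowercase "pgp", "gpg" or "signatures" for a verified signature) are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the advisory): verify all RPMs, then install.
# RPM can be overridden (e.g. for testing); it defaults to the real rpm.
RPM="${RPM:-rpm}"

# sig_ok FILE: succeed only if rpm --checksig passes AND names a signature.
# Assumption: rpm lists checked items in lowercase when they pass
# ("md5 pgp OK", or "digests signatures OK" on current rpm) and in
# uppercase when they fail. An unsigned package can still pass on its
# digests alone, which proves integrity but not origin, so it is rejected.
sig_ok() {
    out=$("$RPM" --checksig "$1" 2>&1) || { echo "FAILED: $out" >&2; return 1; }
    # Drop the leading "FILE:" so the file name cannot satisfy the match.
    case "${out#"$1":}" in
        *" pgp "*|*" gpg "*|*" signatures "*) return 0 ;;
    esac
    echo "NO SIGNATURE: $out" >&2
    return 1
}

# verify_and_install FILE...: check every package first; install none
# unless all of them verified. Returns 1 on a verification failure and
# 2 if rpm -Uvh itself fails.
verify_and_install() {
    bad=0
    for pkg in "$@"; do
        sig_ok "$pkg" || bad=1
    done
    if [ "$bad" -ne 0 ]; then
        echo "refusing to install: verification failed" >&2
        return 1
    fi
    for pkg in "$@"; do
        "$RPM" -Uvh "$pkg" || return 2
    done
}

# Run against the files named on the command line, if any.
[ "$#" -eq 0 ] || verify_and_install "$@"
```

The signature check is only meaningful once the vendor key from section 9 has been obtained over a trusted channel and added to the keyring that rpm consults.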

===

Subject: php 3.0.8 rpms Release 2
From: Pablo Costa <pablo@shark.ib.usp.br>
Date: Wed, 2 Jun 1999 19:46:15 -0300 (EST)


* Wed Jun 02 1999 Pablo Costa <pablo@ib.usp.br>

- Added %post and %preun scripts
- Compile with apache 1.3.6 and glibc 2.1
- Add nis(YP) support
- Add package cgi. Now php can work without apache
- Add packages with apache modules:  gd, imap, ldap, mysql, pgsql and xml
- Add packages with cgi modules:  gd, imap, ldap, mysql, pgsql and xml
- Suppressed post and preun scripts (Wait for next release :-)

   Just uploaded the following to ftp://incoming.redhat.com/libc6

APACHE DEPENDENT RPMS

mod-php3-3.0.8-2.i386.rpm
mod-php3-gd-3.0.8-2.i386.rpm
mod-php3-imap-3.0.8-2.i386.rpm
mod-php3-ldap-3.0.8-2.i386.rpm
mod-php3-mysql-3.0.8-2.i386.rpm
mod-php3-pgsql-3.0.8-2.i386.rpm
mod-php3-xml-3.0.8-2.i386.rpm

RPMS NOT REQUIRING APACHE

mod-php3-cgi-3.0.8-2.i386.rpm
mod-php3-cgi-gd-3.0.8-2.i386.rpm
mod-php3-cgi-imap-3.0.8-2.i386.rpm
mod-php3-cgi-ldap-3.0.8-2.i386.rpm
mod-php3-cgi-mysql-3.0.8-2.i386.rpm
mod-php3-cgi-pgsql-3.0.8-2.i386.rpm
mod-php3-cgi-xml-3.0.8-2.i386.rpm


mod-php3-doc-3.0.8-2.i386.rpm


mod-php3-3.0.8-2.src.rpm
mod_php3.spec


   They are also available at http://linusp.usp.br/~pablo/rpms/php3

   Or   http://shark.ib.usp.br/~pablo/rpms/php3

   RPMs are built on a Pentium 233mmx 128megs RAM with 
   RedHat 6.0 installed.

   Required programs to install shared binary rpm.
   -----------------------------------------------
   Standard Red Hat 6.0 installation


Name        : mod-php3                     Relocations: (not relocateable)
Version     : 3.0.8                             Vendor: (none)
Release     : 1                             Build Date: Tue May 25 16:33:48 1999
Install date: (not installed)               Build Host: capella
Group       : Networking/Daemons            Source RPM: mod-php3-3.0.8-1.src.rpm
Size        : 788897                           License: GPL
Packager    : Pablo Costa <pablo@ib.usp.br>
URL         : http://www.php.net
Summary     : A server-side, HTML-embedded scripting language
Description :
 PHP: Hypertext Preprocessor Version 3.0 is an HTML-embedded scripting
 language. Much of its syntax is borrowed from C, Java and Perl with a
 couple of unique PHP-specific features thrown in. The goal of the
 language is to allow web developers to write dynamically generated
 pages quickly.

 This package provides the loadable module for the apache webserver, some
 modules providing extra functions, and a php/fi 2.0 -> php3 script converter
 (works most of the time).
 .
 With additional modules it supports direct communication with postgresql,
 mysql, msql databases, dbf files, and it has an interface to the libgd
 graphics library.



* Tue May 25 1999 Pablo Costa <pablo@ib.usp.br>

-  Rename add-php-doc, del-php-doc to php-add and php-del

* Tue Mar 02 1999 Henri Gomez <gomez@slib.fr>

- Upgraded to 3.0.7.
 - Suppressed patches no more needed.
 - Added INSTALL.DSO and INSTALL.REDHAT files in doc

* Tue Feb 02 1999 Henri Gomez <gomez@slib.fr>

- moved html php3 docs to /home/httpd/html/manual/mod/mod_php3 to follow RH & mod_ssl way

* Wed Jun 02 1999 Pablo Costa <pablo@ib.usp.br>

- Add %post and %preun scripts

* Tue May 25 1999 Pablo Costa <pablo@ib.usp.br>

- Upgrade to 3.0.8
- Compile with apache 1.3.6 and glibc 2.1
- Compile without ssl 
- Add nis(YP) support
- Add package cgi. Now php can work without apache
- Add packages with apache modules:  gd, imap, ldap, mysql, pgsql and xml
- Add packages with cgi modules:  gd, imap, ldap, mysql, pgsql and xml
- Rename add-php, del-php to php-add and php-del
- Change config path to /etc/php3/apache (apache version)
- Change config path to /etc/php3/cgi (cgi version)
- Suppressed post and preun scripts (Wait for next release :-)

===

Subject: RE: Integrating Apache and MySQL
From: Ken Pooley <kpooley@sewanee.edu>
Date: Tue, 8 Jun 1999 13:57:47 -0500


My experience is that php is pretty cool...there is a really good webmonkey 
tutorial on wired's website about integrating MySQL, php and Apache...also 
there is a phpbuilder website which has scripts though they tend to be 
msql....

===

From: Eric Lee Green <eric@linux-hw.com>
Date: Fri, 26 Mar 1999 12:17:12 -0500 (EST)
Subject: Re: cgi security issues


On Wed, 24 Mar 1999, Wes Owen wrote:
> I have RHL5.2 with the latest Apache built with suexec.
> 
> Just for kicks, I put a script that did a cat on /etc/passwd just to see if
> I could read that file, and I nearly had a heart attack when I found out
> that I could.  That means I could also read most other valuable system
> files that are chmod 744 or whatever.
> 
> Is there any way to prohibit users from getting this information?

CGI almost by definition has full system access of the owner. I believe
you can tell Apache to run a CGI script under a certain user ID, but the
CGI script will have access to everything that can be accessed by that
user ID.

PHP3 (http://www.php3.org) has an option so that you cannot access any
file outside of the web server tree. If you are wanting to do secure "CGI"
then using mod_php3 is probably the most "secure" that you can get, not to
mention being faster than CGI. But it depends on how much you like/hate
PHP3. 

===

From: Kenny Lim <kenny@mail.tke.po.my>
Date: Thu, 11 Mar 1999 08:52:06 +0800
Subject: Re: PHP3 Support for MySQL

Gene Wilburn wrote:
> 
> I installed the standard PHP3 support along with the Apache RPM's in RH52
> and discovered that there is no database support in them.
> 
> I followed the FAQ on the PHP site about rebuilding a new RPM for MySQL
> support (I have MySQL installed) but when I type
> 
>    rpm -bb /usr/src/redhat/SPECS/mod_php3.spec
> 
> I get the following error message:
> 
>    checking for MySQL support... no
>    configure: error: Invalid MySQL directory - unable to find mysql.h
>    under /usr
>    Bad exit status from /var/tmp/rpm-tmp.86203 (%build)
> 
> The only mysql.h files on my system appear to be related to Perl and to
> DBI/DBD, not to MySQL itself.
> 
> This is my first attempt at rebuilding an RPM. If anyone has successfully
> re-built MySQL support for the PHP3 RPM module, I'd love to see a tip or
> two.

When you build PHP3, enable --with-mysql=/usr where /usr
contains lib/mysql and include/mysql (that should be the
default if you install the mysql-dev RPM from www.mysql.com).

Example:

./configure --prefix=/usr \
        --with-apxs=/usr/sbin/apxs \
        --with-config-file-path=/usr/lib \
        --enable-debug=no \
        --enable-safe-mode \
        --with-exec-dir=/usr/bin \
        --with-system-regex \
        --with-mysql=/usr    

attached is the mod_php3.spec for version 3.05
I have not yet made one for 3.07, if anyone is successful, 
send me a copy of the 3.07 spec file.

"mod_php3.spec"

Summary: PHP3 - a powerful scripting language for HTML
Name: mod_php3
Version: 3.0.5
Release: 3 
Group: Networking/Daemons
Source0: http://www.php.net/distributions/php-%{PACKAGE_VERSION}.tar.gz
Source1: php3-manual.tar.gz
Copyright: GPL
BuildRoot: /tmp/php3-root
Requires: webserver

%description
PHP3 is a powerful apache module that adds scripting and database connection
capabilities to the apache server. 

%prep
%setup -q -n php-%{PACKAGE_VERSION}
mkdir manual; cd manual && tar xzf $RPM_SOURCE_DIR/php3-manual.tar.gz
chown -R root.root .

%build
./configure --prefix=/usr \
	--with-apxs=/usr/sbin/apxs \
	--with-config-file-path=/usr/lib \
	--enable-debug=no \
	--enable-safe-mode \
	--with-exec-dir=/usr/bin \
	--with-system-regex \
        --with-mysql=/usr 

make

%install
rm -rf $RPM_BUILD_ROOT
mkdir -p $RPM_BUILD_ROOT/usr/lib/apache
install -m 755 libphp3.so $RPM_BUILD_ROOT/usr/lib/apache

%clean
rm -rf $RPM_BUILD_ROOT

%changelog
* Fri Jan 22 1999 Kenny Lim <kenny@predawnia.org>
- rebuild with --with-mysql

* Mon Oct 12 1998 Cristian Gafton <gafton@redhat.com>
- rebuild for apache 1.3.3

* Thu Oct 08 1998 Preston Brown <pbrown@redhat.com>
- updated to 3.0.5, fixes nasty bugs in 3.0.4.

* Sun Sep 27 1998 Cristian Gafton <gafton@redhat.com>
- updated to 3.0.4 and recompiled for apache 1.3.2

* Thu Sep 03 1998 Preston Brown <pbrown@redhat.com>
- improvements; builds with apache-devel package installed.

* Tue Sep 01 1998 Preston Brown <pbrown@redhat.com>
- Made initial cut for PHP3.

%files
/usr/lib/apache/libphp3.so
%doc TODO CODING_STANDARDS CREDITS ChangeLog LICENSE BUGS examples
%doc manual/*


===
