Suhosin Packages Added For PHP 5.2 and PHP 5.3

Per LP519547, we have just pushed php52-suhosin and php53-suhosin to our el5-stable repositories for Red Hat Enterprise Linux 5 and clones.

Suhosin is an advanced protection system for PHP installations. It was designed to protect servers and users from known and unknown flaws in PHP applications and the PHP core. Suhosin comes in two independent parts that can be used separately or in combination. The first part is a small patch against the PHP core that implements a few low-level protections against buffer overflows and format string vulnerabilities; the second part is a PHP extension that implements all the other protections.

The packages pushed to IUS contain only the extension, not the core PHP patch.  Whether or not you should use Suhosin is up to you, but you may wish to read the Why? section on their site first.

PHP 5.2.12 Packages for Redhat/CentOS 4 and 5

Per today’s announcement from the PHP Development Group, we have just completed building out updates for our php52 packages, bringing them in line with upstream stable 5.2.12.  IUS maintains php52 for Red Hat / CentOS Enterprise Linux 4 and 5, and plans to do so until the 5.2 branch is EOL upstream.

Along with this update we have also rebuilt the available PECL packages for php52 for Redhat/CentOS EL 5 only.  The available PECL packages are:

  • php52-pecl-memcache
  • php52-pecl-apc
  • php52-pecl-imagick (new)

As you can see this is a pretty skimpy list.  We are hoping to add more PECL packages to this list, but in order to do so we really need contributions from the community.  Our goal would be to eventually have a comparable list of PECL packages to what EPEL has in their repo.  If you are interested in helping contribute packages to the project, please see the Developer Guide.

Testing IUS Packages

All packages and updates mentioned in this post are currently in ius-el5-testing, meaning that they haven’t quite made it to our production/stable repositories.  Any help testing packages is very much appreciated.  If you are interested in contributing to the project by way of testing and feedback, see the Getting Started Guide and more specifically the section of the wiki on Installing Packages from IUS Testing. Once complete, either email us or submit feedback via the appropriate tracker on our LaunchPad site.

Along with PHP 5.2.12, there are also updates for:

  • mod_wsgi-python31
  • rsyslog4


Contacting the IUS Core Development Team

If you are unable to communicate via our bug tracking system, mailing list, answers section, etc please send us an email to coredev@iuscommunity.org.

We also hang out in #iuscommunity on irc.freenode.net.

Python 3.1.1 + Distribute Available For RHEL/CentOS 5

We have packaged up the latest Python 3 for IUS EL5.  We have added it in hopes of encouraging the Python community to start porting their applications sooner than later.  Along with Python 3 we have also added Mod_WSGI 3.0c5 to make working with Python 3 web applications possible on RHEL/CentOS 5.

Currently, setuptools is not Python 3 compatible, and there is heavy debate [read uncertainty] over whether it ever will be.  Because of that the project was forked, and the necessary compatibility is available via the Distribute project.  Distribute is Python 3 compatible and is effectively a drop-in replacement for setuptools.

Installing Python 3 from IUS

For new comers to IUS, please see the Getting Started Guide.  Once setup, installation is as easy as:

[root@linux ~]# yum install python31 python31-distribute

Once you have python31 and python31-distribute installed, you can install packages from the Cheese Shop (PyPI) as well as access the python3.1 binary:


[root@linux ~]# easy_install-3.1 threecheck
[root@linux ~]# python3.1
>>> import threecheck

For a list of Python 3 compatible packages, check out PyPI.

Reporting Bugs

We appreciate any feedback you have, good or bad.  If you come across any issues please report a bug at our Launchpad Project Page.

Update: 2009-11-04

We have moved mod_wsgi-python31 to the development repository for the time being, until it has exited release candidate and becomes generally available.  Currently the ius-release package does not have the repo config for development and possibly may not for a while.  You can however download the files from the link provided above and install them via rpm, or manually add the development repository to yum.

PHP 5.2.11 / 5.3.0 posix_mkfifo() open_basedir vulnerability – Patched for RHEL/CentOS

A vulnerability in both PHP 5.2.11 and 5.3.0 was announced on September 30, 2009 via Security Reason.  Grzegorz Stachowiak discovered an open_basedir bypass in the posix_mkfifo() function that allows a denial of service whenever a local user, or a script running as the Apache user, has write access to a DocumentRoot and can create a FIFO named .htaccess in it.

The Vulnerability

The vulnerability exists due to the fact that the posix_mkfifo() function in ./ext/posix/posix.c only checks for safe_mode restrictions and not open_basedir restrictions.  Take the following example:

UserX and UserY both have virtual hosts on a shared server with open_basedir set to ‘/var/www:/tmp’.  open_basedir restricts the files PHP may open or create to the directory trees listed in the setting, so neither user’s scripts should be able to touch anything outside /var/www and /tmp.

With the vulnerability in posix_mkfifo(), UserX can craft a script that creates a FIFO (named pipe) called ‘.htaccess’ in UserY’s directory (if writable by Apache or UserX) such as:


<?php
posix_mkfifo('/home/UserY/www/.htaccess', 0777); // creates a FIFO; open_basedir is never consulted

This successfully creates ‘/home/UserY/www/.htaccess’ as a FIFO.  The next time a file is requested from /home/UserY/www, Apache opens the .htaccess file to read its directives, and opening a FIFO for reading blocks until some process opens it for writing, so the request handler simply hangs.
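A quick check for the artefact this attack leaves behind, added here as an example and not part of the original post or of PHP/Apache: a scan for FIFOs named .htaccess below a DocumentRoot.  Because opening a FIFO for reading blocks exactly the way Apache does, the scan relies on lstat() alone and never open()s a candidate.  The directory tree it scans is constructed inside the script; the path names and the helper names are assumptions for illustration.

```python
"""Scan a DocumentRoot for FIFOs named .htaccess without opening them.

Added example, not part of the original IUS post or of PHP/Apache. Opening a
FIFO for reading blocks until a writer shows up, which is exactly how the
planted .htaccess hangs Apache, so this scan relies on lstat() alone and never
open()s a candidate. The sample tree it scans is constructed in-script.
"""
import os
import shutil
import stat
import tempfile


def find_fifo_htaccess(docroot, name=".htaccess"):
    """Return docroot-relative paths of every FIFO named `name` under docroot.

    os.walk() does not descend into symlinked directories by default and
    lstat() describes the entry itself, so neither a FIFO nor a symlink to
    one is ever opened by the scan.
    """
    hits = []
    for dirpath, _dirs, filenames in os.walk(docroot):
        for fname in filenames:
            if fname != name:
                continue
            path = os.path.join(dirpath, fname)
            try:
                st = os.lstat(path)
            except OSError:
                continue  # raced by a delete; nothing to report
            if stat.S_ISFIFO(st.st_mode):
                hits.append(os.path.relpath(path, docroot))
    return sorted(hits)


def build_sample_docroot():
    """Constructed sample: UserY's tree carries a planted FIFO .htaccess,
    UserX's tree a legitimate .htaccess file and a FIFO with another name.
    Returns the temporary root; remove it with shutil.rmtree() when done."""
    root = tempfile.mkdtemp(prefix="docroot-")
    for user in ("UserX", "UserY"):
        os.makedirs(os.path.join(root, user, "www"))
    os.mkfifo(os.path.join(root, "UserY", "www", ".htaccess"), 0o777)
    with open(os.path.join(root, "UserX", "www", ".htaccess"), "w") as fh:
        fh.write("Options -Indexes\n")
    os.mkfifo(os.path.join(root, "UserX", "www", "not-htaccess"))
    return root


if __name__ == "__main__":
    root = build_sample_docroot()
    try:
        for hit in find_fifo_htaccess(root):
            print("planted FIFO:", hit)  # prints: planted FIFO: UserY/www/.htaccess
    finally:
        shutil.rmtree(root)
```

On a real box the same check is `find /var/www /home -name .htaccess -type p`; remove a hit with rm rather than inspecting it with cat or an editor, both of which would block on the pipe just as Apache does.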

The Fix

The PHP developers have patched this bug in upstream CVS, which has been backported by the IUS CoreDev team and applied to our php52 and php53 packages.

Installing IUS Patched RPMs for RHEL/CentOS

Packages are available for RHEL/CentOS 4 (php52) and RHEL/CentOS 5 (php52, php53).  For installation/upgrade instructions see the Getting Started page and/or check out the Wiki for more information.

Other IUS Package Updates

In addition to these package updates we have also released a number of other updates to IUS Stable.  Please see the full announcements:

Thanks!


BJ Dierkes
Linux Systems Engineer IV / [RH]acker
Infrastructure Services [OS & Applications]
Rackspace Hosting

PHP 5.2.11 and PHP 5.3.0 tempnam() safe_mode vulnerability – Patched For RHEL/CentOS

A vulnerability in both PHP 5.2.11 and 5.3.0 was announced on September 30, 2009 via Security Reason.  Grzegorz Stachowiak discovered a safe_mode bypass in the tempnam() function that lets any local user, or any script owned by the Apache user, with write permission on another user’s directory create files there in spite of safe_mode.

The Vulnerability

The vulnerability exists due to the fact that the tempnam() function in ./ext/standard/file.c only checks for open_basedir restrictions and not standard safe_mode UID/GID restrictions.  Take the following example:

UserX and UserY both have virtual hosts on a shared server with safe_mode enabled.  safe_mode compares the owner of the running script with the owner of the file or directory being accessed, so scripts owned by UserX cannot touch UserY’s directories or files even though the Apache user executes both users’ scripts and has system-level permission to access both.

With the vulnerability in tempnam(), UserX can craft a script that generates a temp file in UserY’s directory (if writable by Apache or UserX) such as:


<?php
$path = tempnam('/home/UserY/www', 'user_x_file.php'); // creates the file and returns its path; the safe_mode owner check is never made

This successfully creates a uniquely named file in ‘/home/UserY/www’ and returns its path, which UserX can then write to and execute.
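Both advisories on this page have the same shape: a filesystem entry point that consulted one of PHP’s two guards but not the other (posix_mkfifo() skipped open_basedir, tempnam() skipped safe_mode).  The following model, added here as an example and not code from PHP or IUS, reproduces both gaps and shows why the fix has to route every entry point through both guards.  The open_basedir check is modelled as a boundary-aware prefix test on a normalised path (PHP’s real check also resolves symlinks, which is omitted here), the safe_mode check as a UID comparison between the script owner and the owner of the target directory (PHP’s GID variant is omitted), and ownership comes from a constructed table standing in for stat().  The entry-point tables, uids and function names are assumptions for illustration.

```python
"""Model of PHP's open_basedir and safe_mode guards and the two missing calls.

Added example, not code from PHP or IUS. open_basedir is a boundary-aware
prefix check on a normalised path (PHP also resolves symlinks; omitted here).
safe_mode is the UID comparison between script owner and target directory
owner (PHP's GID variant omitted). Ownership comes from a constructed table.
"""
import posixpath

# Constructed ownership table standing in for stat(): directory -> owner uid.
OWNERS = {
    "/home/UserX/www": 1001,   # UserX
    "/home/UserY/www": 1002,   # UserY
    "/var/www": 48,            # apache
    "/tmp": 0,                 # root
}

# Which guards each entry point consulted before and after the fix (assumed
# from the advisories: posix_mkfifo skipped open_basedir, tempnam skipped safe_mode).
GUARDS_5211 = {"posix_mkfifo": {"safe_mode"}, "tempnam": {"open_basedir"}}
GUARDS_FIXED = {"posix_mkfifo": {"safe_mode", "open_basedir"},
                "tempnam": {"safe_mode", "open_basedir"}}


def open_basedir_allows(path, open_basedir):
    """True if `path` is inside one of the colon-separated allowed trees.

    normpath() collapses '..' so a path cannot climb back out of an allowed
    tree, and the comparison is on a directory boundary so '/var/www' does
    not also admit '/var/www2'. An empty directive means no restriction.
    """
    if not open_basedir:
        return True
    norm = posixpath.normpath(path)
    for base in open_basedir.split(":"):
        base = posixpath.normpath(base)
        if norm == base or norm.startswith(base.rstrip("/") + "/"):
            return True
    return False


def safe_mode_allows(script_uid, target_dir, owners=OWNERS):
    """True if the script's owner also owns the directory receiving the file."""
    owner = owners.get(posixpath.normpath(target_dir))
    return owner is not None and owner == script_uid


def create_allowed(entry_point, target_dir, script_uid, open_basedir="",
                   safe_mode=False, guards=GUARDS_FIXED, owners=OWNERS):
    """Decide whether `entry_point` may create an entry in `target_dir`,
    consulting only the guards that entry point actually calls."""
    required = guards[entry_point]
    if "open_basedir" in required and not open_basedir_allows(target_dir, open_basedir):
        return False
    if "safe_mode" in required and safe_mode and \
            not safe_mode_allows(script_uid, target_dir, owners):
        return False
    return True


if __name__ == "__main__":
    # UserX's script (uid 1001) targeting UserY's tree: first with only
    # open_basedir set, then with only safe_mode on, before and after the fix.
    for label, guards in (("5.2.11", GUARDS_5211), ("fixed ", GUARDS_FIXED)):
        print(label, "posix_mkfifo allowed:",
              create_allowed("posix_mkfifo", "/home/UserY/www", 1001,
                             open_basedir="/var/www:/tmp", guards=guards))
        print(label, "tempnam      allowed:",
              create_allowed("tempnam", "/home/UserY/www", 1001,
                             safe_mode=True, guards=guards))
```

The point of the model is the last function: a guard that is correct on its own is worthless at any entry point that does not call it, which is why both upstream fixes amount to adding the missing call rather than changing either check.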

The Fix

The PHP developers have patched this bug in upstream CVS, which has been backported by the IUS CoreDev team and applied to our php52 and php53 packages.  The diffs are available here:

Installing IUS Patched RPMs for RHEL/CentOS

Packages are available for RHEL/CentOS 4 (php52) and RHEL/CentOS 5 (php52, php53).  For installation/upgrade instructions see the Getting Started page and/or check out the Wiki for more information.

Other IUS Package Updates

In addition to these package updates we have also released a number of other updates to IUS Stable.  Please see our other announcements:

Thanks!


BJ Dierkes
Linux Systems Engineer IV / [RH]acker
Infrastructure Services [OS & Applications]
Rackspace Hosting

PHP 5.2.11 / MySQL 5.0.85 RPMs For RHEL/CentOS 4

The IUS CoreDev Team has decided to make our packages for PHP 5.2 and MySQL 5.0 available for Red Hat Enterprise Linux and CentOS 4.  Initially we were going to completely ignore RHEL4, however we feel it could greatly benefit a lot of people to have an upgraded PHP/MySQL stack should they not have the option to upgrade their servers.

It should be noted, we will not be adding any other packages to the RHEL4 repositories.  We will maintain PHP 5.2 and MySQL 5.0 on RHEL4 as long as we can (they are essentially the same exact packages as on RHEL5) but there is no guarantee of course.

Information on how to upgrade PHP and MySQL on RHEL/CentOS 4 can be found on the IUS Community Project Wiki.

Reporting Bugs

As always we appreciate your feedback, and ask that you please submit bug reports via our LaunchPad Project Page.

Mirror Updates

Please allow 24 hours from the time of this writing before expecting your local neighborhood mirror to carry this update.

Updated Python 2.6.2 / MySQL 5.1.39 RPMs For RHEL/CentOS 5

The following builds have been pushed to IUS Stable for Redhat/CentOS EL 5

  • python26-2.6.2-1.ius
  • mysql51-5.1.39-1.ius

Update details follow… please expect 24 hours for your local mirrors to sync.

Build: python26-2.6.2-1.ius

Python is an interpreted, interactive, object-oriented programming language

Update Information:

%changelog
* Tue Sep 01 2009 BJ Dierkes  - 2.6.2-1.ius
- Latest sources from upstream.
- Replaced Patch0: python-2.6-config.patch with
  Patch0: Python-2.6.2-rhconfig.patch
- Replaced Patch3: python-2.6-canonicalize.patch with
  Patch3: python-2.6.2-canonicalize.patch
- Replaced Patch200: python-2.6-autoconf.patch with
  Patch200: Python-2.6.2-autoconf.patch
- Removed Patch10: python-2.5.2-binutils-no-dep.patch
- Build with system ffi
- Add -lcrypt to crypto module

References:

[ 1 ] Bug #437070 – Python 2.6.2 Source Update Available
https://bugs.launchpad.net/ius/+bug/437070

Build: mysql51-5.1.39-1.ius

MySQL is a multi-user, multi-threaded SQL database server.

Update Information:

%changelog
* Fri Sep 25 2009 BJ Dierkes  - 5.1.39-1.ius
- Latest sources from upstream.
- Added _with_innodb_plugin build option, but left disabled by default
  due to MySQL's claim that it is of beta quality.

References:

[ 1 ] Bug #434120 – MySQL 5.1.39 Source Update
https://bugs.launchpad.net/ius/+bug/434120

Reporting Bugs or No Bugs

Any and all feedback is greatly appreciated, whether it be because you found bugs or to let us know that you didn’t have any issues. Please report all bugs to:

http://bugs.launchpad.net/ius

Thanks!

New Wiki and Documentation Now Available

We have finally setup the IUS Community Wiki and kicked it off with the following docs:

The wiki is open for community contributions and editing, though we have limited this to OpenID logins with LaunchPad only.  Our reason in doing so is to limit spammers/bots as well as to encourage anyone and everyone to join the IUS Community Members Team on LaunchPad.

If you have any issues using or editing the wiki please send us an email to coredev@iuscommunity.org and we will get things squared away asap.

Updated PHP 5.2.11 RPMs for RHEL/CentOS 5

Per yesterday’s announcement of PHP 5.2.11, the IUS CoreDev Team has updated our php52 RPM set which is currently available for testing.

Installing Packages From Testing

When packages are tagged as ‘testing’ in our buildfarm they are added to the testing repository.  If you have installed the ius-release package then you already have this repo configured in yum, but disabled by default.  Simply issue the following command for the package(s) you want to install from testing:

[root@linuxbox ~]# yum install PACKAGE_NAME --enablerepo=ius-testing

OR if you already have our .ius packages installed, simply upgrade.

[root@linuxbox ~]# yum upgrade --enablerepo=ius-testing

Providing Feedback

We appreciate any feedback at all, both good and bad. If you have tested or are using these packages already please submit feedback via the tracker for this release. Once we have enough positive feedback or enough time has passed we can push these packages to stable.

2009-09-23 Update

The IUS Packages for php52-5.2.11-1.ius have been pushed to stable.

Updated MySQL 5.0.85 Packages for RHEL/CentOS 5

The latest release to the IUS Stable Repositories brings our mysql50 packages in line with the upstream stable sources of the MySQL 5.0 branch.

https://launchpad.net/ius/mysql50/mysql50-5.0.85-1

RPM ChangeLog:

* Mon Aug 31 2009 BJ Dierkes <wdierkes@rackspace.com> - 5.0.85-1.ius
- Latest sources from upstream
- Updating default my.cnf a tad
- Adding SOURCE9(my-50-terse.cnf) and SOURCE10(my-50-verbose.cnf) to doc dir.
- Removed Patch221: mysql-5.0.84-disabled_tests.patch
- Added Patch223: mysql-5.0.85-disabled-tests.patch

To upgrade from previous versions of the mysql50 rpms simply execute the following command as root:

[root@linuxbox ~]# yum upgrade

To replace stock RHEL or CentOS 5 rpms with IUS packages please see the Getting Started page.