Atomic Secure Linux

All times are UTC - 5 hours [ DST ]
Posted: Wed Dec 17, 2008 9:42 pm
Forum User

Nothing worked...

Still have three that I need to pass.

TCP Port 8443 - OpenSSL which is older than 0.9.6m or 0.9.7d
TCP Port 8443 - The remote service accepts connections encrypted using SSL 2.0

TCP Port 80 - Apache Tomcat (prior to 3.3.1a) is prone to a directory listing


Port blocking / changing didn't work, 8443 still responds as a Plesk panel.

Any suggestions?


Posted: Thu Dec 18, 2008 9:57 am
Atomicorp Staff - Site Admin

You're assuming that those 3 vulnerabilities are actually true, and odds are high they aren't if you're up to date with the latest packages from the vendor.


Posted: Fri Dec 19, 2008 12:29 am
Forum User

I'm using the art channel. It states that everything is up-to-date.

I think I'm down to one issue now, the so-called Tomcat one that got added when I ran the yum update using the art channel.

We believe we figured out disabling Plesk and keeping everything online that is needed during the scan. (Can no longer access the control panel via 8443 / 8800; it loads as "page cannot be found" when I issue the "service psa stop" command!!!)


Posted: Mon Dec 29, 2008 9:46 am
Atomicorp Staff - Site Admin

So it looks like there is still an unresolved bug in PHP 5.2.8/5.2.9-dev that results in a very bad memory leak. The first one was in strtotime(), which I was able to fix, the other one is unknown at this time. I'm still digging through the php bug list and snapshots to sort it out.


Posted: Sun Jan 04, 2009 10:45 pm
Forum Regular

Scott,

Check out Fedora koji, as Remi just built php-5.2.8 for F10 and F9.

I took the 10 srpm and rpmbuilt a f8 version and put it on.

The intermittent segfaults are now gone completely!

Also you can make a F10 php now.

Cheers,


Posted: Sun Jan 04, 2009 11:38 pm
Atomicorp Staff - Site Admin

That's the one I used, and it had at least 2 separate memory leak issues. One was resolved in the -dev (pre-5.2.9) tree. The latter takes a few days to manifest on my systems here and is not related to the strtotime() leak.

The following is some test code to show the strtotime leak.

Code:
<?php

// Run with the PHP CLI on the Linux shell...
// WARNING: If this bug affects you as well, your machine
// might start swapping within just a few seconds!

// Every call parses the same fixed date string. On an affected build the
// parser's allocations are never released, so memory grows without bound.
while (true) {
    strtotime('2008-12-16 19:48:27');
}


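As an added example (not code from the thread or from Atomicorp), a bounded check that runs a fixed number of strtotime() calls and reports how much the process's resident memory grew, so a suspect build can be tested without letting the box swap. It assumes a Linux /proc filesystem and avoids PHP 5.3+ syntax so it also runs on the 5.2 CLI discussed here:

```php
<?php
// Added example, not from the original thread: a bounded version of the
// reproducer above. It makes a fixed number of strtotime() calls and
// reports how much the process's resident memory grew, so a suspect
// build can be checked without letting the box swap. Written without
// newer syntax so it also runs on a PHP 5.2 CLI.

// Resident set size in kB from /proc/self/status (Linux); null if unavailable.
function rss_kb()
{
    $status = @file_get_contents('/proc/self/status');
    if ($status === false || !preg_match('/^VmRSS:\s+(\d+)\s+kB/m', $status, $m)) {
        return null;
    }
    return (int) $m[1];
}

// Run $iterations calls with the date from the thread and return RSS growth in kB.
// RSS is used instead of memory_get_usage() because a leak inside the C-level
// date parser is not tracked by the Zend allocator.
function strtotime_rss_growth_kb($iterations, $date = '2008-12-16 19:48:27')
{
    // Warm-up: exclude one-off allocations such as loading timezone data.
    for ($i = 0; $i < 1000; $i++) {
        strtotime($date);
    }
    $before = rss_kb();
    if ($before === null) {
        die("/proc/self/status not readable; run this on Linux\n");
    }
    for ($i = 0; $i < $iterations; $i++) {
        strtotime($date);
    }
    return rss_kb() - $before;
}

$iterations = 200000;                 // a few seconds of CPU, bounded memory
$growthKb   = strtotime_rss_growth_kb($iterations);
$perCall    = ($growthKb * 1024) / $iterations;

printf("RSS growth after %d strtotime() calls: %d kB (%.1f bytes/call)\n",
       $iterations, $growthKb, $perCall);
// A non-leaking build stays near zero; steady per-call growth means the
// affected strtotime() is still in place. Exit 1 so a cron job can alert.
exit($growthKb > 1024 ? 1 : 0);
```

Run it as `php check_strtotime_leak.php` after a package update; the 1024 kB threshold is a constructed value and can be tightened once a known-good build has been measured.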
Posted: Sun Jan 11, 2009 4:02 pm
Forum User

Hello,

This memory leak is killing me, once a day! The server freezes and can be resolved only by a reboot from the serial console.

Scott, what would be the best approach until it has been eradicated? Could I downgrade to 5.2.7? Are the packages still available somewhere in your repositories for CentOS 5.2?

Regards,
Adrian


Posted: Sun Jan 11, 2009 8:15 pm
Forum Regular

This was fixed in their 5.2.8-3 build, I believe, at least the strtotime part.


Posted: Tue Jan 13, 2009 1:06 am
Forum User

Quote:
I think I'm down to one issue now, the so-called Tomcat one that got added when I ran the yum update using the art channel.


I think I "might" have it figured out.

When I just ran the httpd -M command I noticed that it was running the module "proxy_ajp_module (shared)", so I went into the conf.d folder, found a module load file for it and commented out every line. Now when I run httpd -M it does not display this module.

I hope this is the issue, it's running a PCI compliance scan now.


Posted: Tue Jan 13, 2009 2:47 am
Forum User

Nope, still says it's using Tomcat...

SecurityMetrics support is useless; they won't even answer a general false positive request, let alone any question.


Posted: Tue Jan 13, 2009 9:35 am
Atomicorp Staff - Site Admin

Thanks for following up at least! I actually make more notes on the things that don't work for me when I'm debugging than the things that do. Have you looked for all the installed tomcat packages (rpm -qa) and tried removing them?

In regard to PCI compliance testers... if they're not doing local checks you're always going to have high rates of false positives like that. It has to do with the limited way they use their (otherwise fantastic) vulnerability scanners.


Posted: Tue Jan 13, 2009 12:50 pm
Forum Regular

So 5.2.8-3 is stable enough for production now?


Posted: Tue Jan 13, 2009 12:50 pm
Forum Regular

I'm using it in production, no major problems, but I do see some segfaults every so often, although not sure why exactly.


Posted: Tue Jan 13, 2009 5:36 pm
Forum User

scott wrote:
Thanks for following up at least! I actually make more notes on the things that don't work for me when I'm debugging than the things that do. Have you looked for all the installed tomcat packages (rpm -qa) and tried removing them?

In regard to PCI compliance testers... if they're not doing local checks you're always going to have high rates of false positives like that. It has to do with the limited way they use their (otherwise fantastic) vulnerability scanners.


-bash-3.2# locate tomc
/usr/local/psa/admin/bin/tomcatmng
/usr/local/psa/admin/plib/tomcatmng.php
/usr/local/psa/admin/plib/api-cli/tomcat.php
/usr/local/psa/admin/sbin/tomcatmng
/usr/local/psa/bin/tomcat
/usr/local/psa/bin/tomcat.sh
/usr/local/psa/etc/logrotate.d/tomcat
/usr/local/psa/etc/service/tomcat.xml
/usr/local/psa/etc/service/stdmode/tomcat.xml
/usr/local/psa/etc/service/vzmode/tomcat.xml

-bash-3.2# rpm -qa | grep tomc
-bash-3.2#

