12 Mar

PHP 7.1 and MySQL 5.6


This evening, all Mr.Host servers were upgraded to support PHP 7.1 and MySQL 5.6.

Mr.Host supports several versions of PHP, including 5.3, 5.6, and now 7.1, configurable via the Mr.Host Customer Control Panel.

There are quite a few backwards-incompatible changes in the 7.x branch of PHP, but recent versions of the most common applications, such as WordPress or Joomla, will all work fine. It’s recommended that you always keep your code up to date, and that you update your site to use PHP 7.1, as there are significant performance and security improvements.

As always, if you have any questions, please feel free to contact us anytime,

The Mr.Host Team

27 Oct

Apache 2.2.25 and PHP 5.3.27 Upgrade


This evening all Mr.Host web servers were upgraded to Apache 2.2.25 and PHP 5.3.27.

Apache 2.2.25

This version of Apache is principally a security and bug fix legacy release, including the following security fixes:

  • SECURITY: CVE-2013-1896 (cve.mitre.org) mod_dav: Sending a MERGE request against a URI handled by mod_dav_svn with the source href (sent as part of the request body as XML) pointing to a URI that is not configured for DAV will trigger a segfault.
  • SECURITY: CVE-2013-1862 (cve.mitre.org) mod_rewrite: Ensure that client data written to the RewriteLog is escaped to prevent terminal escape sequences from entering the log file.

PHP 5.3.27

  • Core:
    • Fixed bug #64966 (segfault in zend_do_fcall_common_helper_SPEC).
    • Fixed bug #64960 (Segfault in gc_zval_possible_root).
    • Fixed bug #64934 (Apache2 TS crash with get_browser()).
    • Fixed bug #63186 (compile failure on netbsd).
  • DateTime:
    • Fixed bug #53437 (Crash when using unserialized DatePeriod instance).
  • PDO_firebird:
    • Fixed bug #64037 (Firebird return wrong value for numeric field).
    • Fixed bug #62024 (Cannot insert second row with null using parametrized query).
  • PDO_pgsql:
    • Fixed bug #64949 (Buffer overflow in _pdo_pgsql_error).
  • pgsql:
    • Fixed bug #64609 (pg_convert enum type support).
  • SPL:
    • Fixed bug #64997 (Segfault while using RecursiveIteratorIterator on 64-bits systems).
  • XML:
    • Fixed bug #65236 (heap corruption in xml parser).

20 Dec

PHP 5.3.20 Upgrade


This evening all Mr.Host web servers have been upgraded to PHP 5.3.20. Below are the changes since version 5.3.17:

Version 5.3.18

  • Core
    • Fixed bug #63111 (is_callable() lies for abstract static method).
    • Fixed bug #63093 (Segfault while load extension failed in zts-build).
    • Fixed bug #62976 (Notice: could not be converted to int when comparing some builtin classes).
    • Fixed bug #61767 (Shutdown functions not called in certain error situation).
    • Fixed bug #61442 (exception threw in __autoload can not be catched).
    • Fixed bug #60909 (custom error handler throwing Exception + fatal error = no shutdown function).
  • cURL
    • Fixed bug #62085 (file_get_contents a remote file by Curl wrapper will cause cpu Soaring).
  • FPM
    • Fixed bug #62954 (startup problems fpm / php-fpm).
    • Fixed bug #62886 (PHP-FPM may segfault/hang on startup).
    • Fixed bug #63085 (Systemd integration and daemonize).
    • Fixed bug #62947 (Unneccesary warnings on FPM).
    • Fixed bug #62887 (Only /status?plain&full gives “last request cpu”).
    • Fixed bug #62216 (Add PID to php-fpm init.d script).
  • Intl
    • Fix bug #62915 (defective cloning in several intl classes).
  • SOAP
    • Fixed bug #50997 (SOAP Error when trying to submit 2nd Element of a choice).
  • SPL
    • Bug #62987 (Assigning to ArrayObject[null][something] overrides all undefined variables).

Version 5.3.19

  • Core:
    • Fixed bug #63241 (PHP fails to open Windows deduplicated files).
    • Fixed bug #62444 (Handle leak in is_readable on windows).
  • Libxml:
    • Fixed bug #63389 (Missing context check on libxml_set_streams_context() causes memleak).
  • Mbstring:
    • Fixed bug #63447 (max_input_vars doesn’t filter variables when mbstring.encoding_translation = On).
  • MySQL:
    • Fixed compilation failure on mixed 32/64 bit systems.
  • OCI8:
    • Fixed bug #63265 (Add ORA-00028 to the PHP_OCI_HANDLE_ERROR macro)
  • PCRE:
    • Fixed bug #63055 (Segfault in zend_gc with SF2 testsuite).
    • Fixed bug #63284 (Upgrade PCRE to 8.31).
  • PDO:
    • Fixed bug #63235 (buffer overflow in use of SQLGetDiagRec).
  • PDO_pgsql:
    • Fixed bug #62593 (Emulate prepares behave strangely with PARAM_BOOL).
  • Phar:
    • Fixed bug #63297 (Phar fails to write an openssl based signature).
  • Streams:
    • Fixed bug #63240 (stream_get_line() return contains delimiter string).

Version 5.3.20

  • Zend Engine:
    • Fixed bug #63635 (Segfault in gc_collect_cycles).
    • Fixed bug #63512 (parse_ini_file() with INI_SCANNER_RAW removes quotes from value).
    • Fixed bug #63468 (wrong called method as callback with inheritance).
  • Core:
    • Fixed bug #63451 (config.guess file does not have AIX 7 defined, shared objects are not created).
    • Fixed bug #63377 (Segfault on output buffer).
  • Apache2 Handler SAPI:
    • Enabled Apache 2.4 configure option for Windows.
  • Date:
    • Fixed bug #63435 (Datetime::format('u') sometimes wrong by 1 microsecond).
  • Fileinfo:
    • Fixed bug #63248 (Load multiple magic files from a directory under Windows).
    • Fixed bug #63590 (Different results in TS and NTS under Windows).
  • FPM:
    • Fixed bug #63581 (Possible null dereference and buffer overflow).
  • Imap:
    • Fixed bug #63126 (DISABLE_AUTHENTICATOR ignores array).
  • MySQLnd:
    • Fixed bug #63398 (Segfault when polling closed link).
  • Reflection:
    • Fixed bug #63614 (Fatal error on Reflection).
  • SOAP
    • Fixed bug #63271 (SOAP wsdl cache is not enabled after initial requests).

24 Sep

PHP 5.3.17 Upgrade


This evening all Mr.Host web servers have been upgraded to PHP 5.3.17. We missed a few updates between 5.3.14 and 5.3.17, so this post outlines all the changes since 5.3.14.

5.3.15

  • Zend Engine
    • Fixed bug #51094 (parse_ini_file() with INI_SCANNER_RAW cuts a value that includes a semi-colon)
  • COM
    • Fixed bug #62146 com_dotnet cannot be built shared
  • Core
    • Fixed potential overflow in _php_stream_scandir, CVE-2012-2688
    • Fixed bug #62432 (ReflectionMethod random corrupt memory on high concurrent)
    • Fixed bug #62443 (Crypt SHA256/512 Segfaults With Malformed Salt)
  • Fileinfo
    • Fixed magic file regex support
  • FPM
    • Fixed bug #61045 (fpm don’t send error log to fastcgi clients)
    • Fixed bug #61835 (php-fpm is not allowed to run as root)
    • Fixed bug #61295 (php-fpm should not fail with commented ‘user’ for non-root start)
    • Fixed bug #61026 (FPM pools can listen on the same address)
    • Fixed bug #62033 (php-fpm exits with status 0 on some failures to start)
    • Fixed bug #62153 (when using unix sockets, multiples FPM instances can be launched without errors)
    • Fixed bug #62160 (Add process.priority to set nice(2) priorities)
    • Fixed bug #61218 (FPM drops connection while receiving some binary values in FastCGI requests)
    • Fixed bug #62205 (php-fpm segfaults (null passed to strstr))
  • Intl
    • Fixed bug #62083 (grapheme_extract() memory leaks)
    • Fixed bug #62081 (IntlDateFormatter constructor leaks memory when called twice)
    • Fixed bug #62070 (Collator::getSortKey() returns garbage)
    • Fixed bug #62017 (datefmt_create with incorrectly encoded timezone leaks pattern)
    • Fixed bug #60785 (memory leak in IntlDateFormatter constructor)
  • JSON
    • Reverted fix for bug #61537
  • Phar
    • Fixed bug #62227 (Invalid phar stream path causes crash)
  • Reflection
    • Fixed bug #62384 (Attempting to invoke a Closure more than once causes segfault)
    • Fixed bug #62202 (ReflectionParameter::getDefaultValue() memory leaks with constant)
  • SPL
    • Fixed bug #62262 (RecursiveArrayIterator does not implement Countable)
  • SQLite
    • Fixed open_basedir bypass, CVE-2012-3365
  • XML Write
    • Fixed bug #62064 (memory leak in the XML Writer module)
  • Zip
    • Upgraded libzip to 0.10

5.3.16

  • Core
    • Fixed bug #62763 (register_shutdown_function and extending class).
    • Fixed bug #62744 (dangling pointers made by zend_disable_class).
    • Fixed bug #62716 (munmap() is called with the incorrect length).
    • Fixed bug #62460 (php binaries installed as binary.dSYM).
    • Fixed bug #60194 (--with-zend-multibyte and --enable-debug reports LEAK with run-test.php).
  • CURL
    • Fixed bug #62839 (curl_copy_handle segfault with CURLOPT_FILE).
    • Fixed bug #62499 (curl_setopt($ch, CURLOPT_COOKIEFILE, "") returns false).
  • DateTime
    • Fixed bug #62500 (Segfault in DateInterval class when extended).
  • Enchant
    • Fixed bug #62838 (enchant_dict_quick_check() destroys zval, but fails to initialize it).
  • PDO
    • Fixed bug #62685 (Wrong return datatype in PDO::inTransaction()).
  • Reflection
    • Fixed bug #62715 (ReflectionParameter::isDefaultValueAvailable() wrong result).
  • Session
    • Fixed bug (segfault due to retval is not initialized).
  • SPL
    • Fixed bug #62616 (ArrayIterator::count() from IteratorIterator instance gives Segmentation fault)

5.3.17

  • Core
    • Fixed bug (segfault while build with zts and GOTO vm-kind)
    • Fixed bug #62955 (Only one directive is loaded from “Per Directory Values” Windows registry)
    • Fixed bug #62763 (register_shutdown_function and extending class)
    • Fixed bug #62744 (dangling pointers made by zend_disable_class)
    • Fixed bug #62716 (munmap() is called with the incorrect length)
    • Fixed bug #62460 (php binaries installed as binary.dSYM)
  • CURL
    • Fixed bug #62839 (curl_copy_handle segfault with CURLOPT_FILE)
  • DateTime
    • Fixed bug #62852 (Unserialize invalid DateTime causes crash)
  • Intl
    • Fix null pointer dereferences in some classes of ext/intl
  • MySQLnd
    • Fixed bug #62885 (mysqli_poll – Segmentation fault)
  • PDO
    • Fixed bug #62685 (Wrong return datatype in PDO::inTransaction())
  • Session
    • Fixed bug (segfault due to retval is not initialized)
  • SPL
    • Fixed bug #62904 (Crash when cloning an object which inherits SplFixedArray)
  • Enchant
    • Fixed bug #62838 (enchant_dict_quick_check() destroys zval, but fails to initialize it)

02 Jul

PHP 5.3.14 Upgrade


This evening all Mr.Host web servers have been upgraded to PHP 5.3.14. We missed a few updates between 5.3.10 and 5.3.14, so this post outlines all the changes since 5.3.10.

5.3.11

Security Enhancements for both PHP 5.3.11 and PHP 5.4.1:

    • Fixed bug #54374 (Insufficient validating of upload name leading to corrupted $_FILES indices). (CVE-2012-1172).
    • Add open_basedir checks to readline_write_history and readline_read_history.

Security Enhancement affecting PHP 5.3.11 only:

    • Fixed bug #61043 (Regression in magic_quotes_gpc fix for CVE-2012-0831).

Key enhancements in these releases include:

    • Added debug info handler to DOM objects.
    • Fixed bug #61172 (Add Apache 2.4 support).

5.3.12, 5.3.13

The releases complete a fix for a vulnerability in CGI-based setups (CVE-2012-2311). Note: mod_php and php-fpm are not vulnerable to this attack.

PHP 5.4.3 fixes a buffer overflow vulnerability in apache_request_headers() (CVE-2012-2329). The PHP 5.3 series is not vulnerable to this issue.

5.3.14

The release fixes multiple security issues: a weakness in the DES implementation of crypt and a heap overflow issue in the phar extension.

PHP 5.4.4 and PHP 5.3.14 fix over 30 bugs. Please note that the use of php://fd streams is now restricted to the CLI SAPI.

For a full list of changes from PHP v 5.3.10 to 5.3.14, see the ChangeLog.