27Oct

Apache 2.2.25 and PHP 5.3.27 Upgrade


This evening all Mr.Host web servers were upgraded to Apache 2.2.25 and PHP 5.3.27.

Apache 2.2.25

This version of Apache is principally a security and bug-fix release for the legacy 2.2 branch. It includes the following security fixes:

  • SECURITY: CVE-2013-1896 (cve.mitre.org) mod_dav: Sending a MERGE request against a URI handled by mod_dav_svn, with the source href (sent as XML in the request body) pointing to a URI that is not configured for DAV, will trigger a segfault. This crashes the serving process and is a remotely triggerable denial of service on servers running mod_dav_svn.
  • SECURITY: CVE-2013-1862 (cve.mitre.org) mod_rewrite: Ensure that client data written to the RewriteLog is escaped, so that terminal escape sequences supplied by a client (for example inside a request URI) cannot reach the log file and be interpreted by the terminal of an administrator who later views it.
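To make the mod_rewrite fix concrete, here is an added example (not Apache's code and not part of the original post). escape_logitem() is modelled on the behaviour of Apache's ap_escape_logitem(): printable ASCII passes through, backslash and double quote get a backslash, a few control characters use their C names, and every other byte becomes \xHH. find_terminal_escapes() is a detector you could run over existing logs to see whether raw escape sequences ever got in. The log-line format, the IP address, and the malicious URI are constructed for the example; a real client would send the URI percent-encoded and the server decodes it before mod_rewrite logs it (assumption about the decoding point).

```python
"""Why CVE-2013-1862 matters and what escaping the RewriteLog does.

Added example, not Apache's code.  escape_logitem() approximates
ap_escape_logitem(); the log lines and URI below are constructed.
"""
import re

# ANSI/VT control sequences: CSI (ESC [ params intermediates final) and
# OSC (ESC ] ... terminated by BEL or ESC \).  Raw 0x1b bytes only.
_ANSI_RE = re.compile(r"\x1b\[[0-?]*[ -/]*[@-~]|\x1b\][^\x07\x1b]*(?:\x07|\x1b\\)")

# Control characters Apache names explicitly; everything else non-printable
# becomes \xHH (assumption: byte set approximated from server/util.c).
_SIMPLE = {"\b": "\\b", "\n": "\\n", "\r": "\\r", "\t": "\\t", "\v": "\\v",
           "\\": "\\\\", '"': '\\"'}


def escape_logitem(s: str) -> str:
    """Escape a client-supplied value before it is written to a log file."""
    out = []
    for b in s.encode("utf-8", "surrogateescape"):   # work on bytes, like C
        ch = chr(b)
        if ch in _SIMPLE:
            out.append(_SIMPLE[ch])
        elif 0x20 <= b < 0x7f:                        # printable ASCII
            out.append(ch)
        else:                                          # controls and high bytes
            out.append("\\x%02x" % b)
    return "".join(out)


def find_terminal_escapes(line: str) -> list:
    """Return the raw terminal control sequences present in one log line."""
    return _ANSI_RE.findall(line)


def rewrite_log_line(uri: str, escape: bool) -> str:
    """Constructed approximation of a 2.2 RewriteLog entry embedding the URI.

    escape=False models the pre-2.2.25 behaviour, escape=True the fix.
    """
    value = escape_logitem(uri) if escape else uri
    return ("192.0.2.10 - - [27/Oct/2013:21:00:00 -0400] "
            "[example.test/sid#1][rid#2/initial] (2) "
            f"init rewrite engine with requested uri {value}")


# Constructed attacker URI: clear the screen, home the cursor, retitle the
# terminal window.  Anyone running `tail -f rewrite.log` would see it act.
MALICIOUS_URI = "/index.php?q=\x1b[2J\x1b[H\x1b]0;pwned\x07"


def compare() -> dict:
    """Escape sequences found in the vulnerable vs. fixed log line."""
    return {
        "unescaped": find_terminal_escapes(rewrite_log_line(MALICIOUS_URI, escape=False)),
        "escaped": find_terminal_escapes(rewrite_log_line(MALICIOUS_URI, escape=True)),
    }


if __name__ == "__main__":
    for name, hits in compare().items():
        print(f"{name:9s} raw control sequences: {len(hits)}")
    print(rewrite_log_line(MALICIOUS_URI, escape=True))
```

The detector is also a reasonable one-off check against older logs: any hit on a file written by a pre-2.2.25 RewriteLog means a client got raw control bytes onto disk, and those files should be viewed with `less` (which renders them) or `cat -v` rather than plain `cat` or `tail`.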

PHP 5.3.27

  • Core:
    • Fixed bug #64966 (segfault in zend_do_fcall_common_helper_SPEC).
    • Fixed bug #64960 (Segfault in gc_zval_possible_root).
    • Fixed bug #64934 (Apache2 TS crash with get_browser()).
    • Fixed bug #63186 (compile failure on netbsd).
  • DateTime:
    • Fixed bug #53437 (Crash when using unserialized DatePeriod instance).
  • PDO_firebird:
    • Fixed bug #64037 (Firebird return wrong value for numeric field).
    • Fixed bug #62024 (Cannot insert second row with null using parametrized query).
  • PDO_pgsql:
    • Fixed bug #64949 (Buffer overflow in _pdo_pgsql_error).
  • pgsql:
    • Fixed bug #64609 (pg_convert enum type support).
  • SPL:
    • Fixed bug #64997 (Segfault while using RecursiveIteratorIterator on 64-bits systems).
  • XML:
    • Fixed bug #65236 (heap corruption in xml parser).
31Mar

GST/HST Changes for BC and PEI


As you may already know, the Canada Revenue Agency is changing how sales taxes are administered in British Columbia and Prince Edward Island.

British Columbia

On April 1, 2013 the 12% HST will be replaced by the 5% GST.

Prince Edward Island

On April 1, 2013 PEI will follow the provinces of Ontario, Nova Scotia, New Brunswick, and Newfoundland and Labrador in replacing its PST with the HST. The combined HST rate in PEI will be 14%, of which 5% will represent the federal part and 9% the provincial part.

Mr.Host will be adjusting our tax rates as of midnight on April 1st, 2013. Good news for our BC customers, whose monthly bills will be going down; unfortunately, our PEI customers aren’t as lucky.

20Dec

PHP 5.3.20 Upgrade


This evening all Mr.Host web servers have been upgraded to PHP 5.3.20. Below are the changes since version 5.3.17:

Version 5.3.18

  • Core
    • Fixed bug #63111 (is_callable() lies for abstract static method).
    • Fixed bug #63093 (Segfault while load extension failed in zts-build).
    • Fixed bug #62976 (Notice: could not be converted to int when comparing some builtin classes).
    • Fixed bug #61767 (Shutdown functions not called in certain error situation).
    • Fixed bug #61442 (exception threw in __autoload can not be catched).
    • Fixed bug #60909 (custom error handler throwing Exception + fatal error = no shutdown function).
  • cURL
    • Fixed bug #62085 (file_get_contents a remote file by Curl wrapper will cause cpu Soaring).
  • FPM
    • Fixed bug #62954 (startup problems fpm / php-fpm).
    • Fixed bug #62886 (PHP-FPM may segfault/hang on startup).
    • Fixed bug #63085 (Systemd integration and daemonize).
    • Fixed bug #62947 (Unnecessary warnings on FPM).
    • Fixed bug #62887 (Only /status?plain&full gives “last request cpu”).
    • Fixed bug #62216 (Add PID to php-fpm init.d script).
  • Intl
    • Fix bug #62915 (defective cloning in several intl classes).
  • SOAP
    • Fixed bug #50997 (SOAP Error when trying to submit 2nd Element of a choice).
  • SPL
    • Fixed bug #62987 (Assigning to ArrayObject[null][something] overrides all undefined variables).

Version 5.3.19

  • Core:
    • Fixed bug #63241 (PHP fails to open Windows deduplicated files).
    • Fixed bug #62444 (Handle leak in is_readable on windows).
  • Libxml:
    • Fixed bug #63389 (Missing context check on libxml_set_streams_context() causes memleak).
  • Mbstring:
    • Fixed bug #63447 (max_input_vars doesn’t filter variables when mbstring.encoding_translation = On).
  • MySQL:
    • Fixed compilation failure on mixed 32/64 bit systems.
  • OCI8:
    • Fixed bug #63265 (Add ORA-00028 to the PHP_OCI_HANDLE_ERROR macro)
  • PCRE:
    • Fixed bug #63055 (Segfault in zend_gc with SF2 testsuite).
    • Fixed bug #63284 (Upgrade PCRE to 8.31).
  • PDO:
    • Fixed bug #63235 (buffer overflow in use of SQLGetDiagRec).
  • PDO_pgsql:
    • Fixed bug #62593 (Emulate prepares behave strangely with PARAM_BOOL).
  • Phar:
    • Fixed bug #63297 (Phar fails to write an openssl based signature).
  • Streams:
    • Fixed bug #63240 (stream_get_line() return contains delimiter string).

Version 5.3.20

  • Zend Engine:
    • Fixed bug #63635 (Segfault in gc_collect_cycles).
    • Fixed bug #63512 (parse_ini_file() with INI_SCANNER_RAW removes quotes from value).
    • Fixed bug #63468 (wrong called method as callback with inheritance).
  • Core:
    • Fixed bug #63451 (config.guess file does not have AIX 7 defined, shared objects are not created).
    • Fixed bug #63377 (Segfault on output buffer).
  • Apache2 Handler SAPI:
    • Enabled Apache 2.4 configure option for Windows.
  • Date:
    • Fixed bug #63435 (Datetime::format(‘u’) sometimes wrong by 1 microsecond).
  • Fileinfo:
    • Fixed bug #63248 (Load multiple magic files from a directory under Windows).
    • Fixed bug #63590 (Different results in TS and NTS under Windows).
  • FPM:
    • Fixed bug #63581 (Possible null dereference and buffer overflow).
  • Imap:
    • Fixed bug #63126 (DISABLE_AUTHENTICATOR ignores array).
  • MySQLnd:
    • Fixed bug #63398 (Segfault when polling closed link).
  • Reflection:
    • Fixed bug #63614 (Fatal error on Reflection).
  • SOAP
    • Fixed bug #63271 (SOAP wsdl cache is not enabled after initial requests).
24Sep

PHP 5.3.17 Upgrade


This evening all Mr.Host web servers have been upgraded to PHP 5.3.17. We missed a few updates between 5.3.14 and 5.3.17, so this post outlines all the changes since 5.3.14.

5.3.15

  • Zend Engine
    • Fixed bug #51094 (parse_ini_file() with INI_SCANNER_RAW cuts a value that includes a semi-colon)
  • COM
    • Fixed bug #62146 (com_dotnet cannot be built shared)
  • Core
    • Fixed potential overflow in _php_stream_scandir, CVE-2012-2688
    • Fixed bug #62432 (ReflectionMethod random corrupt memory on high concurrent)
    • Fixed bug #62443 (Crypt SHA256/512 Segfaults With Malformed Salt)
  • Fileinfo
    • Fixed magic file regex support
  • FPM
    • Fixed bug #61045 (fpm don’t send error log to fastcgi clients)
    • Fixed bug #61835 (php-fpm is not allowed to run as root)
    • Fixed bug #61295 (php-fpm should not fail with commented ‘user’ for non-root start)
    • Fixed bug #61026 (FPM pools can listen on the same address)
    • Fixed bug #62033 (php-fpm exits with status 0 on some failures to start)
    • Fixed bug #62153 (when using unix sockets, multiples FPM instances can be launched without errors)
    • Fixed bug #62160 (Add process.priority to set nice(2) priorities)
    • Fixed bug #61218 (FPM drops connection while receiving some binary values in FastCGI requests)
    • Fixed bug #62205 (php-fpm segfaults (null passed to strstr))
  • Intl
    • Fixed bug #62083 (grapheme_extract() memory leaks)
    • Fixed bug #62081 (IntlDateFormatter constructor leaks memory when called twice)
    • Fixed bug #62070 (Collator::getSortKey() returns garbage)
    • Fixed bug #62017 (datefmt_create with incorrectly encoded timezone leaks pattern)
    • Fixed bug #60785 (memory leak in IntlDateFormatter constructor)
  • JSON
    • Reverted fix for bug #61537
  • Phar
    • Fixed bug #62227 (Invalid phar stream path causes crash)
  • Reflection
    • Fixed bug #62384 (Attempting to invoke a Closure more than once causes segfault)
    • Fixed bug #62202 (ReflectionParameter::getDefaultValue() memory leaks with constant)
  • SPL
    • Fixed bug #62262 (RecursiveArrayIterator does not implement Countable)
  • SQLite
    • Fixed open_basedir bypass, CVE-2012-3365
  • XML Write
    • Fixed bug #62064 (memory leak in the XML Writer module)
  • Zip
    • Upgraded libzip to 0.10

5.3.16

  • Core
    • Fixed bug #62763 (register_shutdown_function and extending class).
    • Fixed bug #62744 (dangling pointers made by zend_disable_class).
    • Fixed bug #62716 (munmap() is called with the incorrect length).
    • Fixed bug #62460 (php binaries installed as binary.dSYM).
    • Fixed bug #60194 (--with-zend-multibyte and --enable-debug reports LEAK with run-test.php).
  • CURL
    • Fixed bug #62839 (curl_copy_handle segfault with CURLOPT_FILE).
    • Fixed bug #62499 (curl_setopt($ch, CURLOPT_COOKIEFILE, “”) returns false).
  • DateTime
    • Fixed bug #62500 (Segfault in DateInterval class when extended).
  • Enchant
    • Fixed bug #62838 (enchant_dict_quick_check() destroys zval, but fails to initialize it).
  • PDO
    • Fixed bug #62685 (Wrong return datatype in PDO::inTransaction()).
  • Reflection
    • Fixed bug #62715 (ReflectionParameter::isDefaultValueAvailable() wrong result).
  • Session
    • Fixed bug (segfault due to retval not being initialized).
  • SPL
    • Fixed bug #62616 (ArrayIterator::count() from IteratorIterator instance gives Segmentation fault)

5.3.17

  • Core
    • Fixed bug (segfault when built with ZTS and the GOTO VM kind)
    • Fixed bug #62955 (Only one directive is loaded from “Per Directory Values” Windows registry)
    • Fixed bug #62763 (register_shutdown_function and extending class)
    • Fixed bug #62744 (dangling pointers made by zend_disable_class)
    • Fixed bug #62716 (munmap() is called with the incorrect length)
    • Fixed bug #62460 (php binaries installed as binary.dSYM)
  • CURL
    • Fixed bug #62839 (curl_copy_handle segfault with CURLOPT_FILE)
  • DateTime
    • Fixed bug #62852 (Unserialize invalid DateTime causes crash)
  • Intl
    • Fix null pointer dereferences in some classes of ext/intl
  • MySQLnd
    • Fixed bug #62885 (mysqli_poll – Segmentation fault)
  • PDO
    • Fixed bug #62685 (Wrong return datatype in PDO::inTransaction())
  • Session
    • Fixed bug (segfault due to retval not being initialized)
  • SPL
    • Fixed bug #62904 (Crash when cloning an object which inherits SplFixedArray)
  • Enchant
    • Fixed bug #62838 (enchant_dict_quick_check() destroys zval, but fails to initialize it)
02Jul

Secure FTP (Implicit and Explicit FTPS)


We’re excited to announce that the Mr.Host FTP servers have been upgraded to support secure, encrypted connections for all Mr.Host web hosting customers.

We’ve included support for both “implicit” SSL (running on port 990) and “explicit” TLS (also referred to as AUTH TLS or FTPES), running on the standard FTP port 21.

How to Upgrade

We’ve added a Knowledge Base article with details on how to enable encrypted FTP in the most common FTP clients, available here:

http://mrhost.ca/system/knowledge-base/ftp-access/ftp-client-setup/secure-ftp-using-ssl-encryption-with-ftp/

If you have any questions or need help configuring your FTP client, you can contact us at help@mrhost.ca

Technical Stuff – Implicit vs Explicit vs FTPS vs SFTP

There seems to be a lot of confusion over the different types of secure FTP, as there are several methods of securely transferring files that have been called “Secure FTP” at one point or another:

FTPS

Explicit FTPS is an extension to the FTP standard that allows clients to request that the FTP session be encrypted. This is done by sending the “AUTH TLS” command on the normal FTP control connection before logging in. The server has the option of allowing or denying connections that do not request TLS, so the protection is only as good as the client’s configuration: a client should be set to require TLS (and fail rather than fall back to plain FTP), should verify the server certificate, and should also request protection for the data channel (“PROT P”), since “AUTH TLS” on its own only encrypts the control connection. This protocol extension is defined in the proposed standard RFC 4217.

Implicit FTPS is an older, deprecated approach in which the client opens an SSL or TLS connection first and only then speaks FTP inside it, so every connection is encrypted without any negotiation. Because of that it uses a different port from plain FTP (usually port 990).

Mr.Host supports both of these FTPS methods.
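The explicit FTPS description above leaves three things implicit that are easy to get wrong when configuring a client. The following added example (not Mr.Host’s code and not from the original post) models the control-channel exchange with a small in-memory stand-in for the server, so that both sides’ messages can be seen without a live FTP server. The reply texts, the “require TLS” policy switch, the dummy credentials and the client command lists are all constructed for the example; only the command sequence (AUTH TLS, PBSZ 0, PROT P, then USER/PASS) follows RFC 4217.

```python
"""Model of the explicit FTPS (RFC 4217) control-channel exchange.

Added example, not Mr.Host code.  The server is an in-memory stand-in
(assumption: simplified command set and reply texts).  It shows:
  1. AUTH TLS is requested by the client, so a server that merely *allows*
     TLS lets a legacy client log in over plaintext (password exposed).
  2. A server that *requires* TLS refuses USER/PASS until AUTH TLS.
  3. AUTH TLS protects only the control channel; the data channel stays
     clear (PROT C, the RFC 4217 default) until the client sends PROT P.
"""


class ExplicitFtpsServer:
    """Minimal state machine for one control connection (assumed replies)."""

    def __init__(self, require_tls: bool):
        self.require_tls = require_tls
        self.tls = False          # control channel upgraded by AUTH TLS?
        self.pbsz_done = False    # PBSZ 0 must precede PROT (RFC 4217)
        self.prot = "C"           # data-channel protection: Clear by default
        self.logged_in = False
        self.transcript = []      # (command, reply, control_channel_encrypted)

    def handle(self, line: str) -> str:
        verb, _, arg = line.partition(" ")
        verb, arg = verb.upper(), arg.upper()
        if verb == "AUTH":
            if arg == "TLS" and not self.tls:
                self.tls = True   # the TLS handshake would follow this reply
                reply = "234 AUTH TLS successful"
            else:
                reply = "504 Unsupported security mechanism"
        elif verb == "PBSZ":
            reply = "200 PBSZ=0" if self.tls else "503 Bad sequence of commands (AUTH first)"
            self.pbsz_done = self.tls
        elif verb == "PROT":
            if not self.pbsz_done:
                reply = "503 Bad sequence of commands (PBSZ first)"
            elif arg in ("C", "P"):
                self.prot = arg
                reply = f"200 Protection level set to {arg}"
            else:
                reply = "536 Requested PROT level not supported"
        elif verb in ("USER", "PASS"):
            if self.require_tls and not self.tls:
                reply = "530 Non-anonymous sessions must use encryption"
            elif verb == "USER":
                reply = "331 Password required"
            else:
                self.logged_in = True
                reply = "230 Login successful"
        elif verb in ("RETR", "STOR", "LIST"):
            if not self.logged_in:
                reply = "530 Not logged in"
            else:
                chan = "TLS" if self.prot == "P" else "CLEARTEXT"
                reply = f"150 Opening {chan} data connection"
        else:
            reply = "502 Command not implemented"
        self.transcript.append((line, reply, self.tls))
        return reply


def credentials_exposed(server: ExplicitFtpsServer) -> bool:
    """True if USER or PASS crossed the wire before the control channel was TLS."""
    return any(cmd.upper().startswith(("USER ", "PASS ")) and not tls
               for cmd, _, tls in server.transcript)


# Constructed client behaviours (dummy credentials).  The legacy client is
# modelled as sending PASS even after a 530, which is what exposes the secret.
HARDENED_CLIENT = ["AUTH TLS", "PBSZ 0", "PROT P", "USER alice", "PASS s3cret", "RETR site.tar"]
CONTROL_ONLY_CLIENT = ["AUTH TLS", "USER alice", "PASS s3cret", "RETR site.tar"]  # forgot PROT P
LEGACY_CLIENT = ["USER alice", "PASS s3cret", "RETR site.tar"]                    # plain FTP


def summarize(require_tls: bool, commands: list) -> dict:
    """Run one client script against one server policy and report the outcome."""
    srv = ExplicitFtpsServer(require_tls)
    for cmd in commands:
        srv.handle(cmd)
    return {
        "logged_in": srv.logged_in,
        "password_in_clear": credentials_exposed(srv),
        "data_channel": "TLS" if srv.prot == "P" else "CLEARTEXT",
        "last_reply": srv.transcript[-1][1],
    }


if __name__ == "__main__":
    for policy_name, policy in (("TLS optional", False), ("TLS required", True)):
        for client_name, cmds in (("hardened", HARDENED_CLIENT),
                                  ("control-only", CONTROL_ONLY_CLIENT),
                                  ("legacy", LEGACY_CLIENT)):
            print(f"{policy_name:13s} {client_name:13s} {summarize(policy, cmds)}")
```

The “control-only” row is the one that surprises people: the login is encrypted, the session looks secure in the client, and every file still travels in the clear. In Python’s ftplib, for instance, FTP_TLS.login() sends AUTH TLS for you, but you must call prot_p() yourself, and you should pass context=ssl.create_default_context() because the default context does not verify the server certificate.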

SFTP

SFTP is not actually FTP at all, but the SSH File Transfer Protocol: a method for copying files over an SSH connection, using a command set that resembles FTP’s.

Mr.Host does not currently support this.