PHP 5.2 can be driven into a denial of service with crafted hash collisions. For this vulnerability the PHP project released PHP 5.3.9, but it will not release a PHP 5.2.18. For 5.2, the patch below fixes the problem:
https://github.com/laruence/laruence.github.com/tree/master/php-5.2-max-input-vars
Currently known affected languages/platforms and versions:
Java, all versions
JRuby <= 1.6.5
PHP <= 5.3.8, <= 5.4.0RC3
Python, all versions
Rubinius, all versions
Ruby <= 1.8.7-p356
Apache Geronimo, all versions
Apache Tomcat <= 5.5.34, <= 6.0.34, <= 7.0.22
Oracle Glassfish <= 3.1.1
Jetty, all versions
Plone, all versions
Rack, all versions
V8 JavaScript Engine, all versions
Languages not affected, or versions that carry the fix:
PHP >= 5.3.9, >= 5.4.0RC4
JRuby >= 1.6.5.1
Ruby >= 1.8.7-p357, 1.9.x
Apache Tomcat >= 5.5.35, >= 6.0.35, >= 7.0.23
Oracle Glassfish, N/A (Oracle reports that the issue is fixed in the main codeline and scheduled for a future CPU)
Upgrade PHP from 5.2.14 to 5.2.17 and apply the patch. Download the patch: https://github.com/laruence/laruence.github.com/zipball/master
Change to the directory used for the previous PHP build:
cd src/lempelf/package/
wget http://www.php.net/get/php-5.2.17.tar.gz/from/kr.php.net/mirror
wget http://php-fpm.org/downloads/php-5.2.17-fpm-0.5.14.diff.gz
tar zxvf php-5.2.17.tar.gz
gzip -cd php-5.2.17-fpm-0.5.14.diff.gz | patch -d php-5.2.17 -p1
patching file configure
Hunk #7 succeeded at 110645 (offset 1324 lines).
Hunk #9 succeeded at 119634 (offset 1324 lines).
patching file configure.in
patching file libevent/ChangeLog
patching file libevent/Makefile.am
patching file libevent/Makefile.in
patching file libevent/README
patching file libevent/aclocal.m4
patching file libevent/autogen.sh
patching file libevent/buffer.c
patching file libevent/compat/sys/_time.h
patching file libevent/compat/sys/queue.h
patching file libevent/config.h.in
patching file libevent/configure
patching file libevent/configure.in
patching file libevent/depcomp
patching file libevent/devpoll.c
patching file libevent/epoll.c
patching file libevent/epoll_sub.c
patching file libevent/evbuffer.c
patching file libevent/event-config.h
patching file libevent/event-fpm.h
patching file libevent/event-internal.h
patching file libevent/event.3
patching file libevent/event.c
patching file libevent/event.h
patching file libevent/evhttp.h
patching file libevent/evport.c
patching file libevent/evsignal.h
patching file libevent/evutil.c
patching file libevent/evutil.h
patching file libevent/http-internal.h
patching file libevent/http.c
patching file libevent/install-sh
patching file libevent/kqueue.c
patching file libevent/log.c
patching file libevent/log.h
patching file libevent/min_heap.h
patching file libevent/missing
patching file libevent/poll.c
patching file libevent/select.c
patching file libevent/signal.c
patching file libevent/strlcpy-internal.h
patching file libevent/strlcpy.c
patching file main/php_config.h.in
patching file sapi/cgi/Makefile.frag
patching file sapi/cgi/cgi_main.c
patching file sapi/cgi/config9.m4
patching file sapi/cgi/fastcgi.c
patching file sapi/cgi/fastcgi.h
patching file sapi/cgi/fpm/Makefile.frag
patching file sapi/cgi/fpm/acinclude.m4
patching file sapi/cgi/fpm/conf/php-fpm.conf.in
patching file sapi/cgi/fpm/config.m4
patching file sapi/cgi/fpm/fpm.c
patching file sapi/cgi/fpm/fpm.h
patching file sapi/cgi/fpm/fpm_arrays.h
patching file sapi/cgi/fpm/fpm_atomic.h
patching file sapi/cgi/fpm/fpm_autoconf.h.in
patching file sapi/cgi/fpm/fpm_children.c
patching file sapi/cgi/fpm/fpm_children.h
patching file sapi/cgi/fpm/fpm_cleanup.c
patching file sapi/cgi/fpm/fpm_cleanup.h
patching file sapi/cgi/fpm/fpm_clock.c
patching file sapi/cgi/fpm/fpm_clock.h
patching file sapi/cgi/fpm/fpm_conf.c
patching file sapi/cgi/fpm/fpm_conf.h
patching file sapi/cgi/fpm/fpm_config.h
patching file sapi/cgi/fpm/fpm_env.c
patching file sapi/cgi/fpm/fpm_env.h
patching file sapi/cgi/fpm/fpm_events.c
patching file sapi/cgi/fpm/fpm_events.h
patching file sapi/cgi/fpm/fpm_php.c
patching file sapi/cgi/fpm/fpm_php.h
patching file sapi/cgi/fpm/fpm_php_trace.c
patching file sapi/cgi/fpm/fpm_php_trace.h
patching file sapi/cgi/fpm/fpm_process_ctl.c
patching file sapi/cgi/fpm/fpm_process_ctl.h
patching file sapi/cgi/fpm/fpm_request.c
patching file sapi/cgi/fpm/fpm_request.h
patching file sapi/cgi/fpm/fpm_shm.c
patching file sapi/cgi/fpm/fpm_shm.h
patching file sapi/cgi/fpm/fpm_shm_slots.c
patching file sapi/cgi/fpm/fpm_shm_slots.h
patching file sapi/cgi/fpm/fpm_signals.c
patching file sapi/cgi/fpm/fpm_signals.h
patching file sapi/cgi/fpm/fpm_sockets.c
patching file sapi/cgi/fpm/fpm_sockets.h
patching file sapi/cgi/fpm/fpm_stdio.c
patching file sapi/cgi/fpm/fpm_stdio.h
patching file sapi/cgi/fpm/fpm_str.h
patching file sapi/cgi/fpm/fpm_trace.c
patching file sapi/cgi/fpm/fpm_trace.h
patching file sapi/cgi/fpm/fpm_trace_mach.c
patching file sapi/cgi/fpm/fpm_trace_pread.c
patching file sapi/cgi/fpm/fpm_trace_ptrace.c
patching file sapi/cgi/fpm/fpm_unix.c
patching file sapi/cgi/fpm/fpm_unix.h
patching file sapi/cgi/fpm/fpm_worker_pool.c
patching file sapi/cgi/fpm/fpm_worker_pool.h
patching file sapi/cgi/fpm/init.d/php-fpm.in
patching file sapi/cgi/fpm/xml_config.c
patching file sapi/cgi/fpm/xml_config.h
patching file sapi/cgi/fpm/zlog.c
patching file sapi/cgi/fpm/zlog.h
unzip laruence-laruence.github.com-43969a1.zip
cd php-5.2.17
patch -p1
patching file configure
Hunk #1 succeeded at 2176 (offset 11 lines).
patching file configure.in
patching file main/main.c
patching file main/php_globals.h
patching file main/php_variables.c
patching file main/php_version.h
With both patches applied, rebuild PHP:
./configure --prefix=/opt/php-5.2.17p1 --with-config-file-path=/opt/php-5.2.17p1/etc \
  --with-mysql=/opt/mysql --with-mysqli=/opt/mysql/bin/mysql_config \
  --with-iconv-dir=/usr/local --with-freetype-dir --with-jpeg-dir --with-png-dir \
  --with-zlib --with-libxml-dir=/usr --disable-rpath --enable-discard-path \
  --enable-safe-mode --enable-bcmath --enable-shmop --enable-sysvsem \
  --enable-inline-optimization --with-curl --with-curlwrappers --enable-mbregex \
  --enable-fastcgi --enable-fpm --enable-force-cgi-redirect --enable-mbstring \
  --with-mcrypt --with-gd --enable-gd-native-ttf --with-openssl --with-mhash \
  --enable-pcntl --enable-sockets --with-xmlrpc --enable-zip --enable-soap \
  --enable-xml --enable-zend-multibyte --disable-debug --disable-ipv6
make ZEND_EXTRA_LIBS='-liconv'
make install
cd ../memcache-3.0.5
make clean
/opt/php-5.2.17p1/bin/phpize
./configure --with-php-config=/opt/php-5.2.17p1/bin/php-config
make
make install
cd ../eaccelerator-0.9.6.1
make clean
/opt/php-5.2.17p1/bin/phpize
./configure --enable-eaccelerator=shared --with-php-config=/opt/php-5.2.17p1/bin/php-config
make
make install
cd ../PDO_MYSQL-1.0.2
make clean
/opt/php-5.2.17p1/bin/phpize
./configure --with-php-config=/opt/php-5.2.17p1/bin/php-config --with-pdo-mysql=/opt/mysql
make
make install
cd ../imagick-2.2.2/
make clean
/opt/php-5.2.17p1/bin/phpize
./configure --with-php-config=/opt/php-5.2.17p1/bin/php-config
make
make install
# 32-bit: use the following
cp ../ZendOptimizer-3.3.9-linux-glibc23-i386/data/5_2_x_comp/ZendOptimizer.so /opt/php-5.2.17p1/lib/php/extensions/no-debug-non-zts-20060613/
# 64-bit: use the following
cp ../ZendOptimizer-3.3.9-linux-glibc23-x86_64/data/5_2_x_comp/ZendOptimizer.so /opt/php-5.2.17p1/lib/php/extensions/no-debug-non-zts-20060613/
mkdir -p /opt/php-5.2.17p1/eaccelerator_cache
chown www:website /opt/php-5.2.17p1/eaccelerator_cache/
chmod 770 /opt/php-5.2.17p1/eaccelerator_cache/
touch /opt/php-5.2.17p1/logs/php_error.log
chown www:website /opt/php-5.2.17p1/logs/php_error.log
chmod 770 /opt/php-5.2.17p1/logs/php_error.log
# upgrade pear (optional)
/opt/php-5.2.17p1/bin/pear upgrade pear
/opt/php-5.2.17p1/bin/pear install Benchmark Cache_Lite DB HTTP Mail Mail_Mime Net_SMTP Net_Socket Pager XML_Parser XML_RPC
cp -p /opt/php/etc/php.ini /opt/php-5.2.17p1/etc/
cp -p /opt/php/etc/php-fpm.conf /opt/php-5.2.17p1/etc/
chown root:website /opt/php-5.2.17p1/etc/*
chmod 660 /opt/php-5.2.17p1/etc/*
/opt/php/sbin/php-fpm stop
# remove the symlink and switch PHP over
rm /opt/php
ln -s /opt/php-5.2.17p1/ /opt/php
/opt/php/sbin/php-fpm start
Check the paths in php-fpm.conf and php.ini, since both files were copied over from the old installation.
libmysqlclient.so.16 not found
./conftest: error while loading shared libraries: libmysqlclient.so.16
Add the MySQL client library directory to the dynamic loader's search path:
echo /opt/mysql/lib/mysql >> /etc/ld.so.conf
ldconfig -v
eAccelerator error
[eAccelerator] This build of "eAccelerator" was compiled for PHP version 5.2.14. Rebuild it for your PHP version (5.2.17p1) or download precompiled binaries.
Rebuild eAccelerator against the new build (the phpize, configure, make, make install steps above).
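Once the symlink has been switched, a short sanity check confirms that the backported limit is actually present in the running binary and catches the eAccelerator version mismatch above before traffic does. This is an added example, not from the original post; it assumes the CLI binary sits at /opt/php/bin/php after the switch and that the laruence patch exposes its limit as the max_input_vars ini directive, as the patch directory's name suggests.

```shell
#!/bin/sh
# Post-upgrade check for the patched build (added example, not from the original
# post). Assumes the switched symlink puts the CLI binary at /opt/php/bin/php and
# that the laruence patch exposes its limit as the max_input_vars ini directive.
PHP=${PHP:-/opt/php/bin/php}

# Pull one directive out of `php -i` output; each line there reads
# "name => local value => master value", so field 3 is the local value.
ini_value() {                      # $1 = directive name, stdin = `php -i` output
    awk -v k="$1" '$1 == k && $2 == "=>" { print $3; exit }'
}

# Succeed when a module name is listed in `php -m` output (one name per line).
has_module() {                     # $1 = module name, stdin = `php -m` output
    grep -qix -- "$1"
}

# Check a live binary: it runs, the limit is present, eAccelerator is loaded.
check_php_build() {
    ver=$("$PHP" -r 'echo PHP_VERSION;' 2>/dev/null) || { echo "FAIL: $PHP does not run"; return 1; }
    limit=$("$PHP" -i 2>/dev/null | ini_value max_input_vars)
    case "$limit" in
        ''|no) echo "FAIL: PHP $ver has no max_input_vars; the patch is not in this build"; return 1 ;;
    esac
    echo "OK: PHP $ver caps request variables at $limit"
    # A module compiled against 5.2.14 does not load under 5.2.17p1, so its
    # absence from `php -m` is exactly the eAccelerator mismatch shown above.
    if "$PHP" -m 2>/dev/null | has_module eaccelerator; then
        echo "OK: eAccelerator loaded"
    else
        echo "FAIL: eAccelerator not loaded; rebuild it with this build's phpize"; return 1
    fi
}
```

Run `check_php_build` against the new prefix before the old one is removed; a FAIL on the limit means the laruence patch did not make it into the binary that php-fpm is serving.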