New php issue
March 5th, 2002, 03:18 PM
Contributing User
Join Date: Feb 2001
Location: ma
Posts: 103
New php issue
[27-Feb-2002] Due to a security issue found in all versions of PHP (including 3.x and 4.x), a new version of PHP has been released. Details about the security issue are available here. All users of PHP are strongly encouraged to either upgrade to PHP 4.1.2, or install the patch (available for PHP 3.0.18, 4.0.6 and 4.1.0/4.1.1).
My question is how do I install the patch? It's a gz file. Not sure how those work. Can anyone give me a hand on this?

March 5th, 2002, 03:40 PM
Contributing User
Join Date: Oct 2000
Location: Back in the real world.
you are 4 days late. get onto some mailing list if you are really interested in security.
.gz says it is zip-packed (.zip in win*** world). do "gunzip filename.gz" to get the unzipped version. and read the docs how to apply it...
is it a source code patch or a binary one?
you probably better get the complete patched version (4.1.2)..... and install it over your old one.

March 5th, 2002, 05:20 PM
Contributing User
Join Date: Feb 2001
Location: ma
Posts: 103
Quote: Originally posted by M.Hirsch
you probably better get the complete patched version (4.1.2)..... and install it over your old one.
How would I go about that?

March 7th, 2002, 12:11 PM
Contributing User
Join Date: Oct 2000
Location: Back in the real world.
http://www.php.net/downloads.php
but it is only available as source as far as i could see...
if you are on linux, compiling is easy. on win**** - didn't ever even try...

March 7th, 2002, 12:57 PM
Contributing User
Join Date: Feb 2001
Location: ma
Posts: 103
Can anyone give me a hand here with an answer?

March 7th, 2002, 01:09 PM
Contributing User
Join Date: Oct 2000
Location: Back in the real world.
ok, step-by-step:
download the .tar.gz file.
login as root, copy it to your /root directory.
type "tar xvzf <filename>"
cd to the new dir that was created
type "./configure" (read the README for the parameters to supply if you want apache-module and how to compile in mySQL and other stuff you might need)
if you get no errors, type "make".
if this gives you no errors either, you should end up with a "mod_php.so" or similar in one of the dirs.
copy this to /usr/lib/apache (or the location your old mod_php.so is at)
this should do the job. it is probably not as easy as it seems, but since there is no binary available yet, it's the only way around disabling PHP completely......
i did not test this since i don't have linux around at home. if you have further questions, ask again. i am sure there are ppl on this board that did this step already and can supply the exact way...
see ya,
M.Hirsch

March 7th, 2002, 01:11 PM
Gödelian monster
Join Date: Jul 1999
Location: Central Florida, USA
See this thread in another forum: http://www.tek-tips.com/gviewthread.../434/qid/221223
Also, this security breach deals with PHP's file upload functionality. If you don't need file uploads, you can just disable that feature in php.ini, and you will be safe again. That's the quickest fix for now, until you are ready to deal with an upgrade.
Just change:
file_uploads = On
to
file_uploads = Off
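
A way to confirm that the file_uploads = Off workaround above is what php.ini really says, as an added example that is not part of any post in this thread. It assumes the last uncommented assignment applies when the directive is repeated, and it treats an absent directive as enabled, which is PHP's default; the function names and the sample file are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): report whether a php.ini leaves
# file uploads enabled. Assumption: if the directive is repeated, the
# last uncommented assignment is the one PHP applies.

# Prints "on", "off" or "unknown" for the php.ini given as $1.
effective_file_uploads() {
    [ -r "$1" ] || { echo unknown; return 0; }
    # Drop ';' comments, then keep the value of the last assignment.
    val=$(sed -e 's/;.*$//' "$1" | awk -F= '
        { key = $1; gsub(/[ \t]/, "", key) }
        key == "file_uploads" {
            v = $2; gsub(/[ \t\r"]/, "", v); last = tolower(v); seen = 1
        }
        END { if (seen) print "set:" last; else print "unset" }')
    case $val in
        unset)                          echo on ;;   # PHP default is enabled
        set:1|set:on|set:true|set:yes)  echo on ;;
        set:0|set:off|set:false|set:no|set:none|set:) echo off ;;
        *)                              echo unknown ;;  # not a known flag value
    esac
}

# Exit status 0 only when uploads are definitely disabled.
uploads_disabled() {
    [ "$(effective_file_uploads "$1")" = off ]
}

# Constructed sample: a commented-out "Off" followed by a live "On",
# the kind of edit that looks applied at a glance but is not.
demo_ini=$(mktemp)
cat > "$demo_ini" <<'EOF'
[PHP]
;file_uploads = Off
file_uploads = On
upload_tmp_dir = /tmp
EOF
if uploads_disabled "$demo_ini"; then
    echo "file_uploads is Off: workaround in place"
else
    echo "file_uploads is still enabled: workaround NOT in place"
fi
rm -f "$demo_ini"
```

With mod_php the new value is only read when Apache starts, so restart the server after editing php.ini.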