PEAR 1.4.6 was just released at pear.php.net (http://pear.php.net/PEAR). This is a minor bugfix release and complete details are available at pear.php.net, but I must stress two points with extreme seriousness:
- PEAR 1.4.6 fixes make install-pear INSTALL_ROOT=/rpm/packaging and introduces the --packagingroot option to install, which works like --installroot worked in PEAR 1.3.x
- PEAR 1.3.x has several serious bugs and at least 2 serious security vulnerabilities. Using PEAR 1.3.x on a production machine is EXTREMELY dangerous
The second point applies to all people who think that the latest vulnerability in PEAR can be fixed in 1.3.5 with a simple patch. There are several unpublished serious bugs. A few days back, I was contacted by a diligent developer of a Linux distribution who was wondering how serious the vulnerability in PEAR 1.4.2 and earlier is, and whether it would be possible to get a patch for PEAR 1.3.5. After reflection on the serious bugs in PEAR 1.3.x that were fixed in PEAR 1.4.x with unit testing, I came to realize that there is yet another serious security vulnerability in PEAR 1.3.x. I will publish the details shortly.
Don't hesitate, upgrade to PEAR 1.4.6 at your earliest convenience.
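As an added example (not part of the original announcement or the PEAR project's own tooling), the following POSIX shell script answers the question an administrator reading the above would ask first: is the PEAR installer on this host older than 1.4.6? It assumes that "pear version" prints a line of the form "PEAR Version: 1.4.6"; the version comparison itself is self-contained and ignores pre-release suffixes such as "RC1", which is an assumption of this script rather than something the post states.

```shell
#!/bin/sh
# Added example: flag PEAR installations older than the 1.4.6 release.
# Assumption: `pear version` prints a line "PEAR Version: x.y.z".

REQUIRED_PEAR_VERSION="1.4.6"

# version_lt A B: exit status 0 when dotted version A is older than B.
# Compares the first three numeric components; a missing component counts
# as 0, and trailing non-digits (e.g. "0RC1") are dropped by awk's +0.
version_lt() {
    a="$1"; b="$2"
    i=1
    while [ "$i" -le 3 ]; do
        ca=$(printf '%s\n' "$a" | awk -F. -v n="$i" '{ print $n + 0 }')
        cb=$(printf '%s\n' "$b" | awk -F. -v n="$i" '{ print $n + 0 }')
        if [ "$ca" -lt "$cb" ]; then return 0; fi
        if [ "$ca" -gt "$cb" ]; then return 1; fi
        i=$((i + 1))
    done
    return 1   # equal versions are not "older"
}

# pear_needs_upgrade VERSION: exit 0 when VERSION predates 1.4.6.
pear_needs_upgrade() {
    version_lt "$1" "$REQUIRED_PEAR_VERSION"
}

# installed_pear_version: print the version reported by `pear version`,
# or fail if the pear command is not on PATH.
installed_pear_version() {
    command -v pear >/dev/null 2>&1 || return 1
    pear version 2>/dev/null | awk -F': *' '/^PEAR Version/ { print $2; exit }'
}

main() {
    v=$(installed_pear_version) || { echo "pear not found on PATH" >&2; return 2; }
    if pear_needs_upgrade "$v"; then
        echo "PEAR $v is older than $REQUIRED_PEAR_VERSION: run 'pear upgrade PEAR'"
        return 1
    fi
    echo "PEAR $v is $REQUIRED_PEAR_VERSION or newer"
}

# Only probe the live system when asked, so the functions can be sourced
# and exercised offline: sh check_pear.sh --check
if [ "${1:-}" = "--check" ]; then
    main
fi
```

Running it with --check on a host that still has PEAR 1.3.5 exits with status 1 and names the upgrade command; on a host at 1.4.6 or later it exits 0. Because a 1.4.2 installer carries the vulnerability the post refers to, the check treats anything below 1.4.6 as needing the upgrade rather than only the 1.3.x line.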