PHP users warned to stay away from latest update

Maintainers of the PHP scripting language are urging users to avoid an update released last week that introduces a serious bug affecting some cryptographic functions. The flaw in version 5.3.7 involves the crypt() function used to cryptographically hash a text string. When using the command with the MD5 algorithm and some salt …

COMMENTS

This topic is closed for new posts.
  1. Anonymous Coward
    WTF?

    I be totally confuzzled

    Okay. The maintainers want us to stay away from the update, and the maintainers also released said update anyway. Can someone explain this to me, please?

    1. Anonymous Coward
      Anonymous Coward

      Answer.

      People.

    2. Tomato42
      Boffin

      Re: I be totally confuzzled

      They released the update fixing a few problems. The update introduced a serious bug. The bug has been pointed out to the developers. The developers say to stay away from the update for the time being.

      1. Anonymous Coward
        FAIL

        The title is required, and must contain letters and/or digits

        Why not pull it then?

        1. Rob Aley
          Thumb Up

          Why it's still there

          If you don't use the crypt function, but need the other fixes included in the update, then it would be sensible to use the release. If you use the crypt function, or deploy it on shared hosts etc. where others may use it, then you should avoid the update.

          I.e. it is still useful for some, so it shouldn't be pulled, just flagged as it has been.

          1. Anonymous Coward
            Anonymous Coward

            If you need the other fixes...

            Then I still think you're taking huge risks if you install such a version anyway. Just because /you/ don't use the broken crypt() function doesn't mean others won't try to exploit it either.

            Have to agree with the comment above; I too think releasing anyway is a very doubtful move.

          2. tiggertaebo
            FAIL

            Still doesn't make sense

            I'd be surprised if there were people so desperate for the other fixes that they couldn't wait "a few days" for the next release.

            The PHP guys are far from alone in making screw-ups (let's not even go there on the amount of big names who have released updates that have properly screwed things up), but let's not pretend this is anything other than a clusterfuck.

  2. Anonymous Coward
    WTF?

    Don't see the problem

    Shouldn't be using MD5 anyway. I doubt anyone using crypt() would be - anyone using md5 would just use the straight md5() function surely?

    1. Anonymous Coward
      Anonymous Coward

      no md5 crypt?

      > Shouldn't be using MD5 anyway

      Why not?

      > I doubt anyone using crypt() would be - anyone using md5 would just use the straight md5() function surely?

      You do still want salt with your md5. And using a common interface makes it easier to switch algorithms whenever you feel like it.
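      The two points in this comment, salting and a single hashing interface that is algorithm-agnostic, are what PHP's crypt() is for. The following is an added example written for this page, not code from the commenter or from the PHP project; it uses PHP 7+ functions (random_int, hash_equals) and hypothetical helper names. It shows a salted hash being created and verified through the same crypt() call regardless of algorithm, plus a defensive check that refuses to store a crypt() result that is no longer than its salt, which is the kind of malformed output a broken crypt() build could produce.

```php
<?php
// Added example (not from the original thread). Demonstrates salted hashing
// through crypt() with a sanity check on its output. Helper names are
// hypothetical.

// Build a crypt() salt for the given scheme id:
//   '1' = MD5-crypt, '5' = SHA-256-crypt, '6' = SHA-512-crypt.
// Salt characters come from the crypt alphabet [./0-9A-Za-z].
function make_salt(string $scheme, int $len = 8): string {
    $alphabet = './0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz';
    $salt = '';
    for ($i = 0; $i < $len; $i++) {
        $salt .= $alphabet[random_int(0, 63)];
    }
    return '$' . $scheme . '$' . $salt . '$';
}

// Hash a password with crypt() and refuse to return anything that does not
// look like a real hash: a correct crypt() always returns the salt prefix
// followed by the digest, so output no longer than the salt is a defect,
// not a hash, and must never be stored as one.
function hash_password(string $password, string $salt): string {
    $hash = crypt($password, $salt);
    if (strlen($hash) <= strlen($salt) || substr($hash, 0, strlen($salt)) !== $salt) {
        throw new RuntimeException('crypt() returned a malformed hash for salt ' . $salt);
    }
    return $hash;
}

// Verification is the same call for every scheme: the stored hash carries
// its own algorithm id and salt, so crypt(password, stored) regenerates it.
// hash_equals() gives a constant-time comparison.
function verify_password(string $password, string $stored): bool {
    return hash_equals($stored, crypt($password, $stored));
}

// Constructed sample input (not real credentials).
$password = 'correct horse battery staple';

foreach (['1', '5', '6'] as $scheme) {
    $stored = hash_password($password, make_salt($scheme));
    $ok     = verify_password($password, $stored);
    $bad    = verify_password('wrong password', $stored);
    printf("scheme \$%s\$: stored=%s ok=%s rejects_wrong=%s\n",
        $scheme, $stored, $ok ? 'yes' : 'no', $bad ? 'no' : 'yes');
}

// Two hashes of the same password differ because the salts differ; that is
// the property the commenter is pointing at.
$a = hash_password($password, make_salt('1'));
$b = hash_password($password, make_salt('1'));
printf("same password, different salt, different hash: %s\n", $a !== $b ? 'yes' : 'no');
```

On a correct PHP build every scheme prints ok=yes and rejects_wrong=yes. The malformed-hash check in hash_password() is the startup or deployment self-test a practitioner would want after an incident like the 5.3.7 one: it turns a silently broken hash function into a thrown exception rather than a table of stored salts. For new code, password_hash() and password_verify() (bcrypt by default) are the simpler choice, but they rely on the same crypt() machinery, so the same sanity check applies.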

      1. Daniel B.

        no md5 crypt!

        They shouldn't be using md5 'coz it has been already attacked, it has been proven to be the hash equivalent to DES so everyone's moved to Blowfish for passwd crypto or SHA1/SHA2 for message digests.

  3. Anonymous Coward
    FAIL

    Yet another reason to use a real language then

    'nuff said.

    1. Field Marshal Von Krakenfart
      FAIL

      Yes it is a FAIL

      because you failed to supply any reason to support your argument or the reason for your preference for using other programming languages.

    2. CD001

      Wow

      Predictable comment is predictable - only mildly surprised it was so far down the page.

      Trollin' Trollin' Trollin' RAWHIDE!

  4. Eddie Edwards
    FAIL

    Unit tests

    Hmm, so one of the pillars of the LAMP model doesn't actually do unit tests before shipping a new release. Just goes to show you get what you pay for with open source.

    1. James Dunmore

      ...yes clarity

      At least we know why it failed... if this was closed door, we wouldn't know why it broke, and we'd be hidden from the truth - how many times does this happen at Microsoft and Apple (for example)? We'll never know.

    2. Anonymous Coward
      Devil

      That's why some people LAPT

      LAPT into Linux, Apache, Postgres and Tomcat.

  5. Bitbeisser
    Alert

    You're late to the party folks...

    5.3.7 was released on 8/18, the warning about the MD5 bug was released on 8/22 and the fixed 5.3.8 update was released on 8/23...
