Maintainers of the PHP scripting language are urging users to avoid an update released last week that introduces a serious bug affecting some cryptographic functions. The flaw in version 5.3.7 involves the crypt() function used to cryptographically hash a text string. When using the command with the MD5 algorithm and some salt …

COMMENTS

House rules Send corrections

This topic is closed for new posts.

Tuesday 23rd August 2011 00:28 GMT Anonymous Coward

I be totally confuzzled

Okay. The maintainers want us to stay away from the update, and the maintainers also released said update anyway. Can someone explain this to me, please?

0 0
1. Tuesday 23rd August 2011 05:41 GMT Anonymous Coward
  
  Answer.
  
  People.
  
  3 0
2. Tuesday 23rd August 2011 05:41 GMT Tomato42
  
  Re: I be totally confuzzled
  
  They released the update fixing few problems. The update introduced a serious bug. The bug has been pointed to developers. Developers say to stay away from the update for the time being.
  
  0 0
  1. Tuesday 23rd August 2011 08:53 GMT Anonymous Coward
    
    The title is required, and must contain letters and/or digits
    
    Why not pull it then?
    
    1 0
    1. Tuesday 23rd August 2011 09:19 GMT Rob Aley
      
      Why its still there
      
      If you don't use the crypt function, but need the other fixes included in the update, then it would be sensible to use the release. If you use the crypt function, or deploy it on shared hosts etc. where others may use it, then you should avoid the update.
      
      I.E. it is still useful for some, so it shouldn't be pulled, just flagged as it has been.
      
      1 0
      1. Tuesday 23rd August 2011 11:53 GMT Anonymous Coward
        
        If you need the other fixes...
        
        Then I still think you're taking huge risks if you install such a version anyway. Just because /you/ don't use the broken crypt() function doesn't mean others won't try to exploit it either.
        
        Have to agree with the comment above; I too think releasing anyway is a very doubtful move.
        
        0 0
      2. Tuesday 23rd August 2011 11:56 GMT tiggertaebo
        
        Still doesn't make sense
        
        I'd be suprised if there were people so desperate for the other fixes that they couldn't wait "a few days" for the next release.
        
        the PHP guys are from from alone in making screw-ups (lets not even go there on the amount of big names who have released updates that have properly screwed things up) but let's not pretend this is anything other than a clusterfuck.
        
        0 0
Tuesday 23rd August 2011 07:17 GMT Anonymous Coward

Don't see the problem

Shouldn't be using MD5 anyway. I doubt anyone using crypt() would be - anyone using md5 would just use the straight md5() function surely?

0 1
1. Tuesday 23rd August 2011 08:51 GMT Anonymous Coward
  
  no md5 crypt?
  
  > Shouldn't be using MD5 anyway
  
  Why not?
  
  > I doubt anyone using crypt() would be - anyone using md5 would just use the straight md5() function surely?
  
  You do still want salt with your md5. And using a common interface makes it easier to switch algorithms whenever you feel like it.
  
  0 0
  1. Tuesday 23rd August 2011 15:10 GMT Daniel B.
    
    no md5 crypt!
    
    They shouldn't be using md5 'coz it has been already attacked, it has been proven to be the hash equivalent to DES so everyone's moved to Blowfish for passwd crypto or SHA1/SHA2 for message digests.
    
    0 1
Tuesday 23rd August 2011 08:53 GMT Anonymous Coward

Yet another reason to use a real language then

'nuff said.

2 11
1. Tuesday 23rd August 2011 09:50 GMT Field Marshal Von Krakenfart
  
  Yes it is a FAIL
  
  because you failed to supply any reason to support your argument or the reason for your preference for using other programming languages.
  
  2 1
2. Tuesday 23rd August 2011 12:35 GMT CD001
  
  Wow
  
  Predictable comment is predictable - only mildly surprised it was so far down the page.
  
  Trollin' Trollin' Trollin' RAWHIDE!
  
  2 0
Tuesday 23rd August 2011 09:49 GMT Eddie Edwards

Unit tests

Hmm, so one of the pillars of the LAMP model doesn't actually do unit tests before shipping a new release. Just goes to show you get what you pay for with open source.

3 1
1. Tuesday 23rd August 2011 12:27 GMT James Dunmore
  
  ...yes clarity
  
  at least we know why it failed... if this was closed door, we wouldn't know why it broke, and be hidden from the truth - how many times does this happen at microsoft and apple (for example) - we'll never know.
  
  1 0
2. Tuesday 23rd August 2011 18:45 GMT Anonymous Coward
  
  Thats why some people LAPT
  
  LAPT into Linux, Apache, Postgres and Tomcat.
  
  0 0
Friday 26th August 2011 15:09 GMT Bitbeisser

You're late to the party folks...

5.3.7 was released on 8/18, the warning about the MD5 bug was released on 8/22 and the fixed 5.3.8 update was released on 8/23...

0 0