Maintainers of the PHP scripting language are urging users to avoid an update released last week that introduces a serious bug affecting some cryptographic functions. The flaw in version 5.3.7 involves the crypt() function used to cryptographically hash a text string. When using the command with the MD5 algorithm and some salt …
I be totally confuzzled
Okay. The maintainers want us to stay away from the update, and the maintainers also released said update anyway. Can someone explain this to me, please?
Re: I be totally confuzzled
They released the update fixing a few problems. The update introduced a serious bug. The bug has been pointed out to the developers. Developers say to stay away from the update for the time being.
Why not pull it then?
Why it's still there
If you don't use the crypt function, but need the other fixes included in the update, then it would be sensible to use the release. If you use the crypt function, or deploy it on shared hosts etc. where others may use it, then you should avoid the update.
I.e. it is still useful for some, so it shouldn't be pulled, just flagged as it has been.
If you need the other fixes...
Then I still think you're taking huge risks if you install such a version anyway. Just because /you/ don't use the broken crypt() function doesn't mean others won't try to exploit it either.
Have to agree with the comment above; I too think releasing anyway is a very doubtful move.
Still doesn't make sense
I'd be surprised if there were people so desperate for the other fixes that they couldn't wait "a few days" for the next release.
The PHP guys are far from alone in making screw-ups (let's not even go there on the amount of big names who have released updates that have properly screwed things up), but let's not pretend this is anything other than a clusterfuck.
Don't see the problem
Shouldn't be using MD5 anyway. I doubt anyone using crypt() would be - anyone using md5 would just use the straight md5() function surely?
no md5 crypt?
> Shouldn't be using MD5 anyway
> I doubt anyone using crypt() would be - anyone using md5 would just use the straight md5() function surely?
You do still want salt with your md5. And using a common interface makes it easier to switch algorithms whenever you feel like it.
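The point made above about salting and about a common interface that lets you switch algorithms is what PHP's crypt() offers: the scheme and salt are encoded in the hash prefix, so verification just re-runs crypt() with the stored hash as the salt. The following is an added example (not code from the article, from PHP's maintainers or from anyone in this thread) showing that pattern together with a start-up self-test of the kind a deployment would want after the 5.3.7 regression. It assumes a PHP build with CRYPT_MD5, CRYPT_SHA512 and CRYPT_BLOWFISH available (the `$2y$` bcrypt prefix needs 5.3.7 or later); the salt alphabet and salt lengths follow the crypt(3) formats.

```php
<?php
// Added example (not from the article or the thread): salted password hashing
// through PHP's common crypt() interface, plus a structural self-test.
// Assumption: CRYPT_MD5 ('$1$'), CRYPT_SHA512 ('$6$') and CRYPT_BLOWFISH
// ('$2y$', PHP 5.3.7+) are compiled in.

// Random salt characters from the crypt(3) alphabet (64 symbols, so a byte
// reduced mod 64 is uniform). Prefers a CSPRNG when one is available.
function random_salt_chars($n) {
    $alphabet = './ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789';
    if (function_exists('random_bytes')) {
        $bytes = random_bytes($n);
    } elseif (function_exists('openssl_random_pseudo_bytes')) {
        $bytes = openssl_random_pseudo_bytes($n);
    } else {
        $bytes = '';
        for ($i = 0; $i < $n; $i++) {
            $bytes .= chr(mt_rand(0, 255)); // last resort on very old builds
        }
    }
    $out = '';
    for ($i = 0; $i < $n; $i++) {
        $out .= $alphabet[ord($bytes[$i]) % 64];
    }
    return $out;
}

// Build a salt string for the chosen scheme. Switching schemes for new
// records is a one-argument change; existing hashes keep verifying.
function make_salt($scheme, $cost = 10) {
    switch ($scheme) {
        case 'md5':    return '$1$' . random_salt_chars(8) . '$';
        case 'sha512': return '$6$' . random_salt_chars(16) . '$';
        case 'bcrypt': return sprintf('$2y$%02d$', $cost) . random_salt_chars(22);
        default:       throw new InvalidArgumentException("unknown scheme: $scheme");
    }
}

// Structural sanity check for one scheme. The documented failure contract of
// crypt() is a string shorter than 13 characters; the 5.3.7 MD5 regression
// instead returned only the salt, so also require the result to extend past
// the salt and to depend on the password.
function crypt_self_test($scheme) {
    $salt = make_salt($scheme);
    $a = crypt('correct horse', $salt);   // constructed sample inputs
    $b = crypt('wrong horse', $salt);
    if ($a === false || strlen($a) < 13)  return false;
    if (strpos($a, $salt) !== 0)          return false; // prefix must be the salt
    if (strlen($a) <= strlen($salt))      return false; // must carry a digest
    if ($a === $b)                        return false; // must depend on input
    return true;
}

function hash_password($password, $scheme = 'sha512') {
    return crypt($password, make_salt($scheme));
}

// crypt() reads scheme and salt back from the stored hash's prefix.
// Compare in constant time; hash_equals() exists from PHP 5.6.
function verify_password($password, $stored) {
    $candidate = crypt($password, $stored);
    if (function_exists('hash_equals')) {
        return hash_equals($stored, $candidate);
    }
    if (strlen($stored) !== strlen($candidate)) {
        return false;
    }
    $diff = 0;
    for ($i = 0; $i < strlen($stored); $i++) {
        $diff |= ord($stored[$i]) ^ ord($candidate[$i]);
    }
    return $diff === 0;
}

// Refuse to start if any scheme the application relies on is broken.
foreach (array('md5', 'sha512', 'bcrypt') as $scheme) {
    printf("%-7s self-test: %s\n", $scheme,
           crypt_self_test($scheme) ? 'ok' : 'BROKEN, refusing to start');
}

$stored = hash_password('hunter2', 'sha512'); // constructed sample password
var_dump(verify_password('hunter2', $stored));
var_dump(verify_password('hunter3', $stored));
```

The self-test is structural rather than a known-answer test: it catches gross failures such as crypt() returning the bare salt, which is exactly what a runtime check should have flagged on 5.3.7, but it does not prove the digest is computed correctly. Verification never needs to know which scheme produced a stored hash, which is what makes migrating from `$1$` to `$6$` or `$2y$` a matter of changing the default for new records.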
no md5 crypt!
They shouldn't be using md5 'coz it has already been attacked, it has been proven to be the hash equivalent to DES so everyone's moved to Blowfish for passwd crypto or SHA1/SHA2 for message digests.
Yet another reason to use a real language then
Yes it is a FAIL
because you failed to supply any reason to support your argument or the reason for your preference for using other programming languages.
Predictable comment is predictable - only mildly surprised it was so far down the page.
Trollin' Trollin' Trollin' RAWHIDE!
Hmm, so one of the pillars of the LAMP model doesn't actually do unit tests before shipping a new release. Just goes to show you get what you pay for with open source.
At least we know why it failed... if this was closed door, we wouldn't know why it broke, and be hidden from the truth - how many times does this happen at Microsoft and Apple (for example) - we'll never know.
That's why some people LAPT
LAPT into Linux, Apache, Postgres and Tomcat.
You're late to the party folks...
5.3.7 was released on 8/18, the warning about the MD5 bug was released on 8/22 and the fixed 5.3.8 update was released on 8/23...