PHP users warned to stay away from latest update

Maintainers of the PHP scripting language are urging users to avoid an update released last week that introduces a serious bug affecting some cryptographic functions. The flaw in version 5.3.7 involves the crypt() function used to cryptographically hash a text string. When using the function with the MD5 algorithm and some salt …

COMMENTS

This topic is closed for new posts.
WTF?

I be totally confuzzled

Okay. The maintainers want us to stay away from the update, and the maintainers also released said update anyway. Can someone explain this to me, please?

0
0
Anonymous Coward

Answer.

People.

3
0
Boffin

Re: I be totally confuzzled

They released the update fixing a few problems. The update introduced a serious bug. The bug has been pointed out to the developers. The developers say to stay away from the update for the time being.

0
0
FAIL

Why not pull it then?

1
0
Thumb Up

Why it's still there

If you don't use the crypt function, but need the other fixes included in the update, then it would be sensible to use the release. If you use the crypt function, or deploy it on shared hosts etc. where others may use it, then you should avoid the update.

I.e., it is still useful for some, so it shouldn't be pulled, just flagged as it has been.

1
0

If you need the other fixes...

Then I still think you're taking huge risks if you install such a version anyway. Just because /you/ don't use the broken crypt() function doesn't mean others won't try to exploit it either.

Have to agree with the comment above; I too think releasing anyway is a very doubtful move.

0
0
FAIL

Still doesn't make sense

I'd be surprised if there were people so desperate for the other fixes that they couldn't wait "a few days" for the next release.

The PHP guys are far from alone in making screw-ups (let's not even go there on the amount of big names who have released updates that have properly screwed things up), but let's not pretend this is anything other than a clusterfuck.

0
0
WTF?

Don't see the problem

Shouldn't be using MD5 anyway. I doubt anyone using crypt() would be - anyone using md5 would just use the straight md5() function surely?

0
1
Anonymous Coward

no md5 crypt?

> Shouldn't be using MD5 anyway

Why not?

> I doubt anyone using crypt() would be - anyone using md5 would just use the straight md5() function surely?

You do still want salt with your md5. And using a common interface makes it easier to switch algorithms whenever you feel like it.

0
0
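The two comments above (use the release only if you do not touch crypt(), and crypt() as a common salted interface that makes switching algorithms cheap) both come down to the same practical question: how do you call crypt() so that a broken build cannot silently hand you an unusable hash? The script below is an added example, not code from the article, the commenters or the PHP project. It assumes PHP 5.3.2 or later with the OpenSSL extension (for openssl_random_pseudo_bytes()); the helper names (make_salt, salt_of, is_complete_hash, hash_password, check_password, slow_equals) are this example's own. The sanity check relies on the documented shape of the 5.3.7 regression, in which crypt() given an MD5 ("$1$") salt returned only the salt string rather than a hash.

```php
<?php
// Added example; not code from the article, the commenters or the PHP
// project. Uses crypt() through its common salted interface and refuses
// to store or accept a salt-only result such as PHP 5.3.7 produced for MD5.

// Random salt characters from the crypt alphabet [./0-9A-Za-z].
// Assumes the OpenSSL extension is loaded (PHP >= 5.3).
function salt_chars($n) {
    $raw = openssl_random_pseudo_bytes($n);
    return substr(strtr(base64_encode($raw), '+', '.'), 0, $n);
}

// Build a salt for the given scheme. Prefixes are the standard crypt(3)
// identifiers: $1$ MD5, $5$ SHA-256, $6$ SHA-512, $2a$ Blowfish (bcrypt).
function make_salt($scheme) {
    switch ($scheme) {
        case 'md5':      return '$1$' . salt_chars(8) . '$';
        case 'sha256':   return '$5$' . salt_chars(16) . '$';
        case 'sha512':   return '$6$' . salt_chars(16) . '$';
        case 'blowfish': return '$2a$10$' . salt_chars(22);   // cost factor 10
    }
    throw new InvalidArgumentException("unsupported scheme: $scheme");
}

// Return the salt portion of a crypt() string, i.e. the prefix crypt()
// echoes back before the hash proper.
function salt_of($hash) {
    if (strncmp($hash, '$2a$', 4) === 0 || strncmp($hash, '$2y$', 4) === 0) {
        return substr($hash, 0, 29);                   // $2a$NN$ + 22 salt chars
    }
    $close = strpos($hash, '$', 3);                    // the '$' that ends the salt
    return $close === false ? $hash : substr($hash, 0, $close + 1);
}

// True only when $hash carries hash material beyond its salt. A "*0"/"*1"
// result is crypt()'s own failure marker; a salt-only string is the 5.3.7 bug.
function is_complete_hash($hash) {
    return is_string($hash) && strlen($hash) > 2 && $hash[0] !== '*'
        && strlen($hash) > strlen(salt_of($hash));
}

// Hash a password and refuse to return anything that is not a full hash
// starting with the salt we supplied.
function hash_password($password, $scheme = 'sha512') {
    $salt = make_salt($scheme);
    $hash = crypt($password, $salt);
    if (!is_complete_hash($hash) || strpos($hash, $salt) !== 0) {
        throw new RuntimeException("crypt() returned an unusable result for $scheme");
    }
    return $hash;
}

// Constant-time comparison; hash_equals() only exists from PHP 5.6.
function slow_equals($a, $b) {
    if (strlen($a) !== strlen($b)) return false;
    $diff = 0;
    for ($i = 0, $n = strlen($a); $i < $n; $i++) {
        $diff |= ord($a[$i]) ^ ord($b[$i]);
    }
    return $diff === 0;
}

// Verify against a stored crypt() string. A salt-only stored value (as a
// 5.3.7 system would have written) is rejected outright, because otherwise
// crypt() would reproduce the bare salt and every password would "match".
function check_password($password, $stored) {
    if (!is_complete_hash($stored)) return false;
    $computed = crypt($password, $stored);
    return is_complete_hash($computed) && slow_equals($computed, $stored);
}

// Same two calls for every scheme, which is what makes migration cheap.
foreach (array('md5', 'sha512', 'blowfish') as $scheme) {
    $h = hash_password('correct horse', $scheme);
    printf("%-8s %s ok=%d wrong=%d\n", $scheme, $h,
        check_password('correct horse', $h), check_password('battery staple', $h));
}

// Constructed input: the salt-only string that 5.3.7 handed back for MD5.
var_dump(is_complete_hash('$1$abcdefgh$'));
var_dump(check_password('anything', '$1$abcdefgh$'));
```

On a healthy build the loop prints a full hash per scheme with ok=1 and wrong=0, and both var_dump() calls at the end print false. On a build with the 5.3.7 regression, hash_password('...', 'md5') throws instead of persisting the bare salt, which is the failure mode a shared host most wants to make loud rather than silent. The bcrypt salt is built from raw base64 output; its final character carries four unused bits, which crypt() ignores.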

no md5 crypt!

They shouldn't be using md5 'coz it has already been attacked; it has been proven to be the hash equivalent of DES, so everyone's moved to Blowfish for passwd crypto or SHA1/SHA2 for message digests.

0
1
FAIL

Yet another reason to use a real language then

'nuff said.

2
11
FAIL

Yes it is a FAIL

because you failed to supply any reason to support your argument or the reason for your preference for using other programming languages.

2
1

Wow

Predictable comment is predictable - only mildly surprised it was so far down the page.

Trollin' Trollin' Trollin' RAWHIDE!

2
0
FAIL

Unit tests

Hmm, so one of the pillars of the LAMP model doesn't actually do unit tests before shipping a new release. Just goes to show you get what you pay for with open source.

3
1

...yes clarity

At least we know why it failed. If this was closed door, we wouldn't know why it broke, and we'd be hidden from the truth. How many times does this happen at Microsoft and Apple (for example)? We'll never know.

1
0
Devil

That's why some people LAPT

LAPT into Linux, Apache, Postgres and Tomcat.

0
0
Alert

You're late to the party folks...

5.3.7 was released on 8/18, the warning about the MD5 bug was released on 8/22 and the fixed 5.3.8 update was released on 8/23...

0
0