Archive for the ‘Announcements’ Category

Net_Traceroute and Net_Ping security advisory

Saturday, November 14th, 2009

PEAR Security Advisory (PSA 200911-14-01)

Severity: Serious
Title: PEAR Net_Ping and Net_Traceroute Remote Arbitrary Command Injection
Date: November 14, 2009
ID: 200911-14-01

Synopsis

Multiple remote arbitrary command injections have been found in the Net_Ping
and Net_Traceroute packages.

Background

Net_Ping is an OS-independent wrapper class for executing ping calls from PHP.

Net_Traceroute is an OS-independent wrapper class for executing traceroute calls from PHP.

Affected packages

-----------------------------------------------------------------
     Package          /  Vulnerable  /  Unaffected
-----------------------------------------------------------------
  1  Net_Ping            < 2.4.5        >= 2.4.5
  2  Net_Traceroute      < 0.21.2       >= 0.21.2
-----------------------------------------------------------------
2 affected packages on all of their supported architectures.
-----------------------------------------------------------------

Description

Remote Arbitrary Command Injection

Impact

When input from forms is used directly, an attacker could pass values that allow remote execution of arbitrary commands.

Workaround

Filter your input to make sure the values passed to the commands are shell escaped, or upgrade to the latest version of both packages.
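
An added example of the input filtering described in this workaround (it is not part of the advisory or of either package's code), assuming the value is a host name or IP address taken from a form field. `validate_host()`, `safe_host_argument()` and the sample inputs are hypothetical. It applies an allow-list first and shell escaping second, so values that start with a hyphen are rejected as well:

```php
<?php
// Added example: validate a user-supplied host before it reaches any code
// that builds a ping/traceroute command line. All names here are hypothetical.

/** Return the trimmed host if it is an IP literal or RFC 1123 hostname, else null. */
function validate_host(string $input): ?string
{
    $host = trim($input);
    if ($host === '' || strlen($host) > 253) {
        return null;
    }
    // IPv4 and IPv6 literals.
    if (filter_var($host, FILTER_VALIDATE_IP) !== false) {
        return $host;
    }
    // Hostname labels: letters, digits and inner hyphens only, 1-63 chars each.
    // A label can never start with "-", so the value cannot be read as an option.
    $label = '[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?';
    if (preg_match('/^' . $label . '(?:\.' . $label . ')*$/D', $host) === 1) {
        return $host;
    }
    return null;
}

/** Shell-escaped argument for an accepted host, or null when the input is rejected. */
function safe_host_argument(string $input): ?string
{
    $host = validate_host($input);
    return $host === null ? null : escapeshellarg($host);
}

// Constructed sample inputs, as they might arrive from a form field.
$samples = [
    'pear.php.net',
    '192.0.2.10',
    '2001:db8::1',
    'example.org; echo injected',   // shell metacharacter: rejected
    '-c 100000 example.org',        // leading hyphen (option): rejected
    'example.org`hostname`',        // command substitution: rejected
];

foreach ($samples as $sample) {
    $arg = safe_host_argument($sample);
    printf("%-30s => %s\n", $sample, $arg ?? 'REJECTED');
}
```

Validation is what stops the request; `escapeshellarg()` is kept as a second layer for values that pass it.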

Resolution

The group recommends users of Net_Ping to upgrade to Net_Ping-2.4.5 if they haven’t already:

The group recommends users of Net_Traceroute to upgrade to Net_Traceroute-0.21.2 if they haven’t already:

Reported By

Thanks to Pasquale Imperato for finding, analyzing and reporting the issue.

Link

http://pear.php.net/advisory20091114-01.txt

Ubuntu Karmic Ships with PEAR-Affecting Issues

Tuesday, November 3rd, 2009

Be aware that the initial release of Ubuntu Karmic contains a bug that affects PHP and PEAR, whose fix came a tad too late to make the initial release.  The bug is fixed, and will be included in upcoming updates from Ubuntu.

From PEAR’s perspective, the key issue relates to the zlib library.  This is evident in any attempt to install or upgrade a package, since doing so involves downloading a tarball file that must be uncompressed.  The bug causes some zlib functions to be unavailable to PHP, and the Archive_Tar code will silently fail due to this.

If you attempt to install or upgrade a package, it may appear to finish without error, but without a final “install ok” or “upgrade ok” message.  This means the process failed.  The workaround is to include the -Z argument, so that a .tar file will be downloaded rather than a .tgz file:

pear install -Z phpdocumentor

PEAR Website Outage

Friday, September 25th, 2009

The PEAR website is currently unavailable due to network issues where the server is located. The hosting provider is working to restore service.

In the meantime, the best alternative for PEAR installer usage is to point your “preferred_mirror” to one of the mirror PEAR channel servers. Use one of the commands below to choose a mirror near you:

  • U.S.: pear config-set preferred_mirror us.pear.php.net
  • Germany: pear config-set preferred_mirror de.pear.php.net

If you are using a PEAR installer older than version 1.9.0, and the preferred_mirror settings do not work successfully for you, a manual alternative for retrieving packages is to use the “download” command and point directly to the tarball file:

  • pear download http://us.pear.php.net/get/PEAR-1.9.0.tgz
  • pear download http://de.pear.php.net/get/PEAR-1.9.0.tar

If using this option, you must specify the package name in the correct case, while including the version number and the file type:

  • PEAR-1.9.0.tgz
  • Archive_Tar-1.2.3.tar

The new Group has been elected!

Monday, August 10th, 2009

I am more than glad to announce the arrival of the new PEAR Group for 2009 and 2010.

With a few fresh faces in the Group, this year looks very promising with the mix of both new blood and experienced PEAR Group members.

Congratulations to the elected seven (in no particular order):

  • Christian Weiske
  • Chuck Burgess
  • Daniel O’Connor
  • Ken Guest
  • Bill Shupp
  • Michael Gauthier
  • Brett Bieber

I can’t wait to have our first meeting and get the year kicking!

Thanks to everyone who voted!

The elections are still going!

Saturday, August 1st, 2009

As every year, the elections for the PEAR Group and PEAR President are happening. This year due to a few factors and messages lost in translation, we decided to extend the elections period by 10 days so more people would have time to vote!

So remember to cast your vote at http://pear.php.net/election/ and you have until the 5th of August 2009.

There are many new candidates for the Group and I think you should go and check them out!

PHP 5.3 Windows and PEAR (go-pear.phar)

Wednesday, July 1st, 2009

Some users have reported that the Windows builds of PHP 5.3 are not able to open the shipped go-pear.phar file.

As a workaround, users can run the distributed phar with php -d phar.require_hash=0 go-pear.phar or download and use the http://pear.php.net/go-pear non-pharred version.

Election 2008 Results

Sunday, June 22nd, 2008

The 2008 elections are now over; you can view the official results on the PEAR website.

The new PEAR group is:

Elections are now over and a new PEAR Group has been formed. Just like last year and always following the Constitution, the new members have been elected by a secret ballot of PEAR Developers. They have chosen:

  • Joshua Eichorn
  • Helgi Þormar Þorbjornsson
  • Joe Stump
  • Christian Weiske
  • Chuck Burgess
  • Travis Swicegood
  • Brett Bieber

The new PEAR President is: David Coallier

The kickoff meeting for the new group is being held today.

Election time 2008

Wednesday, June 4th, 2008

As every year, it is the time of the election for the PEAR Group and PEAR President for the year 2008 and 2009. If you haven’t cast your vote just yet, NOW is the perfect time to do it, so go to the election page and place your vote.

This year’s election contains a great mix of fresh mindsets, experienced and long time PEAR users and members of last year’s PEAR Group.

Go, vote!

PEAR communities

Saturday, October 20th, 2007

Those of you on linkedin.com should join the PEAR group, it is open to all.  Those of you on facebook.com should join the PEAR group, just search for “PEAR” and it will pop up.

These groups are primarily for fun, but also act as networking tools to get to know the people who are developing and using PEAR.  The official support channels for PEAR are still the mailing lists and bug tracker, and are listed at http://pear.php.net/support.php

The PEAR Project mourns the loss of Bertrand Gugger

Sunday, June 17th, 2007

The PEAR Project has lost a member of its community. Bertrand Gugger (toggg) passed away in the night from June 16th to 17th after suffering a heart attack.

Bertrand was involved in the maintenance of several important PEAR packages, including the Validate package family.

He leaves behind a wife and four children, who have our deepest sympathy. He will be missed.

The SPIP project, where Bertrand was involved as well, has compiled a list of his achievements as a tribute to him. It is available at
http://www.spip-contrib.net/Les-Projets-de-toggg.