A vulnerability in the HTML_AJAX package has been found which allows arbitrary remote code execution. All versions of the package from 0.4.0 up to and including release 0.5.6 are affected by this.
An new release of the package is available which fixes this issue. One is strongly encouraged to upgrade to it by using:
$ pear upgrade HTML_AJAX-0.5.7.
The PEAR installer version 1.9.5 has been released today.
The new version – three years after the last stable 1.9.4 and 2 weeks after the preview – is a bugfix only release. 13 bugs have been fixed. Among them are the following:
- #18466: Modifying paths during installation broken on Windows
- #20203: PEAR channels on github user pages do not work
- #20283: Report correct php.ini directive on xdebug installation (and every other zend_extension)
Our plan is to work on a new version 1.10 that is E_STRICT and E_DEPRECATED clean and ships a couple of new features.
I’ve just released a preview of the upcoming PEAR installer version 1.9.5: PEAR 1.9.5dev1.
Version 1.9.5 will be the first release of the PEAR installer since 3 years, and thus needs quite some testing before declaring it stable. Instead of using “RC1″, we opted for “dev1″ to keep the stability below alpha, so that upgrading normal packages in alpha/beta state do not automatically give you a potentially unstable PEAR version.
You can upgrade your existing PEAR version with the following command:
$ pear upgrade PEAR-1.9.5dev1
Pre-release versions of go-pear.phar and install-pear-nozlib.phar can be temporarily be found at
Please report any bugs you find on the PEAR bug tracker or on the pear-dev mailing list.
Since October 2011, 5 million lines of the PEAR codebase has shifted to github.
Hand in hand with this shift has been the tireless work of Daniel C – someone who brazenly said “I will fix the failing packages!” in the tail end of last year.
Coupling his efforts with a call to arms, we’ve now seen an evaluation of the Known Good packages against PHP 5.4, and massive input by the community. The net result is as follows:
- Releases of Text_LanguageDetect, HTTP2, Net_Growl, Image_QRCode, Tree, HTML_BBCodeParser, Net_IMAP, Net_DNSBL, Services_Amazon, Image_Barcode2, Validate, Console_Color2, Services_ExchangeRates, Validate_DK, PEAR_PackageFileManager_Frontend, Text_Highlighter, PHP_Shell, Date, Image_Text, PEAR_Frontend_Gtk2, PHP_DocBlockGenerator, & Validate_AR through Dec/January
- All test infrastructure upgrading to PHP 5.4 release candidates
- All database driven test suites executing properly, catching a variety of simple bugs
- Just shy of 900 commit emails to the pear-cvs list for Dec/Jan – many containing multiple commits & fixes
- Hitting a point of “near zero” patches to be applied to unmaintained packages
- Applying no less than 30+ patches contributed by the community across all of PEAR
- Increasingly, the PEAR QA team is delivering PHP 5.3+ friendly forks of existing packages
I’d like to thank Daniel C for his efforts to date, as well as the contributors who may have previously lurked or found themselves distracted by other concerns.
Dec/Jan has been a great and vigorous period for the project – I heartily look forward to a great 2012.
With the PEAR move to github surpassing 200 repositories, we’re seeing more contributions from folks lurking in the shadows.
In particular I’d like to highlight the efforts of meldra and Gemorroj.
With XML_Feed_Parser hosted on github, Meldra has been able to provide all of the patches that have been sitting in the wings internally back to PEAR, with no fuss.
Faced with a backwards compability requirement on Image_Barcode, Gemorroj contributed heavily to an Image_Barcode2.
Having watched these two individuals over the last few weeks provide new vigour and input to some of our underloved packages, I’d like to put a challenge out to the community.
If you have a patch we have pushed back on because of backwards compatibility concerns, talk to us about making the next significant version of that package – we’ll get the code on github and help you get what you need.
No red tape. No run around. Just a solution to your problem by creating an appropriate fork, and a new major version to avoid any BC concerns.
If you have fixes for defects or enhancements being used within your organisation – send us a pull request.
Where there isn’t source available on github yet – ask for it.
PEAR is about providing the PHP community with reusable, effective components – this has been our mission since day 1.
If there is anything we can do to make that goal happen, to assist you as an individual or company, I would strongly encourage you to let us know – we’re here to help.
Like many other projects, many components of PEAR have started a migration to github.
We have two primary organisations set up for PEAR and PEAR2.
While the existing PEAR packages will continue to use the pear.php.net distribution and bug tracking capabilities; it’s never been easier to contribute to a PEAR package – simply fork; add your changes and send us a pull request.
If your preferred packages aren’t yet on github, please feel free to drop us a line on the pear-dev mailing list.
We’ve had 60 releases since July. While most are often minor improvements or bug fixes; a number of packages really stand out.
Net_DNS2, and HTTP_Request2. Each of these packages represents the second edition of their respective APIs; each having been honed over time to a point of stability.
If you have an existing project using Net_DNS or HTTP_Request; it is highly recommended you evaluate these new stable releases.
There’s nothing quite like having your blogging system go MIA for a while to give your community an overwhelming impression that no one is home.
Thankfully; despite the radio silence between updates there’s quite a lot to talk about!
We’ve seen well put together PEPr proposals around VersionControl_Hg, Services_Libravatar; Twitter_Uploader & many more; as well as new packages like Date_Holidays_Croatia, Date_Holidays_Australia & Validate_IR.
We’ve seen new members of the community such as arash, (Validate_IR); mgocobachi (HTML_Safe, Event_Dispatcher) and pce (Config_Lite).
Most exciting from my perspective? We’ve seen an explosion in the number of PEAR channels available – at this time, we know of no less than 55 different channels, from those with one small component to those with hundreds.
This is coupled with conversations in the community; around how PHP projects can create a robust; diverse ecosystem based on some of the core concepts built into PEAR; and how PEAR itself continues on.
Speaking of the future of PEAR, Pyrus is absolutely worth a look if you are working in a PHP 5.3+ environment.
The final place I’d like to throw the spotlight on is HTML_QuickForm2. If you are a user of the original HTML_QuickForm but haven’t thought about upgrading; this is the package for you.
The API is much cleaner, there are at least 3 plugins being proposed via PEPr at the moment; and it’s a snap to extend it to render really slick HTML5 controls.
What’s the pear project been up to recently? We’ve been fairly quiet, launching pear2 and pyrus into the line up, welcoming new faces to the QA team, Jesús Espino, and getting ready to call an election for the new pear group.
In addition to that, we’ve seen releases of Net_DNS, Net_IPv4, Services_Twitter, and File_MARC (read more) to name a few.
We’ve seen a fair few of the more active members of the community go into hibernation as life gets busier, so if you’ve ever wanted to help out with PEAR; now is a great time!
Not sure how to help? There’s plenty of ways; from stomping out deprecated code, writing unit tests for bug reports / packages, proposing a package, urging your favorite project to host a pear channel, becoming a member of the QA team or even part of the PEAR group itself.
Come and join us on the pear-dev mailing list to find out more.
After the recent problems regarding the usage of PEAR channels hosted in google code SVN repositories, we are glad to announce that the problem has been fixed on both sides!
Reason for the problem was that PEAR sent HTTP “Host:” headers with the port included, i.e. “Host: pear.php.net:80″. This is completly valid according to the HTTP/1.0 specification, and it worked with all of the channels – except those from Google.
Google fixed their HTTP servers to accept Hosts with port numbers, and we at PEAR fixed the PEAR installer not to add the port to HTTP host headers. Version 1.9.1 of PEAR includes that fix.