Security Vulnerability Announcement: HTML_AJAX

Another vulnerability in the HTML_AJAX package has been found which potentially allows remote code execution.

A new release of the package is available which fixes this issue. One is strongly encouraged to upgrade to it by using:

$ pear upgrade HTML_AJAX-0.5.8

This issue is CVE-2017-5677. More details can be found in bug #21165.

Thanks to Egidio Romano who reported this issue.


PEAR server fully restored

The server has been fully restored after we had to witness a fatal hard drive crash on 2015-11-29.

Our server sponsor eUKhost quickly provided us with a new machine after we told them the old one had failed, and the last two weeks were spent setting it up to provide the same functionality as before:

All those things are back again.

Server outage 90% resolved

A short notice: Our replacement server is about 90% set up.

What’s currently missing:

  • manual
  • API documentation
  • old package files released more than 6 years ago

PEAR 1.10.1 fixes nasty bugs and improves BC

PEAR 1.10.1 fixes two bugs:

  • #20968: Infinite loop when using the old PEAR constructor (which some other packages do)
  • #20959: Crash on channel discovery with channel.xml redirect

We also re-added the PHP4-style constructor for PEAR_Error for backwards compatibility reasons – classes in many PEAR packages still use it.


PEAR 1.10.0 with PHP7 support is out

After a year of development, PEAR version 1.10.0 has been released.

It works on PHP7 and is E_DEPRECATED and E_STRICT compatible.

Apart from those big changes, a number of annoying bugs have been fixed and some features implemented – have a look at the release notes and the roadmap.

Thanks to Ferenc Kovacs, Hannes Magnusson, Remi Collet and Ken Guest for their patches.


Upgrade your existing PEAR installation as follows:

$ pear clear-cache
$ pear upgrade pear-1.10.0

Fresh installation

See the PEAR installation documentation.


PEAR 1.10.0dev3 is out

PEAR 1.10.0dev3 – probably the last pre-release version before PEAR 1.10.0 stable appears – has been released.

It fixes the following bugs:

  • #20507: pear list-upgrades does not take PHP version into account [cweiske]
  • #20927: Use correct php-config [cweiske]
  • #20946: PEAR_Builder::log() declaration [remicollet]

You can download it here:

Upgrading your existing installation is also easy:

$ pear upgrade PEAR-1.10.0dev3

PEAR 1.10.0dev1 brings PHP 7 compatibility!

We’ve released PEAR installer version 1.10.0dev1, which brings support for PHP 7 while dropping support for PHP 4 – 5.3.

See the announcement post @ for more information.


Security Vulnerability Announcement

A vulnerability in the HTML_AJAX package has been found which allows arbitrary remote code execution. All versions of the package from 0.4.0 up to and including release 0.5.6 are affected by this.

A new release of the package is available which fixes this issue. One is strongly encouraged to upgrade to it by using:

$ pear upgrade HTML_AJAX-0.5.7


PEAR 1.9.5 is out

The PEAR installer version 1.9.5 has been released today.

The new version – three years after the last stable 1.9.4 and 2 weeks after the preview – is a bugfix-only release. 13 bugs have been fixed. Among them are the following:

  • #18466: Modifying paths during installation broken on Windows
  • #20203: PEAR channels on github user pages do not work
  • #20283: Report correct php.ini directive on xdebug installation (and every other zend_extension)

Our plan is to work on a new version 1.10 that is E_STRICT and E_DEPRECATED clean and ships a couple of new features.


PEAR 1.9.5dev1 released

I’ve just released a preview of the upcoming PEAR installer version 1.9.5: PEAR 1.9.5dev1.

Version 1.9.5 will be the first release of the PEAR installer in 3 years, and thus needs quite some testing before declaring it stable. Instead of using “RC1”, we opted for “dev1” to keep the stability below alpha, so that upgrading normal packages in alpha/beta state does not automatically give you a potentially unstable PEAR version.

You can upgrade your existing PEAR version with the following command:
$ pear upgrade PEAR-1.9.5dev1

Pre-release versions of go-pear.phar and install-pear-nozlib.phar can temporarily be found at

Please report any bugs you find on the PEAR bug tracker or on the pear-dev mailing list.
