PEAR channels on google code currently broken

PEAR channels hosted on google code (like the unofficial Smarty channel, unofficial Zend Framework channel and the unofficial Mediawiki channel) are currently broken.

The reason for it has been discovered in the corresponding bug report: HTTP requests containing a port number in the “Host” header field are rejected, returning a 404.

The issue is currently being investigated by Google. If you cannot wait, apply a hack-fix to your PEAR installation. Alternatively, use Pyrus, the next-gen PEAR installer.

Posted in Announcements, Group Blog | Tagged , , | 1 Comment

PEAR in March 2010

After a quiet holiday season, the PEAR community has started rumbling again.

Digg gave PEAR a plug, new versions of Mail, Services_Facebook, System_Daemon, and HTML_Template_IT were released, the number of bugs reported dropped to less than one per package for a brief time, and two promising new proposals in PEPr arrived.

What’s even more exciting, we’ve got a continuous integration environment currently set up; discussion (and bug fixing) is turning more and more towards the future of pear, and the quiet on the mailing lists has vanished in a recent flood of posts.

Even better, we’ve seen the conceptual basis of PEAR (channel server and installer) take off with Pirum and PEARFarm being launched; and several large projects like PHPUnit, Smarty, and even Zend Framework (!) being installable via pear channels.

If this level of activity is anything to judge by, the future of PEAR looks bright for 2010!

Posted in Uncategorized | Comments Off

Net_Traceroute and Net_Ping security advisory

PEAR Security Advisory (PSA 200911-14-01)

Severity: Serious
Title: PEAR Net_Ping and Net_Traceroute Remote Arbitrary Command Injection
Date: November 14, 2009
ID: 200911-14-01

Synopsis

Multiple remote arbitrary command injections have been found in the Net_Ping
and Net_Traceroute.

Background

Net_Ping is an OS independent wrapper class for executing ping calls from PHP

Net_Traceroute is an OS independent wrapper class for executing traceroute calls from PHP

Affected packages

———————————————————————————————
Package                   /  Vulnerable  /             Unaffected
———————————————————————————————
1  Net_Ping                   < 2.4.5                   >= 2.4.5
2  Net_Traceroute       < 0.21.2                  >= 0.21.2

———————————————————————————————
2 affected packages on all of their supported architectures.
———————————————————————————————

Description

Remote Arbitrary Command Injection

Impact

When input from forms are used directly, the attacker could pass variables that would allow him to execute remote arbitrary command injections.

Workaround

Filter your input to make sure the commands passed are shell escaped or upgrade to the latest version of both packages.

Resolution

The group recommends users of Net_Ping to upgrade to Net_Ping-2.4.5 if they haven’t already:

The group recommends users of Net_Traceroute to upgrade to Net_Traceroute-0.21.2 if they haven’t already:

Reported By

Thanks to Pasquale Imperato for finding, analyzing and reporting the issue.

Link

http://pear.php.net/advisory20091114-01.txt

Posted in Announcements, Blogroll, Group Blog, President Blog | 4 Comments

Ubuntu Karmic Ships with PEAR-Affecting Issues

Be aware that the initial release of Ubuntu Karmic contains a bug that affects PHP and PEAR, whose fix came a tad too late to make the initial release.  The bug is fixed, and will be included in upcoming updates from Ubuntu.

From PEAR’s perspective, the key issue relates to the zlib library.  This is evident in any attempt to install or upgrade a package, since doing so involves downloading a tarball file that must be uncompressed.  The bug causes some zlib functions to be unavailable to PHP, and the Archive_Tar code will silently fail due to this.

If you attempt to install or upgrade a package, it may appear to finish without error, but without a final “install ok” or “upgrade ok” message.  This means the process failed.  The workaround is to include the -Z argument, so that a .tar file will be downloaded rather than a .tgz file:

pear install -Z phpdocumentor

Posted in Announcements | Tagged , , | 11 Comments

Outage over

The core router issues at the hosting provider have been resolved.  Sorry for the inconvenience.  pear.php.net and the PEAR channel are now back in business.

Posted in Uncategorized | Comments Off

PEAR Website Outage

The PEAR website is currently unavailable due to network issues where the server is located. The hosting provider is working to restore service.

In the meantime, the best alternative for PEAR installer usage is to point your “preferred_mirror” to one of the mirror PEAR channel servers. Use one of the commands below to choose a mirror near you:

  • U.S: pear config-set preferred_mirror us.pear.php.net
  • Germany: pear config-set preferred_mirror de.pear.php.net

If you are using a PEAR installer older than version 1.9.0, and the preferred_mirror settings do not work successfully for you, a manual alternative for retrieving packages is to use the “download” command and point directly to the tarball file:

  • pear download http://us.pear.php.net/get/PEAR-1.9.0.tgz
  • pear download http://de.pear.php.net/get/PEAR-1.9.0.tar

If using this option, you must specify the package name in the correct case, while including the version number and the file type:

  • PEAR-1.9.0.tgz
  • Archive_Tar-1.2.3.tar
Posted in Announcements | Tagged , | 2 Comments

Fixing “unsupported protocol”

Some PEAR installations on PHP 5.2.9 and 5.2.10 seem to be corrupted. When trying to install something, you will get the error:

pear.php.net is using a unsupported protocal – This should never happen. install failed

This problem comes from corrupted channel files. Go into your PEAR php directory and backup .channels directory:


cd `pear config-get php_dir`
mv .channels .channels-broken
pear update-channels

This means you lost all your channels except for the default ones (pear, pecl, doc and __uri) – but at least you do not have to re-install PEAR.

Sorry for the inconvenience.

Posted in Uncategorized | 16 Comments

The new Group has been elected!

I am more than glad to announce the arrival, the announcement of the new PEAR Group for 2009 and 2010.

With a few fresh faces in the Group, this year looks very promising with the mix of both new blood and experienced PEAR Group members.

Congratulations to the elected 7s (In no particular order):

  • Christian Weiske
  • Chuck Burgress
  • Daniel O’Connor
  • Ken Guest
  • Bill Shupp
  • Michael Gauthier
  • Brett Bieber

I can’t wait to have our first meeting and get the year kicking!

Thanks to everyone who voted!

Posted in Announcements, Blogroll, President Blog | Tagged , , , , | 5 Comments

The elections are still going!

As every year, the elections for the PEAR Group and PEAR President are happening. This year due to a few factors and messages lost in translation, we decided to extend the elections period by 10 days so more people would have time to vote!

So remember to cast your vote at http://pear.php.net/election/ and you have until the the 5th of August 2009.

There are many new candidates for the Group and I think you should go and check them out!

Posted in Announcements, Blogroll, Group Blog, President Blog | 2 Comments

Setting Up PEAR2 and PEAR Checkouts With SVN 1.5+

Now that pear2 is in svn.php.net, it is possible to do commits with
multiple packages using a feature of subversion called “sparse checkouts.”

Rasmus wrote about this for setting up php checkouts here:
http://news.php.net/php.internals/44993

Here is the version I used to set up pear and pear2 in a way that will
allow committing to both pear and pear2 packages in a single commit.
For packages like Console_CommandLine that live in both repositories,
this is very useful for tracking merges.  (Note: on windows, get
TortoiseSVN 1.6.3, and right-click “checkout” for checkout, and use the
“update to revision” option for the sparse updates)

svn co http://svn.php.net/repository –set-depth empty phpsvn
cd phpsvn
svn up –set-depth immediates pear pear2
svn up –set-depth immediates pear2/* pear/*
svn up –set-depth infinity pear2/*/trunk pear/*/trunk
svn up –set-depth immediates pear2/sandbox
svn up –set-depth infinity pear2/sandbox/*/trunk
svn up –set-depth immediates pear/peardoc
svn up –set-depth infinity pear/peardoc/trunk

At this point, your work is done.  You can perform the same steps for
pearweb if you’re a maintainer, and be on your way.

With the above setup, when you make a change to a package, you can
update the documentation immediately and commit it together, by changing
to phpsvn and running “svn commit” (Windows: right-click on the phpsvn
folder and choose “svn commit”)

Hopefully this will get people started with being able to develop more
efficiently and to work effectively with PEAR2.

If you want to start a Pear2 package, all you need to do is send an
email to the pear-dev@lists.php.net, and the PEAR Group will get you set up.  I’m happy to answer
any questions.

Greg Beaver

Posted in Uncategorized | Tagged , , | 5 Comments