After the recent problems regarding the usage of PEAR channels hosted in google code SVN repositories, we are glad to announce that the problem has been fixed on both sides!
Reason for the problem was that PEAR sent HTTP “Host:” headers with the port included, i.e. “Host: pear.php.net:80″. This is completly valid according to the HTTP/1.0 specification, and it worked with all of the channels – except those from Google.
Google fixed their HTTP servers to accept Hosts with port numbers, and we at PEAR fixed the PEAR installer not to add the port to HTTP host headers. Version 1.9.1 of PEAR includes that fix.
PEAR channels hosted on google code (like the unofficial Smarty channel, unofficial Zend Framework channel and the unofficial Mediawiki channel) are currently broken.
The reason for it has been discovered in the corresponding bug report: HTTP requests containing a port number in the “Host” header field are rejected, returning a 404.
The issue is currently being investigated by Google. If you cannot wait, apply a hack-fix to your PEAR installation. Alternatively, use Pyrus, the next-gen PEAR installer.
After a quiet holiday season, the PEAR community has started rumbling again.
Digg gave PEAR a plug, new versions of Mail, Services_Facebook, System_Daemon, and HTML_Template_IT were released, the number of bugs reported dropped to less than one per package for a brief time, and two promising new proposals in PEPr arrived.
What’s even more exciting, we’ve got a continuous integration environment currently set up; discussion (and bug fixing) is turning more and more towards the future of pear, and the quiet on the mailing lists has vanished in a recent flood of posts.
Even better, we’ve seen the conceptual basis of PEAR (channel server and installer) take off with Pirum and PEARFarm being launched; and several large projects like PHPUnit, Smarty, and even Zend Framework (!) being installable via pear channels.
If this level of activity is anything to judge by, the future of PEAR looks bright for 2010!
PEAR Security Advisory (PSA 200911-14-01)
Title: PEAR Net_Ping and Net_Traceroute Remote Arbitrary Command Injection
Date: November 14, 2009
Multiple remote arbitrary command injections have been found in the Net_Ping
Net_Ping is an OS independent wrapper class for executing ping calls from PHP
Net_Traceroute is an OS independent wrapper class for executing traceroute calls from PHP
Package / Vulnerable / Unaffected
1 Net_Ping < 2.4.5 >= 2.4.5
2 Net_Traceroute < 0.21.2 >= 0.21.2
2 affected packages on all of their supported architectures.
Remote Arbitrary Command Injection
When input from forms are used directly, the attacker could pass variables that would allow him to execute remote arbitrary command injections.
Filter your input to make sure the commands passed are shell escaped or upgrade to the latest version of both packages.
The group recommends users of Net_Ping to upgrade to Net_Ping-2.4.5 if they haven’t already:
The group recommends users of Net_Traceroute to upgrade to Net_Traceroute-0.21.2 if they haven’t already:
Thanks to Pasquale Imperato for finding, analyzing and reporting the issue.
Be aware that the initial release of Ubuntu Karmic contains a bug that affects PHP and PEAR, whose fix came a tad too late to make the initial release. The bug is fixed, and will be included in upcoming updates from Ubuntu.
From PEAR’s perspective, the key issue relates to the zlib library. This is evident in any attempt to install or upgrade a package, since doing so involves downloading a tarball file that must be uncompressed. The bug causes some zlib functions to be unavailable to PHP, and the Archive_Tar code will silently fail due to this.
If you attempt to install or upgrade a package, it may appear to finish without error, but without a final “install ok” or “upgrade ok” message. This means the process failed. The workaround is to include the -Z argument, so that a .tar file will be downloaded rather than a .tgz file:
pear install -Z phpdocumentor
The core router issues at the hosting provider have been resolved. Sorry for the inconvenience. pear.php.net and the PEAR channel are now back in business.
The PEAR website is currently unavailable due to network issues where the server is located. The hosting provider is working to restore service.
In the meantime, the best alternative for PEAR installer usage is to point your “preferred_mirror” to one of the mirror PEAR channel servers. Use one of the commands below to choose a mirror near you:
- U.S: pear config-set preferred_mirror us.pear.php.net
- Germany: pear config-set preferred_mirror de.pear.php.net
If you are using a PEAR installer older than version 1.9.0, and the preferred_mirror settings do not work successfully for you, a manual alternative for retrieving packages is to use the “download” command and point directly to the tarball file:
- pear download http://us.pear.php.net/get/PEAR-1.9.0.tgz
- pear download http://de.pear.php.net/get/PEAR-1.9.0.tar
If using this option, you must specify the package name in the correct case, while including the version number and the file type:
Some PEAR installations on PHP 5.2.9 and 5.2.10 seem to be corrupted. When trying to install something, you will get the error:
pear.php.net is using a unsupported protocal – This should never happen. install failed
This problem comes from corrupted channel files. Go into your PEAR php directory and backup .channels directory:
cd `pear config-get php_dir`
mv .channels .channels-broken
This means you lost all your channels except for the default ones (pear, pecl, doc and __uri) – but at least you do not have to re-install PEAR.
Sorry for the inconvenience.
I am more than glad to announce the arrival, the announcement of the new PEAR Group for 2009 and 2010.
With a few fresh faces in the Group, this year looks very promising with the mix of both new blood and experienced PEAR Group members.
Congratulations to the elected 7s (In no particular order):
- Christian Weiske
- Chuck Burgress
- Daniel O’Connor
- Ken Guest
- Bill Shupp
- Michael Gauthier
- Brett Bieber
I can’t wait to have our first meeting and get the year kicking!
Thanks to everyone who voted!
As every year, the elections for the PEAR Group and PEAR President are happening. This year due to a few factors and messages lost in translation, we decided to extend the elections period by 10 days so more people would have time to vote!
So remember to cast your vote at http://pear.php.net/election/ and you have until the the 5th of August 2009.
There are many new candidates for the Group and I think you should go and check them out!