[mapguide-internals] Re: [mapguide-users] Enable full 64-Bit support for MGOS 2.2 & MGE 2011 - insecure version PHP 5.3.1

Jason Birch jason at jasonbirch.com
Sun Aug 15 17:46:07 EDT 2010


Hi Bernhard,

I've copied this to the mapguide-internals mailing list, as it's a more
appropriate place to discuss this with the developers.

The MGE installer is under a completely different process than the MGOS
installer now; don't count on anything being the same between them.
MGE-specific questions likely won't be answered here (unless someone from
the Autodesk installer team speaks up).

It looks like Trevor is using Apache 2.2.15 for the 64bit build of Apache,
but it looks like the 32bit build is still using 2.2.11, and both installers
are using PHP 5.3.1. (see
http://trac.osgeo.org/mapguide/browser/trunk/Installer/Support/Web )

I personally don't see any security defects in the Apache change log between
2.2.11 and 2.2.15 that would concern me overly, but it would be good to
ensure that both installers were running the same version.

The PHP LCG Entropy issue which was fixed in 5.3.2 does look worrisome; it
makes it relatively easy for attackers to retrieve session data by guessing
session IDs.

Any developers / PSC members have comments?

Jason

On 15 August 2010 12:29, Bernhard Maehler wrote:

>
> Hello,
>
> I have successfully installed MGE 2011 (German version) on Windows Server
> 2008 R2 (64-Bit) with Apache and PHP.
>
> Things I noticed:
> - the Server is running in 64-Bit mode, the Web Tier (Apache & PHP) runs
> only in 32-Bit mode, ok that's not dramatic
> - the bundled Apache & PHP versions (Apache 2.2.11, PHP 5.3.1 which is
> definitively buggy and insecure) are not up to date (current versions:
> Apache 2.2.16, PHP 5.3.3)
> - PHP which came with MGOS 2.2 beta & MGE 2001 leaves many extensions out
> (for example I can't enable oci8.dll)
>
> Questions:
> - are there any reasons why the installed PHP version is 5.3.1 ?
> - is it possible to enable the Web Tier (Apache & PHP) running in 64-Bit
> mode ?
> - what are the plans for MGOS 2.2 Final Release ?
>
> Thanks a lot,
> Bernhard
>
> P.S.:
> Just found these sources for 64-Bit (ZIP archives):
> - PHP 5.3.3: http://www.anindya.com/php-5-3-3-x64-64-bit-for-windows/
> - Apache 2.2.16: http://www.apachehaus.com/cgi-bin/download.plx
> I'll try to update next week and post test results then.