[mapguide-internals] Re: [mapguide-users] Enable full 64-Bit support for MGOS 2.2 & MGE 2011 - insecure version PHP 5.3.1

Trevor Wekel trevor_wekel at otxsystems.com
Mon Aug 16 16:53:15 EDT 2010


Hi Jason,

We should upgrade the 32bit installer to use Apache 2.2.15 before we release RC1. 2.2.11 is buggy under load.  See http://trac.osgeo.org/mapguide/ticket/1278.  

If you consider the PHP LCG issue to be serious, we should probably upgrade to PHP 5.3.3.  It might be good to run a header check to compare PHP 5.3.1 and PHP 5.3.3.  If the headers are the same, we should be able to upgrade the installer binaries and leave the source under Oem alone.
 
I am backlogged working on Linux issues right now so it will be a while before I can take a look at these upgrades.  I am currently working on the std::string issues for Linux and will be looking at the Linux build of the PostGIS and PostgreSQL providers next.

Regards,
Trevor


-----Original Message-----
From: mapguide-internals-bounces at lists.osgeo.org [mailto:mapguide-internals-bounces at lists.osgeo.org] On Behalf Of Jason Birch
Sent: August 15, 2010 3:46 PM
To: MapGuide Internals Mail List; bernhard.maehler at gmx.de
Subject: [mapguide-internals] Re: [mapguide-users] Enable full 64-Bit support for MGOS 2.2 & MGE 2011 - insecure version PHP 5.3.1

Hi Bernhard,

I've copied this to the mapguide-internals mailing list, as it's a more
appropriate place to discuss this with the developers.

The MGE installer is under a completely different process than the MGOS
installer now, don't count on anything being the same between them.
MGE-specific questions likely won't be answered here (unless someone from
the Autodesk installer team speaks up).

It looks like Trevor is using Apache 2.2.15 for the 64bit build of Apache,
but it looks like the 32bit build is still using 2.2.11, and both installers
are using PHP 5.3.1. (see
http://trac.osgeo.org/mapguide/browser/trunk/Installer/Support/Web )

I personally don't see any security defects in the Apache change log between
2.2.11 and 2.2.15 that would concern me overly, but it would be good to
ensure that both installers were running the same version.

The PHP LCG Entropy issue which was fixed in 5.3.2 does look worrisome; it
makes it relatively easy for attackers to retrieve session data by guessing
session IDs.

Any developers / PSC members have comments?

Jason

On 15 August 2010 12:29, Bernhard Maehler wrote:

>
> Hello,
>
> I have successfully installed MGE 2011 (German version) on Windows Server
> 2008 R2 (64-Bit) with Apache and PHP.
>
> Things I noticed:
> - the Server is running in 64-Bit mode, the Web Tier (Apache & PHP) runs
> only in 32-Bit mode, ok that's not dramatic
> - the bundled Apache & PHP versions (Apache 2.2.11, PHP 5.3.1 which is
> definitively buggy and insecure) are not up to date (current versions:
> Apache 2.2.16, PHP 5.3.3)
> - PHP which came with MGOS 2.2 beta & MGE 2001 leaves many extensions out
> (for example I can't enable oci8.dll)
>
> Questions:
> - are there any reasons why the installed PHP version is 5.3.1 ?
> - is it possible to enable the Web Tier (Apache & PHP) running in 64-Bit
> mode?
> - what are the plans for MGOS 2.2 Final Release?
>
> Thanks a lot,
> Bernhard
>
> P.S.:
> Just found these sources for 64-Bit (ZIP archives):
> - PHP 5.3.3: http://www.anindya.com/php-5-3-3-x64-64-bit-for-windows/
> - Apache 2.2.16: http://www.apachehaus.com/cgi-bin/download.plx
> I'll try to update next week and post test results then.