Workaround for bug in Debian package php-curl 5.4.38-0
20 March 2015
Deprecation warning: This workaround is not necessary any more. The bug is solved, please upgrade to the newest versions again. If you followed the instructions here, please remove the pinning file and the additional apt archive.
On 18th March 2015 the Debian security team released new versions of PHP packages for Debian Wheezy and Debian Jessie to address several vulnerabilities in PHP which are listed in DSA 3195-1.
The updated version of the PHP module 'php5-curl' contains a bug in the handling of cookie files which leads to connection problems between Cartaro and GeoServer. As a result of this bug, the authentication of users at GeoServer by Cartaro fails. Therefore, Cartaro does not work properly any more and new installations are not possible. The problem has already been reported to the Debian package maintainers as Debian Bug #780764, but no fix is available yet.
In order to get Cartaro working again, it is possible to downgrade to the older versions until a new version is released.
Warning: If you want to do this, please keep in mind that it exposes you to the security bugs fixed by the newer version. For publicly available installations you may want to wait for a patch instead. Downgrading is only a temporary solution and it is highly recommended to upgrade as soon as an updated version is available. We are going to post news on this issue via Twitter.
Downgrade PHP packages
This howto uses Debian Wheezy (stable) as the example system. You may have to adapt the paths for Debian Jessie.
The bug is present in version 5.4.38-0+deb7u1, so we have to downgrade to the former version 5.4.36-0+deb7u3. As a first step, we have to add a new apt archive provided by snapshot.debian.org because the old packages are not available anymore. Please open the following file with superuser privileges in an editor of your choice:
sudo vi /etc/apt/sources.list
/etc/apt/preferences and adding the lines
Finally we can perform the downgrade by executing
sudo apt-get update
followed by
sudo apt-get upgrade
This last command should print
Your Cartaro installation should work again now.
Please use this temporary solution only until a fixed version of php5-curl is released! As soon as Debian Bug #780764 is resolved, remove the snapshot.debian.org archive as well as the pinning definition and upgrade to the new version!
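One way to confirm that the workaround has really been removed, as an added example that is not part of the original post: the script below reports active snapshot.debian.org entries and pins to 5.4.36-0+deb7u3 that would keep a host on the vulnerable packages. The function names are hypothetical, and the sample file contents (including the TIMESTAMP placeholder and the pin priority) are constructed for the demo.

```shell
#!/bin/sh
# Added example, not from the original post. File contents below are constructed.
OLD_VERSION='5.4.36-0+deb7u3'   # downgrade target named in the article

# Active (uncommented) apt source lines that point at snapshot.debian.org.
snapshot_sources() {
    grep -nE '^[[:space:]]*deb(-src)?[[:space:]].*snapshot\.debian\.org' "$1" 2>/dev/null
}

# "Pin: version" lines that hold a package at the old, vulnerable version.
old_version_pins() {
    grep -nE '^[[:space:]]*Pin:[[:space:]]*version[[:space:]]' "$1" 2>/dev/null |
        grep -F -- "$OLD_VERSION"
}

# Returns 0 when neither file carries the workaround, 1 otherwise.
audit_workaround() {
    sources=${1:-/etc/apt/sources.list}
    prefs=${2:-/etc/apt/preferences}
    rc=0
    if found=$(snapshot_sources "$sources"); then
        printf 'snapshot archive still enabled in %s:\n%s\n' "$sources" "$found"
        rc=1
    fi
    if found=$(old_version_pins "$prefs"); then
        printf 'pin to %s still present in %s:\n%s\n' "$OLD_VERSION" "$prefs" "$found"
        rc=1
    fi
    return "$rc"
}

# Constructed sample files; TIMESTAMP is a placeholder, not a real snapshot id.
write_samples() {
    printf '%s\n' 'deb http://ftp.debian.org/debian wheezy main' \
        'deb http://snapshot.debian.org/archive/debian/TIMESTAMP/ wheezy main' \
        > "$1/sources.list"
    printf '%s\n' 'Package: php5-curl' "Pin: version $OLD_VERSION" \
        'Pin-Priority: 1001' > "$1/preferences"
}

# Demo on the constructed files.
demo_dir=$(mktemp -d)
write_samples "$demo_dir"
audit_workaround "$demo_dir/sources.list" "$demo_dir/preferences" ||
    echo 'workaround still in place: remove both entries, then upgrade'
rm -rf "$demo_dir"
```

Calling `audit_workaround` without arguments checks /etc/apt/sources.list and /etc/apt/preferences, the two files edited in this howto.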