Cartaro

Workaround for bug in Debian package php-curl 5.4.38-0

Deprecation warning:

This workaround is not necessary any more. The bug is solved; please upgrade to the newest versions again. If you followed the instructions here, please remove the pinning file and the additional apt archive.


On 18th March 2015 the Debian security team released new versions of the PHP packages for Debian Wheezy and Debian Jessie to address several vulnerabilities in PHP, which are listed in DSA 3195-1. The updated version of the PHP module 'php5-curl' contains a bug in the handling of cookie files which leads to connection problems between Cartaro and GeoServer. As a result of this bug, the authentication of users at GeoServer by Cartaro fails. Therefore, Cartaro does not work properly any more and new installations are not possible. The bug has already been reported to the Debian package maintainers as Debian Bug #780764, but no fix is available yet.
In order to get Cartaro working again, it is possible to downgrade to the older package versions until a fixed version is released.
Warning: If you want to do this, please keep in mind that this exposes you to the security bugs fixed by the newer version - for publicly available installations you may want to wait for a patch instead. Downgrading is only a temporary solution and it is highly recommended to upgrade as soon as an updated version is available. We are going to inform you via Twitter about news on this issue.

Downgrade PHP packages

This howto uses Debian Wheezy (stable) as example system. You may have to adapt the paths for Debian Jessie.

The bug is present in version 5.4.38-0+deb7u1, so we have to downgrade to the former version 5.4.36-0+deb7u3. As a first step, we have to add a new apt archive provided by snapshot.debian.org, because the old packages are not available from the regular archive anymore. Please open the following file in an editor of your choice, with superuser privileges:

sudo vi /etc/apt/sources.list

and add

# wheezy-updates-snapshot
deb http://snapshot.debian.org/archive/debian-security/20150317T155302Z/ wheezy/updates main

Next we have to pin our PHP packages to the snapshot archive to prevent them from being updated to the newest version. Do this by opening /etc/apt/preferences and adding the lines

Package: php5 php5-* libapache2-mod-php5
Pin: origin snapshot.debian.org
Pin-Priority: 1001

Finally we can perform the downgrade by executing sudo apt-get update followed by sudo apt-get upgrade. This last command should print:

$ sudo apt-get upgrade
Reading package lists... Done
Building dependency tree
Reading state information... Done
The following packages will be DOWNGRADED:
  php-pear php5 php5-cgi php5-cli php5-common php5-curl php5-dbg php5-dev php5-gd php5-pgsql
0 upgraded, 0 newly installed, 10 downgraded, 0 to remove and 0 not upgraded.
Need to get 373 kB/25.5 MB of archives.
After this operation, 5120 B disk space will be freed.
Do you want to continue [Y/n]?

Your Cartaro installation should work again now.
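The three steps above (add the snapshot archive, pin the php5 packages, downgrade) as one script, added here as an example and not part of the original post or of Cartaro itself. It differs from the post in one design choice: instead of editing /etc/apt/sources.list and /etc/apt/preferences in place, it writes drop-in files under /etc/apt/sources.list.d/ and /etc/apt/preferences.d/, so that reverting the workaround once Debian Bug #780764 is fixed is a plain file removal rather than a manual edit. The APT_ROOT variable, the file names, and the function names are assumptions of this example; the archive URL, package list, pin priority and version numbers are the ones from the post.

```shell
#!/bin/sh
# Added example, not the Cartaro post's own instructions. Applies and reverts the
# php5 snapshot pinning via drop-in files. APT_ROOT (an assumption of this script,
# empty by default so paths resolve under /) allows exercising it against a
# scratch directory without touching the real apt configuration.
set -eu

APT_ROOT="${APT_ROOT:-}"
SNAPSHOT_URL="http://snapshot.debian.org/archive/debian-security/20150317T155302Z/"
GOOD_VERSION="5.4.36-0+deb7u3"   # version the post downgrades to
BAD_VERSION="5.4.38-0+deb7u1"    # version with the cookie-file bug (Debian Bug #780764)

# Drop-in file locations (names are assumptions of this example).
source_file() { printf '%s\n' "$APT_ROOT/etc/apt/sources.list.d/wheezy-updates-snapshot.list"; }
pin_file()    { printf '%s\n' "$APT_ROOT/etc/apt/preferences.d/php5-snapshot.pref"; }

# Step 1 + 2: write the snapshot archive entry and the pin.
# Pin-Priority 1001 (> 1000) is what permits apt to DOWNGRADE an installed package.
apply_workaround() {
    mkdir -p "$(dirname "$(source_file)")" "$(dirname "$(pin_file)")"
    printf '%s\n' \
        "# wheezy-updates-snapshot (temporary, remove when Debian Bug #780764 is fixed)" \
        "deb $SNAPSHOT_URL wheezy/updates main" > "$(source_file)"
    printf '%s\n' \
        "Package: php5 php5-* libapache2-mod-php5" \
        "Pin: origin snapshot.debian.org" \
        "Pin-Priority: 1001" > "$(pin_file)"
}

# Revert: delete both drop-in files; a following apt-get update/upgrade then
# moves the packages forward to the current security release again.
revert_workaround() {
    rm -f "$(source_file)" "$(pin_file)"
}

# Returns 0 when both drop-in files are present, 1 otherwise.
workaround_present() {
    [ -f "$(source_file)" ] && [ -f "$(pin_file)" ]
}

# Classify an installed php5-curl version string (as printed by
# `dpkg-query -W -f '${Version}' php5-curl`): "downgrade" for the buggy release,
# "ok" for the pinned good one, "unknown" for anything else.
classify_version() {
    case "$1" in
        "$BAD_VERSION")  echo downgrade ;;
        "$GOOD_VERSION") echo ok ;;
        *)               echo unknown ;;
    esac
}

# Extract the Candidate line from `apt-cache policy <pkg>` output read on stdin;
# after apt-get update with the pin in place it should print $GOOD_VERSION.
candidate_version() {
    sed -n 's/^ *Candidate: //p'
}

# Step 3 plus verification, run on the real system with: sh downgrade_php5.sh apply
case "${1:-}" in
    apply)
        apply_workaround
        apt-get update
        echo "Candidate php5-curl: $(apt-cache policy php5-curl | candidate_version)"
        apt-get upgrade
        ;;
    revert)
        revert_workaround
        apt-get update
        apt-get upgrade
        ;;
    check)
        classify_version "$(dpkg-query -W -f '${Version}' php5-curl)"
        ;;
esac
```

Run it as root with `apply` to perform the downgrade, `check` to see whether the installed php5-curl is the buggy release, and `revert` once the fixed package is available. The `Candidate` line printed after `apt-get update` is the check worth looking at before confirming the upgrade prompt: if it does not show 5.4.36-0+deb7u3, the pin or the snapshot entry was not picked up and apt would not downgrade anything.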


Please use this temporary solution only until a fixed version of php5-curl is released! As soon as Debian Bug #780764 is resolved, remove the snapshot.debian.org archive as well as the pinning definition and upgrade to the new version!