With the recently released PHP 5.4, the Suhosin patch and extension were removed from many Linux distribution packages (i.e., Debian et al.) and until three weeks ago, there was no possibility to compile and run the Suhosin extension under PHP 5.4. This little howto shall serve as installation instruction for Debian Wheezy users - your mileage may vary. I blogged about this here.

They start with the apt-get commands to install the latest PHP5 for your distribution (yum commands are similar, of course) and includes the location to download the latest Suhosin version from Stefan Esser's github account. Unpack it, compile and "phpize" it and if all goes well, you should have a shared module built and ready for use.

Ran into this issue when setting up a new VPS for AutoRidge. This happens when using Nginx and PHP-FPM with PHP 5.3+ and the Suhosin patch when trying to run a PHP script using a PHAR package. From what I can gather, the Suhosin patch basically blocks PHP include/require functions from executing files ending with .phar, which results in a PHP segfault that leaves no trace of any error at all.

His solution is a pretty simple one - edit the "suhosin.ini" file to allow for the opening of includes in phar files (suhosin.executor.include.whitelist). You can find out more about the Suhosin security tool on the project's website.

PHP 5.3.9 release was mostly meant to fix a security bug, but it introduced a new more serious bug. PHP 5.3.10 was just released to fix this issue. [...] This time it is a bug that allows arbitrary remote code execution. This means that it allows to run arbitrary code on the server, injected by an eventual attacker, so it can be used to cause many types of damage inside a server.

The upgrade to PHP 5.3.10 is highly recommended to prevent this issue from effecting your applications. The post also mentions the dropping of Suhosin support (a security plugin for PHP) on the Debian linux distribution's default installation and how the PHP community has reacted to the decision.

Last week, I received an email from someone who told me how the Suhosin patch had created problems for their team, and suggested that I write about it here. I thought this was a great idea, for a number of reasons. Particularly, Suhosin is one of those PHP patches that alters the way PHP operates in a fundamental fashion, yet also is installed by default in many places (for example, Ubuntu compiles this patch in by default on their installation).

He talks about some of the features it includes - disabling eval, not allowing for remote includes, makes it possible to modify the memory limit per script and allows you to set limits on the length of REQUEST arrays. He notes that, while the Suhosin patch is a good thing and can make a real difference in your application, it's by no means a requirement to creating a secure application (and shouldn't be used as a replacement for such).

There's also an interesting comment from Stefan Esser himself on the comments Brandon made in the post.

Because the new features of Suhosin Patch contains new code and some hacks I release the BETA version of the new Suhosin Patch to the public and hope people will test it in different OS/CPU/... and mail me the results to . The patch can be downloaded here.

Issues considered in this new patch version include the support for environment variables that let you configure how certain parts of the patch work (like memory handing and canary violation handling).

The hardened-php project has yet to release a suhosin patch for PHP 5.3.0. We're already using PHP 5.3, therefore I've modified the 0.9.7 patch for 5.2.10 to work with 5.3.0.

The Suhosin patch, created by the Hardened-PHP project is a protection system aiming to help protect your PHP installation from some of the common (and not so common) flaws in the PHP language itself. It's applied as a patch to the source before compiling and gives you a list of features for the base engine, runtime, session and filtering protection.

A meeting of the development team on July 30th nixed the inclusion of PHP 5.3 from inclusion in Karmic, the next iteration of Ubuntu for the desktop and the server. According to meeting minutes, there is concern amongst the Ubuntu security team that failure to include the suhosin patch in the PHP release would be a feature regression. Instead, the release will be referred to PPA until more testing can be completed.

Until the package is officially accepted and where users can update it as usual, you can still try your hand at compiling it manually and getting your Apache server up and running quickly.

The previous update (0.9.26) updated the utility with an improved randomness fixing a few issues with an ini setting and the uploadprogress extension as well as adding in a few new settings and updates to the randomizing functions that come included in PHP.

The 0.9.27 update (the most current) updates the patch with a lazy loading change that allows it to work correctly on systems that have it disabled by default (causing the previous patch to not work).

You can grab this latest release, 0.9.27, from the suhosin website.

Suhosin is a great and simple way of increasing your security without having a large impact on overall performance. In this tutorial I will cover the installation and configuration of Suhosin on both debian etch and centos 5. I may cover mod_security in a later tutorial.

They apt-get the packages needed for the patch in examples for two different distributions - Debian (etch) and CentOS. They also show how to set up some basic configuration to get the patch installed and working with your PHP installation.

It has been a very long time since the last Suhosin extension has been released, but today this has changed with the release of Suhosin 0.9.21. Among the changes are two new features that will protect applications that put to much trust into the SERVER variables from several XSS (and SQL injection) attacks. These features are suhosin.server.strip and suhosin.server.encode.

He details these two features and gives examples of what they protect from. You can find out more about the Suhosin patch on its website.