
Installing PHP 5.3.3 on CentOS 8/RHEL8/OL8

파란화면 2021. 2. 18. 19:57

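PHP 5.3.3 is old software, released on July 20, 2010. Updates for the PHP 5.3 series ended on August 14, 2014.

However, PHP 5.3.3 is also the PHP version shipped by default in the Yum repository of Red Hat® Enterprise Linux® 6. This means that Red Hat provides a minimum level of maintenance, such as backporting mainline security patches, until the RHEL6 support period ends.

Trusting Red Hat, let's build and install a PHP that includes the Red Hat patches on CentOS 8/RHEL 8/Oracle Linux 8.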

Installing Apache / MariaDB

dnf install httpd httpd-devel
dnf install mariadb mariadb-server

Installing PHP

Applying the Red Hat security patches to PHP 5.3.3

$ curl -o php.rpm http://ftp.redhat.com/redhat/linux/enterprise/6Server/en/os/SRPMS/php-5.3.3-50.el6_10.src.rpm
$ rpm2cpio php.rpm  | cpio -idmv
$ tar xf php-5.3.3.tar.gz
$ cd php-5.3.3
$ patch -p1 < ../php-5.3.3-bug54268.patch
$ patch -p1 < ../php-5.3.3-pdopgsql.patch
$ patch -p1 < ../php-5.3.3-bug66762.patch
$ patch -p1 < ../php-5.3.3-bug52636.patch
$ patch -p1 < ../php-5.3.3-rfc2616.patch
$ patch -p1 < ../php-5.3.3-r305043.patch
$ patch -p1 < ../php-5.3.3-bug53141.patch
$ patch -p1 < ../php-5.3.3-openssl.patch
$ patch -p1 < ../php-5.3.3-bug54609.patch
$ patch -p1 < ../php-5.3.3-curltls.patch
$ patch -p1 < ../php-5.3.3-bug63635.patch
$ patch -p1 < ../php-5.3.3-CVE-2010-3709.patch
$ patch -p1 < ../php-5.3.2-CVE-2010-3870.patch
$ patch -p1 < ../php-5.3.3-CVE-2010-3710.patch
$ patch -p1 < ../php-5.3.2-CVE-2010-4645.patch
$ patch -p1 < ../php-5.3.3-CVE-2010-4156.patch
$ patch -p1 < ../php-5.3.3-CVE-2011-0708.patch
$ patch -p1 < ../php-5.3.3-CVE-2011-1148.patch
$ patch -p1 < ../php-5.3.3-CVE-2011-1466.patch
$ patch -p1 < ../php-5.3.3-CVE-2011-1468.patch
$ patch -p1 < ../php-5.3.3-CVE-2011-1469.patch
$ patch -p1 < ../php-5.3.3-CVE-2011-1470.patch
$ patch -p1 < ../php-5.3.3-CVE-2011-1471.patch
$ patch -p1 < ../php-5.3.3-CVE-2011-1938.patch
$ patch -p1 < ../php-5.3.3-CVE-2011-2202.patch
$ patch -p1 < ../php-5.3.3-CVE-2011-2483.patch
$ patch -p1 < ../php-5.3.3-CVE-2011-4885.patch
$ patch -p1 < ../php-5.3.3-CVE-2011-4566.patch
$ patch -p1 < ../php-5.3.3-CVE-2012-0830.patch
$ patch -p1 < ../php-5.3.3-CVE-2012-1823.patch
$ patch -p1 < ../php-5.3.3-CVE-2012-2336.patch
$ patch -p1 < ../php-5.3.3-CVE-2011-4153.patch
$ patch -p1 < ../php-5.3.3-CVE-2012-0781.patch
$ patch -p1 < ../php-5.3.3-CVE-2012-1172.patch
$ patch -p1 < ../php-5.3.3-CVE-2012-2143.patch
$ patch -p1 < ../php-5.3.3-CVE-2012-2386.patch
$ patch -p1 < ../php-5.3.3-CVE-2012-0057.patch
$ patch -p1 < ../php-5.3.3-CVE-2012-0789.patch
$ patch -p1 < ../php-5.3.3-CVE-2010-2950.patch
$ patch -p1 < ../php-5.3.3-CVE-2012-2688.patch
$ patch -p1 < ../php-5.3.3-CVE-2012-0831.patch
$ patch -p1 < ../php-5.3.3-CVE-2011-1398.patch
$ patch -p1 < ../php-5.3.3-CVE-2013-1643.patch
$ patch -p1 < ../php-5.3.3-CVE-2006-7243.patch
$ patch -p1 < ../php-5.3.3-CVE-2013-4113.patch
$ patch -p1 < ../php-5.3.3-CVE-2013-4248.patch
$ patch -p1 < ../php-5.3.3-CVE-2013-6420.patch
$ patch -p1 < ../php-5.3.3-CVE-2014-0237.patch
$ patch -p1 < ../php-5.3.3-CVE-2014-0238.patch
$ patch -p1 < ../php-5.3.3-CVE-2014-2270.patch
$ patch -p1 < ../php-5.3.3-CVE-2014-1943.patch
$ patch -p1 < ../php-5.3.3-CVE-2014-3479.patch
$ patch -p1 < ../php-5.3.3-CVE-2012-1571.patch
$ patch -p1 < ../php-5.3.3-CVE-2014-3480.patch
$ patch -p1 < ../php-5.3.3-CVE-2014-4721.patch
$ patch -p1 < ../php-5.3.3-CVE-2013-6712.patch
$ patch -p1 < ../php-5.3.3-CVE-2014-4049.patch
$ patch -p1 < ../php-5.3.3-CVE-2014-3515.patch
$ patch -p1 < ../php-5.3.3-CVE-2014-2497.patch
$ patch -p1 < ../php-5.3.3-CVE-2014-3587.patch
$ patch -p1 < ../php-5.3.3-CVE-2014-3597.patch
$ patch -p1 < ../php-5.3.3-CVE-2014-4698.patch
$ patch -p1 < ../php-5.3.3-CVE-2014-4670.patch
$ patch -p1 < ../php-5.3.3-CVE-2014-3668.patch
$ patch -p1 < ../php-5.3.3-CVE-2014-3669.patch
$ patch -p1 < ../php-5.3.3-CVE-2014-3670.patch
$ patch -p1 < ../php-5.3.3-CVE-2014-3710.patch
$ patch -p1 < ../php-5.3.3-CVE-2014-9425.patch
$ patch -p1 < ../php-5.3.3-CVE-2015-0232.patch
$ patch -p1 < ../php-5.3.3-CVE-2014-9709.patch
$ patch -p1 < ../php-5.3.3-CVE-2015-0273.patch
$ patch -p1 < ../php-5.3.3-CVE-2014-9705.patch
$ patch -p1 < ../php-5.3.3-CVE-2015-2301.patch
$ patch -p1 < ../php-5.3.3-CVE-2015-2787.patch
$ patch -p1 < ../php-5.3.3-bug69085.patch
$ patch -p1 < ../php-5.3.3-CVE-2015-2783.patch
$ patch -p1 < ../php-5.3.3-CVE-2015-3329.patch
$ patch -p1 < ../php-5.3.3-CVE-2015-4021.patch
$ patch -p1 < ../php-5.3.3-CVE-2015-4022.patch
$ patch -p1 < ../php-5.3.3-CVE-2015-4024.patch
$ patch -p1 < ../php-5.3.3-CVE-2015-4026.patch
$ patch -p1 < ../php-5.3.3-bug69353.patch
$ patch -p1 < ../php-5.3.3-bug69152.patch
$ patch -p1 < ../php-5.3.3-CVE-2015-4644.patch
$ patch -p1 < ../php-5.3.3-CVE-2016-5385.patch

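Required libraries

CentOS/RHEL 8 and their repositories ship OpenSSL 1.1.1, but the OpenSSL version recommended for PHP 5.3 is around 0.9.8. As a compromise, we will go with 1.0.2.

Addendum: in testing, OpenSSL 1.0.2 did not give good results. I recommend using LibreSSL as described below.

In addition, some of the libraries PHP needs are linked against OpenSSL 1.1.1 in the versions shipped with the OS (or its default repositories), so the build fails with errors. For that reason we will also build libcurl, OpenLDAP, and Kerberos ourselves.

Building OpenSSL 1.0.2*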

dnf remove openssl-devel
mkdir openssl
curl -o openssl102u.tgz https://www.openssl.org/source/old/1.0.2/openssl-1.0.2u.tar.gz
tar xzf openssl102u.tgz
cd openssl-1.0.2u/
./Configure linux-x86_64 shared --prefix=/usr/local/openssl-1.0.2u --openssldir=/usr/local/openssl-1.0.2u
make && make install

Setting LD / CFLAGS

echo '/usr/local/openssl-1.0.2u/lib' > /etc/ld.so.conf.d/openssl-1.0.2u.conf
ldconfig  # rebuild the linker cache so the new directory takes effect
export LDFLAGS='-L/usr/local/openssl-1.0.2u/lib'
export CPPFLAGS='-I/usr/local/openssl-1.0.2u/include/'
export CFLAGS='-I/usr/local/openssl-1.0.2u/include/'

Building libcurl

curl -o curl-7.72.0.tgz https://curl.haxx.se/download/curl-7.72.0.tar.gz
tar xzf curl-7.72.0.tgz
cd curl-7.72.0
./configure --prefix /usr/local/curl-7.72.0 --with-ssl=/usr/local/openssl-1.0.2u
make && make install

# curl-config is needed for the PHP build
mkdir -p /usr/local/curl-7.72.0/bin
cp /usr/local/curl-7.72.0/curl-config /usr/local/curl-7.72.0/bin/
export PATH=$PATH:/usr/local/curl-7.72.0/bin/
chmod +x /usr/local/curl-7.72.0/bin/curl-config

Building OpenLDAP

curl -o openldap-2.4.52.tgz https://www.openldap.org/software/download/OpenLDAP/openldap-release/openldap-2.4.52.tgz
tar xf openldap-2.4.52.tgz && cd openldap-2.4.52
./configure --prefix=/usr/local/openldap-2.4.52
make depend && make && make install
# the shared libraries are installed under the prefix's lib/ directory
export LD_LIBRARY_PATH=$LD_LIBRARY_PATH:/usr/local/openldap-2.4.52/lib

Building Kerberos 5

curl -o krb5-1.18.2.tgz https://web.mit.edu/kerberos/www/dist/krb5/1.18/krb5-1.18.2.tar.gz
tar xf krb5-1.18.2.tgz && cd krb5-1.18.2/src
dnf install byacc
./configure --prefix=/usr/local/krb5-1.18.2
make && make install

Building PHP

./configure  '--with-apxs2' '--with-iconv' '--with-mysql=mysqlnd' '--with-mysqli=mysqlnd' '--with-zlib' '--with-gd' '--with-freetype-dir' '--enable-gd-native-ttf' '--with-openssl-dir=/usr/local/openssl-1.0.2u' '--with-openssl=/usr/local/openssl-1.0.2u' '--with-curl=/usr/local/curl-7.72.0' '--enable-sockets' '--enable-zip' '--with-jpeg-dir' '--with-png-dir'
make
make test
make install

Success, in theory

# /usr/local/bin/php -v
PHP 5.3.3 (cli) (built: Sep  3 2020 15:44:34) 
Copyright (c) 1997-2010 The PHP Group
Zend Engine v2.3.0, Copyright (c) 1998-2010 Zend Technologies

Hooray!

Addendum

With OpenSSL 1.0.2, PHP's curl did not work properly for HTTPS requests (libcrypto segfaults).
So I decided not to build curl into PHP and to split the curl extension out separately instead.
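As an added example (not part of the original post), the following check lists which libssl/libcrypto a built binary resolves and flags any that come from outside the intended prefix, which is how a leftover link to the system's OpenSSL 1.1.1 would show up. The function names and the sample `ldd` output are constructed for illustration; the prefix is the one used above.

```shell
#!/usr/bin/env bash
# Added example, not from the original post. On a real host, pipe
#   ldd /usr/local/bin/php      (or the curl extension's .so)
# into these functions. SAMPLE_LDD is constructed sample output.

SAMPLE_LDD=$(cat <<'EOF'
	linux-vdso.so.1 (0x00007ffc0a5f2000)
	libssl.so.1.0.0 => /usr/local/openssl-1.0.2u/lib/libssl.so.1.0.0 (0x00007f1c2a000000)
	libcrypto.so.1.0.0 => /usr/local/openssl-1.0.2u/lib/libcrypto.so.1.0.0 (0x00007f1c29a00000)
	libldap-2.4.so.2 => /lib64/libldap-2.4.so.2 (0x00007f1c29600000)
	libssl.so.1.1 => /lib64/libssl.so.1.1 (0x00007f1c29200000)
	libcrypto.so.1.1 => /lib64/libcrypto.so.1.1 (0x00007f1c28c00000)
	libc.so.6 => /lib64/libc.so.6 (0x00007f1c28800000)
EOF
)

# Read ldd output on stdin; print "soname path" for every libssl/libcrypto.
tls_libs() {
    awk '$2 == "=>" && $1 ~ /^lib(ssl|crypto)\.so/ { print $1, $3 }' | sort -u
}

# Read ldd output on stdin; print the TLS libraries that resolve outside
# the expected prefix ($1). Exit status 1 if there are any, 0 otherwise.
tls_outside_prefix() {
    out=$(tls_libs | awk -v p="$1/" 'index($2, p) != 1')
    [ -z "$out" ] && return 0
    printf '%s\n' "$out"
    return 1
}

# Read ldd output on stdin; print how many distinct libcrypto sonames the
# process would load. More than 1 means two TLS stacks share one process.
libcrypto_count() {
    tls_libs | awk '$1 ~ /^libcrypto/' | wc -l | tr -d ' '
}

# Demo on the constructed sample: the system OpenSSL 1.1 libraries are
# reported because a system library (libldap here) pulled them in.
printf '%s\n' "$SAMPLE_LDD" | tls_outside_prefix /usr/local/openssl-1.0.2u \
    || echo "libcrypto versions in one process: $(printf '%s\n' "$SAMPLE_LDD" | libcrypto_count)"
```

An empty result from `tls_outside_prefix` together with a `libcrypto_count` of 1 means the binary only pulls in the TLS library it was configured against.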

LibreSSL + libcurl

# curl -o libressl-3.2.1.tar.gz https://cloudflare.cdn.openbsd.org/pub/OpenBSD/LibreSSL/libressl-3.2.1.tar.gz
# tar xzf libressl-3.2.1.tar.gz
# cd libressl-3.2.1
# ./configure --prefix=/usr/local/libressl-3.2.1
# make check
# make install
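# cd <curl-7.72.0 source directory>   (the curl tree extracted earlier; the next configure is curl's, not LibreSSL's)
# ./configure --prefix=/usr/local/curl-7.72.0 --with-ssl=/usr/local/libressl-3.2.1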
(...)
configure: Configured to build curl/libcurl:

  Host setup:       x86_64-pc-linux-gnu
  Install prefix:   /usr/local/curl-7.72.0
  Compiler:         gcc
   CFLAGS:          -Werror-implicit-function-declaration -O2 -Wno-system-headers -pthread
   CPPFLAGS:        -isystem /usr/local/libressl-3.2.1/include
   LDFLAGS:         -L/usr/local/libressl-3.2.1/lib
   LIBS:            -lssl -lcrypto -lssl -lcrypto -lldap -llber -lz

  curl version:     7.72.0
  SSL:              enabled (libressl)
  SSH:              no      (--with-{libssh,libssh2})
  zlib:             enabled
  brotli:           no      (--with-brotli)
  zstd:             no      (--with-zstd)
  GSS-API:          no      (--with-gssapi)
  TLS-SRP:          no      (--enable-tls-srp)
  resolver:         POSIX threaded
  IPv6:             enabled
  Unix sockets:     enabled
  IDN:              no      (--with-{libidn2,winidn})
  Build libcurl:    Shared=yes, Static=yes
  Built-in manual:  enabled
  --libcurl option: enabled (--disable-libcurl-option)
  Verbose errors:   enabled (--disable-verbose)
  Code coverage:    disabled
  SSPI:             no      (--enable-sspi)
  ca cert bundle:   /etc/pki/tls/certs/ca-bundle.crt
  ca cert path:     no
  ca fallback:      no
  LDAP:             enabled (OpenLDAP)
  LDAPS:            enabled
  RTSP:             enabled
  RTMP:             no      (--with-librtmp)
  Metalink:         no      (--with-libmetalink)
  PSL:              no      (libpsl not found)
  Alt-svc:          no      (--enable-alt-svc)
  HTTP2:            disabled (--with-nghttp2)
  HTTP3:            disabled (--with-ngtcp2, --with-quiche)
  ESNI:             no      (--enable-esni)
  Protocols:        DICT FILE FTP FTPS GOPHER HTTP HTTPS IMAP IMAPS LDAP LDAPS POP3 POP3S RTSP SMB SMBS SMTP SMTPS TELNET TFTP
  Features:         AsynchDNS HTTPS-proxy IPv6 NTLM NTLM_WB SSL UnixSockets libz

# make && make install