CentOS 8/RHEL8/OL8에 PHP 5.3.3 설치

2021. 2. 18. 19:57PC/Linux

반응형

PHP 5.3.3은 2010년 7월 20일에 릴리즈된 낡은 소프트웨어입니다. PHP 5.3 버전대에 대한 업데이트는 2014년 8월 14일자로 종료되었지요.

하지만 PHP 5.3.3은 Red Hat® Enterprise Linux® 6의 Yum 저장소에 기본 탑재되어 있는 PHP 버전이기도 합니다. 이 말은 레드햇에서 RHEL6의 지원 기간이 끝나기 전까지는 메인라인 보안패치를 백포팅하는 등 최소한의 유지보수를 제공해 준다는 것입니다.

레드햇을 믿고 CentOS 8/RHEL 8/Oracle Linux 8에서 레드햇 패치가 들어간 PHP를 빌드해서 설치해봅시다.

Apache / MariaDB 설치

dnf install httpd httpd-devel
dnf install mariadb mariadb-server

PHP 설치

PHP 5.3.3에 Redhat 보안 패치 적용

$ curl -o php.rpm http://ftp.redhat.com/redhat/linux/enterprise/6Server/en/os/SRPMS/php-5.3.3-50.el6_10.src.rpm
$ d php.rpm  | cpio -idmv
$ tar xf php-5.3.3.tar.gz
$ cd php-5.3.3
$ patch -p1 < ../php-5.3.3-bug54268.patch
$ patch -p1 < ../php-5.3.3-pdopgsql.patch
$ patch -p1 < ../php-5.3.3-bug66762.patch
$ patch -p1 < ../php-5.3.3-bug52636.patch
$ patch -p1 < ../php-5.3.3-rfc2616.patch
$ patch -p1 < ../php-5.3.3-r305043.patch
$ patch -p1 < ../php-5.3.3-bug53141.patch
$ patch -p1 < ../php-5.3.3-openssl.patch
$ patch -p1 < ../php-5.3.3-bug54609.patch
$ patch -p1 < ../php-5.3.3-curltls.patch
$ patch -p1 < ../php-5.3.3-bug63635.patch
$ patch -p1 < ../php-5.3.3-CVE-2010-3709.patch
$ patch -p1 < ../php-5.3.2-CVE-2010-3870.patch
$ patch -p1 < ../php-5.3.3-CVE-2010-3710.patch
$ patch -p1 < ../php-5.3.2-CVE-2010-4645.patch
$ patch -p1 < ../php-5.3.3-CVE-2010-4156.patch
$ patch -p1 < ../php-5.3.3-CVE-2011-0708.patch
$ patch -p1 < ../php-5.3.3-CVE-2011-1148.patch
$ patch -p1 < ../php-5.3.3-CVE-2011-1466.patch
$ patch -p1 < ../php-5.3.3-CVE-2011-1468.patch
$ patch -p1 < ../php-5.3.3-CVE-2011-1469.patch
$ patch -p1 < ../php-5.3.3-CVE-2011-1470.patch
$ patch -p1 < ../php-5.3.3-CVE-2011-1471.patch
$ patch -p1 < ../php-5.3.3-CVE-2011-1938.patch
$ patch -p1 < ../php-5.3.3-CVE-2011-2202.patch
$ patch -p1 < ../php-5.3.3-CVE-2011-2483.patch
$ patch -p1 < ../php-5.3.3-CVE-2011-4885.patch
$ patch -p1 < ../php-5.3.3-CVE-2011-4566.patch
$ patch -p1 < ../php-5.3.3-CVE-2012-0830.patch
$ patch -p1 < ../php-5.3.3-CVE-2012-1823.patch
$ patch -p1 < ../php-5.3.3-CVE-2012-2336.patch
$ patch -p1 < ../php-5.3.3-CVE-2011-4153.patch
$ patch -p1 < ../php-5.3.3-CVE-2012-0781.patch
$ patch -p1 < ../php-5.3.3-CVE-2012-1172.patch
$ patch -p1 < ../php-5.3.3-CVE-2012-2143.patch
$ patch -p1 < ../php-5.3.3-CVE-2012-2386.patch
$ patch -p1 < ../php-5.3.3-CVE-2012-0057.patch
$ patch -p1 < ../php-5.3.3-CVE-2012-0789.patch
$ patch -p1 < ../php-5.3.3-CVE-2010-2950.patch
$ patch -p1 < ../php-5.3.3-CVE-2012-2688.patch
$ patch -p1 < ../php-5.3.3-CVE-2012-0831.patch
$ patch -p1 < ../php-5.3.3-CVE-2011-1398.patch
$ patch -p1 < ../php-5.3.3-CVE-2013-1643.patch
$ patch -p1 < ../php-5.3.3-CVE-2006-7243.patch
$ patch -p1 < ../php-5.3.3-CVE-2013-4113.patch
$ patch -p1 < ../php-5.3.3-CVE-2013-4248.patch
$ patch -p1 < ../php-5.3.3-CVE-2013-6420.patch
$ patch -p1 < ../php-5.3.3-CVE-2014-0237.patch
$ patch -p1 < ../php-5.3.3-CVE-2014-0238.patch
$ patch -p1 < ../php-5.3.3-CVE-2014-2270.patch
$ patch -p1 < ../php-5.3.3-CVE-2014-1943.patch
$ patch -p1 < ../php-5.3.3-CVE-2014-3479.patch
$ patch -p1 < ../php-5.3.3-CVE-2012-1571.patch
$ patch -p1 < ../php-5.3.3-CVE-2014-3480.patch
$ patch -p1 < ../php-5.3.3-CVE-2014-4721.patch
$ patch -p1 < ../php-5.3.3-CVE-2013-6712.patch
$ patch -p1 < ../php-5.3.3-CVE-2014-4049.patch
$ patch -p1 < ../php-5.3.3-CVE-2014-3515.patch
$ patch -p1 < ../php-5.3.3-CVE-2014-2497.patch
$ patch -p1 < ../php-5.3.3-CVE-2014-3587.patch
$ patch -p1 < ../php-5.3.3-CVE-2014-3597.patch
$ patch -p1 < ../php-5.3.3-CVE-2014-4698.patch
$ patch -p1 < ../php-5.3.3-CVE-2014-4670.patch
$ patch -p1 < ../php-5.3.3-CVE-2014-3668.patch
$ patch -p1 < ../php-5.3.3-CVE-2014-3669.patch
$ patch -p1 < ../php-5.3.3-CVE-2014-3670.patch
$ patch -p1 < ../php-5.3.3-CVE-2014-3710.patch
$ patch -p1 < ../php-5.3.3-CVE-2014-9425.patch
$ patch -p1 < ../php-5.3.3-CVE-2015-0232.patch
$ patch -p1 < ../php-5.3.3-CVE-2014-9709.patch
$ patch -p1 < ../php-5.3.3-CVE-2015-0273.patch
$ patch -p1 < ../php-5.3.3-CVE-2014-9705.patch
$ patch -p1 < ../php-5.3.3-CVE-2015-2301.patch
$ patch -p1 < ../php-5.3.3-CVE-2015-2787.patch
$ patch -p1 < ../php-5.3.3-bug69085.patch
$ patch -p1 < ../php-5.3.3-CVE-2015-2783.patch
$ patch -p1 < ../php-5.3.3-CVE-2015-3329.patch
$ patch -p1 < ../php-5.3.3-CVE-2015-4021.patch
$ patch -p1 < ../php-5.3.3-CVE-2015-4022.patch
$ patch -p1 < ../php-5.3.3-CVE-2015-4024.patch
$ patch -p1 < ../php-5.3.3-CVE-2015-4026.patch
$ patch -p1 < ../php-5.3.3-bug69353.patch
$ patch -p1 < ../php-5.3.3-bug69152.patch
$ patch -p1 < ../php-5.3.3-CVE-2015-4644.patch
$ patch -p1 < ../php-5.3.3-CVE-2016-5385.patch

필요 라이브러리

CentOS/RHEL 8 및 이의 저장소에는 OpenSSL 1.1.1이 내장되어 있으나 PHP 5.3의 OpenSSL 권장버전은 0.9.8 정도입니다. 절충해서 1.0.2로 하기로 합니다.

추가: 실험 결과 OpenSSL 1.0.2로는 별로 좋지 못한 결과가 나옵니다. 아래와 같이 LibreSSL을 쓰는 것을 권장드립니다.

또 PHP에서 필요로 하는 라이브러리 중 일부가 OS(또는 기본 저장소)에 내장된 버전에서는 OpenSSL 1.1.1으로 링크되어 있기 때문에 빌드 시 오류가 발생합니다. 따라서 libcurl, OpenLDAP, Kerberos 또한 직접 빌드하도록 하겠습니다.

OpenSSL 1.0.2* 빌드

dnf remove openssl-devel
mkdir openssl
curl -o openssl102u.tgz https://www.openssl.org/source/old/1.0.2/openssl-1.0.2u.tar.gz
tar xzf openssl102u.tgz
cd openssl-1.0.2u/
./Configure linux-x86_64 shared --prefix=/usr/local/openssl-1.0.2u --openssldir=/usr/local/openssl-1.0.2u
make && make install

LD / CFLAGS 설정

echo '/usr/local/openssl-1.0.2u/lib' > /etc/ld.so.conf.d/openssl-1.0.2u.conf
export LDFLAGS='-L/usr/local/openssl-1.0.2u/lib'
export CPPFLAGS='-I/usr/local/openssl-1.0.2u/include/'
export CFLAGS='-I/usr/local/openssl-1.0.2u/include/'

libcurl 빌드

curl -o curl-7.72.0.tgz https://curl.haxx.se/download/curl-7.72.0.tar.gz
tar xzf curl-7.72.0.tgz
cd curl-7.72.0
./configure --prefix /usr/local/curl-7.72.0 --with-ssl=/usr/local/openssl-1.0.2u
make && make install

# PHP 빌드를 위해 curl-config 필요
mkdir /usr/local/curl-7.72.0/bin
cp /usr/local/curl-7.72.0/curl-config /usr/local/curl-7.72.0/bin/
export PATH=$PATH:/usr/local/curl-7.72.0/bin/
chmod +x /usr/local/curl-7.72.0/bin/curl-config

OpenLDAP 빌드

curl -o openldap-2.4.52.tgz https://www.openldap.org/software/download/OpenLDAP/openldap-release/openldap-2.4.52.tgz
tar xf openldap-2.4.52.tgz && cd openldap-2.4.52
./configure --prefix=/usr/local/openldap-2.4.52
make depend && make && make install
export LD_LIBRARY_PATH=$LD_LIBRARY_PATH:/usr/local/openldap-2.4.52/

Kerberos 5 빌드

curl -o krb5-1.18.2.tgz https://web.mit.edu/kerberos/www/dist/krb5/1.18/krb5-1.18.2.tar.gz
tar xf krb5-1.18.2.tgz && cd krb5-1.18.2/src
dnf install byacc
./configure --prefix=/usr/local/krb5-1.18.2
make && make install

PHP 빌드

./configure  '--with-apxs2' '--with-iconv' '--with-mysql=mysqlnd' '--with-mysqli=mysqlnd' '--with-zlib' '--with-gd' '--with-freetype-dir' '--enable-gd-native-ttf' '--with-openssl-dir=/usr/local/openssl-1.0.2u' '--with-openssl=/usr/local/openssl-1.0.2u' '--with-curl=/usr/local/curl-7.72.0' '--enable-sockets' '--enable-zip' '--with-jpeg-dir' '--with-png-dir'
make
make test
make install

이론상 성공

# /usr/local/bin/php -v
PHP 5.3.3 (cli) (built: Sep  3 2020 15:44:34) 
Copyright (c) 1997-2010 The PHP Group
Zend Engine v2.3.0, Copyright (c) 1998-2010 Zend Technologies

야호!

추가

OpenSSL 1.0.2를 썼더니 PHP의 curl이 HTTPS 요청에 대해 제대로 작동하지 않는 문제가 발생했습니다. (libcrypto가 segfault를 냄)
그래서 php에 curl을 포함시켜서 빌드하지 않고, curl extension을 따로 빼기로 했습니다.

LibreSSL + libcurl

# curl -o libressl-3.2.1.tar.gz https://cloudflare.cdn.openbsd.org/pub/OpenBSD/LibreSSL/libressl-3.2.1.tar.gz
# tar xzf libressl-3.2.1.tar.gz
# cd libressl-3.2.1
# ./configure --prefix=/usr/local/libressl-3.2.1
# make check
# make install
# ./configure --prefix=/usr/local/curl-7.72.0 --with-ssl=/usr/local/libressl-3.2.1
(...)
configure: Configured to build curl/libcurl:

  Host setup:       x86_64-pc-linux-gnu
  Install prefix:   /usr/local/curl-7.72.0
  Compiler:         gcc
   CFLAGS:          -Werror-implicit-function-declaration -O2 -Wno-system-headers -pthread
   CPPFLAGS:        -isystem /usr/local/libressl-3.2.1/include
   LDFLAGS:         -L/usr/local/libressl-3.2.1/lib
   LIBS:            -lssl -lcrypto -lssl -lcrypto -lldap -llber -lz

  curl version:     7.72.0
  SSL:              enabled (libressl)
  SSH:              no      (--with-{libssh,libssh2})
  zlib:             enabled
  brotli:           no      (--with-brotli)
  zstd:             no      (--with-zstd)
  GSS-API:          no      (--with-gssapi)
  TLS-SRP:          no      (--enable-tls-srp)
  resolver:         POSIX threaded
  IPv6:             enabled
  Unix sockets:     enabled
  IDN:              no      (--with-{libidn2,winidn})
  Build libcurl:    Shared=yes, Static=yes
  Built-in manual:  enabled
  --libcurl option: enabled (--disable-libcurl-option)
  Verbose errors:   enabled (--disable-verbose)
  Code coverage:    disabled
  SSPI:             no      (--enable-sspi)
  ca cert bundle:   /etc/pki/tls/certs/ca-bundle.crt
  ca cert path:     no
  ca fallback:      no
  LDAP:             enabled (OpenLDAP)
  LDAPS:            enabled
  RTSP:             enabled
  RTMP:             no      (--with-librtmp)
  Metalink:         no      (--with-libmetalink)
  PSL:              no      (libpsl not found)
  Alt-svc:          no      (--enable-alt-svc)
  HTTP2:            disabled (--with-nghttp2)
  HTTP3:            disabled (--with-ngtcp2, --with-quiche)
  ESNI:             no      (--enable-esni)
  Protocols:        DICT FILE FTP FTPS GOPHER HTTP HTTPS IMAP IMAPS LDAP LDAPS POP3 POP3S RTSP SMB SMBS SMTP SMTPS TELNET TFTP
  Features:         AsynchDNS HTTPS-proxy IPv6 NTLM NTLM_WB SSL UnixSockets libz

# make && make install
반응형
1 2 3