PEAR

@pear

Followers
818
Following
98
Media
2
Statuses
644

The PHP Extension and Application Repository. Please use #pearPHP to get our attention if you have to use a hashtag!

Joined August 2009
@pear
PEAR
6 years
A security breach has been found on the webserver, with a tainted go-pear.phar discovered. The PEAR website itself has been disabled until a known clean site can be rebuilt. A more detailed announcement will be on the PEAR Blog once it's back online.
6
331
156
@pear
PEAR
6 years
If you have downloaded this go-pear.phar in the past six months, you should get a new copy of the same release version from GitHub (pear/pearweb_phars) and compare file hashes. If different, you may have the infected file.
8
173
86
@pear
PEAR
6 years
UPDATE: The `` channel is back up, at least enough to deliver release tarballs for `pear` CLI clients.
3
14
27
@pear
PEAR
6 years
A new v1.10.10 release of pearweb_phars is available on @github . This rereleases the correct `go-pear.phar` as v1.10.9, the file that was found tainted on the `` server, and now includes separate GPG signature files with each `phar`.
4
15
25
@pear
PEAR
6 years
1/5 What we know: the tainted go-pear.phar file was reported to us on 1/18 by the Paranoids FIRE Team. The last release of this file was done 12/20, so the taint occurred after that. The taint was verified by us on 1/19.
2
17
26
@pear
PEAR
6 years
We *might* have the `` site back up by the end of this week, at least to the point where the `pear` CLI command is able to retrieve package tarballs for installation. We're at least close to that milestone in our recovery.
4
8
21
@pear
PEAR
6 years
Very happy to say that installing/upgrading packages from the channel is working again. We are immensely grateful to everybody who has assisted getting us this far.
3
13
19
@pear
PEAR
6 years
The release will be issued as a proper "PEAR release" once the server is back up. Our thanks to @evertp for making the case for a fresh release.
2
2
12
@pear
PEAR
6 years
5/5 What we know: We cast a wide net by asking everyone to be concerned if they'd used the go-pear.phar file in the past six months. The server restoral is ongoing, by limited staff with timezone differences between the parties involved.
0
9
13
@pear
PEAR
6 years
Workaround for installing PEAR packages while is down: get the latest Release of the package at GitHub (e.g. ), unpack it, cd into that dir, and run `pear install package.xml` or `pear install package2.xml`.
3
4
8
@pear
PEAR
6 years
2/5 What we know: The taint was an embedded line designed to spawn a reverse shell via Perl to IP 104.131.154.154. This IP has been reported to its host in relation to the taint.
1
10
9
@pear
PEAR
6 years
10/10: The only community of users that likely interacted with a go-pear.phar file is someone that has PHP already and wanted to manually install PEAR themselves, and chose to manually download go-pear.phar to do it. Once PEAR is installed, go-pear.phar would not be used again.
3
4
8
@pear
PEAR
5 years
Looking over the pear access logs today, we're getting requests via the #pear cli from #php versions lower than 5.6 - down as far as 5.1, 4.4, and 4.3. Crazy.
1
4
9
@pear
PEAR
6 years
3/5 What we know: no other breach was identified. The install-pear-nozlib.phar was ok. The go-pear.phar file at GitHub was ok, and could be used as a good md5sum comparison for any suspect copies.
0
7
8
@pear
PEAR
6 years
Update: the Paranoids FIRE Team has evidence to support multiple users' claims that clean files were downloaded as late as 1/15... so users can limit their own investigations to go-pear.phar receipt and usage after 1/15.
1
2
8
@pear
PEAR
6 years
4/5 What we know: being unsure of other potential insecurities, we took the site down in order to restore a new box from backups. A previous mirror box was set to host a "PEAR is down" single info page in the meantime.
0
6
7
@pear
PEAR
6 years
UPDATE: the peardoc section has been restored, but we now have a DB error issue with most webpages. The REST portion of the site is still good, so `pear` CLI usage can still retrieve package tarballs and information.
1
2
6
@pear
PEAR
2 years
@jarnheimer ah, the poor elephpants! and no PEAR! @php_pmd , phpunit and composer aren't there either. And HHVM should be in a bin 🤣
1
0
7
@pear
PEAR
6 years
With in mind, we're happy to announce that the online documentation for all packages is now accessible again :-) . Thank you for your patience in letting us get this fixed.
@captainsafia
Safia
6 years
The best engineers write more documentation than code.
46
193
1K
2
2
7
@pear
PEAR
6 years
Also, functionality for downloading directly from the pear website has been restored, since about an hour ago.
1
2
5
@pear
PEAR
6 years
@Nakqz md5sum of the infected file is 1e26d9dd3110af79a9595f1a77a82de7
0
9
5
@pear
PEAR
6 years
1/10: Regarding the "six months" timeframe in the initial announcement. In addition to the report we received about go-pear.phar, we had an *indication* of unexpected iptables changes. This turned out to be security work by another group, not an attack.
0
5
5
@pear
PEAR
6 years
7/10: If your system has PHP and PEAR preinstalled, it is hugely unlikely that go-pear.phar is on it... and even more unlikely that you would have used it on that system.
0
3
4
@pear
PEAR
9 years
We've had a flurry of activity building up to and including the release of PEAR 1.10, which adds PHP7 support. http://t.co/TRsgMGffqy \o/
0
2
4
@pear
PEAR
9 years
PEAR 1.10.0dev2 is out! Adding support for man pages (role=man) and fixing a few issues. Go install it - and PEAR_Manpages-1.10.0dev2! \o/
0
4
4
@pear
PEAR
9 years
More details about #pear 1.10.0 are at http://t.co/GCMRgGroPI - the big news being #php7 compatibility, but there's more goodness too! #php
0
6
4
@pear
PEAR
6 years
@xyahe Correct... those contain the PEAR program itself, so go-pear.phar (one-time executable to download and install the PEAR program) is not needed, and thus not included.
0
2
4
@pear
PEAR
6 years
4/4: Also note that this does *not* affect the PEAR installer package itself... it affects the go-pear.phar executable that you would use to initially install the PEAR installer. Using the `pear` command to install various PEAR packages is *not* affected.
0
5
4
@pear
PEAR
6 years
6/10: The largest misunderstanding we see in the wild is thinking that go-pear.phar *is* the PEAR installer program itself, and that it's what you use over and over again to install various PEAR packages. This is *not* the case.
0
5
4
@pear
PEAR
10 years
#pear -core has no test failures on #php 7 anymore :)
0
3
3
@pear
PEAR
6 years
8/10: If you installed PEAR on your Linux system using your distribution's package management tool, it is hugely unlikely that go-pear.phar was included with it... and even more unlikely that you would have used it on that system.
0
3
2
@pear
PEAR
6 years
PEAR-1.10.9 released ()
0
3
3
@pear
PEAR
6 years
@ModulusJoe No intended radio silence, just extremely busy juggling real-life work, family life and getting the essential parts of back up!
1
0
3
@pear
PEAR
6 years
9/10: If you manually installed PHP and it included a PEAR installation during its installation, it is hugely unlikely that go-pear.phar was pulled in for that task (it uses install-pear-nozlib.phar instead)... and even more unlikely that you would have used it on that system.
1
4
3
@pear
PEAR
6 years
3/4: If you installed PEAR via a PHP installation, you should be fine since that method uses the install-pear-nozlib.phar file.
0
4
2
@pear
PEAR
6 years
@derickr @github No, the nozlib file was not found altered.
1
0
2
@pear
PEAR
10 years
Security Announcement: HTML_AJAX users should upgrade immediately http://t.co/NAaBchJbHC
2
1
2
@pear
PEAR
10 years
New #PEAR installer version 1.9.5 released! http://t.co/phzQfvKdL4 #php
0
4
2
@pear
PEAR
4 years
@DanMandelman @LiveEquipped (not the "pear" you're looking for)
0
0
2
@pear
PEAR
14 years
Sweet! Services_Twitter 0.6.2 was just released! http://pear.php.net/package/Services_Twitter/download/0.6.2/
0
2
2
@pear
PEAR
6 years
1/4: So, if you downloaded go-pear.phar since 12/20 in order to run it once to install the PEAR package on your system, you *should* be concerned, particularly if your system has `sh` and `perl` available.
0
5
2
@pear
PEAR
6 years
Alternatively, you could clone the GitHub repo, check out the tag of the release you want, cd and install. Generally I would advise against installing from the master/trunk branch directly... I would use the tag to get an actual released version of the code.
1
1
2
@pear
PEAR
6 years
@PHMyriamL thank you! It's pretty much down to @ashnazg and @kenguest - with a few others stepping up when needed.
1
0
2
@pear
PEAR
6 years
3/10: We can say with confidence that if you downloaded the go-pear.phar file since 12/20, **and used it to install the PEAR package installer program on your system**, then you should be *very* concerned.
0
3
2
@pear
PEAR
6 years
@ramsey Try it now...
0
0
2
@pear
PEAR
13 years
from planet #pear : Newly stable packages in PEAR: We've had 60 releases since July. While most a... http://t.co/MH1SpYTj
0
1
0
@pear
PEAR
14 years
Cache_Lite 1.7.9: - If sys_get_temp_dir() is available and the 'cacheDir' option is not provided in the constr... http://tinyurl.com/4dotv96
0
0
1
@pear
PEAR
15 years
Awesome! OpenID 0.1.1 was just released! http://pear.php.net/package/OpenID/download/0.1.1/
0
1
1
@pear
PEAR
6 years
@omercadocoss Note the tweets with updates since the initial announcement. If you already used the one-use phar file, you already have the PEAR CLI command installed. There's no need to redownload go-pear.phar.
1
0
1
@pear
PEAR
6 years
@Dave3Young If you upgrade to 1.10.8 (released on 7th February) that XML_Util problem should go away. The Console_Getopt warning is standard and can be safely ignored.
1
0
1
@pear
PEAR
6 years
@eric_poe Every go-pear.phar invocation since 12/20 would have installed PEAR v1.10.7 on your system. `pear list` will show you what's on your system. However, note that v1.10.7 came out 12/5, well before go-pear.phar was tainted.
1
1
1
@pear
PEAR
15 years
Great horny toads! Services_Facebook 0.2.13 was just released! http://pear.php.net/package/Services_Facebook/download/0.2.13/
0
0
1
@pear
PEAR
9 years
@michieltcs @skwashd time and money are the factors. Some people offered help which is appreciated. Passive-aggressive fools not so much.
0
0
1
@pear
PEAR
9 years
151,863 installs of PEAR 1.10.1 (and 212,035 of PEAR 1.10.0) *AFTER 3 DAYS ONLY* and people say #PEAR is dead?! lol
3
5
1
@pear
PEAR
6 years
@maxpchadwick The installation instructions regarding usage of go-pear.phar:
1
0
1
@pear
PEAR
6 years
@brittanyalauren Oh my $DEITY. What's he coding now? He using cpan, composer or a ruby gem?!
0
1
1
@pear
PEAR
6 years
@Dave3Young Ok. That should be trivial enough to fix (for varying values of trivial ;-) ) If possible we'll get to that today.
0
0
1
@pear
PEAR
6 years
@nathanielrsuchy Also, package managers like apt would most likely package the PEAR installer itself, rather than the go-pear.phar installation script that downloads the PEAR installer package directly. Ubuntu Disco does not package go-pear.phar --
0
2
1
@pear
PEAR
9 years
Archive_Tar 1.4.0 has been released - dropping support for PHP 4 and adding support for PHP 7. http://t.co/Km59iZl2np.
0
1
1
@pear
PEAR
6 years
@Dave3Young You're very welcome - please let us know if you discover any other issues that we should take care of.
0
0
1
@pear
PEAR
6 years
@Dave3Young That's finally fixed now, and documentation for all packages and versions of them have been regenerated so you shouldn't find any dead-ends from either 403s or 404s :-)
1
0
1
@pear
PEAR
6 years
@derickr @github Right, because the server is not yet restored. The certificate warning is due to the "PEAR is down" page being hosted on a previous mirror. Even without the cert error, the files are unavailable for now.
0
0
1
@pear
PEAR
6 years
@SammyK You sir are an inspiration. Thank you!
0
0
1
@pear
PEAR
9 years
@mipapo @eUKhostLtd not as yet, but we will post updates when there's something worth mentioning.
0
0
1
@pear
PEAR
9 years
PHP_Archive 0.12.0 is out! phar compression detection is fixed, tests run on PHP 5.2-7 and more! http://t.co/GLYKTeei24
0
1
1
@pear
PEAR
6 years
@evertp @official_php Released version is fine... the copy of the phar on the box was altered. GitHub copy is ok.
2
0
1
@pear
PEAR
6 years
@ashnazg @phpfig Everybody needs to run out and implement PSR-8 at least once in a while.
0
0
1
@pear
PEAR
6 years
@cloudabove @official_php This is just because of the mirror server () we are using to host the "PEAR is down" static page.
0
0
1
@pear
PEAR
14 years
Sweet! Net_Whois 1.0.3 was just released! http://pear.php.net/package/Net_Whois/download/1.0.3/
0
1
1
@pear
PEAR
9 years
@OReillyMedia @lornajane @radar @OReillyMedia @lornajane @radar Some 13 years - count them - before composer was released. 2/2
0
0
1
@pear
PEAR
6 years
@loreadi True. Composer can install less complex pear packages into your project's vendor directory system. There are some possibly "esoteric" directives in a few packages, but for most packages it should work ok.
0
0
1
@pear
PEAR
6 years
@omercadocoss What you'll need to do if you think you used the one-use tainted phar file is check your system based on the date you ran the phar. The taint is a remote shell opened by the phar execution. Look for anything that shell might have done.
1
0
1
@pear
PEAR
6 years
@phpLibHunt Major clarifications to that article, as it seems to assume that go-pear.phar is the actual PEAR package (the command line installer). go-pear.phar is a one use installation executable to get the PEAR package itself installed.
1
0
0
@pear
PEAR
6 years
@cviebrock Note these recent threads:
@pear
PEAR
6 years
1/4: So, if you downloaded go-pear.phar since 12/20 in order to run it once to install the PEAR package on your system, you *should* be concerned, particularly if your system has `sh` and `perl` available.
0
5
2
0
1
1
@pear
PEAR
9 years
New release of Date_Holidays_Austria -
0
0
1
@pear
PEAR
6 years
2/4: If you downloaded go-pear.phar before 12/20, we have no concrete evidence you received a tainted file... but it would be prudent to check your system if you used go-pear.phar to perform a PEAR installation in the last several months.
0
4
1
@pear
PEAR
9 years
@SynchroM Thanks for your offer of help, we're 90% there now.
1
0
1
@pear
PEAR
4 years
@ElvisNgong2 @Mango @orange @guava Cool. But how does this relate to the PEAR project except to say we are hard grafters/workers? 🤔
0
0
1
@pear
PEAR
6 years
@TheOnlyDoo Not sure if this is cute commentary or grand derision... I'll go with the former... at least that would make it recursive delusion if it was really the latter.
0
0
1
@pear
PEAR
6 years
@eric_poe This is not quite correct. If you used go-pear.phar since 12/20 to install the PEAR installer on your box, then you should be concerned that a remote shell was opened at that time. The `pear` command itself is not affected.
1
1
1
@pear
PEAR
6 years
Security Announcement: HTML_QuickForm users should upgrade immediately
0
3
1
@pear
PEAR
6 years
@Dave3Young Sorry for the delay in replying, but I think we got that working again around the 17th. It is taking a while, but everything is slowly coming back into place - thanks for being so patient.
2
0
1
@pear
PEAR
9 years
. @webysther @pmjones or immensely stable... :D
1
0
1
@pear
PEAR
5 years
@zakgreant Always happy to help awareness of both open-source (great) and burnouts (not great)
0
0
1
@pear
PEAR
6 years
@todeveni Ah, I see it now. Thanks for letting us know.
0
0
1
@pear
PEAR
6 years
Security Announcement: Archive_Tar users should upgrade immediately
1
6
1
@pear
PEAR
6 years
@thesaltydog42 Download the repo tarball for the last release from github (), unpack it, cd into that dir, and run `pear install package.xml`.
1
0
1
@pear
PEAR
15 years
Great Scott! System_Daemon 0.10.0 was just released! http://pear.php.net/package/System_Daemon/download/0.10.0/
0
1
1
@pear
PEAR
6 years
@ScotEWells Note these recent threads for updates: &
@pear
PEAR
6 years
1/4: So, if you downloaded go-pear.phar since 12/20 in order to run it once to install the PEAR package on your system, you *should* be concerned, particularly if your system has `sh` and `perl` available.
0
5
2
0
0
1
@pear
PEAR
6 years
@pear
PEAR
6 years
We *might* have the `` site back up by the end of this week, at least to the point where the `pear` CLI command is able to retrieve package tarballs for installation. We're at least close to that milestone in our recovery.
4
8
21
0
0
1
@pear
PEAR
6 years
@Dave3Young Sorry - I misspoke, viewing documentation for specific packages online isn't working yet, but it is included in the package .tgz that you can now download. Apologies for getting your hopes up.
0
2
1
@pear
PEAR
9 years
#PEAR 1.10.1 fixes some bugs and improves BC - http://t.co/0u7oS4mv48 #php #php7
0
1
1
@pear
PEAR
15 years
Cool! System_Daemon 0.10.2 was just released! http://pear.php.net/package/System_Daemon/download/0.10.2/
0
0
1
@pear
PEAR
9 years
Server is fully restored now , including an explanation of what went wrong & why things have taken so long to remedy.
0
2
1
@pear
PEAR
6 years
@nathanielrsuchy I would not consider it infected. There have been no reports of other package managers (e.g. apt) indicating that they picked up a bad go-pear.phar and repackaged it into their own packages.
1
2
1
@pear
PEAR
9 years
PEAR 1.10.0 is out: working on #PHP7 . It is E_DEPRECATED and E_STRICT compatible. #pear #php Thanks to all involved! http://t.co/X71MaedRsA
0
2
1