This repository has been archived by the owner on May 28, 2019. It is now read-only.

PEAR security breach #3

Closed
jamesmontalvo3 opened this issue Jan 22, 2019 · 3 comments

@jamesmontalvo3

Usage of PEAR is currently broken. http://pear.php.net/ says:

PEAR server is down
A security breach has been found on the http://pear.php.net webserver, with a tainted go-pear.phar discovered. The PEAR website itself has been disabled until a known clean site can be rebuilt. A more detailed announcement will be on the PEAR Blog once it's back online.

If you have downloaded this go-pear.phar in the past six months, you should get a new copy of the same release version from GitHub (pear/pearweb_phars) and compare file hashes. If different, you may have the infected file.

There is no ETA for when the server will be back up.

I believe this only impacts installs performed using go-pear.phar but wanted to make sure you were aware of the issue in case it has further reaching impacts.
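The hash comparison the PEAR notice asks for, as an added example that is not part of the original issue or of PEAR's own tooling. It assumes you have already fetched the same release version of go-pear.phar from GitHub (pear/pearweb_phars) to use as the reference; both file paths are supplied by you.

```shell
#!/bin/sh
# Added example: compare a previously downloaded go-pear.phar against a
# reference copy of the same release taken from pear/pearweb_phars.

# Print the SHA-256 of a file using whichever common tool is installed.
phar_digest() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    elif command -v shasum >/dev/null 2>&1; then
        shasum -a 256 "$1" | awk '{print $1}'
    else
        openssl dgst -sha256 "$1" | awk '{print $NF}'
    fi
}

# compare_phar SUSPECT REFERENCE
# Returns 0 if the digests match, 1 if they differ, 2 if a file is unusable.
compare_phar() {
    suspect=$1
    reference=$2
    for f in "$suspect" "$reference"; do
        if [ ! -f "$f" ] || [ ! -r "$f" ]; then
            echo "cannot read: $f" >&2
            return 2
        fi
    done
    s=$(phar_digest "$suspect") || return 2
    r=$(phar_digest "$reference") || return 2
    # An empty digest means the hashing tool failed; never treat that as a match.
    if [ -z "$s" ] || [ -z "$r" ]; then
        echo "could not compute digest" >&2
        return 2
    fi
    echo "suspect    $s  $suspect"
    echo "reference  $r  $reference"
    if [ "$s" = "$r" ]; then
        echo "MATCH: file is identical to the reference copy"
        return 0
    fi
    echo "MISMATCH: treat the downloaded file as possibly infected"
    return 1
}

# Stand-alone use: sh check.sh /path/to/old/go-pear.phar /path/to/reference/go-pear.phar
if [ "$#" -eq 2 ]; then
    compare_phar "$1" "$2"
fi
```

A match only shows the file is byte-identical to the reference you supplied, so the reference must be the same release version taken from the GitHub repository named in the notice.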

@carlwgeorge
Contributor

Thanks for the heads up. Thankfully we don't use any phar files for our package sources. And if they believe this breach occurred in the past six months, we should be OK as well because our last release of the package was back in 2017. Just in case, after the site is back up I'll update the package with the latest verified upstream source.

@jamesmontalvo3
Author

Thanks for the quick response!

@carlwgeorge
Contributor

I've created a new pear1 package that obsoletes this one, with the latest 1.10.9 version (released upstream on 2019-04-10).
