
Topic: upgrading PHP on my server? is it worth the effort?

travis_farmer

According to a security scanner site, I should upgrade PHP on my server (5.4.16).
I see that 7.1.3 is out now, and it rather suggests I am a bit behind.

Is it worth it? Is it stable?

The security scanner site stated the following:
Quote
According to its banner, the version of PHP 5.4.x installed on the remote host is a version prior to 5.4.17. It is, therefore, potentially affected by a buffer overflow error that exists in the function '_pdo_pgsql_error' in the file 'ext/pdo_pgsql/pgsql_driver.c'.
~Travis
Current Obsession: My server rack cooler, and my CNC Router
Check out my website, i have my own under-used forum on my hobby server.

travis_farmer

I decided to update, due to the unanimous response here ;)

Had to go through the RemiRepo though to get it.

~Travis

Qdeathstar

It depends on if you are running anything that requires/depends on the older version of PHP since it's not always backwards compatible. And it depends on how secure your site needs to be, and how hard it will be to modify your website to accept the changes.
A creaking creeping shadow
stiff against the freezing fog
glares at a tickless watch.

Time has failed him -- all things shall pass.

msssltd

#3
Mar 20, 2017, 08:50 am Last Edit: Mar 20, 2017, 08:51 am by MattS-UK
Quote
I decided to update, due to the unanimous response here ;)
Sorry, day job getting in the way again.  Knee deep in FTP and e-mail servers for the last week.

Too late now but might be useful for next time.

Quote
Is it worth it? Is it stable?
CentOS is a clone of Red Hat Enterprise Linux to all intents and purposes; arrived at by rebuilding the RHEL source repository without the Red Hat trademarks.  RHEL is focussed on stability and as such the package versions lag some way behind the leading and bleeding edges.  This makes for very stable production servers.  RHEL7 will be supporting PHP5 until EoL around 2024.

The decision to upgrade PHP should be driven by the PHP applications that are running.  There are major differences between 5 and 7 which application developers are still getting to grips with.  An application which was written for PHP5 is likely to be throwing bugs on PHP7 for some time to come.

Quote
the security scanner site stated the following:
...'pgsql_driver.c'
The security scanner is complaining about one vulnerability in one file, dedicated to PostgreSQL.  You don't run Postgres, therefore there is no vulnerability.  So no, I would not have upgraded.  You should take care interpreting vulnerability reports.  SSL/TLS is a prime example.  Scanners will often complain about the BEAST vulnerability, but completely mitigating the BEAST vulnerability creates a far more dangerous vulnerability.

Quote
had to go through the RemiRepo though to get it.
Whenever possible, it is best to stick with package versions from the official CentOS/RHEL repos; as it avoids polluting a dependency chain built from extremely well tested code, with less well tested code.  If you want the leading edge from Red Hat, you can use Fedora but you can expect there to be more bugs and 'other' vulnerabilities.

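The triage msssltd describes (is the banner finding reachable on this host at all?) as a small shell helper. This is an added example, not code from the thread; it takes the version string and module list as arguments, which on a real host would come from `php -r 'echo PHP_VERSION;'` and `php -m`, so it runs without PHP installed.

```shell
#!/bin/sh
# Added example: does the "PHP 5.4.x < 5.4.17 / _pdo_pgsql_error overflow" banner
# finding apply? Only when BOTH hold: the build is in the affected range
# (5.4.0 .. 5.4.16) AND the pdo_pgsql extension, which holds the buggy code, is loaded.
# Real-host usage: finding_applies "$(php -r 'echo PHP_VERSION;')" "$(php -m)"

# version_lt A B -> true when dotted version A is lower than B (major.minor.patch)
version_lt() {
    a1=$(echo "$1" | cut -d. -f1); a2=$(echo "$1" | cut -d. -f2); a3=$(echo "$1" | cut -d. -f3)
    b1=$(echo "$2" | cut -d. -f1); b2=$(echo "$2" | cut -d. -f2); b3=$(echo "$2" | cut -d. -f3)
    [ "${a1:-0}" -lt "${b1:-0}" ] && return 0
    [ "${a1:-0}" -gt "${b1:-0}" ] && return 1
    [ "${a2:-0}" -lt "${b2:-0}" ] && return 0
    [ "${a2:-0}" -gt "${b2:-0}" ] && return 1
    [ "${a3:-0}" -lt "${b3:-0}" ]
}

# finding_applies VERSION MODULE_LIST -> prints one verdict:
#   other-branch  not a 5.4.x build; this finding says nothing about it
#   patched       5.4.17 or later, the fix is in
#   not-loaded    affected version but pdo_pgsql not loaded: code path unreachable
#   applies       affected version AND pdo_pgsql loaded: patch or drop the module
finding_applies() {
    ver=${1%%-*}                    # strip a distro suffix such as 5.4.16-42.el7
    mods=$2
    case "$ver" in
        5.4.*) ;;
        *) echo other-branch; return 0 ;;
    esac
    if ! version_lt "$ver" 5.4.17; then
        echo patched; return 0
    fi
    # php -m prints one module per line; match the whole line, case-insensitively
    if printf '%s\n' "$mods" | grep -qix 'pdo_pgsql'; then
        echo applies
    else
        echo not-loaded
    fi
}

# Constructed sample mirroring the thread: PHP 5.4.16 with MySQL but no Postgres modules
SAMPLE_MODULES='[PHP Modules]
Core
json
mysql
pdo_mysql
[Zend Modules]'
finding_applies 5.4.16 "$SAMPLE_MODULES"    # prints: not-loaded
```

A "not-loaded" verdict lowers the priority of the finding; it does not make the outdated build a good idea long term, since other advisories against 5.4.x may name modules that are loaded.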

travis_farmer

Quote
Sorry, day job getting in the way again.  Knee deep in FTP and e-mail servers for the last week.

Too late now but might be useful for next time.
Wasn't necessarily directed at you, just that the thread had no replies at the time.

Quote
CentOS is a clone of Red Hat Enterprise Linux to all intents and purposes; arrived at by rebuilding the RHEL source repository without the Red Hat trademarks.  RHEL is focussed on stability and as such the package versions lag some way behind the leading and bleeding edges.  This makes for very stable production servers.  RHEL7 will be supporting PHP5 until EoL around 2024.

The decision to upgrade PHP should be driven by the PHP applications that are running.  There are major differences between 5 and 7 which application developers are still getting to grips with.  An application which was written for PHP5 is likely to be throwing bugs on PHP7 for some time to come.
Hmm, I may have jumped the gun. Not that I tend to be impulsive...

Quote
The security scanner is complaining about one vulnerability in one file, dedicated to PostgreSQL.  You don't run Postgres, therefore there is no vulnerability.  So no, I would not have upgraded.  You should take care interpreting vulnerability reports.  SSL/TLS is a prime example.  Scanners will often complain about the BEAST vulnerability, but completely mitigating the BEAST vulnerability creates a far more dangerous vulnerability.
Hmm, yeah, I definitely jumped the gun. Funny thing though, I knew I wasn't running PostgreSQL, but I didn't connect the dots.

Quote
Whenever possible, it is best to stick with package versions from the official CentOS/RHEL repos; as it avoids polluting a dependency chain built from extremely well tested code, with less well tested code.  If you want the leading edge from Red Hat, you can use Fedora but you can expect there to be more bugs and 'other' vulnerabilities.
Looks like I may have to keep an eye on the error logs during the shakedown period. So far, things work, but I won't know until every page is checked for every condition.

At some point, I will have to enlist some beta testers, before I let the server go 100% public.

I have had several hits from all over the world from hackers (or script kiddies) trying to find holes to exploit, mostly looking for phpMyAdmin, which I don't have. I could post all the hits Suricata logged, but it is a very large list, even with the redundant hits filtered out.

~Travis

travis_farmer

Code:
[Mon Mar 20 06:14:44.971129 2017] [php7:error] [pid 28306] [client 10.142.174.141:35720] PHP Fatal error:  Uncaught Error: Call to undefined function mysql_connect() in /var/storage/www/html/smf/Sources/Subs-Db-mysql.php:58\nStack trace:\n#0 /var/storage/www/html/smf/Sources/Load.php(2610): smf_db_initiate('localhost:3306', 'smf', '***', '***', 'smf_', Array)\n#1 /var/storage/www/html/smf/index.php(71): loadDatabase()\n#2 {main}\n  thrown in /var/storage/www/html/smf/Sources/Subs-Db-mysql.php on line 58


Figures, PHP just broke. How do I remove and reinstall PHP?

~Travis
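A pre-upgrade check for exactly the failure in that log, as an added example (not code from the thread, from SMF, or from the PHP project): PHP 7 dropped the old mysql_* extension, so the helpers below grep a web root for calls that will die with "Call to undefined function" before upgrading, and pull the missing function names out of an Apache error log afterwards. The web root, file contents and log lines are constructed here.

```shell
#!/bin/sh
# Added example: shakedown helpers for a PHP 5 -> 7 upgrade. The old mysql_*
# extension is gone in PHP 7, so every mysql_connect()/mysql_query() call dies with
# "Call to undefined function". Grep for them before upgrading; afterwards, mine the
# Apache error log for whatever the upgraded interpreter already reported missing.
# The sample web root and log below are constructed, not taken from a real server.

# list_removed_mysql_calls DIR -> "file:line:mysql_function" for every old-extension call.
# mysqli_* does not match (no underscore after "mysql"), so ported code is not reported.
list_removed_mysql_calls() {
    grep -rnoE 'mysql_[a-z_]+[[:space:]]*\(' --include='*.php' "$1" 2>/dev/null \
        | sed -E 's/[[:space:]]*\($//' | sort -u
}
removed_call_count() { list_removed_mysql_calls "$1" | wc -l | tr -d ' '; }

# undefined_function_names LOGFILE -> unique function names PHP reported as undefined
undefined_function_names() {
    sed -n 's/.*Call to undefined function \([A-Za-z0-9_]*\)().*/\1/p' "$1" | sort -u
}

# --- constructed sample web root and error log (hypothetical paths) ---
WORK=$(mktemp -d); trap 'rm -rf "$WORK"' EXIT
mkdir -p "$WORK/www/Sources"
cat > "$WORK/www/Sources/Subs-Db-mysql.php" <<'EOF'
<?php
function smf_db_initiate($db_server, $db_name, $db_user, $db_passwd) {
    $connection = mysql_connect($db_server, $db_user, $db_passwd);   // removed in PHP 7
    mysql_select_db($db_name, $connection);                           // removed in PHP 7
    return $connection;
}
EOF
cat > "$WORK/www/Sources/Ported.php" <<'EOF'
<?php
$link = mysqli_connect('localhost', 'smf', 'secret', 'smf');   // fine on PHP 7
EOF
LOG="$WORK/error_log"
cat > "$LOG" <<'EOF'
[Mon Mar 20 06:14:44.971129 2017] [php7:error] [pid 28306] [client 10.0.0.5:35720] PHP Fatal error:  Uncaught Error: Call to undefined function mysql_connect() in /var/www/html/smf/Sources/Subs-Db-mysql.php:58\nStack trace:\n#0 {main}\n  thrown in /var/www/html/smf/Sources/Subs-Db-mysql.php on line 58
[Mon Mar 20 06:15:01.000000 2017] [php7:notice] [pid 28306] [client 10.0.0.5:35721] PHP Notice:  Undefined index: foo in /var/www/html/smf/index.php on line 12
EOF

echo "calls to port before upgrading:"; list_removed_mysql_calls "$WORK/www"
echo "functions the upgraded server already reported missing:"; undefined_function_names "$LOG"
```

Run the first helper against the real document root before the upgrade; a non-empty list means the application (here the forum software's database glue) needs its mysqli or PDO port applied first.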

travis_farmer

OK, I removed all of PHP with Webmin, then reinstalled it from the CentOS repo.

It's back, but I don't know what else is missing. The important thing is, I got it back :D

~Travis
