upgrading PHP on my server? is it worth the effort?

According to a security scanner site, I should upgrade PHP on my server (5.4.16). I see that 7.1.3 is out now, and it rather suggests I am a bit behind.

is it worth it? is it stable?

the security scanner site stated the following:

According to its banner, the version of PHP 5.4.x installed on the remote host is a version prior to 5.4.17. It is, therefore, potentially affected by a buffer overflow error that exists in the function '_pdo_pgsql_error' in the file 'ext/pdo_pgsql/pgsql_driver.c'.


It depends on whether you are running anything that requires/depends on the older version of PHP, since it's not always backwards compatible. And it depends on how secure your site needs to be, and how hard it will be to modify your website to accept the changes.

aining about one module which is dedicated to Postgres SQL. Don't use Postgres and there is no vulnerability.

travis_farmer: I decided to update, due to the unanimous response here ;)

Sorry, day job getting in the way again. Knee deep in FTP and e-mail servers for the last week.

Too late now but might be useful for next time.

it worth it? is it stable?

CentOS is a clone of Red Hat Enterprise Linux to all intents and purposes, arrived at by rebuilding the RHEL source repository without the Red Hat trademarks. RHEL is focussed on stability and as such the package versions lag some way behind the leading and bleeding edges. This makes for very stable production servers. RHEL7 will be supporting PHP5 until EoL around 2024.

The decision to upgrade PHP should be driven by the PHP applications that are running. There are major differences between 5 and 7 which application developers are still getting to grips with. An application which was written for PHP5 is likely to be throwing bugs on PHP7 for some time to come.

the security scanner site stated the following: ...'pgsql_driver.c'

The security scanner is complaining about one vulnerability in one file, dedicated to Postgres SQL. You don't run Postgres, therefore there is no vulnerability. So no, I would not have upgraded. You should take care interpreting vulnerability reports. SSL/TLS is a prime example. Scanners will often complain about the Beast vulnerability, but completely mitigating the Beast vulnerability creates a far more dangerous vulnerability.

had to go through the RemiRepo though to get it.

Whenever possible, it is best to stick with package versions from the official CentOS/RHEL repos, as it avoids polluting a dependency chain built from extremely well-tested code with less well-tested code. If you want the leading edge from Red Hat, you can use Fedora, but you can expect there to be more bugs and 'other' vulnerabilities.
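The triage argued above (the banner finding only matters if the affected extension is actually loaded) as an added example, not code from anyone in this thread. It assumes the version string is what `php -r 'echo PHP_VERSION;'` prints and the module list is what `php -m` prints; the sample module list below is constructed.

```shell
#!/bin/sh
# Added example: decide whether the scanner finding quoted in the question
# ("PHP 5.4.x prior to 5.4.17, buffer overflow in ext/pdo_pgsql") applies to
# a host, given its PHP version and its list of loaded modules.

# version_lt A B: succeeds when dotted version A is numerically lower than B
# (5.4.16 < 5.4.17, and 5.4.9 < 5.4.17, which a plain string compare gets wrong).
version_lt() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        n = split(a, x, "."); m = split(b, y, ".")
        k = (n > m) ? n : m
        for (i = 1; i <= k; i++) {
            if ((x[i] + 0) < (y[i] + 0)) exit 0
            if ((x[i] + 0) > (y[i] + 0)) exit 1
        }
        exit 1   # equal versions are not "less than"
    }'
}

# finding_applies VERSION MODULES: MODULES is a newline-separated list as
# printed by `php -m`. Prints exactly one of
#   not-affected-version  (not a 5.4.x below 5.4.17)
#   not-loaded            (vulnerable version, but pdo_pgsql is not loaded)
#   applies               (vulnerable version and pdo_pgsql is loaded)
# and succeeds only for "applies".
finding_applies() {
    ver="$1"; mods="$2"
    case "$ver" in
        5.4.*) ;;
        *) echo "not-affected-version"; return 1 ;;
    esac
    if ! version_lt "$ver" 5.4.17; then
        echo "not-affected-version"; return 1
    fi
    # -x: whole-line match, -i: php -m prints some module names capitalised
    if ! printf '%s\n' "$mods" | grep -qix 'pdo_pgsql'; then
        echo "not-loaded"; return 1
    fi
    echo "applies"; return 0
}

# Constructed sample: the poster's 5.4.16 with a module list lacking pdo_pgsql.
SAMPLE_MODULES="Core
curl
mysqli
PDO
pdo_mysql"

# On a live host you would run instead:
#   finding_applies "$(php -r 'echo PHP_VERSION;')" "$(php -m)"
finding_applies 5.4.16 "$SAMPLE_MODULES"   # prints: not-loaded
```

One caveat for CentOS/RHEL: security fixes are backported into the distro package without bumping the upstream version number, so a banner below 5.4.17 may already carry the fix; `rpm -q --changelog php` shows what the installed package actually contains.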