PHP Version / Security Updates

d.geismann
Posts: 2
Joined: 2023/12/12 10:58:45

PHP Version / Security Updates

Post by d.geismann » 2023/12/12 11:13:58

Hello, I have a question about PHP updates under CentOS 7. My colleagues think that PHP updates on CentOS are backported up to EoL of CentOS 7, so that PHP 5.4.16 (cli) (built: Apr 1 2020 04:07:17) includes all current security updates.

My opinion on this is different, according to my research. PHP 5 is no longer supported by Red Hat and CentOS and you have to manually update to a current PHP version; a simple "yum update" doesn't help.

I would like to hear an outside opinion on this.

Greetings Daniel

TrevorH
Site Admin
Posts: 33221
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: PHP Version / Security Updates

Post by TrevorH » 2023/12/12 11:45:13

The distro php 5.4.16 will continue to receive important/critical security updates until the EOL of CentOS 7 next year.
The future appears to be RHEL or Debian. I think I'm going Debian.
Info for USB installs on http://wiki.centos.org/HowTos/InstallFromUSBkey
CentOS 5 and 6 are deadest, do not use them.
Use the FAQ Luke

d.geismann
Posts: 2
Joined: 2023/12/12 10:58:45

Re: PHP Version / Security Updates

Post by d.geismann » 2023/12/12 12:00:04

Thanks for the quick answer, but so only important or critical vulnerabilities are fixed, not all of them?

So is, e.g., CVE-2022-31629 no longer fixed by Red Hat because it is not that critical?

https://access.redhat.com/security/cve/cve-2022-31629

On the Red Hat page it says "Out of support scope" for RHEL 7.

jlehtone
Posts: 4532
Joined: 2007/12/11 08:17:33
Location: Finland

Re: PHP Version / Security Updates

Post by jlehtone » 2023/12/12 12:25:52

Yes, only important or critical.

Red Hat describes "Out of Support Scope" as:
When a product is listed as "Out of Support Scope", it means a vulnerability with the impact level assigned to this CVE is no longer covered by its current support lifecycle phase. The product has been identified to contain the impacted component, but analysis to determine whether it is affected or not by this vulnerability was not performed. The product should be assumed to be affected. Customers are advised to apply any mitigation options documented on this page, consider removing or disabling the impacted component, or upgrade to a supported version of the product that has an update available.
The example CVE-2022-31629 offers no mitigation options, so that leaves either removal of php or "upgrade".

RHEL 7 (and CentOS 7) has only php 5.4, and 7.3 via Software Collections. The latter has "Will not fix" status, so you either risk that the issue is not critical for you or have to find something else.

Remi maintains PHP repositories https://blog.remirepo.net/ so there might be upstream versions for el7. Whether they are any better fixed for this is another matter.


The alternative is to install a new distro. That will soon be necessary anyway as CentOS 7 is truly on its last legs.
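As an added example (not code from the thread or from Red Hat), a small POSIX shell helper for the check behind this discussion: the upstream version reported by `php -v` stays 5.4.16 on CentOS 7 whatever gets backported, so whether a given CVE is fixed has to be read from the RPM release tag (`rpm -q php`) and the package changelog (`rpm -q --changelog php`), not from the version string. The changelog entries and the release number 99 below are constructed placeholders.

```shell
#!/bin/sh
# Added example: read backport state from RPM metadata instead of `php -v`.
# On a real CentOS 7 host replace the constructed sample with
#   "$(rpm -q php)" and "$(rpm -q --changelog php)".

# Constructed sample changelog in the layout `rpm -q --changelog` prints.
# The CVE id and release numbers are placeholders, not real entries.
SAMPLE_CHANGELOG='* Wed Apr 01 2020 Example Packager <packager@example.com> - 5.4.16-99
- placeholder backport entry: fix CVE-0000-0001 (constructed for this demo)
* Mon Jan 01 2018 Example Packager <packager@example.com> - 5.4.16-98
- placeholder entry: rebuild (constructed for this demo)'

# Split an NVRA string such as "php-5.4.16-99.el7.x86_64" into
# "version release" (name and arch dropped). The release part is the
# only place where backported fixes become visible in the version string.
rpm_version_release() {
    nvr=${1%.*}            # drop ".arch"
    rel=${nvr##*-}         # text after the last dash is the release
    ver_part=${nvr%-*}     # name-version remains
    ver=${ver_part##*-}    # text after the last dash is the version
    printf '%s %s\n' "$ver" "$rel"
}

# Return 0 if the changelog text ($1) names the CVE id ($2), else 1.
# -w matches the whole id, so CVE-2022-3162 does not match CVE-2022-31629.
changelog_mentions_cve() {
    printf '%s\n' "$1" | grep -qiw -- "$2"
}

# Print a one-line verdict for a CVE id against a changelog text.
# "Not in changelog" is not proof of exposure; it means the vendor CVE
# page (e.g. "Out of support scope" / "Will not fix") decides.
cve_verdict() {
    if changelog_mentions_cve "$1" "$2"; then
        printf '%s: named in package changelog (backported fix present)\n' "$2"
    else
        printf '%s: not in changelog; consult the vendor CVE page\n' "$2"
    fi
}

# Demo on the constructed data (the CVE from the thread is not in it).
rpm_version_release php-5.4.16-99.el7.x86_64
cve_verdict "$SAMPLE_CHANGELOG" CVE-2022-31629
```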
