SecurityInfo thinks my PHP is vulnerable because it's from Debian Stable #6

strugee opened this issue Jul 26, 2015 · 3 comments


strugee commented Jul 26, 2015

I'm running PHP 5.6.9-0+deb8u1, aka PHP 5.6.9 as packaged in Debian Stable ("Jessie", as of this writing). SecurityInfo wants me to update to PHP 5.6.11, but this isn't actually very good advice:

  1. If I install PHP from some other source, then I'm installing an untrusted binary on my system. Not only that, but I'm basically giving the distributor root, because dpkg will execute package maintainer scripts as root.
  2. If I fix the first issue by building PHP from source, then I don't receive automatic security upgrades.
  3. If I fix the first issue by installing PHP from Backports, then I don't get support from the Debian security team, and have to rely on the backporter to push out security updates.

There really isn't a good answer. The solution is for SecurityInfo to check against the latest version of PHP available from Debian (on Debian systems, obviously), and ensure that the versions match.

@mattab mattab added the bug label Oct 30, 2015
@mattab mattab added this to the Short term milestone Oct 31, 2015
@wolfgang42 (Contributor) commented:

I have the same problem on Ubuntu 16.04: "You are running PHP 7.0.13-0ubuntu0.16.04.1. The latest version of PHP is 7.1.1."

@robocoder (Contributor) commented:

@strugee It sounds more like you didn't have debian-security in your apt sources list, e.g.,

deb http://security.debian.org/debian-security/ jessie/updates main

Looking at the Debian page https://packages.debian.org/jessie/php5, I see it has the latest version of 5.6.x. The PHP devs released 5.6.33 on January 4, 2018. The Debian packages were published on January 5, 2018.


@wolfgang42 Ubuntu security updates aren't as timely. On xenial, I see the latest is 7.0.33 (Oct 26, 2017) while the php devs released 7.0.35 on January 4, 2018. The response from http://php.net/releases/?serialize=1&version=7 doesn't include minor php7 versions anymore (e.g., 7.0.x, 7.1.x), so it'll report the latest version is 7.2.2 (at time of this writing).


FYI Ondřej Surý is one of the maintainers on the Debian php packages. He also happens to maintain his own builds:

We've been using his builds in production since 2012 (starting with Ubuntu precise). He has published debs for the latest versions of php 5.6, 7.0, 7.1, and 7.2 on trusty, xenial, artful, bionic, jessie, and stretch.
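Added example, not code from the SecurityInfo plugin or from anyone in this thread: one way to implement the check strugee proposes, comparing the installed package with the candidate apt would install from the configured repositories (debian-security included, as robocoder notes) instead of with the upstream php.net release, and stripping the Debian epoch and revision to recover the upstream PHP version. The apt-cache policy output is a constructed sample built from the version strings quoted above.

```shell
#!/bin/sh
# Decide whether a distro-packaged PHP is current by asking apt what it would
# install, rather than comparing against the newest release on php.net.

# Constructed sample of `apt-cache policy php5` on a Jessie host with
# debian-security enabled (version strings taken from this thread).
SAMPLE_POLICY='php5:
  Installed: 5.6.33+dfsg-0+deb8u1
  Candidate: 5.6.33+dfsg-0+deb8u1
  Version table:
 *** 5.6.33+dfsg-0+deb8u1 500
        500 http://security.debian.org/debian-security jessie/updates/main amd64 Packages
        100 /var/lib/dpkg/status
     5.6.9+dfsg-0+deb8u1 500
        500 http://deb.debian.org/debian jessie/main amd64 Packages'

# Print the value of the "Installed:" or "Candidate:" line.
# $1 = field name, stdin = apt-cache policy output
policy_field() {
    awk -v f="$1:" '$1 == f { print $2 }'
}

# Reduce a Debian/Ubuntu version string to the upstream PHP version:
# drop a leading epoch ("1:") and everything from the first "+" or "-"
# (e.g. "5.6.33+dfsg-0+deb8u1" -> "5.6.33", "7.0.13-0ubuntu0.16.04.1" -> "7.0.13").
upstream_version() {
    printf '%s\n' "$1" | sed -e 's/^[0-9]*://' -e 's/[-+].*$//'
}

# Print "up-to-date" when the installed package is the newest one the
# configured repositories offer, otherwise "outdated". stdin = policy output.
# On a real host: apt-cache policy php5 | check_policy
check_policy() {
    policy="$(cat)"
    installed="$(printf '%s\n' "$policy" | policy_field Installed)"
    candidate="$(printf '%s\n' "$policy" | policy_field Candidate)"
    if [ -n "$installed" ] && [ "$installed" = "$candidate" ]; then
        echo up-to-date
    else
        echo outdated
    fi
}
```

A package whose candidate is newer than what is installed means the security update has been published but not yet applied, which is the only case a plugin like this can act on without telling the admin to leave the distro's package set.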


strugee commented Feb 15, 2018

@robocoder I have debian-security enabled and I guarantee I had it enabled then. The issue is that I filed this bug a long time ago, so that description isn't current. apt-cache policy php5 now reports 5.6.33+dfsg-0+deb8u1, and SecurityInfo still reports the latest version of PHP being PHP 7.
