I'm running PHP 5.6.9-0+deb8u1, aka PHP 5.6.9 as packaged in Debian Stable ("Jessie", as of this writing). SecurityInfo wants me to update to PHP 5.6.11, but this isn't actually very good advice:
If I install PHP from some other source, then I'm installing an untrusted binary on my system. Not only that, but I'm basically giving the distributor root, because dpkg will execute package maintainer scripts as root.
If I fix the first issue by building PHP from source, then I don't receive automatic security upgrades.
If I fix the first issue by installing PHP from Backports, then I don't get support from the Debian security team, and have to rely on the backporter to push out security updates.
There really isn't a good answer. The solution is for SecurityInfo to check against the latest version of PHP available from Debian (on Debian systems, obviously), and ensure that the versions match.
@strugee It sounds more like you didn't have debian-security in your apt sources list, e.g.,
deb http://security.debian.org/debian-security/ jessie/updates main
Looking at the Debian page https://packages.debian.org/jessie/php5, I see it has the latest version of 5.6.x. The PHP devs released 5.6.33 on January 4, 2018. The Debian packages were published on January 5, 2018.
@wolfgang42 Ubuntu security updates aren't as timely. On xenial, I see the latest is 7.0.33 (Oct 26, 2017) while the php devs released 7.0.35 on January 4, 2018. The response from http://php.net/releases/?serialize=1&version=7 doesn't include minor php7 versions anymore (e.g., 7.0.x, 7.1.x), so it'll report the latest version is 7.2.2 (at time of this writing).
FYI Ondřej Surý is one of the maintainers on the Debian php packages. He also happens to maintain his own builds:
We've been using his builds in production since 2012 (starting with Ubuntu precise). He has published debs for the latest versions of php 5.6, 7.0, 7.1, and 7.2 on trusty, xenial, artful, bionic, jessie, and stretch.
@robocoder I have debian-security enabled and I guarantee I had it enabled then. The issue is that I filed this bug a long time ago, so that description isn't current. apt-cache policy php5 now reports 5.6.33+dfsg-0+deb8u1, and SecurityInfo still reports the latest version of PHP being PHP 7.
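The check the issue asks for (compare the installed PHP package against what the distribution's own archive offers, rather than against php.net) comes down to reading `apt-cache policy` and, if an upstream number is still wanted, stripping the Debian revision from the package version. The script below is an added illustration, not code from the SecurityInfo plugin or from Debian; the two `apt-cache policy` outputs are constructed samples embedded in the script so it runs without a Debian host, and the function names are the author's own. It generalizes slightly beyond the thread by also handling an epoch prefix as seen on Ubuntu packages.

```shell
#!/bin/sh
# Added example (not SecurityInfo's code): decide "update available" from the
# distribution's candidate version, and recover the upstream version number
# from a Debian package version string.

# Constructed sample of `apt-cache policy php5` on a fully patched jessie host.
SAMPLE_CURRENT='php5:
  Installed: 5.6.33+dfsg-0+deb8u1
  Candidate: 5.6.33+dfsg-0+deb8u1
  Version table:
 *** 5.6.33+dfsg-0+deb8u1 0
        500 http://security.debian.org/ jessie/updates/main amd64 Packages
        100 /var/lib/dpkg/status'

# Constructed sample where the security pocket offers a newer build than the
# one installed (the situation SecurityInfo should actually flag).
SAMPLE_STALE='php5:
  Installed: 5.6.9+dfsg-0+deb8u1
  Candidate: 5.6.33+dfsg-0+deb8u1
  Version table:
     5.6.33+dfsg-0+deb8u1 0
        500 http://security.debian.org/ jessie/updates/main amd64 Packages
 *** 5.6.9+dfsg-0+deb8u1 0
        100 /var/lib/dpkg/status'

# policy_field FIELD OUTPUT: print the value of "Installed:" or "Candidate:".
policy_field() {
    printf '%s\n' "$2" | sed -n "s/^ *$1: *//p"
}

# upstream_version DEBVERSION: drop the epoch ("1:"), the Debian revision
# (everything after the last "-") and repack suffixes ("+dfsg", "~rc1"), so
# 5.6.33+dfsg-0+deb8u1 -> 5.6.33 and 1:7.0.33-0ubuntu0.16.04.1 -> 7.0.33.
# This is the number that is comparable with a php.net release number.
upstream_version() {
    printf '%s\n' "$1" | sed -e 's/^[0-9]*://' -e 's/-[^-]*$//' -e 's/[+~].*$//'
}

# check_package OUTPUT: "up-to-date" when the installed build is the one the
# configured sources would install, "update-available" otherwise. Comparing
# against the candidate means a distro security build (deb8u1, deb8u2, ...)
# counts as current even though its upstream number lags php.net.
check_package() {
    installed=$(policy_field Installed "$1")
    candidate=$(policy_field Candidate "$1")
    if [ "$installed" = "$candidate" ]; then
        echo "up-to-date"
    else
        echo "update-available: $installed -> $candidate"
    fi
}

# Stand-alone run over the two constructed samples.
check_package "$SAMPLE_CURRENT"
check_package "$SAMPLE_STALE"
upstream_version "$(policy_field Installed "$SAMPLE_CURRENT")"
```

On a real host the argument to `check_package` would be `"$(apt-cache policy php5)"` (or the package name for the PHP version in use). Where the backported upstream number is needed, `upstream_version` gives the figure to compare with the php.net feed, but the equality test against the candidate is the check that actually reflects whether the distribution has anything newer to offer.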