
Thread: Update PHP version

  1. #1
    Join Date
    Nov 2011
    Beans
    6

    Update PHP version

    Hello all,

    This is my first post to the Ubuntu Forums and I'm newer to Ubuntu, so please forgive if I misuse terms or accidentally omit any details.

    I'm currently in the process of deploying a front-end web server that's running on Ubuntu 11.10 (no UI) with LAMP installed. We ran an AppSec assessment against the server and discovered that the current PHP version is 5.3.6, which has a few medium-level CVE vulnerabilities. My question is: is there a way to update our PHP to the latest version without having to download the source and compile it? If not, could someone please provide some guidance on how to accomplish the version update and have Apache2 reflect the updated version?

    Thank you for your time in advance.

    Les

  2. #2
    Join Date
    Jan 2011
    Location
    India
    Beans
    253
    Distro
    Kubuntu 12.04 Precise Pangolin

    Re: Update PHP version


  3. #3
    Join Date
    Nov 2011
    Beans
    6

    Re: Update PHP version

    maverickaddicted-- Thank you for the link. I'll run through the blog steps today and report back the outcome.

    Have a good day.

    Les

  4. #4
    Join Date
    Nov 2011
    Beans
    6

    Re: Update PHP version

    So I just stepped through the process identified in the link. The PHP version specified when installing the php libapache2-mod is still 5.3.6. I've also verified that the current version is still 5.3.6 by using a phpinfo page.

    Any ideas?


    Les

  5. #5
    Join Date
    Jan 2011
    Location
    India
    Beans
    253
    Distro
    Kubuntu 12.04 Precise Pangolin

    Re: Update PHP version

    Sorry for that link, but after doing some research, I was only able to get these two links -

    http://php53.dotdeb.org/dists/oldsta...5/binary-i386/
    http://www.dotdeb.org/2011/08/30/php...-is-available/

  6. #6
    Join Date
    Nov 2008
    Location
    Metro Boston
    Beans
    8,999
    Distro
    Kubuntu 14.04 Trusty Tahr

    Re: Update PHP version

    I did a bit of browsing and could not find any .deb repositories offering PHP 5.3.8. It looks like you'd need to build it from scratch.

    I looked up the vulnerabilities you mentioned. The first, CVE-2011-2202, concerns specially-crafted file name entries that exploit a problem in the file uploading functions. If you don't allow uploading, this won't apply to you at all. If you do, you can just add some code to the PHP scripts that checks to make sure you've been sent a valid name. You should probably have been doing that already anyhow.

    The other vulnerability, CVE-2011-1938, concerns a problem with the sockets_connect() function that can be exploited by long file names. Do you use this function?

    However, a quick check shows that patches to fix both these vulnerabilities were incorporated into the release version of PHP 5.3.2 for Ubuntu 10.10. I would assume they haven't been removed in 5.3.6.

  7. #7
    Join Date
    Jan 2008
    Beans
    7,749

    Re: Update PHP version

    You may find this article helpful (written for Red Hat but applies to Ubuntu as well): https://access.redhat.com/security/u...g/?sc_cid=3093

    You can check the Ubuntu Changelog to verify whether PHP has been patched to your satisfaction: http://changelogs.ubuntu.com/changel...u3.2/changelog

  8. #8
    Join Date
    Nov 2011
    Beans
    6

    Re: Update PHP version

    SeijiSensei-- Thank you for your post. This is a 3rd-party Learning Management system that we are going to grant internal employees and external clients access to. Unfortunately, part of the site functionality is to allow various file types used by the different companies/groups to get uploaded. Concerning the long pathname, I'm not sure about this one; I know there are no restrictions on the file names uploaded into the application.

    Regards,

    Les

  9. #9
    Join Date
    Nov 2011
    Beans
    6

    Re: Update PHP version

    maverickaddicted and Snowpine-- Thank you for the links. I'll take a look at them this evening and provide feedback.


    Les

  10. #10
    Join Date
    Nov 2008
    Location
    Metro Boston
    Beans
    8,999
    Distro
    Kubuntu 14.04 Trusty Tahr

    Re: Update PHP version

    I think you missed the part of my post pointing out that these vulnerabilities have already been fixed in the current version of PHP from Ubuntu. It's not uncommon to "backport" security fixes into a package rather than upgrading to a new version. Long-term releases like Ubuntu LTS or RedHat have followed this practice for years.
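
Added example (not part of the thread or any poster's code): the backport check described in posts #7 and #10, as a shell function that reads a Debian-format changelog and reports the oldest package version whose entry mentions each CVE id. The changelog is constructed, with a made-up package name and versions; `sample_changelog`, `cve_fixed_in` and `report` are names chosen here.

```shell
# Constructed sample in Debian changelog format (newest entry first). Package name,
# versions and maintainer are made up; CVE-0000-0000 below is a placeholder id.
sample_changelog() {
cat <<'EOF'
examplepkg (1.2.3-1ubuntu0.2) stable-security; urgency=low

  * SECURITY UPDATE: file name handling in uploads
    - CVE-2011-2202

 -- Constructed Maintainer <maint@example.invalid>  Mon, 01 Jan 2001 00:00:00 +0000

examplepkg (1.2.3-1ubuntu0.1) stable-security; urgency=low

  * SECURITY UPDATE: long path names in socket connect
    - CVE-2011-1938

 -- Constructed Maintainer <maint@example.invalid>  Mon, 01 Jan 2001 00:00:00 +0000

examplepkg (1.2.3-1) stable; urgency=low

  * New upstream release.

 -- Constructed Maintainer <maint@example.invalid>  Mon, 01 Jan 2001 00:00:00 +0000
EOF
}
# Read a changelog on stdin; print the oldest package version whose entry
# mentions CVE id $1. Exit status 1 if no entry mentions it.
cve_fixed_in() {
    awk -v cve="$1" '
        # Entry header: "package (version) distribution; urgency=..."
        /^[a-z0-9][a-z0-9+.-]* \(/ { ver = $2; gsub(/[()]/, "", ver); next }
        # Whole-id match, so CVE-2011-193 does not hit CVE-2011-1938.
        ver != "" && $0 ~ (cve "([^0-9]|$)") { found = ver }
        END { if (found == "") exit 1; print found }
    '
}
# Read a changelog on stdin and print one status line per CVE id argument.
report() {
    log=$(cat)
    for id in "$@"; do
        if v=$(printf '%s\n' "$log" | cve_fixed_in "$id"); then
            echo "$id: fix first listed in $v"
        else
            echo "$id: not mentioned, treat as unpatched until confirmed"
        fi
    done
}
sample_changelog | report CVE-2011-2202 CVE-2011-1938 CVE-0000-0000
```

On a Debian or Ubuntu host the installed package's changelog normally lives at `/usr/share/doc/<package>/changelog.Debian.gz`, so the output of `zcat` on that file can be piped into `report` in place of the sample.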
