Question PHP version false alarm
- martin1
- Topic Author
- New Member
webtrees tries to guess supported PHP versions.
But upstream PHP versions are not relevant for most Linux installations, so that warning is wrong, e.g. for PHP 7.4.
Updates are managed by Linux distributions. Maybe that warning should be removed.
- Franz Frese
- Elite Member
- martin1
- Topic Author
- New Member
- Posts: 34
-> webtrees.net/install/
and btw I meant that security warning....
- Franz Frese
- Elite Member
I do not see a warning.
- Warius
- New Member
e.g. in my installation: PHP Version 8.3.0
- Franz Frese
- Elite Member
- bertkoor
- Platinum Member
- Greetings from Utrecht, Holland
martin1 wrote: webtrees tries to guess supported PHP versions.
No it does not. See www.php.net/supported-versions.php
PHP 7.4 for instance went end-of-life in December 2022. Ubuntu might have backported some patches to security vulnerabilities, but do you want to risk that? As robstone wrote on reddit:
robstone@reddit wrote: given Ubuntu's penchant for leaving packages in their repos without updates for known CVEs, my confidence in that actually happening is somewhat low.
Do you know how long the list is? It's rather impressive ...
martin1 wrote: Maybe that warning should be removed.
webtrees has no knowledge of how the underlying server is exactly managed. Perhaps you find it obsolete, but for others it is not. It's just a warning, ignore it if you want.
stamboom.BertKoor.nl runs on webtrees v2.1.20
- martin1
- Topic Author
- New Member
- Posts: 34
packages.debian.org/search?keywords=php&...uite=all&section=all
The upstream PHP version roadmap is useless, because Linux does not work like this. It uses its own packages.
So a warning "no updates anymore" is wrong.
- norwegian_sardines
- Platinum Member
- Posts: 3137
2) PHP 7.3 is not supported any more. So YES, the message "no updates any more" is correct! Here are the currently supported PHP versions! If the packages provided via your Linux version make updates outside of the PHP support, then the package is not 7.3, it is 7.3.x or 7.3+. But it is still important to be on the current PHP version so that any new or deprecated functions are also maintained. webtrees may use or remove functions not supported in the current release of PHP!
Ken
- martin1
- Topic Author
- New Member
- Posts: 34
en.wikipedia.org/wiki/Package_manager
- Franz Frese
- Elite Member
- fisharebest
- Administrator
"Your web server is using PHP version %s, which is no longer receiving security updates. You should upgrade to a later version as soon as possible."
This is based on the EOL date of your PHP version, as listed in post #9.
It's a warning, not an error. Nothing will stop working. It is only shown to admins on the control panel. Feel free to ignore it.
When you talk about "linux distributions managing packages", then I guess you are talking about Remi Collet's php-security-backport project.
e.g. github.com/remicollet/php-src-security/c...-security-backports/
(Remi works for RedHat and produces the PHP packages for RedHat, CentOS and other distributions).
Yes, he collects security fixes and backports them to older versions.
Does he catch all security fixes? Probably not.
Does he look for and fix issues that only exist in older versions? No.
Why do these packages exist? Because RedHat commits to providing stable systems for a decade. If your company has spent tens of millions building a website that only runs in PHP 7.4, then they may make a business decision to keep running it for a decade on PHP 7.4 because rolling-rewrites for newer PHP versions is too difficult/expensive. They will probably also implement plenty of other mitigations such as disabling all unused functions, etc.
BTW, I am responsible for info-sec for my department (at a large UK university) so I take these things fairly seriously. I wouldn't be allowed to deploy a server with an outdated version of PHP.
YMMV. Your server, your data, your choice.
Greg Roach - greg@subaqua.co.uk - @fisharebest@phpc.social - fisharebest.webtrees.net
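The check discussed in this thread, written out as an added Python example (not webtrees' code and not from any poster): it classifies a reported PHP version string by upstream end of security support, and separately flags builds whose version string carries a distribution revision. The date table, the vendor-suffix pattern, the state names and the host inventory are assumptions constructed for illustration; take authoritative dates from www.php.net/supported-versions.php.

```python
import re
from datetime import date

# Assumed sample table of upstream end-of-security-support dates per branch.
# Refresh it from www.php.net/supported-versions.php before relying on it.
UPSTREAM_SECURITY_END = {
    "7.4": date(2022, 11, 28),
    "8.0": date(2023, 11, 26),
    "8.1": date(2025, 12, 31),
    "8.2": date(2026, 12, 31),
    "8.3": date(2027, 12, 31),
}

VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(.*)$")
# Distribution revision markers seen in packaged builds (assumed, not exhaustive).
VENDOR_RE = re.compile(r"deb\d+u\d+|ubuntu[\d.]+|\.el\d+", re.IGNORECASE)


def assess(version: str, today: date) -> str:
    """Classify one PHP version string as of `today`."""
    m = VERSION_RE.match(version.strip())
    if not m:
        return "unknown"
    end = UPSTREAM_SECURITY_END.get(f"{m.group(1)}.{m.group(2)}")
    if end is None:
        return "unknown"
    if today <= end:
        return "supported-upstream"
    # Upstream has stopped patching this branch. A distribution revision in the
    # string means a vendor built it; whether that vendor still backports fixes
    # depends on the distro release's own support window, which must be checked.
    if VENDOR_RE.search(m.group(4)):
        return "upstream-eol-vendor-build"
    return "upstream-eol"


def audit(inventory: dict, today: date) -> dict:
    """Map each host to its state so the two EOL cases can be triaged apart."""
    return {host: assess(ver, today) for host, ver in inventory.items()}


# Constructed inventory: host names and version strings are made up.
SAMPLE = {
    "web-a": "7.4.33",
    "web-b": "7.4.3-4ubuntu2.19",
    "web-c": "8.3.0",
    "web-d": "not-a-version",
}

if __name__ == "__main__":
    for host, state in audit(SAMPLE, date(2024, 1, 15)).items():
        print(f"{host}: {state}")
```

A host in the `upstream-eol-vendor-build` state still needs its distribution release checked against that vendor's own support window before the warning is dismissed.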
- martin1
- Topic Author
- New Member
- Posts: 34
fisharebest wrote: I guess you are talking about this message: "Your web server is using PHP version %s, which is no longer receiving security updates. You should upgrade to a later version as soon as possible."
Right.
fisharebest wrote: This is based on the EOL date of your PHP version, as listed in post #9. It's a warning, not an error. Nothing will stop working. It is only shown to admins on the control panel. Feel free to ignore it.
There is nothing to warn about for up-to-date Debians and Ubuntus.
fisharebest wrote: When you talk about "linux distributions managing packages", then I guess you are talking about Remi Collet's php-security-backport project.
No. I meant the usual way Linux distros support software.
fisharebest wrote: BTW, I am responsible for info-sec for my department (at a large UK university) so I take these things fairly seriously. I wouldn't be allowed to deploy a server with an outdated version of PHP.
BTW, I am a certified Linux admin, working for big companies worldwide.
fisharebest wrote: YMMV. Your server, your data, your choice.
Your misinterpretation. Take a look at this page. WordPress people have covered this issue:
php.watch/articles/extend-lifetime-legacy-php
And states: " only 16% of the reported WordPress sites run on a PHP version supported by the PHP core developers."
And the explanation for that: "Debian LTS, Ubuntu LTS, Rocky Linux, and RHEL are a few Linux-based operating systems that provide PHP in their default repositories. They do not receive bug fixes from upstream, but security fixes are backported as applicable."
- norwegian_sardines
- Platinum Member
- Posts: 3137
But my php distribution is at 8.1? And I can select 8.2 if I desire. And I don’t compile my own, but if I had to I would!
Ken