I'm trying to get PCI Compliance for my dedicated server (Red Hat Enterprise Linux), which is running Magento. When I first installed Magento on the server, I realized that RHEL comes with a PHP version which is too old for Magento (5.1.6). So, I found a separate repo with PHP version 5.2.11, which got everything running fine, but now I'm in a bind. My PCI Compliance test says that since my PHP version is < 5.3.1 it has security issues. If I try to update to 5.3.1, Magento breaks. I don't want to edit the Magento core to fix those problems, so I guess what I need is a repo with PHP 5.2.11, but that I can confidently say/prove has back-ported to patch up the issues that the PCI Compliance scan identifies.
I realize this is terribly convoluted, but if you have any suggestions/tips I'd be happy to hear them.
Thanks.
If you are using 5.2.11, that is the current stable version of the 5.2 branch, so you would be safe from a PCI perspective (it should be the same as saying I'm running Office 2003 with all the service packs). There won't be any backporting issues, as 5.3 and 5.2 are two different sets of code. Bugs in 5.3 will not necessarily affect 5.2 and vice versa.
This is unlike kernels, where Red Hat will regularly backport patches. Red Hat keeps all the CVEs updated with this information.
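Added example, not part of any answer in this thread: the evidence an assessor will accept for a version-based scanner finding is the package changelog, because Red Hat and other enterprise distributions backport security fixes into the packaged version without changing the upstream version string and record the CVE IDs there. The script below reads changelog text on stdin (on a RHEL host that is the output of `rpm -q --changelog php`) and lists which of the scanner's CVE IDs the changelog never mentions. The changelog excerpt and the `CVE-0000-000N` identifiers are constructed placeholders, not real advisories.

```shell
#!/bin/sh
# Added example, not from the thread above. Enterprise distributions backport
# security fixes into their packaged PHP without changing the upstream
# version, and record the CVE IDs in the package changelog. This script
# takes changelog text on stdin (on a RHEL host: rpm -q --changelog php) and
# reports which of the scanner's CVE IDs the changelog never mentions.
set -eu

# cves_in_changelog: changelog text on stdin -> unique CVE IDs, one per line.
cves_in_changelog() {
    grep -Eo 'CVE-[0-9]{4}-[0-9]{4,}' | sort -u
}

# missing_cves "ID ID ...": changelog text on stdin; prints each listed ID
# that the changelog does not mention. Empty output means every scanner
# finding is covered by a recorded backport.
missing_cves() {
    wanted=$1
    have=$(cves_in_changelog)
    for id in $wanted; do
        printf '%s\n' "$have" | grep -qx -- "$id" || printf '%s\n' "$id"
    done
}

# Constructed changelog excerpt in rpm --changelog layout. The CVE numbers
# are placeholders (year 0000), not real advisories.
sample_changelog() {
    cat <<'EOF'
* Mon Jan 01 0000 Example Packager <packager@example.invalid> - 5.2.11-2
- backport upstream fix for CVE-0000-0001 (placeholder)
- backport upstream fix for CVE-0000-0002 (placeholder)

* Sun Dec 31 0000 Example Packager <packager@example.invalid> - 5.2.11-1
- rebase to 5.2.11
EOF
}

# Demo: the scanner flagged three IDs from the version string alone; two are
# recorded as backported, one is genuinely absent and needs a vendor answer.
# On a real host replace sample_changelog with: rpm -q --changelog php
sample_changelog | missing_cves 'CVE-0000-0001 CVE-0000-0002 CVE-0000-0003'
```

A third-party repository whose changelog does not name CVEs gives you nothing to show the assessor; that silence is itself the answer to "can I prove the fixes were backported".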
Has anyone installed the following libraries or extensions (curl, libcurl, pearl, pecl, mongodb driver for php) with PHP 5.6.6 or higher (not 7) on Ubuntu 14?
I have used all of these with PHP 5.5, and now I am worried about version compatibility.
Can anyone assure me that I can migrate from Ubuntu 12.04 to 14 and from PHP 5.5 to 5.6.6 or higher?
The libraries or extensions are third-party software, developed on their own and able to be bound into PHP or any other language.
E.g. the cURL library is developed in C and can be used from or bound into many different languages.
Also, it is good to always stay up to date. While upgrading to a new version, e.g. of PHP, you can check the changelog of that version and based on that understand whether any library's support has changed or not.
Many web servers always try to upgrade or stay on the latest versions of languages, or you can ask them to upgrade the server based on your requirements and they will do it, so there is no need to worry about server configuration.
On my system I upgraded from Ubuntu 12.04 to 14.04 and the current PHP version is 5.5.9, and every library is working fine.
And the thing is that when the language version is upgraded, some good stuff also comes and some bugs are fixed. So it is cool to always stay up to date.
We have a requirement for upgrading the PHP version (5.3.25) to current stable version which is 5.6.17. So, for this we need to find which approach would be best.
A step-by-step approach, in which we upgrade from 5.3.X to 5.4.X, then 5.4.X to 5.5.X, and so on.
A direct upgrade, in which we go straight from 5.3.X to 5.6.X.
Apart from the upgrade itself, what should we keep in mind while doing this?
It would be good, if any of you have any documents which we can refer to.
The PHP maintainers publish a list of incompatible changes for every release. Here are the documents you may want to read:
5.4 incompatible changes
5.5 incompatible changes
5.6 incompatible changes
If you have regression tests, you're lucky; if you don't, I strongly recommend testing every change in a virtual environment before the real update on the main server. If you're brave enough, you can try to set up Vagrant; this will allow developers to easily share their environment and to reproduce the server state as it should be after the upgrade to 5.6.
I also wouldn't recommend partial upgrades; I think it's better to target 5.6 in the first (and only) migration step.
In my experience, we upgraded our PHP version from 5.3.28 to 5.6.6 directly because of server upgrades, and one more reason is that you can check all your modules faster if there's an error, rather than checking them on every version.
What you should keep in mind:
deprecated functions
if you're using PHP frameworks (CodeIgniter, Laravel, etc.), consider upgrading them too
current code implementations
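Added example, not from either answer above: before touching the server, it helps to grep the code base for the constructs that the 5.4, 5.5 and 5.6 incompatible-changes lists name, so reviewers know which files to read first. The script below is a heuristic audit in that spirit; the rule list covers a handful of well-known removals and deprecations (the `session_register()` family and call-time pass-by-reference, both removed in 5.4; `ext/mysql` and the `preg_replace()` `/e` modifier, both deprecated in 5.5; `$HTTP_RAW_POST_DATA`, deprecated in 5.6) and is meant to be extended from those documents. The sample PHP files it scans are constructed for the demo, and the patterns are loose on purpose (for instance `array(&$x)` is still legal but gets flagged), so it complements, rather than replaces, a test run under the target PHP.

```shell
#!/bin/sh
# Added example, not code from the original thread: a heuristic pre-upgrade
# audit that greps a PHP 5.3 code base for constructs that PHP 5.4, 5.5 and
# 5.6 removed or deprecated. It points reviewers at files to read; it does
# not replace the incompatible-changes lists or a test run on the target PHP.
set -eu

# Rules as "version;extended-regex;explanation". A heredoc keeps the regex
# characters out of shell quoting. Patterns are deliberately loose: the "&$"
# rule also flags array(&$x), which is still legal, so review each hit.
rules() {
    cat <<'EOF'
5.4;session_(register|unregister|is_registered)[[:space:]]*\(;session_register() family removed in 5.4
5.4;[(,][[:space:]]*&\$[A-Za-z_];call-time pass-by-reference removed in 5.4 (fatal error)
5.5;(^|[^A-Za-z0-9_])mysql_[A-Za-z0-9_]+[[:space:]]*\(;ext/mysql deprecated in 5.5 (move to mysqli or PDO)
5.5;preg_replace[[:space:]]*\([[:space:]]*['"][^'"]*[^A-Za-z0-9_][A-Za-z]*e[A-Za-z]*['"];preg_replace() /e modifier deprecated in 5.5 (use preg_replace_callback)
5.6;\$HTTP_RAW_POST_DATA;$HTTP_RAW_POST_DATA deprecated in 5.6 (read php://input instead)
EOF
}

# scan_php_tree DIR: one line per hit, "version<TAB>file:line:source<TAB>why".
scan_php_tree() {
    dir=$1
    rules | while IFS=';' read -r ver pat why; do
        find "$dir" -type f -name '*.php' -exec grep -EHn -- "$pat" {} + 2>/dev/null |
            while IFS= read -r hit; do
                printf '%s\t%s\t%s\n' "$ver" "$hit" "$why"
            done
    done
}

# count_findings DIR: number of hits, handy as a gate in a pre-upgrade check.
count_findings() {
    scan_php_tree "$1" | wc -l | tr -d ' '
}

# Constructed sample tree (not real application code): two legacy files that
# use the flagged constructs and one clean file that uses the replacements.
make_sample_tree() {
    d=$(mktemp -d)
    mkdir -p "$d/legacy" "$d/clean"
    cat >"$d/legacy/db.php" <<'EOF'
<?php
$link = mysql_connect('localhost', 'app', 'secret');        // ext/mysql
session_register('user');                                   // removed in 5.4
$out = preg_replace('/(\w+)/e', 'strtoupper("$1")', $in);   // /e modifier
EOF
    cat >"$d/legacy/post.php" <<'EOF'
<?php
$raw = $HTTP_RAW_POST_DATA;   // deprecated in 5.6
sort_items(&$items);          // call-time pass-by-reference
EOF
    cat >"$d/clean/db.php" <<'EOF'
<?php
$pdo = new PDO('mysql:host=localhost;dbname=app', 'app', 'secret');
$raw = file_get_contents('php://input');
EOF
    printf '%s\n' "$d"
}

# Demo run on the constructed tree; point scan_php_tree at a real checkout
# instead.
sample=$(make_sample_tree)
scan_php_tree "$sample"
rm -rf "$sample"
```

Run it against the 5.3 checkout before building the 5.6 virtual environment; a non-zero `count_findings` is the list of modules to exercise first in that environment.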
So, Red Hat Enterprise Linux doesn't support the mcrypt module, but you can get it from the Fedora project through EPEL. This would work fine, except for the fact that we're using Software Collections (SCL) to get a newer version of PHP (5.4).
So what is the best approach to getting the dependencies for Laravel on RHEL 6.6 and keeping PHP 5.4 in the most vendor-supported way possible?
About mcrypt: libmcrypt is a dead project, unmaintained for ~8 years; the last version, 2.5.8, was released in February 2007!... and despite lots of open tickets, no activity. Cryptography is a very important part of security management. Looking at the past, at the issues discovered and fixed in various software, at the need to always raise security standards and to drop old algorithms, how can we imagine using 8-year-old software?
More: http://blog.remirepo.net/post/2015/07/07/About-libmcrypt-and-php-mcrypt
This explains why php-mcrypt is not part of the official RHEL/RHSCL packages.
Additional packages for php54 collection (including php54-php-mcrypt) are available on https://www.softwarecollections.org/en/scls/remi/php54more/
And FYI, Laravel 5.1 doesn't require mcrypt anymore.
I'm currently about to install PHP for an Apache/Windows-based development environment, but it seems I'm about to fall at the first hurdle: Choosing the right package to install.
PHP is available in no less than four flavours:
VC9 x86 Non Thread Safe
VC9 x86 Thread Safe
VC6 x86 Non Thread Safe
VC6 x86 Thread Safe
What's the difference between these versions in a practical sense?
If this wasn't complicated enough, version 5.3 of PHP is only available in VC9 (with 5.2 coming with the VC6 packages). And yet, according to the PHP site, you should not use VC9 with Apache... So why does Apache get the older version?
It's all very confusing and I'd like some help understanding the choices.
After a lot of research, I've managed to find my own answers to this question.
In its most basic form, the answer is: What version of PHP you should install comes down what webserver you are running.
Here's a deeper explanation of the terms used in picking a version of PHP based on what I learned:
VC6 vs VC9
Firstly, different versions of Apache for Windows are compiled with different compilers. For example, the versions on Apache.org are designed to be compiled using Microsoft Visual C++ 6, also known as VC6. This compiler is very popular, but also very old. (It dates back to 1998.)
There are different versions of Apache made for different compilers. For example, the versions available for download from ApacheLounge.com are designed to be compiled with the popular and much more recent compiler, Microsoft Visual C++ 9 from 2008, also known as VC9.
(Note: These two compilers are the two most popular options. So while it's possible to have a VC7, VC8, etc. compiled version of Apache, it's unlikely that you'll come across them.)
The use of this more recent compiler (VC9) is important because the latest versions of PHP are only being distributed in VC9 form (although older versions are still available for VC6).
On top of that, according to ApacheLounge there are numerous improvements when using a version of Apache compiled with VC9, "in areas like Performance, MemoryManagement and Stability".
If that wasn't enough, the developers of PHP made the following statement on their site:
Windows users: please mind that we do no longer provide builds created with Visual Studio C++ 6 (VC6). It is impossible to maintain a high quality and safe build of PHP for Windows using this unmaintained compiler. We recommend the VC9 Apache builds as provided by ApacheLounge.
All PHP users should note that the PHP 5.2 series is NOT supported anymore. All users are strongly encouraged to upgrade to PHP 5.3.6.
In all, this is an extremely compelling argument to use VC9 versions of Apache and PHP, if you ask me.
So if you're using a version of Apache from the official Apache site, it will be compiled with VC6, and as such, you should use the older version of PHP for that compiler. If you're using a version of Apache compiled with VC9, like the one available on ApacheLounge.com, you can use the latest version of PHP (for VC9).
For me, running a local development environment, it would be preferable to have the latest version of PHP, so a VC9 version of Apache is required, so I can use the VC9 version of PHP.
Thread Safe vs Non Thread Safe
Once again this comes down to your webserver. By default Apache is installed on Windows as a module, but it can be changed to run as FastCGI. There are plenty of differences between the two, but essentially FastCGI is more modern, faster, more robust, and more resource hungry. For someone running a local development environment, FastCGI might be overkill, but apparently lots of hosting companies run as FastCGI for the reasons I've stated, so there are good arguments for doing so in a development environment.
If you're running Apache (or IIS) as FastCGI (or CGI) then you want the Non Thread Safe version of PHP. If you're running Apache as default (as a Module), then you'll want the more traditional Thread Safe version.
Please note: This all only applies to Windows users.
I'm not going to bother with FastCGI (unless someone convinces me otherwise), so for me, I want the VC9 Thread Safe version of PHP.
And that's it.
Further reading:
Official statement regarding PHP and VC6
Difference between PHP thread safe and non thread safe binaries
FastCGI at Wikipedia
FastCGI for IIS
Visual C++ at Wikipedia
Compile your own PHP (explanation of VC6/VC9)
Personally, I use a virtualised LAMP server. Every hosting service I use is on some flavour of Linux, and there are too many differences between WAMP and LAMP. Then I just use the default tasksel LAMP server for that version of Linux.
My actual setup right now is with VMware (Fusion on Mac, Player on Windows). I have 3 VMs: one for PHP 5.3 on Ubuntu 10.04 LTS, and another for PHP 5.1 on Ubuntu 8.04 LTS. (One of the hosts I use is on Red Hat, which currently supports only PHP 5.1.) I have a third VM for Ruby on Rails development.
In other words, I try to get my development environment as close to my production environment as possible. So work out what version of Apache and PHP is on your host, and use that as your guide.
I've been learning up on PHP, and a lot of the time in the books and tutorials I read, features come up as having been introduced in PHP 5. I don't know anything about PHP history, so I don't know if I can safely use these features on most servers. I know in Python, adoption of new versions is very slow (few apps use 3.x, most desktops have 2.6, many server distros like Red Hat have versions as early as 2.4).
Is there a similar situation in the PHP ecosystem? My server has version 5.2, but are some servers still running PHP 4? What version of PHP can I safely assume a server would run?
PHP 5 was released in 2004, and PHP 4 reached End of Life at the end of 2007. You can safely assume that the server has at least 5.0.
PHP 5.3 was released in 2009, but there are still major pieces of software that have not fully taken into account everything that was changed in it; additionally, there are still distributions within their mainstream support cycles (like fairly recent versions of Ubuntu and Debian) that do not have it by default.
However, assuming PHP 5.2 is definitely safe.
At this point you should expect, if not demand, PHP 5.2.x. If your host doesn't have that, switch hosts; they don't deserve your money. PHP 5.3, on the other hand, is a different story... not all shared hosts offer that yet, so you'll want to check it before deploying or setting up an account if that's the version you're targeting.
I wouldn't assume minimum versions of any software installed anywhere. I'm sure there are people still running PHP4 in 2010. Having said that, I also wouldn't be developing any new software targeted at PHP4 in 2010. PHP 5.2 is probably a good, practical choice at this point in time.
Distrowatch can be a useful resource for this type of question. Here's an example: It appears that RedHat went to PHP 5 in RHEL 5.5, which came out in March. That's not actually so long ago; it wouldn't surprise me if some enterprise users haven't upgraded (I work at a large university and we have many production servers running RHEL 4).
Nonetheless, if we were going to run a PHP app on one of those servers, it's a safe bet that we would update PHP. I'd use 5.2 and just document the requirement.
So, we've got some current data after all:
http://phpadvent.org/2010/usage-statistics-by-ilia-alshanetsky
PHP version | usage at the end of 2010
---------------+----------------------------
4.4 | 6%
4.4 | 16%
5.1 | 8%
5.2 | 66%
5.3 | 4%
And a more recent analysis (from June 2011):
http://w3techs.com/technologies/details/pl-php/5.3/all
5.3 | 8.6% (from 6.6%/0.764)
Most web hosting providers are using PHP 5. Some of them still provide both PHP 4 and 5 on a hosting account. In any case, keep on developing in PHP 5.