Need to upgrade apache2 and php5 for security reasons

sean finney seanius at debian.org
Tue Jul 1 16:13:35 BST 2008


hi christian,

(sending follow-up to -discuss as requested by scott)

my impression is in line with scott's, that they probably did some kind of 
generic check/audit and compared that the version was less than "the latest".

i would strongly, strongly, advise against leaving the package management 
system and "rolling your own" to get the latest.  php upstream does not make 
distinction between security-only releases and new-feature releases, and it 
is often the case that a new version (even a point-release) will introduce 
new bugs/regressions/security issues.  the solution for the new regressions 
is to either wait for yet another release, wherein you repeat the above 
procedure, or "install from latest CVS", which should make the skin crawl for 
any sysadmin worth their pay.

furthermore, you have the issues with any other systems change: new versions 
may break compatibility with previously working applications and installed 
software, etc.

the packaged versions of php recieve official security support from 
the "vendor" (in this case debian/ubuntu) with reviewed, tested, and 
isolated,  fixes.  this is similar to what is done in other "enterprise" 
distributions, such as redhat/suse, which also do not use "the latest 
version".  i would argue that as long as you do not require something from a 
newer version, this is the optimal configuration.


	sean
	(debian php package maintainer)

On Tuesday 01 July 2008 04:06:21 pm Scott Kitterman wrote:
> On Monday 30 June 2008 10:52, Christian Desrochers wrote:
> > Hi all,
> >
> > Our web servers have been checked recently by an external security firm.
> > We have been told that our web servers need to be upgraded to the latest
> > version in order to fix some security issues.
> >
> > Security updates are applied every week on our servers. If I want to
> > upgrade Apache to version 2.2.9 and PHP to 5.2.6, how do I proceed if my
> > servers are already up to date and if there is nothing to upgrade, even
> > when I use the backports repository? I have both dapper and gutsy
> > systems.
> >
> > I know that I can download and compile these programs myself, but for
> > future updates, it becomes complicated since we have lots of servers...
> >
> > Currently, for Gutsy, the version of Apache is 2.2.4-3ubuntu0.1 and PHP
> > is PHP5.2.3-1ubuntu6.3.
> >
> > Any ideas on how to softly upgrade those two packages?
> >
> > Thanks,
> >
> > Chris
>
> Did this external security firm check to see what security fixes have been
> added to those releases or did they just look at version numbers? 
> Generally for supported packages security fixes get added to the existing
> packages in the release, so odds are these issues are fixed.
>
> If there are vulnerabilities that are not patched in Dapper and Gutsy for
> apache and php, then we need to know so they can be fixed.
>
> Also, I'm sending this to ubuntu-devel-discuss as that's a more appropriate
> list for this discussion.  Follow-ups there please.
>
> Scott K
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: This is a digitally signed message part.
Url : https://lists.ubuntu.com/archives/ubuntu-devel-discuss/attachments/20080701/d45a7942/attachment.pgp 


More information about the Ubuntu-devel-discuss mailing list