Need to upgrade apache2 and php5 for security reasons
seanius at debian.org
Tue Jul 1 16:13:35 BST 2008
(sending follow-up to -discuss as requested by scott)
my impression is in line with scott's, that they probably did some kind of
generic check/audit and compared that the version was less than "the latest".
i would strongly, strongly, advise against leaving the package management
system and "rolling your own" to get the latest. php upstream does not make
distinction between security-only releases and new-feature releases, and it
is often the case that a new version (even a point-release) will introduce
new bugs/regressions/security issues. the solution for the new regressions
is to either wait for yet another release, wherein you repeat the above
procedure, or "install from latest CVS", which should make the skin crawl for
any sysadmin worth their pay.
furthermore, you have the issues with any other systems change: new versions
may break compatibility with previously working applications and installed
the packaged versions of php recieve official security support from
the "vendor" (in this case debian/ubuntu) with reviewed, tested, and
isolated, fixes. this is similar to what is done in other "enterprise"
distributions, such as redhat/suse, which also do not use "the latest
version". i would argue that as long as you do not require something from a
newer version, this is the optimal configuration.
(debian php package maintainer)
On Tuesday 01 July 2008 04:06:21 pm Scott Kitterman wrote:
> On Monday 30 June 2008 10:52, Christian Desrochers wrote:
> > Hi all,
> > Our web servers have been checked recently by an external security firm.
> > We have been told that our web servers need to be upgraded to the latest
> > version in order to fix some security issues.
> > Security updates are applied every week on our servers. If I want to
> > upgrade Apache to version 2.2.9 and PHP to 5.2.6, how do I proceed if my
> > servers are already up to date and if there is nothing to upgrade, even
> > when I use the backports repository? I have both dapper and gutsy
> > systems.
> > I know that I can download and compile these programs myself, but for
> > future updates, it becomes complicated since we have lots of servers...
> > Currently, for Gutsy, the version of Apache is 2.2.4-3ubuntu0.1 and PHP
> > is PHP5.2.3-1ubuntu6.3.
> > Any ideas on how to softly upgrade those two packages?
> > Thanks,
> > Chris
> Did this external security firm check to see what security fixes have been
> added to those releases or did they just look at version numbers?
> Generally for supported packages security fixes get added to the existing
> packages in the release, so odds are these issues are fixed.
> If there are vulnerabilities that are not patched in Dapper and Gutsy for
> apache and php, then we need to know so they can be fixed.
> Also, I'm sending this to ubuntu-devel-discuss as that's a more appropriate
> list for this discussion. Follow-ups there please.
> Scott K
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Size: 189 bytes
Desc: This is a digitally signed message part.
Url : https://lists.ubuntu.com/archives/ubuntu-devel-discuss/attachments/20080701/d45a7942/attachment.pgp
More information about the Ubuntu-devel-discuss