3

My Operating System is Debian 7.9.

My dedicated server hosts only a website in PHP (5.4 apparently), and some databases (MySQL). There are also programs like iptables, fail2ban, etc. set up.

I made an update recently and saw a warning about PHP 5.4 being deprecated (yes, I'm late) and that I would need to update to 5.6 and eventually upgrade from Debian 7.x to 8.x.

My problem:

  1. I didn't make the PHP code running on my website, so I'm wondering if I should follow a simple tutorial on how to update PHP 5.4 to 5.6, if it's wise (to fix security issues) or if it will break my site.

  2. They even suggest to upgrade to Debian 8, but I feel like it will cause more troubles than anything and I don't have much time to fix all the new issues that will come up (and I need my website online).

What should I do? What is your advice, please?

Will

2 Answers

4

Here is what the message in the DSA-3380 said:

Note to users of the oldstable distribution (wheezy): PHP 5.4 has reached end-of-life on September 14th, 2015. As a result, there will be no more new upstream releases. The security support of PHP 5.4 in Debian oldstable (wheezy) will be best effort only, and you are strongly advised to upgrade to latest Debian stable release (jessie), which includes PHP 5.6.

The Debian security team keeps your whole system "secure" (as far as that is humanly possible with PHP) by backporting the latest security patches while minimizing incompatibilities. Now there are no official security patches anymore from PHP upstream. So the Debian security team now needs to adapt security updates for higher PHP versions back to PHP 5.4. This probably takes additional time or might not be feasible at all.

So they recommend you to upgrade to Debian "Jessie" 8 (which is the current stable) as soon as possible. Debian "Wheezy" 7 is oldstable and should still be supported by the security team. But usually the security team support ends about a year after the stable release. As Debian "Jessie" 8 has been released on 2015-04-25 the usual year of support might end as soon as in two months from now.

After that there is supposed to be an additional Long Term Support (LTS) support period in which a different team tries to support that distribution for another period of time. According to the LTS wiki page, the LTS team has already taken over the security support of Debian "Wheezy" 7 and will support it until May 2018.

So to profit from the Debian maintenance to keep your whole system secure, you should probably upgrade to Debian "Jessie" 8 as soon as possible. Maintaining the security of software on your own is far more time consuming than upgrading your system once every few years, at least in my experience.

aef
  • "Maintaining the security of software on your own is far more time consuming than upgrading your system once every few years, at least in my experience." I have no idea on how to maintain the security of each software myself lol, if you mean running apt-get upgrade then it's not much work :D So I could still use debian 7 and php 5.4 for two years before upgrading? – pedrotester Feb 06 '16 at 21:23
  • What I meant with maintaining it by yourself is compiling PHP from source, applying the `suhosin` patches and possibly more and keeping track of vulnerabilities in the used PHP version and every time you recognize that you are vulnerable, compile the new version and start over. This is quite a lot more time consuming than using `aptitude update` and `aptitude full-upgrade` on the current `stable` Debian system. Even more so, because Debian tries hard to give you the security updates without breaking your application compatibility. – aef Feb 06 '16 at 23:17
1

@aef's answer is great, but I wanted to also cover two other things you were asking.

The Debian upgrade process is fairly simple and safe. With the setup and tools you're describing, I doubt that you'd run into any problems, unless your PHP code itself has incompatibilities with 5.6. You can find the official Debian upgrade instructions for Wheezy to Jessie here.

As far as PHP is concerned, 5.4 to 5.5 and 5.4 to 5.6 are fairly safe. Here are the major incompatibilities that may affect typical users:

  • The json_decode() method is a bit more strict, and no longer allows non-lowercase true, false, and null. But this would be a violation of the JSON specification, so as long as your JSON APIs are compliant, this will be fine.

  • The Mcrypt module now requires valid keys and Initialization Vectors.

  • pack() and unpack() had a few small changes that will be incompatible with some code that uses it.

  • php://input is now re-usable.

Those are the highlights, really, and they don't affect many people. The complete list is here and here.

Will
    Thanks! I will review these and I guess I should just try it in local. The PHP used is quite basic but since it wasn't made by a pro, I was a bit concerned, so I'm going to verify what you mentioned, thank you! – pedrotester Feb 11 '16 at 21:26
  • No problem. I'd imagine it will work fine; but, good to be safe. Maybe test it on a different machine/a VM on your local machine first. – Will Feb 11 '16 at 22:17
  • Eh good idea for debian testing! I already use VM. Thanks lol, I think these are the best solutions to avoid any problem. I need to find the time to do it though :) – pedrotester Feb 11 '16 at 22:28
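The json_decode() strictness change listed in the answer above is the one most likely to bite an inherited code base silently, because PHP 5.4 returned a value where 5.6 returns NULL. The following added example (not code from the question or either answer; the function name decode_json_strict and the sample payloads are constructed for illustration) applies the 5.6 rule on any PHP version, so it can be run against captured request bodies on the existing Wheezy box before upgrading:

```php
<?php
// Added example: flag JSON payloads that relied on the lenient json_decode()
// of PHP < 5.6, which accepted TRUE / False / Null in any letter case.
// PHP 5.6 rejects such literals outright, so affected requests start failing.

/**
 * Decode JSON under the PHP 5.6 rule (lowercase literals only) and report
 * why decoding failed. On 5.4/5.5 the literal check is emulated so the
 * result is the same before and after the upgrade.
 */
function decode_json_strict($raw)
{
    // Blank out string contents first so "TRUE" inside a quoted value is not flagged.
    $noStrings = preg_replace('/"(?:\\\\.|[^"\\\\])*"/', '""', $raw);

    // Any true/false/null literal outside strings must be exactly lowercase.
    if (preg_match_all('/\b(?:true|false|null)\b/i', $noStrings, $matches)) {
        foreach ($matches[0] as $literal) {
            if ($literal !== strtolower($literal)) {
                return array('ok' => false, 'error' => 'non-lowercase literal ' . $literal);
            }
        }
    }

    $value = json_decode($raw, true);
    // json_decode('null') legitimately returns NULL, so check the error code, not the value.
    if ($value === null && json_last_error() !== JSON_ERROR_NONE) {
        return array('ok' => false, 'error' => 'syntax error');
    }
    return array('ok' => true, 'value' => $value);
}

// Constructed sample request bodies, as a pre-upgrade check might read them from a log.
$samples = array(
    '{"active": true, "role": "editor"}',        // compliant: fine on 5.4 and 5.6
    '{"active": TRUE, "role": "editor"}',        // decoded on 5.4, rejected on 5.6
    '{"note": "value is TRUE", "flag": null}',   // uppercase only inside a string: fine
    '{"deleted": Null}',                         // rejected on 5.6
);

foreach ($samples as $json) {
    $r = decode_json_strict($json);
    printf("%-45s %s\n", $json, $r['ok'] ? 'OK' : 'WILL BREAK on 5.6: ' . $r['error']);
}
```

Every payload reported as "WILL BREAK" identifies a client that must be fixed, or a place where the site should return a clear error, before the PHP 5.6 packages are installed.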