Is PHP 5.4.X on CentOS 7 vulnerable?

yuwfsu
Posts: 2
Joined: 2017/05/15 12:23:01

Post by yuwfsu » 2021/09/13 14:59:16

Hello,

We have a few CentOS 7 servers that have PHP 5.4.16. Our university security team asked us to update PHP to the latest PHP 7. They say PHP 5.4.X is vulnerable. I remember Red Hat always patches PHP to address security vulnerabilities but does not always update the PHP version.

My questions are: is the PHP 5.4.16 from the CentOS 7 repository a vulnerable version? Do I need to manually install PHP 7 (it'll certainly break the applications we run, like MailWatch and Roundcube)?

Thank you.

James Wang
CS, FSU

TrevorH
Site Admin
Posts: 33202
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: Is PHP 5.4.X on CentOS 7 vulnerable?

Post by TrevorH » 2021/09/13 15:51:19

Just like all the other packages in CentOS 7, they are rebuilt from the source used to produce RHEL 7 of the same point release. Red Hat support their packages for 10 years from the initial release date, so for CentOS 7, which came out in 2014, that's until 2024.

If you look at https://www.php.net/eol.php you can see that 5.4 went EOL on 3 Sep 2015. If you look at the package changelog you can see Red Hat fixing problems much more recently:

$ rpm -q --changelog php-common
* Tue Oct 29 2019 Remi Collet <rcollet@redhat.com> - 5.4.16-48
- fix underflow in env_path_info in fpm_main.c CVE-2019-11043

* Wed Aug 21 2019 Remi Collet <rcollet@redhat.com> - 5.4.16-47
- fix stack-buffer-overflow while parsing HTTP response CVE-2018-7584
- fix out-of-bounds read in base64_decode_xmlrpc CVE-2019-9024
- fix reflected XSS in phar 404 page CVE-2018-5712
- fix reflected XSS in phar 403 and 404 error pages CVE-2018-10547

* Tue Jun 19 2018 Remi Collet <rcollet@redhat.com> - 5.4.16-46
- load openssl configuration file on startup #1408301

* Tue Jan 23 2018 Remi Collet <rcollet@redhat.com> - 5.4.16-45
- gd: fix buffer over-read into uninitialized memory CVE-2017-7890

The future appears to be RHEL or Debian. I think I'm going Debian.
Info for USB installs on http://wiki.centos.org/HowTos/InstallFromUSBkey
CentOS 5 and 6 are deadest, do not use them.
Use the FAQ Luke
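The check Trevor describes, turned into a small script, as an added example that is not part of the thread: instead of trusting the upstream version number, look for the CVE id in the package changelog, where Red Hat records backported fixes. The function names are my own, the sample changelog is constructed from the entries quoted above so the parser runs without rpm installed, and `rpm_cve_fixed` assumes an RPM-based host with `rpm` on the PATH.

```shell
#!/bin/sh
# Added example, not from the forum post: decide whether a backported fix
# for a given CVE is present by reading the RPM changelog, which is what the
# security team's version-based scanner does not see.

# Constructed sample, copied from the changelog entries quoted in the thread,
# so the parsing functions can be exercised offline.
SAMPLE_CHANGELOG='* Tue Oct 29 2019 Remi Collet <rcollet@redhat.com> - 5.4.16-48
- fix underflow in env_path_info in fpm_main.c CVE-2019-11043

* Wed Aug 21 2019 Remi Collet <rcollet@redhat.com> - 5.4.16-47
- fix stack-buffer-overflow while parsing HTTP response CVE-2018-7584
- fix out-of-bounds read in base64_decode_xmlrpc CVE-2019-9024'

# cve_fixed_in_changelog CVE-ID CHANGELOG-TEXT
# Prints the package release (version-release) whose entry first mentions
# the CVE and returns 0; returns 1 if the CVE is not mentioned at all.
cve_fixed_in_changelog() {
    cve="$1"; log="$2"
    printf '%s\n' "$log" | awk -v cve="$cve" '
        /^\* /                          { release = $NF }   # header ends with EVR
        index($0, cve) && release != "" { print release; found = 1; exit }
        END                             { if (found) exit 0; exit 1 }'
}

# list_cves_in_changelog CHANGELOG-TEXT
# Prints every CVE id mentioned in the changelog, one per line, deduplicated;
# handy for answering "which CVEs has this build already addressed?".
list_cves_in_changelog() {
    printf '%s\n' "$1" | grep -o 'CVE-[0-9]\{4\}-[0-9]\{4,\}' | sort -u
}

# rpm_cve_fixed PACKAGE CVE-ID
# The real check against an installed package (hypothetical helper name;
# assumes an RPM-based host): e.g. rpm_cve_fixed php-common CVE-2019-11043
rpm_cve_fixed() {
    cve_fixed_in_changelog "$2" "$(rpm -q --changelog "$1")"
}

# Demonstration on the constructed sample:
cve_fixed_in_changelog CVE-2019-11043 "$SAMPLE_CHANGELOG"   # prints 5.4.16-48
```

A CVE absent from the changelog is not proof the package is vulnerable (the build may predate the bug, or the fix may be listed under a Bugzilla id), so treat a miss as "check the Red Hat advisory", not as a verdict.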

yuwfsu
Posts: 2
Joined: 2017/05/15 12:23:01

Re: Is PHP 5.4.X on CentOS 7 vulnerable?

Post by yuwfsu » 2021/09/13 15:54:50

Thank you Trevor. It really helped.

James Wang
CS, FSU
