SecurityInfo thinks my PHP is vulnerable because it's from Debian Stable

[strugee]

I'm running PHP 5.6.9-0+deb8u1, aka PHP 5.6.9 as packaged in Debian Stable ("Jessie", as of this writing). SecurityInfo wants me to update to PHP 5.6.11, but this isn't actually very good advice:

1. If I install PHP from some other source, then I'm installing an untrusted binary on my system. Not only that, but I'm basically giving the distributor root, because dpkg will execute package maintainer scripts as root.
2. If I fix the first issue by building PHP from source, then I don't receive automatic security upgrades.
3. If I fix the first issue by installing PHP from Backports, then I don't get support from the Debian security team, and have to rely on the backporter to push out security updates.

There really isn't a good answer. The solution is for SecurityInfo to check against the latest version of PHP available from Debian (on Debian systems, obviously), and ensure that the versions match.

[wolfgang42]

I have the same problem on Ubuntu 16.04: "You are running PHP 7.0.13-0ubuntu0.16.04.1. The latest version of PHP is 7.1.1."

[robocoder]

@strugee It sounds more like you didn't have debian-security in your apt sources list, e.g.,

deb http://security.debian.org/debian-security/ jesse/updates main

Looking at the Debian page https://packages.debian.org/jessie/php5, I see it has the latest version of 5.6.x. The PHP devs released 5.6.33 on January 4, 2018. The Debian packages were published on January 5, 2018.

---

@wolfgang42 Ubuntu security updates aren't as timely. On xenial, I see the latest is 7.0.33 (Oct 26, 2017) while the php devs released 7.0.35 on January 4, 2018. The response from http://php.net/releases/?serialize=1&version=7 doesn't include minor php7 versions anymore (e.g., 7.0.x, 7.1.x), so it'll report the latest version is 7.2.2 (at time of this writing).

---

FYI Ondřej Surý is one of the maintainers on the Debian php packages. He also happens to maintain his own builds:

• Debian: https://packages.sury.org/
• Ubuntu (PPA): https://launchpad.net/~ondrej/+archive/ubuntu/php

We've been using his builds in production since 2012 (starting with Ubuntu precise). He has published debs for the latest versions of php 5.6, 7.0, 7.1, and 7.2 on trusty, xenial, artful, bionic, jesse, and stretch.

[strugee]

@robocoder I have debian-security enabled and I guarantee I had it enabled then. The issue is that I filed this bug a long time ago, so that description isn't current. apt-cache policy php5 now reports 5.6.33+dfsg-0+deb8u1, and SecurityInfo still reports the latest version of PHP being PHP 7.