This repository has been archived by the owner on Feb 13, 2023. It is now read-only.

deprecated / vulnerable PHP 5.6 on ubuntu 14.04 #921

Closed
marji opened this issue Oct 11, 2016 · 5 comments

marji commented Oct 11, 2016

Using vagrant_box: geerlingguy/ubuntu1404 to get PHP 5.6 (as specified by http://docs.drupalvm.com/en/latest/other/php-56/), deprecated PHP packages installed:

vagrant@drupalvm:~$ dpkg -l php5 | tail -1
ii  php5                                5.6.23+dfsg-1+deprecated+dontuse+deb.sury.org~trusty+1 all

The installed PHP 5.6.23 packages also have a few security vulnerabilities.

The current PHP 5.6 is 5.6.26 and is available in https://launchpad.net/~ondrej/+archive/ubuntu/php

marji commented Oct 11, 2016

@geerlingguy
Owner

@marji - We're currently using ondrej's php5-5.6 apt PPA for Ubuntu (as you pointed out) here: https://github.com/geerlingguy/drupal-vm/blob/master/provisioning/tasks/init-debian.yml#L27-L29

I'm going to see what it takes to swap it out for the non-deprecated 'universal php' repo for 5.6... likely just a docs update.

@geerlingguy
Owner

Ugh, I hate having all the versions mixed together in one repo, because things like this (https://github.com/oerdnj/deb.sury.org/wiki/PPA-migration-to-ppa:ondrej-php#explaining-php-pear-dependency) become annoying to deal with. Apparently installation of php-pear triggers a default install of PHP 7.0 alongside 5.6, and then there are some other ways 7.0 also gets installed, which then means there are two PHP versions on the server, and CLI tools like Composer and other PHP utilities can't properly detect which version to use (unless you go through some trickery).

These are among the many reasons I hate using Debian/Ubuntu; it seems the entire OS ecosystem is built with the presumption that people manage things by hand! :P

@geerlingguy
Owner

Almost there... had to change pathing, package list, something in the PHP role...

@geerlingguy
Owner

Docs are updated now too. Since this is a (slightly) breaking change, it warrants a minor version bump. Anyone using PHP 5.6 will need to change package names.
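
An added example (not from this issue thread or the Drupal VM project): a shell check for the two conditions discussed above, package versions carrying the `+deprecated+dontuse` marker and more than one PHP branch installed side by side. The function names and every sample row except the `php5` version string quoted in the issue are constructed; on a real host the input would come from `dpkg-query -W`.

```shell
#!/usr/bin/env bash
# Added example. Input is tab-separated "package<TAB>version", as produced by:
#   dpkg-query -W -f='${Package}\t${Version}\n' 'php*'

audit_php_packages() {
  awk -F'\t' '
    # Versions from the retired PPA carry an explicit marker, as in the issue.
    $2 ~ /\+deprecated\+dontuse/ { print "DEPRECATED " $1 " " $2; bad = 1 }

    # Old-style names (php5, php5-cli): take the branch from the version string.
    $1 ~ /^php5(-|$)/ {
      v = $2; sub(/^[0-9]+:/, "", v)        # drop a Debian epoch if present
      if (match(v, /^[0-9]+\.[0-9]+/)) branch[substr(v, 1, RLENGTH)] = 1
    }

    # Versioned names (php5.6-cli, php7.0-common): the branch is in the name.
    $1 ~ /^php[0-9]+\.[0-9]+(-|$)/ {
      match($1, /[0-9]+\.[0-9]+/)
      branch[substr($1, RSTART, RLENGTH)] = 1
    }

    END {
      n = 0
      for (b in branch) n++
      # More than one branch means CLI tools may pick the wrong interpreter.
      if (n > 1) { for (b in branch) print "MIXED " b; bad = 1 }
      exit (bad ? 1 : 0)
    }
  '
}

# Constructed sample inventory. Only the php5 version string is from the issue;
# the other rows are made up to show a 7.0 install pulled in next to 5.6.
sample_inventory() {
  printf '%s\t%s\n' \
    php5       '5.6.23+dfsg-1+deprecated+dontuse+deb.sury.org~trusty+1' \
    php5-cli   '5.6.23+dfsg-1+deprecated+dontuse+deb.sury.org~trusty+1' \
    php-pear   '1:1.10.1+constructed-1' \
    php7.0-cli '7.0.11-1+constructed~trusty+1'
}

# Demo run: prints the findings; exit status 1 signals that something was flagged.
sample_inventory | audit_php_packages || echo "findings listed above"
```

The function exits non-zero when anything is flagged, so it can gate a provisioning run or a CI job.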
