TransWikia.com

PHP security updates in Debian after PHP version EOL

Unix & Linux Asked by Thorian93 on November 23, 2021

I have quite a stupid question, I am afraid, but I am kind of in need of written confirmation of my suspicion.

Consider a Debian 9 with PHP from the official repositories. The PHP version shipped by Debian 9 is 7.0.
I did not enable third-party repositories such as Sury.

In my research I found the Debian PHP documentation, which gives all the information I could need except for the following question: What happens when the PHP version is not maintained upstream any more?

The PHP Project states in their supported versions document that PHP 7.0 has not received security updates since the beginning of 2019. So is the default PHP version in Debian 9 potentially vulnerable?

Thanks in advance for any input and information!

2 Answers

The PHP packages are covered as part of Debian Stretch LTS, until June 2022, on the LTS architectures (i386, amd64, arm64, armel and armhf). Ondřej Surý backports security fixes from later releases; see his July 6 upload for a recent example.

If you install the debian-security-support package, you’ll be told if your system uses any unsupported package.

Answered by Stephen Kitt on November 23, 2021

Debian 9.0 is currently supported.

PHP 7.0 in Debian 9.0 does receive security fixes: https://metadata.ftp-master.debian.org/changelogs//main/p/php7.0/php7.0_7.0.33-0+deb9u8_changelog

TLDR: You're safe as long as Debian 9.0 is supported.

Answered by Artem S. Tashkinov on November 23, 2021
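Both answers come down to reading the Debian revision rather than the upstream version number. The following is an added example, not code from either answer or from Debian: it checks a saved package list against the `7.0.33-0+deb9u8` version named in the changelog URL above, assuming that the number after `+deb9u` is what advances when a fix is backported. The function names and the sample inventory are constructed for illustration.

```shell
#!/bin/sh
# Input: "package version" lines, e.g. saved from the audited host with
#   dpkg-query -W -f='${Package} ${Version}\n' 'php7.0*'

# Baseline: the version in the changelog URL quoted in the answer above.
BASELINE="7.0.33-0+deb9u8"

# Upstream part of a Debian version (everything before the last "-").
upstream_of() { printf '%s\n' "${1%-*}"; }

# N from a "+deb9uN" suffix, or 0 when the suffix is absent.
deb9_rev_of() {
    case "$1" in
        *+deb9u*) printf '%s\n' "${1##*+deb9u}" ;;
        *)        printf '0\n' ;;
    esac
}

# classify VERSION -> current | behind | unknown
classify() {
    # A different upstream version cannot be ranked by revision alone.
    if [ "$(upstream_of "$1")" != "$(upstream_of "$BASELINE")" ]; then
        echo unknown; return
    fi
    have=$(deb9_rev_of "$1"); want=$(deb9_rev_of "$BASELINE")
    # Extra suffixes (for example a binNMU "+b1") are left for manual review.
    case "$have" in ''|*[!0-9]*) echo unknown; return ;; esac
    if [ "$have" -ge "$want" ]; then echo current; else echo behind; fi
}

# Read "package version" lines on stdin; print one verdict per package.
audit() {
    while read -r pkg ver; do
        [ -n "$pkg" ] || continue
        printf '%s %s %s\n' "$pkg" "$ver" "$(classify "$ver")"
    done
}

# Constructed sample inventory (not taken from a real host).
sample_inventory() {
    cat <<'EOF'
php7.0-cli 7.0.33-0+deb9u8
php7.0-fpm 7.0.33-0+deb9u3
php7.0-common 7.0.27-0+deb9u1
EOF
}

sample_inventory | audit
```

On the Debian host itself, `dpkg --compare-versions` is the authoritative comparison for the `unknown` cases, and `check-support-status` from the debian-security-support package reports packages that are no longer covered.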
