Updated PHP 7.4 Releases on Oracle Linux 8?

User_ZXOJA Member Posts: 1 Green Ribbon

I am trying to find out whether there are any upcoming PHP 7.4 releases. Right now the Oracle Linux 8 repositories only have PHP 7.4.19, which was built back in May of 2021.

There have been at least four PHP 7.4 releases since 7.4.19 that have dealt with severe vulnerabilities in the 7.4 train. Security scans show multiple vulnerabilities in the current version (7.4.19) available and recommend that we upgrade to 7.4.26 or higher.

While I would prefer to move to PHP 8, several of our servers run applications that are not yet certified for PHP 8 and our policy is to keep the same version on all systems.

Is there an OL8 repository with an up-to-date version of PHP 7.4? I have all of the standard Oracle Linux 8 official repositories and the Oracle EPEL repository enabled. Is there another repository that Oracle can recommend that we use instead?

Thank you. - Ray

Answers

  • Todd Vierling-Oracle Member Posts: 34 Employee
    edited Aug 22, 2022 11:17PM

    Oracle Linux tends to follow the RHEL8 release trains. That said, the current version of php-7.4 in OL8 AppStream is:

    php-7.4.19-3.module+el8.6.0

    This was built in June 2022, not May 2021. Bear in mind that backports of security fixes are the most common way to get fixes in RPM packages, as the goal is *stable functionality* with security fixes sometimes backported. As a rule, rebases of package versions happen much more rarely than backported bugfixes.

    If you look at the changelog of that RPM, it contains the following on top of baseline 7.4.19:

    - fix password of excessive length triggers buffer overflow leading to RCE
      CVE-2022-31626
    - fix SSRF bypass in FILTER_VALIDATE_URL
      CVE-2021-21705
    - fix Local privilege escalation via PHP-FPM
      CVE-2021-21703

    This means all the above CVEs are indeed fixed in the released php-7.4.19-3 RPM. That "-3" indicates a patchlevel of the RPM which includes backported fixes. You can see this with

    rpm -q --changelog php | less

    on an installed RPM, or if you have the RPM file,

    rpm -qp --changelog php-7.4.19-*.rpm | less

    If there is a CVE you are concerned about that is not listed here and you're an Oracle Linux Support customer, please file a support ticket/SR with the CVE number(s) and we'll dive further into it, in case Oracle needs to do backports on top of what's already released.
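A small check script, added here as an example and not part of the thread or of any Oracle tooling: it extracts the CVE IDs recorded in an RPM changelog (the `rpm -q --changelog` output the answer points to) and reports which of a given list are listed, which is the check to run when a scanner flags a package on its version string alone. The changelog text in the script is constructed from the excerpt quoted above, with a placeholder header line; the package name php and the rpm commands are those in the answer.

```shell
#!/usr/bin/env bash
# Added example (not from the thread or from Oracle): report whether given CVE IDs
# appear in an RPM's %changelog, where OL8/RHEL8 record backported security fixes.

# Constructed sample changelog, modelled on the excerpt quoted in the answer;
# the header line (date, maintainer) is a placeholder, not a real entry.
SAMPLE_CHANGELOG='* Wed Jun 01 2022 Placeholder Maintainer <placeholder@example.invalid> - 7.4.19-3
- fix password of excessive length triggers buffer overflow leading to RCE
  CVE-2022-31626
- fix SSRF bypass in FILTER_VALIDATE_URL
  CVE-2021-21705
- fix Local privilege escalation via PHP-FPM
  CVE-2021-21703'

# Print the distinct CVE IDs found in changelog text ($1), one per line, sorted.
extract_cves() {
    printf '%s\n' "$1" | grep -oE 'CVE-[0-9]{4}-[0-9]{4,}' | sort -u
}

# $1 = changelog text, remaining args = CVE IDs to look for.
# Prints FIXED / NOT-LISTED per CVE; returns 0 only if every CVE is listed.
check_cves_in_changelog() {
    local changelog="$1"; shift
    local listed missing=0 cve
    listed=$(extract_cves "$changelog")
    for cve in "$@"; do
        if printf '%s\n' "$listed" | grep -qxF "$cve"; then
            printf 'FIXED       %s\n' "$cve"
        else
            printf 'NOT-LISTED  %s\n' "$cve"
            missing=$((missing + 1))
        fi
    done
    [ "$missing" -eq 0 ]
}

# Changelog of installed package $1 via the rpm command from the answer; falls
# back to the constructed sample when rpm or the package is not present.
package_changelog() {
    if command -v rpm >/dev/null 2>&1 && rpm -q "$1" >/dev/null 2>&1; then
        rpm -q --changelog "$1"
    else
        printf '%s\n' "$SAMPLE_CHANGELOG"
    fi
}

# Demo with the three CVEs the answer lists; a scanner matching on version alone
# would flag 7.4.19 even though these are recorded as fixed in the -3 build.
check_cves_in_changelog "$(package_changelog php)" CVE-2022-31626 CVE-2021-21705 CVE-2021-21703 \
    && echo "all listed in changelog" || echo "some CVEs not listed in changelog"
```

A CVE that is absent from the changelog is not proof the package is vulnerable (the fix may be in the upstream baseline or recorded under a different ID), so treat NOT-LISTED as the cue to check the vendor's errata or open the SR the answer describes.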