Old 04-20-2018, 02:37 PM   #1
aw12
LQ Newbie
 
Registered: Feb 2018
Posts: 2

Question Explain it to me like I am 5....


The movie Philadelphia has a line in it that is also a subreddit: "Explain it to me like I am 5".


As a security person, my vulnerability scanner picked up these two vulnerabilities as an example:
Obsolete Version of PHP
PHP versions prior to 5.6 are no longer supported. General support for PHP 5.5.37 has been discontinued since July 10, 2016. It is strongly recommended to upgrade to PHP 5.6 or later.

and

PHP CGI Argument Injection https://www.rapid7.com/db/vulnerabil...p-php-obsolete


The response I have back is that the version of Apache and PHP is fully supported.


Can someone reconcile those two statements? Just want to have a sanity check before I start commenting.

Here is the explanation:

https://access.redhat.com/solutions/445713
What version of httpd is supported on RHEL?
Is the community version of Apache httpd supported?
Which versions of Apache httpd are supported?
How can I install Apache 2.4/2.5? Is Apache httpd 2.4/2.5 supported?
Does Redhat support self compiled apache installations?
What are supported install methods for apache 2.4(e.g. rpm and yum only etc.)?
Support for apache installation.
We need to update the httpd version from 2.4.9 to 2.4.12. We are unable to find the same on the portal. Please provide the Apache executable file for this.
Which is the latest version of httpd(Apache) server available from RHEL.
Apache HTTPD Upgrade
I am aware that the Apache HTTPD version supplied for RHEL7.1 is version 2.4.6. Will Redhat upgrade this to 2.5 in future for RHEL7?
I also have RHEL6.6 OS. Will there be plans to upgrade the Apache Httpd package in future?
Apache Prior to 2.4.4 and 2.2.24 Multiple Vulnerabilities

Apache HTTP Server Prior to 2.2.25 Multiple Vulnerabilities
httpd vulnerability on port 443
We patched httpd packages to the latest (available on the RHEL6 repository) to solve the below vulnerabilities, but it seems there is still a vulnerability that Qualys is reporting.
What is the latest version of httpd supported on RHEL
It looks like the latest is 2.2.3 but this is quite old.
Does RHEL 7 support Apache version 2.2.31? If not, which Apache version does RHEL 7 support?
Which versions of Apache are available for my version of Red Hat Enterprise Linux?
It is necessary to install a specific version of Apache; does the installed version of Red Hat Enterprise Linux support it?
We need to know which is latest Apache (httpd) version that Redhat support?
Is Apache/2.2.31 (Unix) supported in RHEL6 or RHEL7?


Upstream is discussing EOL dates for PHP 5.3.
https://wiki.php.net/rfc/php53eol
Can you verify that RHEL6 will support PHP 5.3.x for the entire lifespan of RHEL6?
Or is it possible that PHP 5.3.x will also become EOL for RHEL6?
Please suggest how and where I can get the PHP 5.3.25 or above to install using Yum in RHEL6?
Resolution
At the time of this writing, we have following default versions of php packages available for RHEL5, RHEL6 and RHEL7
RHEL5 :- php-5.1 (latest RHEL provides php-5.3 in php53 package)
RHEL6 :- php-5.3
RHEL7 :- php-5.4
The major version for php will remain as above for its whole life cycle. Please check the paragraph below on how RHEL packages are managed. Red Hat Software Collections provides support for php-5.4, php-5.5, php-5.6, and php-7.0 for RHEL6 as well as RHEL7 (as Software Collections follows a different naming convention, these packages are named php54, php55, rh-php56 and rh-php70 respectively). Please visit How to use Red Hat Software Collections for more information.
Red Hat Enterprise Linux is a maintained collection of many different components, which are drawn from the wider open source software community. At the time our product is released we have a particular version of each of the software components, selected for features and stability. During the life cycle of our product we backport any relevant bug fixes and security enhancements created by the upstream maintainers to the packages that we maintain, as well as contributing any fixes that we do.
We have our own version numbering scheme for the packages that we create based on these backported changes. We do not change the version of any of the software components based on the release of a new version by an upstream project.
For example, if PHP releases a new version of PHP, we will not update our package to that new version. This is in order to maintain compatibility and stability. We will backport any bug fixes or security errata that are relevant to the version of PHP that is part of Red Hat Enterprise Linux.
For more information about Red Hat's policy on the backporting of security updates, visit the following:
What is Red Hat's security patch and backport policy
 
Old 04-21-2018, 07:15 AM   #2
Turbocapitalist
LQ Guru
 
Registered: Apr 2005
Distribution: Linux Mint, Devuan, OpenBSD
Posts: 7,382
Blog Entries: 3

The bugfixes are backported to the old versions so that the major functionality remains the same over the life of the system.

Note the patch history or change log for the packages in question. There will probably also be a minor point change in the package name. That way if you start out with PHP 5.3 in CentOS 6 then you will have PHP 5.3 for the duration of the system's lifecycle and your PHP scripts will thus most likely not break.

If I recall correctly:

Code:
rpm -q --changelog phpsomethingsomething | less
If you have questions about RHEL6, then you'd get more accurate information using that support subscription you are paying for.
 
Old 04-23-2018, 08:33 AM   #3
aw12
LQ Newbie
 
Registered: Feb 2018
Posts: 2

Original Poster
Thumbs up Summary?

Quote:
Originally Posted by Turbocapitalist
The bugfixes are backported to the old versions so that the major functionality remains the same over the life of the system.

Note the patch history or change log for the packages in question. There will probably also be a minor point change in the package name. That way if you start out with PHP 5.3 in CentOS 6 then you will have PHP 5.3 for the duration of the system's lifecycle and your PHP scripts will thus most likely not break.
Thanks for the prompt reply to my question. So in summary you are indicating that the PHP, despite showing a vulnerability based upon file version/date created, has actually been remediated, and the proof would be in the change log?
 
Old 04-23-2018, 08:37 AM   #4
Turbocapitalist
LQ Guru
 
Registered: Apr 2005
Distribution: Linux Mint, Devuan, OpenBSD
Posts: 7,382
Blog Entries: 3

No problem.

Yes, the proof would be in the change log. You'd have to check that to be sure. What you see is that something like php-5.3.0.rpm being vulnerable while php-5.3.0.01a.rpm will have been fixed.
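The changelog check that posts #2 and #4 describe, written out as an added example (not code from the thread, from Red Hat, or from the rpm project): it assumes an RPM-based host for the live helpers, and the offline self-check uses a constructed sample changelog with a placeholder CVE id, since the thread does not name one.

```shell
#!/bin/sh
# Added example (not code from the thread): decide whether a backported
# fix is present by reading the package changelog, as post #2 suggests,
# instead of trusting the version string a scanner keys on.
# The live helpers assume an RPM-based system; the offline self-check
# uses a constructed sample changelog with a placeholder CVE id.

# Return 0 if the changelog text on stdin mentions the given CVE id.
# -w keeps CVE-0000-0001 from matching CVE-0000-00010; -i because
# changelog entries vary in case.
changelog_mentions_cve() {
    grep -qiw -- "$1"
}

# Live check against the installed package (needs rpm).
#   usage: installed_pkg_fixes_cve php CVE-YYYY-NNNN
installed_pkg_fixes_cve() {
    rpm -q --changelog "$1" 2>/dev/null | changelog_mentions_cve "$2"
}

# Constructed sample in the layout rpm -q --changelog prints. The CVE id,
# dates, maintainer and release numbers are placeholders, not real data.
SAMPLE_CHANGELOG='* Tue Mar 01 2016 Maintainer <maint@example.com> - 5.3.3-47
- fix for CVE-0000-0001 (backported from a newer upstream release)

* Mon Jan 04 2016 Maintainer <maint@example.com> - 5.3.3-46
- rebuild against updated system libraries
'

# Check the constructed sample for a CVE id (used by the self-test).
sample_fixes_cve() {
    printf '%s' "$SAMPLE_CHANGELOG" | changelog_mentions_cve "$1"
}

# Report the installed version together with changelog evidence, so the
# scanner's "obsolete version" finding can be answered with facts.
# Exit status: 0 fix present, 1 no entry found, 2 cannot check.
report() {
    pkg="$1"; cve="$2"
    ver=$(rpm -q "$pkg" 2>/dev/null) || { echo "$pkg: not installed or rpm unavailable"; return 2; }
    if installed_pkg_fixes_cve "$pkg" "$cve"; then
        echo "$ver: changelog references $cve (fix backported)"
    else
        echo "$ver: no changelog entry for $cve; treat the finding as open"
        return 1
    fi
}
```

Run `report php CVE-YYYY-NNNN` with the CVE id from the scanner finding; a missing changelog entry does not prove the package is vulnerable, but it means the vendor's backport claim still needs evidence.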
 