Security warnings based on PHP version number are misleading #17147

Closed
jasonschmedes opened this issue Jul 16, 2017 · 9 comments

Comments

@jasonschmedes

jasonschmedes commented Jul 16, 2017

Steps to reproduce the issue

Install Joomla on PHP < 5.6

Expected result

Joomla suggests at least PHP 5.6. Joomla has no idea about the security of your particular PHP version because it is not directly testing for vulnerabilities.

OR

Joomla has tested for and detected the vulnerabilities listed below. You could try to close them by updating your PHP version. List of detected vulnerabilities

Actual result

Error

We have detected that your server is using PHP 5.5.9-1ubuntu4.21 which is
obsolete and no longer receives official security updates by its developers.
The Joomla! Project recommends upgrading your site to PHP 5.6 or later which
will receive security updates at least until 2018-12-31. Please ask your
host to make PHP 5.6 or a later version the default version for your site.
If your host is already PHP 5.6 ready please enable PHP 5.6 on your site's
root and 'administrator' directories - typically you can do this yourself
through a tool in your hosting control panel, but it's best to ask your host
if you are unsure

System information (as much as possible)

  • Ubuntu 14.04 LTS
  • PHP 5.5.9-1ubuntu4.21
  • Joomla 3.7

Additional comments

The message suffers from false positives and false negatives. The information it is spreading is only accurate in rare circumstances, none of which are qualified. Its wording is misleading and could actually be harmful such as when a blind-follower replaces their secure LTS PHP package that is still receiving security updates with an insecure one they configured and compiled themselves, because Joomla told them it would be more secure. The security implications of the PHP version are a case-by-case basis that Joomla cannot reliably verify so the message should not be so definite.

Joomla users should be encouraged to learn about security and the implications of their hosting provider, but the current message doesn't help with that.

@mbabker
Contributor

mbabker commented Jul 16, 2017

The wording is in no way inaccurate. Using the PHP version number, it is a report of whether your PHP version is supported or not by the PHP project. Nothing more, nothing less. Based on the fact that PHP 5.5 is no longer supported by the PHP project, you receive the message indicated. We cannot and will not attempt to check information about forks of a PHP release that are included in operating system distributions.

@jasonschmedes
Author

jasonschmedes commented Jul 16, 2017

@mbabker What you just said would be accurate, except that is not the message given. The Joomla project developers look bad when their users are provided evidence that the statement is inaccurate by their hosting provider.

How about:

We have detected that your server is using PHP 5.5 which is obsolete and no longer receives official security updates from the PHP team. The Joomla! Project recommends upgrading your site to PHP 5.6 or later which will receive security updates at least until 2018-12-31. Please ask your host if moving to PHP 5.6 would be more secure. If your host already offers PHP 5.6 please inquire about switching to that version. Please see the comprehensive security checklist in the documentation at https://docs.joomla.org/Security_Checklist/Hosting_and_Server_Setup for more info.

You might want to expand on that article and fix sentences like "PHP versions become deprecated and has become obsolete".

Or stop supporting PHP < 5.6.

Error
Your PHP version is less than 5.6 and is not supported since it is EOL. Use at your own risk.

Then people that know what they are doing can do what they want.

@mbabker
Contributor

mbabker commented Jul 16, 2017

Just because some enterprise corporations feel compelled to fork upstream projects and backport selected patches under the label of long term support does not mean their versions are inherently more secure or stable. PHP 5.5 is obsolete, regardless of what any hosting provider or enterprise corporation wants to tell anyone. It does not receive support from the project which created and released it. That is all we are concerned with checking and, without requiring that all Joomla installations have an additional C level extension which would allow us to check the compiled binaries for patches provided by third party vendors, there is no other way to improve the check.

If anyone is providing evidence to Joomla's users that PHP 5.5 or earlier are no longer supported or are not secure, they are using a forked version of those PHP version branches and as such their statements are not 100% factual. PHP 5.3 thru 5.5 can be made secure, or even supported for as long as someone chooses, by backporting security and bug patches and compiling their own binaries for use on their systems. Nobody can prevent that. Similar to how nobody can prevent folks from doing the same with the obsolete Joomla releases. But as a statement of fact, PHP 5.5 and earlier are obsolete and officially abandoned by the source project and as such on their own, out of the box, they cannot be considered secure.

@Spudley
Contributor

Spudley commented Jul 17, 2017

You might want to expand on that article and fix sentences like "PHP versions become deprecated and has become obsolete".

Or stop supporting PHP < 5.6.

When Joomla 4.0 is released, Joomla will be doing exactly that. Old PHP versions will no longer be supported.

It's best to just consider these warning messages as a "soft deprecation": even if your vendor is keeping your old PHP version patched, you should still take heed of them because sticking to an old PHP version will eventually bite you.

By the way, here's a great case study in how the distros' policy of sticking with a version and back-porting for security is flawed and leads to problems...

See ircmaxell/password_compat#10

This PHP library requires an update to PHP that was added in 5.3.7. Debian had standardised on 5.3.3, but did in fact implement the specific change that was required as a patch release. But other distros did not.

There was also a lot of confusion with this library in the early days when these issues were being worked out; it really wasn't clear which distros would be compatible with it and which weren't.

The lesson here is that (1) the distros' policy of not updating to the latest minor version can be problematic, and (2) it's impossible to realistically expect application and library vendors to be able to keep track of the versions supplied with all available distributions; it's only realistic to track against the standard release.

@jasonschmedes
Author

@mbabker Yes! We all agree on that. But, why does the error message say something different? It should be reworded.

@mbabker
Contributor

mbabker commented Jul 17, 2017

I don't see how it says something other than "it's not supported by PHP itself anymore", unless the point of contention can be found in the "no longer receives official security updates by its developers" statement. Which is true from the perspective that PHP no longer provides updates, but false in that an entity which has elected to fork PHP at a given version may continue to provide support. The only thing we can communicate is that PHP doesn't support the branch anymore, and that's all we are communicating.

@brianteeman
Contributor

I am closing this based on the comments from @mbabker above

@rebootl

rebootl commented Feb 12, 2019

So, I'm on an updated Debian stretch (which is the current stable atm.) and I'm getting this warning for PHP 7.0.33-0+deb9u1 and PHP 7.1. What do you expect me to do here, install an unofficial Debian package from some source I cannot verify? IMHO this is kinda harmful, and your handling of the issue seems a bit arrogant, no?

@mbabker
Contributor

mbabker commented Feb 12, 2019

My last comment from July 2017 still stands. The PHP project itself no longer supports PHP 7.0 in any form and as of the beginning of this year only security support is provided for PHP 7.1. The plugin is based on the support timeframes from the PHP project. Operating systems which provide extended support outside of the PHP project's support timeframe are not considered in these checks. You are free to disable the plugin issuing the warning if you do not want to see it.
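The check the thread is arguing about, as an added example that is not Joomla's plugin code and was not written by anyone in this thread: it does exactly what mbabker describes (a lookup of the version number against the PHP project's own branch end-of-support dates) and adds the one thing jasonschmedes and rebootl asked for, which is to notice a distribution suffix such as "-1ubuntu4.21" or "-0+deb9u1" and say plainly that backports cannot be verified from the number alone. The EOL table is an assumed excerpt of the php.net supported-versions data; the function names and the sample inputs are constructed for this example.

```php
<?php
declare(strict_types=1);

// Added example, not Joomla's plugin: classify a PHP version string against
// the PHP project's published branch end-of-support dates, and flag any
// vendor suffix that the version number alone cannot vouch for.

// Assumed excerpt of upstream security-support end dates per branch; replace
// with the current table from https://www.php.net/supported-versions.php.
const PHP_BRANCH_EOL = [
    '5.5' => '2016-07-21',
    '5.6' => '2018-12-31',
    '7.0' => '2018-12-03',
    '7.1' => '2019-12-01',
    '7.2' => '2020-11-30',
    '7.3' => '2021-12-06',
];

/**
 * Split a PHP_VERSION-style string into the upstream release and any vendor
 * suffix, e.g. "5.5.9-1ubuntu4.21" => ["5.5.9", "1ubuntu4.21"] and
 * "7.0.33-0+deb9u1" => ["7.0.33", "0+deb9u1"]; a plain "7.3.2" has no suffix.
 */
function splitPhpVersion(string $raw): array
{
    if (!preg_match('/^(\d+\.\d+\.\d+(?:(?:alpha|beta|RC)\d+)?)(?:[-+~](.*))?$/', $raw, $m)) {
        throw new InvalidArgumentException("Unrecognised PHP version string: $raw");
    }
    return [$m[1], $m[2] ?? ''];
}

/**
 * Returns status (supported | upstream_eol | unknown), the parsed parts and a
 * message that states only what the version number can actually tell us.
 */
function assessPhpVersion(string $raw, string $today): array
{
    [$upstream, $suffix] = splitPhpVersion($raw);
    $branch = implode('.', array_slice(explode('.', $upstream), 0, 2));
    $eol = PHP_BRANCH_EOL[$branch] ?? null;

    if ($eol === null) {
        $status = 'unknown';
        $msg = "PHP $branch is not in the support table; no claim is made about it.";
    } elseif (strcmp($today, $eol) > 0) {   // ISO dates compare correctly as strings
        $status = 'upstream_eol';
        $msg = "PHP $upstream belongs to the $branch branch, which the PHP project stopped "
             . "supporting on $eol; upstream publishes no further security fixes for it.";
    } else {
        $status = 'supported';
        $msg = "PHP $upstream is on the $branch branch, supported upstream until $eol.";
    }

    if ($suffix !== '') {
        // A distribution suffix means a vendor build; it may carry backported
        // fixes, but nothing here can verify that, so say so instead of guessing.
        $msg .= " The version string carries a vendor suffix (\"$suffix\"), so your host or "
              . "distribution may still ship security backports; this check cannot confirm that.";
    }

    return ['upstream' => $upstream, 'branch' => $branch, 'vendor_suffix' => $suffix,
            'status' => $status, 'message' => $msg];
}

// Constructed inputs: the two version strings reported in this thread plus a
// plain upstream build, evaluated as of the date of the last comment.
foreach (['5.5.9-1ubuntu4.21', '7.0.33-0+deb9u1', '7.3.2'] as $v) {
    $r = assessPhpVersion($v, '2019-02-12');
    printf("%-18s %-13s %s\n", $v, $r['status'], $r['message']);
}
// For the interpreter actually running the site: assessPhpVersion(PHP_VERSION, date('Y-m-d'));
```

With the 2019-02-12 date used above, both thread-reported strings come back as `upstream_eol` with the vendor-suffix caveat appended, and `7.3.2` comes back as `supported`. The design choice is the one mbabker's last comment implies: the check never claims the vendor build is insecure, only that upstream support has ended, and it names the suffix so a reader on a distribution LTS package knows why the number alone cannot settle the question.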
