A Question about keeping PHP 5.6 up to date

Dear Nextcloudians,

I have a question which may not sound like much, but believe me when I say it is very important to me personally.

Just had an Argument with a friend, because I decided to stick around with PHP Version 5.6.30 for a while now, even though 5.6.37 is already out. 5.6 is because I had Trouble running 7.x when I tried it and Things generally seem to break when upgrading php in General. Maybe bad Karma, or I just didn't understand the System as well as I wished (most likely second Option, though).

For reference: https://www.cvedetails.com/vulnerability-list/vendor_id-74/product_id-128/version_id-217402/PHP-PHP-5.6.30.html

There are a few CVEs open on 5.6.30 but Nothing I worried too much about, since it would (in my opinion) take a hacker whiz to do anything other than crashing PHP occasionally if he would like to.

My friend is like the world is going to end, hell will break loose, I am going to be hacked immediately. Or more down to earth: This poses an unbearable security Risk.

My Question: Is my behaviour reasonable or am I being recklessly security negligent and should never oversee a production Linux VM in my life again?

As stated: Just a personal Question, but I am eager to get honest answers and opinions about this, and maybe tomorrow is another normal day, but in the meantime this just really grinds my gears.

I am Running Ubuntu Minimal 16.04 (plus hardening measures), Apache 2.4 and MariaDB 10.

Thanks in Advance.

And sorry for the stupid German autocorrect that wants to begin every single word with a capital letter.

I wouldn’t use my own built php unless there are important reasons to not take the php packages of my distribution. Normally, they should provide regular updates which fit perfectly in your system so it won’t cause any hiccups when security patches are applied.

If you build your own php, you should have an update strategy and know when, why and how to apply patches. If you have questions regarding this, better ask the php community.

By the way, upcoming Nextcloud 14 requires php 7.0 or higher.

1 Like

Thanks for your reply. I asked here because Nextcloud security is concerned, and the php community probably can't say something about the specific program I am running. I thought about it and then decided to post it here.

The whole problem arose, I guess, because I had troubles with the built-in php 7 at the time and stuck with the design, will have some work to do and build a new template with standard php to get my updates straight.

Very helpful, thanks again.