Debian User Forums

[w-sky]

MySQL 5.5 and PHP 5 are outdated and insecure - my question is, will they be updated within the Debian 8 updates in "foreseeable" time, or should all admins running Debian 8 as a server update them manually?

[dasein]

...my question is, will they be updated within the Debian 8 updates in "foreseeable" time

No.

, or should all admins running Debian 8 as a server update them manually?

No.

[kedaha]

MySQL 5.5 and PHP 5 are outdated and insecure - my question is, will they be updated within the Debian 8 updates in "foreseeable" time, or should all admins running Debian 8 as a server update them manually?

Are you referring to existing vulnerabilities or have you found others which should be reported to the Debian Security Team. Debian 8 only receives security updates but you might consider installing mysql from jessie-backports if you need any features not available using the current stable packages; for example:

Code: Select all

$ rmadison  mysql-server mysql-client |grep jessie-backports
mysql-client | 5.6.30-1~bpo8+1 | jessie-backports         | all
mysql-server | 5.6.30-1~bpo8+1 | jessie-backports         | all

[w-sky]

No I'm referring only to known vulnerabilities and drawbacks. For example, PHP 7 is twice as fast as PHP 5 – this alone is a major reason to upgrade – and PHP 5 latest version still has options that when enabled can cause a security risk.
Wordpress.com recommends using MySQL 5.6 or greater and they surely have their reasons too. https://wordpress.org/about/requirements/

[pylkko]

those issues were already addressed in this thread and are things that people maintaining a server should already know.... Reiteration: Security Team takes care of known vulnerabilities. PHP 7 will not be available on Debian 8. it's less safe to use backported or your own install manually/from source than the one in the repository, but at the end of the day that's your call

[Zill]

w-sky: Please see "Don't suffer from Shiny New Stuff Syndrome" in the Debian Wiki.

[debiman]

For example, PHP 7 is twice as fast as PHP 5

proof, reports, examples?

– this alone is a major reason to upgrade –

maybe you should switch to archlinux as your server environment, then.

and PHP 5 latest version still has options that when enabled can cause a security risk.

i daresay this holds true for php7, too. and all other software.
in any case, since you know these risks, don't enable them?

Wordpress.com recommends using MySQL 5.6 or greater and they surely have their reasons too. https://wordpress.org/about/requirements/

wordpress is a known vulnerability all by itself. lol.

Reiteration: Security Team takes care of known vulnerabilities. ... it's less safe to use backported or your own install manually/from source than the one in the repository

this.

[pylkko]

Actually php7 is pretty much exactly, no more no less, 2x faster than 5.6

[w-sky]

Actually php7 is pretty much exactly, no more no less, 2x faster than 5.6

Yes – I installed PHP7 on my Debian 8 server and my Wordpress site now loads in 2.4s instead of 4.5s. I guess I will upgrade to Debian 9 next year anyway.

[debiman]

I installed PHP7 on my Debian 8 server

and are you going to keep this secret all for yourself, or will you share the solution, so others can benefit from it?
remember, these forums are a 2-way street.

[stevepusser]

https://www.dotdeb.org/2015/12/04/php-7 ... or-jessie/

These may cause problems if you plan an upgrade in place to Stretch, though. It depends on how they implemented the backports.

[pylkko]

The secret is using either a third party repo or frankendebian. In other words, no secret at all.

[millpond]

PHP and MySQL are crucial features of web site hosting servers that no sysadmin in their right minds would 'update' according to the whims of upstream providers. It would destroy their businesses almost immediately.

The reason is that enterprise website software is often created by independent developers, or if used as a pre-existing package like Drupal can be massive in size and complexity, and not take too well to updates messing with their modifications and specialized scripts.

Some ecommerce sites, even my own are running software over a decade old, and are not about to pay thousands in developer fees because some propellorhead tells the owners it may save a second or so on loading time, when their hardware is fast enough so that it is not an issue.

For blog software like Wordpress which must always be updated, and where software mods are actively discouraged, this may not be a problem - but for ecommerce sites stability instead of 'new' features is what keeps them in business.

Edited to add:
Things would not be so bad if newer versions of LAMPP programs had a history of coexisting with legacy code. But PHP for example has the notoriety of crashing due to 'deprecated' function names. And even perl needs certain switches set to avoid that problem. Not sure about MySQL or Apache though.

If you should ever consider developing websites or hosting utils - it would be well so see what software versions of the LAMPP stack are preferred at the time. The good news is that some hosts will permit differing versions of PHP and I believe mySQl for their customers.

[RoyFokker]

MySQL 5.5 and PHP 5 are outdated and insecure

Wow, Mysql 5.5.5 used in stable was released in late 2010! See:
http://dev.mysql.com/doc/relnotes/mysql ... 5-5-5.html
2010-07-06

The geniuses in the linux cult performs such nonsense all the time -- it is their default setting. Generally they like to waste monumental effort making millions of useless window managers, and backporting security fixes and bugfixes from software they want to hold hostage for about 4-6 years in time in a semi-frozen state under the deluded notion that it is more secure. Meanwhile stuff that is missing or annoying never gets dealt with and only gets worse. How could it, they are too busy making too many desktop environments that are lacking and don't work together beceause herrr-derr "freedom to suck", trying to patch dinosaur software that upstream doesn't care about as they stopped supporting it, etc.?

Don't try to argue with true believers of this cult. Instead go to your local Scientology center for sane conversation. Anyway maybe on the server that approach has merit, but there is no reason why home users should be using four to six year old versions of browsers, torrent clients, crappy outdated word processors that anyway cannot interact with documents that most the world creates anyway, etc. Frankly these people don't care and will suffer with nonsense and inferiority as long it is open-source inferiority.