PHP 5.5.14 - seriously?

Installed Yosemite Server on a MacMini (Server). Updated to all the latest releases and checked the basics. Now, there is PHP 5.5.14 installed.

Since then, there have been quite a bunch of security fixes and PHP is now at 5.5.22 in the 5.5 branch. Is there any way to learn if those fixes have been introduced by Apple in the 5.5.14 release, without changing the release number, or is Apple seriously ignoring those issues?


I understand Apple isn't always jumping to the very latest release, so 5.5 is ok even if 5.6 is out (and not since yesterday). But 5.5.14 instead of 5.5.22? Seriously?

How do you guys deal with this issue?

Posted on Mar 3, 2015 1:12 AM

2 replies
Question marked as Best reply

Mar 3, 2015 1:52 AM in response to Habakuk

For some or even most of the open-source packages Apple uses they actually make various customisations, for example the bootpd software and Racoon software used by Apple is heavily customised, I believe the Apache2 software itself is fairly standard but the location of the files used by Apple is again significantly different to standard Linux installations.


As such it would not be a simple matter of compiling the latest version and distributing it, even there due to kernel and other differences I know from experience that when you run a 'make' even using a standard open-source distribution you will see many operating system specific steps occurring.


So, while I understand your position this is a fact of life when dealing with Apple's software. Apple do generally try and issue security updates including patches for various open-source packages when vulnerabilities are discovered and hopefully not too long later fixed, for example the BASH vulnerabilities from last year. (Ironically because Apple used an older OpenSSL implementation they were never vulnerable to that issue.)


If you want a system where you have complete control over versions and the ability to rapidly install updates then Linux is the way to go but even there I have seen that older Linux distributions do not always get newer releases via e.g. apt-get meaning you may have to manually download, compile and install an update, for example StrongSwan5 for Ubuntu 12.04.


Note: One absolutely should not try downloading and installing newer open-source releases over Apple's ones as this is highly likely to break other Apple software or at a minimum make it harder to impossible to later install official Apple updates. It is in many cases possible to install separate copies of various open-source packages in different locations and run them instead or sometimes as well as Apple's official copies. For example the MAMP project installs additional separate copies of Apache and PHP in different locations. (I have not listed MySQL because as Apple no longer include this that module is no longer a parallel install but the only install.)

Mar 3, 2015 2:23 AM in response to John Lockwood

Thanks for your post, John. I am aware of the limitations using Apple Server. We've been there, moved away to using the client and a MAMP installation compiled ourselves. Periodically I come back to check if things became "better" (in my own perspective of course). From your writing, I gather there is no simple way of checking IF Apple was sneaking in some of the fixes, except to wade through the details of the security update lists, correct?
