6

I got a quite stupid question I am afraid but I am kind of in need of written confirmation of my suspicion.

Consider a Debian 9 with PHP from the official repositories. The PHP version shipped by Debian 9 is 7.0.
I did not enable third party repositories such as Sury.

In my research I found the Debian PHP documentation which gives all the information I could need except for the following question: What happens, when the PHP version is not maintained upstream any more?

The PHP Project states in their supported versions document, that PHP 7.0 does not receive security updates since the beginning of 2019. So is the default PHP version in Debian 9 potentially vulnerable?

Thanks in advance for any input and information!

Improve this question
1
  • The PHP version packaged with a new Debian release is nearly out of date (ie unsupported by PHP maintainers). It becomes unsupported before a new Debian version is released. Debian officially encourages people not to go to outside sources for software for security reasons. If you follow Debian and PHP maintainer's advice you can not implement PHP on Debian securely. This is why I reluctantly switched to Ubuntu as a server for PHP websites.
    – user3425506
    CommentedJul 6, 2022 at 12:51

2 Answers 2

Reset to default
7

The PHP packages are covered as part of Debian Stretch LTS, until June 2022, on the LTS architectures (i386, amd64, arm64, armel and armhf). Ondřej Surý backports security fixes from later releases, see his July 6 upload for a recent example.

If you install the debian-security-support package, you’ll be told if your system uses any unsupported package.

Improve this answer
1
  • I was unsure which answer to mark as correct as both provide a valid answer, but after your edit this is definitely the more comprehensive answer. Thank you!
    – Thorian93
    CommentedJul 22, 2020 at 14:05
4

Debian 9.0 is currently supported.

PHP7.0 in Debian 9.0 does receive security fixes: https://metadata.ftp-master.debian.org/changelogs//main/p/php7.0/php7.0_7.0.33-0+deb9u8_changelog

TLDR: You're safe as long as Debian 9.0 is supported.

Improve this answer

    You must log in to answer this question.

    Start asking to get answers

    Find the answer to your question by asking.

    Ask question

    Explore related questions

    See similar questions with these tags.