plugin-SecurityInfo
SecurityInfo thinks my PHP is vulnerable because it's from Debian Stable
I'm running PHP 5.6.9-0+deb8u1, aka PHP 5.6.9 as packaged in Debian Stable ("Jessie", as of this writing). SecurityInfo wants me to update to PHP 5.6.11, but this isn't actually very good advice:
- If I install PHP from some other source, then I'm installing an untrusted binary on my system. Not only that, but I'm basically giving the distributor root, because dpkg will execute package maintainer scripts as root.
- If I fix the first issue by building PHP from source, then I don't receive automatic security upgrades.
- If I fix the first issue by installing PHP from Backports, then I don't get support from the Debian security team, and have to rely on the backporter to push out security updates.
There really isn't a good answer. The solution is for SecurityInfo to check against the latest version of PHP available from Debian (on Debian systems, obviously), and ensure that the versions match.