PHP update to secure version

Discussion in 'Plesk Automation Suggestions and Feedback' started by Thomas Westman, Feb 15, 2016.

  1. Thomas Westman

    Thomas Westman Bit Poster

    To vote on PHP update regarding customer safety is like to vote whether to defend themselves if someone attacks, so obviously this must be updated, I think this is not something you should vote for but something that is constantly updated for safety's sake
  2. JustinSoul

    JustinSoul Odin Team

    Hello Thomas,

    Plesk Automation provides built-in PHP 5.3.3 for Linux-based hosting and PHP 4.4.9, 5.2.17, 5.3.29 and 5.4.32 for Windows-based hosting.
    On linux-based nodes you can register own PHP version by steps from the article:
    On Windows-based nodes unfortunately, it's not possible at the moment.

    Also, you can update custom-built PHP hanlder for example from PHP 5.6.3 to PHP 5.6.8 as follows:

    First, to simplify administration, it is recommended to install custom PHP into the directory with a name not containing minor version number. For example, you install PHP 5.6.3, so the directory name would be /usr/local/php-5.6, to achieve this PHP has to be configured with the following options(built-in modules are provided as example):

    ./configure '--with-libdir=lib64' '--cache-file=../config.cache' '--prefix=/usr/local/php-5.6' '--with-config-file-path=/usr/local/php-5.6/etc' '--disable-debug' '--with-pic' '--disable-rpath' '--with-bz2' '--with-curl' '--with-freetype-dir=/usr/local/php-5.6' '--with-png-dir=/usr/local/php-5.6' '--enable-gd-native-ttf' '--without-gdbm' '--with-gettext' '--with-gmp' '--with-iconv' '--with-jpeg-dir=/usr/local/php-5.6' '--with-openssl' '--with-pspell' '--with-pcre-regex' '--with-zlib' '--enable-exif' '--enable-ftp' '--enable-sockets' '--enable-sysvsem' '--enable-sysvshm' '--enable-sysvmsg' '--enable-wddx' '--with-kerberos' '--with-unixODBC=/usr' '--enable-shmop' '--enable-calendar' '--without-sqlite3' '--with-libxml-dir=/usr/local/php-5.6' '--enable-pcntl' '--with-imap' '--with-imap-ssl' '--enable-mbstring' '--enable-mbregex' '--with-gd' '--enable-bcmath' '--with-xmlrpc' '--with-ldap' '--with-ldap-sasl' '--with-mysql=/usr' '--with-mysqli' '--with-snmp' '--enable-soap' '--with-xsl' '--enable-xmlreader' '--enable-xmlwriter' '--enable-pdo' '--with-pdo-mysql' '--with-pdo-pgsql' '--with-pear=/usr/local/php-5.6/pear' '--enable-intl' '--without-pdo-sqlite' '--with-config-file-scan-dir=/usr/local/php-5.6/php.d'

    Next time, when you decide to update PHP 5.6 to the latest build, you perform the following steps:

    1. Download archive with a new version (for example php-5.6.8.tar.bz2)

    # cd /usr/src
    # wget
    2. Unpack it:

    # tar xjvf php-5.6.8.tar.bz2
    3. Configure with the same prefix:

    # cd php-5.6.8
    # ./configure '--with-libdir=lib64' '--cache-file=../config.cache' '--prefix=/usr/local/php-5.6' '--with-config-file-path=/usr/local/php-5.6/etc' '--disable-debug' '--with-pic' '--disable-rpath' '--with-bz2' '--with-curl' '--with-freetype-dir=/usr/local/php-5.6' '--with-png-dir=/usr/local/php-5.6' '--enable-gd-native-ttf' '--without-gdbm' '--with-gettext' '--with-gmp' '--with-iconv' '--with-jpeg-dir=/usr/local/php-5.6' '--with-openssl' '--with-pspell' '--with-pcre-regex' '--with-zlib' '--enable-exif' '--enable-ftp' '--enable-sockets' '--enable-sysvsem' '--enable-sysvshm' '--enable-sysvmsg' '--enable-wddx' '--with-kerberos' '--with-unixODBC=/usr' '--enable-shmop' '--enable-calendar' '--without-sqlite3' '--with-libxml-dir=/usr/local/php-5.6' '--enable-pcntl' '--with-imap' '--with-imap-ssl' '--enable-mbstring' '--enable-mbregex' '--with-gd' '--enable-bcmath' '--with-xmlrpc' '--with-ldap' '--with-ldap-sasl' '--with-mysql=/usr' '--with-mysqli' '--with-snmp' '--enable-soap' '--with-xsl' '--enable-xmlreader' '--enable-xmlwriter' '--enable-pdo' '--with-pdo-mysql' '--with-pdo-pgsql' '--with-pear=/usr/local/php-5.6/pear' '--enable-intl' '--without-pdo-sqlite' '--with-config-file-scan-dir=/usr/local/php-5.6/php.d'
    4. Build PHP:

    # make
    5. If you compiled PHP on another server, first move the directory with compiled PHP to the destination server. Please note it has to be the same directory name as on source server. Once the directory with compiled PHP is on destination server, you can install it:

    # make install
    The older version in /usr/local/php-5.6 will be overwritten. After new PHP has been installed, you can update PHP handler display name accordingly, so it will reflect the changes in CCP:

    1. Obtain PHP handler ID:

    # /usr/local/psa/bin/php_handler --list -service-node
    id: display name: full version: version: type: cgi-bin: php.ini: custom:
    cgi 5.3.3 5.3.3 5.3 cgi /usr/bin/php-cgi /etc/php.ini false
    fastcgi 5.3.3 5.3.3 5.3 fastcgi /usr/bin/php-cgi /etc/php.ini false
    module 5.3.3 5.3.3 5.3 module /usr/bin/php-cgi /etc/php.ini false
    php563 php-5.6.3 5.6.3 5.6 fastcgi /usr/local/php563-cgi/bin/php-cgi /usr/local/php563-cgi/php.ini true

    2. Update display name:

    /usr/local/psa/bin/php_handler --update -displayname php-5.6.8 -id php563 -service-node

    You can also create a backup of the directory /usr/local/php-5.6 before installing new version, so you can roll back to the older version if needed.
    Last edited: Feb 16, 2016
  3. Thomas Westman

    Thomas Westman Bit Poster

    Hi JustinSoul
    and thanks for your replay We use Windows-based nodes so for me it´s realy important that Plesk / Odin make this upgrades regarding PHP to a secure
    version at this time i think it is 5.6.8, We have a lot of joomla custumers so pleace dont make this a voting matter
    its a security matter and shuld be treated that way

    Kind Regards
  4. JustinSoul

    JustinSoul Odin Team

    This information was passed to Plesk Automation Developers, however we have no ETA for it now.

    Meanwhile, you can check Plesk Automation upcoming updates and bugfixes plans at

    Please consider that this article outlines _current plans_ that can be changed because of several reasons.
    It cannot be considered as guarantee or any kind of commitment.
  5. Thomas Westman

    Thomas Westman Bit Poster

    Tanks JustinSoul i vill check out the
    and hopfully the Developers vill see this as a security matter like it is and make the update...


Share This Page