• Overview
    Frameworks
    • Drupal
    • WordPress
    • Symfony
    • Magento
    • See all frameworks
    Features
    • Observability
    • Auto-scaling
    Solutions
    • Marketing Teams
    • Retail
    • Higher Education
  • Pricing
  • Featured articles
    • Switching to Platform.sh can help IT/DevOps organizations drive 219% ROI
    • Organizations, the ultimate way to manage your users and projects
  • Support
  • Docs
  • Contact
  • Login
  • Free Trial
Blog
Security updates for PHP: rolling out now

Security updates for PHP: rolling out now

php
September 11, 2019

Recently, the PHP team released a security update for PHP 7.3.9, 7.2.22, and 7.1.32. This update fixes a remote code execution vulnerability, and, as usual, all PHP users are encouraged to upgrade immediately.

Platform.sh customers: don't worry, we got this. Automatic upgrades are rolling out tonight.

New releases of the PHP engine come out every month, with bug fixes and the occasional security fix; most other languages also have periodic bug-fix releases. At Platform.sh, that’s largely abstracted away from you. We package up each PHP release series (e.g., 7.1, 7.2, 7.3) and make it available as a container type that you can select for your application. Every time you deploy an environment (be it production or a dev environment), we use whatever the most recent release available is for that PHP series.

That means under normal circumstances customers can largely ignore patch releases entirely. They’ll get those upgrades automatically in the normal course of development as long as a site is redeployed every so often (which it should be to renew Let's Encrypt TLS certificates.) The same is true for every other language we support.

Because this particular release includes a fix for a remote code execution (technical speak for "potentially really, really bad"), we're taking the extra step this time and triggering a redeploy on all environments using the php:7.1, php:7.2, or php:7.3 container images to force them all to use the latest release. Over the next day or two, rolling redeploys will take place outside of standard business hours in each region. Sites may experience a very brief (under one minute, but often only a few seconds) interruption during the update as the container is swapped out.

To be clear, as of this writing, we’re not aware of any active exploits of this bug—on Platform.sh or elsewhere. Where remote code execution is concerned, though, better safe than sorry.

So what do you need to do?

Absolutely nothing. This upgrade will happen automatically. In general, though, we recommend setting up a cron job to renew Let's Encrypt certificates (as above), which will also ensure that all languages and services you're using are on the latest version we have available.

Please note, however, that if you're on a version of PHP older than 7.1, your PHP version is unsupported and will not be getting any new security releases. You should upgrade immediately to 7.2 or 7.3. If you're still on 7.1, be aware that security support ends 1 December of this year, so you should be planning your upgrade to 7.3 now. Fortunately, upgrading your PHP on Platform.sh is one-character trivial, and can be easily and safely tested in a dev branch.

If you experience any issues, please open a ticket with our support team.

Get the latest Platform.sh news and resources
Subscribe

Related Content

Cover image

PHP 8.1 lays new ground on Platform.sh

Company

AboutSecurity and complianceTrust CenterBoard and investorsCareersPressContact us
System StatusPrivacyTerms of ServiceImpressumWCAG ComplianceManage your cookie preferencesReport a security issue
© 2022 Platform.sh. All rights reserved.
Supported by Horizon 2020's SME Instrument - European Commission 🇪🇺