Security updates for PHP: rolling out now

Platform.sh
11 Sep 2019

Recently, the PHP team released a security update for PHP 7.3.9, 7.2.22, and 7.1.32. This update fixes a remote code execution vulnerability, and, as usual, all PHP users are encouraged to upgrade immediately.

Platform.sh customers: don’t worry, we got this. Automatic upgrades are rolling out tonight.

New releases of the PHP engine come out every month, with bug fixes and the occasional security fix; most other languages also have periodic bug-fix releases. At Platform.sh, that’s largely abstracted away from you. We package up each PHP release series (e.g., 7.1, 7.2, 7.3) and make it available as a container type that you can select for your application. Every time you deploy an environment (be it production or a dev environment), we use whatever the most recent release available is for that PHP series.

That means under normal circumstances customers can largely ignore patch releases entirely. They’ll get those upgrades automatically in the normal course of development as long as a site is redeployed every so often (which it should be anyway, to renew Let’s Encrypt TLS certificates). The same is true for every other language we support.

Because this particular release includes a fix for a remote code execution (technical speak for “potentially really, really bad”), we’re taking the extra step this time and triggering a redeploy on all environments using the php:7.1, php:7.2, or php:7.3 container images to force them all to use the latest release. Over the next day or two, rolling redeploys will take place outside of standard business hours in each region. Sites may experience a very brief (under one minute, but often only a few seconds) interruption during the update as the container is swapped out.

To be clear, as of this writing, we’re not aware of any active exploits of this bug—on Platform.sh or elsewhere. Where remote code execution is concerned, though, better safe than sorry.

So what do you need to do?

Absolutely nothing. This upgrade will happen automatically. In general, though, we recommend setting up a cron job to renew Let’s Encrypt certificates (as above), which will also ensure that all languages and services you’re using are on the latest version we have available.

Please note, however, that if you’re on a version of PHP older than 7.1, your PHP version is unsupported and will not be getting any new security releases. You should upgrade immediately to 7.2 or 7.3. If you’re still on 7.1, be aware that security support ends 1 December of this year, so you should be planning your upgrade to 7.3 now. Fortunately, upgrading your PHP version on Platform.sh is a one-character change to your container type, and can be easily and safely tested in a dev branch.
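As an added example (not configuration from the original post), here is the shape of a `.platform.app.yaml` that selects the container type discussed above and adds the periodic-redeploy cron the post recommends for certificate renewal. The `platform redeploy` command, its flags and the `PLATFORMSH_CLI_TOKEN` prerequisite are assumptions taken from the Platform.sh CLI documentation and should be checked against the current docs.

```yaml
# .platform.app.yaml (added example, not from the original post)

# The container type selects the PHP release series; every deploy of this
# application then uses the newest patch release in that series.
# Moving from php:7.2 to php:7.3 is the one-character change mentioned above.
type: php:7.3

# Assumption: the Platform.sh CLI is installed in the container and a
# PLATFORMSH_CLI_TOKEN project variable is set so it can authenticate,
# as described in the Platform.sh docs; verify the command and flags there.
crons:
    renewcert:
        # Redeploy on the 1st and 15th of each month (10:00 UTC) so the
        # production environment picks up the current patch release and
        # renews its Let's Encrypt certificate without manual intervention.
        spec: '0 10 1,15 * *'
        cmd: |
            if [ "$PLATFORM_BRANCH" = master ]; then
                platform redeploy --yes --no-wait
            fi
```

Only the production branch is redeployed here; dev branches are redeployed whenever you push to them, so they pick up new releases in the normal course of work.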

If you experience any issues, please open a ticket with our support team.