PHP LTS security fixes have arrived
That’s right - thanks to a Freexian subscription, end of life versions of PHP are getting extended support!
The PHP lifespan
A PHP version is officially supported for a total of 3 years, split into two distinct periods:
- 2 years of active support
- 1 year of security fixes
After that last year of security fixes, the version is considered to be “end of life” and will no longer receive any bug fixes or security fixes.
With this in mind, we always encourage our Platform.sh users to use a supported version of PHP to ensure the best performance and security. And the good news is with our platform, it’s simple to upgrade to the latest version of PHP in just a few steps: branch, update, deploy, test, and merge. Check out this blog where we explain how to do it.
…but what if I can’t upgrade?
We get it. Being able to upgrade to the latest version of PHP every time a new release is made available isn’t always easy or possible. The reality is that projects can involve:
- Custom code which needs to be upgraded to the latest version.
- Unsupported plugins which may have been discontinued in the latest versions.
- A long life cycle with huge QA steps.
That’s why, even with all the tooling and good intentions, many “end of life” versions of PHP are still used widely on production applications. So, what’s the alternative?
We have your back
Every year a PHP version reaches its “end of life” and we receive a lot of enquiries from our customers and partners regarding their application security. Many of them do not want to migrate to a new version of PHP for similar reasons to those mentioned above but want to know if their applications would still be secure. So we started looking for a solution to provide long-term support for PHP.
And the good news is we found that solution and implemented it. End of life PHP will continue to receive security fixes for our users. However, even with our PHP legacy and all of our skilled engineers, we are not PHP maintainers. That’s why we got in touch with Freexian.
Freexian is a service company specializing in Free Software and, in particular, Debian. It offers long-term support for Debian and PHP, and describes its security support as:
How do I get this LTS support?
PHP versions are now covered with LTS support without extra charge. Your projects will get the latest version when the image is updated; this happens when a project is redeployed or when the SSL certificate is renewed.
To make sure that your projects use an LTS version, you can force a redeploy by using the following CLI command:
Or, alternatively, in Console you can:
- Select the project and the environment
- Click on the ‘More’ menu and select ‘Redeploy’
Which versions are supported?
At the time of writing this blog post, versions retroactively affected by this extended support are PHP 5.6 and 7.0.
The team is actively working on providing the same support on 7.2, 7.4 and 8.0 versions.
We do our best to extend the support for PHP versions, but at the end of the day, older versions will disappear at some point: it’s possible that someone discovers a security issue that just can’t be fixed, which would force us to retire a version.
That’s why upgrading your PHP version, even from one minor version to another minor version, is always a good move and our top tip when it comes to optimizing your performance and security.