PHP LTS security fixes have arrived

09 May, 2023
Rémi Lejeune
Product Manager

That’s right - thanks to a Freexian subscription, end of life versions of PHP are getting extended support!

The lifespan of a PHP version

A PHP version is officially supported for a total of 3 years, split into two distinct periods:

  1. 2 years of active support
  2. 1 year of security fixes

After that last year of security fixes, the version is considered to be “end of life” and will no longer receive any bug fixes or security fixes.

With this in mind, we always encourage our Platform.sh users to use a supported version of PHP to ensure the best performance and security. And the good news is with our platform, it’s simple to upgrade to the latest version of PHP in just a few steps: branch, update, deploy, test, and merge. Check out this blog where we explain how to do it.

What if I can’t upgrade to the latest PHP versions?

We get it. Being able to upgrade to the latest version of PHP every time a new release is made available isn’t always easy or possible. The reality is that projects can involve:

  • Custom code which needs to be upgraded to the latest version.
  • Unsupported plugins which may have been discontinued in the latest versions.
  • A long life cycle with huge QA steps.

That’s why, even with all the tooling and good intentions, many “end of life” versions of PHP are still used widely on production applications. So, what’s the alternative?

Enhancing application security with long-term PHP support

Every year a PHP version reaches its “end of life” and we receive a lot of enquiries from our customers and partners regarding their application security. Many of them do not want to migrate to a new version of PHP for similar reasons to those mentioned above but want to know if their applications would still be secure. So we started looking for a solution to provide long-term support for PHP.

And the good news is we found that solution and implemented it. End of life PHP will continue to receive security fixes for our users. However, even with our PHP legacy and all of our skilled engineers, we are not PHP maintainers. That’s why we got in touch with Freexian.

Freexian is a service company specializing in Free Software and, in particular, Debian. It offers long-term support for Debian and PHP, and describes its security support as follows:

Upstream security and stability fixes, as applied to PHP stable releases, are backported to the Freexian LTS supported PHP releases. This is essentially the same support that upstream PHP provides for their upstream-supported releases, but continued long after upstream PHP stops supporting them.

We review and triage security issues regularly, and apply patches according to impact and compatibility with the older PHP releases. This is done on a best-effort basis. Where an issue is not fixable, mitigations may be recommended.

Many security updates come with regression tests to ensure that they are fixed. These are usually backported with the patch, ensuring its correctness and avoiding future regression.

This is the same level of security support as is provided for PHP packages within regular Debian stable releases, by the same team.

How do I get this PHP LTS?

PHP versions are now covered with LTS support without extra charge. Your projects will get the latest version when the image is updated; this happens when a project is redeployed or when the SSL certificate is renewed.

To make sure that your projects use an LTS version, you can force a redeploy by using the following CLI command:

platform redeploy

Or, alternatively, in Console you can:

  1. Select the project and the environment
  2. Click on the ‘More’ menu and select ‘Redeploy’

Which PHP versions are supported?

At the time of writing this blog post, versions retroactively affected by this extended support are PHP 5.6 and 7.0.

The team is actively working on providing the same support for versions 7.2, 7.4 and 8.0.

Stay ahead with PHP upgrades!

We do our best to extend the support for PHP versions, but at the end of the day older versions will disappear at some point: it's possible that someone discovers a security issue that just can't be fixed, which forces us to retire a version.

That’s why upgrading your PHP version, even from one minor version to another minor version, is always a good move and our top tip when it comes to optimizing your performance and security.
