Solved

How to safely update PHP and apache server to most recent versions CentOS 6.4

Posted on 2013-06-17
Last Modified: 2013-06-18
Hi,

My server must become PCI DSS compliant and as part of this I must update PHP, openssl, openssh, and apache to the most current versions.

I want to know the best practice for doing this on a CentOS 6.4 server, what to look out for/what can go wrong, and how to roll back changes if I make a mistake.

There are a number of sites on this server, each is controlled by a cPanel account (to which I have complete access), but only one of them handles credit card data.  Initially, I would like to update PHP for this cPanel account only.

Apache info:
Server version: Apache/2.2.21 (Unix)
Server built:   Jan 21 2012 20:57:54
Cpanel::Easy::Apache v3.8.5 rev9999
Server loaded:  APR 1.4.5, APR-Util 1.3.12
Compiled using: APR 1.4.5, APR-Util 1.3.12
Architecture:   64-bit
Server MPM:     Prefork
  threaded:     no
    forked:     yes (variable process count)
Server compiled with....
 -D APACHE_MPM_DIR="server/mpm/prefork"
 -D APR_HAS_SENDFILE
 -D APR_HAS_MMAP
 -D APR_HAVE_IPV6 (IPv4-mapped addresses enabled)
 -D APR_USE_SYSVSEM_SERIALIZE
 -D APR_USE_PTHREAD_SERIALIZE
 -D SINGLE_LISTEN_UNSERIALIZED_ACCEPT
 -D APR_HAS_OTHER_CHILD
 -D AP_HAVE_RELIABLE_PIPED_LOGS
 -D DYNAMIC_MODULE_LIMIT=128
 -D HTTPD_ROOT="/usr/local/apache"
 -D SUEXEC_BIN="/usr/local/apache/bin/suexec"
 -D DEFAULT_PIDLOG="logs/httpd.pid"
 -D DEFAULT_SCOREBOARD="logs/apache_runtime_status"
 -D DEFAULT_LOCKFILE="logs/accept.lock"
 -D DEFAULT_ERRORLOG="logs/error_log"
 -D AP_TYPES_CONFIG_FILE="conf/mime.types"
 -D SERVER_CONFIG_FILE="conf/httpd.conf"

The PHP version displays as 5.2.17 but I'm not convinced that this is true as the cPanel php.ini files are located in /usr/local/cpanel/3rdparty/php/53/* which looks like it's some kind of 5.3.x.

I'm not entirely sure what data you will need from me; so please advise.

Thanks
Question by:EyeBallInSalt
8 Comments
 
LVL 84

Expert Comment

by:Dave Baldwin
ID: 39255441
"My server must become PCI DSS compliant and as part of this I must update PHP, openssl, openssh, and apache to the most current versions.  "

I am curious who told you that because I don't think it is true.  To update to the very latest versions, you must download and compile the source code yourself.  Binaries other than the supported packages are not normally available for Linux systems.
0
 

Author Comment

by:EyeBallInSalt
ID: 39255532
Thanks for posting.
I got these recommendations from the Trustwave vulnerability scan performed on my server.

"Binaries other than the supported packages are not normally available for Linux systems."

Are you saying that the most recent versions of PHP, OpenSSL, OpenSSH, and Apache are not supported packages for CentOS 6.4?
0
 
LVL 83

Expert Comment

by:David Johnson, CD, MVP
ID: 39255691
There are many different versions available.
Version #
Beta
Latest
Latest-Stable is version 5.4.16
Earlier Versions

i.e. php
The very latest version is available via git from the git repository (source)

BTW CentOS is at version 6.5

Apache
Stable Release - Latest Version:
    2.4.4 (released 2013-02-25)
Stable Release - 2.2 Branch:
    2.2.24 (released 2013-02-26)
Legacy Release:
    2.0.64 (released 2010-10-19)

11-Feb-2013:          OpenSSL 1.0.1e is now available, including bug fixes

openssh latest update 20130516

Doesn't CentOS have an updater?  You MUST always keep your software up to date with the latest patches otherwise the cracker-hackers will use the vulnerabilities to gain access to your system.
0

 

Author Comment

by:EyeBallInSalt
ID: 39255714
Sorry about the versions; I wasn't clear.  It is the most recent stable version that I need to update to in all cases.

CentOS DOES have an updater!  That's great and thanks for pointing that out.
But doesn't that lead me to the same issue?  I want to safely update the software without breaking my sites.
If I use the updater, am I not exposing myself to mishap as ALL of the software will be updated simultaneously?
For example, PHP 5.4.16 breaks at least one of my sites on my development machine.
Ideally, I'd like to update PHP for the site that is to become compliant only and leave the others for a later date.

Also, I don't know what can go wrong when updating apache/OpenSSL/OpenSSH.
0
 
LVL 83

Accepted Solution

by:
David Johnson, CD, MVP earned 1500 total points
ID: 39255747
Why does PHP 5.4.16 break that site... is something I'd be investigating.

What I do is go through the changelog(s); sometimes there is a sweeping change to something I don't use.. and what I do use isn't mentioned..

If you want to test things a lab is always a good idea. Update the lab, check things out.. if nothing seems broken.. then stage it to the production servers.  Sometimes authors use undocumented calls or rely on deprecated calls in their code. Those are the major code breakers..
0
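One way to do the changelog check from the answer above mechanically in the lab, as an added example that is not part of the original thread: a shell scan of a PHP tree for plain function calls that the PHP 5.3 and 5.4 migration notes list as deprecated or removed. The function names (`scan_calls`, `report`, `count_removed`, `make_sample_tree`) and the sample files are constructed for illustration, and the function lists are a subset, not the full changelog.

```shell
#!/usr/bin/env bash
# Added example (not from the thread). Heuristic text match, not a PHP parser:
# review each hit by hand before changing code.

# Deprecated since PHP 5.3: still run on 5.4 but raise E_DEPRECATED.
DEPRECATED_53='ereg|eregi|ereg_replace|eregi_replace|split|spliti|sql_regcase'
# Removed in PHP 5.4: calling them is a fatal "undefined function" error.
REMOVED_54='session_register|session_unregister|session_is_registered|define_syslog_variables|import_request_variables'

# scan_calls DIR NAMES -> "file:line:source" for each plain function call.
# The leading character class skips methods (->x, ::x), $x() and names such
# as preg_split( that merely end in a listed name.
scan_calls() {
  grep -rnE --include='*.php' \
    "(^|[^A-Za-z0-9_>\$:])($2)[[:space:]]*\(" "$1" || true
}

# report DIR -> all findings tagged with severity, fatal ones first.
report() {
  scan_calls "$1" "$REMOVED_54"    | sed 's/^/REMOVED-5.4    /'
  scan_calls "$1" "$DEPRECATED_53" | sed 's/^/DEPRECATED-5.3 /'
}

# count_removed DIR -> number of lines that would be fatal on PHP 5.4.
count_removed() { scan_calls "$1" "$REMOVED_54" | wc -l | tr -d ' '; }

# make_sample_tree -> path of a small constructed docroot for the demo.
make_sample_tree() {
  d=$(mktemp -d)
  printf '%s\n' '<?php' 'session_register("cart");' \
    '$p = split(",", $csv);' '$q = preg_split("/,/", $csv);' > "$d/cart.php"
  printf '%s\n' '<?php' 'if (ereg("^[0-9]+$", $id)) { $db->split($id); }' \
    'import_request_variables("gp", "r_");' > "$d/lookup.php"
  echo "$d"
}

# With an argument, scan that directory (a lab copy of the docroot);
# without one, run against the constructed sample tree.
if [ -n "${1:-}" ]; then
  report "$1"
else
  tree=$(make_sample_tree); report "$tree"; rm -rf "$tree"
fi
```

A non-zero `count_removed` for the card-handling account's docroot means that site will fail outright on 5.4 and needs code changes before the upgrade is staged to production.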
 

Author Comment

by:EyeBallInSalt
ID: 39256401
"If you want to test things a lab is always a good idea. "

I think you've hit the nail on the head there.  I've been struggling to replicate my production environment in a VMware ESXi virtual server but I think that I need to persevere with that so that I gain experience and become more confident when it comes to doing the updates.

Thanks for taking the time to respond.
0
 

Author Closing Comment

by:EyeBallInSalt
ID: 39256408
You made me realise where I need to focus my attention.  Thanks
0
 
LVL 84

Expert Comment

by:Dave Baldwin
ID: 39257133
Depending on your coding, moving from PHP 5.2 to 5.3 and 5.4 can break everything if you were depending on a feature that got obsoleted.  And if your code was written for PHP 4, it can be a huge step.

The repositories for your distribution, the place where binaries of supported software versions are stored, are unlikely to have the very latest versions of everything.  They generally do not put a new version up until they have had a chance and a reason to update it.

Also, major hosting companies rarely update the version of PHP on a server, though their newer servers tend to have newer versions of PHP.  I got a big project updating a site when GoDaddy stopped supporting PHP 4 and forced everyone to update to PHP 5.2/5.3.  I do have one site that is still running on PHP 4 and MySQL 4.0.
0
