Solved

How to safely update PHP and Apache server to most recent versions on CentOS 6.4

Posted on 2013-06-17
Last Modified: 2013-06-18
Hi,

My server must become PCI DSS compliant and as part of this I must update PHP, OpenSSL, OpenSSH, and Apache to the most current versions.

I want to know the best practice for doing this on a CentOS 6.4 server, what to look out for/what can go wrong, and how to roll back changes if I make a mistake.

There are a number of sites on this server, each controlled by a cPanel account (to which I have complete access), but only one of them handles credit card data. Initially, I would like to update PHP for this cPanel account only.

Apache info:
Server version: Apache/2.2.21 (Unix)
Server built:   Jan 21 2012 20:57:54
Cpanel::Easy::Apache v3.8.5 rev9999
Server loaded:  APR 1.4.5, APR-Util 1.3.12
Compiled using: APR 1.4.5, APR-Util 1.3.12
Architecture:   64-bit
Server MPM:     Prefork
  threaded:     no
    forked:     yes (variable process count)
Server compiled with....
 -D APACHE_MPM_DIR="server/mpm/prefork"
 -D APR_HAS_SENDFILE
 -D APR_HAS_MMAP
 -D APR_HAVE_IPV6 (IPv4-mapped addresses enabled)
 -D APR_USE_SYSVSEM_SERIALIZE
 -D APR_USE_PTHREAD_SERIALIZE
 -D SINGLE_LISTEN_UNSERIALIZED_ACCEPT
 -D APR_HAS_OTHER_CHILD
 -D AP_HAVE_RELIABLE_PIPED_LOGS
 -D DYNAMIC_MODULE_LIMIT=128
 -D HTTPD_ROOT="/usr/local/apache"
 -D SUEXEC_BIN="/usr/local/apache/bin/suexec"
 -D DEFAULT_PIDLOG="logs/httpd.pid"
 -D DEFAULT_SCOREBOARD="logs/apache_runtime_status"
 -D DEFAULT_LOCKFILE="logs/accept.lock"
 -D DEFAULT_ERRORLOG="logs/error_log"
 -D AP_TYPES_CONFIG_FILE="conf/mime.types"
 -D SERVER_CONFIG_FILE="conf/httpd.conf"

The PHP version displays as 5.2.17, but I'm not convinced that this is true, as the cPanel php.ini files are located in /usr/local/cpanel/3rdparty/php/53/*, which looks like it's some kind of 5.3.x.

I'm not entirely sure what data you will need from me, so please advise.

Thanks
Question by:EyeBallInSalt
8 Comments
 

Expert Comment

by:Dave Baldwin
"My server must become PCI DSS compliant and as part of this i must update PHP, openssl, openssh, and apache to the most current versions.  "

I am curious who told you that because I don't think it is true.  To update to the very latest versions, you must download and compile the source code yourself.  Binaries other than the supported packages are not normally available for Linux systems.
 

Author Comment

by:EyeBallInSalt
Thanks for posting.
I got these recommendations from the Trustwave vulnerability scan performed on my server.

"Binaries other than the supported packages are not normally available for Linux systems."

Are you saying that the most recent versions of PHP, OpenSSL, OpenSSH, and Apache are not supported packages for CentOS 6.4?
 

Expert Comment

by:David Johnson, CD, MVP
There are many different versions available.

i.e. PHP: Beta, Latest, Latest-Stable (version 5.4.16), and Earlier Versions.
The very latest version is available via git from the git repository (source).

BTW CentOS is at version 6.5

Apache
Stable Release - Latest Version:
    2.4.4 (released 2013-02-25)
Stable Release - 2.2 Branch:
    2.2.24 (released 2013-02-26)
Legacy Release:
    2.0.64 (released 2010-10-19)

11-Feb-2013:          OpenSSL 1.0.1e is now available, including bug fixes

openssh latest update 20130516

Doesn't CentOS have an updater? You MUST always keep your software up to date with the latest patches, otherwise the cracker-hackers will use the vulnerabilities to gain access to your system.
 

Author Comment

by:EyeBallInSalt
Sorry about the versions; I wasn't clear. It is the most recent stable version that I need to update to in all cases.

CentOS DOES have an updater! That's great, and thanks for pointing that out.
But doesn't that lead me to the same issue? I want to safely update the software without breaking my sites.
If I use the updater, am I not exposing myself to mishap, as ALL of the software will be updated simultaneously?
For example, PHP 5.4.16 breaks at least one of my sites on my development machine.
Ideally, I'd like to update PHP for the site that is to become compliant only and leave the others for a later date.

Also, I don't know what can go wrong when updating Apache/OpenSSL/OpenSSH.

Accepted Solution

by:
David Johnson, CD, MVP earned 500 total points
Why PHP 5.4.16 breaks that site... is something I'd be investigating.

What I do is go through the changelog(s). Sometimes there is a sweeping change to something I don't use, and what I do use isn't mentioned.

If you want to test things, a lab is always a good idea. Update the lab, check things out, and if nothing seems broken, then stage it to the production servers. Sometimes authors use undocumented calls or rely on deprecated calls in their code. Those are the major code breakers.
 

Author Comment

by:EyeBallInSalt
"If you want to test things a lab is always a good idea. "

I think you've hit the nail on the head there. I've been struggling to replicate my production environment on a VMware ESXi virtual server, but I think that I need to persevere with that so that I gain experience and become more confident when it comes to doing the updates.

Thanks for taking the time to respond.
 

Author Closing Comment

by:EyeBallInSalt
You made me realise where i need to focus my attention.  Thanks

Expert Comment

by:Dave Baldwin
Depending on your coding, moving from PHP 5.2 to 5.3 and 5.4 can break everything if you were depending on a feature that got obsoleted.  And if your code was written for PHP 4, it can be a huge step.

The repositories for your distribution, the place where binaries of supported software versions are stored, are unlikely to have the very latest versions of everything.  They generally do not put a new version up until they have had a chance and a reason to update it.

Also, major hosting companies rarely update the version of PHP on a server though their newer servers tend to have newer versions of PHP.  I got a big project updating a site when Godaddy stopped supporting PHP 4 and forced everyone to update to PHP 5.2/5.3.  I do have one site that is still running on PHP 4 and MySQL 4.0.
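The advice in the accepted answer (test in a lab, read the changelogs, stage to production) and Dave Baldwin's point just above about distribution repositories both come down to the same procedure: snapshot, update, verify, keep a way back. As an added example, not code from the thread, from cPanel or from CentOS, here is a small bash wrapper around CentOS 6's own package tools that does that. It also shows the practical side of the repository point: CentOS backports security fixes into the same upstream version, so the version string a scanner reads from a banner does not tell you whether a fix is present, while the package changelog does. The backup directory, the config paths other than /usr/local/apache/conf (which the httpd -V output in the question shows), the sample inventories and the placeholder CVE id in the sample data are all assumptions.

```bash
#!/bin/bash
# Added example for this thread, not code from cPanel, CentOS or the posters.
# A thin wrapper around the CentOS 6 package tools: snapshot before "yum update",
# show exactly what changed after it, check an RPM changelog for a CVE id, and
# roll the last yum transaction back. Assumed values: BACKUP_ROOT, the config
# paths other than /usr/local/apache/conf (which the question's httpd -V shows),
# the sample inventories and the placeholder CVE id used in sample data.
set -u

BACKUP_ROOT="${BACKUP_ROOT:-/root/update-backups}"
CONFIG_PATHS="/usr/local/apache/conf /usr/local/lib/php.ini /etc/ssh/sshd_config /etc/pki/tls"

# Installed packages as NAME-VERSION-RELEASE.ARCH, one per line, sorted, written to $1.
snapshot_inventory() {
    rpm -qa --qf '%{NAME}-%{VERSION}-%{RELEASE}.%{ARCH}\n' | sort > "$1"
}

# Archive the config files into $1 so a broken update can be diffed or restored.
backup_configs() {
    mkdir -p "$1"
    # word splitting of CONFIG_PATHS is intended; missing paths are skipped
    tar -czf "$1/configs.tgz" --ignore-failed-read $CONFIG_PATHS 2>/dev/null
}

# Print packages whose version/release differs between inventories $1 (before)
# and $2 (after). NAME may contain "-" (openssh-server) but VERSION and RELEASE
# never do, so the last two "-" separated fields are always version and release.
changed_packages() {
    awk -F'-' '
    {
        name = $1
        for (i = 2; i <= NF - 2; i++) name = name "-" $i
        ver = $(NF - 1) "-" $NF
        if (FILENAME == ARGV[1]) before[name] = ver; else after[name] = ver
    }
    END {
        for (n in after) {
            if (!(n in before))             print n ": (new) -> " after[n]
            else if (before[n] != after[n]) print n ": " before[n] " -> " after[n]
        }
        for (n in before) if (!(n in after)) print n ": " before[n] " -> (removed)"
    }' "$1" "$2" | sort
}

# Return 0 if the RPM changelog on stdin mentions CVE id $1. CentOS backports
# fixes into the same upstream version, so the version a scanner reads from a
# banner does not show whether a fix is present; the package changelog does.
# Real use: rpm -q --changelog openssl | changelog_mentions CVE-YYYY-NNNN
changelog_mentions() {
    grep -q -i -- "$1"
}

# Undo the most recent yum transaction via yum's own history (yum 3.2.29 on CentOS 6).
rollback_last_transaction() {
    last_id=$(yum history list 2>/dev/null | awk '/^ *[0-9]+ *\|/ { print $1; exit }')
    [ -n "$last_id" ] || { echo "no yum transaction found" >&2; return 1; }
    yum history undo "$last_id"
}

# Constructed sample inventories (real CentOS 6 package names, made-up release
# numbers) so the diff logic can be exercised without rpm. Prints the directory.
sample_inventories() {
    d=$(mktemp -d)
    printf '%s\n' openssh-5.3p1-84.1.el6.x86_64 openssh-server-5.3p1-84.1.el6.x86_64 \
        openssl-1.0.0-27.el6.x86_64 > "$d/before"
    printf '%s\n' openssh-5.3p1-84.1.el6.x86_64 openssh-server-5.3p1-84.1.el6.x86_64 \
        openssl-1.0.0-27.el6_4.2.x86_64 openssl-devel-1.0.0-27.el6_4.2.x86_64 > "$d/after"
    echo "$d"
}

main() {
    stamp=$(date +%Y%m%d-%H%M%S)
    case "${1:-}" in
        before)   backup_configs "$BACKUP_ROOT/$stamp"
                  snapshot_inventory "$BACKUP_ROOT/$stamp/packages.txt"
                  echo "$BACKUP_ROOT/$stamp" ;;
        after)    snapshot_inventory /tmp/packages.after.txt
                  changed_packages "${2:?backup dir from 'before' required}/packages.txt" \
                                   /tmp/packages.after.txt ;;
        rollback) rollback_last_transaction ;;
        demo)     d=$(sample_inventories); changed_packages "$d/before" "$d/after"; rm -rf "$d" ;;
        *)        echo "usage: $0 before | after <backup-dir> | rollback | demo" >&2; return 2 ;;
    esac
}

# Only act when given an argument, so the file can also be sourced for its functions.
if [ $# -gt 0 ]; then main "$@"; fi
```

Run `before`, then the update (in the lab first, as the accepted answer suggests), then `after <backup-dir>` to see exactly which packages moved; if a site breaks, `rollback` reverts the whole transaction rather than guessing at individual packages. One caveat specific to this server: the Cpanel::Easy::Apache line in the question means Apache and PHP were compiled by cPanel's EasyApache into /usr/local/apache rather than installed from CentOS packages, so yum does not manage them. The snapshot and rollback above therefore cover the yum-managed packages such as OpenSSL and OpenSSH, while the web stack is rebuilt through EasyApache.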
