How to safely update PHP and apache server to most recent versions CentOS 6.4

Hi,

My server must become PCI DSS compliant and as part of this I must update PHP, OpenSSL, OpenSSH, and Apache to the most current versions.

I want to know the best practice for doing this on a CentOS 6.4 server, what to look out for/what can go wrong, and how to roll back changes if I make a mistake.

There are a number of sites on this server, each controlled by a cPanel account (to which I have complete access), but only one of them handles credit card data. Initially, I would like to update PHP for this cPanel account only.

Apache info:
Server version: Apache/2.2.21 (Unix)
Server built:   Jan 21 2012 20:57:54
Cpanel::Easy::Apache v3.8.5 rev9999
Server loaded:  APR 1.4.5, APR-Util 1.3.12
Compiled using: APR 1.4.5, APR-Util 1.3.12
Architecture:   64-bit
Server MPM:     Prefork
  threaded:     no
    forked:     yes (variable process count)
Server compiled with....
 -D APACHE_MPM_DIR="server/mpm/prefork"
 -D APR_HAS_SENDFILE
 -D APR_HAS_MMAP
 -D APR_HAVE_IPV6 (IPv4-mapped addresses enabled)
 -D APR_USE_SYSVSEM_SERIALIZE
 -D APR_USE_PTHREAD_SERIALIZE
 -D SINGLE_LISTEN_UNSERIALIZED_ACCEPT
 -D APR_HAS_OTHER_CHILD
 -D AP_HAVE_RELIABLE_PIPED_LOGS
 -D DYNAMIC_MODULE_LIMIT=128
 -D HTTPD_ROOT="/usr/local/apache"
 -D SUEXEC_BIN="/usr/local/apache/bin/suexec"
 -D DEFAULT_PIDLOG="logs/httpd.pid"
 -D DEFAULT_SCOREBOARD="logs/apache_runtime_status"
 -D DEFAULT_LOCKFILE="logs/accept.lock"
 -D DEFAULT_ERRORLOG="logs/error_log"
 -D AP_TYPES_CONFIG_FILE="conf/mime.types"
 -D SERVER_CONFIG_FILE="conf/httpd.conf"

The PHP version displays as 5.2.17 but I'm not convinced that this is true, as the cPanel php.ini files are located in /usr/local/cpanel/3rdparty/php/53/* which looks like it's some kind of 5.3.x.

I'm not entirely sure what data you will need from me; so please advise.

Thanks
EyeBallInSalt Asked:
David Johnson, CD, MVP (Owner) Commented:
Why does PHP 5.4.16 break that site... is something I'd be investigating.

What I do is go through the changelog(s); sometimes there is a sweeping change to something I don't use, and what I do use isn't mentioned.

If you want to test things, a lab is always a good idea: update the lab, check things out, and if nothing seems broken, then stage it to the production servers. Sometimes authors use undocumented calls or rely on deprecated calls in their code. Those are the major code breakers.
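The deprecated-call point above is where a 5.2 to 5.4 jump usually bites, and it can be checked before the lab upgrade rather than discovered in it. The script below is an added example, not code from this thread, from cPanel or from the PHP project: it greps one account's document root for the function calls and php.ini directives that the PHP 5.3 and 5.4 migration notes list as deprecated or removed. The sample site it builds is constructed so the scan runs offline; the /home/ACCOUNT/public_html path is the usual cPanel layout and is assumed here.

```shell
#!/bin/sh
# Added example (not from the original thread): pre-upgrade scan of one site's
# document root for PHP calls deprecated in 5.3 / removed in 5.4 and php.ini
# directives removed in 5.4, so the lab upgrade starts from a list of known
# trouble spots. On a cPanel box: scan_php_tree /home/ACCOUNT/public_html

# Functions deprecated in PHP 5.3 or removed in PHP 5.4 (per the PHP migration notes).
REMOVED_FUNCS='ereg|eregi|ereg_replace|eregi_replace|split|spliti|sql_regcase|session_register|session_unregister|session_is_registered|set_magic_quotes_runtime|define_syslog_variables'
# php.ini directives removed in PHP 5.4.
REMOVED_INI='register_globals|magic_quotes_gpc|magic_quotes_runtime|safe_mode|allow_call_time_pass_reference|register_long_arrays'
# Long-array superglobals that vanish together with register_long_arrays.
LONG_ARRAYS='HTTP_(GET|POST|COOKIE|SERVER|ENV|POST_FILES|SESSION)_VARS'

# scan_php_tree DIR: print each offending line as file:line:text.
# Every grep gets "|| true" so "no match" is not an error under set -e.
scan_php_tree() {
    dir=$1
    grep -rnE --include='*.php' \
        "(^|[^a-zA-Z0-9_])(${REMOVED_FUNCS})[[:space:]]*\(" "$dir" || true
    grep -rnE --include='*.php' "[\$]${LONG_ARRAYS}" "$dir" || true
    grep -rnE --include='*.php' \
        "ini_set[[:space:]]*\([[:space:]]*['\"](${REMOVED_INI})['\"]" "$dir" || true
    grep -rnE --include='php.ini' --include='.htaccess' \
        "^[[:space:]]*(php_(flag|value)[[:space:]]+)?(${REMOVED_INI})" "$dir" || true
}

# count_findings DIR: number of offending lines, usable as a go/no-go gate.
count_findings() {
    scan_php_tree "$1" | wc -l | tr -d ' '
}

# make_sample_site: build a constructed legacy site in a temp dir, print its path.
make_sample_site() {
    d=$(mktemp -d)
    mkdir -p "$d/public_html"
    cat > "$d/public_html/index.php" <<'EOF'
<?php
// constructed legacy code: still runs on 5.2, breaks or warns on 5.4
ini_set('register_globals', '1');
$name = $HTTP_POST_VARS['name'];
if (eregi('^[a-z]+$', $name)) {
    session_register('name');
}
$parts = split(',', $name);
echo htmlspecialchars($name);
EOF
    cat > "$d/public_html/php.ini" <<'EOF'
; constructed per-account php.ini fragment
register_globals = On
safe_mode = Off
display_errors = Off
EOF
    echo "$d"
}

# Demo on the constructed sample: ./scan.sh --demo
if [ "${1:-}" = "--demo" ]; then
    site=$(make_sample_site)
    scan_php_tree "$site"
    echo "findings: $(count_findings "$site")"
    rm -rf "$site"
fi
```

The scan is deliberately noisy rather than clever: a hit is a line to read, not proof of breakage, but an account with zero hits is a far safer first candidate for the PHP bump than one with hundreds, and the list doubles as the test plan for the lab run.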
Dave Baldwin (Fixer of Problems) Commented:
"My server must become PCI DSS compliant and as part of this i must update PHP, openssl, openssh, and apache to the most current versions.  "

I am curious who told you that because I don't think it is true.  To update to the very latest versions, you must download and compile the source code yourself.  Binaries other than the supported packages are not normally available for Linux systems.
EyeBallInSalt (Author) Commented:
Thanks for posting.
I got these recommendations from the Trustwave vulnerability scan performed on my server.

"Binaries other than the supported packages are not normally available for Linux systems."

Are you saying that the most recent versions of PHP, OpenSSL, OpenSSH, and Apache are not supported packages for CentOS 6.4?
David Johnson, CD, MVP (Owner) Commented:
There are many different versions available, e.g. for PHP:
Beta
Latest
Latest-Stable is version 5.4.16
Earlier Versions

The very latest version is available via git from the git repository (source).

BTW CentOS is at version 6.5

Apache
Stable Release - Latest Version:
    2.4.4 (released 2013-02-25)
Stable Release - 2.2 Branch:
    2.2.24 (released 2013-02-26)
Legacy Release:
    2.0.64 (released 2010-10-19)

11-Feb-2013:          OpenSSL 1.0.1e is now available, including bug fixes

openssh latest update 20130516

Doesn't CentOS have an updater? You MUST always keep your software up to date with the latest patches, otherwise the cracker-hackers will use the vulnerabilities to gain access to your system.
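The updater on CentOS is yum, and its transaction history is also the rollback path the question asks for. The script below is an added example, not from this thread: it snapshots the package inventory before and after an update and diffs it by package name, so what actually changed is on record before anything is tested. The before/after lists are constructed so the diff runs offline; the commented rpm/yum lines are what you would type on the host. One caveat from the Apache banner in the question: that httpd was built by cPanel's EasyApache, and cPanel's yum.conf excludes the apache and php packages, so yum covers OpenSSL and OpenSSH here while EasyApache is the upgrade path for Apache and PHP.

```shell
#!/bin/sh
# Added example (not from the original thread): package inventory before and
# after "yum update", diffed by package name, so the change set is known and the
# rollback is a concrete transaction rather than a guess.
#
# On the server (not executed here):
#   rpm -qa | sort > /root/pkgs-before.txt
#   yum update openssl openssh openssh-server  # httpd*/php* are excluded by cPanel's
#                                              # yum.conf; EasyApache rebuilds those
#   rpm -qa | sort > /root/pkgs-after.txt
#   package_changes /root/pkgs-before.txt /root/pkgs-after.txt
#   yum history list                           # find the transaction ID
#   yum history undo <ID>                      # rollback; needs the previous RPMs to
#                                              # still be available (keepcache=1 in
#                                              # /etc/yum.conf, or a repo that still
#                                              # carries them), so confirm that first

# package_changes BEFORE AFTER: print added/removed/updated packages by name.
# Lines are "name-version-release.arch"; RPM forbids "-" inside version and
# release, so the name is everything before the last two "-" separated fields.
package_changes() {
    awk '
    function pkgname(line,   n, p, i, name) {
        n = split(line, p, "-")
        name = p[1]
        for (i = 2; i <= n - 2; i++) name = name "-" p[i]
        return name
    }
    FNR == NR { before[pkgname($0)] = $0; next }
    { after[pkgname($0)] = $0 }
    END {
        for (k in after) {
            if (!(k in before))             print "added   " after[k]
            else if (before[k] != after[k]) print "updated " before[k] " -> " after[k]
        }
        for (k in before) if (!(k in after)) print "removed " before[k]
    }' "$1" "$2" | sort
}

# make_sample_lists: write a constructed before/after inventory pair, print the dir.
# The version strings are made up for the demo, not real CentOS package versions.
make_sample_lists() {
    d=$(mktemp -d)
    cat > "$d/before.txt" <<'EOF'
bash-4.1.2-15.el6.x86_64
openssh-5.3p1-84.el6.x86_64
openssh-server-5.3p1-84.el6.x86_64
openssl-1.0.0-27.el6.x86_64
EOF
    cat > "$d/after.txt" <<'EOF'
bash-4.1.2-15.el6.x86_64
nss-3.15.1-15.el6.x86_64
openssh-5.3p1-94.el6.x86_64
openssh-server-5.3p1-94.el6.x86_64
openssl-1.0.1e-16.el6.x86_64
EOF
    echo "$d"
}

# Demo on the constructed lists: ./pkgdiff.sh --demo
if [ "${1:-}" = "--demo" ]; then
    d=$(make_sample_lists)
    package_changes "$d/before.txt" "$d/after.txt"
    rm -rf "$d"
fi
```

Keep the two inventory files with the change ticket: the "updated" lines are what the next Trustwave scan should see, and the "added" lines (dependencies pulled in by the update) are the ones people forget to mention when something else stops working.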
EyeBallInSalt (Author) Commented:
Sorry about the versions; I wasn't clear. It is the most recent stable version that I need to update to in all cases.

CentOS DOES have an updater! That's great and thanks for pointing that out.
But doesn't that lead me to the same issue? I want to safely update the software without breaking my sites.
If I use the updater, am I not exposing myself to mishap as ALL of the software will be updated simultaneously?
For example, PHP 5.4.16 breaks at least one of my sites on my development machine.
Ideally, I'd like to update PHP for the site that is to become compliant only and leave the others for a later date.

Also, I don't know what can go wrong when updating Apache/OpenSSL/OpenSSH.
EyeBallInSalt (Author) Commented:
"If you want to test things a lab is always a good idea. "

I think you've hit the nail on the head there. I've been struggling to replicate my production environment in a VMware ESXi virtual server, but I think that I need to persevere with that so that I gain experience and become more confident when it comes to doing the updates.

Thanks for taking the time to respond.
EyeBallInSalt (Author) Commented:
You made me realise where I need to focus my attention. Thanks
Dave Baldwin (Fixer of Problems) Commented:
Depending on your coding, moving from PHP 5.2 to 5.3 and 5.4 can break everything if you were depending on a feature that got obsoleted.  And if your code was written for PHP 4, it can be a huge step.

The repositories for your distribution, the place where binaries of supported software versions are stored, are unlikely to have the very latest versions of everything.  They generally do not put a new version up until they have had a chance and a reason to update it.

Also, major hosting companies rarely update the version of PHP on a server, though their newer servers tend to have newer versions of PHP. I got a big project updating a site when GoDaddy stopped supporting PHP 4 and forced everyone to update to PHP 5.2/5.3. I do have one site that is still running on PHP 4 and MySQL 4.0.