How to safely update PHP and apache server to most recent versions CentOS 6.4

Posted on 2013-06-17
Last Modified: 2013-06-18
Hi,

My server must become PCI DSS compliant and as part of this I must update PHP, openssl, openssh, and apache to the most current versions.

I want to know the best practice for doing this on a CentOS 6.4 server, what to look out for/what can go wrong, and how to roll back changes if I make a mistake.

There are a number of sites on this server, each is controlled by a cPanel account (to which I have complete access), but only one of them handles credit card data.  Initially, I would like to update PHP for this cPanel account only.

Apache info:
Server version: Apache/2.2.21 (Unix)
Server built:   Jan 21 2012 20:57:54
Cpanel::Easy::Apache v3.8.5 rev9999
Server loaded:  APR 1.4.5, APR-Util 1.3.12
Compiled using: APR 1.4.5, APR-Util 1.3.12
Architecture:   64-bit
Server MPM:     Prefork
  threaded:     no
    forked:     yes (variable process count)
Server compiled with....
 -D APACHE_MPM_DIR="server/mpm/prefork"
 -D APR_HAS_SENDFILE
 -D APR_HAS_MMAP
 -D APR_HAVE_IPV6 (IPv4-mapped addresses enabled)
 -D APR_USE_SYSVSEM_SERIALIZE
 -D APR_USE_PTHREAD_SERIALIZE
 -D SINGLE_LISTEN_UNSERIALIZED_ACCEPT
 -D APR_HAS_OTHER_CHILD
 -D AP_HAVE_RELIABLE_PIPED_LOGS
 -D DYNAMIC_MODULE_LIMIT=128
 -D HTTPD_ROOT="/usr/local/apache"
 -D SUEXEC_BIN="/usr/local/apache/bin/suexec"
 -D DEFAULT_PIDLOG="logs/httpd.pid"
 -D DEFAULT_SCOREBOARD="logs/apache_runtime_status"
 -D DEFAULT_LOCKFILE="logs/accept.lock"
 -D DEFAULT_ERRORLOG="logs/error_log"
 -D AP_TYPES_CONFIG_FILE="conf/mime.types"
 -D SERVER_CONFIG_FILE="conf/httpd.conf"

The PHP version displays as 5.2.17 but I'm not convinced that this is true, as the cPanel php.ini files are located in /usr/local/cpanel/3rdparty/php/53/* which looks like it's some kind of 5.3.x.

I'm not entirely sure what data you will need from me; so please advise.

Thanks
Question by:EyeBallInSalt
8 Comments

Expert Comment

by:Dave Baldwin
ID: 39255441
"My server must become PCI DSS compliant and as part of this i must update PHP, openssl, openssh, and apache to the most current versions.  "

I am curious who told you that because I don't think it is true.  To update to the very latest versions, you must download and compile the source code yourself.  Binaries other than the supported packages are not normally available for Linux systems.

Author Comment

by:EyeBallInSalt
ID: 39255532
Thanks for posting.
I got these recommendations from the Trustwave vulnerability scan performed on my server.

"Binaries other than the supported packages are not normally available for Linux systems."

Are you saying that the most recent versions of PHP, OpenSSL, OpenSSH, and Apache are not supported packages for CentOS 6.4?

Expert Comment

by:David Johnson, CD, MVP
ID: 39255691
There are many different versions available.
Version #
Beta
Latest
Latest-Stable is version 5.4.16
Earlier Versions

i.e. php
The very latest version is available via git from the git repository (source)

BTW Centos is at version 6.5

Apache
Stable Release - Latest Version:
    2.4.4 (released 2013-02-25)
Stable Release - 2.2 Branch:
    2.2.24 (released 2013-02-26)
Legacy Release:
    2.0.64 (released 2010-10-19)

11-Feb-2013:          OpenSSL 1.0.1e is now available, including bug fixes

openssh latest update 20130516

Doesn't Centos have an updater?  You MUST always keep your software up to date with the latest patches otherwise the cracker-hackers will use the vulnerabilities to gain access to your system.

Author Comment

by:EyeBallInSalt
ID: 39255714
Sorry about the versions; I wasn't clear.  It is the most recent stable version that I need to update to in all cases.

Centos DOES have an updater!  That's great and thanks for pointing that out.
But doesn't that lead me to the same issue?  I want to safely update the software without breaking my sites.
If I use the updater, am I not exposing myself to mishap, as ALL of the software will be updated simultaneously?
For example, PHP 5.4.16 breaks at least one of my sites on my development machine.
Ideally, I'd like to update php for the site that is to become compliant only and leave the others for a later date.

Also, I don't know what can go wrong when updating Apache/OpenSSL/OpenSSH.

Accepted Solution

by:
David Johnson, CD, MVP earned 500 total points
ID: 39255747
Why does PHP 5.4.16 break that site... is something I'd be investigating.

What I do is go through the changelog(s); sometimes there is a sweeping change to something I don't use.. and what I do use isn't mentioned..

If you want to test things a lab is always a good idea. Update the lab, check things out.. if nothing seems broken.. then stage it to the production servers.  Sometimes authors use undocumented calls or rely on deprecated calls in their code. Those are the major code breakers..

Author Comment

by:EyeBallInSalt
ID: 39256401
"If you want to test things a lab is always a good idea. "

I think you've hit the nail on the head there.  I've been struggling to replicate my production environment in a VMware ESXi virtual server, but I think that I need to persevere with that so that I gain experience and become more confident when it comes to doing the updates.

Thanks for taking the time to respond.

Author Closing Comment

by:EyeBallInSalt
ID: 39256408
You made me realise where I need to focus my attention.  Thanks

Expert Comment

by:Dave Baldwin
ID: 39257133
Depending on your coding, moving from PHP 5.2 to 5.3 and 5.4 can break everything if you were depending on a feature that got obsoleted.  And if your code was written for PHP 4, it can be a huge step.

The repositories for your distribution, the place where binaries of supported software versions are stored, are unlikely to have the very latest versions of everything.  They generally do not put a new version up until they have had a chance and a reason to update it.

Also, major hosting companies rarely update the version of PHP on a server though their newer servers tend to have newer versions of PHP.  I got a big project updating a site when Godaddy stopped supporting PHP 4 and forced everyone to update to PHP 5.2/5.3.  I do have one site that is still running on PHP 4 and MySQL 4.0.
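The accepted answer's advice (read the changelogs, find the deprecated calls before updating the lab) and the last comment's warning that 5.2 to 5.3/5.4 breaks code relying on obsoleted features can be turned into a pre-upgrade audit. The script below is an added example, not from the thread; it greps a cPanel account's docroot (the path is an assumption) for the features the PHP 5.3/5.4 migration notes list as deprecated or removed, so the breakage is found on the lab box, not after `yum update` on production.

```shell
#!/bin/sh
# Added example: audit a PHP 5.2-era site for constructs that PHP 5.3 deprecates and
# PHP 5.4 removes, before the update. Run against a cPanel account's docroot, e.g.
#   php_upgrade_audit /home/<account>/public_html   (path is an assumption)
# Matches go to stderr prefixed with their category; the total hit count is echoed.

# Functions and long arrays removed outright in 5.4: code using them stops working.
REMOVED_54='session_(register|unregister|is_registered)\(|set_magic_quotes_runtime\(|magic_quotes_runtime\(|define_syslog_variables\(|import_request_variables\(|\$HTTP_(GET|POST|COOKIE|SERVER|SESSION|ENV|POST_FILES)_VARS'
# php.ini / .htaccess directives removed in 5.4; a syntax check (php -l) never sees these.
REMOVED_INI_54='register_globals|register_long_arrays|magic_quotes_(gpc|runtime|sybase)|safe_mode|allow_call_time_pass_reference'
# Deprecated in 5.3 (E_DEPRECATED): still runs on 5.4 but flags code that goes in later majors.
DEPRECATED_53='(^|[^A-Za-z0-9_])(ereg|eregi|ereg_replace|eregi_replace|split|spliti)\('
# Call-time pass-by-reference, foo(&$x) at the call site: a fatal error in 5.4.
CALLTIME_REF='[A-Za-z_][A-Za-z0-9_]*[[:space:]]*\([^)]*&\$'

php_upgrade_audit() {
    docroot=$1
    total=0
    for entry in \
        "removed-in-5.4-function|$REMOVED_54" \
        "removed-in-5.4-ini-directive|$REMOVED_INI_54" \
        "deprecated-in-5.3|$DEPRECATED_53" \
        "call-time-pass-by-reference|$CALLTIME_REF"
    do
        label=${entry%%|*}          # text before the first '|' is the category
        pat=${entry#*|}             # the rest is the extended regex
        matches=$(grep -rEIn "$pat" "$docroot" || true)
        if [ "$label" = "call-time-pass-by-reference" ]; then
            # By-reference parameters in declarations, function f(&$x), stay valid; drop them.
            matches=$(printf '%s\n' "$matches" | grep -v 'function' || true)
        fi
        if [ -n "$matches" ]; then
            printf '%s\n' "$matches" | sed "s/^/[$label] /" >&2
            n=$(printf '%s\n' "$matches" | grep -c '')
            total=$((total + n))
        fi
    done
    echo "$total"
}
```

A non-zero total is the list of files to fix (or to keep on the old PHP via the cPanel per-account php.ini) before the account is switched; the ini patterns also catch `php_flag` lines in .htaccess.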