2

Oddly enough I couldn't seem to find anything about this. Baffles me, except I'm an Ubuntu noob (switched over about 6 months ago, and absolutely loving it).

I'm simply trying to install php 7.2.31 (the version my hosting is using) on Ubuntu 20.04. I found an answer on SE for installing 7.2, but this installed 7.2.34...doh! It would be of great help if I could get a generalized answer here, something to point me in the right direction of installing any version of anything on Ubuntu (or anything:). Thanks hahaha! :)

Cinder
  • 21
  • 2
    Hmmm... Can you explain why the version in repositories isn't working for your use case? Software gets updated all the time, so it's incredibly rare that you need a very specific version. They should have the same functionality, right? – Nmath Mar 26 '22 at 03:00
  • 1
    Why would a slightly newer version be an issue? Unless you’re writing software that needs a very specific quirk that exists in very specific releases, using slightly different numbers should be fine – matigo Mar 26 '22 at 03:03
  • What's with the "hahaha! :)" ? Is this some kind of joke question? – user535733 Mar 26 '22 at 03:26
  • Well it's simply a fact-of-life of my workflow, I'm building a website specifically (on the server) for php 7.2.31, and running php 7.4.x on my sandbox. I would prefer to line everything up on my sandbox, you know, if necessary. Basically, are "revisions" backwards compatible? – Cinder Mar 26 '22 at 03:29
  • Install anything on anything? That's what's hahaha ;) – Cinder Mar 26 '22 at 03:29
  • 1
    I write a whole bunch of PHP and my local development system uses PHP 7.4 while the servers I deploy to are running 7.1, 7.2, 7.4, and 8.0. So long as you're using standard functions, there should be no issue. If you need 100% alignment, the only way you'll get it is via Docker containers. – matigo Mar 26 '22 at 03:39
  • I had a property-typing error in one of my (small) scripts I uploaded to my server. It was a quick fix (just removed the types), but I thought you know it would be a good idea to be strict about this, if possible. That's all. – Cinder Mar 26 '22 at 03:43
  • My question is basically: are php 7.2.x backwards compatible? I know this is an EXTREMELY retarded question but I thought it would be a killer one to ask here on SE :D – Cinder Mar 26 '22 at 03:43
  • Pretty sure that version has multiple DOS vulnerabilities. Can you update the hosting version (it probably should be updated)? – mchid Mar 26 '22 at 03:45
  • @Cinder Although that does sound like a good question, I think it would be better posted as a separate question to ask if version 7.2.34 is generally backwards compatible with 7.2.31. There really weren't that many changes aside from the CVE fixes. I posted the changelog below in my answer. – mchid Mar 26 '22 at 04:05
  • Your intentions are good but misguided. You're much more likely to break something or expose a vulnerability by trying to force a particular package version. This can be especially destructive when it starts to come to dependencies and there are a lot of dependencies associated with php. I would leave it alone. Stay with the maintained version unless absolutely necessary. In this case, it doesn't seem to be so – Nmath Mar 26 '22 at 04:11
  • I'll try docker and see what I get. My only concern is coding thousands of lines of code and then having to pick through them right before publish. I mean this seems like not a good thing. Am I wrong for thinking this? – Cinder Mar 26 '22 at 15:11
  • So I'm trying to install via docker, anyone help me with this? Total noob :D Figured it might be faster to just ask instead of fiddling around all day long. – Cinder Mar 26 '22 at 23:36
  • Ok so I figure I need this image on docker, can anyone confirm this? https://hub.docker.com/layers/php/library/php/7.2.31-apache-stretch/images/sha256-710cea82add4bb22d5cc5dcfe98a11f5220caa8e2b2374f0ad31c32a9eb39095?context=explore – Cinder Mar 27 '22 at 02:30
  • So before I go any further why would I not want to do this? How does one code for a particular version of php without a huge mess, otherwise? – Cinder Mar 29 '22 at 14:13
  • https://github.com/rectorphp/rector – Cinder Apr 01 '22 at 05:00

1 Answer

5

There have been multiple CVEs fixed in subsequent versions since 7.2.31, all the way up to 7.3.34.

You're probably not going to find a vulnerable version to install unless you download it from php directly or build it from source, although I'm not sure you would want to do that just to run a vulnerable version. Also, I'm not sure if vulnerable versions are even available directly from php.

CVE-2020-7070

CVE-2020-7069

CVE-2020-7068

Version 7.2.34
01 Oct 2020
Core:
Fixed bug #79699 (PHP parses encoded cookie names so malicious `__Host-` cookies can be sent). (CVE-2020-7070)
OpenSSL:
Fixed bug #79601 (Wrong ciphertext/tag in AES-CCM encryption for a 12 bytes IV). (CVE-2020-7069)

Version 7.2.33
06 Aug 2020
Core:
Fixed bug #79877 (getimagesize function silently truncates after a null byte) (cmb)
Phar:
Fixed bug #79797 (Use of freed hash key in the phar_parse_zipfile function). (CVE-2020-7068)

Version 7.2.32
09 Jul 2020
Windows:
Rebuild of official Windows binaries with patched libcurl. No PHP source changes.

mchid
  • 43,546
  • 8
  • 97
  • 150
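
The changelog quoted in the answer can be checked mechanically against a pinned version. The following is an added example, not part of the original answer: it parses that excerpt and lists the CVE fixes a given 7.2.x release lacks. The function names are hypothetical, and the data covers only the three releases quoted above.

```python
import re

# Changelog excerpt copied from the answer above (PHP 7.2.32 to 7.2.34).
CHANGELOG = """\
Version 7.2.34
01 Oct 2020
Core:
Fixed bug #79699 (PHP parses encoded cookie names so malicious `__Host-` cookies can be sent). (CVE-2020-7070)
OpenSSL:
Fixed bug #79601 (Wrong ciphertext/tag in AES-CCM encryption for a 12 bytes IV). (CVE-2020-7069)
Version 7.2.33
06 Aug 2020
Core:
Fixed bug #79877 (getimagesize function silently truncates after a null byte) (cmb)
Phar:
Fixed bug #79797 (Use of freed hash key in the phar_parse_zipfile function). (CVE-2020-7068)
Version 7.2.32
09 Jul 2020
Windows:
Rebuild of official Windows binaries with patched libcurl. No PHP source changes.
"""
TRIPLE = r"(\d+)\.(\d+)\.(\d+)"

def parse_version(text):
    """Turn '7.2.31' (or a longer package string starting with it) into a tuple."""
    m = re.match(TRIPLE, text.strip())
    if not m:
        raise ValueError(f"not a PHP version: {text!r}")
    return tuple(map(int, m.groups()))

def fixes_by_release(changelog):
    """Map each release tuple to the CVE ids named under its heading."""
    releases, current = {}, None
    for line in changelog.splitlines():
        m = re.match(r"Version " + TRIPLE, line)
        if m:
            current = tuple(map(int, m.groups()))
            releases[current] = []
        elif current is not None:
            releases[current] += re.findall(r"CVE-\d{4}-\d{4,}", line)
    return releases

def missing_fixes(installed, changelog=CHANGELOG):
    """(CVE, fixed-in) pairs from same-branch releases newer than `installed`."""
    have = parse_version(installed)
    return [(cve, ".".join(map(str, rel)))
            for rel, cves in sorted(fixes_by_release(changelog).items())
            if rel[:2] == have[:2] and rel > have
            for cve in cves]
```

Distribution packages can backport fixes without changing the upstream version number, so the result describes upstream releases only.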