Php updates delay compared to cPanel

Collapse
X
 
  • Filter
  • Time
  • Show
Clear All
new posts

  • Php updates delay compared to cPanel

    PHP 7.0.10 is in repo since 23rd of August

  • #2
    Hello, I'm using CloudLinux repos for EasyApache 4.
    I like to have the latest versions of PHP because usually they fix critical security vulnerabilities.
    cPanel released PHP 7.0.9 on 26th of July https://documentation.cpanel.net/dis...e+4+Change+Log
    but you sync the repo only one month later (testing one month later and stable a few days after).

    Now with 7.0.10 it's about 2 weeks since the cPanel release. Can we expect more regular updates when EasyApache 4 becomes stable with CloudLinux?

    Thank you



    • #3
      PHP 7.0.11 released with security fix (and maybe they release 5.6 too).
      We're still on 7.0.9 with stable and since a few days 7.0.10 is on beta channel.



      • #4
        Am I the only one wondering about php updates?



        > cPanel, Inc. has released updated RPMs for EasyApache 4 on September 20, 2016, with PHP versions 5.6.26 and 7.0.11. This release addresses vulnerabilities related to CVE-2016-7411, CVE-2016-7412, CVE-2016-7413, CVE-2016-7414, CVE-2016-7416, CVE-2016-7417, and CVE-2016-7418. We strongly encourage all PHP 5.6 users to upgrade to version 5.6.26 and all PHP 7.0 users to upgrade to version 7.0.11.



        > ext/intl/msgformat/msgformat_format.c in PHP before 5.6.26 and 7.x before 7.0.11 does not properly restrict the locale length provided to the Locale class in the ICU library, which allows remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact via a MessageFormatter::formatMessage call with a long first argument.

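A version check against the fixed releases named in the advisory quoted above (5.6.26 and 7.0.11), as an added example that is not part of any post in this thread. The package-line shape is an assumption modelled on the names used in the thread, and the inventory is constructed sample data.

```python
import re

# Fixed releases named in the cPanel advisory quoted in the thread.
FIXED = {"5.6": (5, 6, 26), "7.0": (7, 0, 11)}

# Assumed input shape, modelled on the names used in the thread
# (alt-php56-5.6.26, ea-php70*7.0.10-2): <ea|alt>-phpNN-X.Y.Z[-release]
PKG_RE = re.compile(r"^(ea|alt)-php(\d)(\d)-(\d+)\.(\d+)\.(\d+)(?:-|$)")

# Constructed sample inventory, not output from a real server.
SAMPLE = """\
ea-php70-7.0.10-2
ea-php56-5.6.26-1
alt-php70-7.0.11-1
alt-php56-5.6.25-1
alt-php55-5.5.38-1
httpd-2.4.23-1
"""


def audit(lines):
    """Return (package, installed, fixed, status) for each base PHP package."""
    findings = []
    for line in lines:
        m = PKG_RE.match(line.strip())
        if not m:
            continue  # not a base ea-php/alt-php package line
        flavour, major, minor = m.group(1, 2, 3)
        installed = tuple(int(m.group(i)) for i in (4, 5, 6))
        fixed = FIXED.get(f"{major}.{minor}")
        if fixed is None:
            status = "not-listed"  # branch not named in the advisory
        elif installed < fixed:
            status = "outdated"
        else:
            status = "patched"
        findings.append((
            f"{flavour}-php{major}{minor}",
            ".".join(map(str, installed)),
            ".".join(map(str, fixed)) if fixed else None,
            status,
        ))
    return findings


if __name__ == "__main__":
    for pkg, have, need, status in audit(SAMPLE.splitlines()):
        print(f"{pkg:<10} installed={have:<8} fixed={need or '-':<8} {status}")
```

The status reflects the version number only; a fix backported by the vendor into an older package version is not visible to this comparison.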


        • #5
          I'm not using PHP 7.0 yet on any of our servers, so I really can't speak for it specifically. We are using PHP 5.6.26, with a mixture of CloudLinux alt-php on some servers and EA4-php on other servers.

          PHP 7.0.10 was released by PHP on August 18th

          It looks like PHP 7.0.10 for CloudLinux was released around August 25th

          PHP 7.0.11 was released by PHP on September 15th

          It looks like PHP 7.0.11 for CloudLinux was released today - September 21st

          PHP 5.6.26 was released by PHP on September 16

          PHP 5.6.26 for CloudLinux was released today - September 21st

          PHP 5.6.26 for cPanel (EA4) was released today - September 21st

          The fact that it takes 5+ days for PHP versions to be released by php.net and picked up by CloudLinux and cPanel, that is a little concerning. I wish this interval could be reduced. I'm really not sure why there is this much time between versions being released. But I would think that whatever patches CloudLinux or cPanel apply, those patches are fairly uniform between PHP 5.6.25 and PHP 5.6.26. It's just a matter of downloading the new PHP 5.6.26 source and building new RPMs. I'm not sure why it takes 5+ days to do this. But perhaps there is more involved than I am aware of.

          If you always want the latest and greatest, the only way you're going to accomplish this is to get it straight from the horse's mouth - in this case php.net. There's bound to be some delay when you start adding middle men (i.e. CloudLinux and cPanel) between a product (PHP) and the end-user (us). I'm not that upset over the 5+ days in-between for this, but at the same time I don't understand why it takes 5+ days, I would think this could be reasonably solved within 1 day. Especially when you know that a new version of each PHP release is going to be released about every month (I'd expect PHP 5.6.27 to be released around October 16th).



          • #6
            Hi,

            As a note, cPanel releases PHP updates the Tuesday following the Thursday pushes. So PHP drops on Thursday (sometimes early mornings, sometimes very late evening), and then we come in Friday, build the changes, and test them / prep them for release on Tuesday. This is only around 3 business days.

            cPanel released EA4 updates with PHP 5.6.26 yesterday, Sept 20th.



            • #7
              Hello Scott, I'm the alt-php packages maintainer.

              Here is alt-php56-5.6.26 / alt-php70-7.0.11 release timeline:

              - 15 Sep 2016 - upstream release on php.net
              - 16 Sep 2016 - alt-php beta release by CloudLinux, see announcement
              - 20 Sep 2016 - alt-php stable release by CloudLinux, see announcement

              So, the real delay between the upstream release and the alt-php release is 1 day. Our alt-php beta channel is pretty safe to use, so if you want updates immediately, you can install them with "yum groupinstall alt-php --enablerepo=cloudlinux-updates-testing". We will publish a special warning for potentially dangerous beta releases in our blog announcements. To avoid a massive outage because of fresh updates, we do not release them right into stable.

              As for ea-php packages: we technically cannot release them faster than cPanel does. You've read Jacob's post - 5 days for cPanel release + 1 (max 2) days for us to apply our patches, rebuild the packages, etc. and you will be able to install them from EA4 beta repositories soon.



              • #8
                Hello all, I'm happy to see I'm not alone. I'm using EasyApache 4 and I'm forced to use CloudLinux repo. EasyApache repo is different from Alt-Php repo.
                Look here:



                Updates for easyapache 4 were uploaded on 2016/09/13

                (note it's in testing, so it will be available after some days)

                and this update includes ea-php70*7.0.10-2 released on 2016/08/16



                Again, php 7.0.9 released by php.net on 2016/07/21 and uploaded in testing on 2016/08/23


                27 days for 7.0.10, 32 days for 7.0.9 (plus some days to switch between testing and stable). What I'm asking is if it's normal and it's because the easyapache4 repo is still in beta. Of course I hope to see 5 or 7 days between releases, but now we're around the month.



                • #9
                  Hello bettinz,

                  Previous CL EA4 updates were really slow because we were adopting our monitoring / build / testing processes for the new product. But now the situation became better and the latest ea-php* packages are already published to our beta repository (~1 day delay after cPanel release). We are going to release them to stable today / tomorrow after additional testing.

                  So, my recommendation is the same as for alt-php: use beta if you want to receive updates immediately.



                  • #10
                    We have pushed the release to production. I want to say thanks to my team for pushing through it and staying late and getting it out.

                    The release was delayed due to an unexpected patch in PHP-FPM. We are taking all possible measures to prevent such issues in the future. I also want to thank the cPanel team for being open and working with us on improving the process.



                    • #11
                      And I want to thank you all CloudLinux Team for the great work. Thank you
