upgrading PHP and Apache on uptime 7.6

has anyone manually upgraded PHP and Apache on uptime 7.6?
Our security monitoring has identified vulnerabilities with PHP 5.4.45 and openSSL 1.01p. Ive seen the upgrade document here and the windows downloads here but the windows x64 download is currently shown as experimental so I don’t want to do it without more feedback.

With uptime 7.7 coming out soon I’m wondering if I should just wait since hopefully it fixes these vulnerabilities.

James

  • Hi James,

    We direct many clients to the Apache and PHP upgrade guide to resolve security issues and nobody has reported any issues.

    The link to the PHP file in the KB was incorrect. It has been updated now. The PHP file made available by apachelounge.com is the one we regularly advise clients to use.

    Regards,
    Chris

  • thanks, I successfully manually upgraded PHP to 5.5.33 which removes the critical security alert.

    However, I couldn’t upgrade to Apache 2.4 manually, I followed all the steps but when I tried to restart the service it failed straight away with ‘service didn’t respond in timely fashion’ type of error. I suspect its because the service is tied to Apache 2.2 and I was trying to upgrade to Apache 2.4. Possibly a reboot might of fixed it but I wasn’t willing to risk it.

    Given that its only OpenSSL i need to upgrade I did look into this separately but decided against it for now unless anyone else has experience of doing this. Anyone got experience of using a different version of Apache or OpenSSL on uptime 7.6?

    James

  • Hi James,

    I’m glad your upgrade to PHP 5.5 was successful. Unfortunately PHP 5.5 has not been tested, so we cannot guarantee there will not be any issues which is why we only recommend upgrading to the latest PHP 5.4.

    Similarly, Apache 2.4 has not been tested (and I’ve had confirmation like yours that upgrading didn’t work), which is why the KB recommends the latest Apache 2.2 release.

    The next release of Uptime IM will come with Apache 2.4.18 and OpenSSL 1.0.2e. It is due to be released within the next couple of months. If you are curious about what else will be in Uptime 7.7 or other roadmap items, I suggest checking out the following upcoming webinar hosted by Beth Chauvin, Uptime IM PM.

    attendee.gotowebinar.com/.../2011696533458561026

    Regards,
    Chris

  • thanks, does the latest build of Apache 2.2 have a supported version of OpenSSL eg 101.s or greater? The current version of Uptime 7.6 has OpenSSL 1.01p

    James

  • The Apache 2.2.31 release offered by Apache Lounge includes OpenSSL 1.0.1s. To install, follow the steps in the first portion of the Upgrade KB article: Manually Update Apache and PHP on Windows.

  • thanks, tried latest Apache 2.2.31 but got same issue so I’ll wait for uptime 7.7

    James

  • In reply to James Bellarby:

    Hey James,

    I wanted to follow up with you on this. See where you were at, etc.

    Since going up to Apache 2.4 in uptime 7.7 upgrading builds in 2.4 is easy. PHP always has some considerations and as of 7.8 we're on PHP 5.4. Platform info for 7.8 is

    Apache: Apache/2.4.20 (Win64) PHP/5.4.45 OpenSSL/1.0.2g

    I took the challenge of upgrading from that (something we're doing for the next release anyway). I was able to upgrade Apache and PHP to 5.6 with no issues. That readout is,

    Apache: Apache/2.4.25 (Win64) PHP/5.6.30 OpenSSL/1.0.2j

    I am about to do a writeup on that and post it here, but if you like, I can share the download links, etc, with you prior.

    Best,

    Robert