PHP 7.3, 7.4 and 8.0 Security Release

February 5, 2021
by Ben Croker

If you host any sites on a VPS that you manage then this PHP security update very likely affects you. The severity of the update is unclear, but fortunately, it is a simple patch.

Php security release

If you’ve read my articles on security, then you will likely already know that I tend to harp on about how you should Always Apply Critical Updates.

Yesterday a security update was released for PHP 7.3, 7.4 and 8.0. If you manage a VPS and run Craft CMS (or any PHP application, for that matter), then this affects you. On the off-chance that you’re running PHP version 7.2 or lower, then you are taking the unnecessary risk of using software that is no longer receiving security updates, please upgrade!!

Interestingly, the severity of this security update goes completely unmentioned in the release announcements (7.3.27, 7.4.15, 8.0.2). It may be that an explanation would be too low-level to warrant, or more likely, that the contributors want to get as many people as possible to patch their version of PHP before they release any further details of the security implications. This makes sense, in order to prevent malicious actors from reverse engineering any vulnerabilities and attempting to exploit them, but leaves us in the dark as to what was actually fixed.

The PHP 8.0.2 release announcement states that this is a bug fix release” rather than a security release”, although personally I would err on the side of caution and update to it anyway.

How you update PHP depends on your VPS setup. If you have SSH access to the server then running the follow command will upgrade all packages on the system 

sudo apt update && sudo apt upgrade -y

In Laravel Forge you can go to the PHP tab of your server and click on Patch Version (do this for every version of PHP installed). To double-check that the patch worked, run the command php -v on your server or go to Utilities → System Report in the Craft CMS control panel and you should see the PHP version near the top of the page.

Laravel Forge patch PHP

Needless to say, the message is clear, UPGRADE!