PHP – Frequently Asked Questions
Why is the PHP version so old? Can it be updated? Isn’t it a security risk?
Purdue IT has standardized on Oracle Linux (OL). Each version of OL ships with certain certified versions of various packages, and those versions do not and cannot change for the life of that version of the operating system without losing vendor support and potentially breaking dependent software. This allows enterprise software vendors to expect certain behaviors so they can certify their own software to work with OL without worrying about newer versions breaking backward compatibility. However, this doesn’t mean that the older PHP version is insecure. Red Hat (Oracle’s upstream) spends considerable effort back-porting the security fixes from newer versions of PHP to the version running in OL, so OL’s PHP is as secure as bleeding-edge PHP.
The Shared Apache HTTPD service (PPWC) currently runs OL 7, which uses PHP version 5.4.16. This will be the version of PHP for the life of these servers, and will only change for systems as they are migrated to OL 8 or later.
OL 8 uses a concept called “Application Streams” to offer multiple versions of popular packages like PHP. As such, it can offer PHP 7.0, 7.1, 7.2, 7.3, 7.4, and 8.0. However, only PHP 7.2 and 7.4 are still getting security updates on OL 8, so the newest version of PHP we can safely offer on OL 8 systems is PHP 7.4.
OL 9 continues the use of Application Streams and will offer up to PHP 8.0 with a reasonable duration of support. However, OL 9 is not yet available to Web Services. Once it is, it will also allow the installation of PHP 8.1 and, eventually, 8.2, but each will only be supported for 2 years.