PHP 5.3 Security Backports

In mid-2013 it was decided to give PHP 5.3 one last year of security fixes. This security fix period officially runs out around June / July 2014. The plan is that your current PHP 5.3 installations won't receive any security bugfixes after that date. However, your situation might require you to stick with PHP 5.3 for a while before you can update.

Realistically PHP 5.3 is already lacking in security, because the last security update to PHP 5.3 was released in December 2013 and since then there have already been security fixes for current PHP versions that affected PHP 5.3 and have never been backported to the old code branch, e.g.:

However, securing your PHP 5.3 installation is more work than just backporting these fixes. PHP is in constant development with lots of bugfixes. On average there has been one PHP release per month per active branch within the last three years. This comes down to two releases per month and a lot of fixes to look into.

Some of these fixes are marked as security problems, but quite often bugs are simply not recognised as security bugs and therefore not correctly labelled as such. E.g. most crash bugs are not considered security relevant, although they might be exploitable somehow. In general this cannot be determined without further analysis, which usually does not happen. Sometimes such bugs are not even mentioned in PHP changelogs. For example, the following four bugs were fixed in newer PHP branches but not marked as security problems, while they crash PHP and might have security implications:

Keeping on top of which security bugs were fixed, which of them were not listed/recognized as security problems, which were not even mentioned in the changelog, and whether they really affect PHP 5.3 is quite a bit of effort. The PHP Security Backports from our PHP security experts at SektionEins can help you here.

Please contact us for pricing and details: