Php: apache: Update to 2.4.33

Created on 5 Apr 2018 · 21 Comments · Source: docker-library/php

It would be awesome to have php:apache upgraded to Apache 2.4.33, which supports mod_md: https://letsencrypt.org/2017/10/17/acme-support-in-apache-httpd.html

Request

All 21 comments

We use Apache directly from Debian, so we can't really update that easily. :disappointed:

Maybe it makes sense to install Apache like in the apache image: https://github.com/docker-library/httpd/blob/3af22f20b54cbb7c76ef4c3b12bd9dcf6cae862b/2.4/Dockerfile

That would be a fairly large breaking change, not to mention a large increase in the already incredibly-long compilation times for our many, many variants of PHP.

Since this repository is focused on providing a PHP experience close to what PHP upstream recommends, we opted for using Debian's Apache packages (especially since the way Debian sets up Apache is very commonly understood by PHP developers in general).

This is a very important problem. The latest Apache version has a lot of bug fixes and vulnerability fixes.
Working in PCI scope, it's a big problem... Is there no way to change it by upgrading through the Dockerfile?

@mahnunchik did you find any solution for this? thanks

@AndryBray no, I'm thinking about building an image based on the apache and php images.

As far as vulnerabilities are concerned, see https://security-tracker.debian.org/tracker/source-package/apache2.

Thanks @tianon
I didn't see that refreshing the image was including the patched version.

Debian stretch has apache 2.4.25, but Debian buster has apache 2.4.34

Maybe a new series of Dockerfiles that pull from debian:buster-slim would be the solution

@tianon I really need acme support...

This is more pressing now with the highly publicized https://httpd.apache.org/security/vulnerabilities_24.html#CVE-2019-0211

> This is more pressing now with the highly publicized https://httpd.apache.org/security/vulnerabilities_24.html#CVE-2019-0211

See https://security-tracker.debian.org/tracker/CVE-2019-0211; stretch (security) is good.

Just not sure if this is using stretch or stretch (security).

Moving CVE-2019-0211 to new discussion since this issue was originally about getting a new version for new features, not a security update. See #810

> Debian stretch has apache 2.4.25, but Debian buster has apache 2.4.34
>
> Maybe a new series of Dockerfiles that pull from debian:buster-slim would be the solution

Sounds like a good idea to me :-) ...

Debian Buster is still unreleased. When it is released, we will look to migrate to Buster based images. While yes, Buster is in the freeze process of becoming released, it still has quite a few "release-critical" bugs to be worked out.

> Please note that security updates for testing distribution are not yet managed by the security team. Hence, testing does not get security updates in a timely manner. You are encouraged to switch your sources.list entries from testing to stretch for the time being if you need security support. See also the entry in the Security Team's FAQ for the testing distribution.

- https://www.debian.org/releases/buster/

This also means that if I want security releases from the
stretch-security I could just modify sources.list to point to
stretch-security lists?

Thank you

On Tue, Apr 16, 2019 at 12:10 AM yosifkit notifications@github.com wrote:

> Debian Buster is still unreleased. When it is released, we will look to
> migrate to Buster based images. While yes, Buster is in the freeze process
> of becoming released, it still has quite a few "release-critical" bugs
> https://lists.debian.org/debian-devel-announce/2019/04/msg00003.html to
> be worked out.
>
> Please note that security updates for testing distribution are not yet
> managed by the security team. Hence, testing does not get security updates
> in a timely manner. You are encouraged to switch your sources.list entries
> from testing to stretch for the time being if you need security support.
> See also the entry in the Security Team's FAQ for the testing distribution.

--
Mvh. / Kind regards
Lars Bengtsson

@larssb, the security updates for stretch are already included:

```console
$ docker run -it --rm php:apache cat /etc/apt/sources.list
Unable to find image 'php:apache' locally
apache: Pulling from library/php
27833a3ba0a5: Pull complete
2d79f6773a3c: Pull complete
f5dd9a448b82: Pull complete
95719e57e42b: Pull complete
cc75e951030f: Pull complete
78873f480bce: Pull complete
1b14116a29a2: Pull complete
95836a0750ea: Pull complete
7f419f7492e4: Pull complete
579567332cdb: Pull complete
9cc8d2923fb7: Pull complete
8dd306eba19f: Pull complete
329ff9bebb9e: Pull complete
Digest: sha256:df1b70df7eadbd94fee6432bfaba40ce54edc72fc9d4d0239780f294ae03c038
Status: Downloaded newer image for php:apache
# deb http://snapshot.debian.org/archive/debian/20190326T120000Z stretch main
deb http://deb.debian.org/debian stretch main
# deb http://snapshot.debian.org/archive/debian-security/20190326T120000Z stretch/updates main
deb http://security.debian.org/debian-security stretch/updates main
# deb http://snapshot.debian.org/archive/debian/20190326T120000Z stretch-updates main
deb http://deb.debian.org/debian stretch-updates main
```

Since "We use Apache directly from Debian", there is nothing actionable for the images. Using one of the images based on a newer Debian will get the newest Apache httpd available for that release of Debian. For example, using php:7.3-apache-buster instead of php:7.3-apache-stretch should get Apache httpd version 2.4.38 instead of 2.4.25.

* As is normal for stable OS distributions, these versions of apache httpd can also include backported security fixes.

Closing.
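
The question raised earlier in the thread (plain stretch, or stretch with security updates?) can be answered mechanically from the sources.list output above. The following is an added example, not part of the thread or the docker-library project: a shell check that ignores commented entries and reports whether a Debian security suite is active. The function names are hypothetical, and it assumes the classic one-line `deb` format, not deb822 `.sources` files.

```shell
#!/bin/sh
# Added example (not from the thread): check whether a one-line-format
# sources.list has an active Debian security suite.

# Print "URI SUITE" for every active (uncommented) "deb" entry in file $1.
active_sources() {
    awk '
        /^[[:space:]]*#/ { next }      # commented entries, e.g. the snapshot lines
        $1 == "deb" {
            i = 2
            if ($i ~ /^\[/) {          # skip an optional [option=value ...] block
                while (i <= NF && $i !~ /\]$/) i++
                i++
            }
            print $i, $(i + 1)
        }
    ' "$1"
}

# Succeed only if an active entry points at a Debian security archive.
# stretch/buster name the suite "<release>/updates"; bullseye and later
# use "<release>-security".
has_security_source() {
    active_sources "$1" | awk '
        $1 ~ /security\.debian\.org|debian-security/ &&
        $2 ~ /(\/updates|-security)$/ { found = 1 }
        END { exit !found }
    '
}

# Sample input: the sources.list printed by php:apache in the comment above.
sample=$(mktemp)
cat > "$sample" <<'EOF'
# deb http://snapshot.debian.org/archive/debian/20190326T120000Z stretch main
deb http://deb.debian.org/debian stretch main
# deb http://snapshot.debian.org/archive/debian-security/20190326T120000Z stretch/updates main
deb http://security.debian.org/debian-security stretch/updates main
# deb http://snapshot.debian.org/archive/debian/20190326T120000Z stretch-updates main
deb http://deb.debian.org/debian stretch-updates main
EOF

if has_security_source "$sample"; then
    echo "security suite is active"
else
    echo "no active security suite: apt will not pull security updates"
fi
```

An active security suite only means apt can fetch fixes; an image built before a fix was published still carries the old package until it is rebuilt or re-pulled.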

@yosifkit php:apache-buster would get httpd v2.4.38, which is an old version; the current version is v2.4.43

Is there any way to get Apache v2.4.43 with a recent PHP 7.4?

You could use our Dockerfile to create an image FROM debian:bullseye and that would get you whatever is available there (https://packages.debian.org/bullseye/apache2), but since bullseye is still the "testing" release of Debian we will not be using it for the PHP images. Once Debian Bullseye is close to release/released, we will look to add it as we have done with Stretch and Buster.
