install RHEL 6.5 php package on RHEL 5.10?

Is it advisable to install a php package targeted to RHEL 6.5 to RHEL 5.10? What is the risk?
php inoperative, server OS inoperative?
I have a subscribed RHEL 6.5 server I can use yumdownloader on to get the php packages.
I have a RHEL 5.10 server on a disconnected network and need to update php.
OR is there a way to use yumdownloader on the 6.5 server to download the 5.10 php packages?
I need to update due to vulnerabilities present in the current 5.10 php install.

Thanks for any help.

Responses

Hi Robert,

Is it advisable to install a php package targeted to RHEL 6.5 to RHEL 5.10?

No. If you went the whole way and updated the dependencies for PHP (which you would have to if you wanted PHP to run), then as you surmise, you would end up with a computer ready for re-installation.

Can you tell me specifically which vulnerabilities you are concerned about in PHP 5.3 in RHEL 5.10 please (CVE numbers would be great), then we can reference that against our advisories.

I would also note that we released a security update for PHP only two days ago as well: https://rhn.redhat.com/errata/RHSA-2014-1012.html that covers the following CVEs:

CVE-2012-1571
CVE-2013-6712
CVE-2014-0237
CVE-2014-0238
CVE-2014-1943
CVE-2014-2270
CVE-2014-3479
CVE-2014-3480
CVE-2014-3515
CVE-2014-4049
CVE-2014-4721

Please let us know,

Many thanks,
Mark

[edit] s/PHP 5.10/PHP 5.3 in RHEL 5.10/

The Security Update referenced in the Nessus scan was RHSA-2013:1814
CVE-2011-1398
CVE-2012-2688
CVE-2013-1643
CVE-2013-6420

I'm confident that when this update is accomplished, the successive newer cve numbers will be flagged on the next Nessus scan.
Is there a way to download RHSA patches via http or ftp? I can't find that option.

Hi Robert,

http access to packages is via: https://rhn.redhat.com/rhn/channels/software/Search.do

and the specific rpm is at:
https://rhn.redhat.com/rhn/software/packages/details/Overview.do?pid=987924

Please remember to check dependencies!

Best regards,
Mark

EDIT: This explains how you could have offline content of specific packages. Regarding the mixing of el6 packages on an el5 box - I would not attempt that (personally).

You could potentially do the following:
* retrieve the repo data for the files you want to retrieve
* place the repo file in /etc/yum.repos.d/ and make sure enabled=0
* create an excludepkgs and includepkgs directive in your repo file
* run reposync and identify the repo you just created
* bonus: you could run createrepo (which would create the repomd.xml file and all)
* place the entire repo on some media that you can attach to your server

Repo File (I use this to ONLY grab a few asm files - not the entire repo - hence the include/exclude)
/etc/yum.repos.d/oracle.repo

[ol6_latest]
name=Oracle Linux 6 Latest (x86_64)
baseurl=http://public-yum.oracle.com/repo/OracleLinux/OL6/latest/x86_64/
gpgkey=http://public-yum.oracle.com/RPM-GPG-KEY-oracle-ol6
gpgcheck=1
enabled=0
exclude = *xen*
includepkgs = oracleasm*el6.x86_64 oracle-validated-* oracleasmlib* cvu* kmod-oracleasm*
excludepkgs = oracleasm-2.6*.ol6xen* oracleasm-2.6.*.ol6debug* oraclelinux-release* oracle-logos* oracle-rdbms*
includepkgorder = excludepkg,includepkg

SWBASE=/var/satellite/repos/
ARCH=x86_64
REPOID=ol6_latest
PKGDIR=${SWBASE}/${ARCH}/${REPOID}

reposync -q -n -a $ARCH --repoid=${REPOID} -p ${SWBASE}/${ARCH}/ # > /dev/null 2>&1
cd $PKGDIR
createrepo $PKGDIR

tree /var/satellite/repos/x86_64/ol6_latest/

/var/satellite/repos/x86_64/ol6_latest/

|-- getPackage
|   |-- kmod-oracleasm-2.0.6.rh1-2.el6.x86_64.rpm
|   `-- oracleasm-support-2.1.8-1.el6.x86_64.rpm
`-- repodata
    |-- filelists.xml.gz
    |-- other.xml.gz
    |-- primary.xml.gz
    `-- repomd.xml

I pulled this from a script that I use to do many things, but I think all the pieces are there.

Thank you for your advice. This is really too complicated though.
I'm going to take my chances with CentOS rpms.

Robert,

Did you install the RPM linked to by Mark Flitter? It is the latest 5.x package and addresses the CVEs you are concerned about.

If there are any outstanding CVEs on that version of the package I would raise it with Red Hat, the support that Red Hat offers includes backported security patches.

There should be no need to install 6.x, or CentOS packages, especially considering Red Hat is CentOS's upstream.
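Because Red Hat backports fixes without bumping the upstream version, a scanner that keys on the version string can flag CVEs that are already fixed. An added example, not part of this thread: a small shell helper that checks a package changelog (as printed by `rpm -q --changelog`) for the CVE IDs from the Nessus report, assuming the changelog entries name the CVE IDs, as Red Hat's errata builds do. The changelog text below is constructed for the example, not a real php changelog.

```shell
#!/bin/sh
# check_cves: read a package changelog on stdin and report, for each CVE id
# given as an argument, whether the changelog mentions it (FIXED) or not
# (MISSING). Matching is case-insensitive, so ids typed as "cve-2012-2688"
# in a scan report still match. Exit status is 1 if any id is MISSING.
check_cves() {
    changelog=$(cat)
    missing=0
    for cve in "$@"; do
        if printf '%s\n' "$changelog" | grep -qiF -- "$cve"; then
            printf 'FIXED   %s\n' "$cve"
        else
            printf 'MISSING %s\n' "$cve"
            missing=1
        fi
    done
    return $missing
}

# Constructed sample changelog (placeholder maintainer and release numbers),
# shaped like the output of: rpm -q --changelog php
SAMPLE_CHANGELOG='* Wed Dec 11 2013 Example Maintainer <maint@example.com> - 5.1.6-0.example2
- fix CVE-2013-6420
- fix CVE-2011-1398
* Mon Jun 24 2013 Example Maintainer <maint@example.com> - 5.1.6-0.example1
- fix CVE-2013-1643, CVE-2012-2688'

# Stand-alone demonstration: the four ids from the scan are present, a
# newer id is not, so the helper reports one MISSING line and exits 1.
if [ "${0##*/}" != "sh" ] && [ -z "$CHECK_CVES_NO_DEMO" ]; then
    printf '%s\n' "$SAMPLE_CHANGELOG" | check_cves CVE-2011-1398 cve-2012-2688 CVE-2013-1643 CVE-2013-6420 CVE-2014-3515 || true
fi
```

On the disconnected host, `rpm -q --changelog php | check_cves CVE-2011-1398 CVE-2012-2688 CVE-2013-1643 CVE-2013-6420` answers the question directly; for an RPM downloaded but not yet installed, `rpm -qp --changelog <file>.rpm` feeds the same helper.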

Thank you for the additional reply.
No I did not install the php53 RPM. I wanted to patch the php-5.1.6 install, not upgrade to a new php version with the risk of getting into dependency issues.
Up until today IE did not return searches correctly on the redhat site which led me to believe the packages I needed were not available to me. Thanks again.
