Bogus PHP security message on Admin Control Panel

Posted: Mon Sep 03, 2018 5:19 am
by JJazz
Joomla! 3.8.12 Stable is reporting a new, bogus security message on the admin panel today.

Warning
Your PHP version, 7.0.30-0ubuntu0.16.04.1, is only receiving security fixes at this time from the PHP project. This means your PHP version will soon no longer be supported. We recommend planning to upgrade to a newer PHP version before it reaches end of support on 2018-09-03. Joomla will be faster and more secure if you upgrade to a newer PHP version (PHP 7.x is recommended).


This is nonsense.

1. Joomla itself states that this PHP version is acceptable on its Technical Requirements page,
https://downloads.joomla.org/technical-requirements
PHP[1] 5.6 or 7.0 + 5.3.10

2. PHP states that 7.0 is supported until December.
https://secure.php.net/supported-versions.php

If Joomla wants users to take security advice seriously, it needs to do better to not issue false alerts. There are likely many users running on Ubuntu 16.04.

Thank you.

Re: Bogus PHP security message on Admin Control Panel

Posted: Mon Sep 03, 2018 5:41 am
by Per Yngve Berg
7.0.31 was released a month ago.

Code:

sudo apt-get update
sudo apt-get upgrade

Will update the server to the latest version of 7.0.x and ubuntu 16.04.5. Your server is outdated.

You should start planning for an upgrade to php 7.2

Re: Bogus PHP security message on Admin Control Panel

Posted: Mon Sep 03, 2018 6:14 am
by SharkyKZ
Thanks for the report. The warning is meant to be displayed 3 months before security updates end but the date displayed is incorrect.
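
The check described in the post above, written out as an added example (not Joomla's plugin code and not part of the thread). The support dates in the table are assumed sample values, and the function names are hypothetical.

```python
import calendar
import re
from datetime import date

# Assumed sample table (not from the thread): per PHP branch, start of the security-only
# phase and end of security support. Take real values from php.net/supported-versions.php.
SUPPORT = {
    "7.0": (date(2017, 12, 3), date(2018, 12, 3)),
    "7.2": (date(2019, 11, 30), date(2020, 11, 30)),
}
WARN_MONTHS = 3  # warn this long before security updates end

def months_before(d, n):
    """Calendar date n months before d, clamping the day to the month's length."""
    y, m = divmod(d.year * 12 + d.month - 1 - n, 12)
    return date(y, m + 1, min(d.day, calendar.monthrange(y, m + 1)[1]))

def branch(version):
    """Reduce '7.0.30-0ubuntu0.16.04.1' or '7.0.30-0+deb9u1' to '7.0'."""
    m = re.match(r"(\d+)\.(\d+)", version)
    if not m:
        raise ValueError("unrecognised PHP version: %r" % version)
    return "%s.%s" % m.groups()

def support_status(version, today):
    """Return (state, end_of_security_support) for a PHP version string."""
    dates = SUPPORT.get(branch(version))
    if dates is None:
        return ("unknown", None)
    security_only_from, security_end = dates
    if today > security_end:
        state = "unsupported"
    elif today >= months_before(security_end, WARN_MONTHS):
        state = "near_eol"
    elif today >= security_only_from:
        state = "security_only"
    else:
        state = "supported"
    return (state, security_end)

def message(version, today):
    state, end = support_status(version, today)
    if end is None:
        return "PHP %s: support dates unknown" % version
    # Report the branch's end date, not `today` or the start of the warning window.
    return "PHP %s: %s, security support ends %s" % (version, state, end.isoformat())
```

With the sample table, the distro-suffixed 7.0 strings quoted in this thread fall into the warning window from 2018-09-03, and the message carries the end date 2018-12-03.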

Re: Bogus PHP security message on Admin Control Panel

Posted: Mon Sep 03, 2018 6:22 am
by SharkyKZ

Re: Bogus PHP security message on Admin Control Panel

Posted: Mon Sep 03, 2018 2:23 pm
by Fatwiisel
Got the same warning, went on to ask my hosting company to upgrade from PHP 7.0 to 7.2 and got an error page. They're looking into the problem. I did deactivate most 3rd party extensions but am still getting the error. How does one find out which extension is PHP 7.2 compatible other than looking each one up?

Re: Bogus PHP security message on Admin Control Panel

Posted: Mon Sep 03, 2018 3:36 pm
by JAVesey
It's not a bogus warning (poor thread title); it is a genuine warning. PHP 7.0.x will stop receiving updates in December 2018.

Re: Bogus PHP security message on Admin Control Panel

Posted: Mon Sep 03, 2018 5:11 pm
by sozzled

Re: Bogus PHP security message on Admin Control Panel

Posted: Mon Sep 03, 2018 5:12 pm
by brian
@javesey, if you look at the message you will see it says today, not December :)

Re: Bogus PHP security message on Admin Control Panel

Posted: Mon Sep 03, 2018 7:44 pm
by JJazz
SharkyKZ wrote:
Mon Sep 03, 2018 6:14 am
Thanks for the report. The warning is meant to be displayed 3 months before security updates end but the date displayed is incorrect.
SharkyKZ, thank you for responding promptly and effectively.

Re: Bogus PHP security message on Admin Control Panel

Posted: Mon Sep 03, 2018 9:06 pm
by JJazz
Per Yngve Berg wrote:
Mon Sep 03, 2018 5:41 am

Code:

sudo apt-get update
sudo apt-get upgrade

Will update the server to the latest version of 7.0.x and ubuntu 16.04.5. Your server is outdated.
You're wrong.

Code:

# cat /etc/lsb-release 
DISTRIB_ID=Ubuntu
DISTRIB_RELEASE=16.04
DISTRIB_CODENAME=xenial
DISTRIB_DESCRIPTION="Ubuntu 16.04.5 LTS"

# dpkg -l php-fpm
Desired=Unknown/Install/Remove/Purge/Hold
| Status=Not/Inst/Conf-files/Unpacked/halF-conf/Half-inst/trig-aWait/Trig-pend
|/ Err?=(none)/Reinst-required (Status,Err: uppercase=bad)
||/ Name                                    Version                  Architecture             Description
+++-=======================================-========================-========================-===================================================================================
ii  php-fpm                                 1:7.0+35ubuntu6.1        all                      server-side, HTML-embedded scripting language (FPM-CGI binary) (default)

# apt update && apt upgrade
...
All packages are up to date.
...
0 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.

Re: Bogus PHP security message on Admin Control Panel

Posted: Wed Sep 05, 2018 12:50 am
by CptBlisterButt
JAVesey wrote:
Mon Sep 03, 2018 3:36 pm
It's not a bogus warning (poor thread title); it is a genuine warning. PHP 7.0.x will stop receiving updates in December 2018.
Here is my warning message:

Code:

Warning
Your PHP version, 7.0.30-0+deb9u1, is only receiving security fixes at this time from the PHP project. This means your PHP version will soon no longer be supported. We recommend planning to upgrade to a newer PHP version before it reaches end of support on 2018-09-03. Joomla will be faster and more secure if you upgrade to a newer PHP version (PHP 7.x is recommended). Please contact your host for upgrade instructions.
What it means is that I run PHP 7.x and it is recommended to upgrade to PHP 7.x :D

Re: Bogus PHP security message on Admin Control Panel

Posted: Sun Sep 09, 2018 1:38 pm
by JAVesey
CptBlisterButt wrote:
Wed Sep 05, 2018 12:50 am
What it means is that I run PHP 7.x and it is recommended to upgrade to PHP 7.x :D
You know what it really means ;)

Re: Bogus PHP security message on Admin Control Panel

Posted: Mon Sep 10, 2018 4:30 pm
by jkull
I have done both
sudo apt-get update
sudo apt-get upgrade

also did the release upgrade to bring the server to 18.04.01

php -v shows:

Copyright (c) 1997-2018 The PHP Group
Zend Engine v3.2.0, Copyright (c) 1998-2018 Zend Technologies
with Zend OPcache v7.2.9-1+ubuntu16.04.1+deb.sury.org+1, Copyright (c) 1999-2018, by Zend Technologies

still get error in admin console. I host the server locally - we use Joomla for our company Intranet. I looked at the back end directory structure and it looks like I have both a php 7.0 folder and 7.2 folder.

Tried
sudo a2dismod php7.0
sudo a2enmod php7.2
systemctl restart apache2
This broke the site so I switched back to 7.0

Most articles I have found say "ask your hosting company to use 7.2 or use cPanel to use 7.2". Not an option for me - I am the host.

How do I force joomla to use 7.2?

Thanks!

Re: Bogus PHP security message on Admin Control Panel

Posted: Mon Sep 10, 2018 5:52 pm
by abernyte
This broke the site so I switched back to 7.0
What broke? Joomla 3.8.12 is perfectly compatible with PHP 7.2. Do you have a third party extension that isn't?

Re: Bogus PHP security message on Admin Control Panel

Posted: Mon Sep 10, 2018 6:00 pm
by Per Yngve Berg
Run the FPA when on PHP 7.2. That will tell if some modules are missing.

Re: Bogus PHP security message on Admin Control Panel

Posted: Fri Jan 25, 2019 6:56 pm
by MacNaught0n
Greetings,

I am also receiving the php 7.x error msg. I am currently using v7.0.29. When I asked my hosting company about upgrading to 7.1+ they informed me that it is not available on the shared servers & they have no roll out date for the upgrade. They only offer v7.1+ on their VPS servers which I cannot afford.

Are my websites in jeopardy?

Thanks.

Re: Bogus PHP security message on Admin Control Panel

Posted: Fri Jan 25, 2019 7:02 pm
by abernyte
Not critically but it's time to look for some decent hosting as your current provider is falling well short.

Re: Bogus PHP security message on Admin Control Panel

Posted: Fri Jan 25, 2019 7:30 pm
by sozzled
@MacNaught0n: although you've hijacked someone else's topic (relating to "bogus PHP security" messages in Joomla), you ask the question about whether your website(s) may be jeopardised because you are running an outdated, end-of-life version of PHP and your webhosting provider doesn't seem to care about the needs of their customers.

For your information, this is the current information about supported versions of PHP to help people in choosing a reliable hosting platform with a company that does care about the needs of their customers: http://php.net/supported-versions.php

The information I have just provided is not bogus; the information is obtained directly from the [open source] "bible" for PHP development.

Re: Bogus PHP security message on Admin Control Panel

Posted: Sat Jan 26, 2019 4:26 am
by leolam
MacNaught0n wrote:
Fri Jan 25, 2019 6:56 pm
I am also receiving the php 7.x error msg. I am currently using v7.0.29. When I asked my hosting company about upgrading to 7.1+ they informed me that it is not available on the shared servers & they have no roll out date for the upgrade.
Well, change host! Any decent host currently has EasyApache4 or similar (Cloudlinux) on their servers (we have for sure), which offers the users PHP5.4, PHP5.6, PHP7.0, PHP7.1 or PHP7.2 as well as the ability to customize the PHP.ini for any of the versions. That they do not have this per definition on their servers is a big problem and limits you in your online presence (PHP7.2 for instance is much faster and way more secure and works just fine with Joomla).
They only offer v7.1+ on their VPS servers
What a BS. See previous remark. Go....start running!

Leo 8)

Re: Bogus PHP security message on Admin Control Panel

Posted: Thu Nov 14, 2019 5:53 pm
by regexaurus
You could disable the Quick Icon - PHP Version Check site plugin. It's a protected extension. You can use phpMyAdmin to disable/enable, if such access is offered by your db host (or you :)). Look in the [dbPrefix]_extensions table. You can browse that table, then modify the SQL query, setting the WHERE condition to "name = 'plg_quickicon_phpversioncheck'," to quickly display the record corresponding to the PHP Version Check plugin. Click the edit button and set the enabled field value to 0. Click the Go button. Or from a command line on a system where mysql is installed:

Code:

mysql -h [mysqlServerHostname] -u [mysqlUser] -p [joomlaDatabaseName] -e "UPDATE [dbPrefix]_extensions SET enabled = 0 WHERE name = 'plg_quickicon_phpversioncheck'"
If you run this on the server hosting your database, omit -h [mysqlServerHostname]. You will need to update values in brackets (removing brackets) for your environment. You will see an interactive prompt for your mysql user password (not echoed).