Slashdot Mirror


As PHP Group Patches High-Risk Bugs, 62% of Sites Still Use PHP 5 (threatpost.com)

America's Multi-State Information Sharing & Analysis Center is operated in collaboration with its Department of Homeland Security's Office of Cybersecurity and Communications -- and they've got some bad news. MS-ISAC released an advisory warning government agencies, businesses, and home users of multiple high-risk security issues in PHP that can allow attackers to execute arbitrary code. Furthermore, if the PHP vulnerabilities are not successfully exploited, attackers could still induce a denial-of-service condition rendering the probed servers unusable... The PHP Group has issued fixes in the PHP 7.1.23 and 7.2.11 releases for all the high-risk bugs that could lead to DoS and arbitrary code execution in all vulnerable PHP 7.1 and 7.2 versions before these latest updates.

But meanwhile, Threatpost reported this week that 62% of the world's web sites are still running PHP version 5 -- even though its end of life is December 31st. "The deadlines will not be extended, and it is critical that PHP-based websites are upgraded to ensure that security support is provided," warned a recent CERT notice.

So far Drupal is the only CMS posting an official notice requiring upgrades to PHP 7 (by March, three months after PHP 5.6's end-of-life deadline). Threatpost notes that "There has been no such notice from WordPress or Joomla."

3 of 112 comments

  1. Re: by Anonymous Coward · Score: 3, Funny

    Besides, normally even numbers are used for stable releases. Why would PHP ever be considered dependable or trustworthy as a stable runtime?

  2. Re:PHP 7 is awesome by infolation · Score: 3, Funny

    It still looks like a clusterfuck to me, although maybe slightly more unfucked than the last one.

    Regrettably $CLUSTER_FUCK is a superglobal.

  3. Re:5 and, but no mention of PHP 6 by hcs_$reboot · Score: 3, Funny

    PHP 6 was released along with iPhone 9.

    --
    Slashdot, fix the reply notifications... You won't get away with it...