Updating PHP 7.4 on Ubuntu 20.04 doesn't update to the latest release

Question

I was just trying to install PHP 7.4 on a fresh Ubuntu 20.04,

Doing a simple apt install php php-cli installed the 7.4 version by default,

But when I do apt update && apt upgrade the version is still 7.4.3 instead of 7.4.5!

Please note that I'm aware this can be fixed by adding ppa:ondrej/php repository.

I'm just trying to understand, if Ubuntu is shipping with 7.4 by default, why doesn't it update to the latest version? will we always get 7.4.3 in Ubuntu 20.04.0 (not the next point release) even after 2-3 years? and the only option is to add the ondrej/php repository?

Edit: PHP 7.4.6 has been released few weeks ago, but the version on my server is still stuck on 7.4.3.

Answer 1

The previously accepted answer is wrong.

This claim

it's common that some packages remain outdated for a few months

leaves the impression that Ubuntu LTS releases are constantly upgrading to the newest minor version just a few months after the PHP team released them.

That's not true!

Ubuntu's update policy

TL;DR Ubuntu's officially packaged PHP is up-to-date security-wise and out-out-date bug-fix-wise.

Here's how Ubuntu / Canonical actually maintains official packages like PHP:

When Ubuntu prepares an LTS release, there's a feature freeze (details) at some point in time. That means even if the packaged software releases a newer minor version (e.g. to fix bugs) before Ubuntu's feature freeze and after the final LTS release, this minor version update isn't going to find it's way into Ubuntu anymore.

In case of Ubuntu Focal Fossa 20.04 LTS, PHP was frozen at version 7.4.3. That means Focal's php package will never again get a minor release update (e.g. 7.4.6) throughout it's support lifespan.

However, that doesn't mean that Fossa's php package will never ever get updates at all.

SRUs

The contrary is true: it will be patched with these so-called stable release updates or short SRUs.

So what goes into SRUs?

Mainly fixes for high-impact bugs which boils down to security bugs most of the time. See SRUs for what Ubuntu considers high-impact bugs.

Anyway, what you end up with is Focal Fossa receiving multiple patched versions of PHP 7.4.3 throughout its lifetime. In other words, there exist multiple PHP 7.4.3 versions in Focal Fossa as you can see in the package's change log. It shows multiple versions like 7.4.3-4ubuntu1, 7.4.3-4ubuntu2, 7.4.3-4ubuntu2.5 and so on and you can see that mostly security bugs are fixed.

How to check which version is actually installed?

Problem is that php -v will always report PHP 7.4.3. However, take a look at the details of the output: PHP 7.4.3 (cli) (built: Jul 5 2021 15:13:35) ( NTS ). That it was built Jul 5 2021 already hints that something happened to the seemingly old 7.4.3 version.

To be really sure which version is installed, ask apt: apt policy php7.4.

Output:

In this case 7.4.3-4ubuntu2.5 is installed. Again, take a look at the package's change log to see what's included in that build.

Are all security bugs affecting PHP 7.4 fixed?

Yes.

Comparing with the PHP 7.4 ChangeLog, you'll discover that all security problems (CVEs) except one (afaik just Windows affected) are fixed in the Ubuntu package. Apart from that, just a few non-security bug fixes are included.

Ubuntu's security team is closely tracking the CVE database and maintains its own Ubuntu CVE tracker.

Should you use Ubuntu's official PHP package?

It depends on your situation. I tend to say it's a good default.

Anyway, here are the facts on which you should base your decision:

When you use Ubuntu's official PHP package, you can be sure that it'll receive security updates throughout the lifespan of the actual Ubuntu release (5 years in case of a LTS version like Focal Fossa 20.04). Even when PHP 7.4 reaches end-of-life (end of 2022), Ubuntu's security team will still patch the official php7.4 package. In other words, even if the PHP team no longer release security fixes, Ubuntu's security team will.

When you're using something like Ondrej's PPA in contrast, you'll have to switch to PHP 8 after end of 2022. If you do not, your PHP will get no more security fixes.

While Ubuntu's php package will get security fixes, it will barely get bug fixes of other sorts. Either you're lucky and your software isn't affected or you'll have to work around those bugs. If a bug seriously affects your software (e.g. performance problem), you may consider switching to a PPA package.

Answer 2

Found this question and none of the answers worked for me, what worked was:

sudo a2dismod php7.2
sudo a2enmod php7.4
sudo service apache2 restart

Adjust php7.2 to your current module

Answer 3

Be aware, this can ruin things. I had been using the PHP 7.4.3 that came with Ubuntu. My experience adding ppa:ondrej/php was not good.

apt upgrade first wanted me to install both PHP 7.4 and PHP 8.0. Then it made PHP 8.0 the default and wanted me to run apt autoremove to get rid of the duplicate PHP 7.4 installation.

Restarting Apache caused it to fail with errors and took down all of my websites.

apt install libapache2-mod-php7.4 was necessary to restore the server, now showing PHP 7.4.16, but all of my websites were throwing server errors indicating none of my PHP extensions were installed anymore. After reinstalling all of the extensions for PHP 7.4, another Apache restart restored my websites.

update-alternatives --config php also helped reset the CLI version back to 7.4.16.

Answer 4

Kindly use below code to update php 7.4.15

  sudo add-apt-repository ppa:ondrej/php
  
  sudo apt-get update
  
  sudo apt-get install -y php7.4 php7.4-cli php7.4-common php7.4-fpm

  sudo apt-get install -y php7.4-mysql php7.4-dom php7.4-simplexml php7.4-ssh2 php7.4-xml php7.4-xmlreader php7.4-curl  php7.4-exif  php7.4-ftp php7.4-gd  php7.4-iconv php7.4-imagick php7.4-json  php7.4-mbstring php7.4-posix php7.4-sockets php7.4-tokenizer

  sudo apt-get install -y php7.4-mysqli php7.4-pdo  php7.4-sqlite3 php7.4-ctype php7.4-fileinfo php7.4-zip php7.4-exif

   sudo nano /etc/php/7.4/fpm/php.ini
   
              Find: cgi.fix_pathinfo  => Remove semi-colon and set 0

              cgi.fix_pathinfo=0

Save & quit

php -v

your php version has updated.

Answer 5

Ubuntu official repository shows that the 7.4.3 is the latest available version. So that's not a problem with apt or caching as suggested by @blizzo.

Since we are talking about a LTS release of Ubuntu, it's common that some packages remain outdated for a few months due to stability reasons. (Even patch versions can introduce bugs that make thinks unrealiable, and LTS is meant to be very stable and realiable)

As you wrote on the original question, the best solution is using the ondrej/php repository.

Edit:

I asked to ondrej about it and he gently answered with this link: https://wiki.ubuntu.com/StableReleaseUpdates that says:

Once an Ubuntu release has been completed and published, updates for it are only released under certain circumstances, and must follow a special procedure called a "stable release update" or SRU.

2. When

2.1. High-impact bugs

Stable release updates will, in general, only be issued in order to fix high-impact bugs.

2.2. Other safe cases

...

Answer 6

This could be a problem with apt. For whatever reason, apt update && apt upgrade looks to be pointing to an older release of the software. If it's absolutely necessary, you may indeed need to manually install the latest PHP version via GitHub or some other trusted source.