They will receive a patch if they're using it on a Linux distro that is still supported (e.g. Ubuntu 16.04 LTS). How many people actually bother to run apt-get update && apt-get upgrade on their cloud servers or docker images is a different question, though.
If you're using an out-of-support version, you should either use a distro that backports patches or contract somebody to do the backports for you. Otherwise you're basically hanging a sign saying "please pwn me" on your site. This is true for any software, not just PHP (for PHP, most security fixes are actually not hard to backport, just somebody has to do it).
The issue is PHP-FPM (FastCGI) only and it's vulnerable from outside only with nginx.
kijin|6 years ago
oefrha|6 years ago
gallexme|6 years ago
VvR-Ox|6 years ago
It's time to upgrade if you want to stay secure: https://www.php.net/supported-versions.php
smsm42|6 years ago
unknown|6 years ago
[deleted]
kgersen75|6 years ago
The vast majority of PHP 7.0 installations don't use FastCGI and don't use nginx but Apache, simply because people used 'apt install php' (or 'yum install php') to install it.
So imho, the impact is very limited.
cbg0|6 years ago
Do you have a source for this?