Pantheon release notes: Infrastructure

PHP 8.1.28, 8.2.18, and 8.3.6 were released on the platform. They contain the latest bug fixes and security releases for PHP.

Updates include patches for the following CVEs ( Common Vulnerabilities and Exposures):

• CVE-2024-1874 "Command injection via array-ish $command parameter of proc_open even if bypass_shell option enabled on Windows"
• CVE-2024-2756 "__Host-/__Secure- cookie bypass due to partial CVE-2022-31629 fix"
• CVE-2024-3096 "password_verify can erroneously return true, opening ATO risk"
• CVE-2024-2757 "mb_encode_mimeheader runs endlessly for some inputs" (PHP 8.3 only)

As a reminder, PHP 8.0 reached End-of-Life on 26 November 2023. For the best performance and security, Pantheon recommends running PHP 8.2 and above.

As part of our continued effort to provide the latest and best in secure software, PHP versions 7.1 and below will reach end-of-sale (EoS) on May 15, 2024. This means that sites created after May 15 will not be able to change their PHP version to PHP 7.1, 7.0, or any version of PHP 5. Sites created with custom upstreams using EoS PHP may also have unexpected behavior upon site creation.

Sites already running PHP 5, PHP 7.0, or PHP 7.1 will continue to run even after May 15.

PHP 7.1 was declared end-of-life (EoL) by the PHP Foundation on November 30, 2020, more than three years ago. PHP 5.6 reached EoL on December 31, 2018, more than five years ago. EoL software does not receive security or feature updates, and could expose sites to attack if any vulnerabilities or exploits are discovered.

Action required

Customers using custom upstreams with a PHP version less than 7.2 should update their custom upstreams by May 15 to avoid disruption. The current supported versions of PHP are 8.1, 8.2, and 8.3. Pantheon currently recommends at least PHP 8.1 for all production sites.

PHP 8.2.17 and 8.3.4 were released on the platform. They contain the latest bug fixes and security releases for PHP. As a reminder, PHP 8.0 reached End-of-Life on 26 November 2023. For the best performance and security, Pantheon recommends running PHP 8.1 and above.

The latest versions of PHP 8.x are now available on the Pantheon platform. PHP 8.1.27, 8.2.16, and 8.3.3 are all bug fix releases. No action is required on your part if you are using one of these PHP versions (8.1, 8.2 or 8.3).

We're thrilled to announce an impactful upgrade to Pantheon's security infrastructure, reinforcing our commitment to safeguarding your websites. In response to the escalating sophistication of distributed denial-of-service (DDoS) attacks, we've implemented innovative solutions to fortify our defenses. Particularly, we've addressed a surge in Layer 7 attacks targeting content management systems, ensuring resilience even without our Advanced Global CDN's Web Application Firewall (WAF).

Key benefits:

• Advanced DDoS protection: Our engineers have proactively countered Layer 7 attacks, mitigating risks posed by inauthentic traffic targeting web content management systems.
• Rate limiting capabilities: We've introduced rate limiting capabilities within our Global CDN, curbing abusive traffic effectively. This ensures a stable online presence, even during large-scale attacks, preventing wider stability issues.

For more in-depth insights into the measures we've taken and the value they bring to your Pantheon experience, delve into the full blog post. Your website's security and stability are our top priorities, and this enhancement is another step in our ongoing commitment to delivering a robust WebOps platform.

• As part of Pantheon’s commitment to accessibility, diversity, and inclusion, we are proud to announce that we have completed an external audit of our platform’s accessibility features and the results are available in our WCAG 2.1 AA VPAT.
• Our teams have ongoing efforts to improve accessibility further and have outlined goals to improve our support of WCAG 2.1 AA criteria for the next two quarters.
• Our partners and customers who depend on WCAG compliant products can confidently continue to use the platform knowing that we hold accessibility to be an important function of the services we provide.

The File System team at Pantheon achieved significant speed improvements in backup processes. The Valhalla export process was overhauled, allowing backups to be constructed from new objects, cutting down export times by 25-83%. This was accomplished by initiating object retrieval immediately after receiving MANIFEST metadata, omitting empty files, and promptly archiving received files.

Global CDN now has improved compatibility with the WPML multilingual WordPress plugin. Page variations for each language can be cached at the edge. This update was rolled out automatically for all sites that use the WPML plugin and increased site cache hit ratio by 24% on average.

Sometimes you just need more memory to serve your site reliably. To learn more about why we doubled the memory for most site plans, check out this blog by Rachel Whitton, Lead Technical Writer here at Pantheon.

To take advantage of the increased memory limit, contact our customer support team. Or drop by our regular Zoom-based office hours.

PHP 8.2.11 and 8.1.24 were released on the platform. They contain the latest bug fixes and security releases for PHP. As a reminder, PHP 8.0 will reach End-of-Life on 26 November 2023. For the best performance and security, Pantheon recommends running PHP 8.1 and above.

Pantheon has deployed PHP versions 8.2.9, 8.1.22, and 8.0.30 to customer sites running on the platform. These releases address vulnerabilities disclosed in CVE-2023-3823 and CVE-2023-3824.

If you are using PHP 8.2, 8.1 or 8.0, there is nothing further that you need to do. If you are still on PHP 7.4 or earlier, though, you should schedule some time to upgrade to a supported version.While the vulnerabilities patched in these latest releases are not reported to affect PHP 7.4, the fact remains that there could be (and probably are) unpatched vulnerabilities in the end-of-life versions. Read more about it in Greg Anderson’s blog post.

Pantheon has pushed an update to WordPress and Drupal 7 core upstreams which sets PHP 8.1 as the new default PHP version, rather than 7.4.

Please test this core update thoroughly before deploying to the Live environment. If your site requires an older version of PHP, or if you'd like to upgrade to PHP 8.2, see Pantheon’s documentation on how to manage PHP versions via the pantheon.yml configuration file.

Services like Redis greatly accelerate web performance by offloading heavy database and fileservice interactions to a fast in-memory cache. Pantheon Object Cache Update allows customers the ability to adopt Redis server 6.x. This capability is made possible by adopting Pantheon’s modernized infrastructure and cloud operations frameworks. To learn more about Object Cache, refer to our documentation.

PHP 8.1 is now recommended for Drupal sites version 9.3.0 and higher. An underlying bug with ProxySQL was fixed in version 2.4.3 and PHP 8.1 was updated on the platform to incorporate this fix.

Customers can now upgrade their site database and PHP by using the One-Click Upstream Update feature in the Site Dashboard or the command Terminus upstream:updates:apply. Pantheon makes it simple to keep your site database secure and performant. Sites using Custom Upstreams can easily upgrade to supported database versions by configuring the site's pantheon.yml.

Updated to PHP 7.3.22 and 7.4.10 platform-wide. For information on upgrading between major PHP versions see Upgrade PHP Versions.

All Pantheon customers are now provisioned with a dedicated certificate for HTTPS for each custom domain on a site environment. In addition, the go-live experience has been optimized and now lets you configure HTTPS before launch via the DNS TXT method to verify domain ownership.

Although it places load on the platform, Pantheon now excludes traffic from Petalbot, which would otherwise count towards your website's total traffic.

Global CDN now blocks requests identified as being performed by AspiegelBot (aka PetalBot) when a query string is present. This platform-wide change is intended to guard against resource exhaustion and related site downtime. Going forward these requests will result in a 403 and will not count as site traffic for Pages Served and Visits. For more information see Traffic Limits and Overages.

Capacity Expansion: Auckland, New Zealand (AKL).

The New Relic agent has been upgraded from version 9.2.0.247 to version 9.7.0.258 platform-wide. This upgrade fixes a potential segfault with PHP 7.3. For more information, see the New Relic Agent release notes.

New Points of Presence:

• Ashburn, VA (WDC)
• Chicago (PWK)

Expanded Capacity:

• Vancouver (YVR)
• Sydney, Australia (SYD)
• NY (LGA)
• Los Angeles (BUR)
• Dallas (DFW)
• Atlanta (FTY)
• Boston (BOS)
• Helsinki (HEL)
• Osaka (ITM)
• Amsterdam (AMS)

Advanced Global CDN extends Global CDN for customers that need unique customizations including personalization, domain masking, and extended enterprise-grade security features including a WAF, IP and geolocation blocking and blocklisting. Advanced Global CDN is available as an add-on product to all customers now.

Updated to PHP 7.3.14and 7.2.27 platform-wide. For information on upgrading between major PHP versions see Upgrade PHP Versions.

Most UDP traffic originating from the platform has now been blocked in order to prevent platform abuse.

Updated to PHP 7.2.26, and 7.3.13 platform-wide. For information on upgrading between major PHP versions see Upgrade PHP Versions.

Localdev 0.6.0-beta.9 includes macOS Catalina support, and numerous improvements and bug fixes.

Updated to PHP 7.2.25, and 7.3.12 platform-wide. For information on upgrading between major PHP versions see Upgrade PHP Versions.

Updated to PHP 7.1.33, 7.2.24, and 7.3.11 platform-wide. For information on upgrading between major PHP versions see Upgrade PHP Versions.

Improved auto-update system with support for stable and beta channels, as well as changelog display, plus other fixes.

Swiftbot can now crawl non-production environments and platform domains like test-example.pantheonsite.io to support pre-release site search testing. For details see, Bots and Indexing on Pantheon.

This release also includes several options to control HSTS and the ability to choose a primary domain. For details see the blog announcement, Pantheon YAML documentation and our updated Launch Essentials guide.

Updated to PHP 7.3.9, 7.2.22, and 7.1.31 platform-wide.

The New Relic agent has been upgraded Platform-wide. For more info see New Relic PHP Agent 8.7.0.242 release notes.

Now when you create a new site on Pantheon, you can select from one of four regions across the globe, including Australia, Canada, and the European Union. For more info see Pantheon Site Regions and Data Residency.

Pantheon now recommends A/AAAA records instead of CNAME records. This change is to reduce complexity, confusion, and address a few edge cases introduced with CNAMEs. For example, the use of an MX or TXT record prevents the use of a CNAME. If you are already using a CNAME you can continue to do so or you can update to A/AAAA records as shown on the dashboard.

Updated to PHP 7.1.30, 7.2.19, and 7.3.6 platform-wide.

Following April’s announcement of our new European Union region, we’ve added Australia and Canada regions. For more info see regions

In January 2018, Pantheon announced migration of the Pantheon CMS Container Matrix to Google Cloud. Now, all site file storage, backup processing, and backup storage has moved from Amazon Web Services to Google Cloud. This change provides higher backup performance, higher reliability, and increased innovation ahead for all of Pantheon's customers.

PHP 7.3 is the new default for Drupal 8 and WordPress sites. Apply the 1-click update on the Pantheon site dashboard to upgrade. For more information see Faster WordPress & Drupal 8 sites with PHP 7.3 by Default.

New Relic Agent has been upgraded platform-wide to 8.6.0.238. For details see New Relic release notes.

Whether you need your WordPress or Drupal site to meet data residency requirements or have a performance use case not solved by caching requests through Pantheon’s Global CDN, contract customers can now create sites in the European Union. Also see the blog announcement.

Updated to PHP 7.2.15 platform-wide. For more information, see http://php.net/ChangeLog-7.php#7.2.15.

Early Access to run sites in Pantheon’s new European Region is now available for contract customers. See regions for details and contact us for more info.

Pantheon now includes the intl PHP extension in PHP 7.1 and PHP 7.2. For more information on upgrading your site's version of PHP see Upgrade PHP Versions.

Updated to PHP 7.2.14 and 7.1.26 platform-wide. For more information, see http://php.net/ChangeLog-7.php#7.2.14 and http://php.net/ChangeLog-7.php#7.1.26.

New Relic has been upgraded platform-wide to version 8.5.0.235. For details see New Relic's APM PHP Agent 8.50.236 release notes. Also, see Pantheon's New Relic documentation for general info on using New Relic to monitor your site and identify opportunities to improve application performance.

Pantheon is happy to announce our new Disaster Recovery Service, designed for mission-critical websites that need to ensure business continuity during the unlikely event of a zone failure. See the Disaster Recovery doc below for more information.

PHP 7.1 and 7.2 were updated to the latest versions on the platform. For information on changing minor versions (e.g from 7.0 to 7.2) see Upgrade PHP Versions.

Updated to PHP 7.2.11 and 7.1.23. For more information, see http://php.net/ChangeLog-7.php#7.2.11 and http://php.net/ChangeLog-7.php#7.1.23.

PHP was updated to versions 5.6.38, 7.0.32, 7.1.22 and 7.2.10.

While we still recommend using a third-party email solution, for those who choose to use Pantheon's built-in message transfer agent (MTA), you may now set up an SPF record for your domain and include Pantheon's mail relays for improved delivery. For details, see: Email on Pantheon.

The platform was updated to PHP patch releases.

Drupal 8 and WordPress now default to PHP 7.2, while Drupal 7 defaults to PHP 7.1. For details see https://pantheon.io/blog/speed-your-site-php-72/.

The PHP versions on the platform have been upgraded to 7.2.8, 7.1.20, 7.0.31 and 5.6.37.

An improvement to our queuing system has resulted in a 60% reduction in average HTTPS provisioning times!

The latest version of Apache Tika, 1.18, is now available on the platform. See documentation on External Libraries on Pantheon for details.

More crawlers can now access platform domains, like test-example.pantheonsite.io, to support pre-release SEO testing. Details: https://github.com/pantheon-systems/documentation/pull/3827

PHP 5.5 and 5.3 have reached end-of-life (EOL), and PHP 5.6 and 7.0 will reach EOL in December 2018 so upgrade to PHP 7.1 or 7.2 as soon as possible.

PHP has been upgraded to 5.6.36, 7.0.30, 7.1.17 and 7.2.5 platform-wide.

The platform-wide build of PHP 7.2 now supports connecting to an external Microsoft SQL server via sqlsrv functions. Your CMS should use Pantheon's default database, but this unlocks use cases that require connecting to an external MS SQL server.

Use the filemount configuration to modify the default location of Pantheon's cloud-based filesystem. For details, see Pantheon YAML Configuration Files.

OCSP stapling is an improved method for quickly and safely checking the validity of certificates for HTTPS. You can use SSL Labs (e.g. https://www.ssllabs.com/ssltest/analyze.html?d=pantheon.io) and search for "stapling" to see it's enabled. OCSP responses are typically good for about 7 days, so a response will only get updated as its validity lifetime expiration time approaches.

We’ve upgraded to PHP 5.6.35, 7.0.29, 7.1.16, and 7.2.4. See our documentation to learn how to upgrade your PHP version.

The Surrogate-Key-Raw header, used for debugging when using Pantheon Advanced Page Cache, is no longer sent by default. To receive this header when making a request, send the Pantheon-Debug: 1 header, like so:

curl -IsH "Pantheon-Debug:1" https://example.com | grep key

This change addressed an issue that caused Twitter card validation to fail, and also reduces overall page size and speeds up page load time when sending many keys.

PHP 5.6, 7.0, 7.1, and 7.2 have been updated to the latest versions platform-wide to address a vulnerability that could allow for arbitrary code execution.

On March 5th, the cost for legacy load balancers increased from $30/month to $60/month. To avoid increased charges, upgrade to the Global CDN, which includes free, automated HTTPS, by updating DNS records.

We've upgraded to PHP 5.6.33, 7.0.27, 7.1.13, and 7.2.1. See our documentation to learn how to upgrade your PHP version.

Pantheon has switched infrastructure providers from Rackspace to Google Cloud Platform. This switch requires no downtime, as we actually did it six months ago! Read the announcement here.

New Relic on Pantheon has been upgraded to version 7.7.0.203 5.0.199, which supports PHP 7.2.

We've upgraded to PHP 5.6.32, 7.0.26, and 7.1.12. See our documentation to learn how to upgrade your PHP version.

• Added the HTML Tidy PHP extension.
• Fixed an issue where the Redis cache was not cleared during clone operations.
• Fixed an issue where repeated UTM_* parameters caused an infinite redirect loop.

Over 200,000 sites are already on Pantheon's Global CDN, but if you still have sites pointing to the legacy, deprecated infrastructure, you can now see which sites need an upgrade from your User or Organization Dashboard. Find the required DNS information from the Domains / HTTPS tab on each site environment. Complete the upgrade as soon as possible, and let us know if you have any questions.

Global CDN now respects the no-store directive in the cache-control header.

WebP, a new image format created by Google, is now supported by Pantheon’s Global CDN.

We’ve made PHP 7.1 available for all sites. See our documentation to learn how to upgrade your PHP version, or learn more in this blog post.

New Relic on Pantheon has been updated to version 7.5.0.199. You can read the release notes for this version in New Relic’s docs. This update also includes Drupal-specific fixes from previous versions, detailed in the release notes.

We upgraded PHP to 5.6.31 and 7.0.23. See our documentation to learn how to upgrade your PHP version. Drupal 7 sites may require action.

We improved cache clearing behavior for a large number of surrogate keys or cache tags. The fix was made internally by Pantheon and no action is required if you are already running WordPress or Drupal versions of Pantheon Advanced Page Cache. See the Pantheon Advanced Page Cache for WordPress and Drupal pages for more information.

Although our analysis indicated our customers were not likely subject to this vulnerability, we applied the recommended remediation for CVE-2017-7529.

Organizations using a Custom Upstream can now add and manage their upstreams without engaging Pantheon Support.

If your organization doesn’t yet use Custom Upstreams, and you are interested in access to this feature, tell us about your use-case.

Organizations utilizing a Custom Upstream can now set default site configurations, such as nested docroot, in the pantheon.upstream.yml file. For details, see Pantheon YAML Configuration Files.

New Relic's APM Availability Monitoring has known incompatibilities with SNI, which our HTTPS uses. Instead, we recommend configuring the free availability monitoring service within New Relic’s Synthetics Lite tool. For details, refer to New Relic APM Pro.

New WordPress and Drupal 8 sites now run PHP 7 by default. Drupal 7 sites will default to PHP 5.6.

CVE-2016-8332

Pantheon has deployed new versions of Ghostscript and Openjpeg2 to mitigate the CVE-2016-8332 vulnerability. No user action is required.

CVE-2017-8295

The platform is not vulnerable to this exploit, no user action is required.

We upgraded PHP to 7.0.18. See our documentation to learn how to upgrade your PHP version.

We upgraded PHP to 5.6.30 and 7.0.15. See our documentation to learn how to upgrade your PHP version.

A vulnerability in the Linux Kernel was discovered that could allow users to gain root privileges. The Pantheon platform was quickly updated to prevent this privilege escalation.

We upgraded PHP to 5.6.28 and 7.0.13. See our documentation to learn how to upgrade your PHP version.

Upgraded from 6.3.0.161 to 6.8.0.177. Includes a fix for an issue with Drupal 6 sites that could cause POST requests made using drupal_http_request to be converted into GET requests. Learn more.

You can now add custom domain names to your Multidev environments. Among other use cases, this allows you to use your company’s name in a URL when you show your work to customers or others in your organization.

Now your site’s Drush version is managed via pantheon.yml, so it’s in version control and deployed along with the rest of your code.

We now support PHP 5.6 and 7.0. See our documentation to learn how to upgrade your PHP version.

Nested docroot: Serve sites from a web subdirectory, one-level beneath the root of your code repository. Among other use cases, this helps facilitate managing dependencies via Composer. Protected Web Paths: Specify files or directories that you don’t want to be publicly web-accessible. PHP Version: Now your site’s PHP version is managed via pantheon.yml so it’s in version control and deployed along with the rest of your code.

We are now providing richer and more accurate information about the background actions the Pantheon platform is performing on your sites. This includes commits, workflow actions and clear caches, including more details about the tasks that were performed.

We’ve officially completed a fleet-wide codeserver update to Fedora 20.

We upgraded from PHP 5.3 to 5.3.29. This is the last release for 5.3 and current users are encouraged, if possible, to upgrade to 5.5 in your site's Dashboard.

There's no need. Customer application containers and database servers that were already on up-to-date versions were not vulnerable to GHOST. Backing services were quickly patched, and our engineers further refined our patch deployment capability for even faster responses to future vulnerabilities. For more details, see related Incident Report for Platform Operations