Passbolt and PHP 7.3


I would like to install Passbolt on my server running Debian Stretch 9.6. I have downloaded the installer from here and have found that it assumes that one uses PHP7.0. As you may know, PHP7.0 is not even receiving security fixes anymore. ( I would not like to process my company’s passwords with an application running on an outdated version of PHP. Now my questions are:

Can I use Passbolt with a current version of PHP, to be specific 7.2 or 7.3? I have found references to php7.0-mcrypt, which is not available in current versions anymore. Which PHP7.3-Extensions do I need to be able to run the application? Can it be used without mcrypt?

Yours sincerely
Stefan Malte Schumacher

Hi @stefan.schumacher

Yes, you are right, php7.0 is not receiving security fixes from PHP development team. However, the installer is based on the official debian stable PHP packages which continue to receive security fixes from the debian security team.
If you don’t trust the debian security team or you just want to use a different version of php I would suggest to use php7.2 as php7.3 is not supported by passbolt, there are a few known problems and the team is working on fixing them.
You could use a third party ppa in debian to use a different version of PHP this task is also on passbolt backlog is just the bandwidth the team has is not enough at this moment.

Regarding php-mcrypt for php7.2 you can build it from PECL. The list of extensions typically build in passbolt currently:

'curl', 'gd', 'intl', 'json', 'mcrypt','mysqlnd', 'xsl', 'phar','posix', 'xml', 'zlib', 'ctype', 'pdo', 'gnupg', 'pdo_mysql','mbstring'

Hope this helps.

Hello Diego,

thanks for the quick reply. I did know that the Debian Security Team provides fixes for critical systems like the Linux kernel, but I was not aware that PHP also receives these updates. I will now install it with PHP7.0. The install script already ran through smoothly, I am confident that the last steps on the webinstaller will also not pose any insurmountable problems.

Yours sincerely

yeah, they provide security patches for all their stable packages, you can check the php security tracker here:

Glad to see the scripts work fine!

This topic was automatically closed 5 days after the last reply. New replies are no longer allowed.