Hi,
what is the workaround for this?
https://www.nginx.com/blog/php-fpm-cve-2019-11043-vulnerability-nginx/
in either CentOS 7 or 8 ?
thanks
--- Thomas Stephen Lee
On Thu, Oct 31, 2019 at 02:19:05PM +0530, Thomas Stephen Lee wrote:
Hi,
what is the workaround for this?
https://www.nginx.com/blog/php-fpm-cve-2019-11043-vulnerability-nginx/
in either CentOS 7 or 8 ?
https://access.redhat.com/security/cve/cve-2019-11043
Hi Jonathan and CentOS Team,
Thanks for the link.
https://cbs.centos.org/koji/buildinfo?buildID=27138
rh-php73-php seems to be ready and is not vulnerable according to the CVE.
When will rh-php73-php be released to the repos?
thanks --- Thomas Stephen Lee
On Thu, Oct 31, 2019 at 8:40 PM Jonathan Billings billings@negate.org wrote:
On Thu, Oct 31, 2019 at 02:19:05PM +0530, Thomas Stephen Lee wrote:
Hi,
what is the workaround for this?
https://www.nginx.com/blog/php-fpm-cve-2019-11043-vulnerability-nginx/
in either CentOS 7 or 8 ?
https://access.redhat.com/security/cve/cve-2019-11043
-- Jonathan Billings billings@negate.org _______________________________________________ CentOS mailing list CentOS@centos.org https://lists.centos.org/mailman/listinfo/centos
On 10/31/19 10:49 AM, Thomas Stephen Lee wrote:
Hi,
what is the workaround for this?
https://www.nginx.com/blog/php-fpm-cve-2019-11043-vulnerability-nginx/
in either CentOS 7 or 8 ?
thanks
Thomas Stephen Lee
The simplest is to conditionally set PATH_INFO if it's not empty:
    fastcgi_param PATH_INFO $fastcgi_path_info if_not_empty;
Another option is to explicitly test whether the fastcgi script path exists:
    if (!-f $document_root$fastcgi_script_name) { return 404; }
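Added example (not part of the thread, and not code from nginx, PHP or CentOS): a small Python check that scans nginx configuration text for PHP-FPM location blocks that set PATH_INFO with neither of the two workarounds given above. The function names, the sample configuration and the simplified parsing (comments stripped naively, `include` files not followed) are assumptions of this example.

```python
import re

# Constructed sample configuration (not taken from the thread).
SAMPLE_CONF = r"""
server {
    location ~ [^/]\.php(/|$) {            # no workaround applied
        fastcgi_split_path_info ^(.+?\.php)(/.*)$;
        fastcgi_param PATH_INFO $fastcgi_path_info;
        fastcgi_pass 127.0.0.1:9000;
    }
    location ~ ^/app/.+\.php(/|$) {        # workaround 1: if_not_empty
        fastcgi_split_path_info ^(/app/.+?\.php)(/.*)$;
        fastcgi_param PATH_INFO $fastcgi_path_info if_not_empty;
        fastcgi_pass 127.0.0.1:9000;
    }
    location ~ ^/api/.+\.php(/|$) {        # workaround 2: file test
        fastcgi_split_path_info ^(/api/.+?\.php)(/.*)$;
        if (!-f $document_root$fastcgi_script_name) { return 404; }
        fastcgi_param PATH_INFO $fastcgi_path_info;
        fastcgi_pass 127.0.0.1:9000;
    }
}
"""
FILE_TEST = re.compile(r"if\s*\(\s*!-f\s+\$document_root\$fastcgi_script_name\s*\)")
PATH_INFO = re.compile(r"fastcgi_param\s+PATH_INFO\s+(\S[^;]*);")

def location_blocks(conf):
    """Yield (header, body) per location block, matching nested braces."""
    for m in re.finditer(r"^[ \t]*location\b([^{;]*)\{", conf, re.M):
        depth, i = 1, m.end()
        while i < len(conf) and depth:
            depth += (conf[i] == "{") - (conf[i] == "}")
            i += 1
        yield m.group(1).strip(), conf[m.end():i - 1]

def audit(conf):
    """Return headers of PHP-FPM locations with neither workaround."""
    conf = re.sub(r"#.*", "", conf)  # naive comment stripping (assumption)
    flagged = []
    for header, body in location_blocks(conf):
        unguarded = [v for v in PATH_INFO.findall(body)
                     if v.split()[-1] != "if_not_empty"]
        if "fastcgi_pass" in body and unguarded and not FILE_TEST.search(body):
            flagged.append(header)
    return flagged

if __name__ == "__main__":
    print("locations needing a workaround:", audit(SAMPLE_CONF))
```

A location whose PATH_INFO is set only in an included file is not visible to this check, so run it over the fully expanded configuration.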
Hi Marius,
Will make the changes and see how it goes.
On the other hand
https://cbs.centos.org/koji/buildinfo?buildID=27138
if the above was released we could just install and migrate to rh-php73-php, which is not affected as per
https://access.redhat.com/security/cve/cve-2019-11043
thanks
--- Thomas Stephen Lee
On 10/31/19 6:55 PM, Thomas Stephen Lee wrote:
Hi Marius,
Will make the changes and see how it goes.
On the other hand
https://cbs.centos.org/koji/buildinfo?buildID=27138
if the above was released we could just install and migrate to rh-php73-php, which is not affected as per
https://access.redhat.com/security/cve/cve-2019-11043
thanks
Thomas Stephen Lee
Interesting the RedHat page says "7.3.x below 7.3.11", now looking at https://cbs.centos.org/koji/buildinfo?buildID=27138 it has
php-7.3.7-2.el7 which means it is affected.
https://access.redhat.com/errata/RHSA-2019:3286
Looks like RedHat is updating PHP 5 packages.
thanks
--- Thomas Stephen Lee
On Fri, Nov 1, 2019 at 5:08 AM Marius ROMAN marius@roman.systems wrote:
Interesting the RedHat page says "7.3.x below 7.3.11", now looking at https://cbs.centos.org/koji/buildinfo?buildID=27138 it has php-7.3.7-2.el7 which means it is affected.
-- Marius
Yes, those who use software collections will have to wait longer for a permanent fix, I guess.
thanks
--- Thomas Stephen Lee
--On Friday, November 01, 2019 12:40 PM +0530 Thomas Stephen Lee lee.iitb@gmail.com wrote:
Yes, those who use software collections will have to wait longer for a permanent fix, I guess.
Or it may arrive sooner, depending on the repo maintainer for each package. I use a COPR package of BackupPC 4 and the packager typically has a new package rolled a day after an upstream release.