[CentOS] PHP FPM issue

Thu Oct 31 23:38:20 UTC 2019
Marius ROMAN <marius at roman.systems>

On 10/31/19 6:55 PM, Thomas Stephen Lee wrote:
> Hi Marius,
>
> Will make the changes and see how it goes.
>
> On the other hand
>
> https://cbs.centos.org/koji/buildinfo?buildID=27138
>
> if the above was released we could just install and migrate to
> rh-php73-php, which is not affected as per
>
> https://access.redhat.com/security/cve/cve-2019-11043
>
> thanks
>
> ---
> Thomas Stephen Lee
>
> On Thu, Oct 31, 2019 at 8:40 PM Marius ROMAN <marius at roman.systems> wrote:
>
>> On 10/31/19 10:49 AM, Thomas Stephen Lee wrote:
>>> Hi,
>>>
>>> what is the workaround for this?
>>>
>>> https://www.nginx.com/blog/php-fpm-cve-2019-11043-vulnerability-nginx/
>>>
>>> in either CentOS 7 or 8 ?
>>>
>>> thanks
>>>
>>> ---
>>> Thomas Stephen Lee
>>> _______________________________________________
>>> CentOS mailing list
>>> CentOS at centos.org
>>> https://lists.centos.org/mailman/listinfo/centos
>> The simplest is to conditionally set PATH_INFO if it's not empty:
>>
>> fastcgi_param PATH_INFO $fastcgi_path_info if_not_empty;
>>
>> Another option is to explicitly test whether the fastcgi script path
>> exists :
>>
>> if (!-f $document_root$fastcgi_script_name) {
>>                                   return 404;
>> }
>>
>> --
>> Marius
>>
>> _______________________________________________
>> CentOS mailing list
>> CentOS at centos.org
>> https://lists.centos.org/mailman/listinfo/centos
>>
> _______________________________________________
> CentOS mailing list
> CentOS at centos.org
> https://lists.centos.org/mailman/listinfo/centos

Interesting the RedHat page says "7.3.x below 7.3.11", now looking at 
https://cbs.centos.org/koji/buildinfo?buildID=27138 it has


        php-7.3.7-2.el7 which means it is affected.

-- 
Marius