Hi, what is the workaround for this? https://www.nginx.com/blog/php-fpm-cve-2019-11043-vulnerability-nginx/ in either CentOS 7 or 8 ? thanks --- Thomas Stephen Lee
On Thu, Oct 31, 2019 at 02:19:05PM +0530, Thomas Stephen Lee wrote:> > Hi, > > what is the workaround for this? > > https://www.nginx.com/blog/php-fpm-cve-2019-11043-vulnerability-nginx/ > > in either CentOS 7 or 8 ?https://access.redhat.com/security/cve/cve-2019-11043 -- Jonathan Billings <billings at negate.org>
On 10/31/19 10:49 AM, Thomas Stephen Lee wrote:> Hi, > > what is the workaround for this? > > https://www.nginx.com/blog/php-fpm-cve-2019-11043-vulnerability-nginx/ > > in either CentOS 7 or 8 ? > > thanks > > --- > Thomas Stephen Lee > _______________________________________________ > CentOS mailing list > CentOS at centos.org > https://lists.centos.org/mailman/listinfo/centosThe simplest is to conditionally set PATH_INFO if it's not empty: fastcgi_param PATH_INFO $fastcgi_path_info if_not_empty; Another option is to explicitly test whether the fastcgi script path exists : if (!-f $document_root$fastcgi_script_name) { ??????????????????????????????? return 404; } -- Marius
Hi Jonathan and CentOS Team, Thanks for the link. https://cbs.centos.org/koji/buildinfo?buildID=27138 rh-php73-php seems to be ready and is not vulnerable according to the CVE. When will rh-php73-php be released to the repos? thanks --- Thomas Stephen Lee On Thu, Oct 31, 2019 at 8:40 PM Jonathan Billings <billings at negate.org> wrote:> On Thu, Oct 31, 2019 at 02:19:05PM +0530, Thomas Stephen Lee wrote: > > > > Hi, > > > > what is the workaround for this? > > > > https://www.nginx.com/blog/php-fpm-cve-2019-11043-vulnerability-nginx/ > > > > in either CentOS 7 or 8 ? > > https://access.redhat.com/security/cve/cve-2019-11043 > > > -- > Jonathan Billings <billings at negate.org> > _______________________________________________ > CentOS mailing list > CentOS at centos.org > https://lists.centos.org/mailman/listinfo/centos >
Hi Marius, Will make the changes and see how it goes. On the other hand https://cbs.centos.org/koji/buildinfo?buildID=27138 if the above was released we could just install and migrate to rh-php73-php, which is not affected as per https://access.redhat.com/security/cve/cve-2019-11043 thanks --- Thomas Stephen Lee On Thu, Oct 31, 2019 at 8:40 PM Marius ROMAN <marius at roman.systems> wrote:> On 10/31/19 10:49 AM, Thomas Stephen Lee wrote: > > Hi, > > > > what is the workaround for this? > > > > https://www.nginx.com/blog/php-fpm-cve-2019-11043-vulnerability-nginx/ > > > > in either CentOS 7 or 8 ? > > > > thanks > > > > --- > > Thomas Stephen Lee > > _______________________________________________ > > CentOS mailing list > > CentOS at centos.org > > https://lists.centos.org/mailman/listinfo/centos > > The simplest is to conditionally set PATH_INFO if it's not empty: > > fastcgi_param PATH_INFO $fastcgi_path_info if_not_empty; > > Another option is to explicitly test whether the fastcgi script path > exists : > > if (!-f $document_root$fastcgi_script_name) { > return 404; > } > > -- > Marius > > _______________________________________________ > CentOS mailing list > CentOS at centos.org > https://lists.centos.org/mailman/listinfo/centos >