Hi Marius, Will make the changes and see how it goes. On the other hand https://cbs.centos.org/koji/buildinfo?buildID=27138 if the above was released we could just install and migrate to rh-php73-php, which is not affected as per https://access.redhat.com/security/cve/cve-2019-11043 thanks --- Thomas Stephen Lee On Thu, Oct 31, 2019 at 8:40 PM Marius ROMAN <marius at roman.systems> wrote:> On 10/31/19 10:49 AM, Thomas Stephen Lee wrote: > > Hi, > > > > what is the workaround for this? > > > > https://www.nginx.com/blog/php-fpm-cve-2019-11043-vulnerability-nginx/ > > > > in either CentOS 7 or 8 ? > > > > thanks > > > > --- > > Thomas Stephen Lee > > _______________________________________________ > > CentOS mailing list > > CentOS at centos.org > > https://lists.centos.org/mailman/listinfo/centos > > The simplest is to conditionally set PATH_INFO if it's not empty: > > fastcgi_param PATH_INFO $fastcgi_path_info if_not_empty; > > Another option is to explicitly test whether the fastcgi script path > exists : > > if (!-f $document_root$fastcgi_script_name) { > return 404; > } > > -- > Marius > > _______________________________________________ > CentOS mailing list > CentOS at centos.org > https://lists.centos.org/mailman/listinfo/centos >
On 10/31/19 6:55 PM, Thomas Stephen Lee wrote:> Hi Marius, > > Will make the changes and see how it goes. > > On the other hand > > https://cbs.centos.org/koji/buildinfo?buildID=27138 > > if the above was released we could just install and migrate to > rh-php73-php, which is not affected as per > > https://access.redhat.com/security/cve/cve-2019-11043 > > thanks > > --- > Thomas Stephen Lee > > On Thu, Oct 31, 2019 at 8:40 PM Marius ROMAN <marius at roman.systems> wrote: > >> On 10/31/19 10:49 AM, Thomas Stephen Lee wrote: >>> Hi, >>> >>> what is the workaround for this? >>> >>> https://www.nginx.com/blog/php-fpm-cve-2019-11043-vulnerability-nginx/ >>> >>> in either CentOS 7 or 8 ? >>> >>> thanks >>> >>> --- >>> Thomas Stephen Lee >>> _______________________________________________ >>> CentOS mailing list >>> CentOS at centos.org >>> https://lists.centos.org/mailman/listinfo/centos >> The simplest is to conditionally set PATH_INFO if it's not empty: >> >> fastcgi_param PATH_INFO $fastcgi_path_info if_not_empty; >> >> Another option is to explicitly test whether the fastcgi script path >> exists : >> >> if (!-f $document_root$fastcgi_script_name) { >> return 404; >> } >> >> -- >> Marius >> >> _______________________________________________ >> CentOS mailing list >> CentOS at centos.org >> https://lists.centos.org/mailman/listinfo/centos >> > _______________________________________________ > CentOS mailing list > CentOS at centos.org > https://lists.centos.org/mailman/listinfo/centosInteresting the RedHat page says "7.3.x below 7.3.11", now looking at https://cbs.centos.org/koji/buildinfo?buildID=27138 it has php-7.3.7-2.el7 which means it is affected. -- Marius
https://access.redhat.com/errata/RHSA-2019:3286 Looks like RedHat is updating PHP 5 packages. thanks --- Thomas Stephen Lee On Fri, Nov 1, 2019 at 5:08 AM Marius ROMAN <marius at roman.systems> wrote:> On 10/31/19 6:55 PM, Thomas Stephen Lee wrote: > > Hi Marius, > > Will make the changes and see how it goes. > > On the other hand > https://cbs.centos.org/koji/buildinfo?buildID=27138 > > if the above was released we could just install and migrate to > rh-php73-php, which is not affected as per > https://access.redhat.com/security/cve/cve-2019-11043 > > thanks > > --- > Thomas Stephen Lee > > On Thu, Oct 31, 2019 at 8:40 PM Marius ROMAN <marius at roman.systems> <marius at roman.systems> wrote: > > > On 10/31/19 10:49 AM, Thomas Stephen Lee wrote: > > Hi, > > what is the workaround for this? > https://www.nginx.com/blog/php-fpm-cve-2019-11043-vulnerability-nginx/ > > in either CentOS 7 or 8 ? > > thanks > > --- > Thomas Stephen Lee > _______________________________________________ > CentOS mailing listCentOS at centos.orghttps://lists.centos.org/mailman/listinfo/centos > > The simplest is to conditionally set PATH_INFO if it's not empty: > > fastcgi_param PATH_INFO $fastcgi_path_info if_not_empty; > > Another option is to explicitly test whether the fastcgi script path > exists : > > if (!-f $document_root$fastcgi_script_name) { > return 404; > } > > -- > Marius > > _______________________________________________ > CentOS mailing listCentOS at centos.orghttps://lists.centos.org/mailman/listinfo/centos > > _______________________________________________ > CentOS mailing listCentOS at centos.orghttps://lists.centos.org/mailman/listinfo/centos > > Interesting the RedHat page says "7.3.x below 7.3.11", now looking at > https://cbs.centos.org/koji/buildinfo?buildID=27138 it has > php-7.3.7-2.el7 which means it is affected. > > -- > Marius > >
On Fri, Nov 1, 2019 at 5:08 AM Marius ROMAN <marius at roman.systems> wrote:> On 10/31/19 6:55 PM, Thomas Stephen Lee wrote: > > Hi Marius, > > Will make the changes and see how it goes. > > On the other hand > https://cbs.centos.org/koji/buildinfo?buildID=27138 > > if the above was released we could just install and migrate to > rh-php73-php, which is not affected as per > https://access.redhat.com/security/cve/cve-2019-11043 > > thanks > > --- > Thomas Stephen Lee > > On Thu, Oct 31, 2019 at 8:40 PM Marius ROMAN <marius at roman.systems> <marius at roman.systems> wrote: > > > On 10/31/19 10:49 AM, Thomas Stephen Lee wrote: > > Hi, > > what is the workaround for this? > https://www.nginx.com/blog/php-fpm-cve-2019-11043-vulnerability-nginx/ > > in either CentOS 7 or 8 ? > > thanks > > --- > Thomas Stephen Lee > _______________________________________________ > CentOS mailing listCentOS at centos.orghttps://lists.centos.org/mailman/listinfo/centos > > The simplest is to conditionally set PATH_INFO if it's not empty: > > fastcgi_param PATH_INFO $fastcgi_path_info if_not_empty; > > Another option is to explicitly test whether the fastcgi script path > exists : > > if (!-f $document_root$fastcgi_script_name) { > return 404; > } > > -- > Marius > > _______________________________________________ > CentOS mailing listCentOS at centos.orghttps://lists.centos.org/mailman/listinfo/centos > > _______________________________________________ > CentOS mailing listCentOS at centos.orghttps://lists.centos.org/mailman/listinfo/centos > > Interesting the RedHat page says "7.3.x below 7.3.11", now looking at > https://cbs.centos.org/koji/buildinfo?buildID=27138 it has > php-7.3.7-2.el7 which means it is affected. > > -- > Marius > >yes, those who use software collections will have to wait longer for permanent fix i guess. thanks --- Thomas Stephen Lee
RedHat has updated rh-php71-php and rh-php72-php. https://access.redhat.com/errata/RHSA-2019:3300 https://access.redhat.com/errata/RHSA-2019:3299 thanks --- Thomas Stephen Lee On Sat, Nov 2, 2019 at 12:45 AM Kenneth Porter <shiva at sewingwitch.com> wrote:> --On Friday, November 01, 2019 12:40 PM +0530 Thomas Stephen Lee > <lee.iitb at gmail.com> wrote: > > > yes, those who use software collections will have to wait longer for > > permanent fix i guess. > > Or it may arrive sooner, depending on the repo maintainer for each > package. > I use a COPR package of BackupPC 4 and the packager typically has a new > package rolled a day after an upstream release. > > > > _______________________________________________ > CentOS mailing list > CentOS at centos.org > https://lists.centos.org/mailman/listinfo/centos >