Re: [CentOS] PHP FPM issue

2019-11-02 Thread Thomas Stephen Lee
RedHat has updated rh-php71-php and rh-php72-php.

https://access.redhat.com/errata/RHSA-2019:3300
https://access.redhat.com/errata/RHSA-2019:3299

thanks

---
Thomas Stephen Lee


On Sat, Nov 2, 2019 at 12:45 AM Kenneth Porter 
wrote:

> --On Friday, November 01, 2019 12:40 PM +0530 Thomas Stephen Lee
>  wrote:
>
> > Yes, those who use software collections will have to wait longer for
> > a permanent fix, I guess.
>
> Or it may arrive sooner, depending on the repo maintainer for each
> package.
> I use a COPR package of BackupPC 4 and the packager typically has a new
> package rolled a day after an upstream release.
>
>
>
> ___
> CentOS mailing list
> CentOS@centos.org
> https://lists.centos.org/mailman/listinfo/centos
>


Re: [CentOS] PHP FPM issue

2019-11-01 Thread Kenneth Porter
--On Friday, November 01, 2019 12:40 PM +0530 Thomas Stephen Lee wrote:

> Yes, those who use software collections will have to wait longer for
> a permanent fix, I guess.


Or it may arrive sooner, depending on the repo maintainer for each package. 
I use a COPR package of BackupPC 4 and the packager typically has a new 
package rolled a day after an upstream release.






Re: [CentOS] PHP FPM issue

2019-11-01 Thread Thomas Stephen Lee
On Fri, Nov 1, 2019 at 5:08 AM Marius ROMAN  wrote:

> On 10/31/19 6:55 PM, Thomas Stephen Lee wrote:
>
> Hi Marius,
>
> Will make the changes and see how it goes.
>
> On the other hand
> https://cbs.centos.org/koji/buildinfo?buildID=27138
>
> if the above was released we could just install and migrate to
> rh-php73-php, which is not affected as per
> https://access.redhat.com/security/cve/cve-2019-11043
>
> thanks
>
> ---
> Thomas Stephen Lee
>
> On Thu, Oct 31, 2019 at 8:40 PM Marius ROMAN  
>  wrote:
>
>
> On 10/31/19 10:49 AM, Thomas Stephen Lee wrote:
>
> Hi,
>
> what is the workaround for this?
> https://www.nginx.com/blog/php-fpm-cve-2019-11043-vulnerability-nginx/
>
> in either CentOS 7 or 8 ?
>
> thanks
>
> ---
> Thomas Stephen Lee
>
> The simplest is to conditionally set PATH_INFO if it's not empty:
>
> fastcgi_param PATH_INFO $fastcgi_path_info if_not_empty;
>
> Another option is to explicitly test whether the fastcgi script path
> exists :
>
> if (!-f $document_root$fastcgi_script_name) {
>  return 404;
> }
>
> --
> Marius
>
> Interesting the RedHat page says "7.3.x below 7.3.11", now looking at
> https://cbs.centos.org/koji/buildinfo?buildID=27138 it has
> php-7.3.7-2.el7 which means it is affected.
>
> --
> Marius
>
>
Yes, those who use software collections will have to wait longer for
a permanent fix, I guess.

thanks

---
Thomas Stephen Lee


Re: [CentOS] PHP FPM issue

2019-10-31 Thread Thomas Stephen Lee
https://access.redhat.com/errata/RHSA-2019:3286

Looks like RedHat is updating PHP 5 packages.


thanks

---
Thomas Stephen Lee

On Fri, Nov 1, 2019 at 5:08 AM Marius ROMAN  wrote:

> On 10/31/19 6:55 PM, Thomas Stephen Lee wrote:
>
> Hi Marius,
>
> Will make the changes and see how it goes.
>
> On the other hand
> https://cbs.centos.org/koji/buildinfo?buildID=27138
>
> if the above was released we could just install and migrate to
> rh-php73-php, which is not affected as per
> https://access.redhat.com/security/cve/cve-2019-11043
>
> thanks
>
> ---
> Thomas Stephen Lee
>
> On Thu, Oct 31, 2019 at 8:40 PM Marius ROMAN  
>  wrote:
>
>
> On 10/31/19 10:49 AM, Thomas Stephen Lee wrote:
>
> Hi,
>
> what is the workaround for this?
> https://www.nginx.com/blog/php-fpm-cve-2019-11043-vulnerability-nginx/
>
> in either CentOS 7 or 8 ?
>
> thanks
>
> ---
> Thomas Stephen Lee
>
> The simplest is to conditionally set PATH_INFO if it's not empty:
>
> fastcgi_param PATH_INFO $fastcgi_path_info if_not_empty;
>
> Another option is to explicitly test whether the fastcgi script path
> exists :
>
> if (!-f $document_root$fastcgi_script_name) {
>  return 404;
> }
>
> --
> Marius
>
> Interesting the RedHat page says "7.3.x below 7.3.11", now looking at
> https://cbs.centos.org/koji/buildinfo?buildID=27138 it has
> php-7.3.7-2.el7 which means it is affected.
>
> --
> Marius
>
>


Re: [CentOS] PHP FPM issue

2019-10-31 Thread Marius ROMAN

On 10/31/19 6:55 PM, Thomas Stephen Lee wrote:

> Hi Marius,
>
> Will make the changes and see how it goes.
>
> On the other hand
>
> https://cbs.centos.org/koji/buildinfo?buildID=27138
>
> if the above was released we could just install and migrate to
> rh-php73-php, which is not affected as per
>
> https://access.redhat.com/security/cve/cve-2019-11043
>
> thanks
>
> ---
> Thomas Stephen Lee
>
> On Thu, Oct 31, 2019 at 8:40 PM Marius ROMAN wrote:
>
> > On 10/31/19 10:49 AM, Thomas Stephen Lee wrote:
> > > Hi,
> > >
> > > what is the workaround for this?
> > >
> > > https://www.nginx.com/blog/php-fpm-cve-2019-11043-vulnerability-nginx/
> > >
> > > in either CentOS 7 or 8 ?
> > >
> > > thanks
> > >
> > > ---
> > > Thomas Stephen Lee
> >
> > The simplest is to conditionally set PATH_INFO if it's not empty:
> >
> > fastcgi_param PATH_INFO $fastcgi_path_info if_not_empty;
> >
> > Another option is to explicitly test whether the fastcgi script path
> > exists :
> >
> > if (!-f $document_root$fastcgi_script_name) {
> >   return 404;
> > }
> >
> > --
> > Marius

Interesting the RedHat page says "7.3.x below 7.3.11", now looking at
https://cbs.centos.org/koji/buildinfo?buildID=27138 it has
php-7.3.7-2.el7 which means it is affected.

--
Marius



Re: [CentOS] PHP FPM issue

2019-10-31 Thread Thomas Stephen Lee
Hi Marius,

Will make the changes and see how it goes.

On the other hand

https://cbs.centos.org/koji/buildinfo?buildID=27138

if the above was released we could just install and migrate to
rh-php73-php, which is not affected as per

https://access.redhat.com/security/cve/cve-2019-11043

thanks

---
Thomas Stephen Lee

On Thu, Oct 31, 2019 at 8:40 PM Marius ROMAN  wrote:

> On 10/31/19 10:49 AM, Thomas Stephen Lee wrote:
> > Hi,
> >
> > what is the workaround for this?
> >
> > https://www.nginx.com/blog/php-fpm-cve-2019-11043-vulnerability-nginx/
> >
> > in either CentOS 7 or 8 ?
> >
> > thanks
> >
> > ---
> > Thomas Stephen Lee
>
> The simplest is to conditionally set PATH_INFO if it's not empty:
>
> fastcgi_param PATH_INFO $fastcgi_path_info if_not_empty;
>
> Another option is to explicitly test whether the fastcgi script path
> exists :
>
> if (!-f $document_root$fastcgi_script_name) {
>  return 404;
> }
>
> --
> Marius
>


Re: [CentOS] PHP FPM issue

2019-10-31 Thread Thomas Stephen Lee
Hi Jonathan and CentOS Team,

Thanks for the link.

https://cbs.centos.org/koji/buildinfo?buildID=27138

rh-php73-php seems to be ready and is not vulnerable according to the CVE.

When will rh-php73-php be released to the repos?


thanks
---
Thomas Stephen Lee

On Thu, Oct 31, 2019 at 8:40 PM Jonathan Billings 
wrote:

> On Thu, Oct 31, 2019 at 02:19:05PM +0530, Thomas Stephen Lee wrote:
> >
> > Hi,
> >
> > what is the workaround for this?
> >
> > https://www.nginx.com/blog/php-fpm-cve-2019-11043-vulnerability-nginx/
> >
> > in either CentOS 7 or 8 ?
>
> https://access.redhat.com/security/cve/cve-2019-11043
>
>
> --
> Jonathan Billings 


Re: [CentOS] PHP FPM issue

2019-10-31 Thread Marius ROMAN

On 10/31/19 10:49 AM, Thomas Stephen Lee wrote:

> Hi,
>
> what is the workaround for this?
>
> https://www.nginx.com/blog/php-fpm-cve-2019-11043-vulnerability-nginx/
>
> in either CentOS 7 or 8 ?
>
> thanks
>
> ---
> Thomas Stephen Lee


The simplest is to conditionally set PATH_INFO if it's not empty:

fastcgi_param PATH_INFO $fastcgi_path_info if_not_empty;

Another option is to explicitly test whether the fastcgi script path 
exists :


if (!-f $document_root$fastcgi_script_name) {
    return 404;
}

--
Marius
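
Added example, not part of the original thread: a small Python audit that reports which nginx `location` blocks passing `PATH_INFO` to PHP-FPM carry the two workarounds from the message above. The sample config, its paths and socket, and the function names are constructed for illustration; only these two checks are recognised, and `include`d files are not followed.

```python
import re

# Constructed sample config (paths and socket are made up): the first location
# has neither workaround, the second has both from the message above.
SAMPLE_CONF = r"""
server {
    root /var/www/html;
    location ~ ^/legacy/.+\.php(/|$) {
        fastcgi_split_path_info ^(.+?\.php)(/.*)$;
        fastcgi_param PATH_INFO $fastcgi_path_info;
        fastcgi_pass unix:/run/php-fpm/www.sock;
    }
    location ~ [^/]\.php(/|$) {
        fastcgi_split_path_info ^(.+?\.php)(/.*)$;
        if (!-f $document_root$fastcgi_script_name) {
            return 404;
        }
        fastcgi_param PATH_INFO $fastcgi_path_info if_not_empty;
        fastcgi_pass unix:/run/php-fpm/www.sock;
    }
}
"""

PATH_INFO = re.compile(r"fastcgi_param\s+PATH_INFO\s+\$fastcgi_path_info\s*([^;]*);")
FILE_TEST = re.compile(r"if\s*\(\s*!-f\s+\$document_root\$fastcgi_script_name\s*\)"
                       r"\s*\{\s*return\s+404\s*;")

def location_blocks(conf):
    """Yield (header, body) per location block, tracking nested braces."""
    for m in re.finditer(r"^\s*location\s+([^{]+)\{", conf, re.M):
        depth, i = 1, m.end()
        while i < len(conf) and depth:
            depth += {"{": 1, "}": -1}.get(conf[i], 0)
            i += 1
        yield m.group(1).strip(), conf[m.end():i - 1]

def audit(conf):
    """Map each FastCGI location that sets PATH_INFO to the workarounds it has."""
    conf = re.sub(r"(?m)^\s*#.*$", "", conf)  # drop whole-line comments
    report = {}
    for header, body in location_blocks(conf):
        m = PATH_INFO.search(body)
        if "fastcgi_pass" not in body or m is None:
            continue  # PATH_INFO not set here (include files are not followed)
        guards = ["if_not_empty"] if "if_not_empty" in m.group(1).split() else []
        if FILE_TEST.search(body):
            guards.append("file_test")
        report[header] = guards
    return report

if __name__ == "__main__":
    for header, guards in audit(SAMPLE_CONF).items():
        print(f"location {header}: {', '.join(guards) or 'NO WORKAROUND'}")
```

A location reported with an empty list still forwards `PATH_INFO` unconditionally and has no script-exists test, so it is the one to patch or mitigate first.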



Re: [CentOS] PHP FPM issue

2019-10-31 Thread Jonathan Billings
On Thu, Oct 31, 2019 at 02:19:05PM +0530, Thomas Stephen Lee wrote:
>
> Hi,
> 
> what is the workaround for this?
> 
> https://www.nginx.com/blog/php-fpm-cve-2019-11043-vulnerability-nginx/
> 
> in either CentOS 7 or 8 ?

https://access.redhat.com/security/cve/cve-2019-11043


-- 
Jonathan Billings 


[CentOS] PHP FPM issue

2019-10-31 Thread Thomas Stephen Lee
Hi,

what is the workaround for this?

https://www.nginx.com/blog/php-fpm-cve-2019-11043-vulnerability-nginx/

in either CentOS 7 or 8 ?

thanks

---
Thomas Stephen Lee