Urgent security issue in NGINX/php-fpm #1663
Comments
Immediate fix would be to stop nginx. After looking at the link you provided: https://github.com/neex/phuip-fpizdam
Hi all. I will write about mitigation steps on the thread on the discussion forum: https://discourse.mailinabox.email/t/urgent-security-issue-in-nginx-php-fpm-cve-2019-11043/5600/3 If it's determined that Mail-in-a-Box is vulnerable and needs to have a new version posted, we'll have that discussion on what fixes we need to make here.
I haven't been able to get https://github.com/neex/phuip-fpizdam to work, I've tested with multiple php scripts we employ. There is only one location block that uses I'll be interested in your findings @JoshData
I was trying to set up a new test instance too, but mailinabox.email/setup.sh is inaccessible although mailinabox.email is, is this related Josh?
@jvolkenant I tried that too, came to the same conclusion. So I tentatively think we're fine. @FiveBoroughs Yes, the Mail-in-a-Box that the site is hosted on is down as a precaution. (Both URLs should be down - you probably have one cached.) The README instructions at https://github.com/mail-in-a-box/mailinabox should work fine instead, in the meanwhile.
I was trying to figure out last night if this is a problem for roundcube. My analysis is that it wasn't from the provided detail, but the bug exists and there may be another way to exploit. See also.
That's what I think and what I'm wondering about too.
The new version of PHP is being distributed! Yay!
```
> php-fpm7.2 -v
PHP 7.2.24-0ubuntu0.18.04.1 (fpm-fcgi) (built: Oct 28 2019 12:07:07)
Copyright (c) 1997-2018 The PHP Group
Zend Engine v3.2.0, Copyright (c) 1998-2018 Zend Technologies
with Zend OPcache v7.2.24-0ubuntu0.18.04.1, Copyright (c) 1999-2018, by Zend Technologies
```
However, there are changes in the `php.ini`. Should I keep the `php.ini` or should I install the packet maintainers version?
Thanks for the heads up! I will look tonight!
On October 28, 2019 3:49:39 PM EDT, Gerhard Klostermeier wrote:
The new version of PHP is being distributed! Yay!
```
> php-fpm7.2 -v
PHP 7.2.24-0ubuntu0.18.04.1 (fpm-fcgi) (built: Oct 28 2019 12:07:07)
Copyright (c) 1997-2018 The PHP Group
Zend Engine v3.2.0, Copyright (c) 1998-2018 Zend Technologies
with Zend OPcache v7.2.24-0ubuntu0.18.04.1, Copyright (c) 1999-2018, by
Zend Technologies
```
However, there are changes in the `php.ini`. Should I keep the
`php.ini` or should I install the packet maintainers version?
I didn't get any issue with php.ini so I don't have any particular suggestion.
All of my php.ini "conflicts" were just changes to commented items.
Maybe it is just me. I'm not 100% sure. I might have changed the upload file size limit...
Thanks for everyone's help on this issue. Closing now. @ikarus23 It sounds like you're probably all set, but feel free to start a new issue/discussion if needed.
@JoshData, everything is fine on my MiaB! Thanks for this great project and handling security issues like this so transparently.
See: https://nextcloud.com/blog/urgent-security-issue-in-nginx-php-fpm/
and
https://github.com/neex/phuip-fpizdam
At this moment, Ubuntu has not released an updated php-fpm package for 18.04. (Still 7.2.19: https://packages.ubuntu.com/bionic/php7.2-fpm)
The nginx configuration looks safe, but more detailed analysis is required.
EDIT: Temporary fix is to restrict access to nginx via the firewall:
```
sudo ufw insert 1 deny 443
```
Or, if you want to maintain access from specific IP:
```
sudo ufw insert 1 allow from <IP> to any port 443
sudo ufw insert 2 deny 443
```
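The thread turns on whether the installed php7.2-fpm is still the unpatched 7.2.19 build or the 7.2.24 build that later appeared. As an added example (not code from this issue or from Mail-in-a-Box), the script below parses `php-fpm7.2 -v` output and reports whether the version is at or past 7.2.24; it assumes Ubuntu 18.04 with the php7.2-fpm package, and the sample outputs are constructed from the version strings quoted in the thread.

```shell
#!/bin/sh
# Added example: check php-fpm version against the fixed Ubuntu 18.04 build.
# Assumption: php7.2-fpm on Ubuntu 18.04, as discussed in the thread.

FIXED_VERSION="7.2.24"   # the build the thread reports as carrying the fix

# Extract "X.Y.Z" from the first line of `php-fpm7.2 -v` output.
php_fpm_version() {
    printf '%s\n' "$1" |
        sed -n '1s/^PHP \([0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*\).*/\1/p'
}

# Compare two X.Y.Z versions numerically; prints -1, 0 or 1.
version_cmp() {
    a1=${1%%.*}; rest=${1#*.}; a2=${rest%%.*}; a3=${rest#*.}
    b1=${2%%.*}; rest=${2#*.}; b2=${rest%%.*}; b3=${rest#*.}
    for pair in "$a1 $b1" "$a2 $b2" "$a3 $b3"; do
        set -- $pair
        [ "$1" -lt "$2" ] && { echo -1; return; }
        [ "$1" -gt "$2" ] && { echo 1; return; }
    done
    echo 0
}

# Exit 0 if the parsed version is >= FIXED_VERSION, 1 if older,
# 2 if the output could not be parsed at all.
php_fpm_patched() {
    v=$(php_fpm_version "$1")
    [ -n "$v" ] || return 2
    [ "$(version_cmp "$v" "$FIXED_VERSION")" -ge 0 ]
}

# Constructed sample outputs: the still-unpatched 7.2.19 noted in the issue
# body (shortened) and the 7.2.24 build quoted in the thread.
OLD_OUTPUT="PHP 7.2.19 (fpm-fcgi)"
NEW_OUTPUT="PHP 7.2.24-0ubuntu0.18.04.1 (fpm-fcgi) (built: Oct 28 2019 12:07:07)"

# Run against the live binary when invoked as: sh check.sh --live
if [ "${1:-}" = "--live" ] && out=$(php-fpm7.2 -v 2>/dev/null); then
    if php_fpm_patched "$out"; then
        echo "php-fpm $(php_fpm_version "$out"): at or past $FIXED_VERSION"
    else
        echo "php-fpm $(php_fpm_version "$out"): older than $FIXED_VERSION"
    fi
fi
```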