Urgent security issue in NGINX/php-fpm #1663
Comments
|
Immediate fix would be to stop nginx. After looking at the link you provided : https://github.com/neex/phuip-fpizdam |
|
Hi all. I will write about mitigation steps on the thread on the discussion forum: https://discourse.mailinabox.email/t/urgent-security-issue-in-nginx-php-fpm-cve-2019-11043/5600/3 If it's determined that Mail-in-a-Box is vulnerable and needs to have a new version posted, we'll have that discussion on what fixes we need to make here. |
|
I haven't been able to get https://github.com/neex/phuip-fpizdam to work, I've tested with multiple php scripts we employ. There is only one location block that uses I'll be interested in your findings @JoshData |
|
I was trying to setup a new test instance too, but mailinabox.email/setup.sh is inaccessible although mailinabox.email is, is this related Josh ? |
|
@jvolkenant I tried that too, came to the same conclusion. So I tentatively think we're fine. @FiveBoroughs Yes, the Mail-in-a-Box that the site is hosted on is down as a precaution. (Both URLs should be down - you probably have one cached.) The README instructions at https://github.com/mail-in-a-box/mailinabox should work fine instead, in the meanwhile. |
|
I was trying to figure out last night if this is a problem for roundcube. My analysis is that it wasn't from the provided detail, but the bug exists and there maybe another way to exploit. See also. |
|
That's what I think and what I'm wondering about too. |
|
The new version of PHP is being distributed! Yay! However, there are changes in the |
|
Thanks for the heads up! I will look tonight!
…On October 28, 2019 3:49:39 PM EDT, Gerhard Klostermeier ***@***.***> wrote:
The new version of PHP is being distributed! Yay!
```
> php-fpm7.2 -v
PHP 7.2.24-0ubuntu0.18.04.1 (fpm-fcgi) (built: Oct 28 2019 12:07:07)
Copyright (c) 1997-2018 The PHP Group
Zend Engine v3.2.0, Copyright (c) 1998-2018 Zend Technologies
with Zend OPcache v7.2.24-0ubuntu0.18.04.1, Copyright (c) 1999-2018, by
Zend Technologies
```
However, there are changes in the `php.ini`. Should I keep the
`php.ini` or should I install the packet maintainers version?
--
You are receiving this because you were mentioned.
Reply to this email directly or view it on GitHub:
#1663 (comment)
--
Sent from my Android device with K-9 Mail. Please excuse my brevity.
|
|
I didn't get any issue with php.ini so I don't have any particular suggestion. |
|
all of my php.ini "conflicts" were just changes to commented items. |
Maybe it is just me. I'm not 100% sure. I might have changed the upload file size limit... |
|
Thanks for everyone's help on this issue. Closing now. @ikarus23 It sounds like you're probably all set, but feel free to start a new issue/discussion if needed. |
|
@JoshData, everything is fine on my MiaB! Thanks for this great project and handling security issues like this so transparently. |
See: https://nextcloud.com/blog/urgent-security-issue-in-nginx-php-fpm/
and
https://github.com/neex/phuip-fpizdam
At this moment, Ubuntu has not released an updated php-fpm package for 18.04. (Still 7.2.19: https://packages.ubuntu.com/bionic/php7.2-fpm)
The ngnix configuration looks safe, but more detailed analysis is required.
EDIT: Temporary fix is to restrict access to nginx via the firewall:
sudo ufw insert 1 deny 443Or, if you want to maintain access from specific IP:
sudo ufw insert 1 allow from <IP> to any port 443sudo ufw insert 2 deny 443The text was updated successfully, but these errors were encountered: