Urgent security issue in NGINX/php-fpm

What about Nextcloud installed via Ubuntu snaps?
Did it get all required updates to its nginx automatically?

Here's more updates since this news thread was opened.

I run a fully-refreshed snap on Ubuntu 16.04. Version information is installed: 16.0.5snap2 (16402) 228MB and I do not see nginx running at all. That leads me to believe the version of php-fpm (which is installed) is not a problem.

Services from nextcloud snap:

$ sudo snap services nextcloud
Service                    Startup  Current   Notes
nextcloud.apache           enabled  active    -
nextcloud.mdns-publisher   enabled  active    -
nextcloud.mysql            enabled  active    -
nextcloud.nextcloud-cron   enabled  active    -
nextcloud.nextcloud-fixer  enabled  inactive  -
nextcloud.php-fpm          enabled  active    -
nextcloud.redis-server     enabled  active    -
nextcloud.renew-certs      enabled  active    -
Nextcloud-Snap comes with Apache and not with nginx, so you should be safe:

I'm just wondering (but could be an idiotic thought): are users really safe just because they run apache? I mean, the bug was actually in PHP (not nginx) in combination with php-fpm. Doesn't apache use php-fpm as well?

As said, just wondering. Could be a totally misled thought.

WARNING to everybody with nginx version: nginx/1.10.3 (Debian stretch latest)

The directive or cgi_parameter SCRIPTFILENAME will render your nextcloud website blank.
Change it to SCRIPT_FILENAME.

Are both "Immediate actions" required to be secure? My upstream distribution does not have updated packages available currently.

I am relying on this statement from the initial post:

Is Nginx (under Plesk) with the directives set from this guide affected?

I corrected the article now regarding SCRIPTFILENAME vs. SCRIPT_FILENAME and PATHINFO vs. PATH_INFO. Also I pinned it globally.

Oh - you can edit the first post? Could you please also add what Meiros posted?

There was another change in the nginx-config, which didn't make it into the initial post. It would be great if you could add that as well, since many people might not notice the other change.

I actually didn't want to mess with the official post, but I think you are right. If users already modify their config, it should be done right.

So @all please, check your config again, there has been a little change in the first post!

I see two added lines:

set $path_info $fastcgi_path_info;
try_files $fastcgi_script_name =404;

Edit: Oh, Bernie_O already mentioned that in the post above. My bad

@Schmu Please also update the official blog post. Having two different versions might be a bit confusing.
@jospoortvliet

@DecaTec

Sorry, I'm not an official and don't have access to the blog.
I only jumped in to help forum users to directly pick the latest config changes. We have to wait for @system to do so.

Please remove the typo ^^

$try_files
->
try_files

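To show where the two lines discussed in this thread sit, here is an added example of a Nextcloud PHP location block; it is not the official post or Nextcloud's own documentation. The site root `/var/www/nextcloud`, the upstream name `php-handler` and the location regex are assumptions for the example.

```nginx
# Added example, not the official Nextcloud config. Assumed: site root
# /var/www/nextcloud, php-fpm reachable via an upstream named php-handler.
location ~ ^/(?:index|remote|public|cron|status|ocs/v[12]|updater/.+|oc[ms]-provider/.+)\.php(?:$|/) {
    # Split the URI into the script ($fastcgi_script_name) and the
    # trailing path info ($fastcgi_path_info).
    fastcgi_split_path_info ^(.+?\.php)(/.*|)$;

    # Added line 1: keep a copy of the path info now, because try_files
    # below re-runs the location match and leaves $fastcgi_path_info empty.
    set $path_info $fastcgi_path_info;

    # Added line 2: only hand the request to php-fpm when the script really
    # exists under $document_root; otherwise nginx answers 404 itself and
    # php-fpm never sees the request. (Note: try_files, not $try_files.)
    try_files $fastcgi_script_name =404;

    include fastcgi_params;
    # Spelled with underscores: SCRIPT_FILENAME and PATH_INFO. The thread
    # reports that SCRIPTFILENAME leaves the Nextcloud site blank.
    fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
    fastcgi_param PATH_INFO $path_info;
    fastcgi_param HTTPS on;
    fastcgi_pass php-handler;
    fastcgi_intercept_errors on;
}
```

After editing, run `nginx -t` and reload; a blank Nextcloud page after the change usually means one of the two parameter names lost its underscore.
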
I'm running Nginx on a raspberry pi as a reverse proxy. And on another raspberry pi NextcloudPi. Would it affect me as well?

Asking because I don't even have ' rewrite ^ /index.php$request_uri ' under location…

Same here, do I need to update the PHP version running Nextcloud on snap? If yes, then how do I do that?

no