What about Nextcloud installed via Ubuntu snaps?
Did it got all required updates to its nginx automatically?
Hereās more updates since this news thread was opened.
I run a fully-refreshed snap on Ubuntu 16.04. Version information is installed: 16.0.5snap2 (16402) 228MB
and I do not see nginx running at all. That leads me to believe the version of php-fpm (which is installed) is not a problem.
Services from nextcloud snap:
$ sudo snap services nextcloud
Service Startup Current Notes
nextcloud.apache enabled active -
nextcloud.mdns-publisher enabled active -
nextcloud.mysql enabled active -
nextcloud.nextcloud-cron enabled active -
nextcloud.nextcloud-fixer enabled inactive -
nextcloud.php-fpm enabled active -
nextcloud.redis-server enabled active -
nextcloud.renew-certs enabled active -
Nextcloud-Snap comes with Apache and not with nginx, so you should be safe:
Iām just wondering (but could be an idiotic thought): are users really safe just because they run apache? I mean, the bug was actually in PHP (not nginx) in combination with php-fpm. Doesnāt apache use php-fpm as well?
As said, just wondering. Could be a totally mislead thought.
WARNING to everybody with nginx version: nginx/1.10.3 (Debian stretch latest)
The directive or cgi_parameter SCRIPTFILENAME will render your nextcloud website blank.
change it to SCRIPT_FILENAME
Are both āImmediate actionsā required to be secure? My upstream distribution does not have updated packages available currently.
I am relying on this statement from the initial post:
I corrected the article now regarding SCRIPTFILENAME vs. SCRIPT_FILENAME and PATHINFO vs. PATH_INFO. Also I pinned it globally.
Oh - you can edit the first post? Could you please also add what Meiros posted?
The was another change in the nginx-config, which didnāt make it in the initial post. It would be great, if you could add that as well, since many people might not notice the other change.
I actually didnāt want to mess with the official post, but I think you are right. If users already modify their config, it should be done right.
So @all please, check your config again, there has been a little change in the first post!
i see two added lines:
set $path_info $fastcgi_path_info;
try_files $fastcgi_script_name =404;
Edit: Oh, Bernie_O already mentioned that in the post above. My bad
@Schmu Please also update the official blog post. Having two different versions might be a bit confusing.
@jospoortvliet
Sorry, Iām not an official and donāt have access to the blog.
I only jumped in to help forum users to directly pick the latest config changes. We have to wait for @system to do so.
Please remove the typo ^^
$try_files
->
try_files
Iām running Nginx on a raspberry pi as a reverse proxy. And on another raspberry pi NextcloudPi. Would it effect me as well?
Asking because i donāt even have ā rewrite ^ /index.php$request_uri ā under locationā¦
same here, do i need to update the php version running nextcloud on snap? if yes then how do i do that?
no