Urgent security issue in NGINX/php-fpm

You are welcome.

BTW a little ACK to one or more of my comments (i.e. click on the heart icon :heart:) would show you are satisfied. This could be a kind gesture and would motivate me like authors of other advice to continue in lending a hand freely…
:smiley:

One should presume you are on the safe bank.

Good luck.
:four_leaf_clover:

1 Like

Hello,

after the update I was receiving some errors, can’t remember them now because I recopied the configuration for nginx. When I did that the index.php is not rendering and is now just trying to download. I believe this is because I am not pointing to where fpm is listening or something along those lines but I double checked the config and everything seems fine.
Not sure what to do here.

Please be aware this is the ‘news’ section and there are more appropriate categories like ‘support’ or ‘howto’ available in this user forum.

No offence. Hope this helps.
:smile:

Re: [Nextcloud community] [news] Urgent security issue in NGINX/php-fpm
Hello Nextcloud,

And it’s time to start a new thread and new subject-line, this “Urgent” matter is old news now. I’m tired of seeing “Urgent” in my inbox. It makes this list look like click bait…

Jason

Wednesday, November 6, 2019, 2:25:27 AM, you wrote:

int_1.jpg
TP75
November 6Please be aware this is the ‘news’ section and there are more appropriate categories like ‘support’ or ‘howto’ available in this user forum.
No offence. Hope this helps.
int_2.jpg

int_1.png

1 Like

@system To whom this may be of concern at Nextcloud.

We’re Nextcloud: the future of private file sync, share and communication!

:+1:

however, another click unfortunately.
:innocent:

Does this affect nginx-uwsgi users?

Apparently, NGINX with uWSGI is an application of the NGINX server in combination with the uWSGI server, if I understand your issue correctly.

IMHO your NGINX server has to be fully examined concerning the a.m. security issue at your deliberation.

Always seek to update to the most current version of NGINX, I presume.

There may be some advice from true NGINX server experts around. unfortunately, I can give no more specific advice.

Happy hacking.
:four_leaf_clover:

No you don’t uWSGI is an application that runs with any web server that supports the WSGI standard.
This enables the use of any language that uwsgi supports with that web server.
Which means in this case php, which is why I’m asking if uwsgi is affect of this CVE.

ad 1

:pleading_face:

You have a NGINX server involved or not?

  1. When NGINX involved, check for the conditions ref to the CVE and security advisory applicable to the flavour in use at your premises.

  2. When NGINX not involved, have a nice day.

  3. When some misunderstanding apparent, try to rephrase and reshuffle and provide some more details, I presume.

  4. You may ignore any option and live happily ever after at your convenience.

Choose 1 - 4 and no cheating please.
:face_with_monocle:

Not my cup of tea.
BTW The uWSGI seems to be off-topic anyway.
:innocent:

Good luck.
:four_leaf_clover:


ad 2

Apparently, you chose option (1.) but cannot deduce sufficient details from a.m. CVE. Correct?

more information:

Emil Lerner and Andrew Danau discovered that insufficient validation in the path handling code of PHP FPM could result in the execution of arbitrary code in some setups

@Thaodan Would this information help you?


ad 3

@Thaodan There seems to be a basic misunderstanding.

  1. The author of this thread is @system i.e. Nextcloud GmbH.

  2. The title of this thread :top: given by the author is: “… issue in NGINX/php-fpm:zap:

  3. One may refer to #64 by @JasGot who nicely requested :
    And it’s time to start a new thread and new subject-line, this “Urgent” matter is old news now.

  4. Please note I am not affiliated with Nextcloud GmbH.

Mission accomplished.
:innocent:


ad 4

:pleading_face:

A basic misunderstanding again, I presume. Please take the effort to truly read the first lines of text in this thread:

@Thaodan IMHO the wording used here is quite correct.
:nerd_face:

1 Like

Yes I have NGINX in use but don’t use php-fpm but uwsgi as replacement and asked if the bug only affects nginx users that use php-fpm.

EDIT:
As the bug is in fpm_main.c the bug only affects php-fpm users and not all NGINX users.
Maybe add this to the description.

Yes I don’t read the CVE properly at first but the post says NGINX users are affected “a new security risk has emerged around NGINX” but the bug is inside php-fpm as listed in the CVE.
The case is that only when NGINX is in use as webserver is the only config that is currently affected/can trigger this bug.

I know I just wanted to point of that the wording used here is wrong.

More Details at Tracking CVE-2019-11043 PHP Vulnerability – An Uncommon Chain of Events
And latest solutions Solutions Directly from php.net bug website

I try to update PHP on my Raspberry Pi.

php -v:
PHP 7.3.4-2 (cli) (built: Apr 13 2019 19:05:48) ( NTS )
Copyright © 1997-2018 The PHP Group
Zend Engine v3.3.4, Copyright © 1998-2018 Zend Technologies
with Zend OPcache v7.3.4-2, Copyright © 1999-2018, by Zend Technologies

apt-get remove php7.3
apt-get install php7.3

Die folgenden NEUEN Pakete werden installiert:
php7.3
0 aktualisiert, 1 neu installiert, 0 zu entfernen und 129 nicht aktualisiert.
Es m?ssen noch 0 B von 39,0 kB an Archiven heruntergeladen werden.
Nach dieser Operation werden 75,8 kB Plattenplatz zus?tzlich benutzt.
Vormals nicht ausgew?hltes Paket php7.3 wird gew?hlt.
(Lese Datenbank … 44974 Dateien und Verzeichnisse sind derzeit installiert.)
Vorbereitung zum Entpacken von …/php7.3_7.3.11-1~deb10u1_all.deb …
Entpacken von php7.3 (7.3.11-1~deb10u1) …
php7.3 (7.3.11-1~deb10u1) wird eingerichtet .

php -v:
PHP 7.3.4-2 (cli) (built: Apr 13 2019 19:05:48) ( NTS )
Copyright © 1997-2018 The PHP Group
Zend Engine v3.3.4, Copyright © 1998-2018 Zend Technologies
with Zend OPcache v7.3.4-2, Copyright © 1999-2018, by Zend Technologies

Why is still installed the old version???

What do you expect when removing and installing the same version again? :wink:

Did you update your sources (“apt-get update”) before installing php again?

In general, it should be enough to update your sources and to upgrade your packages with “apt-get upgrade”, no need to remove the old version.

sorry, I added some further information at my last post. I had installed php 7.3.4-2 and try to install php7.3 (7.3.11-1~deb10u1). I made apt-get update

In general, it should be enough to update your sources and to upgrade your
packages with “apt-get upgrade”, no need to remove the old version.

I am afraid after “apt-get upgrade” Nextcloud has some other problems. In the past I had pretty often problems after updating my system.

You don’t need to call apt-get remove for an update.
Just do the following if you want to update php-cli. I’m pretty sure there are other PHP packages installed that you might want to update too.

apt-get update
apt-get install php-cli

or alternatively if you don’t want to accidentally add new packages to your system, you have a kind of a safe mode option:

apt-get update
apt-get install --only-upgrade php-cli
1 Like

apt-get install php-cli

After this, it is the same. It seems I have PHP 7.3.4 installed, but I must install PHP 7.3.11

Is my Nextcloud safe or do I have to update php??

I guess you could check what packages need an upgrade with
sudo apt list --upgradable

And then call the command from my other post for the php packages.

I would still use sudo apt upgrade, so that no other program with known vulnerabilities would remain on the system

I made apt-get upgrade, and it works fine.

Thanks!!