Hi @Nemskiller
You can follow the steps from this answer:
https://askubuntu.com/questions/1111922/upgrade-to-the-latest-php-version-in-ubuntu-16-04
Just replace every 7.2 with 7.3 in his answer.
He stated that as an update in his answer as well:
Update:
Yesterday, I’ve used the above set of commands to install PHP 7.3 on Ubuntu 16.04 and everything went completely fine. Just replace 7.2 with 7.3 within these commands - the entire process took about 7 minutes.
7.3.11 packages are not yet released on https://launchpad.net/%7Eondrej/+archive/ubuntu/php/+index?batch=75&memo=150&start=150 .
I am sure it will come soon.
@system And the workaround is sufficient and reliable?
The last comment from the bug report reads:
A method to quick fix this problem.
If you want to use PATH_INFO in php, and do not want to patch and recompile PHP.Add this line before ALL YOUR “location ~ .php(/|$) {” LINES in nginx confs:
rewrite ^(.*?)\n $1; #Fix CVE-2019-11043 (THIS LINE!!!)
location ~ \.php(/|$) {
...
fastcgi_split_path_info ^((?U).+\.php)(/?.+)$;
...
That will truncate PATH_INFO after “\n” while URL contains “%0a”.
(PHP :: Sec Bug #78599 :: env_path_info underflow in fpm_main.c can lead to RCE)
Is this something which should be added as well?
@system I noticed that try_files was included, while further down the config we still set PATHINFO. Doesn’t that cause issues? Due to a bug try_files resets $fastcgi_path_info…
http://trac.nginx.org/nginx/ticket/321
On Arch, those directives are
SCRIPT_FILENAME and PATH_INFO (notice the _ between the words). Got bit once again and spent some time thinking my server was borked. Hope it helps someone else.
To whom it may concern.
I appreciate such urgent info and the resp. Nextcloud announcement. However, for the convenience of administrators and other interested parties one may add several links such as:
Beispielhaft sei noch der Artikel Debian und CVE-Kompatibilität für deutschsprachige Personen erwähnt. - English: Debian and CVE compatibility
php7.3-fpm:
Installed: 7.3.11-1+ubuntu18.04.1+deb.sury.org+1
Candidate: 7.3.11-1+ubuntu18.04.1+deb.sury.org+1
Version table:
*** 7.3.11-1+ubuntu18.04.1+deb.sury.org+1 500
500 http://ppa.launchpad.net/ondrej/php/ubuntu bionic/main amd64 Packages
100 /var/lib/dpkg/status
I got hit by this also, I’m not sure whether SCRIPTFILENAME and PATHINFO are valid anywhere?
I think it might just be a mistake in the blog post?
e.g. https://docs.nextcloud.com/server/17/admin_manual/installation/nginx.html?highlight=nginx has underscores.
What about Nextcloud installed via Ubuntu snaps?
Did it got all required updates to its nginx automatically?
Here’s more updates since this news thread was opened.
I run a fully-refreshed snap on Ubuntu 16.04. Version information is installed: 16.0.5snap2 (16402) 228MB and I do not see nginx running at all. That leads me to believe the version of php-fpm (which is installed) is not a problem.
Services from nextcloud snap:
$ sudo snap services nextcloud
Service Startup Current Notes
nextcloud.apache enabled active -
nextcloud.mdns-publisher enabled active -
nextcloud.mysql enabled active -
nextcloud.nextcloud-cron enabled active -
nextcloud.nextcloud-fixer enabled inactive -
nextcloud.php-fpm enabled active -
nextcloud.redis-server enabled active -
nextcloud.renew-certs enabled active -Nextcloud-Snap comes with Apache and not with nginx, so you should be safe:
I’m just wondering (but could be an idiotic thought): are users really safe just because they run apache? I mean, the bug was actually in PHP (not nginx) in combination with php-fpm. Doesn’t apache use php-fpm as well?
As said, just wondering. Could be a totally mislead thought.
WARNING to everybody with nginx version: nginx/1.10.3 (Debian stretch latest)
The directive or cgi_parameter SCRIPTFILENAME will render your nextcloud website blank.
change it to SCRIPT_FILENAME
Are both “Immediate actions” required to be secure? My upstream distribution does not have updated packages available currently.
I am relying on this statement from the initial post:
I corrected the article now regarding SCRIPTFILENAME vs. SCRIPT_FILENAME and PATHINFO vs. PATH_INFO. Also I pinned it globally.