Urgent security issue in NGINX/php-fpm

Re: [Nextcloud community] [news] Urgent security issue in NGINX/php-fpm
Hello Nextcloud,

And it's time to start a new thread and new subject-line, this "Urgent" matter is old news now. I'm tired of seeing "Urgent" in my inbox. It makes this list look like click bait…

Jason

Wednesday, November 6, 2019, 2:25:27 AM, you wrote:

TP75 (November 6): Please be aware this is the 'news' section and there are more appropriate categories like 'support' or 'howto' available in this user forum.
No offence. Hope this helps.



@system To whom this may be of concern at Nextcloud.

"We're Nextcloud: the future of private file sync, share and communication!"

:+1:

however, another click unfortunately.
:innocent:

Does this affect nginx-uwsgi users?

Apparently, NGINX with uWSGI is an application of the NGINX server in combination with the uWSGI server, if I understand your issue correctly.

IMHO your NGINX server has to be fully examined concerning the a.m. security issue at your deliberation.

Always seek to update to the most current version of NGINX, I presume.

There may be some advice from true NGINX server experts around. Unfortunately, I can give no more specific advice.

Happy hacking.
:four_leaf_clover:

No, you don't. uWSGI is an application that runs with any web server that supports the WSGI standard.
This enables the use of any language that uwsgi supports with that web server.
Which means in this case PHP, which is why I'm asking if uwsgi is affected by this CVE.

ad 1

:pleading_face:

You have a NGINX server involved or not?

  1. When NGINX involved, check for the conditions ref to the CVE and security advisory applicable to the flavour in use at your premises.

  2. When NGINX not involved, have a nice day.

  3. When some misunderstanding apparent, try to rephrase and reshuffle and provide some more details, I presume.

  4. You may ignore any option and live happily ever after at your convenience.

Choose 1 - 4 and no cheating please.
:face_with_monocle:

Not my cup of tea.
BTW The uWSGI seems to be off-topic anyway.
:innocent:

Good luck.
:four_leaf_clover:


ad 2

Apparently, you chose option (1.) but cannot deduce sufficient details from a.m. CVE. Correct?

more information:

Emil Lerner and Andrew Danau discovered that insufficient validation in the path handling code of PHP FPM could result in the execution of arbitrary code in some setups

@Thaodan Would this information help you?


ad 3

@Thaodan There seems to be a basic misunderstanding.

  1. The author of this thread is @system i.e. Nextcloud GmbH.

  2. The title of this thread :top: given by the author is: "… issue in NGINX/php-fpm" :zap:

  3. One may refer to #64 by @JasGot who nicely requested:
    "And it's time to start a new thread and new subject-line, this 'Urgent' matter is old news now."

  4. Please note I am not affiliated with Nextcloud GmbH.

Mission accomplished.
:innocent:


ad 4

:pleading_face:

A basic misunderstanding again, I presume. Please take the effort to truly read the first lines of text in this thread:

@Thaodan IMHO the wording used here is quite correct.
:nerd_face:


Yes, I have NGINX in use but don't use php-fpm but uwsgi as replacement, and asked if the bug only affects nginx users that use php-fpm.

EDIT:
As the bug is in fpm_main.c the bug only affects php-fpm users and not all NGINX users.
Maybe add this to the description.

Yes, I didn't read the CVE properly at first, but the post says NGINX users are affected ("a new security risk has emerged around NGINX") while the bug is inside php-fpm as listed in the CVE.
The case is that NGINX in use as webserver is the only config that is currently affected/can trigger this bug.

I know, I just wanted to point out that the wording used here is wrong.

More details at: Tracking CVE-2019-11043 PHP Vulnerability – An Uncommon Chain of Events
And latest solutions: Solutions Directly from php.net bug website

I try to update PHP on my Raspberry Pi.

php -v:
PHP 7.3.4-2 (cli) (built: Apr 13 2019 19:05:48) ( NTS )
Copyright © 1997-2018 The PHP Group
Zend Engine v3.3.4, Copyright © 1998-2018 Zend Technologies
with Zend OPcache v7.3.4-2, Copyright © 1999-2018, by Zend Technologies

apt-get remove php7.3
apt-get install php7.3

Die folgenden NEUEN Pakete werden installiert:
php7.3
0 aktualisiert, 1 neu installiert, 0 zu entfernen und 129 nicht aktualisiert.
Es müssen noch 0 B von 39,0 kB an Archiven heruntergeladen werden.
Nach dieser Operation werden 75,8 kB Plattenplatz zusätzlich benutzt.
Vormals nicht ausgewähltes Paket php7.3 wird gewählt.
(Lese Datenbank … 44974 Dateien und Verzeichnisse sind derzeit installiert.)
Vorbereitung zum Entpacken von …/php7.3_7.3.11-1~deb10u1_all.deb …
Entpacken von php7.3 (7.3.11-1~deb10u1) …
php7.3 (7.3.11-1~deb10u1) wird eingerichtet .

php -v:
PHP 7.3.4-2 (cli) (built: Apr 13 2019 19:05:48) ( NTS )
Copyright © 1997-2018 The PHP Group
Zend Engine v3.3.4, Copyright © 1998-2018 Zend Technologies
with Zend OPcache v7.3.4-2, Copyright © 1999-2018, by Zend Technologies

Why is the old version still installed???

What do you expect when removing and installing the same version again? :wink:

Did you update your sources ("apt-get update") before installing php again?

In general, it should be enough to update your sources and to upgrade your packages with "apt-get upgrade", no need to remove the old version.

Sorry, I added some further information to my last post. I had installed php 7.3.4-2 and tried to install php7.3 (7.3.11-1~deb10u1). I made apt-get update.

In general, it should be enough to update your sources and to upgrade your packages with "apt-get upgrade", no need to remove the old version.

I am afraid after "apt-get upgrade" Nextcloud has some other problems. In the past I had pretty often problems after updating my system.

You don't need to call apt-get remove for an update.
Just do the following if you want to update php-cli. I'm pretty sure there are other PHP packages installed that you might want to update too.

apt-get update
apt-get install php-cli

or alternatively, if you don't want to accidentally add new packages to your system, you have a kind of a safe mode option:

apt-get update
apt-get install --only-upgrade php-cli

apt-get install php-cli

After this, it is the same. It seems I have PHP 7.3.4 installed, but I must install PHP 7.3.11

Is my Nextcloud safe or do I have to update php??

I guess you could check what packages need an upgrade with
sudo apt list --upgradable

And then call the command from my other post for the php packages.

I would still use sudo apt upgrade, so that no other program with known vulnerabilities would remain on the system.

I made apt-get upgrade, and it works fine.

Thanks!!
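Added example (not code from the thread, Nextcloud or Debian): a small Python check that makes the point of the exchange above concrete. `php -v` reports the php-cli binary, while the fix for CVE-2019-11043 has to land in the php-fpm package; the dpkg-style lines are constructed to mirror the reinstall of the php7.3 metapackage shown above, and the 7.2.24/7.1.33 fixed releases are upstream's, not named in this thread.

```python
import re

# Fixed upstream releases for CVE-2019-11043, keyed by minor series.
# 7.3.11 is the version named in the thread; 7.2.24 and 7.1.33 are the
# corresponding fixed releases of the older series (assumption: from upstream).
FIXED_RELEASE = {(7, 1): (7, 1, 33), (7, 2): (7, 2, 24), (7, 3): (7, 3, 11)}


def parse_version(text):
    """Return (major, minor, patch) from 'PHP 7.3.4-2 (cli) ...' or a Debian
    version such as '7.3.11-1~deb10u1'; None if no x.y.z is present."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    return tuple(int(g) for g in m.groups()) if m else None


def fix_status(version):
    """Classify a PHP version tuple against the fixed releases above."""
    series = version[:2]
    if series in FIXED_RELEASE:
        return "fixed" if version >= FIXED_RELEASE[series] else "vulnerable"
    # 7.4 and later shipped after the fix; anything older than 7.1 was end of life
    return "fixed" if series > (7, 3) else "unsupported-series"


def vulnerable_fpm_packages(dpkg_lines):
    """From 'package version' lines (dpkg-query -W style) return the FPM
    packages still at a vulnerable version. The cli package and the php7.3
    metapackage are ignored: the bug is in fpm_main.c, so php-fpm matters."""
    found = []
    for line in dpkg_lines.splitlines():
        parts = line.split()
        if len(parts) != 2 or not parts[0].endswith("-fpm"):
            continue
        ver = parse_version(parts[1])
        if ver and fix_status(ver) == "vulnerable":
            found.append((parts[0], parts[1]))
    return found


# Constructed sample mirroring the thread: the php7.3 metapackage was
# reinstalled at 7.3.11, but the real cli and fpm packages stayed at 7.3.4-2.
SAMPLE_DPKG = """php7.3 7.3.11-1~deb10u1
php7.3-cli 7.3.4-2
php7.3-fpm 7.3.4-2
"""

if __name__ == "__main__":
    cli = parse_version("PHP 7.3.4-2 (cli) (built: Apr 13 2019 19:05:48) ( NTS )")
    print("php -v reports", cli, "->", fix_status(cli))
    print("fpm packages still vulnerable:", vulnerable_fpm_packages(SAMPLE_DPKG))
```

On a real host, feed it the output of `dpkg-query -W -f '${Package} ${Version}\n' 'php*'` instead of the constructed sample.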

IMHO both the future and the safety of the code basis of NGINX seems to be debatable.

Unfortunately, a FOSS project in danger, I presume.
:grimacing:

Happy hacking.
:sunflower:

The company that has complained knows that it was developed as open source to start with, and they have done nothing at all but sit on their hands for 15 years. And now when there is money in it they complain and want a piece of the cake … Hopefully the Russian police will soon realize their mistake to act in this case.