GLSA
Advocate
Joined: 12 May 2004
Posts: 2663
|
 Posted: Fri Oct 25, 2019 11:26 am Post subject: [ glsa 201910-01 ] php |
 |
|
Gentoo Linux Security Advisory
Title: PHP: Arbitrary code execution (GLSA 201910-01)
Severity: high
Exploitable: remote
Date: 2019-10-25
Bug(s): #698452
ID: 201910-01
Synopsis
A vulnerability in PHP might allow an attacker to execute arbitrary
code.
Background
PHP is an open source general-purpose scripting language that is
especially suited for web development.
Affected Packages
Package: dev-lang/php
Vulnerable: < 7.1.33
Vulnerable: < 7.2.24
Vulnerable: < 7.3.11
Vulnerable: < 5.6.40-r7
Unaffected: >= 7.1.33
Unaffected: >= 7.2.24
Unaffected: >= 7.3.11
Unaffected: >= 5.6.40-r7
Architectures: All supported architectures
Description
A underflow in env_path_info in PHP-FPM under certain configurations can
be exploited to gain remote code execution.
Impact
A remote attacker, by sending special crafted HTTP requests, could
possibly execute arbitrary code with the privileges of the process, or
cause a Denial of Service condition.
Workaround
If patching is not feasible, the suggested workaround is to include
checks to verify whether or not a file exists before passing to PHP.
Resolution
All PHP 5.6 users should upgrade to the latest version: | Code: | # emerge --sync
# emerge --ask --oneshot --verbose ">=dev-lang/php-5.6.40-r7"
|
All PHP 7.1 users should upgrade to the latest version: | Code: | # emerge --sync
# emerge --ask --oneshot --verbose ">=dev-lang/php-7.1.33"
|
All PHP 7.2 users should upgrade to the latest version: | Code: | # emerge --sync
# emerge --ask --oneshot --verbose ">=dev-lang/php-7.2.24"
|
All PHP 7.3 users should upgrade to the latest version: | Code: | # emerge --sync
# emerge --ask --oneshot --verbose ">=dev-lang/php-7.3.11"
|
References
CVE-2019-11043
Last edited by GLSA on Wed Nov 20, 2019 4:17 am; edited 1 time in total |
|
News & Announcements
