Debian PHP security advisory

Discussion in 'ISPConfig 3 Priority Support' started by Norman, Jun 2, 2014.

  1. Norman

    Norman Member

    php5 (5.4.4-14+deb7u9) stable; urgency=medium
      * The default PHP FPM socket permission has been changed from 0666
        to 0660 to mitigate security vulnerability (CVE-2014-0185) in PHP
        FPM that allowed any local user to run a PHP code under the active
        user of FPM process via crafted FastCGI client.
        The default Debian setup now correctly sets the listen.owner and to www-data:www-data in default php-fpm.conf.  If you
        have more FPM instances or a webserver not running under www-data
        user you need to adjust the configuration of FPM pools in
        /etc/php5/fpm/pool.d/ so the accessing process has rights to
        access the socket.
    Will this affect standard ISPconfig 3 virtual hosts ?
    Anything we need to do on our ends?
  2. till

    till Super Moderator Staff Member ISPConfig Developer

    Just install the update with apt and then restart php-fpm and apache/nginx.

Share This Page